Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.3.
4.1. Installer and image creation
Support to both legacy and UEFI boot for AWS EC2 images
Previously, RHEL image builder created EC2 AMD or Intel 64-bit architecture AMIs images with support only for the legacy boot type. As a consequence, it was not possible to take advantage of certain AWS features requiring UEFI boot, such as secure boot. This enhancement extends the AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI boot, in addition to the legacy BIOS boot. As a result, it is now possible to take advantage of AWS features which require booting the image with UEFI.
Jira:RHELDOCS-16339[1]
New boot option inst.wait_for_disks=
to add wait time for loading a Kickstart file or the kernel drivers
Sometimes, it may take a few seconds to load a Kickstart file or the kernel drivers from the device with the OEMDRV
label during the boot process. To adjust the wait time, you can now use the new boot option, inst.wait_for_disks=
. Using this option, you can specify how many seconds to wait before the installation. The default time is set to 5
seconds, however, you can use 0
seconds to minimize the delay. For more information about this option, see Storage boot options.
Ability to select required kernel while installing RHEL on ARM using GUI and TUI
Previously, you could install RHEL on ARM with kernel-64k page size only by using the Kickstart method. With this update, you can now install RHEL on ARM using the GUI or the TUI and selecting the required kernel version. The option to select the required kernel is available on the Software Selection screen under Kernel Options.
Bugzilla:2164819[1]
Support for VMware VSphere (OVA)
This update adds support to build VMware VSphere OVA files by using RHEL image builder. The Open Virtual Appliance (OVA) file is a virtual appliance used by the VMware VSphere virtualization application. The OVA file contains files used to describe a virtual machine, such as an OVF descriptor file, one or more virtual machine disk image files (VMDK), optional manifest (MF) and certificate files. By using the VMware VSphere (.ova), you can more easily deploy the image to VMware vSphere by using the vSphere GUI client. You can further customize the resulting VM before you boot the image.
Jira:RHELDOCS-16877[1]
New network
Kickstart options to control DNS handling
You can now control DNS handling using the network
Kickstart command with the following new options. Use these new options with the --device
option.
The
--ipv4-dns-search
and--ipv6-dns-search
options allow you to set DNS search domains manually. These options mirror their NetworkManager properties, for example:network --device ens3 --ipv4-dns-search domain1.example.com,domain2.example.com
-
The
--ipv4-ignore-auto-dns
and--ipv6-ignore-auto-dns
options allow you to ignore DNS settings from DHCP. They do not require any arguments.
Bugzilla:2065754[1]
Minimal RHEL installation now installs only the s390utils-core
package
In RHEL 8.4 and later, the s390utils-base
package is split into an s390utils-core
package and an auxiliary s390utils-base
package. As a result, setting the RHEL installation to minimal-environment
installs only the necessary s390utils-core
package and not the auxiliary s390utils-base
package. If you want to use the s390utils-base
package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base
using a Kickstart file.
Bugzilla:1932480[1]
4.2. Security
Keylime rebased to version 7.3.0
The Keylime packages have been updated to upstream version 7.3.0. This version provides various enhancements and bug fixes. Most notably, the allow and exclude lists are combined into the Keylime runtime policy. You can combine the two lists by using the convert_runtime_policy.py
script.
In addition, the update fixes two vulnerabilities with the moderate impact rating: CVE-2023-38200 and CVE-2023-38201.
Jira:RHEL-476[1]
Ports for Keylime have stricter rules in SELinux policy
Ports used by Keylime are now labeled as keylime_port_t
in the Keylime SELinux policy. The policy now allows TCP connections for ports with this label. This is because the previous Keylime SELinux policy allowed connecting to all undefined ports and also most of the ports used by Keylime were in the undefined group. As a result, this update increases the granularity of the Keylime SELinux policy, and port security can be more strict and better targeted.
Jira:RHEL-595[1]
Audit now supports FANOTIFY
record fields
This update of the audit
packages introduces support for FANOTIFY
Audit record fields. The Audit subsystem now logs additional information in the AUDIT_FANOTIFY
record, notably:
-
fan_type
to specify the type of aFANOTIFY
event -
fan_info
to specify additional context information -
sub_trust
andobj_trust
to indicate trust levels for a subject and an object involved in an event
As a result, you can better understand why the Audit system denied access in certain cases. This can help you write policies for tools such as the fapolicyd
framework.
Jira:RHELPLAN-161087[1]
fapolicyd
now provides rule numbers for troubleshooting
With this enhancement, new kernel and Audit components allow the fapolicyd
service to send the number of the rule that causes a denial to the fanotify
API. As a result, you can troubleshoot problems related to fapolicyd
more precisely.
crypto-policies
now provides the NO-ENFORCE-EMS
subpolicy for TLS 1.2 connections in FIPS mode
The system-wide cryptographic policies now contain the NO-ENFORCE-EMS
subpolicy. After applying the new subpolicy, the system no longer requires the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections negotiated in FIPS mode. This allows the system to connect to legacy systems without support for EMS or TLS 1.3. Note that this violates the requirements of the FIPS-140-3 standard. You can apply the subpolicy by entering the update-crypto-policies --set FIPS:NO-ENFORCE-EMS
command.
Bugzilla:2216257[1]
GnuTLS requires EMS with TLS 1.2 in FIPS mode
To comply with the FIPS-140-3 standard, GnuTLS servers and clients require the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections negotiated in FIPS mode. If your scenario requires preserving compatibility with older servers and clients that do not support EMS and you cannot use TLS 1.3, you can apply the NO-ENFORCE-EMS
system-wide cryptographic subpolicy:
# update-crypto-policies --set FIPS:NO-ENFORCE-EMS
If you allow TLS 1.2 connections without EMS, your system no longer meets the FIPS-140-3 requirements.
NSS now enforce EMS in FIPS mode
The Network Security Services (NSS) libraries now contain the TLS-REQUIRE-EMS
policy to require the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections as mandated by the FIPS 140-3 standard. NSS use the new policy when the system-wide cryptographic policies are set to FIPS
.
If your scenario requires interoperating with legacy systems without support for EMS or TLS 1.3, you can apply the NO-ENFORCE-EMS
system-wide cryptographic subpolicy. Such a change violates the FIPS-140-3 requirements.
OpenSSL now supports disabling EMS in FIPS mode
You can now configure the OpenSSL cryptographic libraries to allow for TLS 1.2 connections without the Extended Master Secret (EMS) extension (RFC 7627) in FIPS mode by editing the /etc/pki/tls/fips_local.cnf
file. In a text editor of your choice, add the following section to the configuration file:
[fips_sect] tls1-prf-ems-check = 0 activate = 1
Then, locate the SSL configuration section in the /etc/pki/tls/openssl.cnf
file. The default SSL configuration section is crypto_policy
. At the end of the SSL configuration section, add the following line:
Options=RHNoEnforceEMSinFIPS
The previous configuration changes allow the system in FIPS mode to connect to legacy systems without support for EMS or TLS 1.3.
You can stop enforcing EMS for TLS 1.2 in FIPS mode by entering the update-crypto-policies --set FIPS:NO-ENFORCE-EMS
command. In both cases, such a configuration change violates the requirements of the FIPS-140-3 standard.
Bugzilla:2216256[1]
OpenSSH further enforces SHA-2
As part of the effort to migrate further from the less secure SHA-1 message digest for cryptographic purposes, the following changes were made in OpenSSH:
-
Added a check on
sshd
startup whether using SHA-1 is configured on the system. If it is not available, OpenSSH does not try to use SHA-1 for operations. This eliminates loading DSS keys when they are present and also enforces advertisingrsa-sha2
combinations when they are available. - On SSH private key conversion, OpenSSH explicitly uses SHA-2 for testing RSA keys.
-
When SHA-1 signatures are unavailable on the server side,
sshd
uses SHA-2 to confirm host key proof. This might be incompatible with clients on RHEL 8 and earlier versions. - When the SHA-1 algorithm is unavailable on the client side, OpenSSH uses SHA-2.
- On the client side, OpenSSH permits SHA-2-based key proofs from the server when SHA-1 was used in key proof request or when the hash algorithm is not specified (assuming default). This is aligned with the already present exception for RSA certificates, and allows connecting by using modern algorithms when supported.
OpenSSL now contains protections against Bleichenbacher-like attacks
This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657.
You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0")
function on the RSA decryption context, but this makes your system more vulnerable.
OpenSSL now supports Brainpool curves configurable through the Groups
option
This update of the OpenSSL TLS toolkit introduces support for Brainpool curves in Elliptic Curve Cryptography (ECC). Additionally, you can control the curves with the system-wide cryptographic policies through the Groups
configuration option.
The following Brainpool curves are enabled in OpenSSL ECC:
-
brainpoolP256r1
-
brainpoolP256t1
-
brainpoolP320r1
-
brainpoolP320t1
-
brainpoolP384r1
-
brainpoolP384t1
-
brainpoolP512r1
-
brainpoolP512t1
crypto-policies
now supports OpenSSL ECC Brainpool curves
With this update of the system-wide cryptographic policies, you can now control the following Brainpool Elliptic Curve Cryptography (ECC) curves in OpenSSL by using the group
option:
-
BRAINPOOL-P256R1
-
BRAINPOOL-P384R1
-
BRAINPOOL-P512R1
.
For example, you can enable all supported Brainpool elliptic curves in OpenSSL by creating a subpolicy that contains the following line:
group = BRAINPOOL-*+
Bugzilla:2193324[1]
crypto-policies
now use the same group order as OpenSSL by default
In this release, the system-wide cryptographic policies (crypto-policies
) control the group order in the OpenSSL Groups
configuration option. To preserve the performance in OpenSSL, crypto-policies
use the default group order that matches the order of the OpenSSL built-in preferences. As a result, the RHEL cryptographic back ends that support crypto-policies
for controlling the group order, such as GnuTLS, now use the same order as OpenSSL.
Jira:RHEL-591[1]
crypto-policies
permitted_enctypes
no longer break replications in FIPS mode
Before this update, an IdM server running on RHEL 8 sent an AES-256-HMAC-SHA-1-encrypted service ticket that an IdM replica running RHEL 9 in FIPS mode. Consequently, the default permitted_enctypes
krb5
configuration broke a replication between the RHEL 8 IdM server and the RHEL 9 IdM replica in FIPS mode.
This update of the system-wide cryptographic policies reorders the permitted_enctypes
krb5
configuration option values to allow prioritization of more interoperable encryption types by default. As a result, the permitted_enctypes
configuration no longer break replications between a RHEL 8 IdM servers and a RHEL 9 IdM replica in FIPS mode.
If you use Kerberos, verify the order of the values of permitted_enctypes
in the /etc/crypto-policies/back-ends/krb5.config
file. If your scenario requires a different order, apply a custom cryptographic subpolicy.
pcsc-lite-ccid
rebased to 1.5.2
The pcsc-lite-ccid
package has been updated to version 1.5.2. This version provides various bug fixes and enhancements, most notably:
- Support for new readers
- Fix for Alcor Micro AU9560
opensc
rebased to 0.23
The opensc
packages have been updated to version 0.23. This version provides various bug fixes and enhancements, most notably:
- Added support for encryption and decryption using symmetric keys
- Added support for signing data with a length of more than 512 bytes
- Disabled old card driver support by default
- Removed support for old drivers MioCOS and JCOP
Jira:RHEL-280[1]
setools
rebased to 4.4.3
The setools
packages have been updated to version 4.4.3. This version provides various bug fixes and enhancements, most notably:
- Fixed compilation with Cython 3.0.0
- Improved man pages
-
Removed unused options in
sediff
,sesearch
, andapol
-
Added the
-r
option toseinfoflow
command to get flows analysis into the source type - Rules with no permissions are automatically rejected as an invalid policy
Bugzilla:2231801, Bugzilla:2184140
Additional services confined in the SELinux policy
This update adds additional rules to the SELinux policy that confine the following systemd
services:
-
qat
-
systemd-pstore
-
boothd
-
fdo-manufacturing-server
-
fdo-rendezvous-server
-
fdo-client-linuxapp
-
fdo-owner-onboarding-server
As a result, these services do not run with the unconfined_service_t
SELinux label anymore, and run successfully in SELinux enforcing mode.
Bugzilla:2080443[1], Bugzilla:2026795, Bugzilla:2181565, Bugzilla:2128833
OpenSCAP rebased to 1.3.8
The OpenSCAP packages have been rebased to upstream version 1.3.8. This version provides various bug fixes and enhancements, most notably:
-
Fixed
systemd
probes to not ignore somesystemd
units -
Added offline capabilities to the
shadow
OVAL probe -
Added offline capabilities to the
sysctl
OVAL probe -
Added
auristorfs
to the list of network filesystems -
Created a workaround for issues with tailoring files produced by the
autotailor
utility
SCAP Security Guide rebased to version 0.1.69
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.69. This version provides various enhancements and bug fixes. Most notably, it introduces three new SCAP profiles for RHEL 9 aligned with the CCN-STIC-610A22 Guide issued by the National Cryptologic Center of Spain in October 2022:
Profile name | Profile ID | Policy version |
---|---|---|
CCN Red Hat Enterprise Linux 9 - Advanced |
| 2022-10 |
CCN Red Hat Enterprise Linux 9 - Basic |
| 2022-10 |
CCN Red Hat Enterprise Linux 9 - Intermediate |
| 2022-10 |
ANSSI-BP-028 security profiles updated to version 2.0
The following French National Agency for the Security of Information Systems (ANSSI) BP-028 in the SCAP Security Guide were updated to be aligned with version 2.0:
- ANSSI-BP-028 Minimal Level
- ANSSI-BP-028 Intermediary Level
- ANSSI-BP-028 Enhanced Level
- ANSSI-BP-028 High Level
python3-greenlet-devel
is now available in CRB
The python3-greenlet-devel
package is now available in the CodeReady Linux Builder (CRB) repository, which you must explicitly enable. See the How to enable and make use of content within CodeReady Linux Builder Knowledgebase article for more information. Note that packages included in the CRB repository are unsupported.
SSG rule to check the group used by the pam_wheel.so
module is simplified
The CIS Benchmark requires restricting the su
command in favor of the sudo
command. SCAP Security Guide (SSG) fulfills this requirement with the pam_wheel.so
module, which restricts the su
command to a specific group. This update improves the rule that checks whether this group exists and has no members. As a result, the rule is more efficient and simplifies the interpretation of the assessment report.
4.3. RHEL for Edge
New FIDO Device Onboarding Servers container images are available
The following FIDO Device Onboarding Servers container images for onboarding IoT and edge computing devices are now available in the Red Hat Container Catalog:
- rhel9/fdo-manufacturing-server container image
- rhel9/fdo-owner-onboarding-server container image
- rhel9/fdo-rendezvous-server container image
- rhel9/fdo-serviceinfo-api-server container image
Jira:RHELPLAN-163133[1]
The minimal-raw
image type now supports 64-bit ARM architectures
With this enhancement, you can create a minimal-raw
image type with support for 64-bit ARM architecture, and AMD and Intel 64-bit architectures. The minimal-raw
image is pre-packaged, bootable, minimal RPM image, compressed in the xz
format. To boot the image, you must decompress it and copy to any bootable device, such as an SD card. To decompress the image, run the following command:
$ xz -d <_uuid-minimal-raw.img_.xz>
Jira:RHELPLAN-163665[1]
The Commit ID is now supported as a value for the --parent
argument of composer-cli
CLI
You can now use the image Commit ID as a value for the --parent
argument of the composer-cli
command line. To get the image Commit ID, download and extract the RHEL for Edge Commit image. You can find the ref
name and the commit ID in the extracted .tar
file.
Jira:RHELDOCS-16386[1]
Support to build RHEL for Edge .ami
images
With this enhancement, you have support to build .ami
images for RHEL for Edge by using on-premise RHEL image builder. During the initial boot, you can customize the blueprint with Ignition to inject the credentials into the image. You can upload the .ami
image to AWS and boot an EC2 instance in AWS.
Jira:RHELDOCS-16708[1]
Support to build .vmdk
images for RHEL for Edge
With this enhancement, you have support to build a .vmdk
image for RHEL for Edge by using on-premise RHEL image builder. You can customize the blueprint with Ignition to inject the credentials into the image during the initial boot. You can load the image on vSphere and boot the image in a VM vSphere. The image is compatible with ESXi 7.0 U2, ESXi 8.0, and later. The VM is compatible with versions 19 and 20.
Jira:RHELDOCS-16709[1]
You can now log in to an Edge system as the initial user without setting a password
Previously, logging in as the initial user created during the FDO onboarding process did not work because the system asked for a password that was not set with the useradd
command. With this enhancement, the password is now set to optional, and you can log in even if you did not previously set a password by using the useradd
command. Note that you can log in with an SSH key without entering a password, and if it fails, you will be prompted to enter a password.
Jira:RHELDOCS-17101[1]
4.4. Software management
New DNF Automatic reboot
option for an automatic reboot after an upgrade
With this enhancement, you can use the DNF Automatic reboot
option to set your system to automatically reboot to apply the changes after an upgrade.
The reboot
option supports the following settings:
-
never
does not reboot the system. This is the current behavior. -
when-changed
triggers a reboot after any upgrade. -
when-needed
triggers a reboot only when rebooting is required to apply changes, for example, when systemd or the kernel is upgraded.
You can use the reboot_command
option to customize the command used to reboot. The default reboot command is shutdown -r
.
The new --poweroff
option allows you to shut down the system after installing updates
With this enhancement, the new --poweroff
option has been added to the reboot
command of the dnf system-upgrade
plugin. You can use this option to shut down the system after installing updates instead of rebooting.
New dnf leaves
and show-leaves
plug-ins are now available for the DNF API
With this enhancement, the following new DNF plug-ins are available that list packages installed on your system that are not required as dependencies of other installed packages:
-
dnf leaves
lists all packages. -
show-leaves
lists newly installed packages and packages that became unrequired as dependencies of other installed packages after a transaction.
4.5. Shells and command-line tools
The NetBackup services are now enabled for backup restoration
When using the NetBackup (NBU) backup method, ReaR now includes the unit files for the NetBackup services version 10.1.1 in the rescue image and starts them when the rescue system boots. As a result, you can restore the system backup by using the NBU backup method during the recovery process and complete the restore successfully.
opencryptoki
rebased to 3.21.0
The opencryptoki
package has been rebased to version 3.21.0, which provides many enhancements and bug fixes. Most notably, opencryptoki
now supports the following features:
- Concurrent hardware security module (HSM) master key changes
-
The
protected-key
option to transform a chosen key into a protected key - Additional key types, such as DH, DSA, and generic secret key types
- EP11 host library version 4
- AES-XTS key type
- IBM-specific Kyber key type and mechanism
- Additional IBM-specific Dilithium key round 2 and 3 variants
Additionally, pkcsslotd
slot manager no longer runs as root and opencryptoki
offers further hardening. With this update, you can also use the following set of new commands:
p11sak set-key-attr
- To modify keys
p11sak copy-key
- To copy keys
p11sak import-key
- To import keys
p11sak export-key
- To export keys
Bugzilla:2160061[1]
Updated systemd-udevd
assigns consistent network device names to InfiniBand interfaces
Introduced in RHEL 9, the new version of the systemd
package contains the updated systemd-udevd
device manager. The device manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd
.
You can define custom naming rules for naming InfiniBand interfaces by following the Renaming IPoIB devices using systemd link file procedure.
For more details of the naming scheme, see the systemd.net-naming-scheme(7)
man page.
4.6. Infrastructure services
Postfix now supports SRV lookups
With this enhancement, you can now use the Postfix DNS service records resolution (SRV) to automatically configure mail clients and balance load of servers. Additionally, you can prevent mail delivery disruptions caused by temporary DNS issues or misconfigured SRV records by using the following SRV-related options in your Postfix configuration:
use_srv_lookup
- You can enable discovery for the specified service by using DNS SRV records.
allow_srv_lookup_fallback
- You can use a cascading approach to locating a service.
ignore_srv_lookup_error
- You can ensure that the service discovery remains functional even if SRV records are not available or encounter errors.
Generic LF-to-CRLF driver is available in cups-filters
With this enhancement, you can now use the Generic LF-to-CRLF driver, which converts LF characters to CR+LF characters for printers accepting files with CR+LF characters. The carriage return (CR) and line feed (LF) are control characters that mark the end of lines. As a result, by using this driver, you can send an LF character terminated file from your application to a printer accepting only CR+LF characters. The Generic LF-to-CRLF driver is a renamed version of the text-only
driver from RHEL 7. The new name reflects its actual functionality.
4.7. Networking
RHEL on ARM now fully supports wifi adapters in RHEL 9.3
With this enhancement, you can now enable access to wifi adapters for several cards for the arm64
platforms.
For details on configuring wifi connections, see Managing wifi connections.
Bugzilla:2208365[1]
NetworkManager
now supports the no-aaaa
option in resolv.conf
NetworkManager
now supports adding the no-aaaa
DNS option in the resolv.conf file. By using the no-aaaa
value in the DNS option setting, you can disable IPv6 DNS resolution.
nmstate
now supports mixing static DNS search along with dynamic DNS name servers
The nmstate
framework now supports both static Domain Name System (DNS) search domains and dynamic DNS name servers, which nmstate
obtained from Dynamic Host Configuration Protocol (DHCP) or the autoconf
mechanism. Previously, static DNS search domains could not co-exist with dynamic DNS name servers because the dynamic configurations were discarded by nmstate
. This often led to unnecessary complexity and limitations in network setup and management. This enhancement aims to bring more flexibility in managing DNS configurations. As a result, nmstate
attempts to find a network interface to store the DNS configuration in the following order:
- The preferred interface, which currently holds the DNS configuration and is still valid for DNS
- An automatic interface
- An IP enabled interface
Note that this enhancement does not remove the DNS name servers learned from DHCP.
The following is an example YAML file to apply this feature:
--- dns-resolver: config: search: - example.com - example.org interfaces: - name: eth1 type: ethernet state: up ipv4: enabled: true dhcp: true ipv6: enabled: true dhcp: true autoconf: true
nmstate
now supports the bridge.vlan-default-pvid
NetworkManager configuration option
With this update, you can use the nmstate
framework to configure the bridge.vlan-default-pvid
NetworkManager configuration option. By using this option, you can set the default port VLAN identifier (PVID) for untagged traffic on a bridge interface that supports VLANs, when you use Linux bridge VLAN filtering. To achieve this result, use the following YAML configuration:
interfaces: - name: linux-br0 type: linux-bridge state: up bridge: options: vlan-default-pvid: 5 port: - name: eth1 stp-hairpin-mode: false stp-path-cost: 100 stp-priority: 32 vlan: mode: access tag: 100
Note that the default value of bridge.vlan-default-pvid
is 1. When set to 0 with VLAN filtering enabled, the untagged traffic is dropped.
The NetworkManager
service restarts immediately after the dbus
service is restarted
Previously, after restarting dbus
for some reason, NetworkManager
stopped. This behavior was not optimal and caused a loss of connectivity. Therefore, this enhancement updates NetworkManager
to become more robust and to make it restart automatically upon a dbus
restart.
The nm-cloud-setup
utility now supports IMDSv2 configuration
Users can configure an AWS Red Hat Enterprise Linux EC2 instance with Instance Metadata Service Version 2 (IMDSv2) with the nm-cloud-setup
utility. To comply with improved security that restricts unauthorized access to EC2 metadata and new features, integration between AWS and Red Hat services is necessary to provide advanced features. This enhancement enables the nm-cloud-setup
utility to fetch and save the IMDSv2 tokens, verify an EC2 environment, and retrieve information about available interfaces and IP configuration by using the secured IMDSv2 tokens.
NetworkManager notifies when using the deprecated ifcfg
format
Connection profiles in ifcfg
format are deprecated in RHEL 9 (see NetworkManager connection profiles in ifcfg
format are deprecated). With this update, NetworkManager notifies users about the deprecation of this format:
NetworkManager logs the following warning to the
systemd
journal if it processes a connection profile inifcfg
format in the/etc/sysconfig/network-scripts/
directory:Warning: the ifcfg-rh plugin is deprecated, please migrate connections to the keyfile format using "nmcli connection migrate"
The
nmcli
utility reports the following error if you try to modify a property that is not supported inifcfg
format:Error: Failed to modify connection '<name>': failed to update connection: The ifcfg-rh plugin doesn't support setting '<property>'. If you are modifying an existing connection profile saved in ifcfg-rh format, please migrate the connection to keyfile using 'nmcli connection migrate <connection_uuid>' or via the Update2() D-Bus API and try again.
As a result of these enhancements, NetworkManager now notifies users if they still use or modify connection profiles in the deprecated ifcfg
format.
For further details about migrating profiles from ifcfg
to keyfile format, see Migrating NetworkManager profiles from ifcfg to keyfile format.
NetworkManager
now supports the lacp_active
option in the bonding configuration
By using NetworkManager
, the lacp_active
option in bonding configuration provides fine-grained control over Link Aggregation Control Protocol Data Units (LACPDU) frames. The lacp_active
option also adjusts the behavior of LACPDU frames and controls periodic transmission of these frames in the bonding setup. To customize network configurations, you can enable or disable periodic transmission of LACPDU frames by setting lacp_active
to ON
or OFF
.
NetworkManager
now supports configuration of the ns_ip6_target
option for bond interfaces
This enhancement allows setting the arp_interval
option by specifying a maximum of 16 IPv6 addresses as monitoring peers in NetworkManager
for configuration of the ns_i6_target
option for bond interfaces. Previously, it was not possible to specify IPv6 monitoring peers in NetworkManager
. With this update, you can configure the ns_ip6_target
option in the bond.options
parameter by using the nmcli
utility. NetworkManager
applies this setting to the bond interface by enabling the specification of a maximum of 16 IPv6 addresses. This enhancement equally applies to IPv4 and IPv6 settings.
NetworkManager
now supports both static and DHCP IP configuration on the same network interface
By using the nmstate
utility, you can now assign a static IP address with dhcp: true
or autoconf: true
value on the DHCP or Ad-Hoc Network Autoconfiguration (autoconf) enabled interface.
With this enhancement, nmstate
supports two properties of IP addresses:
-
valid_lft
means valid lifetime in seconds -
preferred_lft
means preferred lifetime in seconds
Default value of both parameters is forever
which means static.
With above properties, nmstate
can ignore DHCP/autoconf based IP addresses to avoid converting dynamic IP addresses to static IP after applying the queried state back. If your scenario requires having disabled DHCP/autoconf settings with dynamic IP addresses, nmstate
converts those dynamic IP to static IP addresses.
nmstate
supports MAC address identifiable network interface
The nmstate
utility supports network configuration directly to a network interface with a MAC address instead of an interface name.
This enhancement introduces two properties to the base interface:
-
identifier
: identifiesname
ormac-address
on a network. The default value isname
. -
profile-name
: string
When the identifier
variable is set to the mac-address
value, nmstate
uses the interface.mac-address
over interface.name
to choose a network interface for a specific network state. When storing the network configuration, if the interface.profile-name
variable is not assigned, nmstate
prefers interface.profile-name
over interface.name
. If you check the current network state, the interface.profile-name
remains hidden if it is equal to interface.name
.
NetworkManager supports defining after how many failed ARP checks the bonding driver marks a port as down
This enhancement adds the arp_missed_max
option to bond connection profiles in NetworkManager. If you use the Address Resolution Protocol (ARP) monitor to check if ports of a bond are up, you can now set arp_missed_max
to define after how many failed checks the bonding driver marks the port as down.
NetworkManager supports specifying link-related properties
This enhancement adds the following network link properties to NetworkManager connection profiles:
-
link.tx-queue-length
- The size of the transmit (TX) queue length in number of packets. -
link.gro-max-size
- The maximum size in bytes of a Generic Receive Offload (GRO) packet the device accepts. -
link.gso-max-segments
- The maximum number of segments of a Generic Segmentation Offload (GSO) packet the device accepts. -
link.gso-max-size
- The maximum size in bytes of a GSO packet.
Previously, you could configure these kernel settings only by using ip
commands or by using such commands in NetworkManager dispatcher scripts. With this enhancement, you can now configure these settings directly in connection profiles.
Note that NetworkManager supports these properties only in connection profiles in keyfile
format and not in the deprecated ifcfg
format.
The nmstate
API support available for dhcp-send-hostname
and dhcp-custom-hostname
DHCP options
With this enhancement, the nmstate
utility supports configuration of the following two DHCP options in the connection file:
-
dhcp-send-hostname
:true
orfalse
value. If a DHCP request needs the hostname or fully qualified domain name (FQDN) option, the hostname from that option is set. The default istrue
. dhcp-custom-hostname
: <string>. Use this option to configure the hostname or FQDN option in a DHCP request, value type is string.- For DHCPv4 network protocols
-
If the hostname is FQDN, see the
Fully Qualified Domain Name (FQDN)
, option (81) in RFC 4702. If the hostname is not FQDN, see the
Host Name
, option (12) in RFC 2132.- For DHCPv6 network protocols
Supports custom string, empty domain name, overrides the hostname for a DHCP request. See the
Fully Qualified Domain Name (FQDN)
, option (29) in RFC 4704.
NetworkManager rebased to version 1.44.0
The NetworkManager
packages have been upgraded to upstream version 1.44.0, which provides several enhancements and bug fixes over the previous version:
- Link-related properties have been added to NetworkManager.
-
The
arp_missed_max
,lacp_active
, andns_ip6_target
properties have been added to bond connection profiles. -
You can now set a DHCPv6 prefix delegation hint in the
ipv6.dhcp-pd-hint
connection property. -
Enabling the new
rename
parameter in the[keyfile]
section of the/etc/NetworkManager/NetworkManager.conf
file causes NetworkManager to rename a connection profile in/etc/NetworkManager/system-connections/
if you change a profile name (connection.id
). If external applications or scripts rely on the file names, do not enable this parameter. - When you set a hostname that contains a non-public top-level domain (TLD), NetworkManager now uses this TLD as DNS search domain instead of the full hostname.
-
NetworkManager now applies DNS options from the
[global-dns]
section in the/etc/NetworkManager/NetworkManager.conf
file. - To avoid race conditions with other depending services, NetworkManager now acquires the D-Bus name only after populating the D-Bus tree. Note that this can add a delay when NetworkManager starts.
-
NetworkManager now adds a
version-id
argument toUpdate2()
D-Bus calls to prevent concurrent profile modifications.F - NetworkManager no longer uses tentative IPv6 addresses to resolve the system hostname from DNS.
- To prevent unexpected behaviors in case of multi-connect profiles, NetworkManager now tracks the number of auto-connect retries left for each device and connection instead of only per connection.
-
NetworkManager sets VLAN filtering options by using the kernel’s
netlink
interface instead of thesysfs
file system. -
The
nm-cloud-setup
utility now supports Instance Metadata Service Version 2 (IDMSv2) on Amazon EC2. -
Users can now enable and disable wifi and Wireless Wide Area Networks (WWANs) in the
nmtui
application. -
Bond, bridge, and team connections now use the
ignore-carrier=no
setting in the[main]
section of the/etc/NetworkManager/NetworkManager.conf
file.
SCTP rebased to the latest version of the kernel networking tree for RHEL 9
Notable changes in the Stream Control Transmission Protocol (SCTP) networking subsystem include:
- Virtual routing and forwarding (VRF) support to segment and isolate SCTP traffic within complex network environments.
-
New stream schedulers (
fair capacity
, andweighted fair queueing
) to ensure efficient and equal resource allocation in the network.
MPTCP rebased to the latest version of the kernel networking tree for RHEL 9
Notable changes in the Multipath TCP (MPTCP) protocol extension include:
- Support for TCP fastopen (TFO) extension, including the client-side support. This feature offers latency, efficiency, and performance improvements for your network.
- Support multiple mixed IPv4/IPv6 subflows to allow for greater flexibility and adaptability in networks where both IP versions are used.
Bugzilla:2193330[1]
The xdp-tools
package rebased to version 1.4.0
The xdp-tools
package has been upgraded to version 1.4.0, which provides multiple bug fixes and enhancements. Notable changes include:
-
The
xdp-bench
utility gained support for multi-buffer eXpress Data Path (XDP) and for benchmarking thexdp_load_bytes()
helper in the kernel. This feature enables conducting network benchmarking tests with large maximum transmission units (MTUs). -
The locking of the command line utilities of
xdp-tools
was improved to prevent stale locks if the utility did not exit cleanly. -
The
libxdp
library contains a newxsk_umem__create_with_fd()
API that accepts an extra file descriptor of an already openAF_XDP
socket. You can use this function as a substitute for the regularxsk_umem__create()
function when a process does not haveCAP_NET_RAW
privileges.
iproute
rebased to version 6.2.0
The iproute
packages have been upgraded to upstream version 6.2.0, which provides several enhancements and bug fixes over the previous version. The most notable changes are:
-
The new
ip stats
command manages and shows interface statistics. By default, theip stats show
command displays statistics for all network devices, including bridges and bonds. You can filter the output by using thedev
andgroup
options. For further details, see theip-stats(8)
man page. -
The
ss
utility now provides the-T
(--threads
) option to display thread information, which extends the-p
(--processes
) option. For further details, see thess(8)
man page. -
You can use the new
bridge fdb flush
command to remove specific forwarding database (fdb) entries which match a supplied option. For further details, see thebridge(8)
man page.
Jira:RHEL-428[1]
The kernel supports activating bond ports in a specific order
With this enhancement, the kernel’s netlink
interface supports setting a priority on each port if you configure a bond in active-backup
, balance-tlb
or balance-alb
mode. The priority value uses a 32-bit Integer, and a higher value means a higher priority. As a result, you can now activate the bond ports in a specific order.
To use this feature, you can configure the priority by setting the bond-port.prio
property when you create or modify a NetworkManager port connection profile.
Bugzilla:2092194[1]
firewalld
now avoids unnecessary firewall rule flushes
With the release of the RHBA-2023:7748, advisory the firewalld
service was upgraded in a sense that it will not remove all the existing rules from the iptables
configuration if both following conditions are met:
-
firewalld
is using thenftables
backend. -
There are no firewall rules created with the
--direct
option.
This change aims at reducing unnecessary operations (firewall rules flushes) and improves integration with other software.
Jira:RHEL-14694[1]
Introduction of new nmstate
attributes for the VLAN interface
With this update of the nmstate
framework, the following VLAN attributes were introduced:
-
registration-protocol
: VLAN Registration Protocol. The valid values aregvrp
(GARP VLAN Registration Protocol),mvrp
(Multiple VLAN Registration Protocol), andnone
. -
reorder-headers
: reordering of output packet headers. The valid values aretrue
andfalse
. -
loose-binding
: loose binding of the interface to the operating state of its primary device. The valid values aretrue
andfalse
.
Your YAML configuration file can look similar to the following example:
--- interfaces: - name: eth1.101 type: vlan state: up vlan: base-iface: eth1 id: 101 registration-protocol: mvrp loose-binding: true reorder-headers: true
Jira:RHEL-19142[1]
4.8. Kernel
Kernel version in RHEL 9.3
Red Hat Enterprise Linux 9.3 is distributed with the kernel version 5.14.0-362.8.1.
Support added for NVIDIA Grace CPUs
Red Hat Enterprise Linux 9.3 adds support for the NVIDIA Grace ARM 64-bit CPU.
Jira:RHELDOCS-17055[1]
The RHEL kernel now supports AutoIBRS
Automatic Indirect Branch Restricted Speculation (AutoIBRS) is a feature provided by the AMD EPYC 9004 Genoa family of processors and later CPU versions. AutoIBRS is the default mitigation for the Spectre v2 CPU vulnerability, which boosts performance and improves scalability.
Bugzilla:1898184[1]
perf
rebased to version 6.2
The perf
performance analysis tool has been rebased to version 6.2. Apart from numerous minor bug fixes and updates, the perf list
command now displays Performance Monitor Unit (PMU) events that contain human-friendly names and descriptions. In addition, this update adds support for the following processors:
- Intel 13th generation of Core processors (Intel Raptor Lake-S)
- Intel 14th generation of processors (Intel Meteor Lake)
- Intel 5th generation Xeon server processors (Intel Emerald Rapids)
Bugzilla:2177180[1]
The Intel® QAT kernel driver rebased to upstream version 6.2
The Intel® Quick Assist Technology (QAT) has been rebased to upstream version 6.2. The Intel® QAT includes accelerators optimized for symmetric and asymmetric cryptography, compression performance, and other CPU intensive tasks.
The rebase includes many bug fixes and enhancements. The most notable enhancement is the support available for following hardware accelerator devices for QAT GEN4:
- Intel Quick Assist Technology 401xx devices
- Intel Quick Assist Technology 402xx devices
Bugzilla:2144528[1]
vTPM
functionality is available for Linux containers
This enhancement introduces virtual Trusted Platform Module (vTPM
) for Linux containers and other virtual environments. vTPM
is a virtualized version of TPM that provides a dedicated TPM instance to use for a secure running environment. With vTPM
proxy drivers, programs interact with an emulated TPM the same way as they interact with physical TPMs.
As a result, each virtual machine can now have a dedicated vTPM
instance that is isolated and encrypted.
Bugzilla:2210263[1]
crash
rebased to version 8.0.3
crash
is an interactive utility to analyze a running system and a core dump file created by kdump
in case of a kernel crash. The crash
utility has been rebased to version 8.0.3 that includes many bug fixes and enhancements. The most notable enhancement is the added IPv6 support.
For network interfaces that support IPv6, crash
prints IPv6 addresses with the net
or net -s
command.
-
The
net
command displays the list of network devices, names, and the IP address. The
net -s
command displays the following information:- The open network socket and sock addresses
- The family and the type of sockets and sock addresses
-
The source and destination address and ports for
INET
andINET6
families
LVM thin-provisioned storage volumes supported as the vmcore
dump target
The kdump
mechanism now supports thin-provisioned logical volumes as the vmcore
target. To configure LVM thin provisioning, complete the following steps:
Create an LVM volume group.
vgcreate vg00 /dev/sdb
Create an LVM thin pool of 10 MB available space.
lvcreate -L 10M -T vg00/thinpool
Create an LVM thin volume with 300 MB of the file system space.
lvcreate -V 300M -T vg00/thinpool -n thinvol mkfs.ext4 /dev/vg00/thinvol
Configure the LVM thin pool threshold to automatically extend the space.
cat /etc/lvm/lvm.conf activation { thin_pool_autoextend_threshold = 70 thin_pool_autoextend_percent = 20 monitoring = 1 }
Enable the LVM thin pool monitoring service for the first kernel.
systemctl enable lvm2-monitor.service systemctl start lvm2-monitor.service
Append the following lines to the
kdump.conf
file to set the LVM thin volume as thekdump
target.ext4 /dev/vg00/thinvol path /
Start the
kdump
service.kdumpctl restart
-
Verify the configuration by triggering a kernel panic and check if the
vmcore
is saved to/dev/vg00/thinvol
.
As a result, with this enhancement, the kdump
mechanism now extends capability to save the vmcore
dump files on thin-provisioned storage volumes.
makedumpfile
rebased to upstream version 1.7.3
The makedumpfile
tool, which makes the crash dump file small by compressing pages or excluding memory pages that are not required, has been rebased to upstream version 1.7.3. The rebase includes many bug fixes and enhancements.
The most notable change is the added 5-level paging mode for standalone dump (sadump
) mechanism on AMD and Intel 64-bit architecture. The 5-level paging mode extends the processor’s linear address width to allow applications access larger amounts of memory. 5-level paging extends the size of virtual addresses from 48 to 57 bits and the physical addresses from 46 to 52 bits.
Red Hat Enterprise Linux supports ARM’s SystemReady ES and IR tier
Red Hat Enterprise Linux now supports ARM’s SystemReady ES and IR, while previously only the SR tier was supported. In RHEL 9.3, the NVIDIA Orin, NXP i.MX 8M, and NXP i.MX 8M Mini modules have been enabled and are candidates for the RHEL hardware certification. Hardware partners are able to submit certifications by enrolling in the Red Hat hardware certification journey. Customers can use the supported hardware listed in the catalog for an improved experience in production.
Bugzilla:2195986[1]
RHEL on ARM now supports Bluetooth
With this enhancement, you can configure a bluetooth device by using the bluetoothctl
tool on the command-line interface.
Bugzilla:2187856[1]
RHEL on ARM now fully supports USB-attached cameras in RHEL 9.3
This enhancement enables the CONFIG_MEDIA_SUPPORT
kernel configuration for RHEL on AMD and Intel 64-bit architectures platforms. With that, you can now use USB cameras on AMD and Intel 64-bit architectures systems.
Bugzilla:2192722[1]
bpf
rebased to version 6.3
The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 6.3. Notable changes and enhancements include:
- BPF trampoline is now available on the 64-bit IBM Z architecture.
-
A new map type -
BPF_MAP_TYPE_USER_RINGBUF
- and related helpers have been defined for the communication between the user space and kernel over a BPF-specific ring buffer. -
BPF now provides new complex data structures: linked list and
rbtree
. -
BPF trampoline that traces programs now supports
struct
arguments. - BPF now provides a way to export XDP features supported by a NIC.
-
Hardware metadata are now exposed to XDP programs by using the BPF kernel functions (
kfuncs
) with initial support for RX hash and timestamp metadata. -
BPF now provides a helper that sets source and destination NAT addresses and ports in new
conntrack
module entries in BPF programs. -
BPF can now write directly to the
nf_conn:mark
connection mark of the netfilter packet filtering framework.
Bugzilla:2178930[1]
4.9. Boot loader
New default behavior of grub2-mkconfig
with BLS
In the Boot Loader Specification (BLS) framework, GRUB generates the boot menu dynamically from BLS snippets at boot, and it is not predefined in the grub.cfg
file.
Previously, the grub2-mkconfig
command generated a new grub.cfg
file and always overwrote the command-line arguments in all BLS snippets with the value of the GRUB_CMDLINE_LINUX
variable found in the /etc/default/grub
file.
With this release, the grub2-mkconfig
command no longer overwrites the kernel command line in BLS snippets with GRUB_CMDLINE_LINUX
by default. Each kernel in the boot loader menu takes its kernel command line from its BLS snippet. This new default behavior is caused by the GRUB_ENABLE_BLSCFG=true
option.
To regenerate grub.cfg
so that kernels ignore BLS snippets and take their command line from GRUB_CMDLINE_LINUX
instead, set the GRUB_ENABLE_BLSCFG=false
option.
To update the kernel command line in BLS snippets according to GRUB_CMDLINE_LINUX
, add the --update-bls-cmdline
option:
# grub2-mkconfig -o /path/to/grub.cfg --update-bls-cmdline
Also note that you can make changes to BLS snippets for individual kernels using grubby
:
# grubby --update-kernel /path/to/kernel --args "new args"
Jira:RHELDOCS-16752[1]
4.10. File systems and storage
NFS server now implements courteous server code for nfsd
This update introduces the implementation of courteous server code for nfsd
in the RHEL kernel NFS server. With this new feature, the NFS server avoids revoking leases for clients that have lost contact with the server for an extended period, provided that there is no conflicting access while the client is out of contact.
DAX mount option and reflink are now compatible
With this update, reflinked files are now generally compatible with DAX mode. The file system DAX mount option -o dax=always
is compatible with reflink-enabled file systems. Files that were reflinked can be set to DAX mode using inode flags. For more information see the xfs(5)
man page.
Bugzilla:2192730[1]
New encryption types for the RPCSEC GSS Kerberos V5
The RPCSEC GSS Kerberos V5 mechanism now supports encryption types defined in RFC 6803 (Camellia Encryption for Kerberos 5) and RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos 5).
The following encryption types have been added:
-
camellia128-cts-cmac
-
camellia256-cts-cmac
-
aes128-cts-hmac-sha256-128
-
aes256-cts-hmac-sha384-192
This allows NFS clients and NFS servers to use stronger encryption types when negotiating GSS contexts.
fuse3
now allows invalidating a directory entry without triggering umount
With this update, a new mechanism has been added to fuse3
package, that allows invalidating a directory entry without automatically triggering the umount
of any mounts that exists on the entry.
Stratis storage manager is now available
Stratis is a local storage manager. It provides managed file systems on top of pools of storage with additional features to the user:
- Manage snapshots and thin provisioning
- Automatically grow file system sizes as needed
- Maintain file systems
- Pool Level Encryption
- TMP2 and NBDE Support
To administer Stratis storage, use the stratis
utility, which communicates with the stratisd
background service.
For more information, see the Stratis documentation: Setting up Stratis file systems.
Improvements to GFS2 file system configuration and operation
The following updates have been implemented for GFS2 file systems:
-
The
mkfs.gfs2
command now supports the new-U
option, which makes it possible to specify the file system UUID for the file system you create. If you omit this option, the file system’s UUID is generated randomly. -
The
gfs2_jadd
command creates journals at a much faster speed than in previous releases. - The GFS2 man pages have been improved.
dmpd
rebased to version 1.0.2
The dmpd
package has been upgraded to version 1.0.2. Notable changes include:
- Rewriting the tools in the Rust language for memory safety and for using multiple threads to boost performance.
-
Improving the
thin_check
andcache_check
tools to save the time of LVM pool activation along with the system startup. The required execution time for these tools is now improved by more than ten times as compared to the previous version. -
Updating
thin_dump
andthin_restore
tools to avoid losing sharing of the metadatabtrees
for snapshots. Now the restored metadata does not require more space. -
Adding new
thin_metadata_pack
andthin_metadata_unpack
tools to compress thin metadata, typically to a tenth of the size. This is better than the generic compressors. With this tool, it is easier to pass damaged metadata around for inspection.
New per-device counter is added for SCSI devices
A new per-device counter, iotmo_cnt
, is now added for the I/O timeouts in the SCSI updates. In addition to the iorequest_cnt
count of I/O requests, the iodone_cnt
I/O completions, and the ioerr_cnt
I/O errors, the number of request timeouts can be seen. For example:
/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iorequest_cnt /sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iodone_cnt /sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iotmo_cnt /sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/ioerr_cnt
Bugzilla:2171093[1]
mpathcleanup
flushes the multipath devices in device-mapper-multipath
The mpathcleanup
tool works on SCSI-based multipath devices and removes the multipath device along with the SCSI path devices. Some users need to remove multipath devices and their path devices regularly. Previously, there was no tool available to remove multipath devices and a user-defined script was required for this operation.
With this new tool, users can now easily remove multipath devices and their underlying storage, and there is no need to create any script for this operation.
Jira:RHEL-782[1]
nvme-cli
rebased to version 2.4
The nvme-cli
package has been upgraded to version 2.4, which provides multiple bug fixes and enhancements. Notable changes include:
- Supports TLS over TCP.
-
Fixes incorrect ordering of the
systemd
auto-connect services to mount file systems using the/etc/fstab
file. -
Fixes printing of the
u32
values. - Validates storage tag size correctly.
-
Supports the
nvme effects-log
command for fabrics controllers.
Bugzilla:2159929[1]
4.11. High availability and clusters
Support for failover of LVM volume groups with missing physical volumes
The LVM-activate
resource agent now supports two new options that allow volume group failover if the volume group is missing physical volumes:
-
The
majoritypvs
option allows the system ID to be changed on a volume group when a volume group is missing physical volumes, provided that a majority of physical volumes are present. -
The
degraded_activation
option allows RAID logical volumes in a volume group to be activated when legs are missing, provided that sufficient devices are available for RAID to provide all the data in the logical volume.
Bugzilla:2174911[1]
IPaddr2
and IPsrcaddr
cluster resource agents now support policy-based routing
The IPaddr2
and IPsrcaddr
cluster resource agents now support policy-based routing,which enables you to configure complex routing scenarios. Policy-based routing requires that you configure the resource agent’s table
parameter.
The Filesystem
resource agent now supports the EFS file system type
The ocf:heartbeat:Filesystem
cluster resource agent now supports the Amazon Elastic File System (EFS). You can now specify fstype=efs
when configuring a Filesystem
resource.
New pcs
parsing requires meta
keyword when specifying clone meta attributes
To ensure consistency in the pcs
command format, configuring clone meta attributes with the pcs resource clone
, pcs resource promotable
, and pcs resource create
commands without specifying the meta
keyword is now deprecated.
Previously, the meta
keyword was ignored in the pcs resource clone
and pcs resource promotable
commands. In the pcs resource create
command, however, the meta attributes specified after the meta
keyword when it followed the clone
keyword were assigned to the resource rather than to the clone. With this updated parsing algorithm, meta attributes specified after the meta
keyword when it follows the clone
keyword are assigned to the clone. To maintain compatibility with existing scripts which rely on the older format, you must specify the --future
command option to enable this new argument processing when creating a cloned resource with the pcs resource create
command.
The following command now creates a resource with the meta attribute mv=v1
and a clone with the meta attribute mv=v2
:
pcs resource create dummy1 ocf:pacemaker:Dummy meta m1=v1 clone meta m2=v2 --future
Displaying the pcs
commands for re-creating configured resource constraints
You can now display the pcs constraint
commands that can be used to re-create configured resource constraints on a different system by using the pcs constraint
command with the new --output-format=cmd
option. The default output format is plain text, as in previous releases, which you can specify with the --output-format=text
option. The plain text format has been changed slightly to make it consistent with the output format of other pcs
commands.
Rebase Pacemaker packages to version: 2.1.6
The Pacemaker packages have been upgraded to upstream version 2.1.6, which provides several enhancements and bug fixes over the previous version.
The following features have been added:
- Previously, when a Pacemaker Remote connection was lost, Pacemaker would always purge its transient node attributes. This was unnecessary if the connection was quickly recoverable and the remote daemon had not restarted in the meantime. Pacemaker Remote nodes now preserve transient node attributes after a brief, recoverable connection outage.
-
The
alert_snmp.sh.sample
alert agent, which is the sample alert agent provided with Pacemaker, now supports the SNMPv3 protocol and SNMPv2. With this update, you can copy thealert_snmp.sh.sample
agent without modification to use SNMPv3 with Pacemaker alerts. -
Pacemaker alerts and alert recipients now support an
enabled
meta option. Setting this option tofalse
for an alert disables the alert. Setting this option totrue
for an alert andfalse
for a particular recipient disables the alert for that recipient. The default value for this option istrue
. You can use this option to temporarily disable an alert for any reason, such as planned maintenance.
The following bugs have been fixed:
- Pacemaker Designated Controller elections no longer finalized until all pending actions are complete and no action results are lost.
-
The
fence_scsi
agent is now able to auto-detect sharedlvmlockd
devices when thedevices
attribute is not set. - Resource stickiness now properly compares against colocation scores.
-
The
crm_resource
command now allows banning or moving a bundle with only a single active replica. - Previously, promotable clone instances were assigned in numerical order, with promoted instances first. As a result, if a promoted clone instance needed to start, an unpromoted instance in some cases restarted unexpectedly, because the instance numbers changed. With this fix, roles are considered when assigning instance numbers to nodes and as a result no unnecessary restarts occur.
Enhancements to the pcs property
command
The pcs property
command now supports the following enhancements:
The
pcs property config --output-format=
option-
Specify
--output-format=cmd
to display thepcs property set
command created from the current cluster properties configuration. You can use this command to re-create configured cluster properties on a different system. -
Specify
--output-format=json
to display the configured cluster properties in JSON format. -
Specify
output-format=text
to display the configured cluster properties in plain text format, which is the default value for this option.
-
Specify
-
The
pcs property defaults
command, which replaces the deprecatedpcs property --defaults
option -
The
pcs property describe
command, which describes the meaning of cluster properties
4.12. Dynamic programming languages, web and database servers
A new environment variable in Python to control parsing of email addresses
To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.
The update in RHSA-2024:2024 introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING
environment variable. When you set this variable to true
, the previous, less strict parsing behavior is the default for the entire system:
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
However, individual calls to the affected functions can still enable stricter behavior.
You can achieve the same result by creating the /etc/python/email.cfg
configuration file with the following content:
[email_addr_parsing] PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python.
Jira:RHELDOCS-17369[1]
A new nodejs:20
module stream is fully supported
A new module stream, nodejs:20
, previously available as a Technology Preview, is fully supported with the release of the RHEA-2023:7252 advisory. The nodejs:20
module stream now provides Node.js 20.9
, which is a Long Term Support (LTS) version.
Node.js 20
included in RHEL 9.3 provides numerous new features, bug fixes, security fixes, and performance improvements over Node.js 18
available since RHEL 9.1.
Notable changes include:
-
The
V8
JavaScript engine has been upgraded to version 11.3. -
The
npm
package manager has been upgraded to version 9.8.0. -
Node.js
introduces a new experimental Permission Model. -
Node.js
introduces a new experimental Single Executable Application (SEA) feature. -
Node.js
provides improvements to the Experimental ECMAScript modules (ESM) loader. -
The native test runner, introduced as an experimental
node:test
module inNode.js 18
, is now considered stable. -
Node.js
provides various performance improvements.
To install the nodejs:20
module stream, use:
# dnf module install nodejs:20
If you want to upgrade from the nodejs:18
stream, see Switching to a later stream.
For information about the length of support for the nodejs
Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new filter
argument to the Python tarfile
extraction functions
To mitigate CVE-2007-4559, Python adds a filter
argument to the tarfile
extraction functions. The argument allows turning tar
features off for increased safety (including blocking the CVE-2007-4559 directory traversal attack). If a filter is not specified, the 'data'
filter, which is the safest but most limited, is used by default in RHEL. In addition, Python emits a warning when your application has been affected.
For more information, including instructions to hide the warning, see the Knowledgebase article Mitigation of directory traversal attack in the Python tarfile library (CVE-2007-4559).
Jira:RHELDOCS-16405[1]
The HTTP::Tiny
Perl module now verifies TLS certificates by default
The default value for the verify_SSL
option in the HTTP::Tiny
Perl module has been changed from 0
to 1
to verify TLS certificates when using HTTPS. This change fixes CVE-2023-31486 for HTTP::Tiny
and CVE-2023-31484 for the CPAN Perl module.
To make support for TLS verification available, this update adds the following dependencies to the perl-HTTP-Tiny
package:
-
perl-IO-Socket-SSL
-
perl-Mozilla-CA
-
perl-Net-SSLeay
Bugzilla:2228412[1]
httpd
rebased to version 2.4.57
The Apache HTTP Server has been updated to version 2.4.57, which provides bug fixes, enhancements, and security fixes over version 2.4.53 available since RHEL 9.1.
Notable enhancements include:
-
The
rotatelogs
utility provided withhttpd
introduces a new-T
option to truncate all rotated logfiles except the initial log file. -
The
LDAPConnectionPoolTTL
directive of themod_ldap
module now accepts negative values to enable reuse of connections of any age. Previously, a negative value was handled as an error. -
Workers from the
mod_proxy_hcheck
module now correctly time out according to the worker timeout settings. -
The
hcmethod
parameter of themod_proxy_hcheck
module now provides newGET11
,HEAD11
, andOPTIONS11
methods for HTTP/1.1 requests.
A new mod_authnz_fcgi
module in httpd
The Apache HTTP Server now includes the mod_authnz_fcgi
module, which enables FastCGI authorizer applications to authenticate users and authorize access to resources.
The mod_authnz_fcgi
module is not loaded by default. To load this module, uncomment the following line in the /etc/httpd/conf.modules.d/00-optional.conf
file:
LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
Bugzilla:2173295[1]
A new ssl_pass_phrase_dialog
directive in nginx:1.22
With this update to the nginx:1.22
module stream, you can use the new ssl_pass_phrase_dialog
directive to configure an external program that is called at nginx
start for each encrypted private key.
To use the new directive, add one of the following lines to the /etc/nginx/nginx.conf
file:
To call an external program for each encrypted private key file, enter:
ssl_pass_phrase_dialog exec:<path_to_program>;
nginx
calls this program with the following two arguments:-
The server name specified in the
server_name
setting. -
One of the following algorithms:
RSA
,DSA
,EC
,DH
, orUNK
if a cryptographic algorithm cannot be recognized.
-
The server name specified in the
If you want to manually enter a passphrase for each encrypted private key file, enter:
ssl_pass_phrase_dialog builtin;
This is the default behavior if
ssl_pass_phrase_dialog
is not configured.Note that the
nginx
service fails to start if you use this method but have at least one private key protected by a passphrase. In this case, use one of the other methods.If you want
systemd
to prompt for the passphrase for each encrypted private key when you start thenginx
service by using thesystemctl
utility, enter:ssl_pass_phrase_dialog exec:/usr/libexec/nginx-ssl-pass-dialog;
Note that the ssl_pass_phrase_dialog
directive in nginx
is similar to the SSLPassPhraseDialog
directive in the Apache HTTP Server.
A new rhel9/squid
container image
The rhel9/squid
container image is now available in the Red Hat Container Registry. Squid
is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid
handles all requests in a single, non-blocking, I/O-driven process. Squid
keeps metadata and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.
To pull the new container image, run:
# podman pull registry.redhat.io/rhel9/squid
A new module stream: redis:7
Redis 7
, an advanced key-value store, is now available as a new module stream, redis:7
.
Notable changes over Redis 6
include:
- Server-side scripting in the Redis Functions API
- Fine-grained access control list (ACL) support
- Shared publish/subscribe (pub/sub) support for clusters
- Various new commands and command arguments
Redis 7
introduces several backward incompatible changes, for example:
-
Redis 7
now stores append-only files (AOF) as multiple files in a folder -
Redis 7
uses a new version format for Redis Database (RDB) files that is incompatible with earlier versions
For a complete list of features and incompatible changes, see the upstream release notes.
To install the redis:7
module stream, use:
# dnf module install redis:7
For information about the length of support for the redis
Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
4.13. Compilers and development tools
A new glibc
option to influence optimized routine usage on IBM Z
On the IBM Z architecture, the glibc
library selects function implementations based on the hardware capabilities, such as hwcaps
and stfle
bits. With this update, you can direct the choice made by the library by setting the glibc.cpu.hwcaps
tunable.
Bugzilla:2169978[1]
Improved string and memory routine performance on Intel® Xeon® v5-based hardware in glibc
Previously, the default amount of cache used by glibc
for string and memory routines resulted in lower than expected performance on Intel® Xeon® v5-based systems. With this update, the amount of cache to use has been tuned to improve performance.
The system GCC compiler updated to version 11.4.1
The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages.
The system GCC compiler has been updated to version 11.4.1, which includes numerous bug fixes and enhancements available in the upstream GCC.
For usage information, see Developing C and C++ applications in RHEL 9.
GCC now supports preserving register arguments
With this update, you can now store argument register content to the stack and generate proper Call Frame Information (CFI) to allow the unwinder to locate it without negatively impacting performance.
Bugzilla:2168204[1]
A new -mdaz-ftz
option in GCC on the 64-bit Intel architecture
The system version of GNU Compiler Collection (GCC) on the 64-bit Intel architecture now supports the -mdaz-ftz
option to enable flush-to-zero (FTZ) and denormals-are-zero (DAZ) flags in the MXCSR Control and Status Register.
New GCC Toolset 13
GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
The GCC compiler has been updated to version 13.1.1, which provides many bug fixes and enhancements that are available in upstream GCC.
The following tools and versions are provided by GCC Toolset 13:
Tool | Version |
---|---|
GCC | 13.1.1 |
GDB | 12.1 |
binutils | 2.40 |
dwz | 0.14 |
annobin | 12.20 |
To install GCC Toolset 13, run the following command as root:
# dnf install gcc-toolset-13
To run a tool from GCC Toolset 13:
$ scl enable gcc-toolset-13 tool
To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:
$ scl enable gcc-toolset-13 bash
For more information, see GCC Toolset 13 and Using GCC Toolset.
Bugzilla:2171919[1], Bugzilla:2171930
GCC Toolset 13: GCC rebased to version 13.1.1
In GCC Toolset 13, the GNU Compiler Collection (GCC) has been updated to version 13.1.1. Notable changes include:
General improvements
OpenMP:
- OpenMP 5.0: Fortran now supports some non-rectangular loop nests. Such support was added for C/C++ in GCC 11.
- Many OpenMP 5.1 features have been added.
- Initial support for OpenMP 5.2 features has been added.
-
A new debug info compression option value,
-gz=zstd
, is now available. -
The
-Ofast
,-ffast-math
, and-funsafe-math-optimizations
options no longer add startup code to alter the floating-point environment when producing a shared object with the-shared
option. -
GCC can now emit its diagnostics using Static Analysis Results Interchange Format (SARIF), a JSON-based format suited for capturing the results of static analysis tools (such as GCC’s
-fanalyzer
). You can also use SARIF to capture other GCC warnings and errors in a machine-readable format. - Link-time optimization improvements have been implemented.
New languages and language-specific improvements
C family:
-
A new
-Wxor-used-as-pow
option warns about uses of the exclusive or (^
) operator where the user might have meant exponentiation. Three new function attributes have been added for documenting
int
arguments that are file descriptors:-
attribute((fd_arg(N)))
-
attribute((fd_arg_read(N)))
-
attribute((fd_arg_write(N)))
These attributes are also used by
-fanalyzer
to detect misuses of file descriptors.-
-
A new statement attribute,
attribute((assume(EXPR)));
, has been added for C++23 portable assumptions. The attribute is supported also in C or earlier C++. -
GCC can now control when to treat the trailing array of a structure as a flexible array member for the purpose of accessing the elements of such an array. By default, all trailing arrays in aggregates are treated as flexible array members. Use the new command-line option
-fstrict-flex-arrays
to control what array members are treated as flexible arrays.
C:
Several C23 features have been implemented:
-
Introduced the
nullptr
constant. - Enumerations enhanced to specify underlying types.
- Requirements for variadic parameter lists have been relaxed.
-
Introduced the
auto
feature to enable type inference for object definitions. -
Introduced the
constexpr
specifier for object definitions. - Introduced storage-class specifiers for compound literals.
-
Introduced the
typeof
object (previously supported as an extension) and thetypeof_unqual
object. -
Added new keywords:
alignas
,alignof
,bool
,false
,static_assert
,thread_local
, andtrue
. -
Added the
[[noreturn]]
attribute to specify that a function does not return execution to its caller. - Added support for empty initializer braces.
-
Added support for
STDC_VERSION_*_H
header version macros. -
Removed the
ATOMIC_VAR_INIT
macro. -
Added the
unreachable
macro for the<stddef.h>
header. - Removed trigraphs.
- Removed unprototyped functions.
-
Added
printf
andscanf
format checking through the-Wformat
option for the%wN
and%wfN
format length modifiers. - Added support for identifier syntax of Unicode Standard Annex (UAX) 31.
-
Existing features adopted in C23 have been adjusted to follow C23 requirements and are not diagnosed using the
-std=c2x -Wpedantic
option.
-
Introduced the
-
A new
-Wenum-int-mismatch
option warns about mismatches between an enumerated type and an integer type.
C++:
Implemented excess precision support through the
-fexcess-precision
option. It is enabled by default in strict standard modes such as-std=c++17
, where it defaults to-fexcess-precision=standard
. In GNU standard modes such as-std=gnu++20
, it defaults to-fexcess-precision=fast
, which restores previous behavior.The
-fexcess-precision
option affects the following architectures:-
Intel 32- and 64-bit using x87 math, in some cases on Motorola 68000, where
float
anddouble
expressions are evaluated inlong double
precision. -
64-bit IBM Z systems where
float
expressions are evaluated indouble
precision. -
Several architectures that support the
std::float16_t
orstd::bfloat16_t
types, where these types are evaluated infloat
precision.
-
Intel 32- and 64-bit using x87 math, in some cases on Motorola 68000, where
Improved experimental support for C++23, including::
- Added support for labels at the end of compound statements.
- Added a type trait to detect reference binding to a temporary.
- Reintroduced support for volatile compound operations.
-
Added support for the
#warning
directive. - Added support for delimited escape sequences.
- Added support for named universal character escapes.
-
Added a compatibility and portability fix for the
char8_t
type. -
Added static
operator()
function objects. - Simplified implicit moves.
- Rewriting equality in expressions is now less of a breaking change.
- Removed non-encodable wide character literals and wide multicharacter literals.
-
Relaxed some
constexpr
function restrictions. - Extended floating-point types and standard names.
- Implemented portable assumptions.
- Added support for UTF-8 as a portable source file encoding standard.
-
Added support for static
operator[]
subscripts.
New warnings:
-
-Wself-move
warns when a value is moved to itself withstd::move
. -
-Wdangling-reference
warns when a reference is bound to a temporary whose lifetime has ended. -
The
-Wpessimizing-move
and-Wredundant-move
warnings have been extended to warn in more contexts.
-
-
The new
-nostdlib++
option enables linking withg++
without implicitly linking in the C++ standard library.
Changes in the libstdc++
runtime library
Improved experimental support for C++20, including:
-
Added the
<format>
header and thestd::format
function. -
Added support in the
<chrono>
header for thestd::chrono::utc_clock
clock, other clocks, time zones, and thestd::format
function.
-
Added the
Improved experimental support for C++23, including:
-
Additions to the
<ranges>
header:views::zip
,views::zip_transform
,views::adjacent
,views::adjacent_transform
,views::pairwise
,views::slide
,views::chunk
,views::chunk_by
,views::repeat
,views::chunk_by
,views::cartesian_product
,views::as_rvalue
,views::enumerate
,views::as_const
. -
Additions to the
<algorithm>
header:ranges::contains
,ranges::contains_subrange
,ranges::iota
,ranges::find_last
,ranges::find_last_if
,ranges::find_last_if_not
,ranges::fold_left
,ranges::fold_left_first
,ranges::fold_right
,ranges::fold_right_last
,ranges::fold_left_with_iter
,ranges::fold_left_first_with_iter
. -
Support for monadic operations for the
std::expected
class template. -
Added
constexpr
modifiers to thestd::bitset
,std::to_chars
andstd::from_chars
functions. - Added library support for extended floating-point types.
-
Additions to the
-
Added support for the
<experimental/scope>
header from version 3 of the Library Fundamentals Technical Specification (TS). -
Added support for the
<experimental/synchronized_value>
header from version 2 of the Concurrency TS. Added support for many previously unavailable features in freestanding mode. For example:
-
The
std::tuple
class template is now available for freestanding compilation. -
The
libstdc++
library adds components to the freestanding subset, such asstd::array
andstd::string_view
. -
The
libstdc++
library now respects the-ffreestanding
compiler option, so it is no longer necessary to build a separate freestanding installation of thelibstdc++
library. Compiling with-ffreestanding
will restrict the available features to the freestanding subset, even if thelibstdc++
library was built as a full, hosted implementation.
-
The
New targets and target-specific Improvements
The 64-bit ARM architecture:
-
Added support for the
armv9.1-a
,armv9.2-a
, andarmv9.3-a
arguments for the-march=
option.
The 32- and 64-bit AMD and Intel architectures:
-
For both C and C++, the
__bf16
type is supported on systems with Streaming SIMD Extensions 2 and above enabled. -
The real
__bf16
type is now used forAVX512BF16
instruction intrinsics. Previously,__bfloat16
, a typedef of short, was used. Adjust yourAVX512BF16
related source code when upgrading GCC 12 to GCC 13. Added new Instruction Set Architecture (ISA) extensions to support the following Intel instructions:
-
AVX-IFMA
whose instruction intrinsics are available through the-mavxifma
compiler switch. -
AVX-VNNI-INT8
whose instruction intrinsics are available through the-mavxvnniint8
compiler switch. -
AVX-NE-CONVERT
whose instruction intrinsics are available through the-mavxneconvert
compiler switch. -
CMPccXADD
whose instruction intrinsics are available through the-mcmpccxadd
compiler switch. -
AMX-FP16
whose instruction intrinsics are available through the-mamx-fp16
compiler switch. -
PREFETCHI
whose instruction intrinsics are available through the-mprefetchi
compiler switch. -
RAO-INT
whose instruction intrinsics are available through the-mraoint
compiler switch. -
AMX-COMPLEX
whose instruction intrinsics are available through the-mamx-complex
compiler switch.
-
-
GCC now supports AMD CPUs based on the
znver4
core through the-march=znver4
compiler switch. The switch makes GCC consider using 512-bit vectors when auto-vectorizing.
Improvements to the static analyzer
The static analyzer has gained 20 new warnings:
-
-Wanalyzer-allocation-size
-
-Wanalyzer-deref-before-check
-
-Wanalyzer-exposure-through-uninit-copy
-
-Wanalyzer-imprecise-fp-arithmetic
-
-Wanalyzer-infinite-recursion
-
-Wanalyzer-jump-through-null
-
-Wanalyzer-out-of-bounds
-
-Wanalyzer-putenv-of-auto-var
-
-Wanalyzer-tainted-assertion
Seven new warnings relating to misuse of file descriptors:
-
-Wanalyzer-fd-access-mode-mismatch
-
-Wanalyzer-fd-double-close
-
-Wanalyzer-fd-leak
-
-Wanalyzer-fd-phase-mismatch
(for example, callingaccept
on a socket before callinglisten
on it) -
-Wanalyzer-fd-type-mismatch
(for example, using a stream socket operation on a datagram socket) -
-Wanalyzer-fd-use-after-close
-Wanalyzer-fd-use-without-check
-
Also implemented special-casing handling of the behavior of the
open
,close
,creat
,dup
,dup2
,dup3
,pipe
,pipe2
,read
, andwrite
functions.
-
Also implemented special-casing handling of the behavior of the
-
Four new warnings for misuses of the
<stdarg.h>
header:-
-Wanalyzer-va-list-leak
warns about missing ava_end
macro after ava_start
orva_copy
macro. -
-Wanalyzer-va-list-use-after-va-end
warns about ava_arg
orva_copy
macro used on ava_list
object type that has had theva_end
macro called on it. -
-Wanalyzer-va-arg-type-mismatch
type-checksva_arg
macro usage in interprocedural execution paths against the types of the parameters that were actually passed to the variadic call. -
-Wanalyzer-va-list-exhausted
warns if ava_arg
macro is used too many times on ava_list
object type in interprocedural execution paths.
-
-
- Numerous other improvements.
Backwards incompatible changes
For C++, construction of global iostream objects such as std::cout
, std::cin
is now done inside the standard library, instead of in every source file that includes the <iostream>
header. This change improves the startup performance of C++ programs, but it means that code compiled with GCC 13.1 will crash if the correct version of libstdc++.so
is not used at runtime. See the documentation about using the correct libstdc++.so
at runtime. Future GCC releases will mitigate the problem so that the program cannot be run at all with an earlier incompatible libstdc++.so
.
Bugzilla:2172093[1]
GCC Toolset 13: annobin
rebased to version 12.20
GCC Toolset 13 provides the annobin
package version 12.20. Notable enhancements include:
-
Added support for moving
annobin
notes into a separate debug info file. This results in reduced executable binary size. - Added support for a new smaller note format reduces the size of the separate debuginfo files and the time taken to create these files.
Bugzilla:2171923[1]
GCC Toolset 13: GDB rebased to version 12.1
GCC Toolset 13 provides GDB version 12.1.
Notable bug fixes and enhancements include:
-
GDB now styles source code and disassembler by default. If styling interferes with automation or scripting of GDB, you can disable it by using the
maint set gnu-source-highlight enabled off
andmaint set style disassembler enabled off
commands. -
GDB now displays backtraces whenever it encounters an internal error. If this affects scripts or automation, you can use the
maint set backtrace-on-fatal-signal off
command to disable this feature.
C/C++ improvements:
- GDB now treats functions or types involving C++ templates similarly to function overloads. You can omit parameter lists to set breakpoints on families of template functions, including types or functions composed of multiple template types. Tab completion has gained similar improvements.
Terminal user interface (TUI):
tui layout
tui focus
tui refresh
tui window height
These are the new names for the oldlayout
,focus
,refresh
, andwinheight
TUI commands. The old names still exist as aliases to these new commands.tui window width
winwidth
Use the new
tui window width
command, or thewinwidth
alias, to adjust the width of a TUI window when windows are laid out in horizontal mode.info win
This command now includes information about the width of the TUI windows in its output.
Machine Interface (MI) changes:
- The default version of the MI interpreter is now 4 (-i=mi4).
-
The
-add-inferior
command with no flag now inherits the connection of the current inferior. This restores the behavior of GDB before version 10. -
The
-add-inferior
command now accepts a--no-connection
flag that causes the new inferior to start without a connection. The
script
field in breakpoint output (which is syntactically incorrect in MI 3 and earlier) has become a list in MI 4. This affects the following commands and events:-
-break-insert
-
-break-info
-
=breakpoint-created
=breakpoint-modified
Use the
-fix-breakpoint-script-output
command to enable the new behavior with earlier MI versions.
-
New commands:
maint set internal-error backtrace [on|off]
maint show internal-error backtrace
maint set internal-warning backtrace [on|off]
maint show internal-warning backtrace
GDB can now print a backtrace of itself when it encounters internal error or internal warning. This is enabled by default for internal errors and disabled by default for internal warnings.
exit
You can exit GDB using the new
exit
command in addition to the existingquit
command.maint set gnu-source-highlight enabled [on|off]
maint show gnu-source-highlight enabled
Enables or disables the GNU Source Highlight library for adding styling to source code. When disabled, the library is not used even if it is available. When the GNU Source Highlight library is not used the Python Pygments library is used instead.set suppress-cli-notifications [on|off]
show suppress-cli-notifications
Controls if printing the notifications is suppressed for CLI or not. CLI notifications occur when you change the selected context (such as the current inferior, thread, or frame), or when the program being debugged stops (for example: because of hitting a breakpoint, completing source-stepping, or an interrupt).
set style disassembler enabled [on|off]
show style disassembler enabled
When enabled, the command applies styling to disassembler output if GDB is compiled with Python support and the Python Pygments package is available.
Changed commands:
set logging [on|off]
Deprecated and replaced by the
set logging enabled [on|off]
command.print
Printing of floating-point values with base-modifying formats such as
/x
has been changed to display the underlying bytes of the value in the required base.clone-inferior
The
clone-inferior
command now ensures that theTTY
,CMD
, andARGs
settings are copied from the original inferior to the new one. All modifications to the environment variables done using theset environment
orunset environment
commands are also copied to the new inferior.
Python API:
-
The new
gdb.add_history()
function takes agdb.Value
object and adds the value it represents to GDB’s history list. The function returns an integer, which is the index of the new item in the history list. -
The new
gdb.history_count()
function returns the number of values in GDB’s value history. -
The new
gdb.events.gdb_exiting
event is called with agdb.GdbExitingEvent
object that has the read-only attributeexit_code
containing the value of the GDB exit code. This event is triggered before GDB’s exit before GDB starts to clean up its internal state. -
The new
gdb.architecture_names()
function returns a list containing all of the possibleArchitecture.name()
values. Each entry is a string. -
The new
gdb.Architecture.integer_type()
function returns an integer type given a size and a signed-ness. -
The new
gdb.TargetConnection
object type represents a connection (as displayed by theinfo connections
command). A sub-class,gdb.RemoteTargetConnection
, representsremote
andextended-remote
connections. -
The
gdb.Inferior
type now has aconnection
property that is an instance of thegdb.TargetConnection
object, the connection used by this inferior. This can beNone
if the inferior has no connection. -
The new
gdb.events.connection_removed
event registry emits agdb.ConnectionEvent
event when a connection is removed from GDB. This event has aconnection
property, agdb.TargetConnection
object for the connection being removed. -
The new
gdb.connections()
function returns a list of all currently active connections. -
The new
gdb.RemoteTargetConnection.send_packet(PACKET)
method is equivalent to the existingmaint packet
CLI command. You can use it to send a specified packet to the remote target. -
The new
gdb.host_charset()
function returns the name of the current host character set as a string. -
The new
gdb.set_parameter(NAME, VALUE)
function sets the GDB parameterNAME
toVALUE
. -
The new
gdb.with_parameter(NAME, VALUE)
function returns a context manager that temporarily sets the GDB parameterNAME
toVALUE
and then resets it when the context is exited. -
The
gdb.Value.format_string
method now takes astyling
argument, which is a boolean. Whentrue
, the returned string can include escape sequences to apply styling. The styling is present only if styling is turned on in GDB (seehelp set styling
). Whenfalse
, which is the default if thestyling
argument is not given, no styling is applied to the returned string. -
The new read-only attribute
gdb.InferiorThread.details
is either a string containing additional target-specific thread-state information, orNone
if there is no such additional information. -
The new read-only attribute
gdb.Type.is_scalar
isTrue
for scalar types, andFalse
for all other types. -
The new read-only attribute
gdb.Type.is_signed
should only be read whenType.is_scalar
isTrue
, and will beTrue
for signed types andFalse
for all other types. Attempting to read this attribute for non-scalar types will raise aValueError
. - You can now add GDB and MI commands implemented in Python.
For more information see the upstream release notes:
Bugzilla:2172096[1]
GCC Toolset 13: bintuils
rebased to version 2.40
GCC Toolset 13 provides the binutils
package version 2.40. Notable enhancements include:
Linkers:
-
The new
-w
(--no-warnings
) command-line option for the linker suppresses the generation of any warning or error messages. This is useful in case you need to create a known non-working binary. The ELF linker now generates a warning message if:
- The stack is made executable
-
It creates a memory resident segment with all three of the
Read
,Write
andeXecute
permissions set It creates a thread local data segment with the
eXecute
permission set.You can disable these warnings by using the
--no-warn-exec-stack
or--no-warn-rwx-segments
options.
- The linker can now insert arbitrary JSON-format metadata into binaries that it creates.
Other tools:
-
A new the
objdump
tool’s--private
option to display fields in the file header and section headers for Portable Executable (PE) format files. -
A new
--strip-section-headers
command-line option for theobjcopy
andstrip
utilities to remove the ELF section header from ELF files. -
A new
--show-all-symbols
command-line option for theobjdump
utility to display all symbols that match a given address when disassembling, as opposed to the default function of displaying only the first symbol that matches an address. -
A new
-W
(--no-weak
) option to thenm
utility to make it ignore weak symbols. The
objdump
utility now supports syntax highlighting of disassembler output for some architectures. Use the--disassembler-color=MODE
command-line option, with MODE being one of the following:-
off
-
color
- This option is supported by all terminal emulators. -
extended-color
- This option uses 8-bit colors not supported by all terminal emulators.
-
Bugzilla:2171926[1]
libabigail
rebased to version 2.3
The libabigail
package has been updated to version 2.3. Notable improvements include:
- The BTF debuginfo format is now supported.
- Improved support for Ada range types.
-
A new
[allow_type]
directive in suppression specifications is now supported. -
Added various new properties for the
[supress_type]
suppression specification. - The ABIXML file format has been updated to version 2.2.
- The SONAME of the library has been changed to reflect its own ABI change.
The libabigail
package is available in the CodeReady Linux Builder (CRB) repository. Note that packages included in the CodeReady Linux Builder repository are unsupported.
The find-debuginfo
script in debugedit
now supports the -q
(--quiet
) flag
With this update, you can use the find-debuginfo
script’s -q
(--quiet
) flag in the debugedit
utility to silence non-error output from the script.
Valgrind rebased to version 3.21.0
Valgrind has been updated to version 3.21.0. Notable enhancements include:
-
A new
abexit
value for the--vgdb-stop-at=event1,event2,…
option notifies thegdbserver
utility when your program exits abnormally, such as with a nonzero exit code. A new
--enable-debuginfod=[yes|no]
option instructs Valgrind to use thedebuginfod
servers listed in theDEBUGINFOD_URLS
environment variable to fetch any missing DWARF debuginfo information for the program running under Valgrind. The default value for this option isyes
.NoteThe
DEBUGINFOD_URLS
environment variable is not set by default.- Valgrind now provides GDB Python commands. These GDB front end commands provide a better integration in the GDB command-line interface. Benefits of this are, for example, GDB auto-completion, and command-specific help, searching for a command or command help that matches a regular expression. For relevant monitoring commands, GDB evaluates arguments to simplify usage of monitor commands.
-
The
vgdb
utility now supports the extended remote protocol when invoked with the--multi
option. The GDBrun
command is supported in this mode and, as a result, you can run GDB and Valgrind from a single terminal. -
You can use the
--realloc-zero-bytes-frees=[yes|no]
option to change the behavior of therealloc()
function with a size of zero for tools that intercept themalloc()
call. -
The
memcheck
tool now performs checks for the use of therealloc()
function with a size of zero. Use the new--show-realloc-size-zero=[yes|no]
switch to disable this feature. -
You can use the new
--history-backtrace-size=value
option for thehelgrind
tool to configure the number of entries to record in the stack traces of earlier accesses. -
The
--cache-sim=[yes|no]
cachegrind
option now defaults tono
and, as a result, only instruction cache read events are gathered by default. -
The source code for the
cg_annotate
,cg_diff
, andcg_merge
cachegrind
utilities has been rewritten and, as a result, the utilities have more flexible command line option handling. For example, they now support the--show-percs
and--no-show-percs
options and the existing--show-percs=yes
and--show-percs=no
options. -
The
cg_annotate
cachegrind
utility now supports diffing (using the--diff
,--mod-filename
, and--mod-funcname
options) and merging (by passing multiple data files). In addition,cg_annotate
now provides more information at the file and function level. -
A new user-request for the
DHAT
tool allows you to override the 1024 byte limit on access count histograms for blocks of memory.
The following new architecture-specific instruction sets are now supported:
64-bit ARM:
- v8.2 scalar and vector Floating-point Absolute Difference (FABD), Floating-point Absolute Compare Greater than or Equal (FACGE), Floating-point Absolute Compare Greater Than (FACGT), and Floating-point Add (FADD) instructions.
- v8.2 Floating-point (FP) compare and conditional compare instructions.
- Zero variants of v8.2 Floating-point (FP) compare instructions.
64-bit IBM Z:
-
Support for the
miscellaneous-instruction-extensions facility 3
and thevector-enhancements facility 2
. This enables programs compiled with the-march=arch13
or-march=z15
options to be executed under Valgrind.
-
Support for the
IBM Power:
- ISA 3.1 support is now complete.
- ISA 3.0 now supports the deliver a random number (darn) instruction.
- ISA 3.0 now supports the System Call Vectored (scv) instruction.
- ISA 3.0 now supports the copy, paste, and cpabort instructions.
systemtap
rebased to version 4.9
The systemtap
package has been upgraded to version 4.9. Notable changes include:
-
A new Language-Server-Protocol (LSP) backend for easier interactive drafting of
systemtap
scripts on LSP-capable editors. - Access to a Python/Jupyter interactive notebook front end.
- Improved handling of DWARF 5 bit fields.
elfutils
rebased to version 0.189
The elfutils
package has been updated to version 0.189. Notable improvements and bug fixes include:
libelf
-
The
elf_compress
tool now supports theELFCOMPRESS_ZSTD
ELF compression type. libdwfl
-
The
dwfl_module_return_value_location
function now returns 0 (no return type) for DWARF Information Entries (DIEs) that point to aDW_TAG_unspecified_type
type tag. eu-elfcompress
-
The
-t
and--type=
options now support the Zstandard (zstd
) compression format via thezstd
argument.
libpfm
rebased to version 4.13
The libpfm
package has been updated to version 4.13. With this update, libpfm
can access performance monitoring hardware native events for the following processor microarchitectures:
- AMD Zen 2
- AMD Zen 3
- AMD Zen 4
- ARM Neoverse N1
- ARM Neoverse N2
- ARM Neoverse V1
- ARM Neoverse V2
- IBM z16
- 4th Generation Intel® Xeon® Scalable Processors
Bugzilla:2185652, Bugzilla:2047720, Bugzilla:2111940, Bugzilla:2111924, Bugzilla:2111930, Bugzilla:2111933, Bugzilla:2111957, Bugzilla:2111946
papi
supports new processor microarchitectures
With this enhancement, you can access performance monitoring hardware using papi
events presets on the following processor microarchitectures:
- AMD Zen 2
- AMD Zen 3
- ARM Neoverse N1
- ARM Neoverse N2
- ARM Neoverse V1
- ARM Neoverse V2
Bugzilla:2111923[1], Bugzilla:2111947, Bugzilla:2111942
papi
now supports fast performance event count read operations for 64-bit ARM processors
Previously on 64-bit ARM processors, all performance event counter read operations required the use of a resource-intensive system call. papi
has been updated for 64-bit ARM to let processes monitoring themselves with the performance counters use a faster user-space read of the performance event counters. Setting the /proc/sys/kernel/perf_user_access
parameter to 1 reduces the average number of clock cycles for papi
to read 2 counters from 724 cycles to 29 cycles.
Bugzilla:2186927[1]
LLVM Toolset rebased to version 16.0.6
LLVM Toolset has been updated to version 16.0.6.
Notable enhancements include:
- Improvements to optimization
- Support for new CPU extensions
- Improved support for new C++ versions.
Notable backwards incompatible changes include:
-
Clang’s default C++ standard is now
gnu++17
instead ofgnu++14
. -
The
-Wimplicit-function-declaration
,-Wimplicit-int
and-Wincompatible-function-pointer-types
options now default to error for C code. This might affect the behavior of configure scripts.
By default, Clang 16 uses the libstdc++
library version 13 and binutils 2.40
provided by GCC Toolset 13.
For more information, see the LLVM release notes and Clang release notes.
Rust Toolset rebased to version 1.71.1
Rust Toolset has been updated to version 1.71.1. Notable changes include:
- A new implementation of multiple producer, single consumer (mpsc) channels to improve performance
-
A new Cargo
sparse
index protocol for more efficient use of thecrates.io
registry -
New
OnceCell
andOnceLock
types for one-time value initialization -
A new
C-unwind
ABI string to enable usage of forced unwinding across Foreign Function Interface (FFI) boundaries
For more details, see the series of upstream release announcements:
The Rust profiler_builtins
runtime component is now available
With this enhancement, the Rust profile_builtins
runtime component is now available. This runtime component enables the following compiler options:
-C instrument-coverage
- Enables coverage profiling
-C profile-generate
- Enables profile-guided optimization
Bugzilla:2227082[1]
Go Toolset rebased to version 1.20.10
Go Toolset has been updated to version 1.20.10.
Notable enhancements include:
-
New functions added in the
unsafe
package to handle slices and strings without depending on the internal representation. - Comparable types can now satisfy comparable constraints.
-
A new
crypto/ecdh
package. -
The
go build
andgo test
commands no longer accept the-i
flag. -
The
go generate
andgo test
commands now accept the-skip pattern
option. -
The
go build
,go install
, and other build-related commands now support the-pgo
and-cover
flags. -
The
go
command now disablescgo
by default on systems without a C toolchain. -
The
go version -m
command now supports reading more Go binaries types. -
The
go
command now disablescgo
by default on systems without a C toolchain. - Added support for collecting code coverage profiles from applications and integration tests instead of collecting them only from unit tests.
Bugzilla:2185259[1]
pcp
rebased to version 6.0.5
The pcp
package has been updated to version 6.0.5. Notable changes include:
Collector tool features
pmdaproc
:- Added support for per-cgroup IRQ PSI metrics in recent kernels
-
Added a new
proc.smaps.pss_dirty
metric
-
pmdasmart
: Added NVME disk information and power state metrics pmdalinux
:- Added support for system wide IRQ PSI metrics in recent kernels
- Added NUMA external memory fragmentation metric
- Added new networking (TCP, ICMP) metrics
-
pmdaoverhead
: A new PMDA to measure overhead for groups of processes -
pmdahacluster
: Updated to handle Pacemaker 2.1.5crm_mon
output changes
Monitoring tool features
pmieconf
:- Added support for webhook actions (Event Driven Ansible)
-
Added a new
pmie
rule that checks file descriptor limits
-
pcp2json
: Extendedpcp2json
with an option to send HTTP POSTs -
pcp-atop
: Addedcgroup
, NUMA memory, and NUMA CPU support -
pcp-htop
: Added support for a new open file descriptors Meter -
pcp-ps
: Added capability to show multiple archive samples
PCP’s pmie
utility now supports generating webhook events
The Performance Metrics Inference Engine (pmie
) utility from Performance Co-Pilot (PCP) now supports generating webhook events. With this update, configured pmie
rules generate events in a format consumable by Event-Driven Ansible (EDA). As a result, EDA can respond to PCP rules.
To enable this feature, configure all local pmie
rules to send to a webhook at a given endpoint (URL):
# pmieconf modify global webhook_endpoint https://localhost:443/<endpoint> # pmieconf modify global webhook_action yes
grafana
rebased to version 9.2.10
The grafana
package has been updated to version 9.2.10. Notable changes include:
- The heatmap panel is now used throughout Grafana.
- Geomaps can now measure both distance and area.
- The Alertmanager is now based on Prometheus Alertmanager version 0.24.
-
Grafana Alerting rules now return an
Error
state by default on execution error or timeout. - Expressions can now be used on public dashboards.
- The join transformation now supports inner joins.
- Public dashboards now allow sharing Grafana dashboards.
- A new Prometheus streaming parser is now available as an opt-in feature.
For more information, see the upstream release notes:
Grafana no longer enables weak cryptographic ciphers
With this update, Grafana no longer enables ciphers that are considered weak for encrypting secure communication. The affected ciphers are:
-
AES128-GCM-SHA256
-
AES128-SHA
-
AECDHE-RSA-AES128-SHA
-
AES256-GCM-SHA384
-
AES256-SHA
-
ECDHE-RSA-AES256-SHA
Bugzilla:2190025[1]
.NET 8.0 is available
Red Hat Enterprise Linux 9.3 is distributed with .NET version 8.0. Notable improvements include:
- Added support for the C#12 and F#8 language versions.
- Added support for building container images using the .NET Software Development Kit directly.
- Many performance improvements to the garbage collector (GC), Just-In-Time (JIT) compiler, and the base libraries.
Jira:RHELPLAN-164399[1]
4.14. Identity Management
samba
rebased to version 4.18.6
The samba
packages have been upgraded to upstream version 4.18.6, which provides bug fixes and enhancements over the previous version. The most notable changes:
- Security improvements in previous releases impacted the performance of the Server Message Block (SMB) server for high metadata workloads. This update improves the performance in this scenario.
-
The new
wbinfo --change-secret-at=<domain_controller>
command enforces the change of the trust account password on the specified domain controller. -
By default, Samba stores access control lists (ACLs) in the
security.NTACL
extended attribute of files. You can now customize the attribute name with theacl_xattr:<security_acl_name>
setting in the/etc/samba/smb.conf
file. Note that a custom extended attribute name is not a protected location assecurity.NTACL
. Consequently, users with local access to the server can be able to modify the custom attribute’s content and compromise the ACL.
Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd
, nmbd
, or winbind
services start, Samba automatically updates its tdb
database files. Red Hat does not support downgrading tdb
database files.
After updating Samba, use the testparm
utility to verify the /etc/samba/smb.conf
file.
The ipaclient
role now allows configuring user subID ranges on the IdM level
With this update, the ipaclient
ansible-freeipa
role provides the ipaclient_subid
option, using which you can configure subID ranges on the Identity Management (IdM) level. Without the new option set explicitly to true
, the ipaclient
role keeps the default behavior and installs the client without subID ranges configured for IdM users.
Previously, the role configured the sssd
authselect
profile that in turn customized the /etc/nsswitch.conf
file. The subID database did not use IdM and relied only on the local files of /etc/subuid
and /etc/subgid
.
Multiple IdM groups and services can now be managed in a single Ansible task
With this enhancement in ansible-freeipa
, you can add, modify, and delete multiple Identity Management (IdM) user groups and services by using a single Ansible task. For that, use the groups
and services
options of the ipagroup
and ipaservice
modules.
Using the groups
option available in ipagroup
, you can specify multiple group variables that only apply to a particular group. This group is defined by the name
variable, which is the only mandatory variable for the groups
option.
Similarly, using the services
option available in ipaservice
, you can specify multiple service variables that only apply to a particular service. This service is defined by the name
variable, which is the only mandatory variable for the services
option.
Jira:RHELDOCS-16474[1]
ansible-freeipa
ipaserver
role now supports Random Serial Numbers
With this update, you can use the ipaserver_random_serial_numbers=true
option with the ansible-freeipa
ipaserver
role. This way, you can generate fully random serial numbers for certificates and requests in PKI when installing an Identity Management (IdM) server using Ansible. With RSNv3, you can avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.
RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3 on all PKI services.
Jira:RHELDOCS-16462[1]
ipa
rebased to version 4.10.2
The ipa
package has been upgraded to version 4.10.2. Notable changes include:
- Searching and listing certificates in the IdM CLI and Web UI now offer better performance.
For more information, see the upstream FreeIPA release notes.
The ipaserver_remove_on_server
and ipaserver_ignore_topology_disconnect
options are now available in the ipaserver
role
If removing a replica from an Identity Management (IdM) topology by using the remove_server_from_domain
option of the ipaserver
ansible-freeipa
role leads to a disconnected topology, you must now specify which part of the domain you want to preserve. Specifically, you must do the following:
-
Specify the
ipaserver_remove_on_server
value to identify which part of the topology you want to preserve. -
Set
ipaserver_ignore_topology_disconnect
to True.
Note that if removing a replica from IdM by using the remove_server_from_domain
option preserves a connected topology, neither of these options is required.
IdM now supports the min_lifetime
parameter
With this enhancement, the min_lifetime
parameter has been added to the /etc/gssproxy/*.conf
file. The min_lifetime
parameter triggers the renewal of a service ticket in case its remaining lifetime is lower than this value.
By default its value is 15 seconds. For network volume clients such as NFS, to reduce the risk of losing access in case the KDC is momentarily unavailable, set this value to 60 seconds.
You can now manage IdM certificates using the ipacert
Ansible module
You can now use the ansible-freeipa
ipacert
module to request or retrieve SSL certificates for Identity Management (IdM) users, hosts and services. The users, hosts and services can then use these certificates to authenticate to IdM. You can also revoke the certificates, and restore certificates that have been put on hold.
The optional_pac_tkt_chksum
option helps preserve interoperability between different versions of krb5
You can now use the optional_pac_tkt_chksum
option to preserve the interoperability between RHEL Kerberos Distribution Center (KDC) servers running different versions of the krb5
package. Specifically, you can change their behavior regarding Privilege Attribute Certificate (PAC) ticket signature verification. If you set the optional_pac_tkt_chksum
string attribute to true
for the Kerberos principal expected to sign a ticket, then the KDC does not reject service for user (S4U) requests containing a ticket that lacks the PAC ticket signature. The principal to sign the ticket is the ticket-granting service (TGS) one or a cross-realm TGS one, depending on the realm of the ticket’s target service.
Since the krb5-1.20
release, MIT Kerberos KDCs have required the presence of ticket signatures in PACs based on the encrypted part of Kerberos tickets so that they could process S4U requests successfully. Previously, this was a problem in gradual upgrade scenarios where certain KDCs used krb5-1.19
or older, while others used krb5-1.20
or newer. KDCs using the newer versions of krb5
for S4U requests rejected service tickets that were provided by KDCs using the older versions of krb5
if a service used them for S4U requests.
For more information about how this feature is used in Identity Management (IdM), see this pull request.
IdM now supports resource-based constrained delegation
With this update, IdM now supports resource-based constrained delegation (RBCD). RBCD allows a granular control of delegation on a resource level and access can be set by the owner of the service to which credentials are delegated.
RBCD can be useful, for example, in an integration between IdM and Active Directory (AD), because AD enforces the use of RBCD when both target and proxy services belong to different forests.
Currently, only services in the IdM domain can be configured with RBCD rules. If the target service is part of an AD domain, the permission can only be granted on the AD side. As AD domain controllers cannot resolve IdM service information to create the rule, this is not currently supported.
For more information on delegation scenarios, see the FreeIPA design page.
RHEL 9.3 provides 389-ds-base
2.3.4
RHEL 9.3 is distributed with the 389-ds-base
package version 2.3.4. Notable bug fixes and enhancements over version 2.3.4 include:
- https://www.port389.org/docs/389ds/releases/release-2-2-8.html
- https://www.port389.org/docs/389ds/releases/release-2-2-9.html
- https://www.port389.org/docs/389ds/releases/release-2-3-0.html
- https://www.port389.org/docs/389ds/releases/release-2-3-1.html
- https://www.port389.org/docs/389ds/releases/release-2-3-2.html
- https://www.port389.org/docs/389ds/releases/release-2-3-3.html
- https://www.port389.org/docs/389ds/releases/release-2-3-4.html
Directory Server can now close a client connection if a bind
operation fails
Previously, when a bind
operation failed, some applications that ignore the bind
return code could load Director Server with further requests.
With the new nsslapd-close-on-failed-bind
configuration attribute under the cn=config
entry, the server can close a client connection when the bind
operation fails. As a result, the server load can be reduced.
Automembership plug-in improvements. It no longer cleans up groups by default
Previously, the automember rebuild task went through all the automember rules and removed all the memberships, then the task rebuilt the memberships from scratch. Thus, the rebuild task was expensive, especially if other be_txn
plugins are enabled.
With this update, the Automembership plug-in has the following improvements:
- Only one rebuilt task is allowed at a time.
The Automembership plug-in now does not clean up previous members by default. Use the new CLI option
--cleanup
to intentionally clean up memberships before rebuilding from scratch:# dsconf slapd-instance_name plugins automember fixup -f objectclass=posixaccount -s sub --cleanup "ou=people,dc=example,dc=com"
- Improved logging to show fixup progress.
New passwordAdminSkipInfoUpdate: on/off
configuration option is now available
You can add a new passwordAdminSkipInfoUpdate: on/off
setting under the cn=config
entry to provide a fine grained control over password updates performed by password administrators. When you enable this setting, password updates do not update certain attributes, for example, passwordHistory
,passwordExpirationTime
,passwordRetryCount
, pwdReset
, and passwordExpWarned
.
New slapi_memberof()
plug-in function is now available for Directory Server plug-ins and client applications
The new slapi_memberof()
function retrieves distinguished names (DNs) of groups to which the given entry belongs directly or indirectly. Previously, MemberOf, Referential Integrity, and ACL plug-ins implemented their own mechanism to retrieve such groups. With this update, you can use the slapi_memberof()
function that introduces a unified mechanism to return group DNs.
Directory Server now replaces the virtual attribute nsRole
with an indexed attribute for managed and filtered roles
Previously, LDAP searches that contained the virtual attribute nsRole
in the filter were time consuming because that attribute cannot be indexed. With this update, when you perform the ldapsearch
with virtual attribute nsRole
in the filter, Directory Server replaces the nsRole
attribute the following way:
-
For managed roles, the
nsRole
attribute is replaced with thensRoleDN
attribute. -
For filtered roles, the
nsRole
attribute is replaced with thensRoleFilter
attribute.
As a result, response time for search with the nsRole
attribute improves because the search becomes indexed.
Note that this update does not apply to nested roles.
New nsslapd-numlisteners
configuration option is now available
The nsslapd-numlisteners
attribute specifies the number of listener threads Directory Server can use to monitor established connections. You can improve the response times when the server experiences a large number of client connection by increasing the attribute value.
IdM supports the option to control the encryption type used to sign the PAC
By default, the Kerberos Key Distribution Center (KDC) generates an AES HMAC-SHA2 signature for the Privilege Attribute Certificate (PAC). However, this encryption type is not supported by Active Directory (AD). As a result, AD cross-realm constrained delegation requests are not processed correctly.
With this enhancement, you can now control the encryption type used to sign the PAC by setting the pac_privsvr_entype
attribute on the TGS principal, krbtgt/[realm]@[realm]
, to the required encryption type for the target realm. In IdM, this string attribute is automatically configured when an AD trust exists.
WARNING: This update is about standalone MIT realms. Do not change the Kerberos Distribution Center (KDC) configuration in RHEL Identity Management.
For example, for an MIT
realm and an AD
realm, to ensure cross-realm ticket-granting tickets (TGT) use AD-compatible encryption types, an administrator must configure the cross-realm TGS principal as shown below on the MIT side. This results in cross-realm TGTs using the AES 256 HMAC-SHA1 encryption type and constrained delegation requests being processed correctly.
kadmin.local <<EOF setstr krbtgt/AD@IPA pac_privsvr_enctype aes256-cts-hmac-sha1-96 setstr krbtgt/IPA@AD pac_privsvr_enctype aes256-cts-hmac-sha1-96 EOF
Identity Management API is now fully supported
The Identity Management (IdM) API was available as a Technology Preview in RHEL 9.2 and as of RHEL 9.3, it is fully supported.
Users can use existing tools and scripts even if the IdM API is enhanced to enable multiple versions of API commands. These enhancements do not change the behavior of a command in an incompatible way. This has the following benefits:
- Administrators can use previous or later versions of IdM on the server than on the managing client.
- Developers can use a specific version of an IdM call, even if the IdM version changes on the server.
The communication with the server is possible, regardless if one side uses, for example, a newer version that introduces new options for a feature.
- NOTE
- While IdM API provides a JSON-RPC interface, this type of access is not supported. Red Hat recommends accessing the API with Python instead. Using Python automates important parts such as the metadata retrieval from the server, which allows listing all available commands.
4.15. Graphics infrastructures
Intel Arc A-Series graphics is now fully supported
The Intel Arc A-Series graphics (Alchemist or DG2) feature, previously available as a Technology Preview, is now fully supported. Intel Arc A-Series graphics is a GPU that enables hardware acceleration, mostly used in PC gaming.
Bugzilla:2101598[1]
4.16. The web console
Podman health check action is now available
You can select one of the following Podman health check actions when creating a new container:
- No action (default): Take no action.
- Restart: Restart the container.
- Stop: Stop the container.
- Force stop: Force stops the container, it does not wait for the container to exit.
Jira:RHELDOCS-16247[1]
Stratis is now available in the RHEL web console
With this update, the Red Hat Enterprise Linux web console provides the ability to manage Stratis storage.
To learn more about Stratis, see Setting up Stratis file systems using the web console.
Jira:RHELPLAN-122345[1]
4.17. Red Hat Enterprise Linux system roles
New RHEL system role for managing systemd
units
The rhel-system-role
package now contains the systemd
RHEL system role. You can use this role to deploy unit files and manage systemd
units on multiple systems. You can automate systemd
functionality by providing systemd
unit files and templates, and by specifying the state of those units, such as started, stopped, masked and other.
New option in the ssh
role to disable configuration backups
You can now prevent old configuration files from being backed up before they are overwritten by setting the new ssh_backup
option to false
. Previously, backup configuration files were created automatically, which might be unnecessary. The default value of the ssh_backup
option is true
, which preserves the original behavior.
keylime_server
RHEL system role
With the new keylime_server
RHEL system role, you can use Ansible Playbooks to configure the verifier and registrar Keylime components on RHEL 9 systems. Keylime is a remote machine attestation tool that uses the trusted platform module (TPM) technology.
Support for new ha_cluster
system role features
The ha_cluster
system role now supports the following features:
- Configuration of resource and resource operation defaults, including multiple sets of defaults with rules.
- Loading and blocking of SBD watchdog kernel modules. This makes installed hardware watchdogs available to the cluster.
-
Assignment of distinct passwords to the cluster hosts and the quorum device. This allows you to configure a deployment where the same quorum hosts are joined to multiple, separate clusters, and the passwords of the
hacluster
user on these clusters are different.
For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster RHEL system role.
Bugzilla:2185065, Bugzilla:2185067, Bugzilla:2216481
storage
system role supports configuring the stripe size for RAID LVM volumes
With this update, you can now specify a custom stripe size when creating RAID LVM devices. For better performance, use the custom stripe size for SAP HANA. The recommended stripe size for RAID LVM volumes is 64 KB.
The network
RHEL system role supports the auto-dns
option to control automatic DNS record updates
This enhancement provides support for defined name servers and search domains. You can now use only the name servers and search domains specified in dns
and dns_search
properties while disabling automatically configured name servers and search domains such as dns record
from DHCP. With this enhancement, you can disable automatically auto dns record by changing the auto-dns
settings.
The network
RHEL system role supports the no-aaaa
DNS option
You can now use the no-aaaa
option to configure DNS settings on managed nodes. Previously, there was no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo
; only DNS lookups were affected. With this enhancement, you can now suppress AAAA queries generated by the stub resolver.
The ad_integration
RHEL system role can now rejoin an AD domain
With this update, you can now use the ad_integration
RHEL system role to rejoin an Active Directory (AD) domain. To do this, set the ad_integration_force_rejoin
variable to true
. If the realm_list
output shows that host is already in an AD domain, it will leave the existing domain before rejoining it.
The certificate
RHEL system role now allows changing certificate file mode when using certmonger
Previously, certificates created by the certificate
RHEL system role with the certmonger
provider used a default file mode. However, in some use-cases you might require a more restrictive mode. With this update, you can now set a different certificate and a key file mode using the mode
parameter.
The postgresql
RHEL system role is now available
The new postgresql
RHEL system role installs, configures, manages, and starts the PostgreSQL
server. The role also optimizes the database server settings to improve performance.
The role supports the currently released and supported versions of PostgreSQL
on RHEL 8 and RHEL 9 managed nodes.
For more information, see Installing and configuring PostgreSQL by using the postgresql RHEL system role.
podman
RHEL system role now supports Quadlets, health checks, and secrets
Starting with Podman 4.6, you can use the podman_quadlet_specs
variable in the podman
RHEL system role. You can define a Quadlet by specifying a unit file, or in the inventory by a name, a type of unit, and a specification. Types of a unit can be the following: container
, kube
, network
, and volume
. Note that Quadlets work only with root containers on RHEL 8. Quadlets work with rootless containers on RHEL 9.
The health checks are supported only for Quadlet Container types. In the [Container]
section, specify the HealthCmd
field to define the health check command and HealthOnFailure
field to define the action when a container is unhealthy. Possible options are none
, kill
, restart
, and stop
.
You can use the podman_secrets
variable to manage secrets. For details, see upstream documentation.
Jira:RHELPLAN-154441[1]
Improved performance of the selinux
system role with restorecon -T 0
The selinux
system role now uses the -T 0
option with the restorecon
command in all applicable cases. This improves the performance of tasks that restore default SELinux security contexts on files.
The rhc
system role now supports setting a proxy server type
The newly introduced attribute scheme
under the rhc_proxy
parameter enables you to configure the proxy server type by using the rhc
system role. You can set two values: http
, the default and https
.
firewall
RHEL system role supports variables related to ipsets
With this update of the firewall
RHEL system role, you can define, modify, and delete ipsets
. Also, you can add and remove those ipsets
from firewall zones. Alternatively, you can use those ipsets
when defining firewall rich rules.
You can manage ipsets
with the firewall
RHEL system role using the following variables:
-
ipset
-
ipset_type
-
ipset_entries
-
short
-
description
-
state: present
orstate: absent
-
permanent: true
The following are some notable benefits of this enhancement:
- You can reduce the complexity of the rich rules that define rules for many IP addresses.
- You can add or remove IP addresses from sets as needed without modifying multiple rules.
For more details, see resources in the /usr/share/doc/rhel-system-roles/firewall/
directory.
RHEL system roles now have new volume options for mount point customization
With this update, you can now specify mount_user
, mount_group
, and mount_permissions
parameters for your mount directory.
The firewall
RHEL system role has an option to disable conflicting services, and it no longer fails if firewalld
is masked
Previously, the firewall
system role failed when the firewalld
service was masked on the role run or in the presence of conflicting services. This update brings two notable enhancements:
The linux-system-roles.firewall
role always attempts to install, unmask, and enable the firewalld
service on role run. You can now add a new variable firewall_disable_conflicting_services
to your playbook to disable known conflicting services, for example, iptables.service
, nftables.service
, and ufw.service
. The firewall_disable_conflicting_services
variable is set to false
by default. To disable conflicting services, set the variable to true
.
Resetting the firewall
RHEL system role configuration now requires minimal downtime
Previously, when you reset the firewall
role configuration by using the previous: replaced
variable, the firewalld
service restarted. Restarting adds downtime and prolongs the period of an open connection in which firewalld
does not block traffic from active connections. With this enhancement, the firewalld
service completes the configuration reset by reloading instead of restarting. Reloading minimizes the downtime and reduces the opportunity to bypass firewall rules. As a result, using the previous: replaced
variable to reset the firewall
role configuration now requires minimal downtime.
4.18. Virtualization
sevctl
is now fully compatible with AMD EPYC Rome and Milan
With this update, the sevctl
utility correctly recognizes the latest AMD EPYC cores, including the AMD EPYC Rome and AMD EPYC Milan series. As a result, you can use sevctl
to configure the features of AMD Secure Encrypted Virtualization (SEV) that are available on these CPUs.
Note, however, that advanced SEV functions, such as SEV-ES and SEV-SNP are only provided as Technology Previews in RHEL 9, and therefore unsupported.
Bugzilla:2104857[1]
virtio-vga
and virtio-gpu
devices now support blob
resources
It is now possible for virtio-vga
and virtio-gpu
devices to use blob
memory resources, which improves their performance in certain scenarios. To attach a blob
resource to a virtio
graphics device, add a blob="on"
option to the corresponding <video>
section in the virtual machine’s XML configuration. For example:
<video> <model type="virtio" heads="1" primary="yes" blob="on"/> <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/> </video>
Note, however, that this feature currently does not work on IBM Z hosts.
Virtualization support for 4th Generation Intel Xeon Scalable processors
With this update, virtualization on RHEL 9 adds support for the 4th Generation Intel Xeon Scalable processors, formerly known as Sapphire Rapids. As a result, virtual machines hosted on RHEL 9 can now use the SapphireRapids
CPU model and utilise new features that the processors provide.
Bugzilla:1880531[1]
Improved memory reclaiming for Secure Execution on IBM Z
When using a virtual machine (VM) with IBM Secure Execution on IBM Z, you can now set up enhanced memory reclaiming for the VM. If the VM is using 32 GiB or more RAM, this setting improves the performance of rebooting or stopping the VM.
To set up enhanced memory reclaiming in a VM, add the <async-teardown enabled='yes'/>
line to the <features></features>
section in its XML configuration.
Bugzilla:2168499[1]
New virtualization features in the RHEL web console
With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:
-
Select the
Create and edit
button for a virtual machine (VM) based on a cloud image, which allows you to edit all of the VM properties before the VM is installed. -
Create a
raw
storage volume during virtual machine creation. Set up a virtual socket (vsock) to enable communication between the host and the VM over a socket.
Note that a virtual socket requires vsock-aware software, such as
socat
, to enable the communication.
Jira:RHELDOCS-16487[1]
4.19. RHEL in cloud environments
cloud-init supports NetworkManager keyfiles
With this update, the cloud-init
utility can use a NetworkManager (NM) keyfile to configure the network of the created cloud instance.
Note that by default, cloud-init
still uses the sysconfig
method for network setup. To configure cloud-init
to use a NM keyfile instead, edit the /etc/cloud/cloud.cfg
and set network-manager
as the primary network renderer:
# cat /etc/cloud/cloud.cfg network: renderers: ['network-manager', 'eni', 'netplan', 'sysconfig', 'networkd']
Bugzilla:2118235[1]
cloud-init
now uses VMware datasources by default on ESXi
When creating RHEL virtual machines (VMs) on a host that uses the VMware ESXi hypervisor, such as the VMware vSphere cloud platform. This improves the performance and stability of creating an ESXi instance of RHEL by using cloud-init
. Note, however, that ESXi is still compatible with Open Virtualization Format (OVF) datasources, and you can use an OVF datasource if a VMware one is not available.
Bugzilla:2172341[1]
4.20. Supportability
sos
rebased to version 4.6
The sos
utility, for collecting configuration, diagnostic, and troubleshooting data, has been rebased to version 4.6. This update provides the following enhancements:
-
sos
reports now include the contents of both/boot/grub2/custom.cfg
and/boot/grub2/user.cfg
files that might contain critical information for troubleshooting boot issues. (BZ#2213951) -
The
sos
plugin for OVN-Kubernetes collects additional logs for the interconnect environment. With this update,sos
also collects logs from theovnkube-controller
container when bothovnkube-node
andovnkube-controller
containers are merged into one.
In addition, notable bug fixes include:
-
sos
now correctly gatherscgroup
data in the OpenShift Container Platform 4 environment (BZ#2186361). -
While collecting
sos
reports with thesudo
plugin enabled,sos
now removes thebindpw
option properly. (BZ#2143272) -
The
subscription_manager
plugin no longer collects proxy usernames and passwords from the/var/lib/rhsm/
path. (BZ#2177282) -
The
virsh
plugin no longer collects the SPICE remote-display passwords in virt-manager logs, which preventssos
from disclosing passwords in its reports. (BZ#2184062) sos
now masks usernames and passwords previously displayed in the/var/lib/iscsi/nodes/<IQN>/<PortalIP>/default
file.ImportantThe generated archive might contain data considered sensitive. Thus, you should always review the content before passing it to any third party.
(BZ#2187859)
-
sos
completes the tailed log collection even when the size of the log file is exceeded and when a plugin times out. (BZ#2203141) -
When entering the
sos collect
command on a Pacemaker cluster node,sos
collects an sos report from the same cluster node. (BZ#2186460) -
When collecting data from a host in the OpenShift Container Platform 4 environment,
sos
now uses thesysroot
path, which ensures that only the correct data are assembled. (BZ#2075720) -
The
sos report --clean
command obfuscates all MAC addresses as intended. (BZ#2207562) -
Disabling the
hpssm
plugin no longer raises exceptions. (BZ#2216608) -
The
sos clean
command follows permissions of sanitized files. (BZ#2218279)
For details on each release of sos
, see upstream release notes.
Jira:RHELPLAN-156196[1]
4.21. Containers
Podman supports pulling and pushing images compressed with zstd
You can pull and push images compressed with the zstd
format. The zstd compression is more efficient and faster than gzip. It can reduce the amount of network traffic and storage involved in pulling and pushing the image.
Jira:RHELPLAN-154314[1]
Quadlet in Podman is now available
Beginning with Podman v4.6, you can use Quadlet to automatically generate a systemd
service file from a container description. The Quadlets might be easier to use than the podman generate systemd
command because the description focuses on the relevant container details and without the technical complexity of running containers under systemd
.
For more details, see the Quadlet upstream documentation and the Make systemd better for Podman with Quadlet article.
Jira:RHELPLAN-154432[1]
The Container Tools packages have been updated
The updated Container Tools RPM meta-package, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. This update applies a series of bug fixes and enhancements over the previous version.
Notable changes in Podman v4.6 include:
-
The
podman kube play
command now supports the--configmap=<path>
option to provide Kubernetes YAML file with environment variables used within the containers of the pod. -
The
podman kube play
command now supports multiple Kubernetes YAML files for the--configmap
option. -
The
podman kube play
command now supports containerPort names and port numbers within liveness probes. -
The
podman kube play
command now adds the ctrName as an alias to the pod network. -
The
podman kube play
andpodman kube generate
commands now support SELinux filetype labels and ulimit annotations. -
A new command,
podman secret exists
, has been added, which verifies if a secret with the given name exists. -
The
podman create
,podman run
,podman pod create
, andpodman pod clone
commands now support a new option,--shm-size-systemd
, which allows limiting tmpfs sizes for systemd-specific mounts. -
The
podman create
and podman run commands now support a new option,--security-opt label=nested
, which allows SELinux labeling within a confined container. - Podman now supports auto updates for containers running inside a pod.
-
Podman can now use an SQLite database as a backend for increased stability. The default remains the BoltDB database. You can select the database by setting the
database_backend
field in thecontainers.conf
file. -
Podman now supports Quadlets to automatically generate a
systemd
service file from the container description. The description focuses on the relevant container details and hides the technical complexity of running containers undersystemd
.
For further information about notable changes, see upstream release notes.
Jira:RHELPLAN-154438[1]
Podman now supports a Podmansh login shell
Beginning with Podman v4.6, you can use the Podmansh
login shell to manage user access and control. Configure your settings to use the /usr/bin/podmansh
command as a login shell instead of a standard shell command, for example, /usr/bin/bash
. When a user logs into a system setup, the podmansh
command runs the user’s session into a Podman container named podmansh
. Containers into which users log in are defined using the Quadlet files, which are created in the /etc/containers/systemd/users/
directory. In these files, set the ContainerName
field in the [Container]
section to podmansh
. The systemd automatically starts podmansh
when the user session starts and continues running until all user sessions exit.
For more information, see Podman v4.6.0 Introduces Podmansh: A Revolutionary Login Shell.
Jira:RHELPLAN-163003[1]
Clients for sigstore signatures with Fulcio and Rekor are now available
With Fulcio and Rekor servers, you can now create signatures by using short-term certificates based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private key. Clients for sigstore signatures with Fulcio and Rekor, previously available as a Technology Preview, are now fully supported. This added functionality is the client side support only, and does not include either the Fulcio or Rekor servers.
Add the fulcio
section in the policy.json
file. To sign container images, use the podman push --sign-by-sigstore=file.yml
or skopeo copy --sign-by-sigstore=file.yml
commands, where file.yml
is the sigstore signing parameter file.
To verify signatures, add the fulcio
section and the rekorPublicKeyPath
or rekorPublicKeyData
fields in the policy.json
file. For more information, see containers-policy.json
man page.
Jira:RHELPLAN-160660[1]
The pasta
networking mode is now available
Starting with Podman v4.4.1, you can use the pasta
network mode. It is a high-performance replacement of the default network mode slirp4netns
and supports IPv6 forwarding. To select the pasta
network mode, install the passt
package to use the podman run
command with the --network=pasta
option. With Podman v4.6, you can set default rootless network mode in the /etc/containers/containers.conf
configuration file by using the default_rootless_network_cmd
field under the [network]
section.
Jira:RHELDOCS-16240[1]
UBI 9 Micro Container Image no longer contains zoneinfo
installed by tzdata
With this update, the time zone information provided by the tzdata
package is no longer included in UBI 9 Micro container images, consequently reducing the image size. The UBI 9 Minimal and UBI 9 Micro containers are UTC-only, and users should reinstall the tzdata
package to get the full zoneinfo
, if needed.