Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 9. Technology Previews
This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 9.
For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.
9.1. Installer and image creation
NVMe over Fibre Channel devices are now available in RHEL installation program as a Technology Preview
You can now add NVMe over Fibre Channel devices to your RHEL installation as a Technology Preview. In RHEL installation program, you can select these devices under the NVMe Fabrics Devices section while adding disks on the Installation Destination screen.
9.2. Security
gnutls
now uses kTLS as a Technology Preview
The updated gnutls
packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add the tls.ko
kernel module using the modprobe
command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt
for the system-wide cryptographic policies with the following content:
[global] ktls = true
Note that the current version does not support updating traffic keys through TLS KeyUpdate
messages, which impacts the security of AES-GCM ciphersuites. See the RFC 7841 - TLS 1.3 document for more information.
Bugzilla:2108532[1]
9.3. Shells and command-line tools
GIMP available as a Technology Preview in RHEL 9
GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp
package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.
In RHEL 9, you can install gimp
easily as an RPM package.
Bugzilla:2047161[1]
9.4. Infrastructure services
Socket API for TuneD available as a Technology Preview
The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf
file.
9.5. Networking
WireGuard VPN is available as a Technology Preview
WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.
For further details, see Setting up a WireGuard VPN.
Bugzilla:1613522[1]
kTLS available as a Technology Preview
RHEL provides kernel Transport Layer Security (KTLS) as a Technology Preview. kTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. kTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.
Bugzilla:1570255[1]
The systemd-resolved
service is available as a Technology Preview
The systemd-resolved
service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.
Note that systemd-resolved
is an unsupported Technology Preview.
The PRP and HSR protocols are now available as a Technology Preview
This update adds the hsr
kernel module that provides the following protocols:
- Parallel Redundancy Protocol (PRP)
- High-availability Seamless Redundancy (HSR)
The IEC 62439-3 standard defines these protocols, and you can use this feature to configure zero-loss redundancy in Ethernet networks.
Bugzilla:2177256[1]
Offloading IPsec encapsulation to a NIC is now available as a Technology Preview
This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was possible to only offload the encryption to a network interface controller (NIC). With this enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to reduce the workload.
Note that offloading the IPsec encapsulation process to a NIC also reduces the ability of the kernel to monitor and filter such packets.
Bugzilla:2178699[1]
Network drivers for modems in RHEL are available as Technology Preview
Device manufacturers support Federal Communications Commission (FCC) locking as the default setting. FCC provides a lock to bind WWAN drivers to a specific system where WWAN drivers provide a channel to communicate with modems. Based on the modem PCI ID, manufacturers integrate unlocking tools on Red Hat Enterprise Linux for ModemManager. However, a modem remains unusable if not unlocked previously even if the WWAN driver is compatible and functional. Red Hat Enterprise Linux provides the drivers for the following modems with limited functionality as a Technology Preview:
- Qualcomm MHI WWAM MBIM - Telit FN990Axx
- Intel IPC over Shared Memory (IOSM) - Intel XMM 7360 LTE Advanced
- Mediatek t7xx (WWAN) - Fibocom FM350GL
- Intel IPC over Shared Memory (IOSM) - Fibocom L860GL modem
Jira:RHELDOCS-16760[1], Bugzilla:2123542, Jira:RHEL-6564, Bugzilla:2110561, Bugzilla:2222914
Segment Routing over IPv6 (SRv6) is available as a Technology Preview
The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is the end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with the programmable custom network slices and resource reservations to address network requirements for specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.
Bugzilla:2186375[1]
kTLS rebased to version 6.3
The kernel Transport Layer Security (KTLS) functionality is a Technology Preview. With this RHEL release, kTLS has been rebased to the 6.3 upstream version, and notable changes include:
- Added the support for 256-bit keys with TX device offload
- Delivered various bugfixes
Bugzilla:2183538[1]
9.6. Kernel
The kdump
mechanism with a unified kernel image is available as a Technology Preview
The kdump
mechanism with a kernel image contained in a unified kernel image (UKI) is available as a Technology Preview. UKI is a single executable, combining the initramfs
, vmlinuz
,and the kernel command line in a single file. The UKI key benefit being extending the cryptographic signature for SecureBoot to all components at once.
For the feature to work, with the kernel command line contained in the UKI, set the crashkernel=
parameter with an appropriate value. This reserves the required memory for kdump
.
Note: Currently the kexec_file_load
system call from the Linux kernel cannot load UKI. Therefore, only the kernel image contained in the UKI is used when loading the crash kernel with the kexec_file_load
system call.
Bugzilla:2169720[1]
SGX available as a Technology Preview
Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:
- Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
- Dynamic addition of regular enclave pages to an initialized enclave.
- Expanding an initialized enclave to accommodate more threads.
- Removing regular and TCS pages from an initialized enclave.
Bugzilla:1874182[1]
The Intel data streaming accelerator driver for kernel is available as a Technology Preview
The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a Technology Preview. It is an Intel CPU integrated accelerator and includes the shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).
The Soft-iWARP driver is available as a Technology Preview
Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.
Bugzilla:2023416[1]
SGX available as a Technology Preview
Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification. The RHEL kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:
- Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
- Dynamic addition of regular enclave pages to an initialized enclave.
- Expanding an initialized enclave to accommodate more threads.
- Removing regular and TCS pages from an initialized enclave.
Bugzilla:1660337[1]
rvu_af
, rvu_nicpf
, and rvu_nicvf
available as Technology Preview
The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:
-
rvu_nicpf
- Marvell OcteonTX2 NIC Physical Function driver -
rvu_nicvf
- Marvell OcteonTX2 NIC Virtual Function driver -
rvu_nicvf
- Marvell OcteonTX2 RVU Admin Function driver
Bugzilla:2040643[1]
9.7. File systems and storage
DAX is now available for ext4 and XFS as a Technology Preview
In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the NVDIMM(s). Also, the file system must be mounted with the dax
mount option. Then, an mmap
of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.
Bugzilla:1995338[1]
NVMe-oF Discovery Service features available as a Technology Preview
The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0
package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.
Bugzilla:2021672[1]
nvme-stas
package available as a Technology Preview
The nvme-stas
package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf
) and Manual configuration.
This package consists of two daemons, Storage Appliance Finder (stafd
) and Storage Appliance Connector (stacd
).
Bugzilla:1893841[1]
NVMe TP 8006 in-band authentication available as a Technology Preview
Implementing Non-Volatile Memory Express (NVMe) TP 8006, which is an in-band authentication for NVMe over Fabrics (NVMe-oF) is now available as an unsupported Technology Preview. The NVMe Technical Proposal 8006 defines the DH-HMAC-CHAP
in-band authentication protocol for NVMe-oF, which is provided with this enhancement.
For more information, see the dhchap-secret
and dhchap-ctrl-secret
option descriptions in the nvme-connect(1)
man page.
Bugzilla:2027304[1]
The io_uring
interface is available as a Technology Preview
io_uring
is a new and effective asynchronous I/O interface, which is now available as a Technology Preview. By default, this feature is disabled. You can enable this interface by setting the kernel.io_uring_disabled
sysctl variable to any one of the following values:
0
-
All processes can create
io_uring
instances as usual. 1
-
io_uring
creation is disabled for unprivileged processes. Theio_uring_setup
fails with the-EPERM
error unless the calling process is privileged by theCAP_SYS_ADMIN
capability. Existingio_uring
instances can still be used. 2
-
io_uring
creation is disabled for all processes. Theio_uring_setup
always fails with-EPERM
. Existingio_uring
instances can still be used. This is the default setting.
An updated version of the SELinux policy to enable the mmap
system call on anonymous inodes is also required to use this feature.
By using the io_uring
command pass-through, an application can issue commands directly to the underlying hardware, such as nvme
. Use of io_uring
command pass-through currently requires a custom SELinux policy module. Create a custom SELinux policy module:
Save the following lines as
io_uring_cmd_passthrough.cil
file:---cut here--- ( allow unconfined_domain_type device_node ( io_uring ( cmd ))) ( allow unconfined_domain_type file_type ( io_uring ( cmd ))) ---cut here---
Load the policy module:
# semodule -i io_uring_cmd_passthrough.cil
Bugzilla:2068237[1]
9.8. Compilers and development tools
jmc-core
and owasp-java-encoder
available as a Technology Preview
RHEL 9 is distributed with the jmc-core
and owasp-java-encoder
packages as Technology Preview features for the AMD and Intel 64-bit architectures.
jmc-core
is a library providing core APIs for Java Development Kit (JDK) Mission Control, including libraries for parsing and writing JDK Flight Recording files, and libraries for Java Virtual Machine (JVM) discovery through Java Discovery Protocol (JDP).
The owasp-java-encoder
package provides a collection of high-performance low-overhead contextual encoders for Java.
Note that since RHEL 9.2, jmc-core
and owasp-java-encoder
are available in the CodeReady Linux Builder (CRB) repository, which you must explicitly enable. See How to enable and make use of content within CodeReady Linux Builder for more information.
9.9. Identity Management
DNSSEC available as Technology Preview in IdM
Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:
Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.
Identity Management JSON-RPC API available as Technology Preview
An API is available for Identity Management (IdM). To view the API, IdM also provides an API browser as a Technology Preview.
Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements could change the behavior of a command in an incompatible way. Users are now able to continue using existing tools and scripts even if the IdM API changes. This enables:
- Administrators to use previous or later versions of IdM on the server than on the managing client.
- Developers can use a specific version of an IdM call, even if the IdM version changes on the server.
In all cases, the communication with the server is possible, regardless if one side uses, for example, a newer version that introduces new options for a feature.
For details on using the API, see Using the Identity Management API to Communicate with the IdM Server (TECHNOLOGY PREVIEW).
sssd-idp sub-package available as a Technology Preview
The sssd-idp
sub-package for SSSD contains the oidc_child
and krb5 idp
plugins, which are client-side components that perform OAuth2 authentication against Identity Management (IdM) servers. This feature is available only with IdM servers on RHEL 9.1 and later.
SSSD internal krb5 idp plugin available as a Technology Preview
The SSSD krb5 idp
plugin allows you to authenticate against an external identity provider (IdP) using the OAuth2 protocol. This feature is available only with IdM servers on RHEL 9.1 and later.
RHEL IdM allows delegating user authentication to external identity providers as a Technology Preview
In RHEL IdM, you can now associate users with external identity providers (IdP) that support the OAuth 2 device authorization flow. When these users authenticate with the SSSD version available in RHEL 9.1 or later, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after performing authentication and authorization at the external IdP.
Notable features include:
-
Adding, modifying, and deleting references to external IdPs with
ipa idp-*
commands -
Enabling IdP authentication for users with the
ipa user-mod --user-auth-type=idp
command
For additional information, see Using external identity providers to authenticate to IdM.
ACME available as a Technology Preview
The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.
In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert
profile when issuing ACME certificates. The validity period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire IdM deployment.
It is recommended to enable ACME only in an IdM deployment where all servers are running RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause problems in mixed-version deployments. For example, a CA server without ACME can cause client connections to fail, because it uses a different DNS Subject Alternative Name (SAN).
Currently, RHCS does not remove expired certificates. Because ACME certificates expire after 90 days, the expired certificates can accumulate and this can affect performance.
To enable ACME across the whole IdM deployment, use the
ipa-acme-manage enable
command:# ipa-acme-manage enable The ipa-acme-manage command was successful
To disable ACME across the whole IdM deployment, use the
ipa-acme-manage disable
command:# ipa-acme-manage disable The ipa-acme-manage command was successful
To check whether the ACME service is installed and if it is enabled or disabled, use the
ipa-acme-manage status
command:# ipa-acme-manage status ACME is enabled The ipa-acme-manage command was successful
Bugzilla:2084181[1]
9.10. Desktop
GNOME for the 64-bit ARM architecture available as a Technology Preview
The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.
You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can manage the server using graphical applications.
A limited set of graphical applications is available on 64-bit ARM. For example:
- The Firefox web browser
-
Red Hat Subscription Manager (
subscription-manager-cockpit
) -
Firewall Configuration (
firewall-config
) -
Disk Usage Analyzer (
baobab
)
Using Firefox, you can connect to the Cockpit service on the server.
Certain applications, such as LibreOffice, only provide a command-line interface, and their graphical interface is disabled.
Jira:RHELPLAN-27394[1]
GNOME for the IBM Z architecture available as a Technology Preview
The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.
You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage the server using graphical applications.
A limited set of graphical applications is available on IBM Z. For example:
- The Firefox web browser
-
Red Hat Subscription Manager (
subscription-manager-cockpit
) -
Firewall Configuration (
firewall-config
) -
Disk Usage Analyzer (
baobab
)
Using Firefox, you can connect to the Cockpit service on the server.
Certain applications, such as LibreOffice, only provide a command-line interface, and their graphical interface is disabled.
Jira:RHELPLAN-27737[1]
9.11. Virtualization
Creating nested virtual machines
Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.
Jira:RHELDOCS-17040[1]
AMD SEV and SEV-ES for KVM virtual machines
As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.
In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host from modifying the VM’s CPU registers or reading any information from them.
Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. Also note that RHEL 9 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security attestation.
Jira:RHELPLAN-65217[1]
Virtualization is now available on ARM 64
As a Technology Preview, it is now possible to create KVM virtual machines on systems using ARM 64 CPUs.
Jira:RHELPLAN-103993[1]
virtio-mem
is now available on AMD64, Intel 64, and ARM 64
As a Technology Preview, RHEL 9 introduces the virtio-mem
feature on AMD64, Intel 64, and ARM 64 systems. Using virtio-mem
makes it possible to dynamically add or remove host memory in virtual machines (VMs).
To use virtio-mem
, define virtio-mem
memory devices in the XML configuration of a VM and use the virsh update-memory-device
command to request memory device size changes while the VM is running. To see the current memory size exposed by such memory devices to a running VM, view the XML configuration of the VM.
Note, however, that virtio-mem
currently does not work on VMs that use a Windows operating system.
Bugzilla:2014487, Bugzilla:2044162, Bugzilla:2044172
Intel TDX in RHEL guests
As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 9.2 and later guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump
, and enabling TDX will cause kdump
to fail on the VM.
Bugzilla:1955275[1]
A unified kernel image of RHEL is now available as a Technology Preview
As a Technology Preview, you can now obtain the RHEL kernel as a unified kernel image (UKI) for virtual machines (VMs). A unified kernel image combines the kernel, initramfs, and kernel command line into a single signed binary file.
UKIs can be used in virtualized and cloud environments, especially in confidential VMs where strong SecureBoot capabilities are required. The UKI is available as a kernel-uki-virt
package in RHEL 9 repositories.
Currently, the RHEL UKI can only be used in a UEFI boot configuration.
Bugzilla:2142102[1]
Intel vGPU available as a Technology Preview
As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices
. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.
Note that this feature is deprecated and was removed entirely with the RHEL 9.3 release.
Jira:RHELDOCS-17050[1]
9.12. RHEL in cloud environments
RHEL is now available on Azure confidential VMs as a Technology Preview
With the updated RHEL kernel, you can now create and run RHEL confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. The newly added unified kernel image (UKI) now enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt
package in RHEL 9 repositories.
Currently, the RHEL UKI can only be used in a UEFI boot configuration.
Jira:RHELPLAN-139800[1]
9.13. Containers
SQLite database backend for Podman is available as a Technology Preview
Beginning with Podman v4.6, the SQLite database backend for Podman is available as a Technology Preview. To set the database backend to SQLite, add the database_backend = "sqlite"
option in the /etc/containers/containers.conf
configuration file. Run the podman system reset
command to reset storage back to the initial state before you switch to the SQLite database backend. Note that you have to re-create all containers and pods. The SQLite database guarantees good stability and consistency. Other databases in the containers stack will be moved to SQLite as well. The BoltDB remains the default database backend.
Jira:RHELPLAN-154429[1]
The podman-machine
command is unsupported
The podman-machine
command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.
Jira:RHELDOCS-16861[1]