Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 9. Technology previews
This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 9.
For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.
9.1. Installer and image creation
NVMe over TCP for RHEL installation is now available as a Technology Preview
With this Technology Preview, you can now use NVMe over TCP volumes to install RHEL after configuring the firmware. While adding disks from the Installation Destination screen, you can select the NVMe namespaces under the NVMe Fabrics Devices section.
Jira:RHEL-10216[1]
Installation of bootable OSTree native containers is now available as a Technology Preview
The ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview. You can use this command to install the operating system from an OSTree commit encapsulated in an OCI image. When performing Kickstart installations, the following commands are available together with ostreecontainer:
- graphical, text, or cmdline
- ostreecontainer
- clearpart, zerombr
- autopart
- part
- logvol, volgroup
- reboot and shutdown
- lang
- rootpw
- sshkey
-
bootloader - Available only with the
--appendoptional parameter. - user
When you specify a group within the user command, the user account can be assigned only to a group that already exists in the container image. Kickstart commands not listed here are allowed to be used with ostreecontainer command, however, they are not guaranteed to work as expected with package-based installations.
However, the following Kickstart commands are unsupported together with ostreecontainer:
- %packages (any necessary packages must be already available in the container image)
-
url (if there is a need to fetch a
stage2image for installation, for example, PXE installations useinst.stage2=on the kernel instead of providing a URL forstage2inside the Kickstart file) - liveimg
- vnc
- authconfig and authselect (provide relevant configuration in the container image instead)
- module
- repo
- zipl
- zfcp
Installation of bootable OSTree native containers is not supported in interactive installations that use partial Kickstart files.
Note: When customizing a mount point, you must define the mount point in the /mnt directory and ensure that the mount point directory exists inside /var/mnt in the container image.
Jira:RHEL-2250[1]
Boot loader installation and configuration via bootupd / bootupctl in Anaconda is now available as a Technology Preview
As the ostreecontainer Kickstart command is now available in Anaconda as a Technology Preview, you can use it to install the operating system from an OSTree commit encapsulated in an OCI image. Anaconda automatically arranges a boot loader installation and configuration via the bootupd/bootupctl tool contained within the container image, even without an explicit boot loader configuration in Kickstart.
Jira:RHEL-17205[1]
The bootc image builder tool is available as a Technology Preview
The bootc image builder tool, now available as a Technology Preview, works as a container to easily create and deploy compatible disk images from the bootc container inputs. After running your container image with bootc image builder, you can generate images for the architecture that you need. Then, you can deploy the resulting image on VMs, clouds, or servers. You can easily update the images with the bootc, instead of having to regenerate the content with bootc image builder every time a new update is required.
Jira:RHELDOCS-17468[1]
A new rhel9/bootc-image-builder container image is available as a Technology Preview
The rhel9/bootc-image-builder container image for image mode for RHEL includes a minimal version of image builder that converts bootable container images, for example rhel-bootc, to different disk image formats, such as QCOW2, AMI, VMDK, ISO, and others.
Jira:RHELDOCS-17733[1]
9.2. Security
gnutls now uses kTLS as a Technology Preview
The updated gnutls packages can use kernel TLS (kTLS) for accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide cryptographic policies with the following content:
[global] ktls = true
Note that the current version does not support updating traffic keys through TLS KeyUpdate messages, which impacts the security of AES-GCM ciphersuites. See the RFC 7841 - TLS 1.3 document for more information.
Bugzilla:2108532[1]
The io_uring interface is available as a Technology Preview
io_uring is a new and effective asynchronous I/O interface, which is now available as a Technology Preview. By default, this feature is disabled. You can enable this interface by setting the kernel.io_uring_disabled sysctl variable to any one of the following values:
0-
All processes can create
io_uringinstances as usual. 1-
io_uringcreation is disabled for unprivileged processes. Theio_uring_setupfails with the-EPERMerror unless the calling process is privileged by theCAP_SYS_ADMINcapability. Existingio_uringinstances can still be used. 2-
io_uringcreation is disabled for all processes. Theio_uring_setupalways fails with-EPERM. Existingio_uringinstances can still be used. This is the default setting.
An updated version of the SELinux policy to enable the mmap system call on anonymous inodes is also required to use this feature.
By using the io_uring command pass-through, an application can issue commands directly to the underlying hardware, such as nvme.
Jira:RHEL-11792[1]
9.3. RHEL for Edge
FDO now provides storing and querying Owner Vouchers from a SQL backend as a Technology Preview
With this Technology Preview, FDO manufacturer-server, onboarding-server, and rendezvous-server are available for storing and querying Owner Vouchers from a SQL backend. As a result, you can select a SQL datastore in the FDO servers options, along with credentials and other parameters, to store the Owner Vouchers.
Jira:RHELDOCS-17752[1]
9.4. Shells and command-line tools
GIMP available as a Technology Preview in RHEL 9
GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. The gimp package version 2.99.8 is a pre-release version with a set of improvements, but a limited set of features and no guarantee for stability. As soon as the official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release version.
In RHEL 9, you can install gimp easily as an RPM package.
Bugzilla:2047161[1]
9.5. Infrastructure services
Socket API for TuneD available as a Technology Preview
The socket API for controlling TuneD through a UNIX domain socket is now available as a Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative communication method for cases where D-Bus is not available. By using the socket API, you can control the TuneD daemon to optimize the performance, and change the values of various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file.
9.6. Networking
WireGuard VPN is available as a Technology Preview
WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.
For further details, see Setting up a WireGuard VPN.
Bugzilla:1613522[1]
kTLS available as a Technology Preview
RHEL provides kernel Transport Layer Security (KTLS) as a Technology Preview. kTLS handles TLS records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. kTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.
Bugzilla:1570255[1]
The systemd-resolved service is available as a Technology Preview
The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, a Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder.
Note that systemd-resolved is an unsupported Technology Preview.
The PRP and HSR protocols are now available as a Technology Preview
This update adds the hsr kernel module that provides the following protocols:
- Parallel Redundancy Protocol (PRP)
- High-availability Seamless Redundancy (HSR)
The IEC 62439-3 standard defines these protocols, and you can use this feature to configure zero-loss redundancy in Ethernet networks.
Bugzilla:2177256[1]
NetworkManager and the Nmstate API support MACsec hardware offload
You can use both NetworkManager and the Nmstate API to enable MACsec hardware offload if the hardware supports this feature. As a result, you can offload MACsec operations, such as encryption, from the CPU to the network interface controller.
Note that this feature is an unsupported Technology Preview.
NetworkManager enables configuring HSR and PRP interfaces
High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager service through the nmcli utility and the DBus message system.
Offloading IPsec encapsulation to a NIC is now available as a Technology Preview
This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was possible to only offload the encryption to a network interface controller (NIC). With this enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to reduce the workload.
Note that offloading the IPsec encapsulation process to a NIC also reduces the ability of the kernel to monitor and filter such packets.
Bugzilla:2178699[1]
Network drivers for modems in RHEL are available as Technology Preview
Device manufacturers support Federal Communications Commission (FCC) locking as the default setting. FCC provides a lock to bind WWAN drivers to a specific system where WWAN drivers provide a channel to communicate with modems. Based on the modem PCI ID, manufacturers integrate unlocking tools on Red Hat Enterprise Linux for ModemManager. However, a modem remains unusable if not unlocked previously even if the WWAN driver is compatible and functional. Red Hat Enterprise Linux provides the drivers for the following modems with limited functionality as a Technology Preview:
- Qualcomm MHI WWAM MBIM - Telit FN990Axx
- Intel IPC over Shared Memory (IOSM) - Intel XMM 7360 LTE Advanced
- Mediatek t7xx (WWAN) - Fibocom FM350GL
- Intel IPC over Shared Memory (IOSM) - Fibocom L860GL modem
Jira:RHELDOCS-16760[1], Jira:RHEL-6564, Bugzilla:2110561, Bugzilla:2123542, Bugzilla:2222914
Segment Routing over IPv6 (SRv6) is available as a Technology Preview
The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is the end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with the programmable custom network slices and resource reservations to address network requirements for specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.
Bugzilla:2186375[1]
kTLS rebased to version 6.3
The kernel Transport Layer Security (KTLS) functionality is a Technology Preview. In RHEL 9.3, kTLS was rebased to the 6.3 upstream version, and notable changes include:
- Added the support for 256-bit keys with TX device offload
- Delivered various bug fixes
Bugzilla:2183538[1]
9.7. Kernel
The Soft-iWARP driver is available as a Technology Preview
Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This protocol suite is fully implemented in software and does not require a specific Remote Direct Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to connect to an iWARP adapter or to another system with already installed Soft-iWARP.
Bugzilla:2023416[1]
rvu_af, rvu_nicpf, and rvu_nicvf available as Technology Preview
The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 Infrastructure Processor family:
rvu_nicpf- Marvell OcteonTX2 NIC Physical Function driver
rvu_nicvf- Marvell OcteonTX2 NIC Virtual Function driver
rvu_nicvf- Marvell OcteonTX2 RVU Admin Function driver
Bugzilla:2040643[1]
python-drgn available as a Technology Preview
The python-drgn package brings an advanced debugging utility, which adds emphasis on programmability. You can use its Python command-line interface to debug both the live kernels and the kernel dumps. Additionally, python-drgn offers scripting capabilities for you to automate debugging tasks and conduct intricate analysis of the Linux kernel.
Jira:RHEL-6973[1]
The IAA crypto driver is now available as a Technology Preview
The Intel® In-Memory Analytics Accelerator (Intel® IAA) is a hardware accelerator that provides very high throughput compression and decompression combined with primitive analytic functions.
The iaa_crypto driver, which offloads compression and decompression operations from the CPU, has been introduced in RHEL 9.4 as a Technology Preview. It supports compression and decompression compatible with the DEFLATE compression standard described in RFC 1951. The iaa_crypto driver is designed to work as a layer underneath higher-level compression devices such as zswap.
For details about the IAA crypto driver, see:
Jira:RHEL-20145[1]
9.8. File systems and storage
DAX is now available for ext4 and XFS as a Technology Preview
In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an application to directly map persistent memory into its address space. To use DAX, a system must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct mapping of storage into the application’s address space.
Bugzilla:1995338[1]
NVMe-oF Discovery Service features available as a Technology Preview
The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ website.
Bugzilla:2021672[1]
nvme-stas package available as a Technology Preview
The nvme-stas package, which is a Central Discovery Controller (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, and Automatic (zeroconf) and Manual configuration.
This package consists of two daemons, Storage Appliance Finder (stafd) and Storage Appliance Connector (stacd).
Bugzilla:1893841[1]
NVMe TP 8006 in-band authentication available as a Technology Preview
Implementing Non-Volatile Memory Express (NVMe) TP 8006, which is an in-band authentication for NVMe over Fabrics (NVMe-oF) is now available as an unsupported Technology Preview. The NVMe Technical Proposal 8006 defines the DH-HMAC-CHAP in-band authentication protocol for NVMe-oF, which is provided with this enhancement.
For more information, see the dhchap-secret and dhchap-ctrl-secret option descriptions in the nvme-connect(1) man page.
Bugzilla:2027304[1]
9.9. Compilers and development tools
jmc-core and owasp-java-encoder available as a Technology Preview
RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the AMD and Intel 64-bit architectures.
jmc-core is a library providing core APIs for Java Development Kit (JDK) Mission Control, including libraries for parsing and writing JDK Flight Recording files, and libraries for Java Virtual Machine (JVM) discovery through Java Discovery Protocol (JDP).
The owasp-java-encoder package provides a collection of high-performance low-overhead contextual encoders for Java.
Note that since RHEL 9.2, jmc-core and owasp-java-encoder are available in the CodeReady Linux Builder (CRB) repository, which you must explicitly enable. See How to enable and make use of content within CodeReady Linux Builder for more information.
libabigail: Flexible array conversion warning-suppression available as a Technology Preview
With this update, when comparing binaries, you can suppress warnings related to fake flexible arrays that were converted to true flexible arrays by using the following suppression specification:
[suppress_type]
type_kind = struct
has_size_change = true
has_strict_flexible_array_data_member_conversion = trueJira:RHEL-16629[1]
9.10. Identity Management
DNSSEC available as Technology Preview in IdM
Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.
Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:
Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.
ACME available as a Technology Preview
The Automated Certificate Management Environment (ACME) service is now available in Identity Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and avoiding manual processes from certificate lifecycle management.
In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire IdM deployment.
It is recommended to enable ACME only in an IdM deployment where all servers are running RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause problems in mixed-version deployments. For example, a CA server without ACME can cause client connections to fail, because it uses a different DNS Subject Alternative Name (SAN).
Currently, RHCS does not remove expired certificates. Because ACME certificates expire after 90 days, the expired certificates can accumulate and this can affect performance.
To enable ACME across the whole IdM deployment, use the
ipa-acme-manage enablecommand:# ipa-acme-manage enable The ipa-acme-manage command was successful
To disable ACME across the whole IdM deployment, use the
ipa-acme-manage disablecommand:# ipa-acme-manage disable The ipa-acme-manage command was successful
To check whether the ACME service is installed and if it is enabled or disabled, use the
ipa-acme-manage statuscommand:# ipa-acme-manage status ACME is enabled The ipa-acme-manage command was successful
Bugzilla:2084181[1]
9.11. Desktop
GNOME for the 64-bit ARM architecture available as a Technology Preview
The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology Preview.
You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can manage the server using graphical applications.
A limited set of graphical applications is available on 64-bit ARM. For example:
- The Firefox web browser
-
Red Hat Subscription Manager (
subscription-manager-cockpit) -
Firewall Configuration (
firewall-config) -
Disk Usage Analyzer (
baobab)
Using Firefox, you can connect to the Cockpit service on the server.
Certain applications, such as LibreOffice, only provide a command-line interface, and their graphical interface is disabled.
Jira:RHELPLAN-27394[1]
GNOME for the IBM Z architecture available as a Technology Preview
The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview.
You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage the server using graphical applications.
A limited set of graphical applications is available on IBM Z. For example:
- The Firefox web browser
-
Red Hat Subscription Manager (
subscription-manager-cockpit) -
Firewall Configuration (
firewall-config) -
Disk Usage Analyzer (
baobab)
Using Firefox, you can connect to the Cockpit service on the server.
Certain applications, such as LibreOffice, only provide a command-line interface, and their graphical interface is disabled.
Jira:RHELPLAN-27737[1]
9.12. The web console
The RHEL web console can now manage WireGuard connections
Starting with RHEL 9.4, you can use the RHEL web console to create and manage WireGuard VPN connections. Note that, both the WireGuard technology and its web console integration are unsupported Technology Previews.
Jira:RHELDOCS-17520[1]
9.13. Virtualization
Creating nested virtual machines
Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.
Jira:RHELDOCS-17040[1]
AMD SEV and SEV-ES for KVM virtual machines
As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the security of the VM.
In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host from modifying the VM’s CPU registers or reading any information from them.
Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. Also note that RHEL 9 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security attestation.
Jira:RHELPLAN-65217[1]
Intel TDX in RHEL guests
As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL 9.2 and later guest operating systems. If the host system supports TDX, you can deploy hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently does not work with kdump, and enabling TDX will cause kdump to fail on the VM.
Bugzilla:1955275[1]
A unified kernel image of RHEL is now available as a Technology Preview
As a Technology Preview, you can now obtain the RHEL kernel as a unified kernel image (UKI) for virtual machines (VMs). A unified kernel image combines the kernel, initramfs, and kernel command line into a single signed binary file.
UKIs can be used in virtualized and cloud environments, especially in confidential VMs where strong SecureBoot capabilities are required. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories.
Currently, the RHEL UKI can only be used in a UEFI boot configuration.
Bugzilla:2142102[1]
Intel vGPU available as a Technology Preview
As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple virtual devices referred to as mediated devices. These mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, these VMs share the performance of a single physical Intel GPU.
Note that this feature is deprecated and was removed entirely with the RHEL 9.3 release.
Jira:RHELDOCS-17050[1]
CPU clusters on ARM 64
As a Technology Preview, you can now create KVM virtual machines that use multiple ARM 64 CPU clusters in their CPU topology.
Jira:RHEL-7043[1]
Live migrating a VM with a Mellanox virtual function is now available as a Technology Preview
As a Technology Preview, you can now live migrate a virtual machine (VM) with an attached virtual function (VF) of a Mellanox networking device.
This feature is currently available only on a Mellanox CX-7 networking device. The VF on the Mellanox CX-7 networking device uses a new mlx5_vfio_pci driver, which adds functionality that is necessary for the live migration, and libvirt binds the new driver to the VF automatically.
Jira:RHEL-13007[1]
9.14. RHEL in cloud environments
RHEL is now available on Azure confidential VMs as a Technology Preview
With the updated RHEL kernel, you can now create and run RHEL confidential virtual machines (VMs) on Microsoft Azure as a Technology Preview. The newly added unified kernel image (UKI) now enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories.
Currently, the RHEL UKI can only be used in a UEFI boot configuration.
Jira:RHELPLAN-139800[1]
9.15. Containers
The podman-machine command is unsupported
The podman-machine command for managing virtual machines, is available only as a Technology Preview. Instead, run Podman directly from the command line.
Jira:RHELDOCS-16861[1]
Building multi-architecture images is available as a Technology Preview
The podman farm build command, which you can use to create multi-architecture container images, is available as a Technology Preview.
A farm is a group of machines that have a UNIX podman socket running in them. The nodes in the farm can have different machines of different architectures. The podman farm build command is faster than the podman build --arch --platform command.
You can use podman farm build to perform the following actions:
- Build an image on all nodes in a farm.
- Bundle nodes up into a manifest list.
-
Run the
podman buildcommand on all the farm nodes. -
Push the images to the registry specified by using the
--tagoption. - Locally create a manifest list.
Push the manifest list to the registry.
The manifest list contains one image per native architecture type that is present in the farm.
Jira:RHELPLAN-154436[1]
A new rhel9/rhel-bootc container image is available as a Technology Preview
The rhel9/rhel-bootc container image is now available in the Red Hat Container Registry as a Technology Preview. With the RHEL bootable container images, you can build, test, and deploy an operating system exactly as a container. The RHEL bootable container images differ from the existing application Universal Base Images (UBI) thanks to the following enhancements: RHEL bootable container images contain additional components necessary to boot, such as, kernel, initrd, boot loader, firmware, between others. There are no changes to existing container images. For more information, see Red Hat Ecosystem Catalog.
Jira:RHELDOCS-17803[1]
The composefs filesystem is now available as a Technology Preview
The composefs read-only filesystem is now available as a Technology Preview. This is generally intended only to be used by the bootc/ostree and podman projects at the current time. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images on runtime. As a result, you have a fully verified filesystem tree mounted, with opportunistic fine-grained sharing of identical files.
Jira:RHEL-18157[1]
