Chapter 7. Technology Preview features

With this release, you can install and use the new image-builder-cli package to build an image with one command. The new tool supports containers and enhances your user experience to create a container image that you can use to build other images. This capability is a Technology Preview feature. For more details, see Installing RHEL image builder.

Jira:RHELDOCS-20354^[1]

RHEL 10.1 introduces the Relax and Recover (ReaR) package for the 64-bit ARM architecture (aarch64) as a Technology Preview. ReaR is a disaster recovery tool that produces a bootable image that you can use to restore the system from a backup. You can currently use the following output methods with ReaR on aarch64: ISO, USB, and PXE.

For more information about ReaR, see the article What is Relax and Recover(ReaR) and how to use it for disaster recovery?

Jira:RHEL-84286^[1]

A new nodejs24 component is available as a Technology Preview in Red Hat Enterprise Linux 10.1. This update introduces Node.js 24, which includes new features, bug fixes, security updates, and performance improvements compared to Node.js 22 in RHEL 10.0.

Currently, the nodejs24 package provides versioned binaries (/usr/bin/node-24, /usr/bin/npm-24, and /usr/bin/npx-24). To use these binaries, update the shebang lines in your scripts to reference the version-specific paths. The ability for nodejs24 to provide the base binaries (/usr/bin/node and related files) might be included in a future update.

To install the nodejs24 package, enter:

# dnf install nodejs24

For information about the length of support for the nodejs Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-90826

You can now use Ansible to ensure that all DNS queries and responses between DNS clients and Identity Management (IdM) DNS servers are encrypted. Encrypted DNS using DNS over TLS (DoT) has been available as a Technology Preview in IdM deployments since RHEL 10. In RHEL 10.1, the functionality is available as a Technology Preview in the freeipa.ansible_freeipa collection.

To enable DoT during a deployment of IdM by using ansible-freeipa use the following options:

Additionally, you can set the dns_policy variable to enforce DoT-only communication, overriding the default behavior that allows fallback to unencrypted DNS.

Jira:RHELDOCS-20258^[1]

As a Technology Preview, you can use a Virtual Socket (vsock) to TCP bridge. By using this bridge, you can securely expose a virtual machine (VM) service, such as SSH, to the host machine without configuring any IP networking.

To bridge your host’s connection directly to the SSH service inside the VM over the hypervisor’s private vsock channel, you can use a relay tool such as socat.

Jira:RHEL-91041

As a Technology Preview, you can enable Confidential Compute Architecture (CCA) on RHEL 10.1 and later virtual machines (VMs). CCA, built on top of Realm Management Extension (RME), helps to maintain data privacy while it is in use within a virtual machine.

Currently, CCA can only be enabled on ARM VMs as a Technology Preview and not on a RHEL host.

Jira:RHEL-83042

As a Technology Preview, you can enable Trust Domain Extensions (TDX) on RHEL hosts. TDX is a hardware-based security feature that provides strong memory encryption and integrity protection for virtual machines, isolating them from the hypervisor and other system software.

TDX is available only with Intel CPUs.

Jira:RHEL-111863^[1]

Podman supports the following Docker API versions as a Technology Preview:

Jira:RHEL-88122

The macros.rpmsign-sequoia macro file that configures RPM to use Sequoia PGP instead of GnuPG for signing packages is now available as a Technology Preview. To enable its usage, perform the following steps:

Jira:RHEL-56363^[1]

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

For further details, see Setting up a WireGuard VPN.

Jira:RHELDOCS-20056^[1]

In RHEL, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records by using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provides this functionality.

Note that specific uses cases of kernel TLS offload might have a higher support status.

Jira:RHELDOCS-20440^[1]

With this Technology Preview, the Red Hat Enterprise Linux for Real Time is now enabled for ARM64. The ARM64 is enabled on ARM (AARCH64), for both 4k and 64k ARM kernels.

Jira:RHELDOCS-19635^[1]

The ublk_drv kernel module is now enabled as a Technology Preview. It provides the ublk framework with which you can create and build high-performance block devices from userspace. Currently, ublk requires userspace implementations, such as the Userspace Block Driver (ublksrv) or the Rust-based ublk (rublk), to function effectively.

Jira:RHELDOCS-19891^[1]

Encrypting Non-volatile Memory Express (NVMe) over TCP (NVMe/TCP) network traffic using TLS configured with Pre-Shared Keys (PSK) has been added as a Technology Preview in RHEL 10.0. For instructions, see Configuring an NVMe/TCP host using TLS with Pre-Shared-Keys.

Jira:RHELDOCS-19968^[1]

You can check all the metadata on a mounted XFS file system by using the xfs_scrub utility as a Technology Preview. It functions similarly to the xfs_repair -n command for an unmounted XFS filesystem. For details, see the xfs_scrub(8) man page on your system. Note that currently only the scrub feature is available in RHEL 10 kernels and online repair is not enabled.

Jira:RHELDOCS-20041^[1]

You can reduce the size of XFS file systems by using the xfs_growfs utility as a Technology Preview. You can remove blocks from the end of the file system by using xfs_growfs, provided that all of the following conditions are true:

Jira:RHELDOCS-20042^[1]

You can now mount XFS file systems created with a block size larger than the system page size as a Technology Preview. For example, a file system with 16-KB blocks can now be mounted on a system with a 4-KB page size, such as x86_64.

Jira:RHELDOCS-20043^[1]

The io_uring, which is an asynchronous I/O interface, is available as a Technology Preview. By default, this feature is disabled in RHEL 10. You can enable this interface by setting the kernel/io_uring_disabled variable:

You can also disable io_uring for all processes:

# echo 2 > /proc/sys/kernel/io_uring_disabled

Jira:RHEL-65347

NVMe/TCP Boot by using the NVM Express Boot Specification (NBFT) is available on select server platforms as a Technology Preview. Consult your server manufacturer for platform-specific details and compatibility information.

Jira:RHELDOCS-21587^[1]

The eu-stacktrace utility, which has been distributed through the elfutils package since version 0.192, is available as a Technology Preview feature. eu-stacktrace is a prototype utility that uses the elfutils toolkit’s unwinding libraries to support a sampling profiler to unwind frame pointer-less stack sample data.

Jira:RHELDOCS-19072^[1]

Encrypted DNS using DNS over TLS (DoT) is now available as a Technology Preview in Identity Management (IdM) deployments. You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers.

To start using this functionality, install the ipa-server-encrypted-dns package on IdM servers and replicas, and the ipa-client-encrypted-dns package on IdM clients. Administrators can enable DoT during the installation by using the --dns-over-tls option.

IdM configures Unbound as a local caching resolver and BIND to receive DoT requests. This functionality is available through the command-line interface (CLI) and non-interactive installations of IdM.

The following options were added to installation utilities for IdM servers, replicas, clients, and the integrated DNS service:

By default, IdM uses the relaxed DNS policy, which allows fallback to unencrypted DNS. You can enforce encrypted-only communication by using the new --dns-policy option with the enforced setting.

You can also enable DoT on an existing IdM deployment by reconfiguring the integrated DNS service by using ipa-dns-install with the new DoT options.

See Securing DNS with DoT in IdM for more details.

Jira:RHEL-67912

As a Technology Preview, RHEL provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the VM security.

In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host from modifying the VM’s CPU registers or reading any information from them.

RHEL also provides the Secure Nested Paging (SEV-SNP) feature as Technology Preview. SNP enhances SEV and SEV-ES by improving its memory integrity protection, which helps to prevent hypervisor-based attacks, such as data replay or memory re-mapping.

Note that:

Also note that RHEL includes SEV, SEV-ES, and SEV-SNP encryption, but not the SEV, SEV-ES, and SEV-SNP security attestation and live migration.

Jira:RHELDOCS-16800^[1]

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 10. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 10 host can act as a hypervisor, and host its own VMs.

Jira:RHELDOCS-20080^[1]

As a Technology Preview, this update adds the trustee-guest-components package. This makes it possible for confidential virtual machines to attest themselves and get confidential resources from a Trustee server.

Jira:RHEL-73770^[1]

You can pull only the changed parts of the container images compressed with the zstd:chunked format, reducing network traffic and necessary storage. You can enable partial pulls by adding the enable_partial_images = "true" setting to the /etc/containers/storage.conf file. This functionality is available as a Technology Preview.

Jira:RHEL-32266

The podman artifact command, which you can use to work with OCI artifacts at the command-line level, is available as a Technology Preview. For further informal, reference the man page.

Jira:RHEL-70218

The podman network create command now provides the vrf value for the --opt option, as a Technology Preview. The vrf value assigns a virtual routing and forwarding instance (VRF) to the bridge interface. It accepts the name of the VRF and defaults to none.

Jira:RHEL-89373

High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager service through the nmcli utility and the DBus message system.

Jira:RHEL-5852

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:

Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.

Jira:RHELDOCS-20690^[1]

The virtio Data Path Acceleration (vDPA) device in userspace (VDUSE) feature is now available as a Technology Preview for RHEL networking. VDUSE is a Linux kernel mechanism, which allocates user-space for vDPA devices specifically. This mechanism enables a user-space process to register a virtio-class device, such as a NIC or block device, with the kernel in a controlled manner. As a result, you can use it on virtual machines or the host through standard vDPA or virtio interfaces.

Jira:RHEL-76477^[1]