Chapter 7. Technology Preview features


This part provides a list of all Technology Preview features available in Red Hat Enterprise Linux 10.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

7.1. Security

System-wide post-quantum cryptography is available through crypto-policies-pq-preview as a Technology Preview

The TEST-PQ subpolicy contained in the new crypto-policies-pq-preview package provides system-wide post-quantum cryptography (PQC) as a Technology Preview. You can enable PQC by switching to the TEST-PQ subpolicy and restarting the system, for example:

# update-crypto-policies --set DEFAULT:TEST-PQ
# reboot

Note that all PQC algorithms in RHEL 10 are provided as a Technology Preview feature. The package and system-wide cryptographic policy name are subject to change when post-quantum cryptography exits the Technology Preview state. See the Post-quantum cryptography in Red Hat Enterprise Linux 10 article (Red Hat Blog) for more information.

Jira:RHEL-58241

RHEL 10 packages liboqs, oqsprovider, nss, openssh, and gnutls provide PQC as a Technology Preview

The RHEL 10.0 packages liboqs, oqsprovider, nss, openssh, and gnutls provide post-quantum cryptography (PQC) as a Technology Preview. To enable the PQC algorithms, install the crypto-policies-pq-preview package and apply the TEST-PQ cryptographic subpolicy.

For details, see the Interoperability of RHEL 10 post-quantum cryptography article (Red Hat Knowledgebase).

Jira:RHEL-65426, Jira:RHEL-65422, Jira:RHEL-58245, Jira:RHEL-58246

Encrypted DNS in RHEL is available as a Technology Preview

You can enable encrypted DNS to secure DNS communication that uses DNS-over-TLS (DoT). Encrypted DNS (eDNS) encrypts all DNS traffic end-to-end, with no fallback to insecure protocols, and aligns with zero trust architecture (ZTA) principles.

To perform a new installation with eDNS, specify the DoT-enabled DNS server by using the kernel command line. This ensures encrypted DNS is active during the installation process, boot time, and on the installed system. If you require a custom CA certificate bundle, you can install it only by using the %certificate section in the Kickstart file. Currently, the custom CA bundle can be installed only through Kickstart installation.

On an existing system, configure NetworkManager to use a new DNS plugin, dnsconfd, which manages the local DNS resolver (unbound) for eDNS. Add kernel arguments to configure eDNS for the early boot process, and optionally install a custom CA bundle.

Additionally, Identity Management (IdM) deployments can also use encrypted DNS, with the integrated DNS server supporting DoT.

See Securing system DNS traffic with encrypted DNS for more details.

Jira:RHELDOCS-20058[1], Jira:RHEL-67912

7.2. Software management

Support for signing packages with Sequoia PGP is available as a Technology Preview

The macros.rpmsign-sequoia macro file that configures RPM to use Sequoia PGP instead of GnuPG for signing packages is now available as a Technology Preview. To enable its usage, perform the following steps:

  1. Install the following packages:

    # dnf install rpm-sign sequoia-sq
  2. Copy the macros.rpmsign-sequoia file to the /etc/rpm/ directory:

    # cp /usr/share/doc/rpm/macros.rpmsign-sequoia /etc/rpm/

Jira:RHEL-56363[1]

7.3. Shells and command-line tools

The systemd-resolved service is available as a Technology Preview

The systemd-resolved service provides name resolution to local applications. The service implements a caching and validating DNS stub resolver, as well as a Link-Local Multicast Name Resolution (LLMNR) and Multicast DNS resolver and responder.

Note that systemd-resolved is an unsupported Technology Preview.

Jira:RHEL-88550

7.4. Kernel

The Red Hat Enterprise Linux for Real Time on ARM64 is now available as a Technology Preview

With this Technology Preview, Red Hat Enterprise Linux for Real Time is now enabled for ARM64 (AARCH64), for both 4k and 64k ARM kernels.

Jira:RHELDOCS-19635[1]

7.5. File systems and storage

ublk_drv driver is available as a Technology Preview

The ublk_drv kernel module is now enabled as a Technology Preview. It provides the ublk framework with which you can create and build high-performance block devices from userspace. Currently, ublk requires userspace implementations, such as the Userspace Block Driver (ublksrv) or the Rust-based ublk (rublk), to function effectively.

Jira:RHELDOCS-19891[1]

NVMe/TCP using TLS is available as a Technology Preview

Encrypting Non-volatile Memory Express (NVMe) over TCP (NVMe/TCP) network traffic using TLS configured with Pre-Shared Keys (PSK) has been added as a Technology Preview in RHEL 10.0. For instructions, see Configuring an NVMe/TCP host using TLS with Pre-Shared-Keys.

Jira:RHELDOCS-19968[1]

xfs_scrub utility is available as a Technology Preview

You can check all the metadata on a mounted XFS file system by using the xfs_scrub utility as a Technology Preview. It functions similarly to the xfs_repair -n command for an unmounted XFS filesystem. For details, see the xfs_scrub(8) man page on your system. Note that currently only the scrub feature is available in RHEL 10 kernels and online repair is not enabled.

Jira:RHELDOCS-20041[1]

Limited shrinking of XFS file systems is available as Technology Preview

You can reduce the size of XFS file systems by using the xfs_growfs utility as a Technology Preview. You can remove blocks from the end of the file system by using xfs_growfs, provided that all of the following conditions are true:

  • No metadata or data is allocated within the range to be removed.
  • The requested size is within the last allocation group.

Jira:RHELDOCS-20042[1]

Mounting XFS file systems with blocks larger than system page is available as Technology Preview

You can now mount XFS file systems created with a block size larger than the system page size as a Technology Preview. For example, a file system with 16-KB blocks can now be mounted on a system with a 4-KB page size, such as x86_64.

Jira:RHELDOCS-20043[1]

io-uring interface is available as a Technology Preview

The io_uring asynchronous I/O interface is available as a Technology Preview. By default, this feature is disabled in RHEL 10. You can enable this interface by setting the kernel/io_uring_disabled variable:

  • For all users:

    # echo 0 > /proc/sys/kernel/io_uring_disabled
  • For root only:

    # echo 1 > /proc/sys/kernel/io_uring_disabled

You can also disable io_uring for all processes:

# echo 2 > /proc/sys/kernel/io_uring_disabled

Jira:RHEL-65347
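
A value written to /proc/sys/kernel/io_uring_disabled applies only to the running kernel and is lost at reboot. The following script is an added example, not part of the original release note or of Red Hat tooling: it compares the running value with the one persisted in sysctl.d-style files. The function names and the simplified file-precedence order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat tooling): audit kernel.io_uring_disabled.

# Meaning of each value as listed in this release note.
io_uring_mode() {
    case "$1" in
        0) echo "enabled for all users" ;;
        1) echo "enabled for root only" ;;
        2) echo "disabled for all processes" ;;
        *) echo "unknown value"; return 1 ;;
    esac
}

# Print the last value assigned to the key in the given sysctl.d-style
# files. Assumption: the caller passes files in precedence order, so a
# later file overrides an earlier one.
io_uring_persistent() {
    for f in "$@"; do
        [ -r "$f" ] && { cat "$f"; echo; }
    done | awk '
        /^[ \t]*[#;]/ { next }                  # comment line
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)          # optional "-" prefix
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub(/\//, ".", key)                # kernel/x equals kernel.x
            if (key == "kernel.io_uring_disabled") last = val
        }
        END { if (last != "") print last }'
}

# $1: runtime file, remaining args: config files. Returns 0 only when the
# running value is also the persisted one.
io_uring_audit() {
    rt_file=$1; shift
    [ -r "$rt_file" ] || { echo "ABSENT: $rt_file not readable"; return 2; }
    rt=$(cat "$rt_file")
    ps=$(io_uring_persistent "$@")
    if [ -z "$ps" ]; then
        echo "UNPERSISTED: runtime=$rt ($(io_uring_mode "$rt"))"; return 1
    elif [ "$rt" != "$ps" ]; then
        echo "DRIFT: runtime=$rt ($(io_uring_mode "$rt")), persisted=$ps ($(io_uring_mode "$ps"))"; return 1
    fi
    echo "OK: runtime=$rt persisted=$ps ($(io_uring_mode "$rt"))"
}

# Approximate precedence: vendor fragments, /etc fragments, then sysctl.conf.
io_uring_audit /proc/sys/kernel/io_uring_disabled \
    /usr/lib/sysctl.d/*.conf /etc/sysctl.d/*.conf /etc/sysctl.conf || true
```

A DRIFT or UNPERSISTED result on a host that is meant to keep io_uring disabled indicates that someone changed the setting at runtime without recording it in configuration.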

7.6. Compilers and development tools

eu-stacktrace available as a Technology Preview

The eu-stacktrace utility, which has been distributed through the elfutils package since version 0.192, is available as a Technology Preview feature. eu-stacktrace is a prototype utility that uses the elfutils toolkit’s unwinding libraries to support a sampling profiler to unwind frame pointer-less stack sample data.

Jira:RHELDOCS-19072[1]

7.7. Identity Management

DNSSEC available as Technology Preview in IdM

Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:

Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices.

Jira:RHELPLAN-121751[1]

DNS over TLS (DoT) in IdM deployments is available as a Technology Preview

Encrypted DNS using DNS over TLS (DoT) is now available as a Technology Preview in Identity Management (IdM) deployments. You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers.

To start using this functionality, install the ipa-server-encrypted-dns package on IdM servers and replicas, and the ipa-client-encrypted-dns package on IdM clients. Administrators can enable DoT during the installation by using the --dns-over-tls option.

IdM configures Unbound as a local caching resolver and BIND to receive DoT requests. This functionality is available through the command-line interface (CLI) and noninteractive installations of IdM.

The following options were added to installation utilities for IdM servers, replicas, clients, and the integrated DNS service:

  • --dot-forwarder to specify an upstream DoT-enabled DNS server.
  • --dns-over-tls-key and --dns-over-tls-cert to configure DoT certificates.
  • --dns-policy to set a DNS security policy to either allow fallback to unencrypted DNS or enforce strict DoT usage.

By default, IdM uses the relaxed DNS policy, which allows fallback to unencrypted DNS. You can enforce encrypted-only communication by using the new --dns-policy option with the enforced setting.

You can also enable DoT on an existing IdM deployment by reconfiguring the integrated DNS service by using ipa-dns-install with the new DoT options.

See Securing DNS with DoT in IdM for more details.

Jira:RHEL-67912, Jira:RHELDOCS-20058

IdM-to-IdM migration is available as a Technology Preview

IdM-to-IdM migration is available in Identity Management as a Technology Preview. You can use a new ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, to another IdM server. This can be useful, for example, when moving IdM from a development or staging environment into a production one or when migrating IdM data between two production servers.

Jira:RHELDOCS-18408[1]

logconv.py is available as a Technology Preview

The logconv.py utility is available in Directory Server as a Technology Preview. logconv.py is a future replacement for the old logconv.pl utility that you could use to analyze Directory Server access logs, extract usage statistics, and count occurrences of significant events.

The utility syntax:

logconv.py /var/log/dirsrv/slapd-<instance_name>/access

For more details about the utility options and usage examples, run the logconv.py -h command.

Jira:RHEL-59513

7.8. Virtualization

AMD SEV, SEV-ES, and SEV-SNP for KVM virtual machines are available as a Technology Preview

As a Technology Preview, RHEL provides the Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV encrypts the VM’s memory to protect the VM from access by the host. This increases the VM security.

In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host from modifying the VM’s CPU registers or reading any information from them.

RHEL also provides the Secure Nested Paging (SEV-SNP) feature as Technology Preview. SNP enhances SEV and SEV-ES by improving its memory integrity protection, which helps to prevent hypervisor-based attacks, such as data replay or memory re-mapping.

Note that:

  • SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later.
  • SEV-SNP works only on 3rd generation AMD EPYC CPUs (codenamed Milan) or later.

Also note that RHEL includes SEV, SEV-ES, and SEV-SNP encryption, but not the SEV, SEV-ES, and SEV-SNP security attestation and live migration.

Jira:RHELDOCS-16800[1]

Creating nested virtual machines

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 10. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 10 host can act as a hypervisor, and host its own VMs.

Jira:RHELDOCS-20080[1]

New package: trustee-guest-components

As a Technology Preview, this update adds the trustee-guest-components package. This makes it possible for confidential virtual machines to attest themselves and get confidential resources from a Trustee server.

Jira:RHEL-73770[1]

7.9. Containers

composefs filesystem is available as a Technology Preview

The key technologies composefs uses are:

  • OverlayFS as the kernel interface
  • Enhanced Read-Only File System (EROFS) for a mountable metadata tree
  • The fs-verity feature (optional) from the lower filesystem

Key advantages of composefs:

  • Separation between metadata and data. composefs does not store any persistent data. The underlying metadata and data files are stored in a valid lower Linux filesystem such as ext4, xfs, btrfs, and so on.
  • Mounting multiple composefs with a shared storage.
  • Data files are shared in the page cache to enable multiple container images to share their memory.
  • Support fs-verity validation of the content files.

Jira:RHEL-52238

The composefs file system is available as Technology Preview

The composefs read-only file system, available as a Technology Preview, is currently intended to be used only by the bootc/ostree and podman projects. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images at runtime. As a result, you have a fully verified file-system tree mounted, with opportunistic fine-grained sharing of identical files.

Jira:RHEL-18157[1]

Partial pulls for zstd:chunked are available as a Technology Preview

You can pull only the changed parts of the container images compressed with the zstd:chunked format, reducing network traffic and necessary storage. You can enable partial pulls by adding the enable_partial_images = "true" setting to the /etc/containers/storage.conf file. This functionality is available as a Technology Preview.

Jira:RHEL-32266

The podman artifact command is available as a Technology Preview

The podman artifact command, which you can use to work with OCI artifacts at the command-line level, is available as a Technology Preview. For further information, see the man page.

Jira:RHEL-70218

The vrf option for the podman network create is available as a Technology Preview

The podman network create command provides the vrf value for the --opt option, as a Technology Preview. The vrf value assigns a virtual routing and forwarding instance (VRF) to the bridge interface. It accepts the name of the VRF and defaults to none.

This option can only be used with the Netavark network backend.

Jira:RHEL-89373

7.10. Technology Preview features identified in previous releases

This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 10.

For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support Scope.

7.10.1. Networking

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code base of WireGuard reduces the attack surface and therefore improves security.

For further details, see Setting up a WireGuard VPN.

Jira:RHELDOCS-20056[1]

KTLS available as a Technology Preview

In RHEL, Kernel Transport Layer Security (KTLS) is provided as a Technology Preview. KTLS handles TLS records by using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM cipher. KTLS also includes the interface for offloading TLS record encryption to Network Interface Controllers (NICs) that provide this functionality.

Note that specific use cases of kernel TLS offload might have a higher support status. For details, see the release notes in the New features and enhancements chapter.

Jira:RHELDOCS-20440[1]

NetworkManager enables configuring HSR and PRP interfaces

High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) are network protocols that provide seamless failover against failure of any single network component. Both protocols are transparent to the application layer, meaning that users do not experience any disruption in communication or any loss of data, because a switch between the main path and the redundant path happens very quickly and without awareness of the user. Now it is possible to enable and configure HSR and PRP interfaces using the NetworkManager service through the nmcli utility and the DBus message system.

Jira:RHEL-5852

The PRP and HSR protocols are now available as a Technology Preview

This update adds the hsr kernel module that provides the following protocols:

  • Parallel Redundancy Protocol (PRP)
  • High-availability Seamless Redundancy (HSR)

The IEC 62439-3 standard defines these protocols, and you can use this feature to configure redundancy with zero-time recovery in Ethernet networks.

Jira:RHELDOCS-20472[1]
