Questo contenuto non è disponibile nella lingua selezionata.
Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.9.
4.1. Installer and image creation
Support to both legacy and UEFI boot for AWS EC2 images
Previously, RHEL image builder created EC2 AMD or Intel 64-bit architecture AMIs images with support only for the legacy boot type. As a consequence, it was not possible to take advantage of certain AWS features requiring UEFI boot, such as secure boot. This enhancement extends the AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI boot, in addition to the legacy BIOS boot. As a result, it is now possible to take advantage of AWS features which require booting the image with UEFI.
Jira:RHELDOCS-16339[1]
New boot option inst.wait_for_disks=
to add wait time for loading a kickstart file or the kernel drivers
Sometimes, it may take a few seconds to load a kickstart file or the kernel drivers from the device with the OEMDRV
label during the boot process. To adjust the wait time, you can now use the new boot option, inst.wait_for_disks=
. Using this option, you can specify how many seconds to wait before the installation. The default time is set to 5
seconds, however, you can use 0
seconds to minimize the delay. For more information about this option, see Storage boot options.
New network
kickstart options to control DNS handling
You can now control DNS handling using the network
kickstart command with the following new options. Use these new options with the --device
option.
The
--ipv4-dns-search
and--ipv6-dns-search
options allow you to set DNS search domains manually. These options mirror their respective NetworkManager properties, for example:network --device ens3 --ipv4-dns-search domain1.example.com,domain2.example.com
-
The
--ipv4-ignore-auto-dns
and--ipv6-ignore-auto-dns
options allow you to ignore DNS settings from DHCP. They do not require any arguments.
Bugzilla:1656662[1]
4.2. Security
opencryptoki
rebased to 3.21.0
The opencryptoki
package has been rebased to version 3.21.0, which provides many enhancements and bug fixes. Most notably, opencryptoki
now supports the following features:
- Concurrent hardware security module (HSM) master key changes
-
The
protected-key
option to transform a chosen key into a protected key - Additional key types, such as DH, DSA, and generic secret key types
- EP11 host library version 4
- AES-XTS key type
- IBM-specific Kyber key type and mechanism
- Additional IBM-specific Dilithium key round 2 and 3 variants
Additionally, pkcsslotd
slot manager no longer runs as root and opencryptoki
offers further hardening. With this update, you can also use the following set of new commands:
p11sak set-key-attr
- To modify keys
p11sak copy-key
- To copy keys
p11sak import-key
- To import keys
p11sak export-key
- To export keys
Bugzilla:2159697[1]
fapolicyd
now provides rule numbers for troubleshooting
With this enhancement, new kernel and Audit components allow the fapolicyd
service to send the number of the rule that causes a denial to the fanotify
API. As a result, you can troubleshoot problems related to fapolicyd
more precisely.
ANSSI-BP-028 security profiles updated to version 2.0
The following French National Agency for the Security of Information Systems (ANSSI) BP-028 profiles in the SCAP Security Guide were updated to be aligned with version 2.0:
- ANSSI-BP-028 Minimal Level
- ANSSI-BP-028 Intermediary Level
- ANSSI-BP-028 Enhanced Level
- ANSSI-BP-028 High Level
Better definition of interactive users
The rules in the scap-security-guide
package were improved to provide more consistent interactive user configuration. Previously, some rules used different approaches for identifying interactive and non-interactive users. With this update, we have unified the definitions of interactive users. User accounts with UID greater than or equal to 1000 are now considered interactive, with the exception of the nobody
and nfsnobody
accounts and with the exception of accounts that use /sbin/nologin
as the login shell.
This change affects the following rules:
-
accounts_umask_interactive_users
-
accounts_user_dot_user_ownership
-
accounts_user_dot_group_ownership
-
accounts_user_dot_no_world_writable_programs
-
accounts_user_interactive_home_directory_defined
-
accounts_user_interactive_home_directory_exists
-
accounts_users_home_files_groupownership
-
accounts_users_home_files_ownership
-
accounts_users_home_files_permissions
-
file_groupownership_home_directories
-
file_ownership_home_directories
-
file_permissions_home_directories
-
file_permissions_home_dirs
-
no_forward_files
Bugzilla:2157877, Bugzilla:2178740
The DISA STIG profile now supports audit_rules_login_events_faillock
With this enhancement, the SCAP Security Guide audit_rules_login_events_faillock
rule, which references STIG ID RHEL-08-030590, has been added to the DISA STIG profile for RHEL 8. This rule checks if the Audit daemon is configured to record any attempts to modify login event logs stored in the /var/log/faillock
directory.
OpenSCAP rebased to 1.3.8
The OpenSCAP packages have been rebased to upstream version 1.3.8. This version provides various bug fixes and enhancements, most notably:
-
Fixed
systemd
probes to not ignore somesystemd
units -
Added offline capabilities to the
shadow
OVAL probe -
Added offline capabilities to the
sysctl
OVAL probe -
Added
auristorfs
to the list of network filesystems -
Created a workaround for issues with tailoring files produced by the
autotailor
utility
SCAP Security Guide rebased to version 0.1.69
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.69. This version provides various enhancements and bug fixes, most notably three new SCAP profiles for RHEL 9 which are aligned with three levels of the CCN-STIC-610A22 Guide issued by the National Cryptologic Center of Spain in 2022-10:
- CCN Red Hat Enterprise Linux 9 - Basic
- CCN Red Hat Enterprise Linux 9 - Intermediate
- CCN Red Hat Enterprise Linux 9 - Advanced
FIPS-enabled in-place upgrades from RHEL 8.8 and later to RHEL 9.2 and later are supported
With the release of the RHBA-2023:3824 advisory, you can perform an in-place upgrade of a RHEL 8.8 and later system to a RHEL 9.2 and later system with FIPS mode enabled.
crypto-policies
permitted_enctypes
no longer break replications in FIPS mode
Before this update, an IdM server running on RHEL 8 sent an AES-256-HMAC-SHA-1-encrypted service ticket that an IdM replica running RHEL 9 in FIPS mode. Consequently, the default permitted_enctypes
krb5
configuration broke a replication between the RHEL 8 IdM server and the RHEL 9 IdM replica in FIPS mode.
With this update, the values of the permitted_enctypes
krb5
configuration option depend on the mac
and cipher
crypto-policy
values. That allows the prioritization of the interoperable encryption types by default.
As additional results of this update, the arcfour-hmac-md5
option is available only in the LEGACY:AD-SUPPORT
subpolicy and the aes256-cts-hmac-sha1-96
is no longer available in the FUTURE
policy.
If you use Kerberos, verify the order of the values of permitted_enctypes
in the /etc/crypto-policies/back-ends/krb5.config
file. If your scenario requires a different order, apply a custom cryptographic subpolicy.
Audit now supports FANOTIFY
record fields
This update of the audit
packages introduces support for FANOTIFY
Audit record fields. The Audit subsystem now logs additional information in the AUDIT_FANOTIFY
record, notably:
-
fan_type
to specify the type of aFANOTIFY
event -
fan_info
to specify additional context information -
sub_trust
andobj_trust
to indicate trust levels for a subject and an object involved in an event
As a result, you can better understand why the Audit system denied access in certain cases. This can help you write policies for tools such as the fapolicyd
framework.
New SELinux boolean to allow QEMU Guest Agent executing confined commands
Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as mount
, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the guest-agent
must run in the virt_qemu_ga_unconfined_t
domain.
Therefore, this update adds the SELinux policy boolean virt_qemu_ga_run_unconfined
that allows guest-agent
to make the transition to virt_qemu_ga_unconfined_t
for executables located in any of the following directories:
-
/etc/qemu-ga/fsfreeze-hook.d/
-
/usr/libexec/qemu-ga/fsfreeze-hook.d/
-
/var/run/qemu-ga/fsfreeze-hook.d/
In addition, the necessary rules for transitions for the qemu-ga
daemon have been added to the SELinux policy boolean.
As a result, you can now execute confined commands through the QEMU Guest Agent without AVC denials by enabling the virt_qemu_ga_run_unconfined
boolean.
4.3. Infrastructure services
Postfix now supports SRV lookups
With this enhancement, you can now use the Postfix DNS service records resolution (SRV) to automatically configure mail clients and balance load of servers. Additionally, you can prevent mail delivery disruptions caused by temporary DNS issues or misconfigured SRV records by using the following SRV-related options in your Postfix configuration:
use_srv_lookup
- You can enable discovery for the specified service by using DNS SRV records.
allow_srv_lookup_fallback
- You can use a cascading approach to locating a service.
ignore_srv_lookup_error
- You can ensure that the service discovery remains functional even if SRV records are not available or encounter errors.
You can now specify TLS 1.3 cipher suites in vsftpd
With this enhancement, you can use the new ssl_ciphersuites
option to configure which cipher suites vsftpd
uses. As a result, you can specify TLS 1.3 cipher suites that differ from the previous TLS versions. To specify multiple cipher suites, separate entries with colons (:).
Generic LF-to-CRLF driver is available in cups-filters
With this enhancement, you can now use the Generic LF-to-CRLF driver, which converts LF characters to CR+LF characters for printers accepting files with CR+LF characters. The carriage return (CR) and line feed (LF) are control characters that mark the end of lines. As a result, by using this driver, you can send an LF character terminated file from your application to a printer accepting only CR+LF characters. The Generic LF-to-CRLF driver is a renamed version of the text-only
driver from RHEL 7. The new name reflects its actual functionality.
Bugzilla:2118406[1]
4.4. Networking
iproute
rebased to version 6.2.0
The iproute
packages have been upgraded to upstream version 6.2.0, which provides a number of enhancements and bug fixes over the previous version. The most notable changes are:
-
The new
ip stats
command manages and shows interface statistics. By default, theip stats show
command displays statistics for all network devices, including bridges and bonds. You can filter the output by using thedev
andgroup
options. For further details, see theip-stats(8)
man page. -
The
ss
utility now provides the-T
(--threads
) option to display thread information, which extends the-p
(--processes
) option. For further details, see thess(8)
man page. -
You can use the new
bridge fdb flush
command to remove specific forwarding database (fdb) entries which match a supplied option. For further details, see thebridge(8)
man page.
Jira:RHEL-424[1]
Security improvement of the default nftables
service configuration
This enhancement adds the do_masquerade
chain to the default nftables
service configuration in the /etc/sysconfig/nftables/nat.nft
file. This reduces the risk of a port shadow attack, which is described in CVE-2021-3773. The first rule in the do_masquerade
chain detects suitable packets and enforces source port randomization to reduce the risk of port shadow attacks.
NetworkManager
supports the no-aaaa
DNS option
You can now use the no-aaaa
option to configure DNS settings on managed nodes by suppressing AAAA queries generated by the stub resolver. Previously, there was no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo
; only DNS lookups were affected. With this enhancement, you can disable IPv6 resolution by using the nmcli
utility. After a restart of the NetworkManager
service, the no-aaaa
setting gets reflected in the /etc/resolv.conf
file, with additional control over DNS lookups.
The nm-cloud-setup
utility now supports IMDSv2 configuration
Users can configure an AWS Red Hat Enterprise Linux EC2 instance with Instance Metadata Service Version 2 (IMDSv2) with the nm-cloud-setup
utility. To comply with improved security that restricts unauthorized access to EC2 metadata and new features, integration between AWS and Red Hat services is necessary to provide advanced features. This enhancement enables the nm-cloud-setup
utility to fetch and save the IMDSv2 tokens, verify an EC2 environment, and retrieve information about available interfaces and IP configuration by using the secured IMDSv2 tokens.
The libnftnl
package rebased to version 1.2.2
The Netlink API to the in-kernel nf_tables
subsystem (libnftnl
) package has been rebased. Notable changes and enhancements include:
Added features:
-
Nesting of the
udata
attribute -
Resetting TCP options with the
exthdr
expression -
The
sdif
andsdifname
meta keywords -
Support for a new attribute
NFTNL_CHAIN_FLAGS
in thenftnl_chain
struct, to communicate flags between the kernel and user space. -
Support for the
nftnl_set
struct nftables sets backend to add expressions to sets and set elements. - Comments to sets, tables, objects, and chains
-
The
nftnl_table
struct now has anNFTNL_TABLE_OWNER
attribute. Set this attribute to enable the kernel to communicate the owner to the user space. - Readiness for incremental updates to flowtable device
-
The
typeof
keyword relatednftnl_set udata
definitions -
The
chain
ID attribute - The function to remove expressions from a rule
-
A new
last
expression
-
Nesting of the
Improved bitwise expressions:
-
Newly added
op
anddata
attributes - Left and right shifts
- Aligned with debug output of other expressions
-
Newly added
Improved socket expressions:
-
Added the
wildcard
attribute - Support for cgroups v2
-
Added the
Improved debug output:
-
Included the
key_end
data register in set elements -
Dropped unused registers from
masq
and nat expressions - Applied fix for verdict map elements
- Removed leftovers from dropped XML formatting
- Support for payload offset of inner header
-
Included the
4.5. Kernel
Kernel version in RHEL 8.9
Red Hat Enterprise Linux 8.9 is distributed with the kernel version 4.18.0-513.5.1.
The RHEL kernel now supports AutoIBRS
Automatic Indirect Branch Restricted Speculation (AutoIBRS) is a feature provided by the AMD EPYC 9004 Genoa family of processors and later CPU versions. AutoIBRS is the default mitigation for the Spectre v2 CPU vulnerability, which boosts performance and improves scalability.
Bugzilla:1989283[1]
The Intel® QAT kernel driver rebased to upstream version 6.2
The Intel® Quick Assist Technology (QAT) has been rebased to upstream version 6.2. The Intel® QAT includes accelerators optimized for symmetric and asymmetric cryptography, compression performance, and other CPU intensive tasks.
The rebase includes many bug fixes and enhancements. The most notable enhancement is the support available for following hardware accelerator devices for QAT GEN4:
- Intel Quick Assist Technology 401xx devices
- Intel Quick Assist Technology 402xx devices
Bugzilla:2144529[1]
makedumpfile
rebased to version 1.7.2
The makedumpfile
tool, which makes the crash dump file small by compressing pages or excluding memory pages that are not required, has been rebased to version 1.7.2. The rebase includes many bug fixes and enhancements.
The most notable change is the added 5-level paging mode for standalone dump (sadump
) mechanism on AMD and Intel 64-bit architectures. The 5-level paging mode extends the processor’s linear address width to allow applications access larger amounts of memory. 5-level paging extends the size of virtual addresses from 48 to 57 bits and the physical addresses from 46 to 52 bits.
4.6. File systems and storage
Support for specifying a UUID when creating a GFS2 file system
The mkfs.gfs2
command now supports the new -U
option, which makes it possible to specify the file system UUID for the file system you create. If you omit this option, the file system’s UUID is generated randomly.
fuse3
now allows invalidating a directory entry without triggering umount
With this update, a new mechanism has been added to fuse3
package, that allows invalidating a directory entry without automatically triggering the umount
of any mounts that exists on the entry.
Bugzilla:2171095[1]
4.7. High availability and clusters
Pacemaker’s scheduler now tries to satisfy all mandatory colocation constraints before trying to satisfy optional colocation constraints
Previously, colocation constraints were considered one by one regardless of whether they were mandatory or optional. This meant that certain resources could be unable to run even though a node assignment was possible. Pacemaker’s scheduler now tries to satisfy all mandatory colocation constraints, including the implicit constraints between group members, before trying to satisfy optional colocation constraints. As a result, resources with a mix of optional and mandatory colocation constraints are now more likely to be able to run.
IPaddr2
and IPsrcaddr
cluster resource agents now support policy-based routing
The IPaddr2
and IPsrcaddr
cluster resource agents now support policy-based routing, which enables you to configure complex routing scenarios. Policy-based routing requires that you configure the resource agent’s table
parameter.
The Filesystem
resource agent now supports the EFS file system type
The ocf:heartbeat:Filesystem
cluster resource agent now supports the Amazon Elastic File System (EFS). You can now specify fstype=efs
when configuring a Filesystem
resource.
The alert_snmp.sh.sample
alert agent now supports SNMPv3
The alert_snmp.sh.sample
alert agent, which is the sample alert agent provided with Pacemaker, now supports the SNMPv3 protocol as well as SNMPv2. With this update, you can copy the alert_snmp.sh.sample
agent without modification to use SNMPv3 with Pacemaker alerts.
New enabled
alert meta option to disable a Pacemaker alert
Pacemaker alerts and alert recipients now support an enabled
meta option.
-
Setting the
enabled
meta option tofalse
for an alert disables the alert. -
Setting the
enabled
meta option totrue
for an alert andfalse
for a particular recipient disables the alert for that recipient.
The default value for the enabled
meta option is true
. You can use this option to temporarily disable an alert for any reason, such as planned maintenance.
Pacemaker Remote nodes now preserve transient node attributes after a brief connection outage
Previously, when a Pacemaker Remote connection was lost, Pacemaker would always purge its transient node attributes. This was unnecessary if the connection was quickly recoverable and the remote daemon had not restarted in the meantime. Pacemaker Remote nodes now preserve transient node attributes after a brief, recoverable connection outage.
Enhancements to the pcs property
command
The pcs property
command now supports the following enhancements:
The
pcs property config --output-format=
option-
Specify
--output-format=cmd
to display thepcs property set
command created from the current cluster properties configuration. You can use this command to re-create configured cluster properties on a different system. -
Specify
--output-format=json
to display the configured cluster properties in JSON format. -
Specify
output-format=text
to display the configured cluster properties in plain text format, which is the default value for this option.
-
Specify
-
The
pcs property defaults
command, which replaces the deprecatedpcs property --defaults
option -
The
pcs property describe
command, which describes the meaning of cluster properties.
4.8. Dynamic programming languages, web and database servers
A new nodejs:20
module stream is fully supported
A new module stream, nodejs:20
, previously available as a Technology Preview, is fully supported with the release of the RHEA-2023:7249 advisory. The nodejs:20
module stream now provides Node.js 20.9
, which is a Long Term Support (LTS) version.
Node.js 20
included in RHEL 8.9 provides numerous new features, bug fixes, security fixes, and performance improvements over Node.js 18
available since RHEL 8.7.
Notable changes include:
-
The
V8
JavaScript engine has been upgraded to version 11.3. -
The
npm
package manager has been upgraded to version 9.8.0. -
Node.js
introduces a new experimental Permission Model. -
Node.js
introduces a new experimental Single Executable Application (SEA) feature. -
Node.js
provides improvements to the Experimental ECMAScript modules (ESM) loader. -
The native test runner, introduced as an experimental
node:test
module inNode.js 18
, is now considered stable.
To install the nodejs:20
module stream, use:
# yum module install nodejs:20
If you want to upgrade from the nodejs:18
stream, see Switching to a later stream.
For information about the length of support for the nodejs
Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new filter
argument to the Python tarfile
extraction functions
To mitigate CVE-2007-4559, Python adds a filter
argument to the tarfile
extraction functions. The argument allows turning tar
features off for increased safety (including blocking the CVE-2007-4559 directory traversal attack). If a filter is not specified, the 'data'
filter, which is the safest but most limited, is used by default in RHEL. In addition, Python emits a warning when your application has been affected.
For more information, including instructions to hide the warning, see the Knowledgebase article Mitigation of directory traversal attack in the Python tarfile library (CVE-2007-4559).
Jira:RHELDOCS-16405[1]
The HTTP::Tiny
Perl module now verifies TLS certificates by default
The default value for the verify_SSL
option in the HTTP::Tiny
Perl module has been changed from 0
to 1
to verify TLS certificates when using HTTPS. This change fixes CVE-2023-31486 for HTTP::Tiny
and CVE-2023-31484 for the CPAN Perl module.
To make support for TLS verification available, this update adds the following dependencies to the perl-HTTP-Tiny
package:
-
perl-IO-Socket-SSL
-
perl-Mozilla-CA
-
perl-Net-SSLeay
Bugzilla:2228409[1]
A new environment variable in Python to control parsing of email addresses
To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.
The update in RHSA-2024:0256 introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING
environment variable. When you set this variable to true
, the previous, less strict parsing behavior is the default for the entire system:
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
However, individual calls to the affected functions can still enable stricter behavior.
You can achieve the same result by creating the /etc/python/email.cfg
configuration file with the following content:
[email_addr_parsing] PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python.
Jira:RHELDOCS-17369[1]
4.9. Compilers and development tools
Improved string and memory routine performance on Intel® Xeon® v5-based hardware in glibc
Previously, the default amount of cache used by glibc
for string and memory routines resulted in lower than expected performance on Intel® Xeon® v5-based systems. With this update, the amount of cache to use has been tuned to improve performance.
GCC now supports preserving register arguments
With this update, you can now store argument register content to the stack and generate proper Call Frame Information (CFI) to allow the unwinder to locate it without negatively impacting performance.
Bugzilla:2168205[1]
New GCC Toolset 13
GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
The GCC compiler has been updated to version 13.1.1, which provides many bug fixes and enhancements that are available in upstream GCC.
The following tools and versions are provided by GCC Toolset 13:
Tool | Version |
---|---|
GCC | 13.1.1 |
GDB | 12.1 |
binutils | 2.40 |
dwz | 0.14 |
annobin | 12.20 |
To install GCC Toolset 13, run the following command as root:
# yum install gcc-toolset-13
To run a tool from GCC Toolset 13:
$ scl enable gcc-toolset-13 tool
To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:
$ scl enable gcc-toolset-13 bash
For more information, seehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/developing_c_and_cpp_applications_in_rhel_8/additional-toolsets-for-development_developing-applications#gcc-toolset-13_assembly_additional-toolsets-for-development[GCC Toolset 13] and Using GCC Toolset.
Bugzilla:2171898[1], Bugzilla:2171928, Bugzilla:2188490
GCC Toolset 13: GCC rebased to version 13.1.1
In GCC Toolset 13, the GNU Compiler Collection (GCC) has been updated to version 13.1.1. Notable changes include:
General improvements
OpenMP:
- OpenMP 5.0: Fortran now supports some non-rectangular loop nests. Such support was added for C/C++ in GCC 11.
- Many OpenMP 5.1 features have been added.
- Initial support for OpenMP 5.2 features has been added.
-
A new debug info compression option value,
-gz=zstd
, is now available. -
The
-Ofast
,-ffast-math
, and-funsafe-math-optimizations
options no longer add startup code to alter the floating-point environment when producing a shared object with the-shared
option. -
GCC can now emit its diagnostics using Static Analysis Results Interchange Format (SARIF), a JSON-based format suited for capturing the results of static analysis tools (like GCC’s
-fanalyzer
). You can also use SARIF to capture other GCC warnings and errors in a machine-readable format. - Link-time optimization improvements have been implemented.
New languages and language-specific improvements
C family:
-
A new
-Wxor-used-as-pow
option warns about uses of the exclusive or (^
) operator where the user might have meant exponentiation. Three new function attributes have been added for documenting
int
arguments that are file descriptors:-
attribute((fd_arg(N)))
-
attribute((fd_arg_read(N)))
-
attribute((fd_arg_write(N)))
These attributes are also used by
-fanalyzer
to detect misuses of file descriptors.-
-
A new statement attribute,
attribute((assume(EXPR)));
, has been added for C++23 portable assumptions. The attribute is supported also in C or earlier C++. -
GCC can now control when to treat the trailing array of a structure as a flexible array member for the purpose of accessing the elements of such an array. By default, all trailing arrays in aggregates are treated as flexible array members. Use the new command-line option
-fstrict-flex-arrays
to control what array members are treated as flexible arrays.
C:
Several C23 features have been implemented:
-
Introduced the
nullptr
constant. - Enumerations enhanced to specify underlying types.
- Requirements for variadic parameter lists have been relaxed.
-
Introduced the
auto
feature to enable type inference for object definitions. -
Introduced the
constexpr
specifier for object definitions. - Introduced storage-class specifiers for compound literals.
-
Introduced the
typeof
object (previously supported as an extension) and thetypeof_unqual
object. -
Added new keywords:
alignas
,alignof
,bool
,false
,static_assert
,thread_local
, andtrue
. -
Added the
[[noreturn]]
attribute to specify that a function does not return execution to its caller. - Added support for empty initializer braces.
-
Added support for
STDC_VERSION_*_H
header version macros. -
Removed the
ATOMIC_VAR_INIT
macro. -
Added the
unreachable
macro for the<stddef.h>
header. - Removed trigraphs.
- Removed unprototyped functions.
-
Added
printf
andscanf
format checking through the-Wformat
option for the%wN
and%wfN
format length modifiers. - Added support for identifier syntax of Unicode Standard Annex (UAX) 31.
-
Existing features adopted in C23 have been adjusted to follow C23 requirements and are not diagnosed using the
-std=c2x -Wpedantic
option.
-
Introduced the
-
A new
-Wenum-int-mismatch
option warns about mismatches between an enumerated type and an integer type.
C++:
Implemented excess precision support through the
-fexcess-precision
option. It is enabled by default in strict standard modes like-std=c++17
, where it defaults to-fexcess-precision=standard
. In GNU standard modes like-std=gnu++20
, it defaults to-fexcess-precision=fast
, which restores previous behavior.The
-fexcess-precision
option affects the following architectures:-
Intel 32- and 64-bit using x87 math, in some cases on Motorola 68000, where
float
anddouble
expressions are evaluated inlong double
precision. -
64-bit IBM Z systems where
float
expressions are evaluated indouble
precision. -
Several architectures that support the
std::float16_t
orstd::bfloat16_t
types, where these types are evaluated infloat
precision.
-
Intel 32- and 64-bit using x87 math, in some cases on Motorola 68000, where
Improved experimental support for C++23, including:
- Added support for labels at the end of compound statements.
- Added a type trait to detect reference binding to a temporary.
- Reintroduced support for volatile compound operations.
-
Added support for the
#warning
directive. - Added support for delimited escape sequences.
- Added support for named universal character escapes.
-
Added a compatibility and portability fix for the
char8_t
type. -
Added static
operator()
function objects. - Simplified implicit moves.
- Rewriting equality in expressions is now less of a breaking change.
- Removed non-encodable wide character literals and wide multicharacter literals.
-
Relaxed some
constexpr
function restrictions. - Extended floating-point types and standard names.
- Implemented portable assumptions.
- Added support for UTF-8 as a portable source file encoding standard.
-
Added support for static
operator[]
subscripts.
New warnings:
-
-Wself-move
warns when a value is moved to itself withstd::move
. -
-Wdangling-reference
warns when a reference is bound to a temporary whose lifetime has ended. -
The
-Wpessimizing-move
and-Wredundant-move
warnings have been extended to warn in more contexts.
-
-
The new
-nostdlib++
option enables linking withg++
without implicitly linking in the C++ standard library.
Changes in the libstdc++
runtime library
Improved experimental support for C++20, including:
-
Added the
<format>
header and thestd::format
function. -
Added support in the
<chrono>
header for thestd::chrono::utc_clock
clock, other clocks, time zones, and thestd::format
function.
-
Added the
Improved experimental support for C++23, including:
-
Additions to the
<ranges>
header:views::zip
,views::zip_transform
,views::adjacent
,views::adjacent_transform
,views::pairwise
,views::slide
,views::chunk
,views::chunk_by
,views::repeat
,views::chunk_by
,views::cartesian_product
,views::as_rvalue
,views::enumerate
,views::as_const
. -
Additions to the
<algorithm>
header:ranges::contains
,ranges::contains_subrange
,ranges::iota
,ranges::find_last
,ranges::find_last_if
,ranges::find_last_if_not
,ranges::fold_left
,ranges::fold_left_first
,ranges::fold_right
,ranges::fold_right_last
,ranges::fold_left_with_iter
,ranges::fold_left_first_with_iter
. -
Support for monadic operations for the
std::expected
class template. -
Added
constexpr
modifiers to thestd::bitset
,std::to_chars
andstd::from_chars
functions. - Added library support for extended floating-point types.
-
Additions to the
-
Added support for the
<experimental/scope>
header from version 3 of the Library Fundamentals Technical Specification (TS). -
Added support for the
<experimental/synchronized_value>
header from version 2 of the Concurrency TS. Added support for many previously unavailable features in freestanding mode. For example:
-
The
std::tuple
class template is now available for freestanding compilation. -
The
libstdc++
library adds components to the freestanding subset, such asstd::array
andstd::string_view
. -
The
libstdc++
library now respects the-ffreestanding
compiler option, so it is no longer necessary to build a separate freestanding installation of thelibstdc++
library. Compiling with-ffreestanding
will restrict the available features to the freestanding subset, even if thelibstdc++
library was built as a full, hosted implementation.
-
The
New targets and target-specific Improvements
The 64-bit ARM architecture:
-
Added support for the
armv9.1-a
,armv9.2-a
, andarmv9.3-a
arguments for the-march=
option.
The 32- and 64-bit AMD and Intel architectures:
-
For both C and C++, the
__bf16
type is supported on systems with Streaming SIMD Extensions 2 and above enabled. -
The real
__bf16
type is now used forAVX512BF16
instruction intrinsics. Previously,__bfloat16
, a typedef of short, was used. Adjust yourAVX512BF16
related source code when upgrading GCC 12 to GCC 13. Added new Instruction Set Architecture (ISA) extensions to support the following Intel instructions:
-
AVX-IFMA
whose instruction intrinsics are available through the-mavxifma
compiler switch. -
AVX-VNNI-INT8
whose instruction intrinsics are available through the-mavxvnniint8
compiler switch. -
AVX-NE-CONVERT
whose instruction intrinsics are available through the-mavxneconvert
compiler switch. -
CMPccXADD
whose instruction intrinsics are available through the-mcmpccxadd
compiler switch. -
AMX-FP16
whose instruction intrinsics are available through the-mamx-fp16
compiler switch. -
PREFETCHI
whose instruction intrinsics are available through the-mprefetchi
compiler switch. -
RAO-INT
whose instruction intrinsics are available through the-mraoint
compiler switch. -
AMX-COMPLEX
whose instruction intrinsics are available through the-mamx-complex
compiler switch.
-
-
GCC now supports AMD CPUs based on the
znver4
core through the-march=znver4
compiler switch. The switch makes GCC consider using 512-bit vectors when auto-vectorizing.
Improvements to the static analyzer
The static analyzer has gained 20 new warnings:
-
-Wanalyzer-allocation-size
-
-Wanalyzer-deref-before-check
-
-Wanalyzer-exposure-through-uninit-copy
-
-Wanalyzer-imprecise-fp-arithmetic
-
-Wanalyzer-infinite-recursion
-
-Wanalyzer-jump-through-null
-
-Wanalyzer-out-of-bounds
-
-Wanalyzer-putenv-of-auto-var
-
-Wanalyzer-tainted-assertion
Seven new warnings relating to misuse of file descriptors:
-
-Wanalyzer-fd-access-mode-mismatch
-
-Wanalyzer-fd-double-close
-
-Wanalyzer-fd-leak
-
-Wanalyzer-fd-phase-mismatch
(for example, callingaccept
on a socket before callinglisten
on it) -
-Wanalyzer-fd-type-mismatch
(for example, using a stream socket operation on a datagram socket) -
-Wanalyzer-fd-use-after-close
-Wanalyzer-fd-use-without-check
-
Also implemented special-casing handling of the behavior of the
open
,close
,creat
,dup
,dup2
,dup3
,pipe
,pipe2
,read
, andwrite
functions.
-
Also implemented special-casing handling of the behavior of the
-
Four new warnings for misuses of the
<stdarg.h>
header:-
-Wanalyzer-va-list-leak
warns about missing ava_end
macro after ava_start
orva_copy
macro. -
-Wanalyzer-va-list-use-after-va-end
warns about ava_arg
orva_copy
macro used on ava_list
object type that has had theva_end
macro called on it. -
-Wanalyzer-va-arg-type-mismatch
type-checksva_arg
macro usage in interprocedural execution paths against the types of the parameters that were actually passed to the variadic call. -
-Wanalyzer-va-list-exhausted
warns if ava_arg
macro is used too many times on ava_list
object type in interprocedural execution paths.
-
-
- Numerous other improvements.
Backwards incompatible changes
For C++, construction of global iostream objects such as std::cout
, std::cin
is now done inside the standard library, instead of in every source file that includes the <iostream>
header. This change improves the startup performance of C++ programs, but it means that code compiled with GCC 13.1 will crash if the correct version of libstdc++.so
is not used at runtime. See the documentation about using the correct libstdc++.so
at runtime. Future GCC releases will mitigate the problem so that the program cannot be run at all with an earlier incompatible libstdc++.so
.
Bugzilla:2172091[1]
GCC Toolset 13: annobin
rebased to version 12.20
GCC Toolset 13 provides the annobin
package version 12.20. Notable enhancements include:
-
Added support for moving
annobin
notes into a separate debug info file. This results in reduced executable binary size. - Added support for a new smaller note format reduces the size of the separate debuginfo files and the time taken to create these files.
Bugzilla:2171923[1]
GCC Toolset 13: GDB rebased to version 12.1
GCC Toolset 13 provides GDB version 12.1.
Notable bug fixes and enhancements include:
-
GDB now styles source code and disassembler by default. If styling interferes with automation or scripting of GDB, you can disable it by using the
maint set gnu-source-highlight enabled off
andmaint set style disassembler enabled off
commands. -
GDB now displays backtraces whenever it encounters an internal error. If this affects scripts or automation, you can use the
maint set backtrace-on-fatal-signal off
command to disable this feature.
C/C++ improvements:
- GDB now treats functions or types involving C++ templates similarly to function overloads. You can omit parameter lists to set breakpoints on families of template functions, including types or functions composed of multiple template types. Tab completion has gained similar improvements.
Terminal user interface (TUI):
tui layout
tui focus
tui refresh
tui window height
These are the new names for the oldlayout
,focus
,refresh
, andwinheight
TUI commands respectively. The old names still exist as aliases to these new commands.tui window width
winwidth
Use the new
tui window width
command, or thewinwidth
alias, to adjust the width of a TUI window when windows are laid out in horizontal mode.info win
This command now includes information about the width of the TUI windows in its output.
Machine Interface (MI) changes:
- The default version of the MI interpreter is now 4 (-i=mi4).
-
The
-add-inferior
command with no flag now inherits the connection of the current inferior. This restores the behavior of GDB prior to version 10. -
The
-add-inferior
command now accepts a--no-connection
flag that causes the new inferior to start without a connection. The
script
field in breakpoint output (which is syntactically incorrect in MI 3 and earlier) has become a list in MI 4. This affects the following commands and events:-
-break-insert
-
-break-info
-
=breakpoint-created
=breakpoint-modified
Use the
-fix-breakpoint-script-output
command to enable the new behavior with earlier MI versions.
-
New commands:
maint set internal-error backtrace [on|off]
maint show internal-error backtrace
maint set internal-warning backtrace [on|off]
maint show internal-warning backtrace
GDB can now print a backtrace of itself when it encounters internal error or internal warning. This is enabled by default for internal errors and disabled by default for internal warnings.
exit
You can exit GDB using the new
exit
command in addition to the existingquit
command.maint set gnu-source-highlight enabled [on|off]
maint show gnu-source-highlight enabled
Enables or disables the GNU Source Highlight library for adding styling to source code. When disabled, the library is not used even if it is available. When the GNU Source Highlight library is not used the Python Pygments library is used instead.set suppress-cli-notifications [on|off]
show suppress-cli-notifications
Controls if printing the notifications is suppressed for CLI or not. CLI notifications occur when you change the selected context (such as the current inferior, thread, or frame), or when the program being debugged stops (for example: because of hitting a breakpoint, completing source-stepping, or an interrupt).
set style disassembler enabled [on|off]
show style disassembler enabled
When enabled, the command applies styling to disassembler output if GDB is compiled with Python support and the Python Pygments package is available.
Changed commands:
set logging [on|off]
Deprecated and replaced by the
set logging enabled [on|off]
command.print
Printing of floating-point values with base-modifying formats like
/x
has been changed to display the underlying bytes of the value in the desired base.clone-inferior
The
clone-inferior
command now ensures that theTTY
,CMD
, andARGs
settings are copied from the original inferior to the new one. All modifications to the environment variables done using theset environment
orunset environment
commands are also copied to the new inferior.
Python API:
-
The new
gdb.add_history()
function takes agdb.Value
object and adds the value it represents to GDB’s history list. The function returns an integer, which is the index of the new item in the history list. -
The new
gdb.history_count()
function returns the number of values in GDB’s value history. -
The new
gdb.events.gdb_exiting
event is called with agdb.GdbExitingEvent
object that has the read-only attributeexit_code
containing the value of the GDB exit code. This event is triggered prior to GDB’s exit before GDB starts to clean up its internal state. -
The new
gdb.architecture_names()
function returns a list containing all of the possibleArchitecture.name()
values. Each entry is a string. -
The new
gdb.Architecture.integer_type()
function returns an integer type given a size and a signed-ness. -
The new
gdb.TargetConnection
object type represents a connection (as displayed by theinfo connections
command). A sub-class,gdb.RemoteTargetConnection
, representsremote
andextended-remote
connections. -
The
gdb.Inferior
type now has aconnection
property that is an instance of thegdb.TargetConnection
object, the connection used by this inferior. This can beNone
if the inferior has no connection. -
The new
gdb.events.connection_removed
event registry emits agdb.ConnectionEvent
event when a connection is removed from GDB. This event has aconnection
property, agdb.TargetConnection
object for the connection being removed. -
The new
gdb.connections()
function returns a list of all currently active connections. -
The new
gdb.RemoteTargetConnection.send_packet(PACKET)
method is equivalent to the existingmaint packet
CLI command. You can use it to send a specified packet to the remote target. -
The new
gdb.host_charset()
function returns the name of the current host character set as a string. -
The new
gdb.set_parameter(NAME, VALUE)
function sets the GDB parameterNAME
toVALUE
. -
The new
gdb.with_parameter(NAME, VALUE)
function returns a context manager that temporarily sets the GDB parameterNAME
toVALUE
and then resets it when the context is exited. -
The
gdb.Value.format_string
method now takes astyling
argument, which is a boolean. Whentrue
, the returned string can include escape sequences to apply styling. The styling is present only if styling is turned on in GDB (seehelp set styling
). Whenfalse
, which is the default if thestyling
argument is not given, no styling is applied to the returned string. -
The new read-only attribute
gdb.InferiorThread.details
is either a string containing additional target-specific thread-state information, orNone
if there is no such additional information. -
The new read-only attribute
gdb.Type.is_scalar
isTrue
for scalar types, andFalse
for all other types. -
The new read-only attribute
gdb.Type.is_signed
should only be read whenType.is_scalar
isTrue
, and will beTrue
for signed types andFalse
for all other types. Attempting to read this attribute for non-scalar types will raise aValueError
. - You can now add GDB and MI commands implemented in Python.
For more information see the upstream release notes:
Bugzilla:2172095[1]
GCC Toolset 13: bintuils
rebased to version 2.40
GCC Toolset 13 provides the binutils
package version 2.40. Notable enhancements include:
Linkers:
-
The new
-w
(--no-warnings
) command-line option for the linker suppresses the generation of any warning or error messages. This is useful in case you need to create a known non-working binary. The ELF linker now generates a warning message if:
- The stack is made executable
-
It creates a memory resident segment with all three of the
Read
,Write
andeXecute
permissions set It creates a thread local data segment with the
eXecute
permission set.You can disable these warnings by using the
--no-warn-exec-stack
or--no-warn-rwx-segments
options.
- The linker can now insert arbitrary JSON-format metadata into binaries that it creates.
Other tools:
-
A new the
objdump
tool’s--private
option to display fields in the file header and section headers for Portable Executable (PE) format files. -
A new
--strip-section-headers
command-line option for theobjcopy
andstrip
utilities to remove the ELF section header from ELF files. -
A new
--show-all-symbols
command-line option for theobjdump
utility to display all symbols that match a given address when disassembling, as opposed to the default function of displaying only the first symbol that matches an address. -
A new
-W
(--no-weak
) option to thenm
utility to make it ignore weak symbols. The
objdump
utility now supports syntax highlighting of disassembler output for some architectures. Use the--disassembler-color=MODE
command-line option, with MODE being one of the following:-
off
-
color
- This option is supported by all terminal emulators. -
extended-color
- This option uses 8-bit colors not supported by all terminal emulators.
-
Bugzilla:2171924[1]
GCC Toolset 13: annobin
rebased to version 12.20
GCC Toolset 13 provides the annobin
package version 12.20. Notable enhancements include:
-
Added support for moving
annobin
notes into a separate debug info file. This results in reduced executable binary size. - Added support for a new smaller note format, which reduces the size of the separate debuginfo files and the time taken to create these files.
Bugzilla:2171921[1]
Valgrind rebased to version 3.21.0
Valgrind has been updated to version 3.21.0. Notable enhancements include:
-
A new
abexit
value for the--vgdb-stop-at=event1,event2,…
option notifies thegdbserver
utility when your program exits abnormally, such as with a non-zero exit code. A new
--enable-debuginfod=[yes|no]
option instructs Valgrind to use thedebuginfod
servers listed in theDEBUGINFOD_URLS
environment variable to fetch any missing DWARF debuginfo information for the program running under Valgrind. The default value for this option isyes
.NoteThe
DEBUGINFOD_URLS
environment variable is not set by default.-
The
vgdb
utility now supports the extended remote protocol when invoked with the--multi
option. The GDBrun
command is supported in this mode and, as a result, you can run GDB and Valgrind from a single terminal. -
You can use the
--realloc-zero-bytes-frees=[yes|no]
option to change the behavior of therealloc()
function with a size of zero for tools that intercept themalloc()
call. -
The
memcheck
tool now performs checks for the use of therealloc()
function with a size of zero. Use the new--show-realloc-size-zero=[yes|no]
switch to disable this feature. -
You can use the new
--history-backtrace-size=value
option for thehelgrind
tool to configure the number of entries to record in the stack traces of earlier accesses. -
The
--cache-sim=[yes|no]
cachegrind
option now defaults tono
and, as a result, only instruction cache read events are gathered by default. -
The source code for the
cg_annotate
,cg_diff
, andcg_merge
cachegrind
utilities has been rewritten and, as a result, the utilities have more flexible command line option handling. For example, they now support the--show-percs
and--no-show-percs
options as well as the existing--show-percs=yes
and--show-percs=no
options. -
The
cg_annotate
cachegrind
utility now supports diffing (using the--diff
,--mod-filename
, and--mod-funcname
options) and merging (by passing multiple data files). In addition,cg_annotate
now provides more information at the file and function level. -
A new user-request for the
DHAT
tool allows you to override the 1024 byte limit on access count histograms for blocks of memory.
The following new architecture-specific instruction sets are now supported:
64-bit ARM:
- v8.2 scalar and vector Floating-point Absolute Difference (FABD), Floating-point Absolute Compare Greater than or Equal (FACGE), Floating-point Absolute Compare Greater Than (FACGT), and Floating-point Add (FADD) instructions.
- v8.2 Floating-point (FP) compare and conditional compare instructions.
- Zero variants of v8.2 Floating-point (FP) compare instructions.
64-bit IBM Z:
-
Support for the
miscellaneous-instruction-extensions facility 3
and thevector-enhancements facility 2
. This enables programs compiled with the-march=arch13
or-march=z15
options to be executed under Valgrind.
-
Support for the
IBM Power:
- ISA 3.1 support is now complete.
- ISA 3.0 now supports the deliver a random number (darn) instruction.
- ISA 3.0 now supports the System Call Vectored (scv) instruction.
- ISA 3.0 now supports the copy, paste, and cpabort instructions.
systemtap
rebased to version 4.9
The systemtap
package has been upgraded to version 4.9. Notable changes include:
-
A new Language-Server-Protocol (LSP) backend for easier interactive drafting of
systemtap
scripts on LSP-capable editors. - Access to a Python/Jupyter interactive notebook frontend.
- Improved handling of DWARF 5 bitfields.
elfutils
rebased to version 0.189
The elfutils
package has been updated to version 0.189. Notable improvements and bug fixes include:
libelf
-
The
elf_compress
tool now supports theELFCOMPRESS_ZSTD
ELF compression type. libdwfl
-
The
dwfl_module_return_value_location
function now returns 0 (no return type) for DWARF Information Entries (DIEs) that point to aDW_TAG_unspecified_type
type tag. eu-elfcompress
-
The
-t
and--type=
options now support the Zstandard (zstd
) compression format via thezstd
argument.
libpfm
rebased to version 4.13
The libpfm
package has been updated to version 4.13. With this update, libpfm
can now access performance monitoring hardware native events for the following processor microarchitectures:
- AMD Zen 4
- ARM Neoverse N1
- ARM Neoverse N2
- ARM Neoverse V1
- ARM Neoverse V2
- 4th Generation Intel® Xeon® Scalable Processors
- IBM z16
Bugzilla:2185653, Bugzilla:2111987, Bugzilla:2111966, Bugzilla:2111973, Bugzilla:2109907, Bugzilla:2111981, Bugzilla:2047725
papi
supports new processor microarchitectures
With this enhancement, you can access performance monitoring hardware using papi
events presets on the following processor microarchitectures:
- ARM Neoverse N1
- ARM Neoverse N2
- ARM Neoverse V1
- ARM Neoverse V2
Bugzilla:2111982[1], Bugzilla:2111988
papi
now supports fast performance event count read operations for 64-bit ARM
Previously on 64-bit ARM processors, all performance event counter read operations required the use of a resource-intensive system call. papi
has been updated for 64-bit ARM to let processes monitoring themselves with the performance counters use a faster user-space read of the performance event counters. Setting the /proc/sys/kernel/perf_user_access
parameter to 1 reduces the average number of clock cycles for papi
to read 2 counters from 724 cycles to 29 cycles.
Bugzilla:2161146[1]
LLVM Toolset rebased to version 16.0.6
LLVM Toolset has been updated to version 16.0.6.
Notable enhancements include:
- Improvements to optimization
- Support for new CPU extensions
- Improved support for new C++ versions.
Notable backwards incompatible changes include:
-
Clang’s default C++ standard is now
gnu++17
instead ofgnu++14
. -
The
-Wimplicit-function-declaration
,-Wimplicit-int
and-Wincompatible-function-pointer-types
options now default to error for C code. This might affect the behavior of configure scripts.
By default, Clang 16 uses the libstdc++
library version 13 and binutils 2.40
provided by GCC Toolset 13.
For more information, see the LLVM release notes and Clang release notes.
Rust Toolset rebased to version 1.71.1
Rust Toolset has been updated to version 1.71.1. Notable changes include:
- A new implementation of multiple producer, single consumer (mpsc) channels to improve performance
-
A new Cargo
sparse
index protocol for more efficient use of thecrates.io
registry -
New
OnceCell
andOnceLock
types for one-time value initialization -
A new
C-unwind
ABI string to enable usage of forced unwinding across Foreign Function Interface (FFI) boundaries
For more details, see the series of upstream release announcements:
The Rust profiler_builtins
runtime component is now available
With this enhancement, the Rust profile_builtins
runtime component is now available. This runtime component enables the following compiler options:
-C instrument-coverage
- Enables coverage profiling
-C profile-generate
- Enables profile-guided optimization
Bugzilla:2213875[1]
Go Toolset rebased to version 1.20.10
Go Toolset has been updated to version 1.20.10.
Notable enhancements include:
-
New functions added in the
unsafe
package to handle slices and strings without depending on the internal representation. - Comparable types can now satisfy comparable constraints.
-
A new
crypto/ecdh
package. -
The
go build
andgo test
commands no longer accept the-i
flag. -
The
go generate
andgo test
commands now accept the-skip pattern
option. -
The
go build
,go install
, and other build-related commands now support the-pgo
and-cover
flags. -
The
go
command now disablescgo
by default on systems without a C toolchain. -
The
go version -m
command now supports reading more Go binaries types. -
The
go
command now disablescgo
by default on systems without a C toolchain. - Added support for collecting code coverage profiles from applications and integration tests instead of collecting them only from unit tests.
Bugzilla:2185260[1]
grafana
rebased to version 9.2.10
The grafana
package has been updated to version 9.2.10. Notable changes include:
- The time series panel is now the default visualization option, replacing the graph panel.
- Grafana provides a new Prometheus and Loki query builder.
- Grafana now includes multiple UI/UX and performance improvements.
- The license has changed from Apache 2.0 to GNU Affero General Public License (AGPL).
- The heatmap panel is now used throughout Grafana.
- Geomaps can now measure both distance and area.
- The Alertmanager is now based on Prometheus Alertmanager version 0.24.
-
Grafana Alerting rules now return an
Error
state by default on execution error or timeout. - Expressions can now be used on public dashboards.
- The join transformation now supports inner joins.
- Public dashboards now allow sharing Grafana dashboards.
- A new Prometheus streaming parser is now available as an opt-in feature.
For more information, see the upstream release notes:
grafana-pcp
rebased to version 5.1.1
The grafana-pcp
package, which provides the Performance Co-Pilot Grafana Plugin, has been updated to version 5.1.1. Notable changes include:
- Query editor: Added buttons to disable rate conversation and time utilization conversation
Redis datasource:
-
Removed the deprecated
label_values(metric, label)
function - Fixed the network error for metrics with many series (requires Performance Co-Pilot version 6 and later)
-
Removed the deprecated
-
Set the
pmproxy
API timeout to 1 minute
.NET 8.0 is available
Red Hat Enterprise Linux 8.9 is distributed with .NET version 8.0. Notable improvements include:
- Added support for the C#12 and F#8 language versions.
- Added support for building container images using the .NET Software Development Kit directly.
- Many performance improvements to the garbage collector (GC), Just-In-Time (JIT) compiler, and the base libraries.
Jira:RHELPLAN-164398[1]
4.10. Identity Management
samba
rebased to version 4.18.4
The samba
packages have been upgraded to upstream version 4.18.4, which provides bug fixes and enhancements over the previous version. The most notable changes:
- Security improvements in previous releases impacted the performance of the Server Message Block (SMB) server for high metadata workloads. This update improves the performance in this scenario.
-
The new
wbinfo --change-secret-at=<domain_controller>
command enforces the change of the trust account password on the specified domain controller. -
By default, Samba stores access control lists (ACLs) in the
security.NTACL
extended attribute of files. You can now customize the attribute name with theacl_xattr:<security_acl_name>
setting in the/etc/samba/smb.conf
file. Note that a custom extended attribute name is not a protected location assecurity.NTACL
. Consequently, users with local access to the server can be able to modify the custom attribute’s content and compromise the ACL.
Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd
, nmbd
, or winbind
services start, Samba automatically updates its tdb
database files. Red Hat does not support downgrading tdb
database files.
After updating Samba, use the testparm
utility to verify the /etc/samba/smb.conf
file.
ipa
rebased to version 4.9.12
The ipa
package has been upgraded to version 4.9.12. For more information, see the upstream FreeIPA release notes.
Multiple IdM groups and services can now be managed in a single Ansible task
With this enhancement in ansible-freeipa
, you can add, modify, and delete multiple Identity Management (IdM) user groups and services by using a single Ansible task. For that, use the groups
and services
options of the ipagroup
and ipaservice
modules.
Using the groups
option available in ipagroup
, you can specify multiple group variables that only apply to a particular group. This group is defined by the name
variable, which is the only mandatory variable for the groups
option.
Similarly, using the services
option available in ipaservice
, you can specify multiple service variables that only apply to a particular service. This service is defined by the name
variable, which is the only mandatory variable for the services
option.
Jira:RHELDOCS-16474[1]
ansible-freeipa
ipaserver
role now supports Random Serial Numbers
With this update, you can use the ipaserver_random_serial_numbers=true
option with the ansible-freeipa
ipaserver
role. This way, you can generate fully random serial numbers for certificates and requests in PKI when installing an Identity Management (IdM) server using Ansible. With RSNv3, you can avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.
RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3 on all PKI services.
Jira:RHELDOCS-16462[1]
The ipaserver_remove_on_server
and ipaserver_ignore_topology_disconnect
options are now available in the ipaserver
role
If removing a replica from an Identity Management (IdM) topology by using the remove_server_from_domain
option of the ipaserver
ansible-freeipa
role leads to a disconnected topology, you must now specify which part of the domain you want to preserve. Specifically, you must do the following:
-
Specify the
ipaserver_remove_on_server
value to identify which part of the topology you want to preserve. -
Set
ipaserver_ignore_topology_disconnect
to True.
Note that if removing a replica from IdM by using the remove_server_from_domain
option preserves a connected topology, neither of these options is required.
The ipaclient
role now allows configuring user subID ranges on the IdM level
With this update, the ipaclient
role provides the ipaclient_subid
option, using which you can configure subID ranges on the Identity Management (IdM) level. Without the new option set explicitly to true
, the ipaclient
role keeps the default behavior and installs the client without subID ranges configured for IdM users.
Previously, the role configured the sssd
authselect
profile that in turn customized the /etc/nsswitch.conf
file. The subID database did not use IdM and relied only on the local files of /etc/subuid
and /etc/subgid
.
You can now manage IdM certificates using the ipacert
Ansible module
You can now use the ansible-freeipa
ipacert
module to request or retrieve SSL certificates for Identity Management (IdM) users, hosts and services. The users, hosts and services can then use these certificates to authenticate to IdM. You can also revoke the certificates, as well as restore certificates that have been put on hold.
MIT Kerberos now supports the Extended KDC MS-PAC signature
With this update, MIT Kerberos, which is used by Red Hat, implements support for one of the two types of the Privilege Attribute Certificate (PAC) signatures introduced by Microsoft in response to recent CVEs. Specifically, MIT Kerberos in RHEL 8 supports the Extended KDC signature that was released in KB5020805 and that addresses CVE-2022-37967.
Note that because of ABI stability constraints, MIT Kerberos on RHEL8 cannot support the other PAC signature type, that is Ticket signature as defined in KB4598347.
To troubleshoot problems related to this enhancement, see the following Knowledgebase resources:
- RHEL-8.9 IdM update, web UI and CLI 401 Unauthorized with KDC S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC - user and group objects need SIDs
- find_sid_for_ldap_entry - [file ipa_sidgen_cofind_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [120000023l] into an unused SID]
- When upgrading to RHEL9, IDM users are not able to login anymore
- POSIX IDs, SIDs and IDRanges in IPA
See also BZ#2211387 and BZ#2176406.
RHEL 8.9 provides 389-ds-base
1.4.3.37
RHEL 8.9 is distributed with the 389-ds-base
package version 1.4.3.37.
New passwordAdminSkipInfoUpdate: on/off
configuration option is now available
You can add a new passwordAdminSkipInfoUpdate: on/off
setting under the cn=config
entry to provide a fine grained control over password updates performed by password administrators. When you enable this setting, password updates do not update certain attributes, for example, passwordHistory
,passwordExpirationTime
,passwordRetryCount
, pwdReset
, and passwordExpWarned
.
4.11. Graphics infrastructures
Intel Arc A-Series graphics is now fully supported
The Intel Arc A-Series graphics (Alchemist or DG2) feature, previously available as a Technology Preview, is now fully supported. Intel Arc A-Series graphics is a GPU that enables hardware acceleration, mostly used in PC gaming.
With this release, you no longer have to set the i915.force_probe
kernel option, and full support for these GPUs is enabled by default.
Bugzilla:2041686[1]
4.12. The web console
Podman health check action is now available
You can select one of the following Podman health check actions when creating a new container:
- No action (default): Take no action.
- Restart: Restart the container.
- Stop: Stop the container.
- Force stop: Force stops the container, it does not wait for the container to exit.
Jira:RHELDOCS-16247[1]
Accounts page updates for the web console
This update introduces the following updates to the Accounts page:
- It is now possible to add custom user ID and define home directory and shell during the account creation process.
- When creating an account, password validation actively performs a check on every keystroke. Additionally, weak passwords are now shown with a warning.
- Account detail pages now show the home directory and shell for an account.
- It is possible to change shell from the account details page.
Jira:RHELDOCS-16367[1]
4.13. Red Hat Enterprise Linux system roles
The postgresql
RHEL system role is now available
The new postgresql
RHEL system role installs, configures, manages, and starts the PostgreSQL
server. The role also optimizes the database server settings to improve performance.
The role supports the currently released and supported versions of PostgreSQL
on RHEL 8 and RHEL 9 managed nodes.
For more information, see Installing and configuring PostgreSQL by using the postgresql RHEL system role.
keylime_server
RHEL system role
With the new keylime_server
RHEL system role, you can use Ansible playbooks to configure the verifier and registrar Keylime components on RHEL 9 systems. Keylime is a remote machine attestation tool that uses the trusted platform module (TPM) technology.
Support for new ha_cluster
system role features
The ha_cluster
system role now supports the following features:
- Configuration of resource and resource operation defaults, including multiple sets of defaults with rules.
- Loading and blocking of SBD watchdog kernel modules. This makes installed hardware watchdogs available to the cluster.
-
Assignment of distinct passwords to the cluster hosts and the quorum device. With that, you can configure a deployment where the same quorum hosts are joined to multiple, separate clusters, and the passwords of the
hacluster
user on these clusters are different.
For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster
RHEL system role.
Bugzilla:2190483, Bugzilla:2190478, Bugzilla:2216485
storage
system role supports configuring the stripe size for RAID LVM volumes
With this update, you can now specify a custom stripe size when creating RAID LVM devices. For better performance, use the custom stripe size for SAP HANA. The recommended stripe size for RAID LVM volumes is 64 KB.
podman
RHEL system role now supports Quadlets, healthchecks, and secrets
Starting with Podman 4.6, you can use the podman_quadlet_specs
variable in the podman
RHEL system role. You can define a Quadlet by specifying a unit file, or in the inventory by a name, a type of unit, and a specification. Types of a unit can be the following: container
, kube
, network
, and volume
. Note that Quadlets work only with root containers on RHEL 8. Quadlets work with rootless containers on RHEL 9.
The healthchecks are supported only for Quadlet Container types. In the [Container]
section, specify the HealthCmd
field to define the healthcheck command and HealthOnFailure
field to define the action when a container is unhealthy. Possible options are none
, kill
, restart
, and stop
.
You can use the podman_secrets
variable to manage secrets. For details, see upstream documentation.
Jira:RHELPLAN-154440[1]
RHEL system roles now have new volume options for mount point customization
With this update, you can now specify mount_user
, mount_group
, and mount_permissions
parameters for your mount directory.
kdump
RHEL system role updates
The kdump
RHEL system role has been updated to a newer version, which brings the following notable enhancements:
-
After installing
kexec-tools
, the utility suite no longer generates the/etc/sysconfig/kdump
file because you do not need to manage this file anymore. -
The role supports the
auto_reset_crashkernel
anddracut_args
variables.
For more details, see resources in the /usr/share/doc/rhel-system-roles/kdump/
directory.
The ad_integration
RHEL system role can now rejoin an AD domain
With this update, you can now use the ad_integration
RHEL system role to rejoin an Active Directory (AD) domain. To do this, set the ad_integration_force_rejoin
variable to true
. If the realm_list
output shows that host is already in an AD domain, it will leave the existing domain before rejoining it.
The rhc
system role now supports setting a proxy server type
The newly introduced attribute scheme
under the rhc_proxy
parameter enables you to configure the proxy server type by using the rhc
system role. You can set two values: http
, the default and https
.
New option in the ssh
role to disable configuration backups
You can now prevent old configuration files from being backed up before they are overwritten by setting the new ssh_backup
option to false
. Previously, backup configuration files were created automatically, which might be unnecessary. The default value of the ssh_backup
option is true
, which preserves the original behavior.
The certificate
RHEL system role now allows changing certificate file mode when using certmonger
Previously, certificates created by the certificate
RHEL system role with the certmonger
provider used a default file mode. However, in some use-cases you might require a more restrictive mode. With this update, you can now set a different certificate and a key file mode using the mode
parameter.
New RHEL system role for managing systemd
units
The rhel-system-role
package now contains the systemd
RHEL system role. You can use this role to deploy unit files and manage systemd
units on multiple systems. You can automate systemd
functionality by providing systemd
unit files and templates, and by specifying the state of those units, such as started, stopped, masked and other.
The network
RHEL system role supports the no-aaaa
DNS option
You can now use the no-aaaa
option to configure DNS settings on managed nodes. Previously, there was no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo
; only DNS lookups were affected. With this enhancement, you can now suppress AAAA queries generated by the stub resolver.
The network
RHEL system role supports the auto-dns
option to control automatic DNS record updates
This enhancement provides support for defined name servers and search domains. You can now use only the name servers and search domains specified in dns
and dns_search
properties while disabling automatically configured name servers and search domains such as dns record
from DHCP. With this enhancement, you can disable automatically auto dns record by changing the auto-dns
settings.
firewall
RHEL system role supports variables related to ipsets
With this update of the firewall
RHEL system role, you can define, modify, and delete ipsets
. Also, you can add and remove those ipsets
from firewall zones. Alternatively, you can use those ipsets
when defining firewall rich rules.
You can manage ipsets
with the firewall
RHEL system role using the following variables:
-
ipset
-
ipset_type
-
ipset_entries
-
short
-
description
-
state: present
orstate: absent
-
permanent: true
The following are some notable benefits of this enhancement:
- You can reduce the complexity of the rich rules that define rules for many IP addresses.
- You can add or remove IP addresses from sets as needed without modifying multiple rules.
For more details, see resources in the /usr/share/doc/rhel-system-roles/firewall/
directory.
Improved performance of the selinux
system role with restorecon -T 0
The selinux
system role now uses the -T 0
option with the restorecon
command in all applicable cases. This improves the performance of tasks that restore default SELinux security contexts on files.
The firewall
RHEL system role has an option to disable conflicting services, and it no longer fails if firewalld
is masked
Previously, the firewall
system role failed when the firewalld
service was masked on the role run or in the presence of conflicting services. This update brings two notable enhancements:
The linux-system-roles.firewall
role always attempts to install, unmask, and enable the firewalld
service on role run. You can now add a new variable firewall_disable_conflicting_services
to your playbook to disable known conflicting services, for example, iptables.service
, nftables.service
, and ufw.service
. The firewall_disable_conflicting_services
variable is set to false
by default. To disable conflicting services, set the variable to true
.
The podman
RHEL system role now uses getsubids
to get subuids and subgids
The podman
RHEL system role now uses the getsubids
command to get the subuid and subgid ranges for a user and group, respectively. The podman
RHEL system role also uses this command to verify users and groups to work with identity management.
Jira:RHEL-866[1]
The podman_kube_specs
variable now supports pull_image
and continue_if_pull_fails
fields
The podman_kube_specs
variable now supports new fields:
-
pull_image
: ensures the image is pulled before use. The default value istrue
. Usefalse
if you have some other mechanism to ensure the images are present on the system and you do not want to pull the images. -
continue_if_pull_fails
: If pulling image fails, it is not treated as a fatal error, and continues with the role. The default isfalse
. Usetrue
if you have some other mechanism to ensure the correct images are present on the system.
Jira:RHEL-858[1]
Resetting the firewall
RHEL system role configuration now requires minimal downtime
Previously, when you reset the firewall
role configuration by using the previous: replaced
variable, the firewalld
service restarted. Restarting adds downtime and prolongs the period of an open connection in which firewalld
does not block traffic from active connections. With this enhancement, the firewalld
service completes the configuration reset by reloading instead of restarting. Reloading minimizes the downtime and reduces the opportunity to bypass firewall rules. As a result, using the previous: replaced
variable to reset the firewall
role configuration now requires minimal downtime.
4.14. RHEL in cloud environments
cloud-init supports NetworkManager keyfiles
With this update, the cloud-init
utility can use a NetworkManager (NM) keyfile to configure the network of the created cloud instance.
Note that by default, cloud-init
still uses the sysconfig
method for network setup. To configure cloud-init
to use a NM keyfile instead, edit the /etc/cloud/cloud.cfg
and set network-manager
as the primary network renderer:
# cat /etc/cloud/cloud.cfg network: renderers: ['network-manager', 'eni', 'netplan', 'sysconfig', 'networkd']
Bugzilla:2219528[1]
cloud-init
now uses VMware datasources by default on ESXi
When creating RHEL virtual machines (VMs) on a host that uses the VMware ESXi hypervisor, such as the VMware vSphere cloud platform. This improves the performance and stability of creating an ESXi instance of RHEL by using cloud-init
. Note, however, that ESXi is still compatible with Open Virtualization Format (OVF) datasources, and you can use an OVF datasource if a VMware one is not available.
Bugzilla:2230777[1]
4.15. Supportability
sos
rebased to version 4.6
The sos
utility, for collecting configuration, diagnostic, and troubleshooting data, has been rebased to version 4.6. This update provides the following enhancements:
-
sos
reports now include the contents of both/boot/grub2/custom.cfg
and/boot/grub2/user.cfg
files that might contain critical information for troubleshooting boot issues. (BZ#2213951) -
The
sos
plugin for OVN-Kubernetes collects additional logs for the interconnect environment. With this update,sos
also collects logs from theovnkube-controller
container when bothovnkube-node
andovnkube-controller
containers are merged into one.
In addition, notable bug fixes include:
-
sos
now correctly gatherscgroup
data in the OpenShift Container Platform 4 environment (BZ#2186361). -
While collecting
sos
reports with thesudo
plugin enabled,sos
now removes thebindpw
option properly. (BZ#2143272) -
The
subscription_manager
plugin no longer collects proxy usernames and passwords from the/var/lib/rhsm/
path. (BZ#2177282) -
The
virsh
plugin no longer collects the SPICE remote-display passwords in virt-manager logs, which preventssos
from disclosing passwords in its reports. (BZ#2184062) sos
now masks usernames and passwords previously displayed in the/var/lib/iscsi/nodes/<IQN>/<PortalIP>/default
file.ImportantThe generated archive might contain data considered sensitive. Thus, you should always review the content before passing it to any third party.
(BZ#2187859)
-
sos
completes the tailed log collection even when the size of the log file is exceeded and when a plugin times out. (BZ#2203141) -
When entering the
sos collect
command on a Pacemaker cluster node,sos
collects an sos report from the same cluster node. (BZ#2186460) -
When collecting data from a host in the OpenShift Container Platform 4 environment,
sos
now uses thesysroot
path, which ensures that only the correct data are assembled. (BZ#2075720) -
The
sos report --clean
command obfuscates all MAC addresses as intended. (BZ#2207562) -
Disabling the
hpssm
plugin no longer raises exceptions. (BZ#2216608) -
The
sos clean
command follows permissions of sanitized files. (BZ#2218279)
For details on each release of sos
, see upstream release notes.
Jira:RHELPLAN-156196[1]
4.16. Containers
Podman supports pulling and pushing images compressed with zstd
You can pull and push images compressed with the zstd
format. The zstd compression is more efficient and faster than gzip. It can reduce the amount of network traffic and storage involved in pulling and pushing the image.
Jira:RHELPLAN-154313[1]
Quadlet in Podman is now available
Beginning with Podman v4.6, you can use Quadlet to automatically generate a systemd
service file from a container description. The Quadlets might be easier to use than the podman generate systemd
command because the description focuses on the relevant container details and without the technical complexity of running containers under systemd
. Note that Quadlets work only with rootful containers.
For more details, see the Quadlet upstream documentation and the Make systemd better for Podman with Quadlet article.
Jira:RHELPLAN-154431[1]
The Container Tools packages have been updated
The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. This update applies a series of bug fixes and enhancements over the previous version.
Notable changes in Podman v4.6 include:
-
The
podman kube play
command now supports the--configmap=<path>
option to provide Kubernetes YAML file with environment variables used within the containers of the pod. -
The
podman kube play
command now supports multiple Kubernetes YAML files for the--configmap
option. -
The
podman kube play
command now supports containerPort names and port numbers within liveness probes. -
The
podman kube play
command now adds the ctrName as an alias to the pod network. -
The
podman kube play
andpodman kube generate
commands now support SELinux filetype labels and ulimit annotations. -
A new command,
podman secret exists
, has been added, which verifies if a secret with the given name exists. -
The
podman create
,podman run
,podman pod create
, andpodman pod clone
commands now support a new option,--shm-size-systemd
, which allows limiting tmpfs sizes for systemd-specific mounts. -
The
podman create
and podman run commands now support a new option,--security-opt label=nested
, which allows SELinux labeling within a confined container. - Podman now supports auto updates for containers running inside a pod.
-
Podman can now use an SQLite database as a backend for increased stability. The default remains the BoltDB database. You can select the database by setting the
database_backend
field in thecontainers.conf
file. -
Podman now supports Quadlets to automatically generate a
systemd
service file from the container description. The description focuses on the relevant container details and hides the technical complexity of running containers undersystemd
.
For further information about notable changes, see upstream release notes.
Jira:RHELPLAN-154443[1]
Podman now supports a Podmansh login shell
Beginning with Podman v4.6, you can use the Podmansh
login shell to manage user access and control. To switch to CGroups v2, add systemd.unified_cgroup_hierarchy=1
to the kernel command line. Configure the settings for a user to use the /usr/bin/podmansh
command as a login shell instead of a standard shell command, for example, /usr/bin/bash
. When a user logs into a system setup, the podmansh
command runs the user’s session in a Podman container named podmansh
. Containers into which users log in are defined using the Quadlet files, which are created in the /etc/containers/systemd/users/
directory. In these files, set the ContainerName
field in the [Container]
section to podmansh
. Systemd automatically starts podmansh
when the user session starts and continues running until all user sessions exit.
For more information, see Podman v4.6.0 Introduces Podmansh: A Revolutionary Login Shell.
Jira:RHELPLAN-163002[1]
Clients for sigstore signatures with Fulcio and Rekor are now available
With Fulcio and Rekor servers, you can now create signatures by using short-term certificates based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private key. Clients for sigstore signatures with Fulcio and Rekor, previously available as a Technology Preview, are now fully supported. This added functionality is the client side support only, and does not include either the Fulcio or Rekor servers.
Add the fulcio
section in the policy.json
file. To sign container images, use the podman push --sign-by-sigstore=file.yml
or skopeo copy --sign-by-sigstore=file.yml
commands, where file.yml
is the sigstore signing parameter file.
To verify signatures, add the fulcio
section and the rekorPublicKeyPath
or rekorPublicKeyData
fields in the policy.json
file. For more information, see containers-policy.json
man page.
Jira:RHELPLAN-160659[1]