Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.1.
4.1. Installer and image creation
Automatic FCP SCSI LUN scanning support in installer
The installer can now use automatic LUN scanning when attaching FCP SCSI LUNs on IBM Z systems. Automatic LUN scanning is available for FCP devices operating in NPIV mode, if it is not disabled through the zfcp.allow_lun_scan kernel module parameter. It is enabled by default. It provides access to all SCSI devices found in the storage area network attached to the FCP device with the specified device bus ID. It is no longer necessary to specify the WWPN and FCP LUNs; it is sufficient to provide just the FCP device bus ID.
(BZ#1937031)
Image builder on-premise now supports the /boot partition customization
The on-premise version of image builder now supports building images with a custom /boot mount point partition size. You can specify the size of the /boot mount point partition in the blueprint customization, to increase the size of the /boot partition in case the default boot partition size is too small. For example:
[[customizations.filesystem]]
mountpoint = "/boot"
size = "20 GiB"
(JIRA:RHELPLAN-130379)
Added the --allow-ssh kickstart option to enable password-based SSH root logins
During the graphical installation, you have an option to enable password-based SSH root logins. This functionality was not available in kickstart installations. With this update, the --allow-ssh option has been added to the rootpw kickstart command. This option enables the root user to log in to the system using SSH with a password. Password-based root logins over SSH widen the attack surface of the installed system, so leave the option unset unless the deployment needs it.
Boot loader menu hidden by default
The GRUB boot loader is now configured to hide the boot menu by default. This results in a smoother boot experience. The boot menu is hidden in all of the following cases:
- When you restart the system from the desktop environment or the login screen.
- During the first system boot after the installation.
- When the greenboot package is installed and enabled.
If the previous system boot failed, GRUB always displays the boot menu during the next boot.
To access the boot menu manually, use any of the following options:
- Repeatedly press Esc during boot.
- Repeatedly press F8 during boot.
- Hold Shift during boot.
To disable this feature and configure the boot loader menu to display by default, use the following command:
# grub2-editenv - unset menu_auto_hide
(BZ#2059414)
Minimal RHEL installation now installs only the s390utils-core package
In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base using a kickstart file.
(BZ#1932480)
Image builder on-premise now supports uploading images to GCP
With this enhancement, you can use the image builder CLI to build a gce image, providing credentials for the user or service account that you want to use to upload the images. As a result, image builder creates the image and then uploads the gce image directly to the GCP environment that you specified.
Image builder on-premise CLI supports pushing a container image directly to a registry
With this enhancement, you can push RHEL for Edge container images directly to a container registry after they have been built, using the image builder CLI. To build the container image:
- Set up an upload provider and optionally, add credentials.
- Build the container image, passing the container registry and the repository to composer-cli as arguments.
After the image is ready, it is available in the container registry you set up.
(JIRA:RHELPLAN-130376)
Image builder on-premise users now customize their blueprints during the image creation process
With this update, the Edit Blueprint page was removed to unify the user experience in the image builder service and in the image builder app in cockpit-composer. Users can now create their blueprints and add their customizations, such as packages and users, during the image creation process. The versioning of blueprints has also been removed so that blueprints only have one version: the current one. Users have access to older blueprint versions through their already created images.
(JIRA:RHELPLAN-122735)
4.2. RHEL for Edge
RHEL for Edge now supports the fdo-admin CLI utility
With this update, you can configure the FDO services directly across all deployment scenarios by using the CLI.
Run the following commands to generate the certificates and keys for the services. This example assumes that you have already installed the fdo-admin-cli RPM package. If you built the tool from source, the path is ./target/debug/fdo-admin-tool or ./target/release/fdo-admin-tool, depending on your build profile.
$ mkdir keys
$ for i in "diun" "manufacturer" "device_ca" "owner"; do fdo-admin-tool generate-key-and-cert $i; done
$ ls keys
device_ca_cert.pem device_ca_key.der diun_cert.pem diun_key.der manufacturer_cert.pem manufacturer_key.der owner_cert.pem owner_key.der
As a result, after you install and start the service, it runs with the default settings.
(JIRA:RHELPLAN-122776)
4.3. Subscription management
The subscription-manager utility displays the current status of actions
The subscription-manager utility now displays progress information while it is processing the current operation. This is helpful when subscription-manager takes more time than usual to complete operations that involve server communication, for example, registration.
To revert to the previous behavior, enter:
# subscription-manager config --rhsm.progress_messages=0
4.4. Software management
The modulesync command is now available to replace certain workflows in RHEL 9
In RHEL 9, modular packages cannot be installed without modular metadata. Previously, you could use the dnf command to download packages, and then use the createrepo_c command to redistribute those packages.
This enhancement introduces the modulesync command to ensure the presence of modular metadata, which ensures package installability. This command downloads RPM packages from modules and creates a repository with modular metadata in a working directory.
(BZ#2066646)
4.5. Shells and command-line tools
Cronie adds support for a randomized time within a selected range
The Cronie utility now supports the ~ (random within range) operator for cron job execution. As a result, you can start a cron job at a randomized time within the selected range.
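To see what a schedule that uses the ~ operator resolves to, here is an added example in Python (not Cronie's code) that expands the five crontab fields and picks the random value for each a~b or bare ~ entry with a seeded generator. It implements only the range form the note describes; combining ~ with a /step is rejected rather than guessed. A typical use is spreading fleet-wide jobs such as integrity scans so that they do not all start in the same minute.

```python
"""Expand crontab schedule fields, including Cronie's '~' (random in range).

Added example, not Cronie's implementation. 'a~b' resolves to one random
value between a and b inclusive, a bare '~' to one random value anywhere in
the field's range (as in the note above); '~' combined with a '/step' is
rejected because its semantics are not described here. A seeded generator
makes the choice reproducible for testing.
"""
import random

# (name, minimum, maximum) for the five standard crontab fields.
FIELD_RANGES = (
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day_of_month", 1, 31),
    ("month", 1, 12),
    ("day_of_week", 0, 7),
)


def resolve_field(spec, lo, hi, rng):
    """Return the sorted list of values one cron field expands to."""
    values = set()
    for item in spec.split(","):
        step = 1
        if "/" in item:
            item, step_text = item.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {spec!r}")
        if "~" in item:
            if step != 1:
                raise ValueError(f"'~' with a step is not supported: {spec!r}")
            a, b = item.split("~", 1)
            start = int(a) if a else lo
            end = int(b) if b else hi
            if not lo <= start <= end <= hi:
                raise ValueError(f"random range {item!r} outside {lo}-{hi}")
            # The randomized choice happens once, when the crontab is loaded.
            start = end = rng.randint(start, end)
        elif item == "*":
            start, end = lo, hi
        elif "-" in item:
            a, b = item.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(item)
        if not lo <= start <= end <= hi:
            raise ValueError(f"{item!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def resolve_schedule(schedule, seed=None):
    """Expand the five fields of a crontab schedule into concrete values."""
    fields = schedule.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields")
    rng = random.Random(seed)
    return {name: resolve_field(spec, lo, hi, rng)
            for spec, (name, lo, hi) in zip(fields, FIELD_RANGES)}


if __name__ == "__main__":
    # Constructed crontab schedule: some time between 02:00 and 04:59 daily.
    print(resolve_schedule("0~59 2~4 * * *", seed=2024))
```

Cronie itself makes the random choice when it loads the crontab, so a job keeps the same randomized time until the crontab is reloaded; the seed here only stands in for that one-time choice.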
ReaR adds new variables for executing commands before and after recovery
With this enhancement, ReaR introduces two new variables for easier automation of commands to be executed before and after recovery:
- PRE_RECOVERY_COMMANDS accepts an array of commands. These commands will be executed before recovery starts.
- POST_RECOVERY_COMMANDS accepts an array of commands. These commands will be executed after recovery finishes.
These variables are an alternative to PRE_RECOVERY_SCRIPT and POST_RECOVERY_SCRIPT with the following differences:
- The earlier PRE_RECOVERY_SCRIPT and POST_RECOVERY_SCRIPT variables accept a single shell command. To pass multiple commands to these variables, you must separate the commands by semicolons.
- The new PRE_RECOVERY_COMMANDS and POST_RECOVERY_COMMANDS variables accept arrays of commands, and each element of the array is executed as a separate command.
As a result, providing multiple commands to be executed in the rescue system before and after recovery is now easier and less error-prone.
For more information, see the default.conf file.
A new package: xmlstarlet
XMLStarlet is a set of command-line utilities for parsing, transforming, querying, validating, and editing XML files. The new xmlstarlet package provides a simple set of shell commands that you can use in a similar way as you use UNIX commands for plain text files such as grep, sed, awk, diff, patch, join, and others.
(BZ#2069689)
opencryptoki rebased to version 3.18.0
The opencryptoki package, which is an implementation of the Public-Key Cryptography Standard (PKCS) #11, has been updated to version 3.18.0. Notable improvements include:
- Default to Federal Information Processing Standards (FIPS) compliant token data format (tokversion = 3.12).
- Added support for restricting usage of mechanisms and keys with a global policy.
- Added support for statistics counting of mechanism usage.
- The ICA/EP11 tokens now support libica library version 4.
- The p11sak tool enables setting different attributes for public and private keys.
- C_GetMechanismList no longer returns CKR_BUFFER_TOO_SMALL in the EP11 token.
openCryptoki supports two different token data formats:
- the earlier data format, which uses non-FIPS-approved algorithms (such as DES and SHA1)
- the new data format, which uses FIPS-approved algorithms only.
The earlier data format no longer works because the FIPS provider allows the use of only FIPS-approved algorithms.
To make openCryptoki work on RHEL 9, migrate the tokens to use the new data format before enabling FIPS mode on the system. This is necessary because the earlier data format is still the default in openCryptoki 3.17. Existing openCryptoki installations that use the earlier token data format will no longer function when the system is changed to FIPS-enabled.
You can migrate the tokens to the new data format by using the pkcstok_migrate utility, which is provided with openCryptoki. Note that pkcstok_migrate uses non-FIPS-approved algorithms during the migration. Therefore, use this tool before enabling FIPS mode on the system. For additional information, see Migrating to FIPS compliance - pkcstok_migrate utility.
(BZ#2044179)
powerpc-utils rebased to version 1.3.10
The powerpc-utils package, which provides various utilities for a PowerPC platform, has been updated to version 1.3.10. Notable improvements include:
- Added the capability to parse the Power architecture platform reference (PAPR) information for energy and frequency in the ppc64_cpu tool.
- Improved the lparstat utility to display enhanced error messages when the lparstat -E command fails on max config systems. The lparstat command reports logical partition-related information.
- Fixed reported online memory in legacy format in the lparstat command.
- Added support for the acc command for changing the quality of service (QoS) credits dynamically for the NX GZIP accelerator.
- Added improvements to format specifiers in printf() and sprintf() calls.
- The hcnmgr utility, which provides the HMC tools to hybrid virtual network, includes the following enhancements:
  - Added the wicked feature to the Hybrid Network Virtualization (HNV) FEATURE list. The hcnmgr utility supports wicked hybrid network virtualization (HNV) to use the wicked functions for bonding.
  - hcnmgr maintains an hcnid state for later cleanup.
  - hcnmgr excludes NetworkManager (NM) nmcli code.
  - The NM HNV primary slave setting was fixed.
  - hcnmgr supports the virtual Network Interface Controller (vNIC) as a backup device.
- Added the
- Fixed the invalid hexadecimal numbering system message in bootlist.
- The -l flag of the kpartx utility is included as the -p delimiter value in the bootlist command.
- Fixes added to the sslot utility to prevent a memory leak when listing IO slots.
- Added the DRC type description strings for the latest peripheral component interconnect express (PCIe) slot types in the lsslot utility.
- Fixed the invalid config address to RTAS in the errinjct tool.
- Added support for non-volatile memory over fabrics (NVMf) devices in the ofpathname utility. The utility provides a mechanism for converting a logical device name to an open firmware device path and the other way round.
- Added fixes to the non-volatile memory (NVMe) support in asymmetric namespace access (ANA) mode in the ofpathname utility.
- Installed the smt.state file as a configuration file.
(BZ#1920964)
The Redfish modules are now part of the redhat.rhel_mgmt Ansible collection
The redhat.rhel_mgmt Ansible collection now includes the following modules:
- redfish_info
- redfish_command
- redfish_config
With these modules, users can automate server management over Redfish: retrieve server health status, get information about hardware and firmware inventory, perform power management, change BIOS settings, configure Out-Of-Band (OOB) controllers, configure hardware RAID, and perform firmware updates.
libvpd rebased to version 2.2.9
The libvpd package, which contains classes for accessing the Vital Product Data (VPD), has been updated to version 2.2.9. Notable improvements include:
- Fixed database locking
- Updated libtool utility version information
(BZ#2051288)
lsvpd rebased to version 1.7.14
The lsvpd package, which provides commands for constituting a hardware inventory system, has been updated to version 1.7.14. With this update, the lsvpd utility prevents corruption of the database file when you run the vpdupdate command.
(BZ#2051289)
ppc64-diag rebased to version 2.7.8
The ppc64-diag package for platform diagnostics has been updated to version 2.7.8. Notable improvements include:
- Updated build dependency to use libvpd utility version 2.2.9 or higher
- Fixed extract_opal_dump error message on unsupported platform
- Fixed build warning with GCC-8.5 and GCC-11 compilers
(BZ#2051286)
sysctl introduces the same argument syntax as systemd-sysctl
The sysctl utility from the procps-ng package, which you can use to modify kernel parameters at runtime, now uses the same syntax for arguments as the systemd-sysctl utility. With this update, sysctl now parses configuration files that contain hyphens (-) or globs (*) on configuration lines: a leading hyphen marks a setting whose failure to apply is not treated as an error, and a glob in the key applies the value to every matching key. For more information about the systemd-sysctl syntax, see the sysctl.d(5) man page.
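The two syntax additions in practice, as an added example in Python (not the procps-ng or systemd code): a parser for sysctl.d(5)-style lines that handles the leading hyphen and the glob, and a resolver that applies them the way systemd-sysctl does, where an explicit key always wins over a glob match. The set of existing keys and the drop-in file are constructed inline so the example runs offline; on a host you would build the key set from /proc/sys.

```python
"""Parse and resolve sysctl.d(5)-style settings with '-' prefixes and '*' globs.

Added example; this is neither the procps-ng nor the systemd implementation.
It models the syntax the note describes: a key prefixed with '-' may be
missing without that being an error, a key containing '*' is applied to every
existing key it matches, and an explicit key overrides a glob match whatever
the order in the file (systemd-sysctl behaviour, assumed here for sysctl).
"""
import fnmatch


def normalize_key(key):
    """Return the key in /proc/sys path form, using '/' as the separator.

    sysctl.d(5): if the first separator is '/', the key is used as is; if it
    is '.', dots and slashes are swapped, so 'net.ipv4.conf.enp1s0/200.rp_filter'
    denotes the interface enp1s0.200.
    """
    dot, slash = key.find("."), key.find("/")
    if dot != -1 and (slash == -1 or dot < slash):
        key = key.translate(str.maketrans("./", "/."))
    return key.strip("/")


def parse_sysctl_conf(text):
    """Return [(key_path, value, ignore_missing)] in file order."""
    settings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        ignore_missing = key.startswith("-")
        if ignore_missing:
            key = key[1:].strip()
        settings.append((normalize_key(key), value, ignore_missing))
    return settings


def apply_settings(settings, existing_keys):
    """Resolve settings against the keys present on the system.

    Returns (applied, errors): applied maps key path -> value to write,
    errors lists explicit keys that do not exist and lack the '-' prefix.
    Globs are expanded first so that explicit keys override them.
    """
    applied, errors = {}, []
    for pattern, value, _ in settings:
        if "*" in pattern:
            for key in fnmatch.filter(sorted(existing_keys), pattern):
                applied[key] = value
    for key, value, ignore_missing in settings:
        if "*" in key:
            continue
        if key in existing_keys:
            applied[key] = value
        elif not ignore_missing:
            errors.append(f"cannot set {key}: no such key")
    return applied, errors


def resolve(text, existing_keys):
    """Convenience wrapper: parse, then apply."""
    return apply_settings(parse_sysctl_conf(text), existing_keys)


# Constructed subset of /proc/sys keys as they might exist on a host.
EXISTING_KEYS = {
    "net/ipv4/conf/all/rp_filter",
    "net/ipv4/conf/eth0/rp_filter",
    "net/ipv4/conf/eth0.100/rp_filter",
    "kernel/kptr_restrict",
}

# Constructed drop-in, as it might appear in /etc/sysctl.d/90-hardening.conf.
SAMPLE_CONF = """\
# strict reverse-path filtering everywhere, then relax it on one VLAN
net.ipv4.conf.*.rp_filter = 1
net/ipv4/conf/eth0.100/rp_filter = 0
# hide kernel pointers; the '-' keeps a missing key from being an error
-kernel.kptr_restrict = 2
-kernel.no_such_knob = 1
kernel.another_missing_knob = 1
"""

if __name__ == "__main__":
    applied, errors = resolve(SAMPLE_CONF, EXISTING_KEYS)
    for key, value in sorted(applied.items()):
        print(f"{key} = {value}")
    for message in errors:
        print("error:", message)
```

The explicit eth0.100 line wins over the glob even though the glob comes first in the file; the unprefixed missing key is the only error, which is the case that makes a hardening drop-in fail on a kernel that lacks the knob.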
Updated systemd-udevd assigns consistent network device names to InfiniBand interfaces
Introduced in RHEL 9, the new version of the systemd package contains the updated systemd-udevd device manager. The device manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd.
You can define custom naming rules for naming InfiniBand interfaces by following the Renaming IPoIB devices procedure.
For more details of the naming scheme, see the systemd.net-naming-scheme(7) man page.
4.6. Infrastructure services
chrony now uses DHCPv6 NTP servers
The NetworkManager dispatcher script for chrony updates the Network Time Protocol (NTP) sources passed from Dynamic Host Configuration Protocol (DHCP) options. Since RHEL 9.1, the script uses NTP servers provided by DHCPv6 in addition to DHCPv4. The servers are taken from DHCPv6 option 56 (NTP server) and from DHCPv4 option 42, which is DHCPv4-specific.
chrony rebased to version 4.2
The chrony suite has been updated to version 4.2. Notable enhancements over version 4.1 include:
- The server interleaved mode has been improved to be more reliable and supports multiple clients behind a single address translator (Network Address Translation - NAT).
- Experimental support for the Network Time Protocol Version 4 (NTPv4) extension field has been added to improve time synchronization stability and precision of estimated errors. You can enable this field, which extends the capabilities of the protocol NTPv4, by using the extfield F323 option.
- Experimental support for NTP forwarding over the Precision Time Protocol (PTP) has been added to enable full hardware timestamping on Network Interface Cards (NIC) that have timestamping limited to PTP packets. You can enable NTP over PTP by using the ptpport 319 directive.
unbound rebased to version 1.16.2
The unbound component has been updated to version 1.16.2. unbound is a validating, recursive, and caching DNS resolver. Notable improvements include:
- With the ZONEMD Zone Verification support (RFC 8976), recipients can now verify the zone contents for data integrity and origin authenticity.
- With unbound, you can now configure persistent TCP connections.
- The SVCB and HTTPS types and their handling according to the Service Binding and Parameter Specification via the DNS (draft-ietf-dnsop-svcb-https) document were added.
- unbound takes the default TLS ciphers from crypto policies.
- You can use the Special-Use Domain home.arpa. according to RFC 8375. This domain is designated for non-unique use in residential home networks.
- unbound now supports selective enabling of tcp-upstream queries for stub or forward zones.
- The default of the aggressive-nsec option is now yes.
- The ratelimit logic was updated.
- You can use the new rpz-signal-nxdomain-ra option for unsetting the RA flag when a query is blocked by an Unbound response policy zone (RPZ) nxdomain reply.
- With the basic support for Extended DNS Errors (EDE) according to RFC 8914, you can benefit from additional error information.
The password hashing function is now available in whois
The whois package now provides the /usr/bin/mkpasswd binary, which you can use to hash a password by using the crypt C library interface.
frr rebased to version 8.2.2
The frr package for managing the dynamic routing stack has been updated to version 8.2.2. Notable changes and enhancements over version 8.0 include:
- Added Ethernet VPN (EVPN) route type-5 gateway IP Overlay Index.
- Added Autonomous system border router (ASBR) summarization in the Open Shortest Path First (OSPFv3) protocol.
- Improved usage of stub and not-so-stubby areas (NSSA) in OSPFv3.
- Added the graceful restart capability in OSPFv2 and OSPFv3.
- The link bandwidth in the Border Gateway Protocol (BGP) is now encoded according to the IEEE 754 standard. To use the previous encoding method, run the neighbor PEER disable-link-bw-encoding-ieee command in the existing configuration.
- Added the long-lived graceful restart capability in BGP.
- Implemented the extended administrative shutdown communication (RFC 9003) and the extended optional parameters length (RFC 9072) in BGP.
TuneD real-time profiles now auto determine initial CPU isolation setup
TuneD is a service for monitoring your system and optimizing the performance profile. You can also isolate central processing units (CPUs) using the tuned-profiles-realtime package to give application threads the most execution time possible.
Previously, the real-time profiles for systems running the real-time kernel did not load if you did not specify the list of CPUs to isolate in the isolated_cores parameter.
With this enhancement, TuneD introduces the calc_isolated_cores built-in function that automatically calculates housekeeping and isolated cores lists, and applies the calculation to the isolated_cores parameter. With the automatic preset, one core from each socket is reserved for housekeeping, and you can start using the real-time profile without any additional steps. If you want to change the preset, customize the isolated_cores parameter by specifying the list of CPUs to isolate.
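What the automatic preset computes, as an added example in Python (not TuneD's calc_isolated_cores): keep the lowest-numbered CPU of each socket for housekeeping, isolate the rest, and format the result as the range list the isolated_cores variable expects. The topology is passed in as a constructed CPU-to-socket map; read_topology() shows how to take it from sysfs on a real host. SMT siblings are not grouped here (SMT off is assumed), which TuneD does handle.

```python
"""Derive a tuned isolated_cores value: one housekeeping core per socket.

Added example, not TuneD's calc_isolated_cores. The CPU topology is a plain
{cpu_id: socket_id} mapping; SAMPLE_TOPOLOGY is constructed, and
read_topology() builds the same mapping from sysfs on a Linux host. SMT
siblings are not grouped (SMT off is assumed).
"""
import os


def read_topology(sysfs="/sys/devices/system/cpu"):
    """Return {cpu_id: socket_id} for every online CPU under sysfs."""
    topology = {}
    for entry in os.listdir(sysfs):
        if not (entry.startswith("cpu") and entry[3:].isdigit()):
            continue
        path = os.path.join(sysfs, entry, "topology", "physical_package_id")
        try:
            with open(path) as f:
                topology[int(entry[3:])] = int(f.read().strip())
        except FileNotFoundError:
            continue  # offline CPUs expose no topology directory
    return topology


def split_cores(topology):
    """Return (housekeeping, isolated) as sorted CPU id lists.

    The lowest-numbered CPU of each socket is reserved for housekeeping.
    """
    reserved = {}
    for cpu, socket in sorted(topology.items()):
        reserved.setdefault(socket, cpu)
    housekeeping = sorted(reserved.values())
    isolated = [cpu for cpu in sorted(topology) if cpu not in housekeeping]
    return housekeeping, isolated


def to_cpulist(cpus):
    """Format CPU ids as a kernel-style range list such as '1-3,5-7'."""
    cpus = sorted(set(cpus))
    ranges, start = [], None
    for i, cpu in enumerate(cpus):
        if start is None:
            start = cpu
        if i == len(cpus) - 1 or cpus[i + 1] != cpu + 1:
            ranges.append(str(cpu) if start == cpu else f"{start}-{cpu}")
            start = None
    return ",".join(ranges)


def isolated_cores_setting(topology):
    """Return the isolated_cores value for /etc/tuned/realtime-variables.conf."""
    _, isolated = split_cores(topology)
    return to_cpulist(isolated)


# Constructed topology: two sockets with four cores each, no SMT.
SAMPLE_TOPOLOGY = {0: 0, 1: 0, 2: 0, 3: 0, 4: 1, 5: 1, 6: 1, 7: 1}

if __name__ == "__main__":
    print("isolated_cores=" + isolated_cores_setting(SAMPLE_TOPOLOGY))
```

To override the preset, write the computed or hand-chosen list as isolated_cores=1-3,5-7 in /etc/tuned/realtime-variables.conf before activating the real-time profile.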
4.7. Security
New packages: keylime
RHEL 9.1 introduces Keylime, a tool for attestation of remote systems, which uses the trusted platform module (TPM) technology. With Keylime, you can verify and continuously monitor the integrity of remote systems. You can also specify encrypted payloads that Keylime delivers to the monitored machines, and define automated actions that trigger whenever a system fails the integrity test.
See Ensuring system integrity with Keylime in the RHEL 9 Security hardening document for more information.
(JIRA:RHELPLAN-92522)
New option in OpenSSH supports setting the minimum RSA key length
Accidentally using short RSA keys makes the system more vulnerable to attacks. With this update, you can set minimum RSA key lengths for OpenSSH servers and clients. To define the minimum RSA key length, use the new RequiredRSASize option in the /etc/ssh/sshd_config file for OpenSSH servers, and in the /etc/ssh/ssh_config file for OpenSSH clients. On the server, the limit applies to user and host-based authentication keys; on the client, it applies to the keys the client offers and to the host key the server presents.
crypto-policies enforce 2048-bit RSA key length minimum for OpenSSH by default
Using short RSA keys makes the system more vulnerable to attacks. Because OpenSSH now supports limiting the minimum RSA key length, the system-wide cryptographic policies enforce a 2048-bit minimum key length for RSA by default.
If you encounter OpenSSH failing connections with an Invalid key length error message, start using longer RSA keys.
Alternatively, you can relax the restriction by using a custom subpolicy at the expense of security. For example, if the update-crypto-policies --show command reports that the current policy is DEFAULT:
- Define a custom subpolicy by inserting the min_rsa_size@openssh = 1024 parameter into the /etc/crypto-policies/policies/modules/RSA-OPENSSH-1024.pmod file.
- Apply the custom subpolicy using the update-crypto-policies --set DEFAULT:RSA-OPENSSH-1024 command.
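A pre-flight check for the new minimum, as an added example in Python (not OpenSSH or crypto-policies code): it parses the SSH wire encoding of ssh-rsa public keys in an authorized_keys file (known_hosts uses the same encoding) and reports every key below a threshold, so you can find the keys that RequiredRSASize or the 2048-bit default will refuse before users are locked out. The sample file is constructed inline and its moduli are synthetic numbers of the right bit length, not real keys.

```python
"""Report ssh-rsa keys in authorized_keys-format text that are below a minimum size.

Added example, not OpenSSH or crypto-policies code. Parses the SSH public key
wire format (RFC 4253 section 6.6): string "ssh-rsa", mpint e, mpint n; the
key size is the bit length of n. Works on authorized_keys and known_hosts
lines. The sample keys at the bottom are synthetic moduli of a chosen bit
length, constructed for the example; they are not real RSA keys.
"""
import base64
import binascii
import struct


def _read_string(blob, offset):
    """Read one SSH string (4-byte big-endian length + bytes) from blob."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if len(blob) < end:
        raise ValueError("truncated key blob")
    return blob[start:end], end


def rsa_key_bits(pubkey_line):
    """Return the modulus size in bits for an ssh-rsa line, or None.

    Non-RSA keys, comments and blank lines return None. Leading options
    such as 'from="10.0.0.0/8",no-pty' are skipped: the key type token
    'ssh-rsa' is located first and the blob after it is decoded.
    """
    if pubkey_line.lstrip().startswith("#"):
        return None
    tokens = pubkey_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok != "ssh-rsa":
            continue
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
            ktype, off = _read_string(blob, 0)
            if ktype != b"ssh-rsa":
                continue
            _e, off = _read_string(blob, off)   # public exponent, not needed
            n, _ = _read_string(blob, off)      # modulus as mpint
        except (binascii.Error, ValueError):
            continue
        # mpint is two's complement big-endian; a leading 0x00 pad byte
        # does not change the integer value, so bit_length() is exact.
        return int.from_bytes(n, "big").bit_length()
    return None


def weak_rsa_keys(authorized_keys_text, min_bits=2048):
    """Return (line_number, bits) for each RSA key shorter than min_bits."""
    weak = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        bits = rsa_key_bits(line)
        if bits is not None and bits < min_bits:
            weak.append((lineno, bits))
    return weak


def _mpint(value):
    """Encode a non-negative int as an SSH mpint (RFC 4251 section 5)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the sign bit clear
    return struct.pack(">I", len(raw)) + raw


def synthetic_rsa_line(bits, comment):
    """Build an ssh-rsa line whose modulus has exactly `bits` bits.

    The modulus (1 << (bits - 1)) | 1 has the right size but is NOT a real
    RSA modulus; it only exercises the parser.
    """
    n = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed authorized_keys content.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; all keys are synthetic",
    synthetic_rsa_line(1024, "legacy@build-host"),
    'from="10.0.0.0/8",no-pty ' + synthetic_rsa_line(2048, "ci@runner"),
    synthetic_rsa_line(4096, "admin@bastion"),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKeyAAAAAAAAAAAAAAAAAAAAAA ops@laptop",
])

if __name__ == "__main__":
    for lineno, bits in weak_rsa_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {bits}-bit RSA key is below the 2048-bit minimum")
```

For a single key file, ssh-keygen -lf path reports the same bit count; the script is for batch checks across many accounts and host key lists, and the min_bits argument lets you check against a custom subpolicy value as well as the 2048-bit default.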
New option in OpenSSL supports SHA-1 for signatures
OpenSSL 3.0.0 in RHEL 9 does not support SHA-1 for signature creation and verification by default (SHA-1 key derivation functions (KDF) and hash-based message authentication codes (HMAC) are still supported). However, to support backwards compatibility with RHEL 8 systems that still use SHA-1 for signatures, a new configuration option rh-allow-sha1-signatures is introduced to RHEL 9. This option, if enabled in the alg_section of openssl.cnf, permits the creation and verification of SHA-1 signatures.
This option is automatically enabled if the LEGACY system-wide cryptographic policy (not the legacy provider) is set.
Note that this also affects the installation of RPM packages with SHA-1 signatures, which may require switching to the LEGACY system-wide cryptographic policy.
(BZ#2060510, BZ#2055796)
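The alg_section setting the note mentions, shown as an added configuration excerpt rather than text from the RHEL documentation. RHEL 9 ships /etc/pki/tls/openssl.cnf with alg_section pointing at an [evp_properties] section; if your file was customized, the section name below is an assumption to adjust. Keep the option off unless a RHEL 8 peer actually needs SHA-1 signatures, and remove it once that peer is migrated.

```ini
# /etc/pki/tls/openssl.cnf (excerpt)
[openssl_init]
alg_section = evp_properties

# Permit SHA-1 signature creation and verification for compatibility with
# RHEL 8 peers. This weakens the system-wide default; treat it as temporary.
[evp_properties]
rh-allow-sha1-signatures = yes
```

Prefer this file-scoped setting over switching the whole system to the LEGACY policy, which relaxes far more than SHA-1 signatures; the LEGACY policy is only needed where RPM package signatures also rely on SHA-1.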
crypto-policies now support sntrup761x25519-sha512@openssh.com
This update of the system-wide cryptographic policies adds support for the sntrup761x25519-sha512@openssh.com key exchange (KEX) method. The post-quantum sntrup761 algorithm is already available in the OpenSSH suite, and this method provides better security against attacks from quantum computers. To enable sntrup761x25519-sha512@openssh.com, create and apply a subpolicy, for example:
# echo 'key_exchange = +SNTRUP' > /etc/crypto-policies/policies/modules/SNTRUP.pmod
# update-crypto-policies --set DEFAULT:SNTRUP
For more information, see the Customizing system-wide cryptographic policies with subpolicies section in the RHEL 9 Security hardening document.
NSS no longer supports RSA keys shorter than 1023 bits
The update of the Network Security Services (NSS) libraries changes the minimum key size for all RSA operations from 128 to 1023 bits. This means that NSS no longer performs the following functions:
- Generate RSA keys shorter than 1023 bits.
- Sign or verify RSA signatures with RSA keys shorter than 1023 bits.
- Encrypt or decrypt values with RSA keys shorter than 1023 bits.
SELinux policy confines additional services
The selinux-policy packages have been updated, and therefore the following services are now confined by SELinux:
- ksm
- nm-priv-helper
- rhcd
- stalld
- systemd-network-generator
- targetclid
- wg-quick
(BZ#1965013, BZ#1964862, BZ#2020169, BZ#2021131, BZ#2042614, BZ#2053639, BZ#2111069)
SELinux supports the self keyword in type transitions
SELinux tooling now supports type transition rules with the self keyword in the policy sources. Support for type transitions with the self keyword prepares the SELinux policy for labeling of anonymous inodes.
SELinux user-space packages updated
SELinux user-space packages libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans were updated to the latest upstream release 3.4. The most notable changes are:
- Added support for parallel relabeling through the -T option in the setfiles, restorecon, and fixfiles tools. You can either specify the number of process threads in this option or use -T 0 to use the maximum of available processor cores. This reduces the time required for relabeling significantly.
- Added the new --checksum option, which prints SHA-256 hashes of modules.
- Added new policy utilities in the libsepol-utils package.
SELinux automatic relabeling is now parallel by default
Because the newly introduced parallel relabeling option significantly reduces the time required for the SELinux relabeling process on multi-core systems, the automatic relabeling script now contains the -T 0 option in the fixfiles command line. The -T 0 option ensures that the setfiles program uses the maximum of available processor cores for relabeling by default.
To use only one process thread for relabeling as in the previous version of RHEL, override this setting by entering either the fixfiles -T 1 onboot command instead of just fixfiles onboot, or the echo "-T 1" > /.autorelabel command instead of touch /.autorelabel.
SCAP Security Guide rebased to 0.1.63
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.63. This version provides various enhancements and bug fixes, most notably:
- New compliance rules for sysctl, grub2, pam_pwquality, and build time kernel configuration were added.
- Rules hardening the PAM stack now use authselect as the configuration tool. Note: With this change, the rules hardening the PAM stack are not applied if the PAM stack was edited by other means.
Added a maximum size option for Rsyslog error files
Using the new action.errorfile.maxsize option, you can specify a maximum number of bytes for the error file of the Rsyslog log processing system. When the error file reaches the specified size, Rsyslog cannot write any additional errors or other data to it. This prevents the error file from filling up the file system and making the host unusable.
clevis-luks-askpass is now enabled by default
The /lib/systemd/system-preset/90-default.preset file now contains the enable clevis-luks-askpass.path configuration option, and the installation of the clevis-systemd sub-package ensures that the clevis-luks-askpass.path unit file is enabled. This enables the Clevis encryption client to also unlock LUKS-encrypted volumes that mount late in the boot process. Before this update, the administrator had to use the systemctl enable clevis-luks-askpass.path command to enable Clevis to unlock such volumes.
fapolicyd rebased to 1.1.3
The fapolicyd packages have been upgraded to version 1.1.3. Notable improvements and bug fixes include:
- Rules can now contain the new subject PPID attribute, which matches the parent PID (process ID) of a subject.
- The OpenSSL library replaced the Libgcrypt library as a cryptographic engine for hash computations.
- The fagenrules --load command now works correctly.
4.8. Networking
The act_ctinfo kernel module has been added
This enhancement adds the act_ctinfo kernel module to RHEL. Using the ctinfo action of the tc utility, administrators can copy the conntrack mark or the value of the differentiated services code point (DSCP) of network packets into the socket buffer's mark metadata field. As a result, you can use conditions based on the conntrack mark or the DSCP value to filter traffic. For further details, see the tc-ctinfo(8) man page.
(BZ#2027894)
cloud-init updates network configuration at every boot on Microsoft Azure
Microsoft Azure does not change the instance ID when an administrator updates the network interface configuration while a VM is offline. With this enhancement, the cloud-init service always updates the network configuration when the VM boots to ensure that RHEL on Microsoft Azure uses the latest network settings.
As a consequence, if you manually configure settings on interfaces, such as an additional search domain, cloud-init may override them when you reboot the VM. For further details and a workaround, see the cloud-init-22.1-5 updates network config on every boot solution.
The PTP driver now supports virtual clocks and time stamping
With this enhancement, the Precision Time Protocol (PTP) driver can create virtual PTP Hardware Clocks (PHCs) on top of a free-running PHC by writing to /sys/class/ptp/ptp*/n_vclocks. As a result, users can run multiple domain synchronization with hardware time stamps on one interface.
(BZ#2066451)
firewalld was rebased to version 1.1.1
The firewalld packages have been upgraded to version 1.1.1. This version provides multiple bug fixes and enhancements over the previous version:
New features:
- Rich rules support the NetFilter-log (NFLOG) target for user-space logging. Note that there is no NFLOG-capable logging daemon in RHEL. However, you can use the tcpdump -i nflog command to collect the logs you need.
- Support for port forwarding in policies with ingress-zones=HOST and egress-zones={ANY, source based zone}.
Other notable changes include:
- Support for the afp, http3, jellyfin, netbios-ns, ws-discovery, and ws-discovery-client services
- Tab-completion and sub-options in Z Shell for the policy option
NetworkManager now supports advmss, rto_min, and quickack route attributes
With this enhancement, administrators can configure the ipv4.routes setting with the following attributes:
- rto_min (TIME) - configure the minimum TCP re-transmission timeout in milliseconds when communicating with the route destination
- quickack (BOOL) - a per-route setting to enable or disable TCP quick ACKs
- advmss (NUMBER) - advertise maximum segment size (MSS) to the route destination when establishing TCP connections. If unspecified, Linux uses a default value calculated from the maximum transmission unit (MTU) of the first hop device
The benefit of implementing the new functionality of ipv4.routes with the mentioned attributes is that there is no need to run a dispatcher script.
Note that once you activate a connection with the mentioned route attributes, such changes are set in the kernel.
(BZ#2068525)
Support for the 802.1ad vlan-protocol option in nmstate
The nmstate API now supports creating linux-bridge interfaces using the 802.1ad vlan-protocol option. This feature enables the configuration of Service-Tag VLANs. The following example illustrates usage of this functionality in a yaml configuration file.
---
interfaces:
- name: br0
  type: linux-bridge
  state: up
  bridge:
    options:
      vlan-protocol: 802.1ad
    port:
    - name: eth1
      vlan:
        mode: trunk
        trunk-tags:
        - id: 500
The firewalld service can forward NAT packets originating from the local host to a different host and port
You can forward packets sent from the localhost that runs the firewalld service to a different destination port and IP address. The functionality is useful, for example, to forward ports on the loopback device to a container or a virtual machine. Prior to this change, firewalld could only forward ports when it received a packet that originated from another host. For more details and an illustrative configuration, see Using DNAT to forward HTTPS traffic to a different host.
NetworkManager now supports migration from ifcfg-rh to key file
Users can migrate their existing connection profile files from the ifcfg-rh format to the key file format. This way, all connection profiles will be in one location and in the preferred format. The key file format has the following advantages:
- Closely resembles the way how NetworkManager expresses network configuration
- Guarantees compatibility with future RHEL releases
- Is easier to read
- Supports all connection profiles
To migrate the connections, run:
# nmcli connection migrate
Note that the ifcfg-rh files will work correctly during the RHEL 9 lifetime. However, migrating the configuration to the key file format guarantees compatibility beyond RHEL 9.
For more details, see the nmcli(1), nm-settings-keyfile(5), and nm-settings-ifcfg-rh(5) manual pages.
More DHCP and IPv6 auto-configuration attributes have been added to the nmstate API
This enhancement adds support for the following attributes to the nmstate API:
- dhcp-client-id for DHCPv4 connections, as described in RFC 2132 and RFC 4361.
- dhcp-duid for DHCPv6 connections, as described in RFC 8415.
- addr-gen-mode for IPv6 auto-configuration. You can set this attribute to:
  - eui64, as described in RFC 4862
  - stable-privacy, as described in RFC 7217
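The two addr-gen-mode values differ in what an observer learns from the resulting address: eui64 embeds the interface's MAC address in the interface identifier, so the same host is recognizable on every network it joins, while stable-privacy derives the identifier from a secret key and the network prefix, so it stays stable on one network but cannot be linked across networks. The following Python script is an added example, not code from the release notes, nmstate or NetworkManager; it implements the modified EUI-64 derivation and a straightforward RFC 7217 derivation side by side. It assumes SHA-256 as the RFC 7217 F() function (the kernel and NetworkManager may use a different function and input encoding), and the MAC address, prefixes and secret key in it are constructed values.

```python
"""IPv6 interface identifiers for the two addr-gen-mode values.

Added example; it is not part of the release notes, nmstate or NetworkManager.
eui64 derives the identifier from the MAC address (RFC 4291 appendix A,
RFC 4862), so the hardware address travels with the host across networks.
stable-privacy follows RFC 7217: the identifier is a keyed hash over the
prefix and interface, so it stays stable on one network but cannot be linked
to the host on another. Assumptions: SHA-256 is used as the RFC 7217 F()
function (the kernel and NetworkManager may use a different one), and the
MAC, prefixes and secret key below are constructed values.
"""
import hashlib
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64: insert FF:FE in the middle and invert the U/L bit."""
    octets = _mac_bytes(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def stable_privacy_iid(prefix: str, net_iface: str, secret_key: bytes,
                       network_id: bytes = b"", dad_counter: int = 0) -> bytes:
    """RFC 7217 section 5: RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    The 64 least significant bits of the RID become the interface identifier.
    dad_counter is incremented by the caller when DAD reports a collision.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("RFC 7217 identifiers fill a 64-bit IID; use a /64 prefix")
    h = hashlib.sha256()                      # assumption: F() is SHA-256
    h.update(net.network_address.packed[:8])  # Prefix
    h.update(net_iface.encode())              # Net_Iface
    h.update(network_id)                      # Network_ID (e.g. SSID), optional
    h.update(dad_counter.to_bytes(4, "big"))  # DAD_Counter
    h.update(secret_key)                      # secret_key, 128+ random bits
    return h.digest()[-8:]


def make_address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def mac_visible_in(iid: bytes, mac: str) -> bool:
    """True when the NIC-specific 24 bits of the MAC appear verbatim in the IID."""
    return _mac_bytes(mac)[3:] in iid


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"               # constructed
    secret = b"constructed-not-a-real-key"  # constructed; use os.urandom(16) in practice
    eui = eui64_iid(mac)
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):
        sp = stable_privacy_iid(prefix, "eth0", secret)
        print(prefix, "eui64:", make_address(prefix, eui),
              "mac visible:", mac_visible_in(eui, mac))
        print(prefix, "stable-privacy:", make_address(prefix, sp),
              "mac visible:", mac_visible_in(sp, mac))
```

Running the script shows the eui64 address carrying the same 0211:22ff:fe33:4455 identifier on both prefixes, whereas the stable-privacy identifier changes with the prefix and stays constant only as long as the prefix, interface name and secret key do; a real deployment must keep that secret key random and private, because anyone who knows it can recompute the identifiers.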
NetworkManager now clearly indicates that WEP support is not available in RHEL 9
The wpa_supplicant packages in RHEL 9.0 and later no longer contain the deprecated and insecure Wired Equivalent Privacy (WEP) security algorithm. This enhancement updates NetworkManager to reflect these changes. For example, the nmcli device wifi list command now returns WEP access points at the end of the list in gray color, and connecting to a WEP-protected network returns a meaningful error message.
For secure encryption, use only Wi-Fi networks that use Wi-Fi Protected Access 2 (WPA2) or WPA3 authentication.
The MPTCP code has been updated
The MultiPath TCP (MPTCP) code in the kernel has been updated to the level of upstream Linux 5.19. This update provides a number of bug fixes and enhancements over the previous version:
- The FASTCLOSE option has been added to close MPTCP connections without a full three-way handshake.
- The MP_FAIL option has been added to enable fallback to TCP even after the initial handshake.
- The monitoring capabilities have been improved by adding additional Management Information Base (MIB) counters.
- Monitor support for MPTCP listener sockets has been added. Use the ss utility to monitor the sockets.
(BZ#2079368)
4.9. Kernel
Kernel version in RHEL 9.1
Red Hat Enterprise Linux 9.1 is distributed with the kernel version 5.14.0-162.
Memory consumption of the list_lru has been optimized
The internal kernel data structure, list_lru, tracks the "Least Recently Used" status of kernel inodes and directory entries for files. Previously, the number of allocated list_lru structures was directly proportional to the number of mount points and the number of present memory cgroups. Both these numbers increase with the number of running containers, leading to memory consumption of O(n^2), where n is the number of running containers. This update optimizes the memory consumption of list_lru in the system to O(n). As a result, sufficient memory is now available for user applications, especially on systems with a large number of running containers.
(BZ#2013413)
BPF rebased to Linux kernel version 5.16
The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 5.16 with multiple bug fixes and enhancements. The most notable changes include:
- Streamlined internal BPF program section handling and the bpf_program__set_attach_target() API in the libbpf userspace library. The bpf_program__set_attach_target() API sets the BTF-based attach targets for BPF programs.
- Added support for the BTF_KIND_TAG kind, which allows you to tag declarations.
- Added support for the bpf_get_branch_snapshot() helper, which enables a tracing program to capture the last branch records (LBR) from the hardware.
- Added legacy kprobe events support in the libbpf userspace library, which enables kprobe tracepoint event creation through the legacy interface.
- Added the capability to access hardware timestamps through the BPF-specific __sk_buff structure.
- Added support for a batched interface for RX buffer allocation in the AF_XDP buffer pool, with driver support for i40e and ice.
- Added legacy uprobe support in the libbpf userspace library to complement the recently merged legacy kprobe support.
- Added bpf_trace_vprintk() as a variadic printk helper.
- Added the libbpf opt-in for stricter BPF program section name handling as part of the libbpf 1.0 effort.
- Added libbpf support to locate specialized maps, such as perf RB, and internally delete BTF type identifiers while creating them.
- Added the bloomfilter BPF map type to test whether an element exists in a set.
- Added support for kernel module function calls from BPF.
- Added support for typeless and weak ksym in light skeleton.
- Added support for the BTF_KIND_DECL_TAG kind.
For the full list of BPF features available in the running kernel, use the bpftool feature command.
(BZ#2069045)
BTF data is now located in the kernel module
BPF Type Format (BTF) is the metadata format that encodes the debug information related to BPF programs and maps. Previously, the BTF data for kernel modules was stored in the kernel-debuginfo package. As a consequence, it was necessary to install the corresponding kernel-debuginfo package in order to use BTF for kernel modules. With this update, the BTF data is located directly in the kernel module. As a result, you do not need to install any additional packages for BTF to work.
(BZ#2097188)
The kernel-rt source tree has been updated to the RHEL 9.1 tree
The kernel-rt sources have been updated to use the latest Red Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest upstream version, v5.15-rt. These updates provide a number of bug fixes and enhancements.
(BZ#2061574)
Dynamic preemptive scheduling enabled on ARM and AMD and Intel 64-bit architectures
RHEL 9 provides the dynamic scheduling feature on the ARM and AMD and Intel 64-bit architectures. This enhancement enables changing the preemption mode of the kernel at boot or run time instead of at compile time. The /sys/kernel/debug/sched/preempt file contains the current setting and allows runtime modification.
Using the DYNAMIC_PREEMPT option, you can set the preempt= variable at boot time to either none, voluntary or full, with voluntary preemption being the default. Using dynamic preemptive handling, you can override the default preemption model to improve scheduling latency.
(BZ#2065226)
stalld rebased to version 1.17
The stalld program, which provides the stall daemon, is a mechanism to prevent the starvation state of operating system threads in a Linux system. This version monitors the threads for the starvation state. Starvation occurs when a thread is on a CPU run queue for longer than the starvation threshold.
This stalld version includes many improvements and bug fixes over the previous version. The notable change includes the capability to detect runnable dying tasks.
When stalld detects a starving thread, the program changes the scheduling class of the thread to the SCHED_DEADLINE policy, which gives the thread a small slice of time on the specified CPU to run. When the time slice is used up, the thread returns to its original scheduling policy and stalld continues to monitor the thread states.
The tpm2-tools package has been rebased to version tpm2-tools-5.2-1
The tpm2-tools package has been rebased to version tpm2-tools-5.2-1. This upgrade provides many significant enhancements and bug fixes. The most notable changes include:
- Adds support for public-key output at primary object creation using the tpm2_createprimary and tpm2_create tools.
- Adds support for the tpm2_print tool to print public-key output formats. tpm2_print decodes a Trusted Platform Module (TPM) data structure and prints the enclosed elements.
- Adds support to the tpm2_eventlog tool for reading logs larger than 64 KB.
- Adds the tpm2_sessionconfig tool to support displaying and configuring session attributes.
For more information on notable changes, see the /usr/share/doc/tpm2-tools/Changelog.md file.
(BZ#2090748)
Intel E800 devices now support iWARP and RoCE protocols
With this enhancement, you can use the enable_iwarp and enable_roce devlink parameters to turn iWARP or RoCE protocol support on and off. You can configure a port with only one of the two protocols at a time: Intel E800 devices do not support both protocols simultaneously on the same port.
To enable or disable the iWARP protocol for a specific E800 device, first obtain the PCI location of the card:
$ lspci | awk '/E810/ {print $1}'
44:00.0
44:00.1
Then enable or disable the protocol. Use pci/0000:44:00.0 for the first port and pci/0000:44:00.1 for the second port of the card as the argument to the devlink command:
$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value true cmode runtime
$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value false cmode runtime
To enable or disable the RoCE protocol for a specific E800 device, obtain the PCI location of the card as shown above. Then use one of the following commands:
$ devlink dev param set pci/0000:44:00.0 name enable_roce value true cmode runtime
$ devlink dev param set pci/0000:44:00.0 name enable_roce value false cmode runtime
(BZ#2096127)
4.10. Boot loader
GRUB is signed by new keys
For security reasons, GRUB is now signed by new keys. As a consequence, you need to update the system firmware of IBM Power Systems to version FW1010.30 (or later) or FW1020 to be able to boot the little-endian variant of RHEL on IBM Power Systems with the Secure Boot feature enabled.
(BZ#2074761)
Configurable disk access retries when booting a VM on IBM POWER
You can now configure how many times the GRUB boot loader retries accessing a remote disk when a logical partition (lpar) virtual machine (VM) boots on the IBM POWER architecture. Lowering the number of retries can prevent a slow boot in certain situations.
Previously, GRUB retried accessing disks 20 times when disk access failed at boot. This caused problems if you performed a Live Partition Mobility (LPM) migration on an lpar system that connected to slow Storage Area Network (SAN) disks. As a consequence, the boot might have taken very long until the 20 retries finished.
With this update, you can configure and decrease the number of disk access retries using the ofdisk_retries GRUB option. For details, see Configure disk access retries when booting a VM on IBM POWER.
As a result, the lpar boot is no longer slow after LPM on POWER, and the lpar system boots without the failed disks.
4.11. File systems and storage
Stratis now enables setting the file system size upon creation
You can now set the required size when creating a file system. Previously, the automatic default size was 1 TiB. With this enhancement, you can set an arbitrary file system size; the lower limit is 512 MiB.
Improved overprovision management of Stratis pools
The management of thin provisioning has been improved: Stratis now provides better warnings, precise allocation of space for the pool metadata, improved predictability, and overall safer and more reliable thin pool management. A new distinct mode disables overprovisioning. With this enhancement, you can disable overprovisioning to ensure that a pool contains enough space to support all its file systems, even if they are completely full.
Stratis now provides improved individual pool management
You can now stop individual Stratis pools and start stopped pools. Previously, stratisd attempted to start all available pools for all devices it detected. This enhancement provides more flexible management of individual pools within Stratis, and better debugging and recovery capabilities. The system no longer requires a reboot to perform recovery and maintenance operations for a single pool.
Enabled protocol specific configuration of multipath device paths
Previously, because different path transport protocols have different optimal configurations, it was impossible to set the configuration correctly without setting an option for each individual protocol. With this enhancement, users can configure multipath device paths based on their path transport protocol. Use the protocol subsection of the overrides section in the /etc/multipath.conf file to configure multipath device paths based on their protocol.
New libnvme library
Previously, the NVMe storage command line interface utility (nvme-cli) included all of the helper functions and definitions. With this update, nvme-cli is divided into two projects: nvme-cli now contains only the code specific to the nvme tool, and the new libnvme library, introduced in RHEL 9.1, contains the shared code. The library includes:
- Type definitions for NVMe specification structures
- Enumerations and bit fields
- Helper functions to construct, dispatch, and decode commands and payloads
- Utilities to connect, scan, and manage NVMe devices
With this update, projects and packages such as nvme-stas no longer need to duplicate this code and can rely on the common library.
(BZ#2099619)
4.12. High availability and clusters
Support for High Availability on Red Hat OpenStack platform
You can now configure a high availability cluster on the Red Hat OpenStack platform. In support of this feature, Red Hat provides the following new cluster agents:
- fence_openstack: fencing agent for HA clusters on OpenStack
- openstack-info: resource agent to configure the openstack-info cloned resource, which is required for an HA cluster on OpenStack
- openstack-virtual-ip: resource agent to configure a virtual IP address resource
- openstack-floating-ip: resource agent to configure a floating IP address resource
- openstack-cinder-volume: resource agent to configure a block storage resource
pcs supports updating multipath SCSI devices without requiring a system restart
You can now update multipath SCSI devices with the pcs stonith update-scsi-devices command. This command updates SCSI devices without causing a restart of other cluster resources running on the same node.
Support for cluster UUID
During cluster setup, the pcs command now generates a UUID for every cluster. Since a cluster name is not a unique cluster identifier, you can use the cluster UUID to identify clusters with the same name when you administer multiple clusters.
You can display the current cluster UUID with the pcs cluster config [show] command. You can add a UUID to an existing cluster or regenerate a UUID if it already exists by using the pcs cluster config uuid generate command.
New pcs resource config command option to display the pcs commands that re-create configured resources
The pcs resource config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured resources on a different system.
New pcs stonith config command option to display the pcs commands that re-create configured fence devices
The pcs stonith config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured fence devices on a different system.
Pacemaker rebased to version 2.1.4
The Pacemaker packages have been upgraded to the upstream version of Pacemaker 2.1.4. Notable changes include:
- The multiple-active resource parameter now accepts a value of stop_unexpected. The multiple-active resource parameter determines recovery behavior when a resource is active on more than one node when it should not be. By default, this situation requires a full restart of the resource, even if the resource is running successfully where it should be. A value of stop_unexpected for this parameter specifies that only unexpected instances of a multiply-active resource are stopped. It is the user's responsibility to verify that the service and its resource agent can function with extra active instances without requiring a full restart.
- Pacemaker now supports the allow-unhealthy-node resource meta-attribute. When this meta-attribute is set to true, the resource is not forced off a node due to degraded node health. When health resources have this attribute set, the cluster can automatically detect if the node's health recovers and move resources back to it.
- Users can now specify Access Control Lists (ACLs) for a system group using the pcs acl group command. Pacemaker previously allowed ACLs to be specified for individual users, but it is sometimes simpler, and conforms better with local policies, to specify ACLs for a system group and have them apply to all users in that group. This command was present in earlier releases but had no effect.
Samba no longer automatically installed with cluster packages
As of this release, installing the packages for the RHEL High Availability Add-On no longer installs the Samba packages automatically. This also allows you to remove the Samba packages without automatically removing the HA packages as well. If your cluster uses Samba resources, you must now install the Samba packages manually.
(BZ#1826455)
4.13. Dynamic programming languages, web and database servers
The nodejs:18 module stream is now fully supported
The nodejs:18 module stream, previously available as a Technology Preview, is fully supported with the release of the RHSA-2022:8832 advisory. The nodejs:18 module stream now provides Node.js 18.12, which is a Long Term Support (LTS) version.
Node.js 18 included in RHEL 9.1 provides numerous new features together with bug and security fixes over Node.js 16.
Notable changes include:
- The V8 engine has been upgraded to version 10.2.
- The npm package manager has been upgraded to version 8.19.2.
- Node.js now provides a new experimental fetch API.
- Node.js now provides a new experimental node:test module, which facilitates the creation of tests that report results in the Test Anything Protocol (TAP) format.
- Node.js now prefers IPv6 addresses over IPv4.
To install the nodejs:18 module stream, use:
# dnf module install nodejs:18
(BZ#2083072)
A new module stream: php:8.1
RHEL 9.1 adds PHP 8.1 as a new php:8.1 module stream.
With PHP 8.1, you can:
- Define a custom type that is limited to one of a discrete number of possible values using the Enumerations (Enums) feature
- Declare a property with the readonly modifier to prevent modification of the property after initialization
- Use fibers, which are full-stack, interruptible functions
To install the php:8.1 module stream, use:
# dnf module install php:8.1
For details regarding PHP usage on RHEL 9, see Using the PHP scripting language.
(BZ#2070040)
A new module stream: ruby:3.1
RHEL 9.1 introduces Ruby 3.1.2 in a new ruby:3.1 module stream. This version provides a number of performance improvements, bug and security fixes, and new features over Ruby 3.0 distributed with RHEL 9.0.
Notable enhancements include:
- The Interactive Ruby (IRB) utility now provides an autocomplete feature and a documentation dialog
- A new debug gem, which replaces lib/debug.rb, provides improved performance, and supports remote debugging and multi-process/multi-thread debugging
- The error_highlight gem now provides a fine-grained error location in the backtrace
- Values in hash literals and keyword arguments can now be omitted
- The pin operator (^) now accepts an expression in pattern matching
- Parentheses can now be omitted in one-line pattern matching
- YJIT, a new experimental in-process Just-in-Time (JIT) compiler, is now available on the AMD and Intel 64-bit architectures
- The TypeProf For IDE utility has been introduced, which is an experimental static type analysis tool for Ruby code in IDEs
The following performance improvements have been implemented in the Method Based Just-in-Time Compiler (MJIT):
- For workloads like Rails, the default maximum JIT cache value has increased from 100 to 10000
- Code compiled using JIT is no longer canceled when a TracePoint for class events is enabled
Other notable changes include:
- The tracer.rb file has been removed
- Since version 4.0, the Psych YAML parser uses the safe_load method by default: Psych.load now behaves like Psych.safe_load and refuses to instantiate arbitrary Ruby objects from a YAML document. Code that relies on deserializing arbitrary objects must call Psych.unsafe_load explicitly, which should be done only for trusted input.
To install the ruby:3.1 module stream, use:
# dnf module install ruby:3.1
(BZ#2063773)
httpd rebased to version 2.4.53
The Apache HTTP Server has been updated to version 2.4.53, which provides bug fixes, enhancements, and security fixes over version 2.4.51 distributed with RHEL 9.0.
Notable changes in the mod_proxy and mod_proxy_connect modules include:
- mod_proxy: The length limit of the name of the controller has been increased
- mod_proxy: You can now selectively configure timeouts for backend and frontend
- mod_proxy: You can now disable TCP connection redirection by setting the proxy-nohalfclose environment variable, for example with SetEnv proxy-nohalfclose
- mod_proxy and mod_proxy_connect: It is forbidden to change a status code after sending it to a client
In addition, a new ldap function has been added to the expression API. It escapes a value for safe use in an LDAP filter or distinguished name, which helps prevent LDAP injection vulnerabilities.
A new default for the LimitRequestBody directive in httpd configuration
To fix CVE-2022-29404, the default value for the LimitRequestBody directive in the Apache HTTP Server has been changed from 0 (unlimited) to 1 GiB.
On systems where the value of LimitRequestBody is not explicitly specified in an httpd configuration file, updating the httpd package sets LimitRequestBody to the default value of 1 GiB. As a consequence, if the total size of an HTTP request body exceeds this 1 GiB default limit, httpd returns the 413 Request Entity Too Large status code.
If the new default allowed size of an HTTP request message body is insufficient for your use case, update your httpd configuration files within the respective context (server, per-directory, per-file, or per-location) and set your preferred limit in bytes. For example, to set a new 2 GiB limit, use:
LimitRequestBody 2147483648
Systems already configured to use any explicit value for the LimitRequestBody directive are unaffected by this change. Note that an explicit value of 0 still means unlimited, so contexts that set it keep the pre-2.4.53 behavior that the new default was introduced to avoid.
(BZ#2128016)
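Because the new default only applies where LimitRequestBody is not set, the practical question after the update is which contexts still carry an explicit 0 or a limit far above 1 GiB. The following Python script is an added example, not code from the release notes or from the Apache httpd project: it walks a constructed httpd configuration, tracks Directory, Files, Location and VirtualHost containers, resolves the effective LimitRequestBody for each context (treating an unset value as the 1 GiB default) and flags contexts that are still unlimited. It assumes that the 1 GiB default applies to every unset context, does not follow Include or IfModule, and lets a container without its own directive inherit the server-level value only.

```python
"""Report the effective LimitRequestBody for each context of an httpd configuration.

Added example; it is not part of the release notes or of the Apache httpd project.
It walks a constructed httpd.conf, tracks Directory/Files/Location/VirtualHost
containers, resolves the effective limit per context (an unset value means the
new 1 GiB default) and flags contexts that still set 0, the pre-2.4.53 unlimited
behaviour. Simplifications: no Include or IfModule handling, and a container
without its own directive inherits the server-level value only.
"""
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_LIMIT = 1073741824  # 1 GiB: httpd 2.4.53 default for LimitRequestBody

_CONTAINERS = r"(Directory|DirectoryMatch|Files|FilesMatch|Location|LocationMatch|VirtualHost)"
_OPEN = re.compile(rf"^<{_CONTAINERS}\s+(.+?)\s*>$", re.I)
_CLOSE = re.compile(rf"^</{_CONTAINERS}>$", re.I)
_LIMIT = re.compile(r"^LimitRequestBody\s+(\d+)$", re.I)

# Constructed sample configuration; httpd comments must be on their own line.
SAMPLE_CONF = """\
# constructed sample, not a real RHEL httpd.conf
ServerRoot "/etc/httpd"
<Directory "/var/www/html">
    Options None
</Directory>
<Location "/upload">
    # 2 GiB for a documented large-file upload endpoint
    LimitRequestBody 2147483648
</Location>
<Location "/legacy-api">
    # 0 keeps the pre-2.4.53 unlimited behaviour
    LimitRequestBody 0
</Location>
<Location "/webhook">
    # 1 MiB is plenty for JSON callbacks
    LimitRequestBody 1048576
</Location>
"""


def effective_limits(conf: str) -> Dict[str, int]:
    """Map each context ("server", "Location /upload", ...) to its LimitRequestBody in bytes."""
    explicit: Dict[str, Optional[int]] = {"server": None}
    stack: List[str] = ["server"]
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            arg = m.group(2).strip().strip('"')
            ctx = f"{m.group(1)} {arg}"
            explicit.setdefault(ctx, None)
            stack.append(ctx)
            continue
        if _CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
            continue
        m = _LIMIT.match(line)
        if m:
            explicit[stack[-1]] = int(m.group(1))
    server = explicit["server"] if explicit["server"] is not None else DEFAULT_LIMIT
    return {ctx: (v if v is not None else server) for ctx, v in explicit.items()}


def audit(conf: str) -> List[Tuple[str, int, str]]:
    """Return (context, limit, verdict) rows; 0 means unlimited and is flagged WEAK."""
    rows = []
    for ctx, limit in effective_limits(conf).items():
        if limit == 0:
            verdict = "WEAK: unlimited request body (pre-2.4.53 default)"
        elif limit > DEFAULT_LIMIT:
            verdict = "REVIEW: above the 1 GiB default"
        else:
            verdict = "ok"
        rows.append((ctx, limit, verdict))
    return rows


if __name__ == "__main__":
    for ctx, limit, verdict in audit(SAMPLE_CONF):
        print(f"{ctx:30} {limit:>12} {verdict}")
```

On the constructed configuration the server context and the Directory container report the 1 GiB default, /upload is reported for review at 2 GiB, /legacy-api is flagged as unlimited, and /webhook passes with 1 MiB; point the script at a real configuration with `effective_limits(open(path).read())` after expanding any Include directives yourself.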
New package: httpd-core
Starting with RHEL 9.1, the httpd binary file with all essential files has been moved to the new httpd-core package to limit the Apache HTTP Server's dependencies in scenarios where only the basic httpd functionality is needed, for example, in containers.
The httpd package now provides systemd-related files, including mod_systemd, mod_brotli, and documentation.
With this change, the httpd package no longer provides the httpd Module Magic Number (MMN) value. Instead, the httpd-core package now provides the httpd-mmn value. As a consequence, fetching httpd-mmn from the httpd package is no longer possible.
To obtain the httpd-mmn value of the installed httpd binary, you can use the apxs binary, which is a part of the httpd-devel package. To obtain the httpd-mmn value, use the following command:
# apxs -q HTTPD_MMN
20120211
(BZ#2065677)
pcre2 rebased to version 10.40
The pcre2 package, which provides the Perl Compatible Regular Expressions library v2, has been updated to version 10.40.
With this update, the use of the \K escape sequence in lookaround assertions is forbidden, in accordance with the respective change in Perl 5.32. If you rely on the previous behavior, you can use the PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK option. Note that when this option is set, \K is accepted only inside positive assertions but is ignored in negative assertions.
4.14. Compilers and development tools
The updated GCC compiler is now available for RHEL 9.1
The system GCC compiler, version 11.2.1, has been updated to include numerous bug fixes and enhancements available in the upstream GCC.
The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages.
For usage information, see Developing C and C++ applications in RHEL 9.
New GCC Toolset 12
GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
The GCC compiler has been updated to version 12.1.1, which provides many bug fixes and enhancements that are available in upstream GCC.
The following tools and versions are provided by GCC Toolset 12:
Tool | Version
---|---
GCC | 12.1.1
GDB | 11.2
binutils | 2.38
dwz | 0.14
annobin | 10.76
To install GCC Toolset 12, run the following command as root:
# dnf install gcc-toolset-12
To run a tool from GCC Toolset 12:
$ scl enable gcc-toolset-12 tool
To run a shell session where tool versions from GCC Toolset 12 override system versions of these tools:
$ scl enable gcc-toolset-12 bash
For more information, see GCC Toolset 12.
(BZ#2077465)
GCC Toolset 12: Annobin rebased to version 10.76
In GCC Toolset 12, the Annobin package has been updated to version 10.76.
Notable bug fixes and enhancements include:
- A new command line option for annocheck tells it to avoid using the debuginfod service if it is unable to find debug information in another way. Using debuginfod provides annocheck with more information, but it can also cause significant slowdowns in annocheck's performance if the debuginfod server is unavailable.
- The Annobin sources can now be built using meson and ninja rather than configure and make, if desired.
- Annocheck now supports binaries built by the Rust 1.18 compiler.
Additionally, the following known issue has been reported in the GCC Toolset 12 version of Annobin:
Under some circumstances it is possible for a compilation to fail with an error message that looks similar to the following:
cc1: fatal error: inaccessible plugin file opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin/gcc-annobin.so expanded from short plugin name gcc-annobin: No such file or directory
To work around the problem, create a symbolic link in the plugin directory from annobin.so to gcc-annobin.so:
# cd /opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin
# ln -s annobin.so gcc-annobin.so
Where architecture is replaced with the architecture being used:
- aarch64
- i686
- ppc64le
- s390x
- x86_64
(BZ#2077438)
GCC Toolset 12: binutils rebased to version 2.38
In GCC Toolset 12, the binutils package has been updated to version 2.38.
Notable bug fixes and enhancements include:
- All tools in the binutils package now support options to display or warn about the presence of multibyte characters.
- The readelf and objdump tools now automatically follow any links to separate debuginfo files by default. This behavior can be disabled by using the --debug-dump=no-follow-links option for readelf or the --dwarf=no-follow-links option for objdump.
(BZ#2077445)
GCC 12 and later supports _FORTIFY_SOURCE level 3
With this enhancement, users can build applications with -D_FORTIFY_SOURCE=3 on the compiler command line when building with GCC version 12 or later. _FORTIFY_SOURCE level 3 improves coverage of source code fortification, thus improving security for applications built with -D_FORTIFY_SOURCE=3. It is supported with GCC 12 and later and with all Clang versions in RHEL 9, which provide the __builtin_dynamic_object_size builtin that level 3 relies on to check buffers whose size is known only at run time. As with the lower levels, _FORTIFY_SOURCE takes effect only when optimization is enabled (any -O level other than -O0).
DNS stub resolver now supports the no-aaaa option
With this enhancement, glibc recognizes the no-aaaa stub resolver option in /etc/resolv.conf and the RES_OPTIONS environment variable. When this option is active, no AAAA queries are sent over the network. System administrators can disable AAAA DNS lookups for diagnostic purposes, such as ruling out that superfluous lookups on IPv4-only networks contribute to DNS issues. Only DNS lookups are affected: IPv6 addresses from /etc/hosts are still returned and configured IPv6 name servers are still used. The option is intended for diagnostics rather than as a permanent way to disable IPv6, because hosts that are reachable only over IPv6 no longer resolve while it is active.
Added support for IBM Z Series z16
glibc now supports the IBM z16 platform of the s390 instruction set architecture. IBM z16 provides two additional hardware capabilities in glibc, HWCAP_S390_VXRS_PDE2 and HWCAP_S390_NNPA. As a result, applications can use these capabilities to deliver optimized libraries and functions.
(BZ#2077838)
Applications can use the restartable sequence features through the new glibc interfaces
To accelerate the sched_getcpu function (especially on aarch64), glibc now uses the restartable sequences (rseq) kernel feature by default. To allow applications to continue to use the shared rseq area, glibc provides the __rseq_offset, __rseq_size and __rseq_flags symbols, which were first added in upstream glibc 2.35. With this enhancement, the performance of the sched_getcpu function is increased and applications can use the restartable sequence features through the new glibc interfaces.
GCC Toolset 12: GDB rebased to version 11.2
In GCC Toolset 12, the GDB package has been updated to version 11.2.
Notable bug fixes and enhancements include:
- New support for the 64-bit ARM architecture Memory Tagging Extension (MTE). See the new commands with the memory-tag prefix.
- --qualified option for -break-insert and -dprintf-insert. This option looks for an exact match of the user's event location instead of searching in all scopes. For example, break --qualified foo will look for a symbol named foo in the global scope. Without --qualified, GDB will search all scopes for a symbol with that name.
- --force-condition: Any supplied condition is defined even if it is currently invalid.
- -break-condition --force: Likewise for the MI command.
- -file-list-exec-source-files accepts an optional REGEXP to limit output.
- The .gdbinit search path includes the config directory. The order is:
  - $XDG_CONFIG_HOME/gdb/gdbinit
  - $HOME/.config/gdb/gdbinit
  - $HOME/.gdbinit
- Support for ~/.config/gdb/gdbearlyinit or ~/.gdbearlyinit.
- -eix and -eiex early initialization file options.
Terminal user interface (TUI):
- Support for mouse actions inside terminal user interface (TUI) windows.
- Key combinations that do not act on the focused window are now passed to GDB.
New commands:
- show print memory-tag-violations
- set print memory-tag-violations
- memory-tag show-logical-tag
- memory-tag with-logical-tag
- memory-tag show-allocation-tag
- memory-tag check
- show startup-quietly and set startup-quietly: A way to specify -q or -quiet in GDB scripts. Only valid in early initialization files.
- show print type hex and set print type hex: Tells GDB to print sizes or offsets for structure members in hexadecimal instead of decimal.
- show python ignore-environment and set python ignore-environment: If enabled, GDB's Python interpreter ignores Python environment variables, much like passing -E to the Python executable. Only valid in early initialization files.
- show python dont-write-bytecode and set python dont-write-bytecode: If on, GDB's Python interpreter does not write bytecode compiled objects of imported modules, much like passing -B to the Python executable. Only valid in early initialization files.
Changed commands:
- break LOCATION if CONDITION: If CONDITION is invalid, GDB refuses to set a breakpoint. The -force-condition option overrides this.
- condition -force N COND: Same as the previous command.
- inferior [ID]: When ID is omitted, this command prints information about the current inferior. Otherwise, unchanged.
- ptype[/FLAGS] TYPE | EXPRESSION: Use the /x flag to use hexadecimal notation when printing sizes and offsets of struct members. Use the /d flag to do the same but using decimal.
- info sources: Output has been restructured.
Python API:
- Inferior objects contain a read-only connection_num attribute.
- New gdb.Frame.level() method.
- New gdb.PendingFrame.level() method.
- gdb.BreakpointEvent emitted instead of gdb.Stop.
(BZ#2077494)
GDB supports Power 10 PLT instructions
GDB now supports Power 10 PLT instructions. With this update, users are able to step into shared library functions and inspect stack backtraces using GDB version 10.2-10 and later.
(BZ#1870017)
The dyninst package rebased to version 12.1
The dyninst package has been rebased to version 12.1. Notable bug fixes and enhancements include:
- Initial support for glibc-2.35 multiple namespaces
- Concurrency fixes for DWARF parallel parsing
- Better support for the CUDA and CDNA2 GPU binaries
- Better support for IBM POWER Systems (little endian) register access
- Better support for PIE binaries
- Corrected parsing for catch blocks
- Corrected access to 64-bit Arm (aarch64) floating point registers
A new fileset /etc/profile.d/debuginfod.*
Added a new fileset for activating organizational debuginfod services. To get a system-wide debuginfod client activation, add the URL to the /etc/debuginfod/FOO.urls file.
Rust Toolset rebased to version 1.62.1
Rust Toolset has been updated to version 1.62.1. Notable changes include:
- Destructuring assignment allows patterns to assign to existing variables in the left-hand side of an assignment. For example, a tuple assignment can swap two variables:
(a, b) = (b, a);
- Inline assembly is now supported on 64-bit x86 and 64-bit ARM using the core::arch::asm! macro. See more details in the "Inline assembly" chapter of the reference, /usr/share/doc/rust/html/reference/inline-assembly.html (online at https://doc.rust-lang.org/reference/inline-assembly.html).
- Enums can now derive the Default trait with an explicitly annotated #[default] variant.
- Mutex, CondVar, and RwLock now use a custom futex-based implementation rather than pthreads, with new optimizations made possible by Rust language guarantees.
- Rust now supports custom exit codes from main, including user-defined types that implement the newly-stabilized Termination trait.
- Cargo supports more control over dependency features. The dep: prefix can refer to an optional dependency without exposing that as a feature, and a ? only enables a dependency feature if that dependency is enabled elsewhere, like package-name?/feature-name.
- Cargo has a new cargo add subcommand for adding dependencies to Cargo.toml.
For more details, please see the series of upstream release announcements.
(BZ#2075337)
LLVM Toolset rebased to version 14.0.6
LLVM Toolset has been rebased to version 14.0.6. Notable changes include:
- On 64-bit x86, support for AVX512-FP16 instructions has been added.
- Support for the Armv9-A, Armv9.1-A and Armv9.2-A architectures has been added.
- On PowerPC, added the __ibm128 type to represent IBM double-double format, also available as __attribute__((mode(IF))).
clang changes:
- if consteval for C++2b is now implemented.
- On 64-bit x86, support for AVX512-FP16 instructions has been added.
- Completed support of OpenCL C 3.0 and C++ for OpenCL 2021 at experimental state.
- The -E -P preprocessor output now always omits blank lines, matching GCC behavior. Previously, up to 8 consecutive blank lines could appear in the output.
- Support -Wdeclaration-after-statement with C99 and later standards, and not just C89, matching GCC's behavior. A notable use case is supporting style guides that forbid mixing declarations and code, but want to move to newer C standards.
For more information, see the LLVM Toolset and Clang upstream release notes.
(BZ#2061041)
Go Toolset rebased to version 1.18.2
Go Toolset has been rebased to version 1.18.2.
Notable changes include:
- The introduction of generics while maintaining backwards compatibility with earlier versions of Go.
- A new fuzzing library.
- New debug/buildinfo and net/netip packages.
- The go get tool no longer builds or installs packages. Now, it only handles dependencies in go.mod.
- If the main module's go.mod file specifies go 1.17 or higher, the go mod download command used without any additional arguments only downloads source code for the explicitly required modules in the main module's go.mod file. To also download source code for transitive dependencies, use the go mod download all command.
- The go mod vendor subcommand now supports a -o option to set the output directory.
- The go mod tidy command now retains additional checksums in the go.sum file for modules whose source code is required to verify that only one module in the build list provides each imported package. This change is not conditioned on the Go version in the main module's go.mod file.
(BZ#2075169)
A new module stream: maven:3.8
RHEL 9.1 introduces Maven 3.8 as a new module stream.
To install the maven:3.8 module stream, use:
# dnf module install maven:3.8
(BZ#2083112)
.NET version 7.0 is available
Red Hat Enterprise Linux 9.1 is distributed with .NET version 7.0. Notable improvements include:
- Support for IBM Power (ppc64le)
For more information, see Release Notes for .NET 7.0 RPM packages and Release Notes for .NET 7.0 containers.
(BZ#2112027)
4.15. Identity Management
SSSD now supports memory caching for SID requests
With this enhancement, SSSD now supports memory caching for SID requests, which are GID and UID lookups by SID and vice versa. Memory caching results in improved performance, for example, when copying large amounts of files to or from a Samba server.
(JIRA:RHELPLAN-123369)
The ipaservicedelegationtarget and ipaservicedelegationrule Ansible modules are now available
You can now use the ipaservicedelegationtarget and ipaservicedelegationrule ansible-freeipa modules to, for example, configure a web console client to allow an Identity Management (IdM) user that has authenticated with a smart card to do the following:
- Use sudo on the RHEL host on which the web console service is running without being asked to authenticate again.
- Access a remote host using SSH and access services on the host without being asked to authenticate again.
The ipaservicedelegationtarget and ipaservicedelegationrule modules utilize the Kerberos S4U2proxy feature, also known as constrained delegation. IdM traditionally uses this feature to allow the web server framework to obtain an LDAP service ticket on the user's behalf. The IdM-AD trust system uses the feature to obtain a cifs principal.
(JIRA:RHELPLAN-117109)
SSSD support for anonymous PKINIT for FAST
With this enhancement, SSSD now supports anonymous PKINIT for Flexible Authentication via Secure Tunneling (FAST), also called Kerberos armoring in Active Directory. Until now, to use FAST, a Kerberos keytab was needed to request the required credentials. You can now use anonymous PKINIT to create this credential cache to establish the FAST session.
To enable anonymous PKINIT, perform the following steps:
- Set krb5_fast_use_anonymous_pkinit to true in the [domain] section of the sssd.conf file.
- Restart SSSD.
In an IdM environment, you can verify that anonymous PKINIT was used to establish the FAST session by logging in as the IdM user. A cache file with the FAST ticket is created, and the Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS line indicates that anonymous PKINIT was used:
# klist /var/lib/sss/db/fast_ccache_IPA.VM
Ticket cache: FILE:/var/lib/sss/db/fast_ccache_IPA.VM
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
03/10/2022 10:33:45  03/10/2022 10:43:45  krbtgt/IPA.VM@IPA.VM
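The following shell script is an added example, not part of these release notes or of SSSD. It checks both halves of the procedure offline: that the [domain/NAME] section of sssd.conf enables anonymous PKINIT, and that a klist listing of the FAST credential cache shows the anonymous principal rather than a keytab-derived one. The sssd.conf fragment and the klist text are constructed samples; the /var/lib/sss/db/fast_ccache_<REALM> naming used by the live check follows the output above.

```shell
#!/bin/sh
# Added example (not SSSD's or Red Hat's code): verify the anonymous PKINIT
# for FAST configuration and its effect. All inputs below are constructed.

# Constructed sssd.conf, as an administrator might have it after the change.
SAMPLE_SSSD_CONF='[sssd]
domains = ipa.vm
services = nss, pam

[domain/ipa.vm]
id_provider = ipa
krb5_fast_use_anonymous_pkinit = true

[pam]
pam_verbosity = 1'

# Constructed klist output in the shape shown in the release note.
SAMPLE_KLIST='Ticket cache: FILE:/var/lib/sss/db/fast_ccache_IPA.VM
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
03/10/2022 10:33:45  03/10/2022 10:43:45  krbtgt/IPA.VM@IPA.VM'

# Return 0 if sssd.conf text ($1) sets krb5_fast_use_anonymous_pkinit = true
# inside the [domain/$2] section. Only that section counts, so a copy of the
# setting left in [sssd] or [pam] is not mistaken for a working configuration.
sssd_anon_pkinit_enabled() {
  printf '%s\n' "$1" | awk -v dom="[domain/$2]" '
    /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_dom = (s == dom); next }
    in_dom { line = $0; gsub(/[ \t]/, "", line)
             if (line == "krb5_fast_use_anonymous_pkinit=true") found = 1 }
    END { exit !found }'
}

# Return 0 if klist output ($1) shows the anonymous principal, meaning the
# FAST armor ticket was obtained with anonymous PKINIT and not from a keytab.
fast_used_anonymous_pkinit() {
  printf '%s\n' "$1" |
    grep -q '^Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS$'
}

# Live check for a realm ($1): run klist on SSSD's FAST ccache if it exists.
# Returns 2 when there is no cache yet (nobody has logged in since the restart).
check_live_fast_ccache() {
  cc="/var/lib/sss/db/fast_ccache_$1"
  [ -r "$cc" ] || { echo "no FAST ccache at $cc" >&2; return 2; }
  fast_used_anonymous_pkinit "$(klist "$cc" 2>/dev/null)"
}

if sssd_anon_pkinit_enabled "$SAMPLE_SSSD_CONF" ipa.vm; then
  echo "sssd.conf: anonymous PKINIT enabled for domain ipa.vm"
fi
if fast_used_anonymous_pkinit "$SAMPLE_KLIST"; then
  echo "klist: FAST armor ticket was obtained with anonymous PKINIT"
fi
```

On a real host, run check_live_fast_ccache IPA.VM after an IdM user has logged in; a keytab-based FAST session shows the host principal instead of WELLKNOWN/ANONYMOUS, so the function fails and tells you the new setting is not in effect.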
(JIRA:RHELPLAN-123368)
IdM now supports Random Serial Numbers
With this update, Identity Management (IdM) now includes dogtagpki 11.2.0, which allows you to use Random Serial Numbers version 3 (RSNv3). You can enable RSNv3 by using the --random-serial-numbers option when running ipa-server-install or ipa-ca-install. With RSNv3 enabled, IdM generates fully random serial numbers for certificates and requests in PKI without range management. Using RSNv3, you can avoid range management in large IdM installations and prevent common collisions when reinstalling IdM.
RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3 on all PKI services.
IdM now supports a limit on the number of LDAP binds allowed after a user password has expired
With this enhancement, you can set the number of LDAP binds allowed when the password of an Identity Management (IdM) user has expired:
- -1: IdM grants the user unlimited LDAP binds before the user must reset the password. This is the default value, which matches the previous behavior.
- 0: This value disables all LDAP binds once a password is expired. In effect, the users must reset their password immediately.
- 1-MAXINT: The value entered allows exactly that many binds post-expiration.
The value can be set in the global password policy and in group policies.
Note that the count is stored per server.
In order for a user to reset their own password they need to bind with their current, expired password. If the user has exhausted all post-expiration binds, then the password must be administratively reset.
New ipasmartcard_server and ipasmartcard_client roles
With this update, the ansible-freeipa package provides Ansible roles to configure Identity Management (IdM) servers and clients for smart card authentication. The ipasmartcard_server and ipasmartcard_client roles replace the ipa-advise scripts to automate and simplify the integration. The same inventory and naming scheme are used as in the other ansible-freeipa roles.
IdM now supports configuring an AD Trust with Windows Server 2022
With this enhancement, you can establish a cross-forest trust between Identity Management (IdM) domains and Active Directory forests that use Domain Controllers running Windows Server 2022.
The ipa-dnskeysyncd and ipa-ods-exporter debug messages are no longer logged to /var/log/messages by default
Previously, ipa-dnskeysyncd, the service that is responsible for the LDAP-to-OpenDNSSEC synchronization, and ipa-ods-exporter, the Identity Management (IdM) OpenDNSSEC exporter service, logged all debug messages to /var/log/messages by default. As a consequence, log files grew substantially. With this enhancement, you can configure the log level by setting debug=True in the /etc/ipa/dns.conf file. For more information, refer to default.conf(5), the man page for the IdM configuration file.
samba rebased to version 4.16.1
The samba packages have been upgraded to upstream version 4.16.1, which provides bug fixes and enhancements over the previous version:
- By default, the smbd process automatically starts the new samba-dcerpcd process on demand to serve Distributed Computing Environment / Remote Procedure Calls (DCERPC). Note that Samba 4.16 and later always requires samba-dcerpcd to use DCERPC. If you disable the rpc start on demand helpers setting in the [global] section in the /etc/samba/smb.conf file, you must create a systemd service unit to run samba-dcerpcd in standalone mode.
- The Cluster Trivial Database (CTDB) recovery master role has been renamed to leader. As a result, the following ctdb sub-commands have been renamed:
  - recmaster to leader
  - setrecmasterrole to setleaderrole
- The CTDB recovery lock configuration has been renamed to cluster lock.
- CTDB now uses leader broadcasts and an associated timeout to determine if an election is required.
Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Note that Red Hat does not support downgrading tdb database files.
After updating Samba, verify the /etc/samba/smb.conf file using the testparm utility.
For further information about notable changes, read the upstream release notes before updating.
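As an added example that is neither Samba's nor Red Hat's code, the POSIX shell functions below cover the two pre- and post-update steps from this note: they archive the tdb database files before the upgraded services first start and rewrite them (the only way back if the update goes wrong, since tdb downgrades are unsupported), check whether rpc start on demand helpers has been switched off in [global] so that you know a samba-dcerpcd service unit is required, and run testparm where it is installed. The /var/lib/samba location of the tdb files is an assumption; the demo at the end works on a constructed temporary directory.

```shell
#!/bin/sh
# Added example (not Samba's or Red Hat's code): tdb backup and smb.conf
# checks around a Samba update. Paths are parameters; /var/lib/samba is only
# an assumed default for the tdb location.

# Archive every *.tdb file below $1 into a timestamped tar in directory $2 and
# print the archive path. Refuses (returns 1) when no tdb files are found, so a
# wrong source directory does not silently produce an empty "backup".
backup_tdb_files() {
  src="$1"
  dest=$(cd "$2" && pwd) || return 1
  archive="$dest/samba-tdb-$(date +%Y%m%d%H%M%S).tar"
  count=$(find "$src" -name '*.tdb' -type f | wc -l | tr -d ' ')
  if [ "$count" -eq 0 ]; then
    echo "no .tdb files under $src; refusing to write an empty backup" >&2
    return 1
  fi
  (cd "$src" && find . -name '*.tdb' -type f -print0 | xargs -0 tar -cf "$archive") || return 1
  echo "$archive"
}

# Number of entries in a backup archive ($1); use it to confirm the archive
# holds what you expect before starting the updated services.
tdb_backup_count() {
  tar -tf "$1" | wc -l | tr -d ' '
}

# Return 0 if smb.conf ($1) disables the on-demand helpers in [global]
# (rpc start on demand helpers = no/false/0). With Samba 4.16 that means
# samba-dcerpcd must be run from a systemd unit in standalone mode, otherwise
# DCERPC-based services stop working after the update.
rpc_helpers_disabled() {
  awk '
    /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t]/, "", s); in_global = (s == "[global]"); next }
    in_global {
      line = tolower($0); gsub(/[ \t]/, "", line)
      if (line == "rpcstartondemandhelpers=no" ||
          line == "rpcstartondemandhelpers=false" ||
          line == "rpcstartondemandhelpers=0") found = 1
    }
    END { exit !found }' "$1"
}

# Syntax-check an smb.conf with testparm when it is available (-s suppresses
# the interactive prompt); otherwise say so rather than pretending it passed.
verify_smb_conf() {
  if command -v testparm >/dev/null 2>&1; then
    testparm -s "$1" >/dev/null
  else
    echo "testparm not installed; skipping syntax check of $1" >&2
    return 2
  fi
}

# Constructed demo: a throwaway directory standing in for /var/lib/samba.
demo=$(mktemp -d)
mkdir -p "$demo/db" "$demo/backup"
printf 'x' > "$demo/db/secrets.tdb"
printf 'y' > "$demo/db/registry.tdb"
printf '[global]\n   workgroup = EXAMPLE\n   rpc start on demand helpers = no\n' > "$demo/smb.conf"
archive=$(backup_tdb_files "$demo/db" "$demo/backup")
echo "backed up $(tdb_backup_count "$archive") tdb files to $archive"
if rpc_helpers_disabled "$demo/smb.conf"; then
  echo "on-demand helpers disabled: a samba-dcerpcd service unit is required"
fi
```

Run backup_tdb_files against the real tdb directory while smbd, nmbd and winbind are stopped, and keep the archive until the updated services have started cleanly and testparm reports no errors.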
SSSD now supports direct integration with Windows Server 2022
With this enhancement, you can use SSSD to directly integrate your RHEL system with Active Directory forests that use Domain Controllers running Windows Server 2022.
Improved SSSD multi-threaded performance
Previously, SSSD serialized parallel requests from multi-threaded applications, such as Red Hat Directory Server and Identity Management. This update fixes all SSSD client libraries, such as nss and pam, so they do not serialize requests, therefore allowing requests from multiple threads to be executed in parallel for better performance. To enable the previous behavior of serialization, set the environment variable SSS_LOCKFREE to NO.
(BZ#1978119)
Directory Server now supports canceling the Auto Membership plug-in task.
Previously, the Auto Membership plug-in task could generate high CPU usage on the server if Directory Server has complex configuration (large groups, complex rules and interaction with other plugins). With this enhancement, you can cancel the Auto Membership plug-in task. As a result, performance issues no longer occur.
Directory Server now supports recursive delete operations when using ldapdelete
With this enhancement, Directory Server now supports the Tree Delete Control [1.2.840.113556.1.4.805] OpenLDAP control. As a result, you can use the ldapdelete utility to recursively delete subentries of a parent entry.
You can now set basic replication options during the Directory Server installation
With this enhancement, you can configure basic replication options like authentication credentials and changelog trimming during an instance installation using an .inf file.
Directory Server now supports instance creation by a non-root user
Previously, non-root users were not able to create Directory Server instances. With this enhancement, a non-root user can use the dscreate ds-root subcommand to configure an environment where the dscreate, dsctl, and dsconf commands are used as usual to create and administer Directory Server instances.
pki packages renamed to idm-pki
The following pki packages are now renamed to idm-pki to better distinguish between IDM packages and Red Hat Certificate System ones:
- idm-pki-tools
- idm-pki-acme
- idm-pki-base
- idm-pki-java
- idm-pki-ca
- idm-pki-kra
- idm-pki-server
- python3-idm-pki
4.16. Graphics infrastructures
Wayland is now enabled with Matrox GPUs
The desktop session now enables the Wayland back end with Matrox GPUs.
In previous releases, Wayland was disabled with Matrox GPUs due to performance and other limitations. These problems have now been fixed.
You can still switch the desktop session from Wayland back to Xorg. For more information, see Overview of GNOME environments.
12th generation Intel Core GPUs are now supported
This release adds support for several integrated GPUs for the 12th Gen Intel Core CPUs. This includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following CPU models:
- Intel Core i3 12100T through Intel Core i9 12900KS
- Intel Pentium Gold G7400 and G7400T
- Intel Celeron G6900 and G6900T
- Intel Core i5-12450HX through Intel Core i9-12950HX
- Intel Core i3-1220P through Intel Core i7-1280P
(JIRA:RHELPLAN-135601)
Support for new AMD GPUs
This release adds support for several AMD Radeon RX 6000 Series GPUs and integrated graphics of the AMD Ryzen 6000 Series CPUs.
The following AMD Radeon RX 6000 Series GPU models are now supported:
- AMD Radeon RX 6400
- AMD Radeon RX 6500 XT
- AMD Radeon RX 6300M
- AMD Radeon RX 6500M
AMD Ryzen 6000 Series includes integrated GPUs found with the following CPU models:
- AMD Ryzen 5 6600U
- AMD Ryzen 5 6600H
- AMD Ryzen 5 6600HS
- AMD Ryzen 7 6800U
- AMD Ryzen 7 6800H
- AMD Ryzen 7 6800HS
- AMD Ryzen 9 6900HS
- AMD Ryzen 9 6900HX
- AMD Ryzen 9 6980HS
- AMD Ryzen 9 6980HX
(JIRA:RHELPLAN-135602)
4.17. The web console
Update progress page in the web console now supports an automatic restart option
The update progress page now has a Reboot after completion switch. This reboots the system automatically after installing the updates.
4.18. Red Hat Enterprise Linux system roles
The network RHEL system role supports network configuration using the nmstate API
With this update, the network RHEL system role supports network configuration through the nmstate API. Users can now directly apply the configuration of the required network state to a network interface instead of creating connection profiles. The feature also allows partial configuration of a network. As a result, the following benefits exist:
- decreased network configuration complexity
- reliable way to apply the network state changes
- no need to track the entire network configuration
Users can create connections with IPoIB capability using the network RHEL system role
The infiniband connection type of the network RHEL system role now supports the Internet Protocol over Infiniband (IPoIB) capability. To enable this feature, define a value to the p_key option of infiniband. Note that if you specify p_key, the interface_name option of the network_connections variable must be left unset. The previous implementation of the network RHEL system role did not properly validate the p_key value and the interface_name option for the infiniband connection type. Therefore, the IPoIB functionality never worked before. For more information, see a README file in the /usr/share/doc/rhel-system-roles/network/ directory.
HA Cluster RHEL system role now supports SBD fencing and configuration of Corosync settings
The HA Cluster system role now supports the following features:
- SBD fencing: Fencing is a crucial part of HA cluster configuration. SBD provides a means for nodes to reliably self-terminate when fencing is required. SBD fencing can be particularly useful in environments where traditional fencing mechanisms are not possible. It is now possible to configure SBD fencing with the HA Cluster system role.
- Corosync settings: The HA Cluster system role now supports the configuration of Corosync settings, such as transport, compression, encryption, links, totem, and quorum. These settings are required to match cluster configuration with customers' needs and environment when the default settings are not suitable.
(BZ#2065337, BZ#2070452, BZ#2079626, BZ#2098212, BZ#2120709, BZ#2120712)
The network RHEL role now configures network settings for routing rules
Previously, you could route the packet based on the destination address field in the packet, but you could not define the source routing and other policy routing rules. With this enhancement, the network RHEL role supports routing rules so that the users have control over the packet transmission or route selection.
The new previous: replaced configuration enables the firewall system role to reset the firewall settings to default
System administrators who manage different sets of machines, where each machine has different pre-existing firewall settings, can now use the previous: replaced configuration in the firewall role to ensure that all machines have the same firewall configuration settings. The previous: replaced configuration can erase all the existing firewall settings and replace them with consistent settings.
New option in the postfix RHEL system role for overwriting previous configuration
If you manage a group of systems which have inconsistent postfix configurations, you may want to make the configuration consistent on all of them. With this enhancement, you can specify the previous: replaced option within the postfix_conf dictionary to remove any existing configuration and apply the desired configuration on top of a clean postfix installation. As a result, you can erase any existing postfix configuration and ensure consistency on all the systems being managed.
Enhanced microsoft.sql.server RHEL system role
The following new variables are now available for the microsoft.sql.server RHEL system role:
- Variables with the mssql_ha_ prefix to control configuring a high availability cluster.
- The mssql_tls_remote_src variable to search for mssql_tls_cert and mssql_tls_private_key values on managed nodes. If you keep the default false setting, the role searches for these files on the control node.
- The mssql_manage_firewall variable to manage firewall ports automatically. If this variable is set to false, you must enable firewall ports manually.
- The mssql_pre_input_sql_file and mssql_post_input_sql_file variables to control whether you want to run the SQL scripts before the role execution or after it. These new variables replace the former mssql_input_sql_file variable, which did not allow you to influence the time of SQL script execution.
The logging RHEL system role supports options startmsg.regex and endmsg.regex in files inputs
With this enhancement, you can now filter log messages coming from files by using regular expressions. Options startmsg_regex and endmsg_regex are now included in the files input. The startmsg_regex represents the regular expression that matches the start part of a message, and the endmsg_regex represents the regular expression that matches the last part of a message. As a result, you can now filter messages based upon properties such as date-time, priority, and severity.
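The following shell script is an added example and is not part of the logging role or of rsyslog. It emulates with awk what a startmsg_regex value does to a multi-line file: a line that matches opens a new message, and lines that do not match are appended to the message in progress. This lets you test a pattern against an excerpt of a real log before putting it into a playbook, where a regex that misses some message starts would silently glue unrelated events (for example a failed login and the stack trace that followed it) into one record. The log lines are constructed; endmsg_regex, which closes a message on a match instead, is not emulated here.

```shell
#!/bin/sh
# Added example (not the RHEL system role's or rsyslog's code): emulate
# startmsg_regex framing so a pattern can be checked offline. Sample log
# lines are constructed; a Java-style stack trace gives the multi-line case.

SAMPLE_APP_LOG='2022-10-03 08:15:02,114 INFO  [main] Listener started on :8443
2022-10-03 08:15:09,501 ERROR [worker-3] Request failed
java.lang.IllegalStateException: session expired
    at com.example.auth.SessionStore.get(SessionStore.java:88)
    at com.example.web.Filter.doFilter(Filter.java:41)
2022-10-03 08:15:10,007 WARN  [worker-3] Retrying request'

# Frame stdin into messages using the start regex in $1 (POSIX ERE, as
# rsyslog uses). Each framed message is printed on a single line, with the
# original line breaks shown as a literal "\n" so continuation lines are
# visible in the result. Written without {n} repetition so it also runs on
# awk implementations that lack interval expressions.
frame_messages() {
  awk -v re="$1" '
    $0 ~ re { if (msg != "") print msg; msg = $0; next }
    { msg = msg "\\n" $0 }
    END { if (msg != "") print msg }'
}

# Number of messages the pattern in $1 produces from the text in $2. Compare
# it with the number of events you expect: too few means the regex misses
# some message starts, too many means it also matches continuation lines.
count_messages() {
  printf '%s\n' "$2" | frame_messages "$1" | wc -l | tr -d ' '
}

# A start-of-message pattern for the "YYYY-MM-DD HH:MM:SS" timestamp prefix.
TS_REGEX='^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]'

printf '%s\n' "$SAMPLE_APP_LOG" | frame_messages "$TS_REGEX"
echo "messages framed: $(count_messages "$TS_REGEX" "$SAMPLE_APP_LOG")"
```

With the timestamp pattern the six lines become three messages, the second carrying the whole stack trace; a pattern such as '^' that matches every line yields six, which is the behaviour you get in the role when startmsg_regex is left unset.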
The sshd RHEL system role verifies the include directive for the drop-in directory
The sshd RHEL system role on RHEL 9 manages only a file in the drop-in directory, but previously did not verify that the directory is included from the main sshd_config file. With this update, the role verifies that sshd_config contains the include directive for the drop-in directory. As a result, the role more reliably applies the provided configuration.
The sshd RHEL system role can be managed through /etc/ssh/sshd_config
The sshd RHEL system role applied to a RHEL 9 managed node places the SSHD configuration in a drop-in directory (/etc/ssh/sshd_config.d/00-ansible_system_role.conf by default). Previously, any changes to the /etc/ssh/sshd_config file overwrote the default values in 00-ansible_system_role.conf. With this update, you can manage SSHD by using /etc/ssh/sshd_config instead of 00-ansible_system_role.conf while preserving the system default values in 00-ansible_system_role.conf.
The metrics role consistently uses the "Ansible managed" comment in its managed configuration files
With this update, the metrics role inserts the "Ansible managed" comment into the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the configuration files should not be directly edited because the metrics role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
The storage RHEL system role now supports managing the pool members
The storage RHEL system role can now add or remove disks from existing LVM pools without removing the pool first. To increase the pool capacity, the storage RHEL system role can add new disks to the pool and free currently allocated disks in the pool for another use.
Support for thinly provisioned volumes is now available in the storage RHEL system role
The storage RHEL system role can now create and manage thinly provisioned LVM logical volumes (LVs). Thin provisioned LVs are allocated as they are written, allowing better flexibility when creating volumes as physical storage provided for thin provisioned LVs can be increased later as the need arises. LVM thin provisioning also allows creating more efficient snapshots because the data blocks common to a thin LV and any of its snapshots are shared.
Better support for cached volumes is available in the storage RHEL system role
The storage RHEL system role can now attach cache to existing LVM logical volumes. LVM cache can be used to improve performance of slower logical volumes by temporarily storing subsets of an LV's data on a smaller, faster device, for example an SSD. This enhances the previously added support for creating cached volumes by allowing adding (attaching) a cache to an existing, previously uncached volume.
The logging RHEL system role now supports template, severity and facility options
The logging RHEL system role now features new useful severity and facility options to the files inputs as well as a new template option to the files and forwards outputs. Use the template option to specify the traditional time format by using the parameter traditional, the syslog protocol 23 format by using the parameter syslog, and the modern style format by using the parameter modern. As a result, you can now use the logging role to filter by the severity and facility as well as to specify the output format by template.
RHEL system roles now available also in playbooks with fact gathering disabled
Ansible fact gathering might be disabled in your environment for performance or other reasons. Previously, it was not possible to use RHEL system roles in such configurations. With this update, the system detects the ANSIBLE_GATHERING=explicit parameter in your configuration and the gather_facts: false parameter in your playbooks, and uses the setup: module to gather only the facts required by the given role, if they are not available from the fact cache.
If you have disabled Ansible fact gathering for performance reasons, you can enable Ansible fact caching instead, which avoids the performance cost of retrieving the facts from their source.
The storage role now has less verbosity by default
The storage role output is now less verbose by default. With this update, the storage role produces debugging output only when it is run at Ansible verbosity level 1 or above.
The firewall RHEL system role does not require the state parameter when configuring masquerade or icmp_block_inversion
When configuring custom firewall zones, the variables masquerade and icmp_block_inversion are boolean settings. A value of true implies state: present and a value of false implies state: absent. Therefore, the state parameter is not required when configuring masquerade or icmp_block_inversion.
You can now add, update, or remove services using absent and present states in the firewall RHEL system role
With this enhancement, you can use the present state to add ports, modules, protocols, services, and destination addresses, or use the absent state to remove them. Note that to use the absent and present states in the firewall RHEL system role, set the permanent option to true. With the permanent option set to true, the state settings apply until changed, and remain unaffected by role reloads.
The firewall system role can add or remove an interface to the zone using PCI device ID
Using the PCI device ID, the firewall system role can now assign or remove a network interface to or from a zone. Previously, if only the PCI device ID was known instead of the interface name, users had to first identify the corresponding interface name to use the firewall system role. With this update, the firewall system role can now use the PCI device ID to manage a network interface in a zone.
The firewall RHEL system role can provide Ansible facts
With this enhancement, you can now gather the firewall RHEL system role's Ansible facts from all of your systems by including the firewall: variable in the playbook with no arguments. To gather a more detailed version of the Ansible facts, use the detailed: true argument, for example:
vars:
  firewall:
    detailed: true
Added setting of seuser and selevel to the selinux RHEL system role
Sometimes, it is necessary to set the seuser and selevel parameters when setting SELinux context file system mappings. With this update, you can use the seuser and selevel optional arguments in selinux_fcontext to specify the SELinux user and level in the SELinux context file system mappings.
New cockpit system role variable for setting a custom listening port
The cockpit system role introduces the cockpit_port variable that allows you to set a custom listening port other than the default 9090 port. Note that if you decide to set a custom listening port, you will also need to adjust your SELinux policy to allow the web console to listen on that port.
The metrics role can export postfix performance data
You can now use the new metrics_from_postfix boolean variable in the metrics role for recording and detailed performance analysis. With this enhancement, setting the variable enables the pmdapostfix metrics agent on the system, making statistics about postfix available.
The postfix role consistently uses the "Ansible managed" comment in its managed configuration files
The postfix role generates the /etc/postfix/main.cf configuration file. With this update, the postfix role inserts the "Ansible managed" comment into the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the configuration files should not be directly edited because the postfix role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
The nbde-client RHEL system role supports static IP addresses
In previous versions of RHEL, restarting a system with a static IP address and configured with the nbde_client RHEL system role changed the system's IP address. With this update, systems with static IP addresses are supported by the nbde_client role, and their IP addresses do not change after a reboot.
Note that by default, the nbde_client role uses DHCP when booting, and switches to the configured static IP after the system is booted.
(BZ#2070462)
4.19. Virtualization
RHEL web console now features RHEL as an option for the Download an OS VM workflow
With this enhancement, the RHEL web console now supports the installation of RHEL virtual machines (VMs) using the default Download an OS workflow. As a result, you can download and install the RHEL OS as a VM directly within the web console.
(JIRA:RHELPLAN-121982)
Improved KVM architectural compliance
With this update, the architectural compliance of the KVM hypervisor has now been enhanced and made stricter. As a result, the hypervisor is now better prepared to address future changes to Linux-based and other operating systems.
(JIRA:RHELPLAN-117713)
ap-check is now available in RHEL 9
The mdevctl tool now provides a new ap-check support utility. You can use mdevctl to persistently configure cryptographic adapters and domains that are allowed for pass-through usage into virtual machines as well as the matrix and vfio-ap devices. With mdevctl, you do not have to reconfigure these adapters, domains, and devices after every IPL. In addition, mdevctl prevents the distributor from inventing other ways to reconfigure them.
When invoking mdevctl commands for vfio-ap devices, the new ap-check support utility is invoked as part of the mdevctl command to perform additional validity checks against vfio-ap device configurations.
In addition, the chzdev tool now provides the ability to manage the system-wide Adjunct Processor (AP) mask settings, which determine what AP resources are available for vfio-ap devices. When used, chzdev makes it possible to persist these settings by generating an associated udev rule. Using lszdev, you can now also query the system-wide AP mask settings.
(BZ#1870699)
open-vm-tools rebased to 12.0.5
The open-vm-tools packages have been upgraded to version 12.0.5, which introduces a number of bug fixes and new features. Most notably, support has been added for the Salt Minion tool to be managed through guest OS variables.
(BZ#2061193)
Selected VMs on IBM Z can now boot with kernel command lines longer than 896 bytes
Previously, booting a virtual machine (VM) on a RHEL 9 IBM Z host always failed if the kernel command line of the VM was longer than 896 bytes. With this update, the QEMU emulator can handle kernel command lines longer than 896 bytes. As a result, you can now use QEMU direct kernel boot for VMs with very long kernel command lines, if the VM kernel supports it. Specifically, to use a command line longer than 896 bytes, the VM must use Linux kernel version 5.16-rc1 or later.
(BZ#2044218)
The Secure Execution feature on IBM Z now supports remote attestation
The Secure Execution feature on the IBM Z architecture now supports remote attestation. The pvattest utility can create a remote attestation request to verify the integrity of a guest that has Secure Execution enabled.
Additionally, it is now possible to inject interrupts to guests with Secure Execution through the use of GISA.
(BZ#2001936, BZ#2044300)
VM memory preallocation using multiple threads
You can now define multiple CPU threads for virtual machine (VM) memory allocation in the domain XML configuration, for example as follows:
<memoryBacking>
  <allocation threads='8'/>
</memoryBacking>
This ensures that more than one thread is used for allocating memory pages when starting a VM. As a result, VMs with multiple allocation threads configured start significantly faster, especially if the VMs have large amounts of RAM assigned and backed by hugepages.
(BZ#2064194)
RHEL 9 guests now support SEV-SNP
On virtual machines (VMs) that use RHEL 9 as a guest operating system, you can now use AMD Secure Encrypted Virtualization (SEV) with the Secure Nested Paging (SNP) feature. Among other benefits, SNP enhances SEV by improving its memory integrity protection, which helps prevent hypervisor-based attacks such as data replay or memory re-mapping. Note that for SEV-SNP to work on a RHEL 9 VM, the host running the VM must support SEV-SNP as well.
(BZ#2169738)
4.20. RHEL in cloud environments
New SSH module for cloud-init
With this update, an SSH module has been added to the cloud-init utility, which automatically generates host keys during instance creation.
Note that with this change, the default cloud-init configuration has been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg file contains the "ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" line.
Otherwise, cloud-init creates an image which fails to start the sshd service. If this occurs, do the following to work around the problem:
- Make sure the /etc/cloud/cloud.cfg file contains the following line: ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']
- Check whether /etc/ssh/ssh_host_* files exist in the instance. If the /etc/ssh/ssh_host_* files do not exist, use the following command to generate host keys: cloud-init single --name cc_ssh
- Restart the sshd service: systemctl restart sshd
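The workaround above as a script, added here as an example and not part of the release notes: the check functions take explicit paths so they can be tried on copies of the files, while repair_ssh_host_keys() applies the three documented steps on a live instance (it assumes root, cloud-init and systemd are available).

```shell
#!/bin/sh
# Added example for the cloud-init SSH host key workaround; not Red Hat's code.
# Check functions take explicit paths; repair_ssh_host_keys() touches the
# live system and needs root, cloud-init and systemd.

# 0 if the config sets ssh_genkeytypes to the rsa/ecdsa/ed25519 list.
has_genkeytypes() {
    grep -Eq "^ssh_genkeytypes: *\['rsa', *'ecdsa', *'ed25519'\]" "$1"
}

# 0 if the config defines ssh_genkeytypes at all (possibly another value).
defines_genkeytypes() {
    grep -Eq '^ssh_genkeytypes:' "$1"
}

# 0 if at least one ssh_host_* file exists in the given directory.
has_host_keys() {
    set -- "$1"/ssh_host_*
    [ -e "$1" ]
}

# Apply the workaround: ensure the config line, regenerate missing host keys,
# then restart sshd. Defaults are the live paths named in the release note.
repair_ssh_host_keys() {
    cfg=${1:-/etc/cloud/cloud.cfg}
    keydir=${2:-/etc/ssh}
    if ! has_genkeytypes "$cfg"; then
        if defines_genkeytypes "$cfg"; then
            # A different value is already set; do not append a duplicate YAML key.
            echo "edit $cfg: set ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" >&2
            return 1
        fi
        printf '\n%s\n' "ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" >> "$cfg"
    fi
    if ! has_host_keys "$keydir"; then
        cloud-init single --name cc_ssh || return 1
    fi
    systemctl restart sshd
}
```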
(BZ#2115791)
4.21. Containers
The Container Tools packages have been updated
The Container Tools packages which contain the Podman, Buildah, Skopeo, crun, and runc tools are now available. This update provides a list of bug fixes and enhancements over the previous version.
Notable changes include:
- The podman pod create command now supports setting the CPU and memory limits. You can set a limit for all containers in the pod, while individual containers within the pod can have their own limits.
- The podman pod clone command creates a copy of an existing pod.
- The podman play kube command now supports the security context settings using the BlockDevice and CharDevice volumes.
- Pods created by the podman play kube command can now be managed by systemd unit files using a podman-kube@<service>.service unit (for example systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service).
- The podman push and podman push manifest commands now support the sigstore signatures.
- The Podman networks can now be isolated by using the podman network --opt isolate command.
Podman has been upgraded to version 4.2. For further information about notable changes, see the upstream release notes.
(JIRA:RHELPLAN-118462)
GitLab Runner is now available on RHEL using Podman
Beginning with GitLab Runner 15.1, you can use Podman as the container runtime in the GitLab Runner Docker Executor. For more details, see GitLab’s Release Note.
(JIRA:RHELPLAN-101140)
Podman now supports the --health-on-failure option
The podman run and podman create commands now support the --health-on-failure option to determine the actions to be performed when the status of a container becomes unhealthy.
The --health-on-failure option supports four actions:
- none: Take no action; this is the default action.
- kill: Kill the container.
- restart: Restart the container.
- stop: Stop the container.
Do not combine the restart action with the --restart option. When running inside of a systemd unit, consider using the kill or stop action instead to make use of systemd’s restart policy.
Netavark network stack is now available
The Netavark stack is a network configuration tool for containers. In RHEL 9, the Netavark stack is fully supported and enabled by default.
This network stack has the following capabilities:
- Configuration of container networks using the JSON configuration file
- Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces
- Configuring firewall settings, such as network address translation (NAT) and port mapping rules
- IPv4 and IPv6
- Improved capability for containers in multiple networks
- Container DNS resolution using the aardvark-dns project
You have to use the same version of the Netavark stack and the aardvark-dns authoritative DNS server.
(JIRA:RHELPLAN-132023)
New package: catatonit in the CRB repository
A new catatonit package is now available in the CodeReady Linux Builder (CRB) repository. The catatonit package is used as a minimal init program for containers and can be included within the application container image. Note that packages included in the CodeReady Linux Builder repository are unsupported.
Note that since RHEL 9.0, the podman-catatonit package is available in the AppStream repository. The podman-catatonit package is used only by the Podman tool.
(BZ#2074193)