Questo contenuto non è disponibile nella lingua selezionata.
Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.5.
4.1. Installer and image creation
Minimal RHEL installation now installs only the s390utils-core
package
In RHEL 8.4 and later, the s390utils-base
package is split into an s390utils-core
package and an auxiliary s390utils-base
package. As a result, setting the RHEL installation to minimal-environment
installs only the necessary s390utils-core
package and not the auxiliary s390utils-base
package. If you want to use the s390utils-base
package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base
using a Kickstart file.
Bugzilla:1932480[1]
4.2. Security
NSS rebased to 3.101
The NSS cryptographic toolkit packages have been rebased to upstream version 3.101, which provides many bug fixes and enhancements. The most notable changes are the following:
- DTLS 1.3 protocol is now supported (RFC 9147).
- PBMAC1 support has been added to PKCS#12 (RFC 9579).
-
The X25519Kyber768Draft00 hybrid post-quantum key agreement has experimental support (
draft-tls-westerbaan-xyber768d00
). -
lib::pkix
is the default validator in RHEL 10. - RSA certificates with keys shorter than 2048 bits stop working, in accordance with the system-wide cryptographic policy (breaking fix).
Jira:RHEL-46840[1]
Libreswan accepts IPv6 SAN extensions
Previously, IPsec connection failed when setting up certificate-based authentication with a certificate that contained a subjectAltName (SAN) extension with an IPv6 address. With this update, the pluto
daemon has been modified to accept IPv6 SAN as well as IPv4. As a result, IPsec connection is now correctly established with IPv6 address embedded in the certificate as an ID.
Jira:RHEL-32720[1]
Custom key sizes in ssh-keygen
You can now configure the size of keys generated by the /usr/libexec/openssh/sshd-keygen
script by setting environment variables SSH_RSA_BITS
and SSH_ECDSA_BITS
in the /etc/sysconfig/sshd
environment file.
Jira:RHEL-26454[1]
fips-mode-setup
checks for use of Argon2 KDF in open LUKS volumes before enabling FIPS mode
The fips-mode-setup
system management command now detects key derivation functions (KDF) used in currently open LUKS volumes, and aborts if it detects usage of Argon2 KDF. This is because Argon2 KDF is not FIPS-compatible, so preventing its use helps ensure FIPS compliance. As a result, switching into FIPS mode on a system with open LUKS volumes that use Argon2 as a KDF is blocked until those volumes are closed or converted to a different KDF.
New SELinux boolean to allow QEMU Guest Agent executing confined commands
Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as mount
, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the guest-agent
must run in the virt_qemu_ga_unconfined_t
domain.
Therefore, this update adds the SELinux policy boolean virt_qemu_ga_run_unconfined
that allows guest-agent
to make the transition to virt_qemu_ga_unconfined_t
for executables located in any of the following directories:
-
/etc/qemu-ga/fsfreeze-hook.d/
-
/usr/libexec/qemu-ga/fsfreeze-hook.d/
-
/var/run/qemu-ga/fsfreeze-hook.d/
In addition, the necessary rules for transitions for the qemu-ga
daemon have been added to the SELinux policy boolean.
As a result, you can now execute confined commands through the QEMU Guest Agent without AVC denials by enabling the virt_qemu_ga_run_unconfined
boolean.
OpenSSL rebased to 3.2.2
The OpenSSL packages have been rebased to upstream version 3.2.2. This update brings various enhancements and bug fixes, most notably the following:
-
The
openssl req
command with the-extensions
option no longer mishandles extensions when creating certificate signing requests (CSR). Previously, the command fetched, parsed, and checked the name of the configuration file section for consistency but the name was not used for adding extensions to the created CSR file. With this fix, the extension is added to the generated CSR. As a side effect of this change, if the section specifies an extension incompatible with its use in the CSR, the command might fail with an error likeerror:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server_cert, name=authorityKeyIdentifier, value=keyid, issuer:always
. -
The default X.500 distinguished name (DN) formatting has been changed to use the UTF-8 formatter. This also causes the removal of space characters around the equal sign (
=
) that separates DN element types from their values. - Certificate compression extension (RFC 8879) is now supported.
- The QUIC protocol can now be used on the client side as a Technology Preview.
- The Argon2d, Argon2i, and Argon2id key derivation functions (KDF) are supported.
- Brainpool curves have been added to the TLS 1.3 protocol (RFC 8734) but Brainpool curves remain disabled in all supported system-wide cryptographic policies.
crypto-policies
provide algorithm selection in Java
The crypto-policies
packages have been updated to extend its control to algorithm selection in Java. This is caused by the evolution of the Java cryptographic agility configuration and crypto-policies
needing to catch up to provide a better mapping for a more consistent system-wide configuration. Specifically, the update has the following changes:
-
DTLS 1.0 is now controlled by the
protocol
option, is disabled by default, and can be reenabled by using theprotocol@java = DTLS1.0+
scoped directive. -
The
anon
andNULL
ciphersuites are now controlled bycipher@java = NULL
and disabled by default. -
The list of signature algorithms is now controlled by the
sign@java
scoped directive and aligned to the system-wide defaults. -
The list of signature algorithms is now controlled by the
sign
option and aligned to the system-wide defaults. If necessary, you can re-enable the use of desired algorithms specifically with Java with asign@java = <algorithm1>+ <algorithm2>+
scoped directive. - Elliptic curve (EC) keys smaller than 256 bits are disabled unconditionally to align with upstream guidance.
As a result, the list of cryptographic algorithms allowed for use with Java by default better matches system-wide defaults. For information on interoperability see the /etc/crypto-policies/back-ends/java.config
file and configure your active cryptographic policy accordingly.
Jira:RHEL-45620[1]
The selinux-policy
git repository for Centos Stream 10 is now publicly accessible
CentOS Stream contributors now can participate in the development of the SELinux policy by contributing to the c10s
branch of the fedora-selinux/selinux-policy
git repository.
clevis
rebased to version 20
The clevis
packages have been upgraded to version 20. The most notable enhancements and fixes include the following:
-
Increased security by fixing potential problems reported by static analyzer tools in the
clevis luks
command,udisks2
integration, and the Shamir’s Secret Sharing (SSS) thresholding scheme. -
Password generation now uses the
jose
utility instead ofpwmake
. This ensures enough entropy for passwords generated during the Clevis binding step.
ca-certificates
provide trusted CA roots in the OpenSSL directory format
This update populates the /etc/pki/ca-trust/extracted/pem/directory-hash/
directory with trusted CA root certificates. As a consequence, lookups and validations are faster when OpenSSL is configured to load certificates from this directory, for example, by setting the SSL_CERT_DIR
environment variable to /etc/pki/ca-trust/extracted/pem/directory-hash/
.
Jira:RHEL-21094[1]
The nbdkit
service is confined by SELinux
The nbdkit-selinux
sub-package adds new rules to the SELinux policy, and as a result, nbdkit
is confined in SELinux. Therefore, the systems that run nbdkit
are more resilient against privilege escalation attacks.
libreswan
rebased to 4.15
The libreswan
packages have been rebased to upstream version 4.15. This version provides substantial improvements over the previous version 4.9 that was provided in previous releases.
-
Removed a dependency on
libxz
throughlibsystemd
. -
In IKEv1, default proposals have been set to
aes-sha1
for Encapsulating Security Payload (ESP) andsha1
for Authentication Header (AH). - IKEv1 rejects ESP proposals that combine Authenticated Encryption with Associated Data (AEAD) and non-empty INTEG.
- IKEv1 rejects exchange when a connection has no proposals.
IKEv1 has now a more limited default cryptosuite:
IKE={AES_CBC,3DES_CBC}-{HMAC_SHA2_256,HMAC_SHA2_512HMAC_SHA1}-{MODP2048,MODP1536,DH19,DH31} ESP={AES_CBC,3DES_CBC}-{HMAC_SHA1_96,HMAC_SHA2_512_256,HMAC_SHA2_256_128}-{AES_GCM_16_128,AES_GCM_16_256} AH=HMAC_SHA1_96+HMAC_SHA2_512_256+HMAC_SHA2_256_128
-
Failures of the
libcap-ng
library are no longer fatal. -
TFC padding is now set for AEAD algorithms in the
pluto
utility.
Jira:RHEL-50006[1]
jose
rebased to version 14
The jose
package has been upgraded to upstream version 14. jose
is a C-language implementation of the Javascript Object Signing and Encryption (JOSE) standards. The most important enhancements and fixes include the following:
-
Improved bound checks for the
len
function for theoct
JWK Type in OpenSSL. -
The protected JSON Web Encryption (JWE) headers no longer contain
zip
. -
jose
avoids potential denial of service (DoS) attacks by using high decompression chunks.
Four RHEL services removed from SELinux permissive mode
The following SELinux domains for RHEL services have been removed from SELinux permissive mode:
-
afterburn_t
-
bootupd_t
-
mptcpd_t
-
rshim_t
Previously, these services from packages recently added to RHEL 9 were temporarily set to SELinux permissive mode, which allows gathering information about additional denials while the rest of the system is in SELinux enforcing mode. This temporary setting has now been removed, and as a result, these services now run in SELinux enforcing mode.
The bootupd
service is SELinux confined
The bootupd
service supports updating the bootloader, and therefore needs to be confined. This update to the SELinux policy adds additional rules, and as a result, the bootupd
service runs in the bootupd_t
SELinux domain.
4.3. RHEL for Edge
Support available to file system customization for the simplified-installer
and raw
image types
With this enhancement, now you can add file system customizations to a blueprint when building the following image types:
-
simplified-installer
-
edge-raw-image
-
edge-ami
-
edge-vsphere
With some additional exceptions for OSTree systems, you can choose arbitrary directory names at the /root
level of the file system, for example: /local
,/mypartition
, /$PARTITION
.
In logical volumes, these changes are made on top of the LVM partitioning system. The following directories are supported: /var
,/var/log
, and /var/lib/containers
on a separate logical volume.
Jira:RHELDOCS-17515[1]
4.4. Shells and command-line tools
The default value for the DefaultLimitCore
systemd
configuration option is now set to unlimited:unlimited
Previously, the default value for the DefaultLimitCore
systemd
configuration option was set to 0:infinity
. As a result, all processes started by systemd
had a soft process limit for core files set to 0
, and no core files were created by default. However, the process adjusted the limit as required.
With this update, the default value for DefaultLimitCore
is set to unlimited:unlimited
. As a result, the core file size is not limited by default. The default size of the crash dumps in the /etc/systemd/coredump.conf
systemd-coredump
component configuration file is 1GiB
. Note that you can gather crash dumps for sporadic crashes, but ensure that the use of disk space by crash dumps remains conservative.
The crash dumps stored by systemd-coredump
are removed after 14 days if not used.
openCryptoki
rebased to version 3.23.0
The openCryptoki
packages are updated to version 3.23.0, which provides multiple bug fixes and enhancements. Notable changes include:
-
EP11
: Added support for FIPS-session mode - Various updates are available for protection against RSA timing attacks
Jira:RHEL-23673[1]
librtas
rebased to version 2.0.6
The librtas
package is updated to version 2.0.6. With this update, you can use the lockdown-compatible ABI provided by the kernel.
Jira:RHEL-10566[1]
4.5. Infrastructure services
The BIND 9.18
is now supported in RHEL
BIND 9.18
has been added in RHEL 9.5 in the new bind9.18
package. The notable feature enhancements include the following:
-
Added support for DNS over TLS (DoT) and DNS over HTTPS (DoH) in the
named
daemon - Added support for both incoming and outgoing zone transfers over TLS
- Improved support for OpenSSL 3.0 interfaces
- New configuration options for tuning TCP and UDP send and receive buffers
-
Various improvements to the
dig
utility
Jira:RHEL-14898[1]
4.6. Networking
NetworkManager now supports the leftsubnet
parameter for IPsec VPNs
With this update, NetworkManager supports the leftsubnet
parameter to define the private subnet behind the local participant used to configure subnet-to-subnet scenarios in Internet Protocol Security (IPsec) VPNs.
nmstate
now supports the congestion window clamp (cwnd
) option
With this update, you can use the cwnd
option of the nmstate
utility to set a maximum limit on the TCP congestion window size. This way you can control the maximum amount of unacknowledged data expressed as a number of packets that can be in transit over the network at any given time. The following example YAML file sets the cwnd
option:
--- interfaces: - name: eth1 type: ethernet state: up ipv4: address: - ip: 192.0.2.251 prefix-length: 24 dhcp: false enabled: true routes: config: - destination: 198.51.100.0/24 metric: 150 next-hop-address: 192.0.2.1 next-hop-interface: eth1 table-id: 254 cwnd: 20
The NetworkManager-libreswan
plugin supports the rightcert
option
You can use the rightcert
option when configuring Libreswan connections through NetworkManager. With this option, you can authenticate the "right" side participant of the IPsec (Internet Protocol Security) connection using a certificate.
The nmstate
utility now supports the rightcert
option
You can use the rightcert
option when configuring Libreswan connections through the nmstate
utility. With this option, you can authenticate the "right" side participant of the IPsec (Internet Protocol Security) connection using the certificate. The following example YAML file sets the rightcert
option:
--- interfaces: - name: hosta_conn type: ipsec ipv4: enabled: true dhcp: true libreswan: left: 192.0.2.1 leftid: '%fromcert' leftrsasigkey: '%cert' leftmodecfgclient: false leftcert: leftcert.example.com right: 192.0.2.2 rightid: '%fromcert' rightrsasigkey: '%cert' rightcert: rightcert.example.com rightsubnet: 192.0.2.2/32
nmstate
now supports the leftsubnet
option
You can define entire subnets for IPsec (Internet Protocol Security) connections when configuring Libreswan connections through the nmstate
utility by using the leftsubnet
option. This ensures secure communication between different network segments. The following example YAML file sets the leftsubnet
option:
interfaces: - name: hosta type: ipsec ipv4: enabled: true dhcp: true libreswan: left: 192.0.2.246 leftid: _<hosta.example.org>_ leftcert: _<hosta.example.org>_ leftsubnet: 192.0.4.0/24 leftmodecfgclient: no right: 192.0.2.157 rightid: _<hostb.example.org>_ rightsubnet: 192.0.3.0/24 ikev2: insist
Note that the IPsec technology requires a peer-to-peer configuration, including another server with appropriate IP addresses and IPsec settings.
NetworkManager supports connecting to IPsec VPNs that use IPv6 addressing
Previously, NetworkManager supported only IPv4 addressing when using the NetworkManager-libreswan
plugin to connect to Internet Protocol Security (IPsec) VPN. With this update, you can connect to IPsec VPNs that use IPv6 addressing.
You can use both firewalld
and nftables
services simultaneously
The firewalld
and nftables
systemd
services are available to use simultaneously. Previously, users could enable only one of these services at a time. With this enhancement, these systemd
services no longer conflict with each other.
Jira:RHEL-17002[1]
4.7. Kernel
Kernel version in RHEL 9.5
Red Hat Enterprise Linux 9.5 is distributed with the kernel version 5.14.0-503.11.1.
The eBPF
facility has been rebased to Linux kernel version 6.8
Notable changes and enhancements include:
- Support exceptions allowing asserting conditions in BPF programs that should never be true but are hard for the verifier to infer.
- Improved working with per-cpu objects such as support for local per-cpu kptr and support for allocating and storing per-cpu objects in maps.
-
Support for BPF v4 CPU instructions for
arm32
ands390x
. - Several new open-coded iterators for task, task_vma, css, and css_task.
-
New
kfunc
that acquires the associated cgroup of a task within a specific cgroup v1 hierarchy. -
Support for BPF link_info for uprobe multi-link along with
bpftool
integration. - Several improvements and bug fixes in the BPF verifier allowing more precise program verification and improving the BPF program developer experience.
- Verifier improvement which prevents the creation of infinite loops by combining tail calls and fentry/fexit programs.
- Change in BPF verifier logic to validate global subprograms lazily instead of unconditionally before the main program, so they can be guarded using BPF CO-RE techniques.
- Add the ability to pin the BPF timer to the current CPU.
-
Support uid/gid options when mounting
bpffs
.
Jira:RHEL-23644[1]
rteval
now supports relative CPU lists for loads
With this enhancement, the --loads-cpulist
now accepts relative CPU lists as arguments. The syntax is the same for the default measurement CPU list when using the parameter --measurement-cpulist
.
Jira:RHEL-25206[1]
A support for 420xx devices is added to QAT
With this update, QAT supports 420xx devices. It includes a new device driver that supports updates to the firmware loader and other capabilities. Compared to 4xxx devices, the 420xx devices now have more acceleration engines, 16 service engines, and 1 administrative engine, and support the wireless cipher algorithms ZUC
and Snow 3G
.
Jira:RHEL-17715[1]
Introducing noswap
option when mounting TMPFS filesystem
TMPFS is an in-memory filesystem largely utilized for quickly sharing information across multiple processes. Starting with version 2.2, glibc
expects a tmpfs
filesystem to be mounted at dev/shm
to support POSIX shared memory. This mount point is necessary for shm_open
and shm_unlink
subroutines to function correctly. TMPFS blocks can be swapped out when there is a memory shortage, which poses a problem for certain performance- or privacy-critical workloads.
Passing the new noswap
mount option when mounting a TMPFS filesystem disables swap for that particular mount point of TMPFS.
Jira:RHEL-31975[1]
Kernel module is now updated to version 6.8
Kernel module is now updated to version 6.8, which includes the following features:
- Improved Hardware Support: Expanded compatibility for the latest processors, GPUs, and peripherals.
- Security Enhancements: Integration of critical security patches and mitigations to address recent vulnerabilities.
- Performance Optimizations: Enhanced scheduling, memory management, and I/O performance for improved workload efficiency.
Jira:RHEL-28063[1]
Introducing rteval
container for real-time performance testing
The rteval
container provides tools and methods for accurately measuring system latencies. With this feature, users can measure the real-time performance of their systems. It evaluates the configuration of the Linux kernel for optimal real-time performance to analyze performance based on specific application needs.
Note that no specific tuning guidelines are provided in the RHEL 9.5 release, and support is limited to customers with a Real-Time subscription.
Jira:RHELDOCS-19122[1]
NVMf-FC
kdump is now supported on the IBM Power
NVMf-FC
kdump now supports the IBM Power system for running kexec-tools
. This allows the capture of system memory dumps over a fiber channel network using the NVMe storage devices for high-speed and low-latency access to storage for crash dump data.
Jira:RHEL-11471[1]
4.8. File systems and storage
File system quotas for tmpfs
file system are now supported
The /tmp
directory is typically mounted using tmpfs
, and it is accessible to all users by default. This presents a risk where a single user can potentially fill up the entire system memory by writing excessively to this directory.
With this update, system administrators can now implement file system quotas to limit the space or memory users can consume on a tmpfs
file system, preventing memory exhaustion.
Jira:RHEL-7768[1]
NVMe TP 8006 in-band authentication with NVMe/TCP is now supported
NVMe TP 8006 in-band authentication for NVMe over Fabrics (NVMe-oF) was introduced in RHEL 9.2 as a Technology Preview, which is now fully supported. This feature provides DH-HMAC-CHAP in-band authentication protocol for NVMe-oF, which is defined in the NVMe Technical Proposal 8006. For details, see the dhchap-secret
and dhchap-ctrl-secret
option descriptions in the nvme-connect(1)
man page.
cryptsetup
rebased to version 2.7
The cryptsetup
package has been rebased to version 2.7. It contains improvements for the libcryptsetup
package to support Linux Unified Key Setup (LUKS) encrypted devices in the kdump
enabled systems.
Jira:RHEL-32377[1]
Dax feature is now supported for Ext4 and XFS
The direct access (dax) feature for the Ext4 and XFS file systems, previously available as a Technology Preview, is now fully supported. DAX enables an application to map persistent memory directly into its address space, enhancing performance. For more information, see Creating a file system DAX namespace on an NVDIMM.
Jira:RHELDOCS-19196[1]
4.9. High availability and clusters
New pcs status wait
command
The pcs
command-line interface now provides a pcs status wait
command. This command ensures that Pacemaker has completed any actions required by changes to the Cluster Information Base (CIB) and does not need to take any further actions in order to make the actual cluster state match the requested cluster state.
pcs
support for new commands to query the status of a resource in a cluster
The pcs
command-line interface now provides pcs status query resource
commands to query various attributes of a single resource in a cluster. These commands query:
- the existence of the resource
- the type of the resource
- the state of the resource
- various information about the members of a collective resource
- on which nodes the resource is running
You can use these commands for pcs-based scripting since there is no need to parse plain text outputs.
New pcs resource defaults
and pcs resource op defaults
option for displaying configuration in text, JSON, and command formats
The pcs resource defaults
and pcs resource op defaults
commands and their aliases pcs stonith defaults
and pcs stonith op defaults
now provide the --output-format
option.
-
Specifying
--output-format=text
displays the configured resource defaults or operation defaults in plain text format, which is the default value for this option. -
Specifying
--output-format=cmd
displays thepcs resource defaults
orpcs resource op defaults
commands created from the current cluster defaults configuration. You can use these commands to re-create configured resource defaults or resource operation defaults on a different system. -
Specifying
--output-format=json
displays the configured resource defaults or resource operation defaults in JSON format, which is suitable for machine parsing.
New Pacemaker option to leave a panicked node shut down without rebooting automatically
You can now set the PCMK_panic_action
variable in the /etc/sysconfig/pacemaker
configuration file to off
or sync-off
. When you set this variable to off
or sync-off
, a node remains shut down after a panic condition instead of rebooting automatically.
Support for new pcsd
Web UI features
The pcsd
Web UI now supports the following features:
-
When you set the
placement-strategy
cluster property todefault
, thepcsd
Web UI displays a warning near the utilization attributes for nodes and resources. This warning notes that the utilization has no effect due toplacement-strategy
configuration. -
The
pscd
Web UI supports dark mode, which you can set through the user menu in the masthead.
4.10. Dynamic programming languages, web and database servers
Increased performance of the Python interpreter
All supported versions of Python in RHEL 9 are now compiled with GCC’s -O3
optimization flag, which is the default in upstream. As a result, you can observe increased performance of your Python applications and the interpreter itself.
Jira:RHEL-49615[1], Jira:RHEL-49637, Jira:RHEL-49635
httpd
rebased to 2.4.62
The httpd
package has been updated to version 2.4.62 that includes various bug fixes, security fixes, and new features. Notable feature include :
The following directives have been added:
-
CGIScriptTimeout
directive is added in themod_cgi
module . -
AliasPreservePath
directive in themod_alias
module to map the full path after alias in a location. -
RedirectRelative
directive inmod_alias
to allow relative redirect targets to be issued as-is. -
DeflateAlterETag
directive in themod_deflate
module to control the modification ofETag
. TheNoChange
parameter mimics 2.2.x behavior.
-
-
An optional third argument for the
ProxyRemote
server is added in themod_proxy
module which configures basic authentication credentials to pass to the remote proxy. -
LDAPConnectionPoolTTL
directive now accepts negative values to allow reusing the connections of any age. Previously, an error was encountered in themod_ldap
module when you parsed the configuration file with a negative value. -
You can now use the
-T
option to allow truncating the subsequent rotated log files without the initial log file being truncated in the rotatelogs binary.
mod_md
rebased to version 2.4.26
The mod_md
module has been updated to version 2.4.26. Notable changes over the previous version include:
The following directives have been added:
-
MDCheckInterval
to control the number of server checks for detected revocations. -
MDMatchNames all|servernames
to allow more control over how the MDomains are matched to the VirtualHosts. -
MDChallengeDns01Version
. When you set the value of this directive to2
, it provides the command with the challenge value on theteardown
invocation. By default, in version 1, only thesetup
invocation gets this parameter.
-
-
For Managed Domain in
manual mode
, themod_md_verification
module now checks if all usedServerName
andServerAlias
reports a warning instead of an error (AH10040). -
You can now configure the
MDChallengeDns01
directive for individual domains.
Jira:RHEL-25075[1]
PostgreSQL 16 now provides the pgvector
extension
The postgresql:16
module stream is now distributed with the pgvector
extension. With the pgvector
extension, you can store and query high-dimensional vector embeddings directly within PostgreSQL databases and perform a vector similarity search. Vector embeddings are numerical representations of data that are often used in machine learning and AI applications to capture the semantic meaning of text, images, or other data types.
A new db_converter
tool to convert a libdb
database to the GDBM format
The deprecated Berkeley DB (libdb
) now provides the db_converter
tool for converting a lidbd
database to the GNU dbm (GDBM) database format. The db_converter
tool is distributed in the libdb-utils
subpackage.
For more information about alternatives to libdb
, see the Red Hat Knowledgebase article Available replacements for the deprecated Berkeley DB (libdb) in RHEL.
4.11. Compilers and development tools
System GCC rebased to version 11.5
The system version of GCC in RHEL 9 has been updated to version 11.5. This update provides numerous bug fixes.
A new tunable for glibc
is available to improve performance by placing dynamic objects closer together
Previously, the dynamic loader of glibc
placed dynamic objects randomly throughout the available address space to enhance security. Consequently, objects were often too far apart, which led to inefficient calls between them.
With this update, you can now place objects closer together, specifically, in the first 2 Gb of address space, by setting the following tunable:
export GLIBC_TUNABLES=glibc.cpu.prefer_map_32bit_exec=1
Setting this tunable might result in improved performance for some applications at the expense of a small reduction in address space layout randomization (ASLR).
Jira:RHEL-20172[1]
glibc
now supports dynamic linking of Intel APX-enabled functions
An incompatible dynamic linker trampoline was identified as a potential source of incompatibilities for Intel Advanced Performance Extensions (APX) applications. As a workaround, it was possible to use the BIND_NOW
executable or use only the standard calling convention. With this update, the dynamic linker of glibc
preserves APX-related registers.
Because of this change, additional space is needed beyond the top of the stack. Users who strictly limit this space might need to adjust or evaluate the stack limits.
Jira:RHEL-25046[1]
Optimization of AMD Zen 3 and Zen 4 performance in glibc
Previously, AMD Zen 3 and Zen 4 processors sometimes used the Enhanced Repeat Move String (ERMS) version of the memcpy
and memmove
library routines regardless of the most optimal choice. With this update to glibc
, AMD Zen 3 and Zen 4 processors use the most optimal versions of memcpy
and memmove
.
Jira:RHEL-25531[1]
System version of GDB rebased to version 14.2 and GDB removed from GCC Toolset
GDB has been updated to version 14.2. Starting with RHEL 9.5, GDB is transitioning into a rolling Application Stream with its system version rebased in minor releases of RHEL. Therefore, GDB is not included in GCC Toolset 14 in RHEL 9.
The following paragraphs list notable changes in GDB 14.2 since GDB 12.1.
General:
-
The
info breakpoints
command now displays enabled breakpoint locations of disabled breakpoints as in they-
state. -
Added support for debug sections compressed with Zstandard (
ELFCOMPRESS_ZSTD
) for ELF. -
The Text User Interface (TUI) no longer styles the source and assembly code highlighted by the current position indicator by default. To re-enable styling, use the new command
set style tui-current-position
. -
A new
$_inferior_thread_count
convenience variable contains the number of live threads in the current inferior. -
For breakpoints with multiple code locations, GDB now prints the code location using the
<breakpoint_number>.<location_number>
syntax. -
When a breakpoint is hit, GDB now sets the
$_hit_bpnum
and$_hit_locno
convenience variables to the hit breakpoint number and code location number. You can now disable the last hit breakpoint by using thedisable $_hit_bpnum
command, or disable only the specific breakpoint code location by using thedisable $_hit_bpnum.$_hit_locno
command. -
Added support for the
NO_COLOR
environment variable. - Added support for integer types larger than 64 bits.
-
You can use new commands for multi-target feature configuration to configure remote target feature sets (see the
set remote <name>-packet
andshow remote <name>-packet
in Commands). - Added support for the Debugger Adapter Protocol.
-
You can now use the new
inferior
keyword to make breakpoints inferior-specific (seebreak
orwatch
in Commands). -
You can now use the new
$_shell()
convenience function to execute a shell command during expression evaluation.
Changes to existing commands:
break
,watch
-
Using the
thread
ortask
keywords multiple times with thebreak
andwatch
commands now results in an error instead of using the thread or task ID of the last instance of the keyword. -
Using more than one of the
thread
,task
, andinferior
keywords in the samebreak
orwatch
command is now invalid.
-
Using the
printf
,dprintf
-
The
printf
anddprintf
commands now accept the%V
output format, which formats an expression the same way as theprint
command. You can also modify the output format by using additional print options in brackets[…]
following the command, for example:printf "%V[-array-indexes on]", <array>
.
-
The
list
-
You can now use the
.
argument to print the location around the point of execution in the current frame, or around the beginning of themain()
function if the inferior has not started yet. -
Attempting to list more source lines in a file than are available now issues a warning, referring the user to the
.
argument.
-
You can now use the
document user-defined
- It is now possible to document user-defined aliases.
New commands:
-
set print nibbles [on|off]
(default:off
),show print nibbles
- controls whether theprint/t
command displays binary values in groups of four bits (nibbles). -
set debug infcall [on|off]
(default:off
),show debug infcall
- prints additional debug messages about inferior function calls. -
set debug solib [on|off]
(default:off
),show debug solib
- prints additional debug messages about shared library handling. -
set print characters <LIMIT>
,show print characters
,print -characters <LIMIT>
- controls how many characters of a string are printed. -
set debug breakpoint [on|off]
(default:off
),show debug breakpoint
- prints additional debug messages about breakpoint insertion and removal. -
maintenance print record-instruction [ N ]
- prints the recorded information for a given instruction. -
maintenance info frame-unwinders
- lists the frame unwinders currently in effect in the order of priority (highest first). -
maintenance wait-for-index-cache
- waits until all pending writes to the index cache are completed. -
info main
- prints information on the main symbol to identify an entry point into the program. -
set tui mouse-events [on|off]
(default:on
),show tui mouse-events
- controls whether mouse click events are sent to the TUI and Python extensions (whenon
), or the terminal (whenoff
).
Machine Interface (MI) changes:
- MI version 1 has been removed.
-
MI now reports
no-history
when reverse execution history is exhausted. -
The
thread
andtask
breakpoint fields are no longer reported twice in the output of the-break-insert
command. - Thread-specific breakpoints can no longer be created on non-existent thread IDs.
-
The
--simple-values
argument to the-stack-list-arguments
,-stack-list-locals
,-stack-list-variables
, and-var-list-children
commands now considers reference types as simple if the target is simple. -
The
-break-insert
command now accepts a new-g thread-group-id
option to create inferior-specific breakpoints. -
Breakpoint-created notifications and the output of the
-break-insert
command can now include an optionalinferior
field for the main breakpoint and each breakpoint location. -
The async record stating the
breakpoint-hit
stopped reason now contains an optional fieldlocno
giving the code location number in case of a multi-location breakpoint.
Changes in the GDB Python API:
Events
-
A new
gdb.ThreadExitedEvent
event. -
A new
gdb.executable_changed
event registry, which emits theExecutableChangedEvent
objects that haveprogspace
andreload
attributes. -
New
gdb.events.new_progspace
andgdb.events.free_progspace
event registries, which emit theNewProgpspaceEvent
andFreeProgspaceEvent
event types. Both of these event types have a single attributeprogspace
to specify thegdb.Progspace
program space that is being added to or removed from GDB.
-
A new
The
gdb.unwinder.Unwinder
class-
The
name
attribute is now read-only. -
The name argument of the
__init__
function must be of thestr
type, otherwise aTypeError
is raised. -
The
enabled
attribute now accepts only thebool
type.
-
The
The
gdb.PendingFrame
class-
New methods:
name
,is_valid
,pc
,language
,find_sal
,block
, andfunction
, which mirror similar methods of thegdb.Frame
class. -
The
frame-id
argument of thecreate_unwind_info
function can now be either an integer or agdb.Value
object for thepc
,sp
, andspecial
attributes.
-
New methods:
-
A new
gdb.unwinder.FrameId
class, which can be passed to thegdb.PendingFrame.create_unwind_info
function. -
The
gdb.disassembler.DisassemblerResult
class can no longer be sub-classed. -
The
gdb.disassembler
module now includes styling support. -
A new
gdb.execute_mi(COMMAND, [ARG]…)
function, which invokes a GDB/MI command and returns result as a Python dictionary. -
A new
gdb.block_signals()
function, which returns a context manager that blocks any signals that GDB needs to handle. -
A new
gdb.Thread
subclass of thethreading.Thread
class, which calls thegdb.block_signals
function in itsstart
method. -
The
gdb.parse_and_eval
function has a newglobal_context
parameter to restrict parsing on global symbols. The
gdb.Inferior
class-
A new
arguments
attribute, which holds the command-line arguments to the inferior, if known. -
A new
main_name
attribute, which holds the name of the inferior’smain
function, if known. -
New
clear_env
,set_env
, andunset_env
methods, which can modify the inferior’s environment before it is started.
-
A new
The
gdb.Value
class-
A new
assign
method to assign a value of an object. -
A new
to_array
method to convert an array-like value to an array.
-
A new
The
gdb.Progspace
class-
A new
objfile_for_address
method, which returns thegdb.Objfile
object that covers a given address (if exists). -
A new
symbol_file
attribute holding thegdb.Objfile
object that corresponds to theProgspace.filename
variable (orNone
if the filename isNone
). -
A new
executable_filename
attribute, which holds the string with a filename that is set by theexec-file
orfile
commands, orNone
if no executable file is set.
-
A new
The
gdb.Breakpoint
class-
A new
inferior
attribute, which contains the inferior ID (an integer) for breakpoints that are inferior-specific, orNone
if no such breakpoints are set.
-
A new
The
gdb.Type
class-
New
is_array_like
andis_string_like
methods, which reflect whether a type might be array- or string-like regardless of the type’s actual type code.
-
New
-
A new
gdb.ValuePrinter
class, which can be used as the base class for the result of applying a pretty-printer. -
A newly implemented
gdb.LazyString.__str__
method. The
gdb.Frame
class-
A new
static_link
method, which returns the outer frame of a nested function frame. -
A new
gdb.Frame.language
method that returns the name of the frame’s language.
-
A new
The
gdb.Command
class-
GDB now reformats the doc string for the
gdb.Command
class and thegdb.Parameter
sub-classes to remove unnecessary leading whitespace from each line before using the string as the help output.
-
GDB now reformats the doc string for the
The
gdb.Objfile
class-
A new
is_file
attribute.
-
A new
-
A new
gdb.format_address(ADDRESS, PROGSPACE, ARCHITECTURE)
function, which uses the same format as when printing address, symbol, and offset information from the disassembler. -
A new
gdb.current_language
function, which returns the name of the current language. -
A new Python API for wrapping GDB’s disassembler, including
gdb.disassembler.register_disassembler(DISASSEMBLER, ARCH)
,gdb.disassembler.Disassembler
,gdb.disassembler.DisassembleInfo
,gdb.disassembler.builtin_disassemble(INFO, MEMORY_SOURCE)
, andgdb.disassembler.DisassemblerResult
. -
A new
gdb.print_options
function, which returns a dictionary of the prevailing print options, in the form accepted by thegdb.Value.format_string
function. The
gdb.Value.format_string
function-
gdb.Value.format_string
now uses the format provided by theprint
command if it is called during aprint
or other similar operation. -
gdb.Value.format_string
now accepts thesummary
keyword.
-
-
A new
gdb.BreakpointLocation
Python type. -
The
gdb.register_window_type
method now restricts the set of acceptable window names.
Architecture-specific changes:
AMD and Intel 64-bit architectures
-
Added support for disassembler styling using the
libopcodes
library, which is now used by default. You can modify how the disassembler output is styled by using theset style disassembler *
commands. To use the Python Pygments styling instead, use the newmaintenance set libopcodes-styling off
command.
-
Added support for disassembler styling using the
The 64-bit ARM architecture
- Added support for dumping memory tag data for the Memory Tagging Extension (MTE).
- Added support for the Scalable Matrix Extension 1 and 2 (SME/SME2). Some features are still considered experimental or alpha, for example, manual function calls with ZA state or tracking Scalable Vector Graphics (SVG) changes based on DWARF.
- Added support for Thread Local Storage (TLS) variables.
- Added support for hardware watchpoints.
The 64-bit IBM Z architecture
-
Record and replay support for the new
arch14
instructions on IBM Z targets, except for the specialized-function-assist instructionNNPA
.
-
Record and replay support for the new
IBM Power Systems, Little Endian
- Added base enablement support for POWER11.
For more details about rolling Application Streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-36211, Jira:RHEL-10550, Jira:RHEL-39555
elfutils
rebased to version 0.191
The elfutils
package has been updated to version 0.191. Notable improvements include:
Changes in the
libdw
library:-
The
dwarf_addrdie
function now supports binaries lacking adebug_aranges
section. - Support for DWARF package files has been improved.
-
A new
dwarf_cu_dwp_section_info
function has been added.
-
The
-
Caching eviction logic in the
debuginfod
server has been enhanced to improve retention of small, frequent, or slow files, such asvdso.debug
. -
The
eu-srcfiles
utility can now fetch the source files of a DWARF/ELF file and place them into azip
archive.
SystemTap
rebased to version 5.1
The SystemTap
tracing and probing tool has been updated to version 5.1. Notable changes include:
-
An experimental
--build-as=USER
flag to reduce privileges during script compilation. - Improved support for probing processes running in containers, identified by host PID.
- New probes for userspace hardware breakpoints and watchpoints.
-
Support for the
--remote
operation of--runtime=bpf
mode. - Improved robustness of kernel-user transport.
valgrind
rebased to version 3.23.0
The Valgrind
suite has been updated to version 3.23.0. Notable enhancements include:
-
The
--track-fds=yes
option now warns against double closing of file descriptors, generates suppressible errors, and supports XML output. -
The
--show-error-list=no|yes
option now accepts a new value,all
, to also print the suppressed errors. -
On the 64-bit IBM Z architecture,
Valgrind
now supports neural network processing assist (NNPA) facility vector instructions:VCNF
,VCLFNH
,VCFN
,VCLFNL
,VCRNF
, andNNPA
(z16/arch14). -
On the 64-bit ARM architecture,
Valgrind
now supportsdotprod
instructions (sdot/udot
). -
On the AMD and Intel 64-bit architectures,
Valgrind
now provides more accurate instruction support for the x86_64-v3 microarchitecture. -
Valgrind
now provides wrappers for thewcpncpy
,memccpy
,strlcat
, andstrlcpy
functions that can detect memory overlap. -
Valgrind
now supports the following Linux syscalls:mlock2
,fchmodat2
, andpidfd_getfd
.
Jira:RHEL-29534, Jira:RHEL-10551
libabigail
rebased to version 2.5
The libabigail
library has been updated to version 2.5. Notable changes include:
- Improved suppression specification for strict conversions of flexible array data members.
- Added support for pointer-to-member types in C++ binaries.
-
Improved
weak
mode of theabicompat
tool. -
A new
abidb
tool to manage the ABI of operating systems. - Numerous bug fixes.
Jira:RHEL-30013, Jira:RHEL-7325, Jira:RHEL-7332
New GCC Toolset 14
GCC Toolset 14 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
The following tools and versions are provided by GCC Toolset 14:
- GCC 14.2
-
binutils
2.41 -
annobin
12.70 -
dwz
0.14
Note that the system version of GDB has been rebased and GDB is no longer included in GCC Toolset.
To install GCC Toolset 14, enter the following command as root:
# dnf install gcc-toolset-14
To run a tool from GCC Toolset 14:
$ scl enable gcc-toolset-14 <tool>
To run a shell session where tool versions from GCC Toolset 14 override system versions of these tools:
$ scl enable gcc-toolset-14 bash
GCC Toolset 14 components are also available in the gcc-toolset-14-toolchain
container image.
For more information, see GCC Toolset 14 and Using GCC Toolset.
Jira:RHEL-29758[1], Jira:RHEL-29852
GCC Toolset 14: GCC rebased to version 14.2
In GCC Toolset 14, the GNU Compiler Collection (GCC) has been updated to version 14.2.
Notable changes include:
- Optimization and diagnostic improvements
-
A new
-fhardened
umbrella option, which enables a set of hardening flags -
A new
-fharden-control-flow-redundancy
option to detect attacks that transfer control into the middle of functions -
A new
strub
type attribute to control stack scrubbing properties of functions and variables -
A new
-finline-stringops
option to force inline expansion of certainmem*
functions - Support for new OpenMP 5.1, 5.2, and 6.0 features
- Several new C23 features
- Multiple new C++23 and C++26 features
- Several resolved C++ defect reports
- New and improved experimental support for C++20, C++23, and C++26 in the C++ library
- Support for new CPUs in the 64-bit ARM architecture
- Multiple new instruction set architecture (ISA) extensions in the 64-bit Intel architecture, for example: AVX10.1, AVX-VNNI-INT16, SHA512, and SM4
- New warnings in the GCC’s static analyzer
- Certain warnings changed to errors; for details, see Porting to GCC 14
- Various bug fixes
For more information about changes in GCC 14, see the upstream GCC release notes.
Jira:RHEL-29853[1]
GCC Toolset 14: annobin
rebased to version 12.70
In GCC Toolset 14, annobin
has been updated to version 12.70. The updated set of the annobin
tools for testing binaries provides various bug fixes, introduces new tests, and updates the tools to build and work with newer versions of the GCC, Clang, LLVM, and Go compilers. With the enhanced tools, you can detect new issues in programs that are built in a non-standard way.
Jira:RHEL-29850[1]
GCC Toolset 14: binutils
rebased to version 2.41
RHEL 9.5 is distributed with GCC Toolset 14 binutils
version 2.41. New features include:
-
binutils
tools support architecture extensions in the 64-bit Intel and ARM architectures. -
The linker now accepts the
--remap-inputs <PATTERN>=<FILE>
command-line option to replace any input file that matches<PATTERN>
with<FILE>
. In addition, you can use the--remap-inputs-file=<FILE>
option to specify a file containing any number of these remapping directives. -
For ELF targets, you can use the linker command-line option
--print-map-locals
to include local symbols in a linker map. -
For most ELF-based targets, you can use the
--enable-linker-version
option to insert the version of the linker as a string into the.comment
section. -
The linker script syntax has a new command for output sections,
ASCIZ "<string>"
, which inserts a zero-terminated string at the current location. -
You can use the new
-z nosectionheader
linker command-line option to omit ELF section header.
Jira:RHEL-29851[1]
GCC Toolset 13: GCC supports AMD Zen 5
The GCC Toolset 13 version of GCC adds support for the AMD Zen 5 processor microarchitecture. To enable the support, use the -march=znver5
command-line option.
Jira:RHEL-36523[1]
LLVM Toolset updated to 18.1.8
LLVM Toolset has been updated to version 18.1.8.
Notable LLVM updates:
-
The constant expression variants of the following instructions have been removed:
and
,or
,lshr
,ashr
,zext
,sext
,fptrunc
,fpext
,fptoui
,fptosi
,uitofp
,sitofp
. -
The
llvm.exp10
intrinsic has been added. -
The
code_model
attribute for global variables has been added. - The backend for the AArch64, AMDGPU, PowerPC, RISC-V, SystemZ and x86 architectures has been improved.
- LLVM tools have been improved.
Notable Clang enhancements:
C++20 feature support:
-
Clang no longer performs One Definition Rule (ODR) checks for declarations in the global module fragment. To enable more strict behavior, use the
-Xclang -fno-skip-odr-check-in-gmf
option.
-
Clang no longer performs One Definition Rule (ODR) checks for declarations in the global module fragment. To enable more strict behavior, use the
C++23 feature support:
-
A new diagnostic flag
-Wc++23-lambda-attributes
has been added to warn about the use of attributes on lambdas.
-
A new diagnostic flag
C++2c feature support:
-
Clang now allows using the
_
character as a placeholder variable name multiple times in the same scope. - Attributes now expect unevaluated strings in attribute parameters that are string literals.
- The deprecated arithmetic conversion on enumerations from C++26 has been removed.
- The specification of template parameter initialization has been improved.
-
Clang now allows using the
- For a complete list of changes, see the upstream release notes for Clang.
ABI changes in Clang:
-
Following the SystemV ABI for x86_64, the
__int128
arguments are no longer split between a register and a stack slot. - For more information, see the list of ABI changes in Clang.
Notable backwards incompatible changes:
- A bug fix in the reversed argument order for templated operators breaks code in C++20 that was previously accepted in C++17.
-
The
GCC_INSTALL_PREFIX
CMake variable (which sets the default--gcc-toolchain=
) is deprecated and will be removed. Specify the--gcc-install-dir=
or--gcc-triple=
option in a configuration file instead. -
The default extension name for precompiled headers (PCH) generation (
-c -xc-header
and-c -xc++-header
) is now.pch
instead of.gch
. -
When
-include a.h
probes thea.h.gch
file, the include now ignoresa.h.gch
if it is not a Clang PCH file or a directory containing any Clang PCH file. -
A bug that caused
__has_cpp_attribute
and__has_c_attribute
to return incorrect values for certain C++-11-style attributes has been fixed. -
A bug in finding a matching
operator!=
while adding a reversedoperator==
has been fixed. - The name mangling rules for function templates have been changed to accept that functions can be overloaded on their template parameter lists or requires-clauses.
-
The
-Wenum-constexpr-conversion
warning is now enabled by default on system headers and macros. It will be turned into a hard (non-downgradable) error in the next Clang release. - A path to the imported modules for C++20 named modules can no longer be hardcoded. You must specify all the dependent modules from the command line.
-
It is no longer possible to import modules by using
import <module>
; Clang uses explicitly-built modules. - For more details, see the list of potentially breaking changes.
For more information, see the LLVM release notes and Clang release notes.
LVM Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Rust Toolset rebased to version 1.79.0
Rust Toolset has been updated to version 1.79.0. Notable enhancements since the previously available version 1.75.0 include:
-
A new
offset_of!
macro - Support for C-string literals
-
Support for inline
const
expressions - Support for bounds in associated type position
- Improved automatic temporary lifetime extension
-
Debug assertions for
unsafe
preconditions
Rust Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Go Toolset rebased to version 1.22
Go Toolset has been updated to version 1.22.
Notable enhancements include:
- Variables in for loops are now created per iteration, preventing accidental sharing bugs. Additionally, for loops can now range over integers.
- Commands in workspaces can now use a vendor directory for the dependencies of the workspace.
-
The
go get
command no longer supports the legacyGOPATH
mode. This change does not affect thego build
andgo test
commands. -
The
vet
tool has been updated to match the new behavior of the for loops. - CPU performance has been improved by keeping type-based garbage collection metadata nearer to each heap object.
- Go now provides improved inlining optimizations and better profile-guided optimization support for higher performance.
-
A new
math/rand/v2
package is available. - Go now provides enhanced HTTP routing patterns with support for methods and wildcards.
For more information, see the Go upstream release notes.
Go Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Jira:RHEL-29527[1]
PCP rebased to version 6.2.2
Performance Co-Pilot (PCP) has been updated to version 6.2.2. Notable changes over the previously available version 6.2.0 include:
New tools and agents
-
pcp2openmetrics
: a new tool to push PCP metrics in Open Metrics format to remote end points -
pcp-geolocate
: a new tool to report latitude and longitude metric labels -
pmcheck
: a new tool to interrogate and control PCP components -
pmdauwsgi
: a new PCP agent that exports instrumentation from uWSGI servers
Enhanced tools
-
pmdalinux
: added new kernel metrics (hugepages, filesystems, TCP, softnet, virtual machine balloon) -
pmdalibvirt
: added support for metric labels, added new balloon, vCPU, and domain info metrics -
pmdabpf
: improved eBPF networking metrics for use with thepcp-atop
utility
Grafana
rebased to version 10.2.6
The Grafana
platform has been updated to version 10.2.6.
Notable enhancements include:
- Support for zooming in on the y axis of time series and candlestick visualizations by holding shift while clicking and dragging.
- Streamlined data source selection when creating a dashboard.
- Updated User Interface, including updates to navigation and the command palette.
-
Various improvements to transformations, including the new unary operation mode for the
Add field from calculation
transformation. - Various improvements to dashboards and data visualizations, including a redesigned empty dashboard and dashboard panel.
- New geomap and canvas panels.
Other changes:
- Various improvements to users, access, authentication, authorization, and security.
- Alerting improvements along with new alerting features.
- Public dashboards now available.
For a complete list of changes since the previously available Grafana
version 9.2, see the upstream documentation.
Jira:RHEL-31246[1]
Red Hat build of OpenJDK 17 is now the default Java implementation in RHEL 9
The default RHEL 9 Java implementation is being changed from OpenJDK 11, which has reached its End Of Life (EOL), to OpenJDK 17. After this update, the java-17-openjdk
packages, which provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit, will also provide the java
and java-devel
packages. For more information, see the OpenJDK documentation.
Existing packages in RHEL 9 that call java/bin
or java-openjdk/bin
directly will be immediately able to use OpenJDK 17.
Existing packages in RHEL 9 that require the java
or java-devel
packages directly, namely tomcat
and systemtap-runtime-java
, will pull the appropriate dependency automatically.
Ant, Maven, and packages that are using Java indirectly through the javapackages-tools
package will be fully transitioned in an asynchronous update shortly after the general availability of RHEL 9.5.
If you need to install OpenJDK for the first time or if the default package is not installed through a dependency chain, use DNF:
# dnf install java-17-openjdk-devel
For more information, see Installing multiple minor versions of Red Hat build of OpenJDK on RHEL by using yum.
The current java-11-openjdk
packages in RHEL 9 will not receive any further updates. However, Red Hat will provide Extended Life Cycle support (ELS) phase 1 with updates for Red Hat build of OpenJDK 11 until October 31, 2027. See Red Hat build of OpenJDK 11 Extended Lifecycle Support (ELS-1) Availability for details.
For information specific to the OpenJDK ELS program and the OpenJDK lifecycle, see the OpenJDK Life Cycle and Support Policy.
If you have the alternatives
command set to manual
mode for java
and related components, OpenJDK 11 will still be used after the update. To use OpenJDK 17 in this case, change the alternatives
setting to auto
, for example:
# alternatives --auto java # alternatives --auto javac
Use the alternatives --list
command to verify the settings.
Jira:RHEL-56094[1]
4.12. Identity Management
python-jwcrypto
rebased to version 1.5.6
The python-jwcrypto
package has been updated to version 1.5.6. This version includes a security fix to an issue where an attacker could cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio.
Jira:RHELDOCS-18197[1]
ansible-freeipa
rebased to 1.13.2
The ansible-freeipa
package has been rebased from version 1.12.1 to 1.13.2 Notable enhancements include:
-
You can now create an inventory of Identity Management (IdM) servers for
ansible-freeipa
playbooks dynamically. Thefreeipa
plugin gathers data about the IdM servers in the domain, and selects only those that have a specified IdM server role assigned. For example, if you want to search the logs of all IdM DNS servers in the domain to detect possible issues, the plugin ensures that all IdM replicas with the DNS server role are detected and automatically added to the managed nodes. You can now more efficiently run
ansible-freeipa
playbooks that use a single Ansible task to add, modify, and delete multiple Identity Management (IdM) users, user groups, hosts, and services. Previously, each entry in a list of users had its dedicated API call. With this enhancement, several API calls are combined into one API call within a task. The same applies to lists of user groups, hosts and services.As a result, the speed of adding, modifying, and deleting these IdM objects by using the
ipauser
,ipagroup
,ipahost
andipaservice
modules is increased. The biggest benefit can be seen when the client context is used.ansible-freeipa
now additionally provides the roles and modules as an Ansible collection in theansible-freeipa-collection
subpackage. To use the new collection:-
Install the
ansible-freeipa-collection
subpackage. -
Add the
freeipa.ansible_freeipa
prefix to the names of roles and modules. Use the fully-qualified names to follow Ansible recommendations. For example, to refer to theipahbacrule
module, usefreeipa.ansible_freeipa.ipahbacrule
.
You can simplify the use of the modules that are part of the
freeipa.ansible_freeipa
collection by applyingmodule_defaults
.-
Install the
ipa
rebased to version 4.12.0
The ipa
package has been updated from version 4.11 to 4.12.0. Notable changes include:
- You can enforce LDAP authentication to fail for a user that does not provide an OTP token.
- You can enroll an Identity Management (IdM) client using a trusted Active Directory user.
- Documentation for identity mapping in FreeIPA is now available.
-
The
python-dns
package has been rebased to version 2.6.1-1.el10. -
The
ansible-freeipa
package has been rebased from version 1.12.1 to 1.13.2.
For more information, see the FreeIPA and ansible-freeipa upstream release notes.
certmonger
rebased to version 0.79.20
The certmonger
package has been rebased to version 0.79.20. The update includes various bug fixes and enhancements, most notably:
- Enhanced handling of new certificates in the internal token and improved the removal process on renewal.
-
Removed restrictions on tokens for
CKM_RSA_X_509
cryptographic mechanism. -
Fixed the documentation for the
getcert add-scep-ca
,--ca-cert
, and--ra-cert
options. - Renamed the D-Bus service and configuration files to match canonical name.
-
Added missing
.TP
tags in thegetcert-resubmit
man page. - Migrated to the SPDX license format.
-
Included owner and permissions information in the
getcert list
output. -
Removed the requirement for an NSS database in the
cm_certread_n_parse
function. - Added translations using Webplate for Simplified Chinese, Georgian, and Russian.
389-ds-base
rebased to version 2.5.2
The 389-ds-base
package has been updated to version 2.5.2. Notable bug fixes and enhancements over version 2.4.5 include:
Improved MIT krb5
TCP connection timeout handling
Previously, TCP connections timed out after 10 seconds. With this update, MIT krb5
TCP connection handling has been modified to no longer use a default timeout. The request_timeout
setting now limits the total request duration rather than the duration of individual TCP connections. This change addresses integration issues with SSSD, especially for two-factor authentication use cases. As a result, users experience more consistent handling of TCP connections, as the request_timeout
setting now effectively controls the global request maximum duration.
Jira:RHEL-17132[1]
4.13. SSSD
samba
rebased to version 4.20.2
The samba
packages have been upgraded to upstream version 4.20.2, which provides bug fixes and enhancements over the previous version. The most notable changes are:
-
The
smbacls
utility can now save and restore discretionary access control list (DACL) entries. This feature mimics the functionality of the Windowsicacls.exe
utility. - Samba now supports conditional access control entries (ACEs).
-
Samba no longer reads currently logged on users from the
/var/run/utmp
file. This feature was removed from theNetWkstaGetInfo
level 102 andNetWkstaEnumUsers
level 0 and 1 functions because/var/run/utmp
uses a time format that is not year 2038 safe.
Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd
, nmbd
, or winbind
services start, Samba automatically updates its tdb
database files. Red Hat does not support downgrading tdb
database files.
After updating Samba, use the testparm
utility to verify the /etc/samba/smb.conf
file.
Jira:RHEL-33645[1]
New SSSD option: failover_primary_timeout
You can use the failover_primary_timeout
option to specify the time interval in seconds for the sssd
service to attempt reconnecting to the primary IdM server after switching to a backup server. The default value is 31 seconds. Previously, if the primary server was unavailable, SSSD would automatically switch to a backup server after the fixed timeout of 31 seconds.
Jira:RHEL-17659[1]
4.14. Desktop
GNOME Online Accounts can restrict which features providers can use
You can use the new goa.conf
file in the system configuration directory, usually named /etc/goa.conf
, to limit what features each provider can use.
In the goa.conf
file, the group name defines the provider type, and the keys define boolean switches to disable the respective features. If you do not set any key or section for a feature, the feature is enabled.
For example, to disable the mail feature for Google accounts, use the following setting:
[google] mail=false
You can use the all
special section name to cover every provider. The value in the specific provider has precedence, if it exists and contains a valid boolean value. Note that some combinations of disabled features can lead to incomplete or invalid accounts being read by the GOA users, such as the Evolution application. Always test the changes first. Restart the GNOME Online Accounts for the changed configuration to take effect.
4.15. The web console
New package: cockpit-files
The cockpit-files
package provides the File manager page in the RHEL web console. With the File manager, you can perform the following actions:
- Browse files and directories on file systems you can access
- Sort files and directories by various criteria
- Filter displayed files by a sub-string
- Copy, move, delete, and rename files and directories
- Create directories
- Upload files
- Bookmark file paths
- Use keyboard shortcuts for the actions
Jira:RHELDOCS-16362[1]
4.16. Red Hat Enterprise Linux System Roles
Support for new ha_cluster
system role features
The ha_cluster
system role now supports the following features:
- Configuring utilization attributes for node and primitive resources.
-
Configuring node addresses and SBD options by using the
ha_cluster_node_options
variable. If bothha_cluster_node_options
andha_cluster
variables are defined, their values are merged, with values fromha_cluster_node_options
having precedence. - Configuring access control lists (ACLs).
- Configuring Pacemaker alerts to take an external action when a cluster event such as node failure or resource starting or stopping occurs.
-
Easy installation of agents for cloud environments by setting the
ha_cluster_install_cloud_agents
variable totrue
.
Jira:RHEL-30111, Jira:RHEL-17271, Jira:RHEL-33532, Jira:RHEL-27186
Support for configuring GFS2 file systems by using RHEL system roles
Red Hat Enterprise Linux 9.5 supports the configuration and management of the Red Hat Global File System 2 (GFS2) by using the gfs2
RHEL system role. The role creates GFS2 file systems in a Pacemaker cluster managed with the pcs
command-line interface.
Previously, setting up GFS2 file systems in a supported configuration required you to follow a long series of steps to configure the storage and cluster resources. The gfs2
role simplifies the process. Using the role, you can specify only the minimum information needed to configure GFS2 file systems in a RHEL high availability cluster.
The gfs2 role performs the following tasks:
- Installing the packages necessary for configuring a GFS2 file system in a Red Hat high availability cluster
-
Setting up the
dlm
andlvmlockd
cluster resources - Creating the LVM volume groups and logical volumes required by the GFS2 file system
- Creating the GFS2 file system and cluster resources with the necessary resource constraints
Jira:RHELDOCS-18629[1]
New sudo
RHEL system role
sudo
is a critical part of RHEL system configuration. With the new sudo
RHEL system role, you can consistently manage sudo configuration at scale across your RHEL systems.
The storage
RHEL system role can now manage Stratis pools
With this enhancement, you can use the storage
RHEL system role to complete the following tasks:
- Create a new encrypted and unencrypted Stratis pool
- Add new volumes to the existing Stratis pool
- Add new disks to the Stratis pool
For details on how to manage Stratis pools and other related information, see the resources in the /usr/share/doc/rhel-system-roles/storage/
directory.
New variables in the journald
RHEL system role: journald_rate_limit_interval_sec
and journald_rate_limit_burst
The following two variables have been added to the journald
RHEL system role:
-
journald_rate_limit_interval_sec
(integer, defaults to 30): Configures a time interval in seconds, within which only thejournald_rate_limit_burst
log messages are handled. Thejournald_rate_limit_interval_sec
variable corresponds to theRateLimitIntervalSec
setting in thejournald.conf
file. -
journald_rate_limit_burst
(integer, defaults to 10 000): Configures the upper limit of log messages, which are handled within the time defined byjournald_rate_limit_interval_sec
. Thejournald_rate_limit_burst
variable corresponds to theRateLimitBurst
setting in thejournald.conf
file.
As a result, you can use these settings to tune the performance of the journald
service to handle applications that log many messages in a short period of time.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/journald/
directory.
New variables in the podman
RHEL system role: podman_registry_username
and podman_registry_password
The podman
RHEL system role now enables you to specify the container image registry credentials either globally or on a per-specification basis. For that purpose, you must configure both role variables:
-
podman_registry_username
(string, defaults to unset): Configures the username for authentication with the container image registry. You must also set thepodman_registry_password
variable. You can overridepodman_registry_username
on a per-specification basis with theregistry_username
variable. Each operation involving credentials would then be performed according to the detailed rules and protocols defined in that specification. -
podman_registry_password
(string, defaults to unset): Configures the password for authentication with the container image registry. You must also set thepodman_registry_username
variable. You can overridepodman_registry_password
on a per-specification basis with theregistry_password
variable. Each operation involving credentials would then be performed according to the detailed rules and protocols defined in that specification. For security, encrypt the password using the Ansible Vault feature.
As a result, you can use the podman
RHEL system role to manage containers with images, whose registries require authentication for access.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/podman/
directory.
New variable in the postfix
RHEL system role: postfix_files
The postfix
RHEL system role now enables you to configure extra files for the Postfix mail transfer agent. For that purpose, you can use the following role variable:
postfix_files
-
Defines a list of files to be placed in the
/etc/postfix/
directory that can be converted into Postfix Lookup Tables if needed. This variable enables you to configure Simple Authentication and Security Layer (SASL) credentials, and similar. For security, encrypt files that contain credentials and other secrets using the Ansible Vault feature.
As a result, you can use the postfix
RHEL system role to create these extra files and integrate them in your Postfix configuration.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/postfix/
directory.
The snapshot
RHEL system role now supports managing snapshots of LVM thin pools
With thin provisioning, you can use the snapshot
RHEL system role to manage snapshots of LVM thin pools. These thin snapshots are space-efficient and only grow as data is written or modified after the snapshot is taken. The role automatically detects if the specified volume is scheduled for a thin pool. The added feature could be useful in environments where you need to take frequent snapshots without consuming a lot of physical storage.
New option in the logging
RHEL system role: reopen_on_truncate
The files
input type of the logging_inputs
variable now supports the following option:
reopen_on_truncate
(boolean, defaults to false)-
Configures the
rsyslog
service to re-open the input log file if it was truncated, such as during log rotation. Thereopen_on_truncate
role option corresponds to thereopenOnTruncate
parameter forrsyslog
.
As a result, you can configure rsyslog
in an automated fashion through the logging
RHEL system role to re-open an input log file if it was truncated.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/logging/
directory.
Jira:RHEL-46590[1]
New variable in the logging
RHEL system role: logging_custom_config_files
You can provide custom logging configuration files by using the following variable for the logging
RHEL system role:
logging_custom_config_files
(list)-
Configures a list of configuration files to copy to the default logging configuration directory. For example, for the
rsyslog
service it is the/etc/rsyslog.d/
directory. This assumes the default logging configuration loads and processes the configuration files in that directory. The defaultrsyslog
configuration has a directive such as$IncludeConfig /etc/rsyslog.d/*.conf
.
As a result, you can use customized configurations not provided by the logging
RHEL system role.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/logging/
directory.
The logging
RHEL system role can set ownership and permissions for rsyslog
files and directories
The files
output type of the logging_outputs
variable now supports the following options:
-
mode
(raw, defaults to null): Configures theFileCreateMode
parameter associated with theomfile
module in thersyslog
service. -
owner
(string, defaults to null): Configures thefileOwner
orfileOwnerNum
parameter associated with theomfile
module inrsyslog
. If the value is an integer, it setsfileOwnerNum
. Otherwise, it setsfileOwner
. -
group
(string, defaults to null): Configures thefileGroup
orfileGroupNum
parameter associated with theomfile
module inrsyslog
. If the value is an integer, it setsfileGroupNum
. Otherwise, it setsfileGroup
. -
dir_mode
(defaults to null): Configures theDirCreateMode
parameter associated with theomfile
module inrsyslog
. -
dir_owner
(defaults to null): Configures thedirOwner
ordirOwnerNum
parameter associated with theomfile
module inrsyslog
. If the value is an integer, it setsdirOwnerNum
. Otherwise, it setsdirOwner
. -
dir_group
(defaults to null): Configures thedirGroup
ordirGroupNum
parameter associated with theomfile
module inrsyslog
. If the value is an integer, it setsdirGroupNum
. Otherwise, it setsdirGroup
.
As a result, you can set ownership and permissions for files and directories created by rsyslog
.
Note that the file or directory properties are the same as the corresponding variables in the Ansible file
module.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/logging/
directory. Alternatively, review the output of the ansible-doc file
command.
Jira:RHEL-34935[1]
Using the storage
RHEL system role creates fingerprints on managed nodes
If not already present, storage
creates a unique identifier (fingerprint) every time you run this role. The fingerprint has the form of the # system_role:storage
string written to the /etc/fstab
file on your managed nodes. As a result, you can track which nodes are managed by storage
.
New variables in the podman
RHEL system role: podman_registry_certificates
and podman_validate_certs
The following two variables have been added to the podman
RHEL system role:
-
podman_registry_certificates
(list of dictionary elements): Enables you to manage TLS certificates and keys used to connect to the specified container image registry. -
podman_validate_certs
(boolean, defaults to null): Controls whether pulling images from container image registries will validate TLS certificates or not. The default null value means that it is used whatever the default configured by thecontainers.podman.podman_image
module is. You can override thepodman_validate_certs
variable on a per-specification basis with thevalidate_certs
variable.
As a result, you can use the podman
RHEL system role to configure TLS settings for connecting to container image registries.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/podman/
directory. Alternatively, you can review the containers-certs(5)
manual page.
New variable in the podman
RHEL system role: podman_credential_files
Some operations need to pull container images from registries in an automated or unattended way and cannot use the podman_registry_username
and podman_registry_password
variables.
Therefore, the podman
RHEL system role now accepts the containers-auth.json
file to authenticate against container image registries. For that purpose, you can use the following role variable:
podman_credential_files
(list of dictionary elements)- Each dictionary element in the list defines a file with user credentials for authentication to private container image registries. For security, encrypt these credentials using the Ansible Vault feature. You can specify file name, mode, owner, group of the file, and can specify the contents in different ways. See the role documentation for more details.
As a result, you can input container image registry credentials for automated and unattended operations.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/podman/
directory. Alternatively, you can review the containers-auth.json(5)
and containers-registries.conf(5)
manual pages.
The nbde_client
RHEL system role now enables you to skip running certain configurations
With the nbde_client
RHEL system role you can now disable the following mechanisms:
- Initial ramdisk
- NetworkManager flush module
- Dracut flush module
The clevis-luks-askpass
utility unlocks some storage volumes late in the boot process after the NetworkManager service puts the OS on the network. Therefore, no configuration changes to the mentioned mechanisms are necessary.
As a result, you can disable the mentioned configurations from being run to support advanced networking setups, or volume decryption to occur late in the boot process.
The ssh
RHEL system role now recognizes the ObscureKeystrokeTiming
and ChannelTimeout
configuration options
The ssh
RHEL system role has been updated to reflect addition of the following configuration options in the OpenSSH utility suite:
-
ObscureKeystrokeTiming
(yes|no|interval specifier, defaults to 20): Configures whether thessh
utility should obscure the inter-keystroke timings from passive observers of network traffic. -
ChannelTimeout
: Configures whether and how quickly thessh
utility should close inactive channels.
When using the ssh
RHEL system role, you can use the new options like in this example play:
--- - name: Non-exclusive sshd configuration hosts: managed-node-01.example.com tasks: - name: Configure ssh to obscure keystroke timing and set 5m session timeout ansible.builtin.include_role: name: rhel-system-roles.ssh vars: ssh_ObscureKeystrokeTiming: "interval:80" ssh_ChannelTimeout: "session=5m"
The src
parameter was added to the network
RHEL system role
The src
parameter to the route
sub-option of the ip
option for the network_connections
variable has been added. This parameter specifies the source IP address for a route. Typically, it is useful for the multi-WAN connections. These setups ensure that a machine has multiple public IP addresses, and outbound traffic uses a specific IP address tied to a particular network interface. As a result, support for the src
parameter provides better control over traffic routing by ensuring a more robust and flexible network configuration capability in the described scenarios.
For more details, see the resources in the /usr/share/doc/rhel-system-roles/network/
directory.
The storage
RHEL system role can now resize LVM physical volumes
If the size of a block device has changed and you use this device in an LVM, you can adjust the LVM physical volume as well. With this enhancement, you can use the storage
RHEL system role to resize LVM physical volumes to match the size of the underlying block devices after you resized it. To enable automatic resizing, set grow_to_fill: true
on the pool in your playbook.
4.17. Virtualization
New features for 64-bit ARM hosts
The following virtualization features have now become fully supported on the 64-bit ARM architecture:
- 4 KiB memory page size virtual machines (VMs) on 4kiB memory page size hosts. Note that hosts and guests with different page sizes are still not supported. The only supported page size combinations are 4 KiB/4 KiB and 64 KiB/64 KiB.
-
The
virtiofs
feature for sharing files between the host and the VM - Guest error RAS recovery (Reliability, Availability, Serviceability)
-
The
pvpanic
event logging device -
The
virtio-mem
feature for dynamic memory assignment
As a result, VMs hosted on RHEL 9 running on an 64-bit ARM system will be able to use these features.
Jira:RHEL-43234[1]
RHEL supports live migrating VMs with attached NVIDIA vGPUs
With this update, you can now live migrate a running virtual machine with attached vGPUs to another KVM host. Currently, this is only possible with NVIDIA GPUs.
This functionality is available only with certain NVIDIA Virtual GPU Software Driver versions. Refer to the relevant NVIDIA vGPU documentation for more details.
Jira:RHELDOCS-16572[1]
nbdkit rebased to version 1.38
The nbdkit
package has been rebased to upstream version 1.38, which provides various bug fixes and enhancements. The most notable changes are the following:
- Block size advertising has been enhanced and a new read-only filter has been added.
- The Python and OCaml bindings support more features of the server API.
- Internal struct integrity checks have been added to make the server more robust.
For a complete list of changes, see the upstream release notes.
Adjustable packet loss prevention added for the NetKVM driver
This update adds the MinRxBufferPercent
parameter for the the NetKVM driver, which you can use to reduce the risk of received packet loss in Windows virtual machines. The default value of MinRxBufferPercent
is 0, and setting a higher value, up to 100, improves the prevention of packet loss, but might increase CPU consumption during high network traffic.
4.18. RHEL in cloud environments
OpenTelemetry Collector for RHEL on public cloud platforms
When running RHEL on a public cloud platform, you can now use the OpenTelemetry (OTel) framework to collect and send telemetry data, such as logs, metrics, and traces. This helps you maintain and debug your RHEL cloud instances. With this update, RHEL includes the OTel Collector service, which you can use to manage logs. The OTel Collector gathers, processes, transforms, and exports logs to and from various formats and external back ends.
You can also use the OTel Collector to aggregate the collected data and generate metrics useful for analytics services. For example, you can configure OTel Collector to send data to Amazon Web Services (AWS) CloudWatch, which enhances the scope and accuracy of data obtained by CloudWatch from RHEL instances .
For details, see Configuring the OpenTelemetry Collector for RHEL on public cloud platforms.
Jira:RHELDOCS-18125[1]
awscli2
is generally available for RHEL on AWS
With the awscli2
utility, you can now use Amazon Web Services (AWS) APIs from a RHEL instance to deploy new infrastructure offerings, as well as manage existing deployments. Note that installing awscli2
from a Red Hat Enterprise Linux repository ensures that awscli2
is installed from a trusted source and receives automatic updates. As a result, you can gather information regarding cloud deployment services, manage infrastructure resources, and refer to built-in documentation provided with awscli2
.
Jira:RHEL-14523[1]
Log collection on Azure is now disabled by default
Previously, the Windows Azure Linux Agent (WALA) in Microsoft Azure collected debugging logs on virtual machines (VMs) by default. However, these agent logs might contain confidential information. To improve data security, WALA is now disabled by default, and does not collect any data on the VM. To re-enable log collection, do the following:
-
Edit the
/etc/waagent.conf
file. -
Set the
Logs.Collect
parameter value toy
.
Jira:RHEL-7273[1]
4.19. Supportability
The --api-url
option is now available
With the --api-url
option you can call another API as per requirement. For instance, the API for an OCP cluster. Example: sos collect --cluster-type=ocp --cluster-option ocp.api-url=_<API_URL> --alloptions
.
The new --skip-cleaning-files
option is now available
The --skip-cleaning-files
option for the sos report
command allows you to skip cleaning selected files. The option supports globs and wildcards. Example: sos report -o host --batch --clean --skip-cleaning-files 'hostname'
.
Jira:RHEL-30893[1]
The plugin option names now use only hyphens instead of underscores
To ensure consistency across sos
global options, the plugin option names now use only hyphens instead of underscores For example, the networking plugin namespace_pattern
option is now namespace-pattern
and must be specified by using the --plugin-option networking.namespace-pattern=<pattern>
syntax.
Jira:RHELDOCS-18655[1]
4.20. Containers
Image mode for RHEL now supports FIPS mode
With this enhancement, you can enable the FIPS mode when building a bootc image to configure the system to use only FIPS-approved modules. You can use bootc-image-builder
, which requires enabling the FIPS crypto policy in the Containerfile configuration, or use the RHEL Anaconda installation, that additionally to enabling FIPS mode in the Containerfile, also requires adding the fips=1
kernel argument when booting the system installation. See Installing the system with FIPS mode enabled for more details.
The following is a Containerfile with instructions to enable the fips=1
kernel argument:
FROM registry.redhat.io/rhel9/rhel-bootc:latest# # Enable fips=1 kernel argument: https://containers.github.io/bootc/building/kernel-arguments.html COPY 01-fips.toml /usr/lib/bootc/kargs.d/ # Install and enable the FIPS crypto policy RUN dnf install -y crypto-policies-scripts && update-crypto-policies --no-reload --set FIPS
Jira:RHELDOCS-18585[1]
Image mode for RHEL now supports logically bound app images
With this enhancement, you have support for container images that are lifecycle bound to the base bootc image. This helps unite different operational processes for applications and operating systems and the app images are referenced from the base image as image files or an equivalent. As a result, you can manage multiple container images for system installations, for example, for a disconnected installation, the system must all be mirrored, not just one.
Jira:RHELDOCS-18666[1]
Podman and Buildah support adding OCI artifacts to image indexes
With this update, you can create artifact manifests and add them to image indexes.
The buildah manifest add
command now supports the following options:
-
the
--artifact
option to create artifact manifests -
the
--artifact-type
,--artifact-config-type
,--artifact-layer-type
,--artifact-exclude-titles
, and--subject
options to finetune the contents of the artifact manifests it creates.
The buildah manifest annotate
command now supports the following options:
-
the
--index
option to set annotations on the index itself instead of a one of the entries in the image index -
the
--subject
option for setting the subject field of an image index.
The buildah manifest create
command now supports the --annotation
option to add annotations to the new image index.
Option is available to disable Podman healthcheck event
This enhancement adds a new healthcheck_events
option in the containers.conf
configuration file under the [engine]
section to disable the generation of health_status
events. Set healthcheck_events=false
to disable logging healthchek events.
Runtime resource changes in Podman are persistent
The updates of container configuration by using the podman update
command are persistent. Note that this enhancement is for both SQLite and BoltDB database backends.
Building multi-architecture images is fully supported
The podman farm build
command that creates multi-architecture container images is now fully supported.
A farm is a group of machines that have a unix Podman socket running in them. The nodes in the farm can have different machines of various architectures. The podman farm build
command is faster than the podman build --arch --platform
command.
You can use podman farm build
to perform the following actions:
- Build an image on all nodes in a farm.
- Bundle an image on all nodes in a farm up into a manifest list.
-
Execute the
podman build
command on all the farm nodes. -
Push the images to the registry specified by using the
--tag
option. - Locally create a manifest list.
- Push the manifest list to the registry.
The manifest list contains one image per native architecture type present in the farm.
Quadlets for pods in Podman are available
Beginning with Podman v5.0, you can use Quadlet to automatically generate a systemd
service file from a pod description.
The Podman v2.0 RESTful API has been updated
The new fields has been added to the libpod/images/json
endpoint:
-
The
isManifest
boolean field to determine if the target is a manifest or not. Thelibpod
endpoint returns both images and manifest lists. -
The
os
andarch
fields for image listing.
Kubernetes YAML now supports a data volume container as an init container
A list of images to automatically mount as volumes can now be specified in Kubernetes YAML by using the "io.podman.annotations.kube.image.automount/$ctrname"
annotation. Image-based mounts using podman run --mount type=image,source=<image>,dst=<path>,subpath=<path>
now support a new option, subpath
, to mount only part of the image into the container.
The Container Tools packages have been updated
The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun
, and runc
tools, is now available. Podman v5.0 contains the following notable bug fixes and enhancements over the previous version:
-
The
podman manifest add
command now supports a new--artifact
option to add OCI artifacts to a manifest list. -
The
podman create
,podman run
, andpodman push
commands now support the--retry
and--retry-delay
options to configure retries for pushing and pulling images. -
The
podman run
andpodman exec
commands now support the--preserve-fd
option to pass a list of file descriptors into the container. It is an alternative to--preserve-fds
, which passes a specific number of file descriptors. - Quadlet now supports templated units.
-
The
podman kube play
command can now create image-based volumes by using thevolume.podman.io/image
annotation. -
Containers created with the
podman kube play
command can now include volumes from other containers by using a new annotation,io.podman.annotations.volumes-from
. -
Pods created with the
podman kube play
command can now set user namespace options by using theio.podman.annotations.userns annotation
in the pod definition. -
The
--gpus
option topodman create
andpodman run
is now compatible with Nvidia GPUs. -
The
--mount
option topodman create
andpodman run
supports a new mount option,no-dereference
, to mount a symlink instead of its dereferenced target into a container. -
Podman now supports the new
--config
global option to point to a Docker configuration where registry login credentials can be sourced. -
The
podman ps --format
command now supports the new.Label
format specifier. -
The
uidmapping
andgidmapping
options to thepodman run --userns=auto
option can now map to host IDs by prefixing host IDs with the@
symbol. - Quadlet now supports systemd-style drop-in directories.
-
Quadlet now supports creating pods by using the new
.pod
unit files. -
Quadlet now supports two new keys,
Entrypoint
andStopTimeout
, in.container
files. -
Quadlet now supports specifying the
Ulimit
key multiple times in.container
files to set more than oneulimit
on a container. -
Quadlet now supports setting the
Notify
key tohealthy
in.container
files, to only notify that a container has started when its health check begins passing. -
The output of the
podman inspect
command for containers has changed. TheEntrypoint
field changes from a string to an array of strings andStopSignal
from an integer to a string. -
The
podman inspect
command for containers now returns nil for health checks when inspecting containers without health checks. - It is no longer possible to create new BoltDB databases. Attempting to do so results in an error. All new Podman installations now use the SQLite database backend. Existing BoltDB databases remain usable.
- Support for CNI networking is gated by a build tag and is not enabled by default.
-
Podman now prints warnings when used on
cgroups v1
systems. Support forcgroups v1
is deprecated and will be removed in a future release. You can set thePODMAN_IGNORE_CGROUPSV1_WARNING
environment variable to suppress warnings. - Network statistics sent over the Docker-compatible API are now per-interface, and not aggregated, which improves Docker compatibility.
-
The default tool for rootless networking has been changed from
slirp4netns
topasta
for improved performance. As a result, networks namedpasta
are no longer supported. - Using multiple filters with the List Images REST API now combines the filters with AND instead of OR, improving Docker compatibility.
The parsing for a number of Podman CLI options which accept arrays has been changed to no longer accept string-delimited lists, and instead to require the option to be passed multiple times. These options are:
-
The
--annotation
option topodman manifest annotate
andpodman manifest add
-
The
--configmap
,--log-opt
, and--annotation
options topodman kube play
-
The
The
--pubkeysfile
option topodman image trust set
-
The
--encryption-key
and--decryption-key
options topodman create
,podman run
,podman push
andpodman pull
-
The
--env-file
option topodman exec
, the--bkio-weight-device
,--device-read-bps
,--device-write-bps
,--device-read-iops
,--device-write-iops
,--device
,--label-file
,--chrootdirs
,--log-opt
,--env-file
options topodman create
andpodman run
-
The
--hooks-dir
and--module
global options
-
The
-
The
podman system reset
command no longer waits for running containers to stop, and instead immediately sends theSIGKILL
signal. -
The
podman network inspect
command now includes running containers that use the network in its output. -
The
podman compose
command is now supported on other architectures in addition to AMD and Intel 64-bit architectures (x86-64-v2) and the 64-bit ARM architecture (ARMv8.0-A).. -
The
--no-trunc
option to thepodman kube play
andpodman kube generate
commands has been deprecated. Podman now complies to the Kubernetes specification for annotation size, which removes the need for this option. -
Connections from the
podman system connection
command and farms from thepodman farm
command are now written to a new configuration file calledpodman-connections.conf
file. As a result, Podman no longer writes to thecontainers.conf
file. Podman still respects existing connections fromcontainers.conf
. -
Most
podman farm
subcommands no longer need to connect to the machines in the farm to run. -
The
podman create
andpodman run
commands no longer require specifying an entrypoint on the command line when the container image does not define one. In this case, an empty command is passed to the OCI runtime, and the resulting behavior is runtime-specific. -
A new API endpoint,
/libpod/images/$name/resolve
, has been added to resolve a potential short name to a list of fully-qualified image references Podman, which you can use to pull the image.
For more information about notable changes, see upstream release notes.
The --compat-volumes
option is available for Podman and Buildah
You can use the new --compat-volumes
option with the buildah build
, podman build
, and podman farm build
commands. This option triggers special handling for the contents of directories marked using the VOLUME
instruction such that their contents can subsequently only be modified by ADD
and COPY
instructions. Any changes made in those locations by RUN
Instructions will be discarded. Previously, this behavior was the default, but it is now disabled by default.
A new rhel10-beta/rteval
container image
The real-time registry.redhat.io/rhel10-beta/rteval
container image is now available in the Red Hat Container Registry to run latency analysis on either a standalone RHEL installation. With rhel10-beta/rteval
container image, you can perform latency testing within a containerized setup to determine if such a solution is viable for your real-time workloads or to compare results against a bare-metal run of rteval
. To use this feature, subscribe to RHEL with real-time support. No tuning guidelines are provided.
Jira:RHELDOCS-18522[1]
The containers.conf
file is now read-only
The system connections and farm information stored in the containers.conf
file is now read-only. The system connections and farm information will now be stored in the podman.connections.json
file, managed only by Podman. Podman continues to support the old configuration options such as [engine.service_destinations]
and the [farms]
section. You can still add connections or farms manually if needed however, it is not possible to delete a connection from the containers.conf
file with the podman system connection rm
command.
You can still manually edit the containers.conf
file if needed. System connections that were added by Podman v4.0 remain unchanged after the upgrade to Podman v5.0.
macvlan
and ipvlan
network interface names are configurable in containers.conf
To specify macvlan
and ipvlan
networks, you can adjust the name of the network interface created inside containers by using the new interface_name
field in the containers.conf
configuration file.
Jira:RHELDOCS-18769[1]
bootc-image-builder
now supports defining and injecting custom Kickstart files to ISO builds
With this enhancement, now you can define a Kickstart by setting users, customize partitioning, inject key, and inject the kickstart file to an ISO build to configure the installation process. The resulting disk image creates a self-contained installer that automates and deploys devices, disconnected systems, edge devices, between others. As a result, it is much easier to create customized media with bootc-image-builder
.
Jira:RHELDOCS-18734[1]
Support to building GCP images by using bootc-image-builder
By using the bootc-image-builder
tool you can now generate .gce
disk images and provision the instances on the Google Compute Engine (GCE) platform.
Jira:RHELDOCS-18472[1]
Support to creating and deploying VMDK with bootc-image-builder
With this enhancement, now you can create a Virtual Machine Disk (VMDK) from a bootc image, by using the bootc-image-builder
tool, and deploy VMDK images to VMware vSphere.
Jira:RHELDOCS-18398[1]
The podman pod inspect
command now provides a JSON array regardless of the number of pods
Previously, the podman pod inspect
command omitted the JSON array when inspecting a single pod. With this update, the podman pod inspect
command now produces a JSON array in the output regardless of the number of pods inspected.
Jira:RHELDOCS-18770[1]
The composefs filesystem is now available
The composefs read-only filesystem is now fully supported. This is generally intended only to be used by the bootc/ostree and podman projects at the current time. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images on runtime. As a result, you have a fully verified filesystem tree mounted, with opportunistic fine-grained sharing of identical files.
Jira:RHEL-18157[1]