Chapter 6. New features and enhancements
This version adds the following major new features and enhancements.
6.1. Installer and image creation
New boot menu entry for fips=1 added to ISO installations
With this update, the DVD and Boot ISO image installations provide a new boot menu entry for setting the fips=1 kernel boot option. This simplifies the process, as enabling FIPS mode during the RHEL installation ensures that the system generates all keys with FIPS-approved algorithms and has continuous monitoring tests in place. By using this boot option, you start the installation with the fips=1 kernel parameter and you can target the system’s compliance with Federal Information Processing Standards (FIPS) 140 requirements.
Soft reboots are now available in RHEL
Systemd now offers soft reboots, a capability for rebooting userspace without requiring full system downtime. Key enhancements include:
- Reduced downtime: Perform a soft reboot to update system state without the time-consuming process of a full reboot, which benefits scheduled maintenance and troubleshooting.
- Flexible patching: Apply certain userspace updates, such as openssl, glibc, and dbus-broker, without requiring a full system reboot.
- Image mode integration: In image mode, soft reboots either restart userspace when no update is staged or seamlessly switch to a staged update if one is present, excluding kernel changes.
- Improved immutability experience: Soft reboots simplify the adoption of new image versions on immutable systems by reducing the need for frequent full reboots.
Known limitations:
- Kernel modules: Changes to kernel modules may result in mismatches with the running kernel after a soft reboot.
- Kernel and firmware updates: Soft reboots do not apply kernel, kpatch, or firmware initialization changes.
Jira:RHELDOCS-20453[1]
The rpm command is now available in the installation environment
Previously, the rpm command was not included in the installation environment. With this update, the rpm command is now included. Users can use this command when installing RHEL, for example, in the %post Kickstart scripts.
Jira:RHEL-101695[1]
The blueprint file customization now supports a URI field for referencing files from external sources
This update adds the URI field support to the blueprint file customization structure. As a result, you can reference and source files from external locations rather than only those included directly in the blueprint, providing more flexible customization of the build system and a more adaptable build experience.
Jira:RHELDOCS-21016[1]
RHEL image builder supports a new image type vagrant-libvirt for vagrant
With this update, RHEL image builder supports the libvirt hypervisor, and you can easily run RHEL virtual machines by using Vagrant. This enhancement provides pre-configured images to ensure a consistent and streamlined setup. It also grants sudo privileges to the vagrant user within the Vagrant box, making it easier to manage and execute administrative tasks. These enhancements deliver a more efficient and seamless experience when working with RHEL virtual machines in Vagrant environments.
Jira:RHELDOCS-21025[1]
RHEL Image Builder now supports WSL2 images
You can now use the RHEL image builder to create Windows Subsystem for Linux (WSL2) images. The image type is available in the wsl format, and to consume the image, deploy it by double-clicking the generated file.
Jira:RHELDOCS-20633[1]
RHEL Image Builder GUI supports modularized content discovery
Starting from RHEL 9.7, RHEL Image Builder Graphical User Interface (GUI) supports modularized content discovery. This capability introduces the following enhancements:
- When creating RHEL OS images, you can use the RHEL Image Builder GUI to discover and include modularized content from various repositories, including RHEL AppStream and third-party repositories, for example, Extra Packages for Enterprise Linux (EPEL).
- Enhanced modularity support in RHEL. Application Streams leverage DNF modularity and modulemd metadata to provide flexible package management. You can specify version streams and use case profiles in the modules with support for default streams and profiles.
- DNF modularity implementation updates. The @ character syntax for specifying RPM groups enables and installs module streams, providing compatibility for kickstart files.
Jira:RHELDOCS-21026[1]
image-installer provides a new boot menu entry for fips=1
In this update, the image-installer ISO image type provides a new boot menu entry for setting the fips=1 kernel boot option during installation. This simplifies the process, as in RHEL 10, you cannot switch an installed system to FIPS mode, and you must add fips=1 to the kernel command line when starting the installation. By setting fips=1 for the installation, you can target the system’s compliance with Federal Information Processing Standards (FIPS) 140 requirements.
Logical volume devices in /etc/fstab now use UUID in the fs_spec field
After installation, the system writes logical volume (LV) devices in /etc/fstab by using UUID in the fs_spec field. This change provides the following benefits:
- Ensures consistency across all device entries in /etc/fstab.
- Supports LV or volume group (VG) renaming without changes in /etc/fstab.
- Keeps /etc/fstab valid after re-encrypting devices with LUKS.
- Preserves correct mapping of the root (/) and other mounts across re-provisioning, even if device-mapper paths change.
- Offers predictable and portable configs as UUIDs are globally unique identifiers stored in the file system superblock.
Jira:RHEL-87651[1]
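The following Python audit, added here as an example and not part of the release notes or Red Hat's tooling, finds /etc/fstab entries that still name a logical volume by device path (/dev/mapper/vg-lv or /dev/vg/lv) instead of the UUID= form the installer now writes; the fstab content is constructed, and the /etc/fstab path and blkid hint are the only real-system assumptions.

```python
"""Audit fstab content for logical-volume entries whose fs_spec is still a
device path rather than UUID=, so an older or hand-edited file can be
brought in line with what the installer now writes.

Added example, not Red Hat's code. The fstab text below is constructed;
pass open('/etc/fstab').read() to find_lv_path_entries() to audit a real
system.
"""
import re

# LV device paths appear as /dev/mapper/<vg>-<lv> or /dev/<vg>/<lv>.
# The second form excludes well-known non-LVM directories under /dev.
_LV_PATH = re.compile(
    r"^(/dev/mapper/[^/\s]+|/dev/(?!disk/|mapper/|block/|md\d)[^/\s]+/[^/\s]+)$"
)

SAMPLE_FSTAB = """\
# constructed sample: device-path LV entries mixed with a UUID entry
/dev/mapper/rhel-root   /        xfs   defaults        0 0
UUID=3f2c8b1e-aaaa-bbbb-cccc-1234567890ab /boot xfs defaults 0 0
/dev/rhel/home          /home    xfs   defaults        0 0
/dev/mapper/rhel-swap   none     swap  defaults        0 0
/dev/sda1               /mnt/usb ext4  noauto          0 0
proc                    /proc    proc  defaults        0 0
"""


def parse_fstab(text):
    """Yield (line_no, fs_spec, mount_point, fs_type) for every data line,
    skipping blank lines and comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3:
            continue
        yield no, fields[0], fields[1], fields[2]


def find_lv_path_entries(text):
    """Return the entries that name an LV by device path instead of UUID=.

    Entries already using a tag (UUID=, LABEL=, PARTUUID=, ...) and
    pseudo file systems are accepted; plain partitions such as /dev/sda1
    are not LVs and are left alone.
    """
    flagged = []
    for no, spec, mnt, fstype in parse_fstab(text):
        if "=" in spec or fstype in ("proc", "sysfs", "tmpfs", "devpts"):
            continue
        if _LV_PATH.match(spec):
            flagged.append({"line": no, "fs_spec": spec, "mount": mnt})
    return flagged


def main():
    entries = find_lv_path_entries(SAMPLE_FSTAB)
    if not entries:
        print("all LV entries already use UUID=")
        return
    for e in entries:
        # blkid -s UUID -o value <dev> prints the file system UUID stored in
        # the superblock, which is the value fstab's UUID= field expects.
        print(f"line {e['line']}: {e['fs_spec']} mounted at {e['mount']} "
              f"-> replace with UUID=$(blkid -s UUID -o value {e['fs_spec']})")


if __name__ == "__main__":
    main()
```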
6.2. Security
RHEL 10.1 crypto-policies enable PQC algorithms by default
The system-wide cryptographic policies in RHEL 10.1 extend support for post-quantum cryptography (PQC) and enable PQC algorithms by default in all predefined policies. The most notable enhancements and fixes over the version in RHEL 10.0 include:
- Hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and pure Module-Lattice-Based Digital Signature Standard (ML-DSA) post-quantum cryptographic algorithms are enabled in LEGACY, DEFAULT, and FUTURE cryptographic policies with the highest priorities.
- The new NO-PQ subpolicy simplifies turning off the PQC algorithms.
- The TEST-PQ subpolicy no longer enables PQC algorithms as a Technology Preview, but you can use it to enable pure ML-KEM in OpenSSL.
- The FIPS cryptographic policy enables hybrid ML-KEM and pure ML-DSA post-quantum cryptographic algorithms.
- The new OpenSSL group selection syntax prioritizes post-quantum groups over classical ones. The behavior of earlier releases can be achieved only by disabling all PQ groups.
- The PQC algorithms are enabled for the Sequoia PGP tool in all policies.
- ML-DSA algorithms are enabled for GnuTLS TLS connections by default, and you can control them through the MLDSA44, MLDSA65, and MLDSA87 values.
- The ML-DSA-44, ML-DSA-65, and ML-DSA-87 PQC algorithms are enabled for NSS TLS connections in all cryptographic policies.
- The mlkem768x25519, secp256r1mlkem768, and secp384r1mlkem1024 hybrid ML-KEM groups are enabled for NSS TLS negotiations.
Jira:RHEL-113008, Jira:RHEL-106868, Jira:RHEL-86059, Jira:RHEL-103962, Jira:RHEL-92148, Jira:RHEL-101123, Jira:RHEL-97763, Jira:RHEL-98732, Jira:RHEL-85078
AD-SUPPORT-LEGACY subpolicy re-added to crypto-policies
The AD-SUPPORT-LEGACY cryptographic subpolicy, which is used to support legacy RC4 encryption for interoperability with outdated Active Directory implementations, is re-added to RHEL.
Jira:RHEL-93323[1]
OpenSSL rebased to 3.5
OpenSSL is rebased to upstream version 3.5. This version provides important fixes and enhancements, most notably the following:
- Added support for the ML-KEM, ML-DSA, and SLH-DSA post-quantum algorithms.
- Added the hybrid ML-KEM algorithms to the default TLS group list.
- Enhanced TLS configuration options.
- Added support for the QUIC transport protocol according to the IETF RFC 9000 draft.
- Added support for opaque symmetric key objects in the form of the EVP_SKEY data structure.
- Disabled the SHA-224 digest.
- SHAKE-128 and SHAKE-256 implementations no longer have a default digest length. Therefore, these algorithms cannot be used with the EVP_DigestFinal/_ex() function unless the xoflen parameter is set.
- Added a capability for a client to send multiple key shares in TLS 1.3 connections.
NSS rebased to 3.112
The NSS cryptographic toolkit packages have been rebased to upstream version 3.112, which provides many improvements and fixes, most notably the following:
- Added support for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA), which is a post-quantum cryptography (PQC) standard.
- Added hybrid support for the MLKEM1024 key encapsulation mechanism in SSL.
The following known issues occur in this version:
- Updating the NSS database password corrupts the ML-DSA seed. For more information, see RHEL-114443.
libreswan rebased to 5.3
The libreswan packages are rebased to the 5.3 upstream version.
Jira:RHEL-102733[1]
GnuTLS rebased to 3.8.10
The gnutls package is rebased to the 3.8.10 upstream release, which includes the following enhancements:
- You can set TLS certificate compression methods with the cert-compression-alg configuration option in the gnutls priority file.
- You can use all variants of ML-DSA private key formats defined in the draft-ietf-lamps-dilithium-certificates-12 document.
- You can use the ML-DSA-44, ML-DSA-65, and ML-DSA-87 signature algorithms in TLS.
- You can use PKCS#11 modules to override the default cryptographic backend as a Technology Preview. You can test this feature by specifying the [provider] section in the system-wide configuration to set the path and pin to the module.
Jira:RHEL-102557[1]
Sequoia PGP updated to support OpenPGP v6
With this update, sequoia-sq and sequoia-sqv can handle post-quantum cryptography (PQC) keys. The rpm-sequoia package newly supports verification of OpenPGP v6 signatures. As a result, you can use quantum-resistant digital signatures conforming to the Commercial National Security Algorithm Suite (CNSA) 2.0 standard.
Jira:RHEL-101952, Jira:RHEL-101906, Jira:RHEL-92148, Jira:RHEL-101905
selinux-policy rebased to 42.1
The selinux-policy packages are rebased to upstream version 42.1. This version contains many fixes and improvements, including packaging improvements. Notably, SELinux types related to the systemd generators have been added to the SELinux policy.
OpenSSL supports sslkeylogfile
OpenSSL supports the sslkeylogfile format for TLS. As a result, you can log all secrets produced by SSL connections by setting the SSLKEYLOGFILE environment variable.
Enabling the SSLKEYLOGFILE variable poses an explicit security risk. Recording the exchanged keys during an SSL session allows anyone with read access to the file to decrypt application traffic sent over that session. Use this feature only in test and debug environments.
NSS supports ML-DSA keys
With this update, the Network Security Services (NSS) database now supports using Module-Lattice-Based Digital Signature Algorithm (ML-DSA) keys. ML-DSA is a new signing algorithm approved by the National Institute of Standards and Technology (NIST) as resistant to attacks from a Cryptographically Relevant Quantum Computer (CRQC).
Hybrid ML-KEM cryptography works in FIPS mode
With this release, Hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) post-quantum cryptographic algorithms are supported in FIPS mode of RHEL. OpenSSL is able to fetch the Elliptic Curve Diffie-Hellman (ECDH) part of the new hybrid post-quantum groups from the FIPS provider when the system is running in FIPS mode. As a result, the OpenSSL library uses FIPS-compliant cryptography for the ECDH part of the hybrid post-quantum key exchanges.
OpenSSL 3.5 uses standard format for ML-KEM and ML-DSA
In RHEL 10.0, the oqsprovider library used a pre-standard format for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) private keys. With the rebase to OpenSSL 3.5, you must convert the ML-KEM and ML-DSA keys to the standard format by using the following command:
# openssl pkcs8 -in <old_private_key> -nocrypt -topk8 -out <standard_private_key>
Replace <old_private_key> with the path to the non-standard private key, and <standard_private_key> with the path where the standard key will be saved.
SCAP Security Guide rebased to 0.1.78
For additional information, see the SCAP Security Guide release notes.
SELinux policy modules related to EPEL packages moved to -extra subpackages in the CRB repository
In RHEL 10.0, SELinux policy modules related only to packages contained in the Extra Packages for Enterprise Linux (EPEL) repository and not to any RHEL package were moved from the selinux-policy package to the selinux-policy-epel package. This reduced the size of selinux-policy, enabling the system to perform operations such as rebuilding and loading the SELinux policy faster.
In RHEL 10.1, the modules from selinux-policy-epel are moved to the following -extra subpackages in the RHEL CodeReady Linux Builder (CRB) repository:
- selinux-policy-targeted-extra
- selinux-policy-mls-extra
This change enables the automatic installation of -extra SELinux policy modules when users enable the EPEL repository.
setroubleshoot-server no longer requires initscripts
Before this update, the %post and %postun scriptlets for the setroubleshoot-server SELinux diagnostic tool called /sbin/service. With this update, the scriptlets now directly call auditctl for reloading the auditd service, and bypass the use of /sbin/service. This enhancement simplifies the dependency structure and streamlines the execution of the scriptlets.
OpenSSH ignores invalid RSA hostkeys in known_hosts
Before this update, if known_hosts contained only a bad hostkey, the SSH connection failed with a bad hostkey: Invalid key length message when OpenSSH received a server hostkey, even if the server had valid hostkeys available. With this update, OpenSSH ignores RSA hostkeys that are invalid due to being too short in the known_hosts file. As a result, instead of a failed SSH connection, OpenSSH receives new keys and can establish a connection.
Jira:RHEL-83644[1]
Three RHEL services removed from SELinux permissive mode
The following SELinux domains for RHEL services have been removed from SELinux permissive mode:
- gnome_remote_desktop_t
- pcmsensor_t
- samba_bgqd_t
Previously, these services from packages recently added to RHEL 10 were temporarily set to SELinux permissive mode, which allows gathering information about additional denials while the rest of the system is in SELinux enforcing mode. This temporary setting has now been removed, and as a result, these services now run in SELinux enforcing mode.
Jira:RHEL-82672[1]
GnuTLS supports ML-DSA keys in TLS connections
With this update, the GnuTLS library supports using X.509 certificates with Module-Lattice-Based Digital Signature Algorithm (ML-DSA) keys in TLS 1.3 connections. For resistance against attacks by quantum computers, the certificate chain and the TLS handshake must be authenticated with a post-quantum algorithm, such as ML-DSA.
OpenSSH server supports Kerberos authentication indicators
When in Match configuration, OpenSSH server supports authentication indicators from Kerberos tickets. If the GSSAPIIndicators option is defined in sshd configuration, a Kerberos ticket that has indicators but does not match the policy is denied. If at least one indicator is configured, whether for access or denial, tickets without authentication indicators are explicitly rejected. For more information, see the sshd_config(5) man page on your system.
DNS over TLS is generally available in RHEL 10.1
Encrypted DNS (eDNS) is generally available to secure all DNS communication using the DNS-over-TLS (DoT) protocol. You can use eDNS to secure new RHEL installations during boot time, which ensures no plaintext DNS traffic is ever sent. You can also convert an existing RHEL system to use eDNS.
To perform a new installation with eDNS, specify the DoT-enabled DNS server by using the kernel command line. If you require a custom CA certificate bundle, you can install it only by using the %certificate section in the Kickstart file. Currently, the custom CA bundle can be installed only through Kickstart installation.
On an existing system, configure NetworkManager to use a new DNS plugin, dnsconfd, which manages the local DNS resolver (unbound) for eDNS. Add kernel arguments to configure eDNS for the early boot process, and optionally install a custom CA bundle.
As a result, you can encrypt all RHEL DNS traffic end-to-end using the DoT protocol and configure policies to prevent any fallback to insecure protocols. See Securing system DNS traffic with encrypted DNS for more details.
Jira:RHELDOCS-21104[1]
New package: fips-provider-next
The fips-provider-next package provides the next version of the FIPS provider that is submitted to the National Institute of Standards and Technology (NIST) for validation. The package is not installed by default because the openssl-fips-provider package is the validated OpenSSL FIPS provider. To switch from openssl-fips-provider to fips-provider-next:
# dnf swap openssl-fips-provider fips-provider-next
Jira:RHEL-105014[1]
Rsyslog imuxsock provides the new ratelimit.discarded counter
With this update, the imuxsock Rsyslog module includes a new counter, ratelimit.discarded, which tracks the number of messages dropped due to rate-limiting on the Unix socket. This enhancement provides administrators with visibility into message loss due to rate-limiting, enabling them to fine-tune their rate-limiting settings and prevent critical logs from being discarded.
Jira:RHEL-96589[1]
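As an added example, not part of the release notes, the following Python turns the new counter into a detection: it parses rsyslog impstats lines, tracks the cumulative imuxsock ratelimit.discarded value between samples, and reports intervals in which messages were dropped. It assumes impstats is loaded in its legacy line format (module name followed by counter=value pairs); the log lines are constructed.

```python
"""Detect Unix-socket message loss from rsyslog impstats output using the
imuxsock ratelimit.discarded counter.

Added example, not Red Hat's or rsyslog's code. Assumptions: impstats is
loaded with the legacy (non-JSON) output format, so each statistics line
looks like 'rsyslogd-pstats: imuxsock: submitted=N ratelimit.discarded=N ...'.
The sample lines are constructed. Counters are cumulative, so the check
works on deltas between consecutive samples.
"""
import re

STATS_RE = re.compile(r"rsyslogd-pstats: (?P<module>[\w.-]+): (?P<counters>.*)$")
COUNTER_RE = re.compile(r"(?P<key>[\w.]+)=(?P<val>\d+)")

SAMPLE_LOG = """\
Jan 10 12:00:00 host1 rsyslogd-pstats: imuxsock: submitted=1000 ratelimit.discarded=0 ratelimit.numratelimiters=2
Jan 10 12:00:00 host1 rsyslogd-pstats: imjournal: submitted=40 read=40 discarded=0 failed=0
Jan 10 12:01:00 host1 rsyslogd-pstats: imuxsock: submitted=1800 ratelimit.discarded=25 ratelimit.numratelimiters=3
Jan 10 12:02:00 host1 rsyslogd-pstats: imuxsock: submitted=2100 ratelimit.discarded=25 ratelimit.numratelimiters=3
Jan 10 12:03:00 host1 rsyslogd-pstats: imuxsock: submitted=9000 ratelimit.discarded=640 ratelimit.numratelimiters=5
"""


def parse_imuxsock_stats(text):
    """Return one {counter: int} dict per imuxsock impstats line, in order.
    Lines from other modules (imjournal, queues, ...) are ignored."""
    samples = []
    for line in text.splitlines():
        m = STATS_RE.search(line)
        if not m or m.group("module") != "imuxsock":
            continue
        counters = {k: int(v) for k, v in COUNTER_RE.findall(m.group("counters"))}
        samples.append(counters)
    return samples


def discard_alerts(samples, threshold=0):
    """Compare consecutive samples and report every interval in which
    ratelimit.discarded grew by more than `threshold` messages.

    loss_pct relates dropped messages to everything the socket saw in the
    interval (dropped + submitted), which is the figure to weigh against the
    imuxsock SysSock.RateLimit.Interval / SysSock.RateLimit.Burst settings.
    """
    alerts = []
    for i in range(1, len(samples)):
        prev, cur = samples[i - 1], samples[i]
        dropped = cur.get("ratelimit.discarded", 0) - prev.get("ratelimit.discarded", 0)
        submitted = cur.get("submitted", 0) - prev.get("submitted", 0)
        if dropped > threshold:
            total = dropped + submitted
            alerts.append({
                "interval": i,
                "dropped": dropped,
                "submitted": submitted,
                "loss_pct": round(100.0 * dropped / total, 1) if total else 0.0,
            })
    return alerts


def main():
    samples = parse_imuxsock_stats(SAMPLE_LOG)
    for a in discard_alerts(samples):
        print(f"interval {a['interval']}: {a['dropped']} messages discarded "
              f"({a['loss_pct']}% of {a['dropped'] + a['submitted']} seen)")


if __name__ == "__main__":
    main()
```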
The SELinux policy adds rules and type for the qgs daemon
The qgs daemon was added to RHEL with the linux-sgx package, which supports TDX confidential virtualization. The qgs daemon communicates with QEMU over a UNIX domain socket when the guest OS requests attestation of the virtual machine (VM). To make this possible, the SELinux policy adds a new qgs_t type, access rules, and permissions.
audit.cron helps to set up time-based auditd log rotation
With this update, the auditd.cron file has been added to the audit packages. This enhancement provides a clear, documented example of how to configure time-based auditd log rotation using existing tools. As a result, administrators have a simple, official guide to set up auditd log rotation based on time.
Jira:RHEL-77141[1]
Additional services confined in the SELinux policy
This update adds additional rules to the SELinux policy that confine the following systemd services:
- switcheroo-control
- tuned-ppd
As a result, these services no longer run with the unconfined_service_t SELinux label, which violated the CIS Server Level 2 benchmark "Ensure No Daemons are Unconfined by SELinux" rule, and run successfully in SELinux enforcing mode.
Jira:RHEL-69450, Jira:RHEL-83267
Rsyslog imfile provides the new deleteStateOnFileMove option
With this update, the new deleteStateOnFileMove parameter has been added to the imfile module, available as both a module-level and a per-action option. This enhancement addresses the issue of orphaned state files accumulating in the spool/ directory when monitored log files are rotated or moved. By enabling this parameter, you can automatically clean up these obsolete files when log files are moved, preventing disk space from being wasted and simplifying management.
Jira:RHEL-92757[1]
6.3. Software management
RPM supports spec-local file attributes and dependency generators
File attributes and their dependency generators are usually shipped in separate packages that you must install prior to building a package that uses these attributes. However, you might need a file attribute to take effect during the build of the package that ships this attribute. You might also need the file attribute just for building the package, without shipping the attribute at all.
With this update, you can register spec-local file attributes and generators by performing the following actions:
- Define the %_local_file_attrs macro. %_local_file_attrs accepts a colon-separated list of new attribute names to register directly in your spec file.
- Define one or more dependency generator macros for each attribute, such as %__NAME_provides or %__NAME_path, where NAME is the name of the local file attribute.
RPM then uses the file attributes for dependency generation when the spec file is built. As a result, you can create build-time file attributes that are not necessarily meant for installation.
For example, the following spec file snippet generates the provides for each packaged file by using the foobar.sh script bundled with your package’s sources:
Source1: foobar.sh
[...]
%define _local_file_attrs foobar
%define __foobar_provides %{SOURCE1}
%define __foobar_path .*
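To show what the script registered as __foobar_provides above actually does, here is an added example of such a generator in Python (not rpm's or Red Hat's code). It assumes the stdin/stdout protocol of rpm dependency generators (packaged file paths in, one per line; dependency strings out, one per line); the plugin directory and the foobar(...) capability namespace are invented for the example.

```python
#!/usr/bin/python3
"""Provides generator for the spec-local 'foobar' file attribute, i.e. what
the script registered as __foobar_provides (Source1) could contain.

Added example, not rpm's or Red Hat's code. Assumptions: rpm runs the
generator with the matching packaged file paths on stdin, one per line,
and reads the dependency strings it prints on stdout, one per line; the
plugin directory and the 'foobar(...)' namespace are invented here.
"""
import os
import sys

PLUGIN_DIR = "/usr/lib64/foobar/plugins/"   # hypothetical plugin location

# Constructed stand-in for the paths rpm would pipe in; because the spec
# sets __foobar_path .*, every packaged file reaches the generator.
SAMPLE_PATHS = [
    "/usr/bin/foobar",
    "/usr/lib64/foobar/plugins/libalpha.so",
    "/usr/lib64/foobar/plugins/beta.so",
    "/usr/lib64/foobar/plugins/README",
    "/usr/share/man/man1/foobar.1.gz",
]


def provides_for(paths):
    """Map packaged file paths to Provides strings.

    Each shared object under PLUGIN_DIR yields 'foobar(<plugin>)'; every
    other file yields nothing, since a generator must stay silent for files
    it does not understand rather than emit a bogus dependency.
    """
    caps = set()
    for path in paths:
        path = path.strip()
        if not path or not path.startswith(PLUGIN_DIR) or not path.endswith(".so"):
            continue
        name = os.path.basename(path)[:-len(".so")]
        if name.startswith("lib"):          # libalpha.so -> alpha
            name = name[3:]
        caps.add(f"foobar({name})")
    return sorted(caps)                      # deterministic output for reproducible builds


def main():
    # Under rpmbuild the paths arrive on stdin; on a terminal, use the sample.
    source = SAMPLE_PATHS if sys.stdin.isatty() else sys.stdin
    for cap in provides_for(source):
        print(cap)


if __name__ == "__main__":
    main()
```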
RPM records a checksum of the original package during installation
With this update, RPM records the SHA256 and SHA512 digests of the entire .rpm package during its installation. You can then retrieve these digests from the RPM database to verify that the installed package corresponds to a specific .rpm file. As a result, you can improve the integrity of your RHEL system by retrospectively verifying that the installed package set matches, bit-by-bit, a known set of .rpm packages, such as the ones available in a DNF repository.
To print the package digests of an installed package, use the following command:
$ rpm -q --qf "[%{packagedigestalgos:hashalgo} %{packagedigests}\n]" <package_name>
You can also customize which digest types are recorded in the database by configuring the new %_pkgverify_digests macro, for example:
%_pkgverify_digests 8:10
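The retrospective check described above, as an added Python example that is not rpm's or Red Hat's code: it parses the digests printed by the rpm -q query, recomputes them over the bytes of a .rpm file, and reports any mismatch. It assumes the query prints one "<ALGO> <hex>" pair per line; the sample output and the .rpm bytes are constructed so the check runs offline.

```python
"""Check that an installed package matches a specific .rpm file by comparing
the package digests RPM now records in its database with digests computed
over the .rpm file.

Added example, not rpm's code. Assumes the query
  rpm -q --qf "[%{packagedigestalgos:hashalgo} %{packagedigests}\n]" <name>
prints one '<ALGO> <hex>' pair per line; the sample output and the .rpm
bytes used below are constructed so the check runs offline.
"""
import hashlib
import hmac

# hashalgo names as printed by rpm -> hashlib constructors. PGP algorithm IDs
# 8 (SHA256) and 10 (SHA512) are what %_pkgverify_digests 8:10 records.
ALGO_MAP = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

SAMPLE_RPM_BYTES = b"constructed stand-in for the bytes of a .rpm file"


def parse_recorded_digests(text):
    """Parse the rpm query output into {ALGO: hexdigest}, ignoring algorithms
    this checker cannot compute."""
    recorded = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        algo, hexdigest = parts[0].upper(), parts[1].lower()
        if algo in ALGO_MAP:
            recorded[algo] = hexdigest
    return recorded


def make_recorded_output(data):
    """Build query output in the assumed format for constructed test data."""
    return "".join(f"{a} {ALGO_MAP[a](data).hexdigest()}\n" for a in ALGO_MAP)


def verify_package(rpm_bytes, recorded_text):
    """Return (ok, details). ok is True only when at least one recorded digest
    exists and every recorded digest matches the file bit-for-bit."""
    recorded = parse_recorded_digests(recorded_text)
    if not recorded:
        return False, {"checked": [], "mismatched": [], "error": "no usable digests recorded"}
    mismatched = []
    for algo, expected in recorded.items():
        actual = ALGO_MAP[algo](rpm_bytes).hexdigest()
        if not hmac.compare_digest(actual, expected):
            mismatched.append(algo)
    return not mismatched, {"checked": sorted(recorded), "mismatched": mismatched}


def main():
    recorded = make_recorded_output(SAMPLE_RPM_BYTES)
    print("intact file:  ", verify_package(SAMPLE_RPM_BYTES, recorded))
    print("altered file: ", verify_package(SAMPLE_RPM_BYTES + b"\x00", recorded))


if __name__ == "__main__":
    main()
```

On a real system, pass verify_package() the bytes of the .rpm from your repository and the output of the rpm -q command above for the installed package.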
System clock skew is reported during dnf transactions
Significant clock skew between a system and the entitlement server can make content repositories unavailable, even on properly registered systems. This is difficult to troubleshoot, particularly when a negative skew makes entitlements appear to start in the future.
With this enhancement, when subscription-manager detects a clock skew greater than 2 seconds, the following message is printed to stdout during a dnf transaction:
The system clock is skewed. There is a time difference of X.Y seconds with the entitlement server. Please check your clock settings to ensure access to all entitled content.
Additional DEBUG logging is written to the /var/log/rhsm/rhsm.log file when the skew exceeds 2 seconds, changing to a WARNING if it exceeds 15 minutes.
For instructions on how to keep your RHEL 10 system clock synchronized with an NTP server, see Configuring time synchronization.
Jira:RHEL-13374[1]
6.4. Shells and command-line tools
Support added for post-quantum cryptography in tog-pegasus
Previously, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.
With this update, two new files, /etc/pki/Pegasus/server-fallback.pem and /etc/pki/Pegasus/file-fallback.pem, are provided for the tog-pegasus server. These files are used to enable loading of a classic certificate and key when there is a requirement to use an ML-DSA certificate and a classic certificate chain at the same time. For more information, see /usr/share/doc/tog-pegasus/README.RedHat.SSL.
Jira:RHEL-93093[1]
Support added for post-quantum cryptography in sblim-sfcb
Previously, the package did not use post-quantum key exchange by default even if the peer supported it. Also, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.
With this update, two new configuration options sslKeyFallbackFilePath and sslCertificateFallbackFilePath are introduced in sblim-sfcb server configuration file. These options are disabled by default, but can be used to enable loading of classic certificate and key when there is a requirement to use an ML-DSA certificate and classic certificate chain at the same time.
The ECDH ephemeral key generation which prevents post-quantum key exchange by default was disabled in the sblim-sfcb server.
Jira:RHEL-93092[1]
Support added for post-quantum cryptography in openwsman
Previously, the package did not use post-quantum key exchange by default even if the peer supported it. Also, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.
With this update, two new configuration options ssl_cert_fallback_file and ssl_key_fallback_file are introduced in openwsman server configuration file. These options are disabled by default, but can be used to enable loading of classic certificate and key when there is a requirement to use an ML-DSA certificate and classic certificate chain at the same time.
The outdated SSL initialization which prevents post-quantum key exchange by default was removed from the openwsman server.
Jira:RHEL-93091[1]
openCryptoki provided in version 3.25.0
The openCryptoki packages are provided in version 3.25.0. Support has been added for the following:
In EP11:
- PKCS#11 v3.0 SHA3 and SHA3-HMAC mechanisms
- PKCS#11 v3.0 SHA3 mechanisms and MGFs for RSA-OAEP
- PKCS#11 v3.0 SHA3 variants of RSA-PKCS and ECDSA mechanisms
- Opaque secure key blob import via C_CreateObject
In ICA/Soft:
- PKCS#11 v3.0 SHAKE key derivation
- The CKM_AES_KEY_WRAP[_*] mechanisms
- The CKM_ECDH_AES_KEY_WRAP mechanism
- Key wrapping with AES-GCM
In CCA:
- CCA AES CIPHER secure key types
- The CKM_ECDH1_DERIVE mechanism
- Newer CCA versions on s390x and non-s390x platforms
- CKM_AES_GCM for single-part operations only
- CCA/Soft/ICA: The CKM_RSA_AES_KEY_WRAP mechanism.
- P11KMIP: Added a tool for importing and exporting PKCS#11 keys to a KMIP server.
- ICA: Report mechanisms depending on whether libica is in FIPS mode.
Jira:RHEL-73343[1]
6.5. Infrastructure services
RHEL is now equipped with dyninst version 13.0.0
The dyninst framework is rebased to upstream version 13.0.0. This version offers the following enhancements:
- Improved support for AMD GPU binaries.
- Improved parsing of x86 instructions and C++ DWARF constructs.
For more information, see the upstream documentation.
RHEL is now equipped with SystemTap version 5.3
SystemTap is rebased to version 5.3, and its multithreaded parsing capability now improves startup performance by reducing initialization time by several seconds.
elfutils is now rebased to version 0.193
elfutils 0.193 is now available in RHEL 10.1. The notable changes in this update include:
- debuginfod now supports CORS (webapp access) in the web API and provides a --cors option. The new --listen-address option enables binding the HTTP listen socket to a specific IPv4 or IPv6 address. The debuginfod client now caches x-debuginfod-* HTTP headers alongside downloaded files.
- The libdw library adds the dwarf_language and dwarf_language_lower_bound functions, with improved support for DWARF6 language metadata and new language constants for Nim, Dylan, Algol68, V, and Mojo. The dwarf_srclang function is forward-compatible with DWARF6 language constants.
- The libdwfl_stacktrace experimental interface can unwind stack samples into call chains and cache ELF data for multiple processes. This interface initially supports perf_events stack sample data and is provided as a Technology Preview.
- The libelf library has a more robust implementation of elf_scnshndx for ELF files with more than 64K sections.
- The readelf tool improves handling of corrupt ELF data. The output of the --section-headers option now includes a key to explain section flag meanings.
valgrind has been upgraded to upstream version 3.25.1
The upgrade from version 3.24.0 (RHEL 10.0) to the upstream version 3.25.1 (RHEL 10.1) provides the following notable enhancements:
- Added support for zstd-compressed debug sections.
- Extended to Linux syscalls: landlock*, io_pgetevents, open_tree, move_mount, fsopen, fsconfig, fsmount, fspick, userfaultfd.
- Enhanced file-descriptor tracking: --track-fds=yes and --track-fds=all apply the same behavior to inherited file descriptors as to standard input, standard output, and standard error.
- New option --modify-fds=high (use with --track-fds=yes) allocates higher-numbered descriptors first to help detect descriptor reuse issues.
- Helgrind configuration: warnings for pthread_cond_signal and pthread_cond_broadcast with an unlocked mutex are now controlled by --check-cond-signal-mutex=yes|no (default: no).
Architecture-specific enhancements:
- New IBM Z (s390x) NNPA hardware support.
valgrind package split into subpackages for flexible installation
Before this update, the valgrind package included all core functionality, post-processing scripts, GDB integration, and documentation in a single package which required you to install all components, even if you only needed specific features.
With this update, the valgrind package has been split into multiple subpackages. You can install only the components you require, such as the core valgrind functionality, post-processing scripts, GDB integration, or documentation.
Jira:RHEL-75470[1]
jemalloc 5.3.0 is integrated within Varnish
Before this update, some users reported excessive memory usage in Varnish following upgrades to newer versions of Red Hat Enterprise Linux. Despite setting explicit memory limits (for example, -s malloc,1G), memory consumption continued to grow over time.
With this enhancement, the jemalloc memory allocator library (version 5.3.0) is integrated within the Varnish package, replacing default glibc malloc. The integration of jemalloc 5.3.0 results in lower memory consumption, better performance, and greater memory stability for Varnish deployments, especially in high-load or long-running environments.
Jira:RHEL-45756[1]
The BrowseOptionsUpdate directive is now available in RHEL
The BrowseOptionsUpdate directive determines the source and update frequency of default printing options. It specifies whether the system retrieves options from a local system or a remote printing server, and if it updates them at service startup, at certain intervals, or not at all.
You can now add the BrowseOptionsInterval directive and its value to the /etc/cups/cups-browsed.conf file to achieve the required behavior. The directive offers these values:
- None (default): A local file, created from previous sessions, loads default options.
- Static: The cups-browsed service retrieves default options from the remote server when it starts.
- Dynamic: The system updates default options according to the BrowseInterval value, also defined in the /etc/cups/cups-browsed.conf file.
Note: You need to restart the service after changing the BrowseOptionsInterval directive values.
Jira:RHEL-87180[1]
6.6. Networking
NetworkManager and Nmstate support configuring IPv4 forwarding per interface
With this enhancement, NetworkManager can enable and disable IPv4 forwarding per network interface. This enables granular control directly in NetworkManager connection profiles, and updating sysctl kernel settings is no longer required. If you enable the ipv4.forwarding parameter in a profile, the corresponding interface acts as a router and forwards IPv4 packets. With the default value auto, NetworkManager enables IPv4 forwarding if any shared connection is active and, in other cases, it uses the kernel default value.
This feature is also available in Nmstate.
KTLS now supports rekeying for TLS 1.3
Kernel Transport Layer Security (KTLS), which is an unsupported Technology Preview in RHEL, now supports in-kernel rekeying for TLS 1.3. Previously, long-lived sessions with large data transfers were not possible because only a limited number of bytes could be sent with the initial key. With this enhancement, updates now occur seamlessly during an active session, supporting the transfer of large amounts of data without applications needing to restart connections. Note that, to use this feature, user-space libraries, such as OpenSSL and GnuTLS, must also support KTLS rekeying capability.
This enhancement supports rekeying only for TLS 1.3 and not renegotiation in TLS 1.2.
Jira:RHEL-86020[1]
Nmstate now supports the mtu and quickack route options
With this enhancement, you can use Nmstate to set the mtu and quickack route options. These settings are important for optimizing the network performance if the maximum transmission unit is different from the default and for tuning the TCP acknowledgment behavior. As a result, you now have more precise control over network traffic behavior.
Nmstate now supports configuring FEC settings for network interfaces
With this enhancement, you can now use Nmstate to apply Forward Error Correction (FEC) modes, such as RS-FEC, Base-R, and Disabled, to interfaces. These settings are crucial for improving data transmission reliability by detecting and correcting errors without retransmission. As a result, you can now use Nmstate to apply FEC settings instead of manually configuring them or using platform-specific tools.
An NBFT parser was added to nm-initrd-generator
NVMe Boot Firmware Table (NBFT) is a standard method for firmware to pass network and storage configuration from the pre-boot environment directly to the operating system by using an ACPI table. The nm-initrd-generator utility now uses this parser to automatically detect and apply this configuration, and creates the necessary connections without manual setup. This implementation replaces the 95nvmf module in dracut and relies on systemd automation for a more streamlined and robust boot sequence.
NetworkManager now supports fixed subnet IDs for downstream interfaces when using IPv6 prefix delegation
With this enhancement, you can now specify a fixed subnet ID for downstream interfaces in NetworkManager when you use IPv6 prefix delegation. In previous releases, when you rebooted the system, the subnet ID for these interfaces could change. With a fixed subnet ID, IPv6 addresses assigned to devices in the downstream network do not change when you reboot the RHEL host.
Nmstate now supports configuring routes by using a MAC address instead of an interface name
With Nmstate, you can create a network connection by assigning it to the MAC address of an interface. With this enhancement, you can use the profile name instead of the interface name in the next-hop-interface parameter in the routing configuration. With this feature, you can create static routes without knowing the interface name.
Jira:RHEL-80547[1]
Nmstate can assign settings to network interfaces based on PCI addresses
With this enhancement, you can use Nmstate to set up network interfaces based on their PCI address instead of a device name. Use this feature to ensure consistent configuration across nodes in a cluster. For further details, see Configuring an Ethernet connection with a dynamic IP address by using nmstatectl with a device path and Configuring an Ethernet connection with a static IP address by using nmstatectl with a device path.
Nmstate now supports egress and ingress priority mapping for VLAN interfaces
NetworkManager already supports configuring traffic priority mapping for VLAN interfaces. With this enhancement, the Nmstate library can also handle both egress and ingress priority quality of service (QoS) mapping rules. As a result, you can use Nmstate to create VLANs and define bidirectional priority mapping, helping manage traffic more precisely and efficiently.
Jira:RHEL-78334[1]
nmtui now supports configuring the loopback interface
NetworkManager already supports configuring the loopback interface by using the nmcli utility. This enhancement adds the same functionality to the nmtui application. As a result, you can configure IP addresses and routes on the loopback interface.
The NetworkManager-libreswan plugin supports using the Libreswan default values
With this enhancement, you can set the no-nm-default property in Libreswan VPN connection profiles to true to use Libreswan’s default values instead of NetworkManager’s. This ensures compatibility with configurations defined for native Libreswan. As a result, you can now, for example, configure subnet-to-subnet tunnels.
Bond configurations in Nmstate support optimization settings
With this enhancement, the Nmstate API supports the following bond options:
- lacp_active: Defines whether or not the Linux kernel periodically sends Link Aggregation Control Protocol Data Unit (LACPDU) frames. You can use this setting only in the 802.3ad bond mode.
- ns_ip6_target: Lists the IPv6 addresses to use as IPv6 monitoring peers when you set the arp_interval parameter to a value larger than 0.
As a result, administrators can use these settings to optimize a network bond to ensure stable connections, efficient bandwidth, and IPv6 compatibility.
iproute rebased to version 6.14.0
The iproute package has been updated to upstream version 6.14.0.
Notable enhancements:
- The ip nexthop command supports 16-bit nexthop weights.
- The ip link rmnet command supports flag handling.
- The ip lwtunnel command supports setting and getting the 'tunsrc' attribute.
- The ip monitor command adds support for monitoring multicast addresses (ip monitor maddress).
- The ip rule command supports the 'dscp' selector.
- The ip rule command supports flow labels.
- The ip route command supports IPv6 flow labels.
- The ip address and ip link show commands support the 'down' filter.
- The tc flower filter supports matching on tunnel metadata.
- The tc fq queuing discipline supports the TCA_FQ_OFFLOAD_HORIZON attribute.
- The tc utility supports the Hold/Release mechanism in Time-Sensitive Networking (TSN) as specified in the IEEE 802.1Q-2018 standard.
- The rdma monitor command adds support for monitoring Remote Direct Memory Access (RDMA) events.
- The vdpa utility supports setting the MAC address.
- Several man pages were improved.
Notable bug fixes:
- Some memory leaks were fixed.
- The error checking of the ip netconf command was fixed to prevent unnecessarily strict errors.
- Custom iproute2 settings in the /etc/iproute2/ directory work as expected.
New network packet drop reasons and MIB counters
The kernel’s networking stack now provides more detailed reasons when it drops network packets. This enhancement also adds two new Management Information Base (MIB) counters: LINUX_MIB_PAWS_TW_REJECTED and LINUX_MIB_PAWS_OLD_ACK. As a result, debugging and diagnosing network problems is now easier.
Jira:RHEL-88891[1]
The nft monitor trace command now displays connection tracking information
You can now use the nft monitor trace command to display details about connection tracking. This feature simplifies debugging connections and helps to better understand connection states.
Jira:RHEL-87758[1]
The fwctl subsystem has been added to the kernel
If the kernel lock-down feature is enabled, the kernel does not allow access to resource0 files in the /sys/ directory and PCI config spaces for security reasons. The fwctl kernel subsystem manages communication with the firmware in software-defined devices, such as the mlx5 network interface controller. This subsystem establishes a standardized and secure Remote Procedure Call (RPC) interface that enables user-space applications to interact with device firmware for diagnostics, configuration, and updates. In addition to the new subsystem, the mstflint utility now also uses the fwctl subsystem, so the utility functions fully in these locked-down environments.
Jira:RHEL-86015[1]
The ice driver now supports reducing the MSI-X vector usage for a PF to free vectors for associated VF
With this enhancement, you can now reduce the Message Signaled Interrupts eXtended (MSI-X) vectors allocated to a physical function (PF) to ensure that a sufficient number of vectors are available for associated virtual functions (VFs). For details, see Reducing the MSI-X vector usage for a physical function to free vectors for associated virtual functions.
Jira:RHEL-80554[1]
The named and dnssec utilities now support OpenSSL providers for hardware tokens
Before this update, support for using hardware security tokens to store private keys for DNSSEC zone signing was unavailable after the removal of OpenSSL ENGINEs. This functionality was required both for directly using hardware tokens with the named service and for the DNSSEC feature in the ipa-server-dns package.
With this update, the named and dnssec command-line utilities have been updated to support OpenSSL providers.
As a result, you can use OpenSSL providers to access both hardware and software tokens to store private keys. This restores the ability to use hardware tokens directly in the named service and enables the DNSSEC zone signing feature in the ipa-server-dns package.
6.7. Kernel
Kernel version in RHEL 10.1
Red Hat Enterprise Linux 10.1 is distributed with the kernel version 6.12.0-124.8.1.
Perf core counters supported on Intel Panther Lake CPUs
Previously, users could not monitor hardware events using perf core counters on Intel Panther Lake CPUs. With the addition of Panther Lake support in the perf package, users can access hardware event monitoring on this microarchitecture.
Jira:RHEL-47451[1]
The default measurement module for rteval is now rtla timerlat for better tracing of problem latencies
With this enhancement, you should be able to easily identify the source of problem latencies. The desired cyclictest measurement module can be chosen using the rteval.config file.
Jira:RHEL-97541[1]
kpatch-dnf plugin is updated with improved kernel management
Before this update, the kpatch-dnf plugin did not align kernel upgrades with kpatch support. As a consequence, administrators might install or upgrade to kernels that were not supported by kpatch, thereby increasing the risk of running unsupported kernels and reducing system stability.
With this update, the kpatch-dnf plugin enables administrators to focus kernel updates on those supported by kpatch. As a result, system upgrades are more reliable, and overall stability is improved.
Jira:RHEL-85686[1]
perf tool rebased to upstream v6.14
The perf tool and its kernel backend are rebased to align with upstream version v6.14. This update introduces several enhancements and bug fixes. Most notably, the following:
- Fixed the memory leak issue in the RAPL code.
- Added the per-core energy tracking support for AMD.
- Addressed memory leaks in perf trace.
- Added Processor Trace Trigger Tracing (PTTT) support in the perf tool.
- Supports the RDPMC metrics in clear mode.
- Added RAPL energy events support in the perf tool for the ARL-U platform.
These changes improve performance analysis and resolve known issues in the perf tool.
Jira:RHEL-77936[1]
Added support for virtio devices
Before this update, virtio devices inside KVM guests were all listed as type generic-ccw. With this enhancement, you can easily identify which device type is connected at which device number by using the lszdev command.
This enhancement also introduces additional chpstat fixes for Red Hat Enterprise Linux 10.0.z, improving DPU utilization scaling in reports (s390utils and s390-tools).
Jira:RHEL-73341[1]
Intel Arrow Lake U RAPL energy events support in kernel
The kernel package now supports RAPL (Running Average Power Limit) energy performance counters for the Intel Arrow Lake U microarchitecture. With this enhancement, the perf tool identifies power-consumption events for Arrow Lake U platforms to monitor energy usage for CPU cores, GPUs, packages, and system domains.
Jira:RHEL-53584[1]
Adaptive PEBS enables counter snapshotting support in perf on Intel Panther Lake
Before this update, the Linux kernel’s perf tool relied on software-based sample reads to collect performance event data. This approach introduced minor timing gaps and additional overhead when reading counters after an event overflow. With this update, adaptive PEBS counter snapshotting is available on Intel Panther Lake CPUs. With this feature, the kernel captures programmable counters, fixed-function counters, and performance metrics directly in the PEBS record by using the PEBS format version 6.
As a result, counter snapshotting provides a more accurate and lower-overhead alternative to software sample reads, improving performance monitoring and analysis capabilities.
Jira:RHEL-47443[1]
Intel Trace Hub supports Intel Panther Lake
Before this update, the kernel package did not support Intel Panther Lake (P, H, U variants) in Intel Trace Hub. With this update, device IDs for Panther Lake platforms are added to Intel Trace Hub in the kernel package.
As a result, systems based on Panther Lake can use Intel Trace Hub features for enhanced debugging and tracing capabilities.
Jira:RHEL-47423[1]
Perf uncore event support for Intel Clearwater Forest
The perf package adds uncore event monitoring on Clearwater Forest microarchitecture. With this enhancement, the perf package supports the uncore event monitoring on Clearwater Forest systems. As a result, users can perform advanced performance analysis and debugging on supported hardware.
Jira:RHEL-45094[1]
Perf core event support for Intel Clearwater Forest
The perf package adds core event monitoring on Clearwater Forest microarchitecture. As a result, users can monitor and analyze core-level performance events on Intel Clearwater Forest systems using perf.
Jira:RHEL-45092[1]
AMD Milan CPUs support per-core energy tracking with RAPL perf events
Before this update, energy monitoring on AMD systems was limited to package-level measurements. With this update, the kernel package supports per-core energy tracking through Running Average Power Limit (RAPL) performance events on AMD Milan CPUs. As a result, you can measure and analyze energy consumption at the individual core level for more granular performance and power management.
Jira:RHEL-24184[1]
Intel Arrow Lake H microarchitecture support added to intel_th
Before this update, Intel Trace Hub did not recognize Arrow Lake H NPK device IDs, which limited trace and debugging capabilities for systems using this hardware. With this update, the intel_th package supports the Intel Arrow Lake H microarchitecture in Intel Trace Hub. With the new support, users have enhanced tracing and debugging features on Arrow Lake H platforms.
Jira:RHEL-20109[1]
PerfMon support enabled for Intel Arrow Lake H in kernel
With this update, the kernel package provides PerfMon support for Core, Uncore, Cstate, and MSR features on the Intel Arrow Lake H microarchitecture. As a result, you can monitor and analyze performance metrics specific to Arrow Lake H systems by using the perf tool.
Jira:RHEL-20093[1]
KVM modules are integrated into the Realtime Kernel package
This update removes the generation of KVM module packages for the Realtime Kernel in RHEL, aligning with the decision to make the Realtime Kernel a deployment option for base RHEL. This change streamlines the deployment process, integrating KVM modules directly into the Realtime Kernel package and eliminating the separate kernel-rt-kvm package. As a result, users will experience a more seamless and efficient setup when deploying the Realtime Kernel on RHEL, improving the overall user experience.
Jira:RHEL-62687[1]
Added Processor Trace Trigger Tracing (PTTT) support in the perf tool
With this update, performance analysis is improved through the introduction of Processor Trace (PT) Trigger tracing. This enables software to select specific events as trigger points for pausing and resuming tracing activity, which improves the efficiency and accuracy of performance monitoring. The result is more efficient and targeted tracing and a clearer understanding of application performance.
Jira:RHEL-45090[1]
python-drgn rebased to version 0.0.31
python-drgn has been rebased to version 0.0.31. This update introduces several enhancements and new features:
- Added support for debuginfod, which enables automatic retrieval of debugging information from debuginfod servers.
- A new Module API, which provides improved extensibility and integration capabilities.
- Kernel stack unwinding without debugging symbols, allowing stack traces to be generated even when debug symbols are unavailable.
For a complete list of changes, see the upstream changelogs:
eBPF subsystem rebased to version 6.14
The eBPF subsystem is rebased to the Linux kernel upstream version v6.14. This version includes the following changes and enhancements:
- Support for uprobe session probes.
- Support for bpf_fastcall, a special annotation for eBPF helpers and kernel functions (kfuncs), which allows optimizing the execution of such helpers and functions.
- New kmem_cache eBPF iterator to allow eBPF programs to iterate over entries in /proc/slabinfo or /sys/kernel/slab.
- Support for a private stack in eligible eBPF programs, which allows preventing kernel stack overflows in nested eBPF programs.
- eBPF verifier improvement, which allows programs to avoid a NULL check on statically known map lookup keys.
- Removal of the "helper that may corrupt user memory!" warning message when using bpf_probe_write_user.
- Prevent infinite loops when using a combination of tail calls and freplace.
- Avoid potential kernel crashes when attaching eBPF programs to raw tracepoints with NULL arguments.
- The bpf_timer destroy procedure, which previously caused issues, has been fixed by the rebase.
- A fix in bpf_local_storage prevents the kmalloc call that caused "sleeping function called from invalid context" issues while using eBPF on the real-time kernel.
Jira:RHEL-78201[1]
perf tool rebased to upstream v6.15
The perf tool and its kernel backend are rebased to align with upstream version v6.15. This update introduces several enhancements and bug fixes. Most notably, the following:
- Added the --code-with-type option to perf annotate, enabling decoding of data structures from pointers.
- Refactored s390 cpum_sf and cpum_cf components.
- Addressed memory leaks in perf trace.
- Introduced hardware event support for RISCV CPUs.
- Extended functionality for the python-perf module.
- Enhanced perf report to display workload per parent and child processes.
- Updated PMU events and metrics for various Intel CPUs.
- Enabled Processor Trace (PT) Trigger tracing on Intel platforms.
These changes improve performance analysis, extend hardware support, and resolve known issues in the perf tool.
Jira:RHEL-78197[1]
crash rebased to 9.0.0
The crash package, which provides a kernel analysis utility for live systems and various types of dump files, has been rebased to upstream version 9.0.0. This version provides a number of fixes and enhancements, most notably the following:
- The internal gdb database has been updated to version 16.2.
- The crash utility now supports cross-compilations.
Default configuration now disables jitter entropy source in rng-tools
The jitter entropy source is now disabled by default in rng-tools. Modern CPUs provide a hardware entropy source, and most virtual machines offer the /dev/hwrng device as an entropy source from the virtual host. In these environments, the jitter entropy source consumes unnecessary CPU cycles. For older hardware without a hardware entropy source, you can explicitly enable the jitter entropy source in /etc/sysconfig/rngd.
As a result, the rngd daemon no longer consumes CPU cycles unnecessarily on systems that have hardware entropy sources.
stalld no longer conflicts with the working of the dl-server
With this release, the stalld functionality detects the dl-server in the host kernel and boosts only the tasks that the dl-server fails to run. Currently, dl-server does not boost FIFO tasks. You might prefer to keep using stalld in a system upgrade and disable dl-server. The dl-server is the only entity responsible for running the starving tasks.
6.8. Boot loader
Secure boot shim signing for RHEL 10 on x86_64 and aarch64
RHEL 10 requires a signed shim binary to enable secure boot on AMD and Intel 64-bit architectures and on the 64-bit ARM architecture. Without a signed and trusted shim, systems with enforced secure boot did not boot, which affected both enterprise and cloud deployments.
With this release, the shim package was signed and updated for x86_64 and aarch64. On x86_64, shim is signed by Microsoft Windows UEFI Driver Publisher and includes Red Hat Secure Boot CA 5 and CA 8 in the vendor database. On aarch64, shim is signed by Microsoft UEFI CA 2023 and includes Red Hat Secure Boot CA 8. The SBAT entries were updated to the latest levels.
As a result, RHEL boots with the secure boot feature enabled. Additionally, the fallback works properly, and all other bootloader components are correctly signed.
6.9. File systems and storage
multipathd supports file-based sockets
With this update, the multipathd daemon listens for commands on a file-based socket /run/multipathd.socket in addition to the abstract namespace socket. You can communicate with the host’s multipathd daemon from within a container by using a bind mount for the new socket file.
Jira:RHEL-82180[1]
LVM RAID repairs volumes after multiple simultaneous device failures
With this enhancement, you can use the lvconvert --repair /dev/VG-name/LV-name command to reintegrate missing RAID devices back into a striped RAID (raid4, raid5, and raid6). This repair process works even when the number of temporarily missing devices exceeds the fault tolerance of the RAID level, allowing for recovery once the devices reappear. Note that you must unmount and deactivate the volume and the file system on top before repairing them.
6.10. High availability and clusters
The IPaddr2 resource agent now detects network link failures
Before this update, the IPaddr2 resource agent did not monitor the link state of the network interface. As a consequence, an IPaddr2 resource continued to report success on a node even if the underlying interface was in a DOWN or LOWERLAYERDOWN state, preventing the cluster from recovering the resource on another node.
With this release, the IPaddr2 agent has been enhanced to check the interface’s link status.
As a result, an IPaddr2 resource correctly fails if its network interface goes down, allowing for a proper failover. You can disable this new default behavior by setting the check_link_status=false parameter in the resource configuration.
Jira:RHEL-85014[1]
AWS resource agents reuse IMDS tokens to improve reliability
Before this update, the AWS resource agents requested a new Instance Metadata Service (IMDS) token for every operation. This could lead to a large number of API calls on a single node, which increased the risk of resource failures, especially in environments with many AWS resources.
With this update, the AWS resource agents cache and reuse IMDS tokens until they expire.
As a result, the volume of API calls to the AWS metadata service is significantly reduced. This improves the performance and reliability of AWS resources in high-availability clusters.
Jira:RHEL-81237[1]
The awsvip resource agent allows specifying a network interface
Before this update, the awsvip resource agent always assigned the virtual IP address to the primary network interface of an EC2 instance. It was not possible to use a secondary network interface for the resource.
With this enhancement, an interface parameter has been added to the awsvip agent.
By using this parameter, you can specify to which network interface the agent should assign the virtual IP, which enables more flexible network configurations in AWS.
Jira:RHEL-81236[1]
The fence_sbd agent can automatically detect the SBD device
Before this update, when configuring a fence_sbd resource, you were required to explicitly specify the SBD device path by using the devices parameter.
With this update, the fence_sbd agent can now retrieve the device configuration from the system.
As a result, if you do not set the devices parameter when creating the fence_sbd resource, the agent automatically uses the device specified in the SBD_DEVICE variable within the /etc/sysconfig/sbd file.
Jira:RHEL-79799[1]
Watchdog device listing provides more detailed information
Before this update, when listing available watchdog devices, the output only displayed the device path, such as /dev/watchdog0. This made it difficult for administrators to distinguish between multiple devices on the same system.
With this update, the output includes the device path, identity, and driver for each watchdog. This allows for easy identification and selection of the correct device.
New fence agent for Nutanix AHV virtualization is now available
Previously, Red Hat High Availability Add-On did not provide a dedicated fence agent for Nutanix Acropolis Hypervisor (AHV) environments.
With this enhancement, the fence_nutanix agent is added.
As a result, you can now configure STONITH for cluster nodes running on the Nutanix AHV platform, enabling fully supported high-availability deployments.
Jira:RHEL-68322[1]
pcs warns users before removing the last fencing device
Before this update, pcs allowed users to disable or remove the last fencing device from a cluster without a warning. This could inadvertently leave the cluster in an unsupported state without any STONITH or SBD fencing configured.
With this enhancement, pcs now includes a safety check to prevent the accidental removal of all fencing mechanisms.
As a result, if you attempt an action that would leave the cluster without any fencing, pcs displays an error and blocks the change by default. For example, this occurs when you try to remove the last STONITH resource while SBD is disabled. You can override this safety check to force the change if needed.
pcs provides more detailed error messages for failed CIB updates
Previously, when a CIB update failed when using the pcs cluster edit or pcs cluster cib-push commands, the error message provided by Pacemaker was generic. It did not explain the specific reason for the failure, which made troubleshooting the invalid configuration difficult.
With this enhancement, pcs is updated to request a detailed validation check from Pacemaker upon a failed CIB push.
As a result, when a CIB update is rejected, pcs now displays a specific error message explaining what is wrong with the configuration.
The pcs alert config command now supports multiple output formats
Previously, the pcs alert config command displayed its output only in a human-readable plain text format. This format was not suitable for machine parsing or for easily replicating the configuration.
With this enhancement, a new --output-format option has been added to the pcs alert config command.
As a result, you can now display the configured alerts in one of three formats:
- text: Displays the output in plain text. This is the default format.
- json: Displays the output in a machine-readable JSON format, which is useful for scripting and automation.
- cmd: Displays the output as a series of pcs commands, which you can use to recreate the same alert configuration on a different system.
The pcs resource meta command is improved to support bundles and prevent guest node misconfiguration
Previously, the pcs resource meta command did not support managing meta attributes for bundle resources. Additionally, the command did not prevent users from incorrectly modifying the connection parameters of a guest node, which could lead to a misconfigured resource.
With this enhancement, the pcs resource meta command has been rewritten.
As a result, you can now use pcs resource meta to update meta attributes for bundle resources. In addition to this, when using the command on a guest node, it now prevents unintended changes to connection parameters, avoiding potential misconfigurations.
A new pcs command is available for renaming a cluster
Previously, it was not possible to change the name of an existing cluster using pcs commands. Administrators had to perform a series of manual steps, which were complex and could lead to errors.
With this enhancement, the pcs cluster rename command has been introduced.
As a result, you can now easily change the name of an existing cluster. To rename your cluster, run the following command:
pcs cluster rename <new-name>
The pcs node attribute and pcs node utilization commands now support multiple output formats
Previously, the pcs node attribute and pcs node utilization commands displayed their output only in a human-readable plain text format. This format was not suitable for machine parsing or for easily replicating the configuration.
With this enhancement, a new --output-format option has been added to the pcs node attribute and pcs node utilization commands.
As a result, you can now display the configured node attributes and utilization in one of three formats:
- text: Displays the output in plain text. This is the default format.
- json: Displays the output in a machine-readable JSON format, which is useful for scripting and automation.
- cmd: Displays the output as a series of pcs commands, which you can use to recreate the same configuration on a different system.
pcs automatically validates the CIB for potential issues
Previously, the pcs utility did not automatically run advanced validation checks on the Cluster Information Base (CIB). As a consequence, certain cluster misconfigurations could remain undetected during routine operations.
With this enhancement, pcs has been updated to integrate Pacemaker’s CIB validation tool into its workflow.
As a result, pcs now automatically performs a validation check and displays the results when you run the pcs status, pcs cluster edit, or pcs cluster cib-push commands.
New crypt resource agent for managing encrypted volumes
Previously, Red Hat High Availability Add-On did not provide a resource agent for managing encrypted devices. This made it difficult to configure volumes encrypted with cryptsetup as highly available resources within a Pacemaker cluster.
With this update, the new crypt resource agent has been introduced.
As a result, you can configure encrypted local or network volumes as cluster resources. The crypt agent uses cryptsetup to manage these devices. It supports unlocking volumes with a standard key_file and also supports network-bound unlocking using tang/clevis.
Jira:RHEL-13089[1]
6.11. Dynamic programming languages, web and database servers
The PostGIS extension is available for PostgreSQL
This enhancement adds the PostGIS extension to PostgreSQL. With this extension, PostgreSQL supports geographic objects, enabling spatial queries and analysis for Geographic Information System (GIS) applications, such as mapping, geolocation, and distance calculations within a relational database.
Jira:RHEL-81633[1]
6.12. Compilers and development tools
glibc now supports sched_setattr and sched_getattr for advanced scheduler options
Previously, glibc provided access to only a limited set of Linux scheduler options through functions defined in <sched.h>. This limitation required applications to use direct system calls or Linux kernel headers to access advanced scheduling features.
With this enhancement, the extensible scheduler configuration mechanism from sched_setattr and sched_getattr is now available through the glibc <sched.h> header file. This change includes support for additional scheduling policies, such as SCHED_DEADLINE.
As a result, applications can select from a wider range of scheduling options without relying on direct system calls or kernel-specific headers, improving portability and flexibility for developers.
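The following program is an added example, not code from the release notes or from glibc. It reads the calling thread's scheduling attributes with sched_getattr(), requests a SCHED_DEADLINE reservation with sched_setattr(), and falls back to SCHED_OTHER. On glibc 2.41 and later both functions and struct sched_attr come straight from <sched.h>; the conditional fallback that mirrors the kernel struct and calls syscall() is there only so the example also builds on older glibc and is the kind of code the new header support lets you delete. Admission to SCHED_DEADLINE requires CAP_SYS_NICE, so the example treats EPERM as an expected outcome rather than an error.

```c
/* Added example, not from the RHEL notes or glibc: read and change the calling
 * thread's scheduling attributes with sched_getattr()/sched_setattr().
 * On glibc 2.41 and later (RHEL 10.1) both come from <sched.h>; the fallback
 * mirrors the kernel's struct layout and uses syscall() so the example still
 * builds on older glibc. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__GLIBC__)
#  if __GLIBC_PREREQ(2, 41)
#    define HAVE_GLIBC_SCHED_ATTR 1
#  endif
#endif

#ifndef HAVE_GLIBC_SCHED_ATTR
struct sched_attr {            /* same layout as the kernel UAPI struct */
    uint32_t size;
    uint32_t sched_policy;
    uint64_t sched_flags;
    int32_t  sched_nice;
    uint32_t sched_priority;
    uint64_t sched_runtime;
    uint64_t sched_deadline;
    uint64_t sched_period;
    uint32_t sched_util_min;
    uint32_t sched_util_max;
};
static int sched_setattr(pid_t tid, struct sched_attr *attr, unsigned int flags)
{
    return (int)syscall(SYS_sched_setattr, tid, attr, flags);
}
static int sched_getattr(pid_t tid, struct sched_attr *attr, unsigned int size,
                         unsigned int flags)
{
    return (int)syscall(SYS_sched_getattr, tid, attr, size, flags);
}
#endif

#ifndef SCHED_DEADLINE
#define SCHED_DEADLINE 6
#endif
#ifndef SCHED_FLAG_RESET_ON_FORK
#define SCHED_FLAG_RESET_ON_FORK 0x01
#endif

/* Scheduling policy of the calling thread (0 == SCHED_OTHER), or -errno. */
int current_policy(void)
{
    struct sched_attr attr;
    memset(&attr, 0, sizeof attr);
    if (sched_getattr(0, &attr, sizeof attr, 0) != 0)
        return -errno;
    return (int)attr.sched_policy;
}

/* Ask for a SCHED_DEADLINE reservation of runtime_ns every period_ns with a
 * relative deadline of deadline_ns. Returns 0 or -errno. Admission needs
 * CAP_SYS_NICE and a feasible reservation, so unprivileged callers must expect
 * -EPERM and keep a fallback. RESET_ON_FORK is set because a deadline thread
 * cannot fork() without it. */
int request_deadline(uint64_t runtime_ns, uint64_t deadline_ns, uint64_t period_ns)
{
    struct sched_attr attr;
    if (runtime_ns == 0 || runtime_ns > deadline_ns || deadline_ns > period_ns)
        return -EINVAL;        /* the kernel rejects this ordering as well */
    memset(&attr, 0, sizeof attr);
    attr.size = sizeof attr;
    attr.sched_policy = SCHED_DEADLINE;
    attr.sched_flags = SCHED_FLAG_RESET_ON_FORK;
    attr.sched_runtime = runtime_ns;
    attr.sched_deadline = deadline_ns;
    attr.sched_period = period_ns;
    return sched_setattr(0, &attr, 0) == 0 ? 0 : -errno;
}

/* Return to SCHED_OTHER with the given nice value. Returns 0 or -errno;
 * lowering nice below the current value needs CAP_SYS_NICE or RLIMIT_NICE. */
int request_normal(int nice_value)
{
    struct sched_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.size = sizeof attr;
    attr.sched_policy = SCHED_OTHER;
    attr.sched_nice = nice_value;
    return sched_setattr(0, &attr, 0) == 0 ? 0 : -errno;
}

int main(void)
{
    int rc;
    printf("policy before: %d\n", current_policy());
    rc = request_deadline(1000000ULL, 5000000ULL, 10000000ULL);  /* 1 ms every 10 ms */
    printf("SCHED_DEADLINE request: %s\n", rc == 0 ? "granted" : strerror(-rc));
    if (rc == 0)
        request_normal(0);
    return 0;
}
```

Run it once as an unprivileged user and once as root (or with CAP_SYS_NICE) to see the difference; the parameter-ordering check in request_deadline mirrors what the kernel enforces, so a reservation with runtime larger than its deadline is rejected before any system call is made.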
Geomap support added for PCP Valkey datasource in grafana-pcp
Previously, users could not visualize PCP metrics on a map in Grafana because the PCP Valkey data source did not provide the longitude and latitude labels required for geomap panels. This limitation made it difficult to compare the performance of monitored systems across different locations.
With this enhancement, the PCP Valkey data source in grafana-pcp includes longitude and latitude labels from PCP metrics, allowing instances to be accurately placed on a geomap. Users can create geomap visualizations in Grafana to compare system performance geographically.
To create a geomap visualization for PCP metrics in Grafana:
- Create a new panel.
- Select the geomap panel type.
- Enter the metric you want to visualize in the query window, as you would for other PCP visualizations.
- In the Format drop-down menu below the query window, select Geomap.
- Grafana automatically detects the longitude and latitude labels and places the data on the map.
- For additional options and customization, see the Grafana documentation.
Jira:RHEL-77946[1]
llvm-toolset rebased to LLVM 20
The llvm-toolset is updated to LLVM 20, delivering improved code generation, performance optimizations, and expanded language front‑end and library support across C, C++, and Rust workflows. This rebase aligns dependent components in RHEL, including rebuilds for rust, annobin, bcc, bpftrace, qt5-qttools, and mesa. The build is validated with llvm-20.1.8-1.el10.
The notable changes are:
- Backend improvements, including fixes for ppc64le
- Optimizations and diagnostics enhancements in Clang and LLVM passes for general performance and reliability
- Toolchain ecosystem refresh with coordinated package rebuilds for compatibility with LLVM 20
- Continued deprecation of older targets, consistent with upstream direction for ARM and MIPS in this stream
GDB now supports IBM’s z17 CPU architecture
The gdb package is enhanced to support binaries that use new hardware instructions introduced with IBM’s z17 CPU architecture. This update enables developers and system administrators to debug applications compiled for the latest IBM Z hardware on RHEL 10.1.
Jira:RHEL-56897[1]
GCC Toolset 15 is now available
With this update, gcc-toolset-15 is now available in RHEL 10.1. The toolset includes the latest supported versions of GCC and related utilities, enabling developers to build, test, and deploy applications using up-to-date compiler technology.
Jira:RHEL-81745[1]
glibc provides the GLIBC_ABI_GNU2_TLS symbol on x86_64
glibc includes the GLIBC_ABI_GNU2_TLS symbol on x86_64 systems. Programs that use the gnu2 thread-local storage access convention might require this symbol to start. Before this update, if glibc did not provide this symbol, affected programs would fail to launch. With this update, programs that depend on GLIBC_ABI_GNU2_TLS start and run as expected.
glibc adds GLIBC_ABI_DT_X86_64_PLT symbol support for x86_64
Before this update, programs that required the GLIBC_ABI_DT_X86_64_PLT symbol failed to start when it was not available in glibc. With this enhancement, glibc includes the GLIBC_ABI_DT_X86_64_PLT symbol on x86_64 systems, and programs that require it now start and run as expected.
glibc header files updated to align with Linux 6.12 UAPI
The glibc header files in Red Hat Enterprise Linux 10 are updated to incorporate the latest Linux User-space API (UAPI) constants for MAP_*, PIDFD_*, SCHED_*, and SYS_* from Linux kernel version 6.12. As a result, developers can access new and revised UAPI constants when building applications, ensuring consistency and compatibility with the latest kernel features.
gdb is rebased to version 16.3
This update of gdb to version 16.3 in RHEL 10.1 provides the following notable enhancements:
- Removed support for Intel MPX.
- Added support for tagged data pointers, including Intel’s Linear Address Masking (LAM) and aarch64’s Memory Tagging Extension (MTE).
- Enabled background DWARF reading for improved performance.
- Enhanced Intel Process Trace (record btrace):
  - Asynchronous event printing enabled with set record btrace pt event-tracing.
  - Ptwrite payloads can now be accessed in Python as RecordAuxiliary objects.
- Improved Python integration:
  - Stop events now include a details attribute, mirroring MI "*stopped" events.
  - gdb.Progspace() no longer creates objects directly; objects must be obtained with other APIs.
  - User-defined attributes can be added to gdb.Inferior and gdb.InferiorThread objects.
  - Introduced new event source: gdb.tui_enabled.
  - Added gdb.record.clear, which clears the current recording’s trace data.
  - Added modules for handling missing objfiles and debug information. The new class gdb.missing_debug.MissingDebugInfo can be subclassed to handle missing debug information.
  - New attribute gdb.Symbol.is_artificial.
  - New constants for symbol lookup across multiple domains.
  - New function gdb.notify_mi(NAME, DATA) emits custom async notifications.
  - New attribute gdb.Value.bytes for reading and writing value contents.
  - Added gdb.interrupt to simulate a CTRL-C interrupt.
  - New attribute gdb.InferiorThread.ptid_string provides the target ID.
- Debug Adapter Protocol (DAP) changes:
  - Updated "scopes" request to include global variables and last return value.
  - "launch" and "attach" requests can be used at any time, effective after "configurationDone".
  - "variables" request no longer returns artificial symbols.
  - Added "process" event and support for the "cancel" request.
  - "attach" request now supports specifying the program.
- Introduced new commands for styling, language frame mismatch warnings, missing objfile handlers, and function call timeouts.
- Enhanced and renamed several commands, including improved error handling for disassemble and renaming set unwindonsignal to set unwind-on-signal.
- Expanded remote packet support, including new packets for file status and memory fetch, and new stop reasons such as clone.
- Introduced per-thread event reporting options and address tagging checks.
GCC tuning for IBM z16 is default on s390x
The default tuning for code generated by the gcc compiler on the s390x architecture in RHEL 10.1 now aligns with IBM z16.
Before this update, the default tuning for s390x code generation in gcc was set for older IBM architectures.
With this update, code compiled with gcc on s390x in RHEL 10.1 is tuned for IBM z16 by default. If you need to optimize for a different architecture, you can override this setting by specifying the desired architecture with the -mtune flag during gcc invocation.
Jira:RHEL-86679[1]
Initial support for IBM Z z17 added to glibc
The dynamic loader in glibc is enhanced to support detecting IBM z17 CPUs or their specific features. As a result, any IBM z17-optimized libraries installed in the /usr/lib64/glibc-hwcap/z17/ directory are loaded automatically on z17 systems. This update improves hardware compatibility and performance for IBM Z z17 platforms.
Jira:RHEL-72564[1]
Rust Toolset rebased to version 1.88.0
RHEL 10.1 is distributed with Rust Toolset in version 1.88.0. This update includes the following notable enhancements:
- Rust 2024 Edition is now stable. This is a major opt-in release that enables significant language changes and is the largest edition released to date.
- Leverage the 2024 Edition with let chains, allowing fluent &&-chaining of let statements within if and while conditions to reduce nesting and improve readability.
- For high-performance computing, when you enable target features, you can call multiple std::arch intrinsics directly in safe Rust, which gives you direct access to specific CPU features.
- async closures are now supported, providing first-class solutions for asynchronous programming. These closures allow borrowing from captures and properly express higher-ranked function signatures with the AsyncFn traits.
- Trait upcasting allows coercing a reference to a trait object to a reference of its supertrait, simplifying common patterns, especially with the Any trait.
- Cargo now automatically cleans its cache, removing old downloaded files not accessed in 1-3 months, which helps manage disk space.
Rust Toolset is a rolling Application Stream, and Red Hat only supports the latest version. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
tzdata includes the NEWS file
With this update, the tzdata package includes its NEWS file with each release, so you can review a precise description of the time zone data changes in each update.
Jira:RHEL-105042[1]
Red Hat build of OpenJDK 25 is available
Red Hat introduces the latest long term support (LTS) release of the Red Hat build of OpenJDK (Open Java Development Kit) 25, a free and open source implementation of the Java Platform, Standard Edition (Java SE). Red Hat build of OpenJDK 25 is available starting from RHEL 10.1. For more information about OpenJDK Life Cycle, Support Policy, and all supported configurations, see the OpenJDK Life Cycle and Support Policy.
OpenJDK 25 includes a number of enhancements and additions to the Java specification, multiple bug and stabilization fixes, and general performance improvements and new features, such as the following improvements:
- Java Flight Recorder enhancements (cooperative sampling, method timing and tracing)
- Generational Shenandoah garbage collector
- Late barrier expansion and region pinning for the G1 garbage collector
- Ahead-Of-Time class loading and linking
- Compact object headers
- Synchronize virtual threads without pinning
- Compact source files and instance main methods
- Unnamed variables and patterns
- Scoped values
- Stream Gatherers
- Launch multi-file source-code programs
For the complete list of new features since the last LTS release, see JEPs in JDK 25 integrated since JDK 21.
Jira:RHEL-100678[1]
6.13. Identity Management
ipa-healthcheck now warns about expiring certificates
With this update, the ipa-healthcheck tool now evaluates user-provided HTTP, DS, and PKINIT certificates for expiration and provides warnings 28 days prior to their expiration date. This is to prevent certificate expirations going potentially unnoticed, which can lead to downtime.
Jira:RHELDOCS-20303[1]
ansible-freeipa rebased to 1.15.1
The ansible-freeipa package, which provides modules and roles to manage Red Hat Identity Management (IdM) environments, has been rebased from version 1.13.2 to 1.15.1. The update includes the following enhancement:
- The freeipa.ansible_freeipa collection that the ansible-freeipa RPM package provides is now compatible with the namespace and name of the redhat.rhel_idm collection provided by Red Hat Ansible Automation Hub (RH AAH). If you have installed the RPM package, you can now run playbooks that reference the AAH roles and modules. Note that internally, the namespace and names from the RPM package are used.
Jira:RHELDOCS-20257[1]
Healthcheck warns if krbLastSuccessfulAuth is enabled
Enabling the krbLastSuccessfulAuth setting in the ipaConfigString attribute can lead to performance issues if large numbers of users are authenticating at the same time. Therefore, it is disabled by default. With this update, Healthcheck displays a message if krbLastSuccessfulAuth is enabled, warning about the possible performance problems.
Jira:RHEL-84771[1]
IdM now supports UIDs up to Linux maximum UID limit for legacy systems compatibility
With this update, you can now use User and Group IDs up to 4,294,967,293, just below the 2^32-1 Linux UID limit. This aligns IdM’s maximum with the Linux UID limit and can be useful in rare cases where the standard IdM range, up to 2,147,483,647, is insufficient. Specifically, it enables IdM deployment alongside legacy systems that require the full 32-bit POSIX ID space.
In standard deployments, IdM reserves the 2,147,483,648 - 4,294,836,223 range for subordinate IDs (subIDs). Using the 2^31 to 2^32-1 UID range requires disabling the subID feature and therefore conflicts with modern Linux capabilities that depend on subIDs.
You can only disable the subordinate ID feature if no subordinate IDs have been allocated yet.
To enable UIDs up to 2^32-1:
- Disable the subordinate ID feature:
  $ ipa config-mod --addattr ipaconfigstring=SubID:Disable
- Remove any existing subordinate ID ranges:
  $ ipa idrange-del <id_range>
- On the IdM server, ensure the internal DNA plugin configuration is correctly removed:
  # ipa-server-upgrade
- Add a new local ID range that covers the 2^31 to 2^32-1 space. Ensure that you define RID bases for this new range so that IdM can generate SIDs properly for users and groups.
Jira:RHEL-67686[1]
samba rebased to version 4.22.4
The samba package has been updated to upstream version 4.22.4. This version provides bug fixes and enhancements, most notably the following:
- Samba supports Server Message Block version 3 (SMB3) directory leases. With this enhancement, clients can cache directory listings, which reduces network traffic and improves performance.
- Samba supports querying domain controller (DC) information by using TCP-based LDAP or LDAPS, as an alternative to the traditional UDP method on port 389. This enhancement improves compatibility with firewall-restricted environments. You can configure the protocol by using the client netlogon ping protocol parameter (default value: CLDAP).
- The following configuration parameters are removed:
  - nmbd_proxy_logon: This setting was used to forward NetLogon authentication requests to a Windows NT4 primary domain controller (PDC) before Samba introduced its own NetBIOS over TCP/IP (NBT) server.
  - cldap port: Connectionless Lightweight Directory Access Protocol (CLDAP) always uses UDP port 389. Additionally, the Samba code did not use this parameter consistently, so the behavior was inconsistent.
  - fruit:posix_rename: This option of the vfs_fruit module is removed because it could result in problems with Windows clients. As a possible workaround to prevent the creation of .DS_Store files on network mounts, run the defaults write com.apple.desktopservices DSDontWriteNetworkStores true command on macOS.
Note that the Server Message Block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.
Before starting Samba, back up the database files. Samba automatically updates its tdb database files when the smbd, nmbd, or winbind services start. Red Hat does not support downgrading tdb database files.
After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.
Identity Management Upgrade Helper
The Identity Management Upgrade Helper is a new application that simplifies upgrading your IdM environment to a newer RHEL version. It provides an upgrade plan with step-by-step instructions that are specific to your upgrade path. As a result, you can use the app to prepare your deployment, set up a new replica, and decommission an old server with clear instructions.
To use this app, see Identity Management Upgrade Helper on the Red Hat Customer Portal.
Jira:RHELDOCS-21103[1]
You can now use dsconf or the web console to exclude subtrees from the attribute uniqueness verification
With this update, you can configure the uniqueness-exclude-subtrees parameter for the Attribute Uniqueness plug-in directly through the dsconf utility and web console. Before this update, uniqueness-exclude-subtrees was set only by using the ldapmodify utility.
Use the --exclude-subtree option for the dsconf plugin attr-uniq set command to set the distinguished name (DN) under which the plug-in skips uniqueness verification of the attribute’s value. Alternatively, go to the Plugins menu in the web console, add or edit the Attribute Uniqueness plug-in configuration and set the Excluded Subtrees field.
389-ds-base rebased to version 3.1.3
The 389-ds-base package has been updated to version 3.1.3. This version provides various bug fixes and enhancements, most notably:
- Support of the Session Tracking Control internet draft
- The nsslapd-pwdPBKDF2NumIterations configuration attribute for the PBKDF2-* password storage plug-ins
- Log buffering for the error log
- Support of CRYPT-YESCRYPT as a password storage scheme
- JSON format for access and error logs
- Various dsidm bug fixes:
  - dsidm no longer fails with the argument must be a string or a number error.
  - dsidm get_dn no longer fails for an organizational unit, service and POSIX group.
  - dsidm uniquegroup members correctly displays the unique group members.
  - dsidm role rename-by-dn correctly renames a role.
  - dsidm -j account get-by-dn and dsidm -j role get-by-dn return the output in JSON format.
  - dsidm role subtree-status correctly displays a subtree status.
  - dsidm role create-nested and dsidm role create-filtered create nested and filtered roles.
  - dsidm role delete properly deletes a role.
  - dsidm user rename renames the user correctly.
  - dsidm account unlock correctly re-enables user accounts that reached the inactivity limit.
Custom matching rules in the Attribute Uniqueness plug-in to search uniqueness attributes
With this update, in the Attribute Uniqueness plug-in configuration, you can specify a matching rule for the attribute you want to enforce uniqueness on. This is useful, for example, when you want to override the attribute’s syntax from case exact to case ignore, or the reverse.
Specify attributes and their matching rules in the plug-in configuration, as follows:
uniqueness-attribute-name: <attribute>:<Matching rule OID>:
Before this update, if you used the attribute cn with a case exact syntax, the Attribute Uniqueness plug-in could not find a matching value if the case differed between the two values being compared. Now you can set the matching rule to case ignore so that the plug-in treats the values as matching:
uniqueness-attribute-name: cn:caseIgnoreMatch:
Jira:RHEL-109018[1]
JSON format is available for the access and error logs in 389-ds-base
With this update, you can use the following commands to configure JSON format for the access and error log files:
# dsconf <instance_name> logging access set log-format json
# dsconf <instance_name> logging error set log-format json
These commands set the nsslapd-accesslog-log-format or nsslapd-errorlog-json-format configuration attributes to json. As a result, access and error logging becomes more consumable by standard parsing tools.
Note that when you change the format setting, Directory Server rotates the current log file.
The new list --full-dn option is available for the dsidm utility
With this update, you can use the list --full-dn option to get the list of full distinguished names (DNs) of the entries of the same type. For example, to see the role DNs, use the following command:
# dsidm <instance_name> -b dc=example,dc=com role list --full-dn
Before this update, you had no option to determine the DNs of these entries with the dsidm tool because the existing list option only displays relative distinguished name (RDN) values.
389-ds-base log files now contain a session identifier for bind or modify operations
With this enhancement, the replication plugin works with the session tracking feature, correlating consumer activities with supplier server operations in 389-ds-base.
On the supplier side, when the replication debug level is enabled, the supplier error log contains messages as follows:
[time_stamp] - DEBUG - NSMMReplicationPlugin - repl5_inc_run - "EWBpte8J8Wx 2" - agmt="cn=004" (localhost:39004): State: wait_for_changes -> ready_to_acquire_replica
On the consumer side, without any debug log level, the access log contains messages as follows:
[time_stamp] conn=2 op=7 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="distinguishedName"
[time_stamp] conn=2 op=7 RESULT err=0 tag=101 nentries=1 wtime=0.000189515 optime=0.000171470 etime=0.000358345 notes=U,P details="Partially Unindexed Filter,Paged Search" pr_idx=0 pr_cookie=-1 sid="EWBpte8J8Wx 2"
As a result, you can trace the origin of a connection or operation across servers by matching the session identifier (sid) recorded in the consumer access log with the same identifier in the supplier error log, which makes troubleshooting replication problems more efficient.
Jira:RHEL-31959[1]
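The following script is an added example of using the session identifier for correlation; it is not part of 389-ds-base or its tooling. It parses consumer access log lines in the format shown above, pairs each request line with its RESULT line by (conn, op), groups the operations by sid, and flags the sessions that ran unindexed searches (the U note), which is what you would check first when a replication session is slow. The sample log is constructed: timestamps are shortened to [ts], and the second session id is invented.

```python
"""Correlate 389-ds-base access log operations by session identifier (sid).
Added example, not part of 389-ds-base. The sample log is constructed in the access log
format shown above; timestamps are abbreviated to [ts] and the second session is invented."""
import re
from collections import defaultdict

SAMPLE_ACCESS_LOG = """\
[ts] conn=2 op=7 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="distinguishedName"
[ts] conn=3 op=4 MOD dn="uid=alice,ou=people,dc=example,dc=com"
[ts] conn=2 op=7 RESULT err=0 tag=101 nentries=1 wtime=0.000189515 optime=0.000171470 etime=0.000358345 notes=U,P details="Partially Unindexed Filter,Paged Search" pr_idx=0 pr_cookie=-1 sid="EWBpte8J8Wx 2"
[ts] conn=3 op=4 RESULT err=0 tag=103 nentries=0 wtime=0.000012000 optime=0.000801000 etime=0.000813000 sid="Qz7LmP0aK1c 5"
[ts] conn=2 op=8 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="ALL"
[ts] conn=2 op=8 RESULT err=0 tag=101 nentries=1 wtime=0.000040000 optime=0.000050000 etime=0.000090000 sid="EWBpte8J8Wx 2"
[ts] conn=4 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[ts] conn=4 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000010000 optime=0.000020000 etime=0.000030000
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]*)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+(?P<kind>\w+)\s*(?P<rest>.*)$')
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value optionally double-quoted

def parse_access_log(text):
    """One record per (conn, op): the request line gives kind/target, the RESULT line adds
    err, etime, notes and sid. Records are returned in (conn, op) order."""
    records = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (int(m.group("conn")), int(m.group("op")))
        fields = {k: v.strip('"') for k, v in KV.findall(m.group("rest"))}
        rec = records.setdefault(key, {"conn": key[0], "op": key[1], "sid": None, "notes": ""})
        if m.group("kind") == "RESULT":
            rec.update(err=int(fields.get("err", -1)), etime=float(fields.get("etime", 0.0)),
                       notes=fields.get("notes", ""), sid=fields.get("sid"))
        else:
            rec.update(kind=m.group("kind"), target=fields.get("dn") or fields.get("base", ""),
                       filter=fields.get("filter"))
    return [records[k] for k in sorted(records)]

def sessions(records):
    """Group operations by sid; operations from clients without a session id land under None."""
    by_sid = defaultdict(list)
    for rec in records:
        by_sid[rec["sid"]].append(rec)
    return dict(by_sid)

def unindexed_by_session(records):
    """Sessions that ran unindexed searches (notes contains U), a frequent cause of replication lag."""
    hits = defaultdict(list)
    for rec in records:
        if "U" in rec["notes"].split(","):
            hits[rec["sid"]].append((rec["conn"], rec["op"]))
    return dict(hits)

if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    for sid, ops in sessions(recs).items():
        print(sid, [(r["conn"], r["op"], r.get("kind"), r["err"]) for r in ops])
    print("unindexed:", unindexed_by_session(recs))
```

Because the request line and its RESULT line can be separated by other connections' output, the pairing key is (conn, op) rather than line adjacency; the sid only appears on the RESULT line, so a session can only be attributed once the operation has completed.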
ACME server adds support for the ES256 signature algorithm
Previously, the Automatic Certificate Management Environment (ACME) server did not support the ES256 signature algorithm for JSON Web Key (JWK) validation. This lack of support prevented certain clients, such as the Caddy web server, from successfully obtaining certificates.
With this update, the ACME server has been enhanced to support the ES256 signature algorithm for JWK validation.
As a result, the server can interoperate with clients that use ES256, such as the Caddy web server, allowing them to successfully obtain certificates and establish secure HTTPS communication.
Jira:RHEL-98721[1]
IdM-to-IdM migration now available
IdM-to-IdM migration, previously available as a Technology Preview, is now fully supported with this release. You can use the ipa-migrate command to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, from one IdM server to another. This can be useful, for example, when moving IdM from a development or staging environment into a production one.
Jira:RHELDOCS-19500[1]
HSM is now fully supported in IdM
Hardware Security Modules (HSM) are now fully supported in Identity Management (IdM). You can store the key pairs and certificates for your IdM Certificate Authority (CA) and Key Recovery Authority (KRA) on an HSM. This adds physical security to the private key material.
IdM relies on the networking features of the HSM to share the keys between machines to create replicas. The HSM provides additional security without visibly affecting most IdM operations. When using low-level tooling the certificates and keys are handled differently but this is seamless for most users.
Migration of an existing CA or KRA to an HSM-based setup is not supported. You need to reinstall the CA or KRA with keys on the HSM.
You need the following:
- A supported HSM.
- The HSM Public-Key Cryptography Standard (PKCS) #11 library.
- An available slot, token, and the token password.
To install a CA or KRA with keys stored on an HSM, you must specify the token name and the path to the PKCS #11 library. For example:
# ipa-server-install -r EXAMPLE.TEST -U --setup-dns --allow-zone-overlap --no-forwarders -N --auto-reverse --random-serial-numbers --token-name=HSM-TOKEN --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so --setup-kra
Jira:RHELDOCS-17465[1]
6.14. SSSD
Improved smart card authentication for environments with multiple PKCS#11 tokens
SSSD smart card authentication has been enhanced to handle authentication in environments that have multiple PKCS#11 tokens inserted simultaneously. This improves authentication, especially in STIG compliant environments that require multiple user accounts, each with distinct privileges and often tied to a separate PKI token.
Previously, SSSD might fail to authenticate if the first checked token did not contain a matching certificate, because SSSD did not continue searching for the appropriate certificate on other available tokens. With this update, SSSD scans all inserted PKCS#11 tokens for a matching authentication certificate, so that users can authenticate successfully.
The new SSSD option ldap_read_rootdse to control RootDSE reads
With this update, SSSD provides a new option, ldap_read_rootdse, to control how SSSD reads Root Directory Service Entry (RootDSE) from the LDAP server. By default, SSSD attempts to read the RootDSE anonymously before the user authenticates. However, this default behavior might conflict with strict security policies that typically restrict all anonymous binds to the LDAP server.
To manage this behavior, you can configure the ldap_read_rootdse option to authenticated to instruct SSSD to read the RootDSE only after a successful user authentication, or set it to never to completely prevent SSSD from attempting the read.
Jira:RHEL-13086[1]
6.15. Desktop
OpenGL and Vulkan are supported by default in Toolbx containers based on UBI
Before this update, you had to manually install Mesa-related packages to enable OpenGL and Vulkan support, which was not intuitive or documented.
With this enhancement, OpenGL and Vulkan work by default inside Toolbx containers created from updated UBI-based toolbox images, matching the behavior on Red Hat Enterprise Linux Workstation hosts. This includes only the free software drivers provided by Mesa, not proprietary ones like NVIDIA.
As a result, OpenGL and Vulkan applications can run inside Toolbx containers without additional configuration, improving usability and consistency with the host system.
6.16. The web console
cockpit rebased to version 344
The cockpit packages have been rebased to version 344, which provides many improvements and fixes compared to version 334 in RHEL 10.0, most notably:
- Improved UI to the new style based on the PatternFly 6 design system.
- Added support for the SMART (Self-Monitoring, Analysis and Reporting Technology) standard and the Stratis 3.8+ pool format in the Storage component.
- Improved graphical VNC, control VNC, and serial consoles in the Virtual machines component.
- Added support for IPv6 addresses for WireGuard VPNs in the Networking component.
- All web console pages can be branded through the branding.css style-sheet file.
New subpackage: cockpit-ws-selinux
The SELinux policy for the cockpit_ws processes is now provided in a separate subpackage, cockpit-ws-selinux. This separation prevents the RHEL web console from failing on systems without SELinux installed, where the package manager would otherwise pull in the selinux-policy packages as dependencies. See the cockpit_ws_selinux(8) man page on your system for more information.
6.17. Red Hat Enterprise Linux System Roles
Introduced a variable MaxRetention to configure the maximum retention parameter
With this update, users can configure the maximum retention parameter for journald, enabling time-based deletion of journal files. This enhancement provides flexibility in managing log data according to specific data retention policies, allowing both time-based log deletion and size-based deletion. It helps with compliance with data retention requirements and improves overall system performance by preventing excessive log storage.
metrics role supports enabling additional PCP PMDA
With this update, the rhel-system-roles package adds the metrics_optional_domains variable to the metrics system role. A domain is a set of metrics managed by a Performance Metrics Domain Agent (PMDA), such as a database, specialized hardware, or an application. Use this variable to enable additional PMDAs. The role adds these PMDAs to the default set (for example, the kernel) and the PMDAs that the role manages explicitly (for example, SQL Server databases). As a result, users can enable the domains they require for their specific use cases, improving flexibility in data collection and monitoring.
Ability to configure the default kernel in rhel-system-roles
Previously, users could not specify which kernel should be set as the default during system boot. This limitation prevented administrators from managing the default kernel selection through automation.
With this update, the rhel-system-roles package introduces the ability to configure the default bootloader kernel using a new default option. Users can now designate a single kernel as the default by setting the default boolean parameter in the kernel settings. The system validates that only one kernel can be marked as default, and applies the selection using grubby --set-default as required.
This enhancement improves flexibility and simplifies automation when managing kernel versions in RHEL.
Jira:RHEL-101671[1]
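A playbook that uses this setting, as an added example and not from the rhel-system-roles documentation. The bootloader_settings structure with a kernel.path entry and a default boolean is assumed here to be the role's variable layout; the host name and the kernel path are placeholders, and the path must be one of the kernels already installed on the managed node because the role only selects among existing entries.

```yaml
# Added example: select one installed kernel as the default boot entry.
# Not from the rhel-system-roles documentation; bootloader_settings layout assumed,
# host name and kernel path are placeholders.
- name: Set the default kernel with the bootloader RHEL system role
  hosts: managed-node-01.example.com
  roles:
    - role: rhel-system-roles.bootloader
      vars:
        bootloader_settings:
          - kernel:
              path: /boot/vmlinuz-6.12.0-1.el10.x86_64   # placeholder, use an installed kernel
            default: true
```

Mark exactly one entry with default: true; the role rejects more than one, and the selection is applied with grubby --set-default, so you can confirm the result on the managed node with grubby --default-kernel.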
The ad_integration RHEL system role can control the SSSD domain section naming and consolidate duplicates
With this update, you can control the name of the section in the SSSD configuration file that holds the domain or realm-specific settings managed by the ad_dyndns_update and ad_integration_sssd_custom_settings parameters. By default, the ad_integration role uses the lower-case form of the ad_integration_realm variable. If you want to keep the actual case of ad_integration_realm, set the new option ad_integration_sssd_realm_preserve_case to true. This may leave the SSSD configuration file with multiple sections for the same realm; use the new ad_integration_sssd_remove_duplicate_sections setting to consolidate the settings from the multiple sections into the chosen section. As a result, the ad_integration system role can manage domain and realm sections in the SSSD configuration file correctly.
The journald RHEL system role can monitor disk space
With this update, you can configure the SystemKeepFree option in journald.conf, which sets how much disk space journald must leave free on the file system that holds the system journal, so that the journal cannot fill the disk and destabilize the system. Use the journald_system_keep_free variable to configure this limit. The value is specified in megabytes. There is no default value; when the variable is unset, the journald default applies.
Introducing flexibility for package installation in ad_integration role
Previously, the ad_integration role always attempted to install the required packages, for example, realmd, sssd-ad, adcli, and many more that are listed in __ad_integration_packages. In environments where external systems handled package management, for example, via configuration management outside of this role, pre-baked images, or immutable systems, this step was redundant and undesirable.
With this update, users who manage package installation by other means and want the role only to join a domain have that flexibility. The notable enhancements are:
- New variable: a new boolean variable, ad_integration_manage_packages, controls whether the role installs packages.
- Default value: the default is true in defaults/main.yml to ensure backward compatibility. Existing playbooks that use this role continue to work without modification.
- Conditional task: the "Ensure required packages are installed" task in tasks/main.yml now carries a when: ad_integration_manage_packages | bool condition and runs only if the flag is true (the default).
- Documentation: README.md now describes the ad_integration_manage_packages variable, its purpose, and its default value.
The firewall RHEL system role now supports including other services
With this enhancement, you can include other services when you use the firewall RHEL system role to create firewalld service definitions. For example, you can create a service named webserver that includes the http and https services. If you then enable the webserver service, firewalld opens the ports defined by the http and https services. For further details, see Creating a custom firewalld service by using the firewall RHEL system role.
Jira:RHEL-84953[1]
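The two role features above (a single default kernel for the bootloader role, and a composite firewalld service for the firewall role) as one playbook, written here as an added example that is not part of the release notes or the rhel-system-roles project. The kernel paths, the service name and the exact variable layout (bootloader_settings with a per-entry default key, and a firewall entry with an includes list) are assumptions for the demo. The script also performs, before Ansible runs, the same single-default check the bootloader role enforces, so a playbook that flags two kernels is rejected early:

```shell
#!/usr/bin/env bash
# Added example, not code from the RHEL release notes or the rhel-system-roles
# project. ASSUMPTIONS: kernel paths, service name and the variable layout
# (bootloader_settings[].default, firewall[].includes) are illustrative.
set -euo pipefail

write_playbook() {   # $1 = output path
    cat > "$1" <<'EOF'
---
- name: Set the default kernel and define a composite firewalld service
  hosts: all
  vars:
    bootloader_settings:
      - kernel:
          path: /boot/vmlinuz-6.12.0-55.el10.x86_64
        options:
          - name: quiet
            state: present
        default: true          # exactly one entry may carry default: true
      - kernel:
          path: /boot/vmlinuz-6.12.0-52.el10.x86_64
        default: false
    firewall:
      # custom service built from existing http and https definitions
      - service: webserver
        short: Web server
        description: HTTP and HTTPS via included services
        includes:
          - http
          - https
        permanent: true
        state: present
      # enabling webserver opens the ports of both included services
      - service: webserver
        zone: public
        permanent: true
        immediate: true
        state: enabled
  roles:
    - rhel-system-roles.bootloader
    - rhel-system-roles.firewall
EOF
}

# Number of bootloader entries flagged as default (the role accepts only 1).
count_default_kernels() {   # $1 = playbook path
    grep -cE '^\s*default:\s*true\b' "$1" || true
}

# Succeed only when the playbook satisfies the single-default rule.
check_single_default() {   # $1 = playbook path
    local n
    n=$(count_default_kernels "$1")
    [ "$n" -eq 1 ]
}

main() {
    local pb
    pb=$(mktemp)
    write_playbook "$pb"
    check_single_default "$pb" && echo "ok: exactly one default kernel in $pb"
    # ansible-playbook --syntax-check "$pb"    # then run it from a control node
}
main "$@"
```

The pre-check is deliberately a plain grep: it catches the common copy-paste mistake (two entries left with default: true) without needing Ansible installed on the machine that lints the inventory.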
The podman role can generate any TOML-compliant configuration file
Before this update, the Jinja-based formatter did not support many TOML features, including tables and inline tables, which are required to configure all aspects of podman. With this enhancement, all TOML features are supported by using a true TOML formatter instead of a simple Jinja template. As a result, the podman role can generate any TOML-compliant configuration file that podman can use.
Because the podman role must preserve certain behaviours of the old formatter, the TOML formatter is disabled by default. For the use cases that still require the old formatter, and for how to convert your inventory data so that you can use the new formatter, see the README file.
To use the new TOML formatter in all cases, set podman_use_new_toml_formatter to true:
podman_use_new_toml_formatter: true
Jira:RHEL-84932[1]
Metrics role now supports Apache Spark metric collection and export
Previously, you could not collect or export Apache Spark metrics directly with the metrics role. With this update, the rhel-system-roles package adds support for gathering metrics from Apache Spark and exporting metrics to it. Two new boolean parameters are introduced:
- metrics_into_spark (default: false): enables exporting metric values into Spark.
- metrics_from_spark (default: false): enables gathering metrics from Spark.
You can now both retrieve metrics from Spark and send metrics information into Spark, improving integration and monitoring capabilities for Spark workloads.
Jira:RHEL-78262[1]
Enables IPv4-only operation for the chronyd service when using the rhel-system-roles.timesync role
With this update, you can customize the chronyd configuration on RHEL 10.1 nodes where IPv6 is disabled. The enhancement provides two options: a timesync role setting that disables IPv6, or a parameter that sets the OPTIONS value for chronyd. Either option makes chronyd operate in IPv4-only mode when you use the rhel-system-roles.timesync role, which improves time synchronization accuracy and stability in environments where IPv6 is disabled.
Jira:RHEL-85689[1]
The ha_cluster RHEL System Role can now export resource definitions
Previously, the ha_cluster RHEL System Role’s export functionality did not include variables related to cluster resources, such as primitives, groups, and clones. This made it difficult to use the role to get a complete, reusable definition of an existing cluster’s configuration.
With this enhancement, the export functionality of the ha_cluster RHEL System Role has been updated to gather and export cluster resource definitions.
As a result, you can now use the ha_cluster RHEL System Role to export a complete cluster configuration that is compatible with the role’s input format. The exported data now includes the following variables:
- ha_cluster_resource_primitives
- ha_cluster_resource_groups
- ha_cluster_resource_clones
- ha_cluster_resource_bundles
The ha_cluster RHEL System Role can now export OS and pcsd configurations
Previously, when using the ha_cluster RHEL System Role to export the configuration of an existing cluster, the export did not include important OS-level settings such as repository, firewall, or SELinux configurations. This resulted in an incomplete definition, making it difficult to fully recreate a cluster from the exported data.
With this enhancement, the ha_cluster role’s export functionality now gathers and exports OS-level and pcsd daemon configurations from cluster nodes.
As a result, you can generate a more complete cluster definition from an existing deployment. This is useful for recreating the cluster or for bringing a cluster that was not created with the ha_cluster role under its management. The exported data now includes the following variables:
- ha_cluster_enable_repos
- ha_cluster_enable_repos_resilient_storage
- ha_cluster_manage_firewall
- ha_cluster_manage_selinux
- ha_cluster_install_cloud_agents
- ha_cluster_pcs_permission_list
postfix provided in version 3.8.5
RHEL 10.0 provides postfix version 3.8.5. Notable changes include:
- The Simple Mail Transfer Protocol (SMTP) and Local Mail Transfer Protocol (LMTP) clients support looking up DNS SRV records.
- In previous releases, the PostgreSQL client encoding was hard-coded to LATIN1. With this release, you can configure it with the encoding parameter. Default: UTF8.
- Postfix supports threaded bounces. With this feature, mail readers can display a non-delivery, delayed-delivery, or successful-delivery notification in the same email thread as the original message.
- Postfix logs "Application error" instead of "Success" or "Unknown error: 0" when an operation fails with errno == 0, indicating that the error originated in non-kernel code.
- Postfix randomizes the initial state of in-memory hash tables to prevent hash-collision attacks that use a large number of attacker-chosen lookup keys.
- The postqueue command sanitizes non-printable characters, such as newlines, in strings before they are formatted as JSON or as legacy output.
- By default, Postfix uses the Lightning Memory-Mapped Database (LMDB) backend. The previous default backend, Berkeley DB (BDB), is not available in RHEL 10. If you used BDB and upgrade from an earlier RHEL version to RHEL 10, you must convert the databases. For details, see Postfix fails with unsupported dictionary type: hash after upgrading to RHEL 10.
Jira:RHELDOCS-20766[1]
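The last item above is the one that breaks mail flow after an upgrade: every hash: lookup table in main.cf must be re-pointed at LMDB and rebuilt. The script below is an added example (not from the release notes or the Postfix project) that rewrites a copy of main.cf, forces default_database_type to lmdb, and prints the postmap command for each map; it runs postmap only when the binary and the map source file exist. The sample main.cf and its map paths are constructed for the demo. Alias tables (alias_maps) are deliberately left out because they are rebuilt with postalias or newaliases, not postmap:

```shell
#!/usr/bin/env bash
# Added example, not from the RHEL release notes or Postfix. Handles main.cf
# only; maps referenced from master.cf or other files are out of scope.
# ASSUMPTION: the sample main.cf and map paths below are constructed.
set -euo pipefail

# Rewrite every "hash:" table reference as "lmdb:" and force the default
# database type, writing to $2 so the original file is left untouched.
convert_hash_maps() {   # $1 = input main.cf, $2 = output main.cf
    sed -E 's/\bhash:/lmdb:/g' "$1" > "$2"
    if grep -qE '^\s*default_database_type\s*=' "$2"; then
        sed -Ei 's/^\s*default_database_type\s*=.*/default_database_type = lmdb/' "$2"
    else
        printf 'default_database_type = lmdb\n' >> "$2"
    fi
}

# Print the source file of every lmdb: map named in a main.cf, de-duplicated.
list_lmdb_maps() {   # $1 = main.cf
    grep -oE '\blmdb:[^ ,]+' "$1" | sed 's/^lmdb://' | sort -u
}

# Emit one rebuild command per map; run it when postmap and the source exist.
rebuild_maps() {   # $1 = main.cf
    list_lmdb_maps "$1" | while IFS= read -r map; do
        echo "postmap lmdb:$map"
        if command -v postmap >/dev/null 2>&1 && [ -f "$map" ]; then
            postmap "lmdb:$map"
        fi
    done
}

main() {
    local src out
    src=$(mktemp); out=$(mktemp)
    cat > "$src" <<'EOF'
# constructed sample main.cf carried over from a pre-RHEL 10 host
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual, hash:/etc/postfix/virtual-extra
smtpd_sender_login_maps = hash:/etc/postfix/sender-login
default_database_type = hash
EOF
    convert_hash_maps "$src" "$out"
    echo "--- converted main.cf ---"; cat "$out"
    echo "--- rebuild commands ---"; rebuild_maps "$out"
    # On the real host: copy $out over /etc/postfix/main.cf, run the printed
    # commands, confirm `postconf -n | grep -c hash:` prints 0, then
    # `systemctl restart postfix`.
}
main "$@"
```

Check the result with postconf -n before restarting: a single surviving hash: reference is enough for Postfix to fail with "unsupported dictionary type: hash", and a mail server that is down is a softer target for queue-filling than one that is up.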
6.18. Virtualization
virtio-mem is available on IBM Z
With this update, virtio-mem, a paravirtualized memory device, can be used on IBM Z hardware. By using virtio-mem, you can dynamically add or remove host memory in virtual machines.
Jira:RHEL-72994[1]
New command for IBM Z hosts: virsh hypervisor-cpu-models
This update introduces the virsh hypervisor-cpu-models command. You can use this command on the IBM Z architecture to display which CPU models your hypervisor recognizes.
Jira:RHEL-58151[1]
virt-v2v can now convert VMware VMs that use NVMe disks
With this update, virt-v2v correctly detects non-volatile memory express (NVMe) disks when it analyzes the configuration of virtual machines (VMs) created on the VMware hypervisor. As a result, you can now use the virt-v2v utility to convert such VMs for the KVM hypervisor.
Fast initialization NetKVM parameter
This update adds a Fast Initialization (FastInit) parameter for NetKVM drivers. Enabling this parameter ensures that the driver allocates only a part of the required memory blocks to virtual queues, and then indicates readiness to the kernel. The remaining memory blocks are then initialized in the background.
This makes starting or restarting the network in Windows virtual machines significantly faster, especially when the network back end uses a high number of virtual queues. However, it might also negatively impact performance before the background memory allocation is finished.
FastInit is enabled by default, but you can disable it by using the Device Manager app in the Windows guest operating system.
Performance-enhanced PCI translation for IBM Z guests
With this update, virtual machines (VMs) on IBM Z hosts can use identity-mapped direct memory access (DMA) for PCI devices. This feature significantly improves the performance of PCI device passthrough. Note that to use the feature, your system must be configured as follows:
- The iommu.passthrough=1 parameter must be set on the kernel command line of the VM.
- The VM must have fully NUMA-pinned memory.
- The RHEL host system must not be using logical partitioning (LPAR).
Jira:RHEL-52964[1]
virtio based keyboard driver improvements
With this update, the new virtio-based keyboard driver captures early keyboard input in a virtual machine, including in firmware setup screens and in the GRUB boot loader.
Jira:RHEL-50[1]
New option for VM live migration: --available-switchover-bandwidth
When live-migrating a virtual machine (VM) with the virsh migrate --live command, you can now add the --available-switchover-bandwidth option to specify the bandwidth at which the pre-copy migration switches over to the destination host. By default, the hypervisor measures the available bandwidth automatically; when that estimate does not reliably let the live migration finish, setting --available-switchover-bandwidth explicitly can resolve the issue.
VMs can now use MSDM ACPI tables
On certain Windows guest operating systems, license activation requires the guest to be configured with a Microsoft Data Management (MSDM) Advanced Configuration and Power Interface (ACPI) table. For this purpose, you can now set up an MSDM ACPI table on virtual machines (VMs) hosted on RHEL. To do so, add the following lines to the XML configuration of the VM:
<acpi>
<table type="msdm">/path/to/table</table>
</acpi>
Fine-grained configuration of VM actions on host shutdown
With this update, you can configure how the libvirt drivers handle virtual machines (VMs) when the host shuts down. For example, you can have VM memory saved when the host shuts down and the VMs restored from the saved memory automatically when the host starts again. For the specific configuration options, see the auto_shutdown parameters in the /etc/libvirt/virtqemud.conf file.
Note that this feature implements the same functionality as the libvirt-guests service, configured in the /etc/sysconfig/libvirt-guests file. Consequently, you cannot use the auto_shutdown configuration in virtqemud.conf at the same time as libvirt-guests.service.
For new deployments, use auto_shutdown in virtqemud.conf instead of libvirt-guests.service; it will replace libvirt-guests.service completely in a future major release of RHEL.
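A host with both mechanisms active is the failure mode the note warns about: two agents race to save or kill the same guests at shutdown. The following added example (not from the release notes or libvirt) is a preflight that parses the uncommented auto_shutdown keys from a virtqemud.conf and combines that with the libvirt-guests.service enablement state, which is passed in as an argument so the check runs offline. The sample conf and the key names it contains (auto_shutdown_try_save and the others) are assumptions for the demo; take the real names from the shipped file:

```shell
#!/usr/bin/env bash
# Added example, not from the RHEL release notes or the libvirt project.
# ASSUMPTION: the sample conf below and its key names are constructed; on a
# host, pass "$(systemctl is-enabled libvirt-guests.service)" as the state.
set -euo pipefail

# Print every uncommented auto_shutdown* key the conf sets, one per line.
active_auto_shutdown_keys() {   # $1 = virtqemud.conf
    sed -nE 's/^\s*(auto_shutdown_[a-z_]+)\s*=.*/\1/p' "$1"
}

# 0 = exactly one mechanism owns shutdown handling,
# 1 = both configured (conflict), 2 = neither configured (VMs get killed).
auto_shutdown_status() {   # $1 = virtqemud.conf, $2 = libvirt-guests unit state
    local n
    n=$(active_auto_shutdown_keys "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ] && [ "$2" = "enabled" ]; then
        return 1
    elif [ "$n" -eq 0 ] && [ "$2" != "enabled" ]; then
        return 2
    fi
    return 0
}

main() {
    local conf rc
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# constructed virtqemud.conf excerpt; commented lines are inactive defaults
#auto_shutdown_try_save = "persistent"
auto_shutdown_try_save = "all"
auto_shutdown_try_shutdown = "all"
auto_shutdown_wait = 30
auto_shutdown_restore = 1
EOF
    echo "active keys:"; active_auto_shutdown_keys "$conf"
    set +e; auto_shutdown_status "$conf" "enabled"; rc=$?; set -e
    case "$rc" in
        1) echo "conflict: disable libvirt-guests.service or drop the auto_shutdown keys"
           # systemctl disable --now libvirt-guests.service
           ;;
        2) echo "warning: no shutdown handling configured" ;;
        0) echo "ok" ;;
    esac
    auto_shutdown_status "$conf" "disabled" && echo "ok: virtqemud.conf owns VM shutdown handling"
}
main "$@"
```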
New QEMU configuration parameter: migrate_tls_priority
With this update, you can configure the migrate_tls_priority parameter in the /etc/libvirt/qemu.conf file. You can use this parameter to work around QEMU issues with TLS when live migrating virtual machines. To obtain the recommended value to set if the default does not work on your deployment, contact Red Hat customer support.
New features for virtual machines on 64-bit ARM hosts
The following features are now supported for virtual machines on RHEL hosts that use the 64-bit ARM architecture (aarch64):
- Live snapshots
- Pre-copy migration with the following options:
  - TLS encryption and XBZRLE compression
  - Dirty rate monitoring
  - Auto-converge
- Multi-FD migration with the following options:
  - TLS encryption and XBZRLE compression
  - Auto-converge
  - Zero-copy
- Post-copy migration with the following options:
  - TLS encryption and XBZRLE compression
  - Recovery
  - Preemption
- Live migration with virtiofs
Jira:RHELDOCS-20674[1]
Direct kernel boot supported for SecureBoot VMs
With this update, you can set up direct kernel boot in virtual machines (VMs) that are configured with Secure Boot. To do so, use the <shim> element in the XML configuration of the VM, for example as follows:
<os firmware="efi">
...
<shim>/var/lib/libvirt/images/BOOTX64.EFI</shim>
</os>
Support for multiple I/O threads in virtio-scsi devices
With this update, you can configure multiple I/O threads for a single virtio-scsi device. To do so, use the <iothreads> parameter in the XML configuration of the virtual machine to which the device is attached. This provides additional options for fine-tuning the performance and scalability of your virtual SCSI devices.
6.19. RHEL in cloud environments
Enhanced automatic registration for eligible RHEL images
With this update, RHEL instances based on eligible images from eligible marketplaces automatically receive content and updates from Red Hat content delivery network (CDN) instead of the Red Hat Update Infrastructure (RHUI). The RHUI repositories are turned off by default.
This ensures automatic access to latest updates for users of subscribed RHEL instances.
For additional details, see Understanding auto-registration.
Jira:RHELDOCS-21241[1]
RHEL is available on Azure confidential VMs
You can create and run RHEL confidential virtual machines (CVMs) on Microsoft Azure by using RHEL CVM images. The images support full disk encryption through the Confidential OS disk encryption feature in Azure.
Jira:RHELDOCS-21373[1]
New package: azure-vm-utils
This update adds the azure-vm-utils package, which provides a collection of utilities and udev rules to optimize the experience of using RHEL 10 as a guest operating system on Microsoft Azure.
Jira:RHEL-73904[1]
6.20. Supportability
sos now collects the Satellite metrics file for improved support diagnostics
The foreman-installer plugin of sos now collects the satellite_metrics.yml file from the /var/lib/foreman-maintain/ directory. The file shows which Satellite features are in use and at what scale.
6.21. Containers
A new rhel10/valkey-8 container image is generally available in RHEL
The newly available rhel10/valkey-8 container image provides an in-memory key-value store with atomic operations and data types such as strings, hashes, lists, sets, and sorted sets. The in-memory dataset gives the image its high performance, and the dataset can be persisted either by dumping it to disk or by appending each command to a log.
Jira:RHELDOCS-20640[1]
Improved support for reproducible container builds
Reproducible builds ensure that a given set of inputs consistently generates the same output. This enhancement addresses several factors that previously complicated reproducibility in container image builds. Using the --source-date-epoch and --rewrite-timestamp build options improves the reproducibility of builds and aligns with common practices such as setting and honouring $SOURCE_DATE_EPOCH, but it cannot guarantee complete reproducibility.
New artifact endpoints for the Podman RESTful API
The Podman RESTful API now includes new artifact endpoints, enabling programmatic management of OCI artifacts. This enhancement simplifies integrating OCI artifact operations into existing systems and scripts.
The Container Tools packages have been updated
The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is available. The Buildah package has been updated to version v1.41.0, and Skopeo has been updated to version 1.20.0.
Podman release v5.6 contains the following notable bug fixes and enhancements over the previous version:
- A new set of commands for managing Quadlets has been added: podman quadlet install (install a new Quadlet for the current user), podman quadlet list (list installed Quadlets), podman quadlet print (print the contents of a Quadlet file), and podman quadlet rm (remove a Quadlet).
- The podman kube play command can restrict container execution to specific CPU cores and specific memory nodes by using the io.podman.annotations.cpuset/$ctrname and io.podman.annotations.memory-nodes/$ctrname annotations.
- The podman kube play command supports the lifecycle.stopSignal field in Pod YAML, allowing the signal used to stop containers to be specified.
- The podman volume import and podman volume export commands are available in the remote Podman client.
- The podman volume create command accepts two new options, --uid and --gid, to set the UID and GID the volume is created with.
- The podman secret create command has a new option, --ignore, which causes the command to succeed even if a secret with the given name already exists.
- The podman pull command has a new option, --policy, to configure the pull policy.
- The podman update command has a new option, --latest, to update the most recently created container instead of specifying one by name or ID.
- A full set of API endpoints for interacting with artifacts has been added, including inspecting artifacts (GET /libpod/artifacts/{name}/json), listing all artifacts (GET /libpod/artifacts/json), pulling an artifact (POST /libpod/artifacts/pull), removing an artifact (DELETE /libpod/artifacts/{name}), adding an artifact (or appending to an existing artifact) from a tar file in the request body (POST /libpod/artifacts/add), pushing an artifact to a registry (/libpod/artifacts/{name}/push), and retrieving the contents of an artifact (GET /libpod/artifacts/{name}/extract).
- A new command, podman artifact extract, copies some or all of the contents of an OCI artifact to a location on disk.
- The --mount option of podman create, podman run, and podman pod create supports a new mount type, --mount type=artifact, to mount OCI artifacts into containers.
- The podman artifact add command has two new options: --append to add new files to an existing artifact, and --file-type to specify the MIME type of the file added to the artifact.
- The podman artifact rm command has a new option, --all, to remove all artifacts in the local store.
- The podman kube generate and podman kube play commands support a new annotation, io.podman.annotation.pids-limit/$containername, which preserves the PID limit for containers across kube generate and kube play.
- Quadlet .container units support three new keys: Memory= (set the maximum memory for the created container), ReloadCmd= (execute a command via systemd ExecReload), and ReloadSignal= (kill the container with the given signal via systemd ExecReload).
- Quadlet .container, .image, and .build units support two new keys: Retry= (number of times to retry pulling the image on failure) and RetryDelay= (delay between retries).
- Quadlet .pod units support a new key, HostName=, to set the pod's hostname.
- Quadlet files support a new option, UpheldBy=, in the Install section, corresponding to the systemd Upholds= option.
- The names of Quadlet units specified as systemd dependencies are translated automatically; for example, Wants=my.container is valid.
For more information about notable changes, see upstream release notes.
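The new Quadlet keys in one .container unit, as an added example that is not part of the release notes or the Podman project: Memory= caps the container, ReloadCmd= wires systemctl reload to an in-container reload command, Retry= and RetryDelay= bound pull retries, and UpheldBy= keeps the unit up from another unit. The image name, the reload command and the frontend-guard.service unit are made up for the demo. The script also includes a small reader that extracts a key's value from the unit (last occurrence wins, as in systemd) and a guard that refuses to install a unit that publishes a port without a memory ceiling:

```shell
#!/usr/bin/env bash
# Added example, not from the RHEL release notes or the Podman project.
# ASSUMPTIONS: image, reload command and frontend-guard.service are invented.
set -euo pipefail

write_quadlet() {   # $1 = path of the .container file
    cat > "$1" <<'EOF'
[Unit]
Description=Web front end (added example)

[Container]
Image=registry.example.com/web/frontend:1.4
ContainerName=frontend
PublishPort=8080:8080
# Hard memory ceiling for the container (Podman 5.6 Memory= key)
Memory=512m
# systemctl reload runs this inside the container instead of restarting it
ReloadCmd=/usr/local/bin/frontend-reload
# Bound image-pull retries: 5 attempts, 10 s apart
Retry=5
RetryDelay=10s
# Least privilege inside the container
User=1000
NoNewPrivileges=true
ReadOnly=true

[Service]
Restart=on-failure

[Install]
WantedBy=default.target
# maps to systemd Upholds=: frontend-guard.service keeps this unit running
UpheldBy=frontend-guard.service
EOF
}

# Print the value of KEY in FILE; the last occurrence wins, as systemd does.
quadlet_get() {   # $1 = key, $2 = file
    awk -F= -v k="$1" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$2"
}

# Refuse units that publish a port but set no memory ceiling.
check_quadlet() {   # $1 = file
    [ -n "$(quadlet_get PublishPort "$1")" ] && [ -z "$(quadlet_get Memory "$1")" ] && return 1
    return 0
}

main() {
    local f
    f="$(mktemp -d)/frontend.container"
    write_quadlet "$f"
    check_quadlet "$f" && echo "ok: $f"
    echo "Memory=$(quadlet_get Memory "$f") Retry=$(quadlet_get Retry "$f") UpheldBy=$(quadlet_get UpheldBy "$f")"
    # podman quadlet install "$f"        # then: systemctl --user daemon-reload
    # podman quadlet list; podman quadlet print frontend.container
}
main "$@"
```

ReloadCmd= and ReloadSignal= are alternatives for the same ExecReload hook; pick one. The guard is an example of the kind of policy check worth running in CI on Quadlet files before podman quadlet install, since a published port with no resource limit is an easy denial-of-service path.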
The ADD and COPY instructions now support the --link option
Buildah and Podman now support the --link flag for ADD and COPY instructions in Containerfiles, which causes the new content to be added as its own layer in the built image.
StrictForwardPorts is now available in firewalld
When the StrictForwardPorts option in the /etc/firewalld/firewalld.conf configuration file is set to yes, port forwarding from Podman is no longer possible, and attempting to start a container or pod with the -p or -P options returns errors. All ports must be forwarded by using firewalld. This ensures that containers cannot allow traffic through the firewall without administrator intervention. See the netavark-firewalld man page for more details.
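The weak and the hardened setting side by side, as an added example that is not from the release notes, firewalld or Podman: a helper that reads the effective StrictForwardPorts value (firewalld's shipped default is no) and one that sets it idempotently, replacing a commented or existing line rather than appending a second copy. The firewalld.conf excerpt is constructed; on a host the file is /etc/firewalld/firewalld.conf and the change takes effect after firewall-cmd --reload:

```shell
#!/usr/bin/env bash
# Added example, not from the RHEL release notes, firewalld or Podman.
# ASSUMPTION: the firewalld.conf excerpt in main() is constructed.
set -euo pipefail

# Effective value ("yes"/"no"); unset means firewalld's default, "no".
strict_forward_ports() {   # $1 = firewalld.conf
    local v
    v=$(sed -nE 's/^\s*StrictForwardPorts\s*=\s*([A-Za-z]+)\s*$/\1/p' "$1" | tail -n1)
    echo "${v:-no}"
}

# Set StrictForwardPorts to yes|no, rewriting an existing (even commented)
# line in place or appending one if the key is absent.
set_strict_forward_ports() {   # $1 = firewalld.conf, $2 = yes|no
    case "$2" in yes|no) ;; *) echo "value must be yes or no" >&2; return 2 ;; esac
    if grep -qE '^\s*#?\s*StrictForwardPorts\s*=' "$1"; then
        sed -Ei "s/^\s*#?\s*StrictForwardPorts\s*=.*/StrictForwardPorts=$2/" "$1"
    else
        printf '\n# Containers may not open host ports on their own; use firewalld forward-port rules\nStrictForwardPorts=%s\n' "$2" >> "$1"
    fi
}

main() {
    local conf
    conf=$(mktemp)
    printf '# constructed firewalld.conf excerpt\nDefaultZone=public\nFlushAllOnReload=yes\n' > "$conf"
    # weak: podman run -p punches holes in the host firewall by itself
    echo "before: StrictForwardPorts=$(strict_forward_ports "$conf")"
    set_strict_forward_ports "$conf" yes
    # hardened: podman run -p / -P now fails until an admin adds a firewalld rule
    echo "after:  StrictForwardPorts=$(strict_forward_ports "$conf")"
    # On a real host: firewall-cmd --reload, then expose a container port with a
    # firewalld forward-port rule as described in the netavark-firewalld man page.
}
main "$@"
```

After the switch, a podman run -d -p 8080:80 ... that used to succeed returns an error; that is the intended behaviour, and the port is then opened by an administrator through firewalld, so the firewall configuration stays the single record of what the host exposes.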
New rhel10/nodejs-24 and rhel10/nodejs-24-minimal container images available
The registry.redhat.io/rhel10/nodejs-24 and registry.redhat.io/rhel10/nodejs-24-minimal container images are now available in the Red Hat Container Registry.
Node.js is a platform built on Chrome’s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, ideal for data-intensive real-time applications that run across distributed systems.
Jira:RHELDOCS-20749[1]
RHEL image mode supports creating root-level directories and symlinks at runtime
With this release, you can use RHEL image mode to create root-level directories and symbolic links after system deployment, then return the filesystem to read-only mode. As a result, you can use a single base image across multiple deployment environments with different file system requirements.
Jira:RHELDOCS-21230[1]
bootc-image-builder uses the local container storage by default
With this release, the bootc-image-builder tool operates in local mode by default and no longer pulls container images from remote registries. Before you build a disk image, you must pull the base bootc container image into the local container storage of the build system. If you have existing workflows that relied on automatic image pulling, update them. This change improves security by reducing external network dependencies during the build process.
Jira:RHELDOCS-21218[1]
6.22. RHEL Lightspeed
The command-line assistant supports image mode for RHEL
With this enhancement, you can customize your Containerfile to include the command-line-assistant package, create a disk image from a container image, and boot a system with that image. As a result, the system image has the command-line assistant preinstalled, and you can use it after you register your system with subscription-manager.
Jira:RHELDOCS-20546[1]
The command-line assistant context limit increased to 32KB input
Before this update, the command-line assistant had a 2KB input context limit and failed when input exceeded it, which prevented thorough log analysis. With this release, the input context limit has been increased from 2KB to 32KB. As a result, the command-line assistant supports larger inputs, enabling better log analysis and detection of potential issues.
Jira:RHELDOCS-20421[1]
The command-line assistant for RHEL Lightspeed has better error handling and exit codes
With this enhancement, the command-line assistant brings better error handling and exit codes, such as:
- Output different error messages based on different types of errors that can occur during CLA runtime.
- Try to output an error message that corresponds to the actual cause of the error, and log it.
- Implement different exit codes based on different types of issues.
Jira:RHELDOCS-21313[1]
Command-line assistant -w option displays current output
Before this update, when you used the -w option without an active enable-capture session, the command-line assistant incorrectly displayed output from an earlier session. With this update, the terminal capture log file is verified before the -w option outputs anything. As a result, the displayed output is accurate.
Jira:RHELDOCS-21315[1]
6.23. AI accelerator driver availability
Accelerator drivers available through Red Hat
With RHEL 10.1, third-party accelerator drivers and compute stacks, for example CUDA from NVIDIA and ROCm from AMD, can be installed directly from Red Hat. The kernel drivers are built and signed within the Red Hat infrastructure and work with Secure Boot. In addition, a new AppStream component, rhel-drivers, eases the installation of these third-party drivers, and regular updates arrive through the existing dnf update process.
For instructions about installing AI accelerator drivers on RHEL, see the following Red Hat blog post: The new and simplified AI accelerator driver experience on Red Hat Enterprise Linux.
Jira:RHELDOCS-21377[1]
Simplified third-party driver installation with rhel-drivers
RHEL 10.1 introduces the rhel-drivers installer, which is available in the AppStream repository. With this tool, you can more easily install third-party hardware drivers for GPUs and AI accelerators by using a single, uniform command-line interface. The rhel-drivers tool manages the installation of complex driver stacks, such as the NVIDIA kernel module and CUDA libraries, by pulling packages directly from the RHEL Extensions and Supplementary channels.
Before this release, installing specialized hardware drivers on RHEL was a manual and inconsistent process. You had to find, download, and manage driver installations from various vendor websites. This approach created significant friction when setting up systems for high-performance computing or AI and machine learning workloads. With rhel-drivers, you can more easily, consistently, and reliably install and manage RHEL-distributed partner drivers. This streamlines system provisioning, ensures that you receive the latest supported driver versions directly from Red Hat repositories, and eliminates the need for manual downloads.
For example, you can install all necessary drivers with just two commands:
# dnf install rhel-drivers
# rhel-drivers install --auto-detect
Jira:RHEL-113198[1]