Chapter 4. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.10.
4.1. Installer and image creation
Ability to use partitioning mode on the blueprint filesystem customization
With this update, while using RHEL image builder, you can customize your blueprint with the chosen filesystem customization. You can choose one of the following partition modes while you create an image:
- Default: auto-lvm
- LVM: the image uses Logical Volume Manager (LVM) even without extra partitions
- Raw: the image uses raw partitioning even with extra partitions
Jira:RHELDOCS-16337[1]
Filesystem customization policy changes in image builder
The following policy changes are in place when using the RHEL image builder filesystem customization in blueprints:
Currently, mountpoint and minimum partition minsize can be set. The following image types do not support filesystem customizations:
- image-installer
- edge-installer
- edge-simplified-installer
The following image types do not create partitioned operating systems images. Customizing their filesystem is meaningless:
- edge-commit
- edge-container
- tar
- container
The blueprint now supports the mountpoint customization for tpm and its sub-directories.
Jira:RHELDOCS-17261[1]
4.2. Security
SCAP Security Guide rebased to 0.1.72
The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.72. This version provides bug fixes and various enhancements, most notably:
- CIS profiles are updated to align with the latest benchmarks.
- The PCI DSS profile is aligned with the PCI DSS policy version 4.0.
- STIG profiles are aligned with the latest DISA STIG policies.
For additional information, see the SCAP Security Guide release notes.
Jira:RHEL-25250[1]
OpenSSL now contains protections against Bleichenbacher-like attacks
This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657.
You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0") function on the RSA decryption context, but this makes your system more vulnerable.
Jira:RHEL-17689[1]
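The following added example (not OpenSSL code and not part of the release notes) models why returning a deterministic pseudo-random message instead of an error removes the padding oracle. It assumes a toy textbook-RSA key built from two Mersenne primes and a simplified HMAC-based derivation that differs from OpenSSL's own; all function names are hypothetical.

```python
"""Toy model of PKCS #1 v1.5 implicit rejection (illustration only, not OpenSSL code)."""
import hashlib
import hmac
import os

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes
MAX_MSG = K - 11                # longest message PKCS #1 v1.5 can carry


def _raw_encrypt(em: bytes) -> bytes:
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def encrypt(msg: bytes) -> bytes:
    """Well-formed ciphertext: 00 02 <nonzero padding> 00 <msg>."""
    if len(msg) > MAX_MSG:
        raise ValueError("message too long")
    pad = bytes(1 + b % 255 for b in os.urandom(K - 3 - len(msg)))
    return _raw_encrypt(b"\x00\x02" + pad + b"\x00" + msg)


def malformed_ciphertext() -> bytes:
    """Constructed sample: a valid RSA ciphertext whose plaintext has block type 01."""
    return _raw_encrypt(b"\x00\x01" + b"\xff" * (K - 6) + b"\x00bad")


def _unpad(ct: bytes):
    """Return the message, or None when the padding check fails."""
    c = int.from_bytes(ct, "big")
    if len(ct) != K or c >= N:
        # Length and range are public properties of the ciphertext, not an oracle.
        raise ValueError("ciphertext out of range")
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    # At least 8 padding bytes are required, so the separator sits at index >= 10.
    if em[:2] != b"\x00\x02" or sep < 10:
        return None
    return em[sep + 1:]


def decrypt_legacy(ct: bytes) -> bytes:
    """Old behaviour: a padding failure is reported to the caller."""
    msg = _unpad(ct)
    if msg is None:
        raise ValueError("padding check failed")  # the signal the attack depends on
    return msg


def _synthetic_message(ct: bytes) -> bytes:
    """Pseudo-random message bound to the private key and this ciphertext.

    Simplified derivation (an assumption of this example): the same
    ciphertext always yields the same bytes and the same length.
    """
    secret = hashlib.sha256(D.to_bytes(K, "big")).digest()
    kdk = hmac.new(secret, ct, hashlib.sha256).digest()
    raw_len = hmac.new(kdk, b"length", hashlib.sha256).digest()[:2]
    length = int.from_bytes(raw_len, "big") % (MAX_MSG + 1)
    return hmac.new(kdk, b"message", hashlib.sha256).digest()[:length]


def decrypt_implicit_rejection(ct: bytes) -> bytes:
    """New behaviour: a padding failure yields a synthetic message, never an error."""
    msg = _unpad(ct)
    # A real implementation selects between the two results in constant time;
    # this Python branch does not and only models the observable result.
    return msg if msg is not None else _synthetic_message(ct)


def caller_sees(decrypt, ct: bytes) -> str:
    """What a remote party can learn from the decryptor's behaviour alone."""
    try:
        decrypt(ct)
        return "message"
    except ValueError:
        return "error"


if __name__ == "__main__":
    good, bad = encrypt(b"session key"), malformed_ciphertext()
    for name, fn in (("legacy", decrypt_legacy),
                     ("implicit rejection", decrypt_implicit_rejection)):
        print(f"{name}: good -> {caller_sees(fn, good)}, bad -> {caller_sees(fn, bad)}")
```

With implicit rejection, the failure surfaces later, for example as a key-confirmation mismatch in the protocol, which looks the same for any wrong key and therefore carries no padding information.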
librdkafka rebased to 1.6.1
The librdkafka implementation of the Apache Kafka protocol has been rebased to upstream version 1.6.1. This is the first major feature release for RHEL 8. The rebase provides many important enhancements and bug fixes. For all relevant changes, see the CHANGELOG.md document provided in the librdkafka package.
This update changes configuration defaults and deprecates some configuration properties. Read the Upgrade considerations section in CHANGELOG.md for more details. The API (C & C++) and ABI (C) in this version are compatible with older versions of librdkafka, but some changes to the configuration properties might require changes to existing applications.
Jira:RHEL-12892[1]
libkcapi rebased to 1.4.0
The libkcapi library, which provides access to the Linux kernel cryptographic API, has been rebased to upstream version 1.4.0. The update includes various enhancements and bug fixes, most notably:
- Added the sm3sum and sm3hmac tools.
- Added the kcapi_md_sm3 and kcapi_md_hmac_sm3 APIs.
- Added SM4 convenience functions.
- Fixed support for link-time optimization (LTO).
- Fixed LTO regression testing.
- Fixed support for AEAD encryption of an arbitrary size with kcapi-enc.
Jira:RHEL-5366[1]
stunnel rebased to 5.71
The stunnel TLS/SSL tunneling service has been rebased to upstream version 5.71. This update changes the behavior of OpenSSL 1.1 and later versions in FIPS mode. If OpenSSL is in FIPS mode and stunnel default FIPS configuration is set to no, stunnel adapts to OpenSSL and FIPS mode is enabled.
Additional new features include:
- Added support for modern PostgreSQL clients.
- You can use the protocolHeader service-level option to insert custom connect protocol negotiation headers.
- You can use the protocolHost option to control the client SMTP protocol negotiation HELO/EHLO value.
- Added client-side support for protocol = ldap.
- You can now configure session resumption by using the service-level sessionResume option.
- Added support to request client certificates in server mode with CApath (previously, only CAfile was supported).
- Improved file reading and logging performance.
- Added support for configurable delay for the retry option.
- In client mode, OCSP stapling is requested and verified when verifyChain is set.
- In server mode, OCSP stapling is always available.
- Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting OCSPrequire = no.
Jira:RHEL-2340[1]
OpenSSH limits artificial delays in authentication
OpenSSH’s response after login failure is artificially delayed to prevent user enumeration attacks. This update introduces an upper limit so that such artificial delays do not become excessively long when remote authentication takes too long, for example in privilege access management (PAM) processing.
libkcapi now provides an option for specifying target file names in hash-sum calculations
This update of the libkcapi (Linux kernel cryptographic API) packages introduces the new option -T for specifying target file names in hash-sum calculations. The value of this option overrides file names specified in processed HMAC files. You can use this option only with the -c option, for example:
$ sha256hmac -c <hmac_file> -T <target_file>
Jira:RHEL-15300[1]
audit rebased to 3.1.2
The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.0.7. Notable enhancements include:
- The auparse library now interprets unnamed and anonymous sockets.
- You can use the new keyword this-hour in the start and end options of the ausearch and aureport tools.
- User-friendly keywords for signals have been added to the auditctl program.
- Handling of corrupt logs in auparse has been improved.
- The ProtectControlGroups option is now disabled by default in the auditd service.
- Rule checking for the exclude filter has been fixed.
- The interpretation of OPENAT2 fields has been enhanced.
- The audispd af_unix plugin has been moved to a standalone program.
- The Python binding has been changed to prevent setting Audit rules from the Python API. This change was made due to a bug in the Simplified Wrapper and Interface Generator (SWIG).
Jira:RHEL-15001[1]
4.3. Shells and command-line tools
openCryptoki rebased to version 3.22.0
The opencryptoki package has been updated to version 3.22.0. Notable changes include:
- Added support for the AES-XTS key type by using the CPACF protected keys.
- Added support for managing certificate objects.
- Added support for public sessions with the no-login option.
- Added support for logging in as the Security Officer (SO).
- Added support for importing and exporting the Edwards and Montgomery keys.
- Added support for importing the RSA-PSS keys and certificates.
- For security reasons, the 2 key parts of an AES-XTS key should not be the same. This update adds checks to the key generation and import process to ensure this.
- Various bug fixes have been implemented.
Jira:RHEL-11413[1]
4.4. Infrastructure services
chrony rebased to version 4.5
The chrony suite has been updated to version 4.5. Notable changes include:
- Added periodic refresh of IP addresses of Network Time Protocol (NTP) sources specified by hostname. The default interval is two weeks and it can be disabled by adding refresh 0 to the chrony.conf file.
- Improved automatic replacement of unreachable NTP sources.
- Improved logging of important changes made by the chronyc utility.
- Improved logging of source selection failures and falsetickers.
- Added the hwtstimeout directive to configure timeout for late hardware transmit timestamps.
- Added experimental support for corrections provided by Precision Time Protocol (PTP) transparent clocks to reach accuracy of PTP with hardware timestamping.
- Fixed the presend option in interleaved mode.
- Fixed reloading of modified sources specified by IP address from the sourcedir directories.
linuxptp rebased to version 4.2
The linuxptp protocol has been updated to version 4.2. Notable changes include:
- Added support for multiple domains in the phc2sys utility.
- Added support for notifications on clock updates and changes in the Precision Time Protocol (PTP) parent dataset, for example, clock class.
- Added support for PTP Power Profile, namely IEEE C37.238-2011 and IEEE C37.238-2017.
Jira:RHEL-21326[1]
4.5. Networking
firewalld now avoids unnecessary firewall rule flushes
The firewalld service does not remove all existing rules from the iptables configuration if both following conditions are met:
- firewalld is using the nftables backend.
- There are no firewall rules created with the --direct option.
This change aims at reducing unnecessary operations (firewall rules flushes) and improves integration with other software.
The ss utility adds visibility improvement to TCP bound-inactive sockets
The iproute2 suite provides a collection of utilities to control TCP/IP networking traffic. TCP bound-inactive sockets are attached to an IP address and a port number but neither connected nor listening on TCP ports. The socket services (ss) utility adds support for the kernel to dump TCP bound-inactive sockets. You can view those sockets with the following command options:
- ss --all: to dump all sockets including TCP bound-inactive ones
- ss --bound-inactive: to dump only bound-inactive sockets
Jira:RHEL-6113[1]
nispor rebased to version 1.2.10
The nispor packages have been upgraded to upstream version 1.2.10, which provides several enhancements and bug fixes over the previous version:
- Added support for NetStateFilter to use the kernel filter on network routes and interfaces.
- Single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (SR-IOV VF) information per (VF).
- Newly supported bonding options: lacp_active, arp_missed_max, and ns_ip6_target.
4.6. Kernel
Kernel version in RHEL 8.10
Red Hat Enterprise Linux 8.10 is distributed with the kernel version 4.18.0-553.
rtla rebased to version 6.6 of the upstream kernel source code
The rtla utility has been upgraded to the latest upstream version, which provides multiple bug fixes and enhancements. Notable changes include:
- Added the -C option to specify additional control groups for rtla threads to run in, apart from the main rtla thread.
- Added the --house-keeping option to place rtla threads on a housekeeping CPU and to put measurement threads on different CPUs.
- Added support to the timerlat tracer so that you can run timerlat hist and timerlat top threads in user space.
Jira:RHEL-10081[1]
rteval was upgraded to the upstream version 3.7
With this update, the rteval utility has been upgraded to the upstream version 3.7. The most significant feature in this update concerns the isolcpus kernel parameter. This includes the ability to detect and use the isolcpus mechanism for measurement modules in rteval. As a result, it is easier for isolcpus users to use rteval to get accurate latency numbers and to achieve best latency results measured on a realtime kernel.
Jira:RHEL-8967[1]
SGX is now fully supported
Software Guard Extensions (SGX) is an Intel® technology for protecting software code and data from disclosure and modification.
The RHEL kernel provides the SGX version 1 and 2 functionality. Version 1 enables platforms using the Flexible Launch Control mechanism to use the SGX technology. Version 2 adds Enclave Dynamic Memory Management (EDMM). Notable features include:
- Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave.
- Dynamic addition of regular enclave pages to an initialized enclave.
- Expanding an initialized enclave to accommodate more threads.
- Removing regular and TCS pages from an initialized enclave.
In this release, SGX moves from Technology Preview to a fully supported feature.
Bugzilla:2041881[1]
The Intel data streaming accelerator driver is now fully supported
The Intel data streaming accelerator driver (IDXD) is a kernel driver that provides an Intel CPU integrated accelerator. It includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM).
In this release, IDXD moves from a Technology Preview to a fully supported feature.
Jira:RHEL-10097[1]
rteval now supports adding and removing arbitrary CPUs from the default measurement CPU list
With the rteval utility, you can add (using the + sign) or subtract (using the - sign) CPUs to the default measurement CPU list when using the --measurement-cpulist parameter, instead of having to specify an entire new list. Additionally, --measurement-run-on-isolcpus is introduced for adding the set of all isolated CPUs to the default measurement CPU list. This option covers the most common use case of a real-time application running on isolated CPUs. Other use cases require a more generic feature. For example, some real-time applications used one isolated CPU for housekeeping, requiring it to be excluded from the default measurement CPU list. As a result, you can now not only add, but also remove arbitrary CPUs from the default measurement CPU list in a flexible way. Removing takes precedence over adding. This rule applies both to CPUs specified with +/- signs and to those defined with --measurement-run-on-isolcpus.
Jira:RHEL-21926[1]
4.7. Boot loader
DEP/NX support in the pre-boot stage
The memory protection feature known as Data Execution Prevention (DEP), No Execute (NX), or Execute Disable (XD), blocks the execution of code that is marked as non-executable. DEP/NX has been available in RHEL at the operating system level.
This release adds DEP/NX support in the GRUB and shim boot loaders. This can prevent certain vulnerabilities during the pre-boot stage, such as a malicious EFI driver that might execute certain attacks without the DEP/NX protection.
Jira:RHEL-15856[1]
Support for TD RTMR measurement in GRUB and shim
Intel® Trust Domain Extension (Intel® TDX) is a confidential computing technology that deploys hardware-isolated virtual machines (VMs) called Trust Domains (TDs).
TDX extends the Virtual Machine Extensions (VMX) instructions and the Multi-key Total Memory Encryption (MKTME) feature with the TD VM guest. In a TD guest VM, all components in the boot chain, such as grub2 and shim, must log the event and measurement hash to runtime measurement registers (RTMR).
TD guest runtime measurement in RTMR is the base for attestation applications. Applications on the TD guest rely on TD measurement to provide trust evidence to get confidential information, such as the key from the relying party through the attestation service.
With this release, the GRUB and shim boot loaders now support the TD measurement protocol.
For more information about Intel® TDX, see Documentation for Intel® Trust Domain Extensions.
Jira:RHEL-15583[1]
4.8. File systems and storage
The Storage RHEL System Roles now support shared LVM device management
The RHEL System Roles now support the creation and management of shared logical volumes and volume groups.
multipathd now supports detecting FPIN-Li events for NVMe devices
Previously, the multipathd command would only monitor Integrity Fabric Performance Impact Notification (FPIN-Li) events on SCSI devices. multipathd could listen for Link Integrity events sent by a Fibre Channel fabric and use it to mark paths as marginal. This feature was only supported for multipath devices on top of SCSI devices, and multipathd was unable to mark Non-volatile Memory Express (NVMe) device paths as marginal by limiting the use of this feature.
With this update, multipathd supports detecting FPIN-Li events for both SCSI and NVMe devices. As a result, multipath now does not use paths without a good fabric connection, while other paths are available. This helps to avoid IO delays in such situations.
4.9. Dynamic programming languages, web and database servers
Python 3.12 available in RHEL 8
RHEL 8.10 introduces Python 3.12, provided by the new package python3.12 and a suite of packages built for it, and the ubi8/python-312 container image.
Notable enhancements compared to the previously released Python 3.11 include:
- Python introduces a new type statement and new type parameter syntax for generic classes and functions.
- Formatted string literals (f-strings) have been formalized in the grammar and can now be integrated into the parser directly.
- Python now provides a unique per-interpreter global interpreter lock (GIL).
- You can now use the buffer protocol from Python code.
- Dictionary, list, and set comprehensions in CPython are now inlined. This significantly increases the speed of a comprehension execution.
- CPython now supports the Linux perf profiler.
- CPython now provides stack overflow protection on supported platforms.
To install packages from the python3.12 stack, use, for example:
# yum install python3.12
# yum install python3.12-pip
To run the interpreter, use, for example:
$ python3.12
$ python3.12 -m pip --help
See Installing and using Python for more information.
For information about the length of support of Python 3.12, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new environment variable in Python to control parsing of email addresses
To mitigate CVE-2023-27043, a backward incompatible change to ensure stricter parsing of email addresses was introduced in Python 3.
This update introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING environment variable. When you set this variable to true, the previous, less strict parsing behavior is the default for the entire system:
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
However, individual calls to the affected functions can still enable stricter behavior.
You can achieve the same result by creating the /etc/python/email.cfg configuration file with the following content:
[email_addr_parsing]
PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing stricter parsing of email addresses in Python.
Jira:RHELDOCS-17369[1]
A new module stream: ruby:3.3
RHEL 8.10 introduces Ruby 3.3.0 in a new ruby:3.3 module stream. This version provides several performance improvements, bug and security fixes, and new features over Ruby 3.1 distributed with RHEL 8.7.
Notable enhancements include:
- You can use the new Prism parser instead of Ripper. Prism is a portable, error tolerant, and maintainable recursive descent parser for the Ruby language.
- YJIT, the Ruby just-in-time (JIT) compiler implementation, is no longer experimental and it provides major performance improvements.
- The Regexp matching algorithm has been improved to reduce the impact of potential Regular Expression Denial of Service (ReDoS) vulnerabilities.
- The new experimental RJIT (a pure-Ruby JIT) compiler replaces MJIT. Use YJIT in production.
- A new M:N thread scheduler is now available.
Other notable changes:
- You must now use the Lrama LALR parser generator instead of Bison.
- Several deprecated methods and constants have been removed.
- The Racc gem has been promoted from a default gem to a bundled gem.
To install the ruby:3.3 module stream, use:
# yum module install ruby:3.3
If you want to upgrade from an earlier ruby module stream, see Switching to a later stream.
For information about the length of support of Ruby 3.3, see Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-17090[1]
A new module stream: php:8.2
RHEL 8.10 adds PHP 8.2, which provides several bug fixes and enhancements over version 8.0.
With PHP 8.2, you can:
- Define a custom type that is limited to one of a discrete number of possible values using the Enumerations (Enums) feature.
- Declare a property with the readonly modifier to prevent modification of the property after initialization.
- Use fibers, full-stack, and interruptible functions.
- Use readonly classes.
- Declare several new standalone types.
- Use a new Random extension.
- Define constraints in traits.
To install the php:8.2 module stream, use the following command:
# yum module install php:8.2
If you want to upgrade from an earlier php stream, see Switching to a later stream.
For details regarding PHP usage on RHEL 8, see Using the PHP scripting language.
For information about the length of support for the php module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Jira:RHEL-14705[1]
The name() method of the perl-DateTime-TimeZone module now returns the time zone name
The perl-DateTime-TimeZone module has been updated to version 2.62, which changed the value that is returned by the name() method from the time zone alias to the main time zone name.
For more information and an example, see the Knowledgebase article Change in the perl-DateTime-TimeZone API related to time zone name and alias.
A new module stream: nginx:1.24
The nginx 1.24 web and proxy server is now available as the nginx:1.24 module stream. This update provides several bug fixes, security fixes, new features, and enhancements over the previously released version 1.22.
New features and changes related to Transport Layer Security (TLS):
- Encryption keys are now automatically rotated for TLS session tickets when using shared memory in the ssl_session_cache directive.
- Memory usage has been optimized in configurations with Secure Sockets Layer (SSL) proxy.
- You can now disable looking up IPv4 addresses while resolving by using the ipv4=off parameter of the resolver directive.
- nginx now supports the $proxy_protocol_tlv_* variables, which store the values of the Type-Length-Value (TLV) fields that appear in the PROXY v2 TLV protocol.
- The ngx_http_gzip_static_module module now supports byte ranges.
Other changes:
- Header lines are now represented as linked lists in the internal API.
- nginx now concatenates identically named header strings passed to the FastCGI, SCGI, and uwsgi back ends in the $r->header_in() method of the ngx_http_perl_module, and during lookups of the $http_..., $sent_http_..., $sent_trailer_..., $upstream_http_..., and $upstream_trailer_... variables.
- nginx now displays a warning if protocol parameters of a listening socket are redefined.
- nginx now closes connections with lingering if pipelining was used by the client.
- The logging level of various SSL errors has been lowered, for example, from Critical to Informational.
To install the nginx:1.24 stream, use:
# yum module install nginx:1.24
To upgrade from an earlier nginx stream, switch to a later stream.
For more information, see Setting up and configuring NGINX.
For information about the length of support for the nginx module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle article.
Jira:RHEL-14714[1]
A new module stream: mariadb:10.11
MariaDB 10.11 is now available as a new module stream, mariadb:10.11. Notable enhancements over the previously available version 10.5 include:
- A new sys_schema feature.
- Atomic Data Definition Language (DDL) statements.
- A new GRANT ... TO PUBLIC privilege.
- Separate SUPER and READ ONLY ADMIN privileges.
- A new UUID database data type.
- Support for the Secure Socket Layer (SSL) protocol version 3; the MariaDB server now requires correctly configured SSL to start.
- Support for the natural sort order through the natural_sort_key() function.
- A new SFORMAT function for arbitrary text formatting.
- Changes to the UTF-8 charset and the UCA-14 collation.
- systemd socket activation files available in the /usr/share/ directory. Note that they are not a part of the default configuration in RHEL as opposed to upstream.
- Error messages containing the MariaDB string instead of MySQL.
- Error messages available in the Chinese language.
- Changes to the default logrotate file.
- For MariaDB and MySQL clients, the connection property specified on the command line (for example, --port=3306), now forces the protocol type of communication between the client and the server, such as tcp, socket, pipe, or memory.
For more information about changes in MariaDB 10.11, see Notable differences between MariaDB 10.5 and MariaDB 10.11.
For more information about MariaDB, see Using MariaDB.
To install the mariadb:10.11 stream, use:
# yum module install mariadb:10.11
If you want to upgrade from the mariadb:10.5 module stream, see Upgrading from MariaDB 10.5 to MariaDB 10.11.
For information about the length of support for the mariadb module streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
A new module stream: postgresql:16
RHEL 8.10 introduces PostgreSQL 16, which provides several new features and enhancements over version 15.
Notable enhancements include:
- Enhanced bulk loading improves performance.
- The libpq library now supports connection-level load balancing. You can use the new load_balance_hosts option for more efficient load balancing.
- You can now create custom configuration files and include them in the pg_hba.conf and pg_ident.conf files.
- PostgreSQL now supports regular expression matching on database and role entries in the pg_hba.conf file.
Other changes include:
- PostgreSQL is no longer distributed with the postmaster binary. Users who start the postgresql server by using the provided systemd unit file (the systemctl start postgres command) are not affected by this change. If you previously started the postgresql server directly through the postmaster binary, you must now use the postgres binary instead.
- PostgreSQL no longer provides documentation in PDF format within the package. Use the online documentation instead.
See also Using PostgreSQL.
To install the postgresql:16 stream, use the following command:
# yum module install postgresql:16
If you want to upgrade from an earlier postgresql stream within RHEL 8, follow the procedure described in Switching to a later stream and then migrate your PostgreSQL data as described in Migrating to a RHEL 8 version of PostgreSQL.
For information about the length of support for the postgresql module streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.
Git rebased to version 2.43.0
The Git version control system has been updated to version 2.43.0, which provides bug fixes, enhancements, and performance improvements over the previously released version 2.39.
Notable enhancements include:
- You can now use the new --source option with the git check-attr command to read the .gitattributes file from the provided tree-ish object instead of the current working directory.
- Git can now pass information from the WWW-Authenticate response-type header to credential helpers.
- In case of an empty commit, the git format-patch command now writes an output file containing a header of the commit instead of creating an empty file.
- You can now use the git blame --contents=<file> <revision> -- <path> command to find the origins of lines starting at <file> contents through the history that leads to <revision>.
- The git log --format command now accepts the %(decorate) placeholder for further customization to extend the capabilities provided by the --decorate option.
Jira:RHEL-17103[1]
Git LFS rebased to version 3.4.1
The Git Large File Storage (LFS) extension has been updated to version 3.4.1, which provides bug fixes, enhancements, and performance improvements over the previously released version 3.2.0.
Notable changes include:
- The git lfs push command can now read references and object IDs from standard input.
- Git LFS now handles alternative remotes without relying on Git.
- Git LFS now supports the WWW-Authenticate response-type header as a credential helper.
Jira:RHEL-17102[1]
Increased performance of the Python interpreter
All supported versions of Python in RHEL 8 are now compiled with the -O3 optimization flag, which is the default in upstream. As a result, you can observe increased performance of your Python applications and the interpreter itself.
The change is available with the release of the following advisories:
- python3.12 - RHSA-2024:6961
- python3.11 - RHSA-2024:6962
- python3 - RHSA-2024:6975
- the python39 module - RHSA-2024:5962
Jira:RHEL-49614[1], Jira:RHEL-49636, Jira:RHEL-49644, Jira:RHEL-49638
A new nodejs:22 module stream is now available
A new module stream, nodejs:22, is now available with the release of the RHEA-2025:0734 advisory.
Node.js 22 included in RHEL 8.10 provides numerous new features, bug fixes, security fixes, and performance improvements over Node.js 20 available since RHEL 8.9.
Notable changes include:
- The V8 JavaScript engine has been upgraded to version 12.4.
- The V8 Maglev compiler is now enabled by default on architectures where it is available (AMD and Intel 64-bit architectures and the 64-bit ARM architecture).
- Maglev improves performance for short-lived CLI programs.
- The npm package manager has been upgraded to version 10.9.0.
- The node --watch mode is now considered stable. In watch mode, changes in watched files cause the Node.js process to restart.
- The browser-compatible implementation of WebSocket is now considered stable and enabled by default. As a result, a WebSocket client to Node.js is available without external dependencies.
- Node.js now includes an experimental feature for execution of scripts from package.json. To use this feature, execute the node --run <script-in-package.json> command.
To install the nodejs:22 module stream, enter:
# dnf module install nodejs:22
If you want to upgrade from the nodejs20 stream, see Switching to a later stream.
For information about the length of support for the nodejs Application Streams, see Red Hat Enterprise Linux Application Streams Life Cycle.
Rust Toolset rebased to version 1.88.0
RHEL 8.10 is distributed with Rust Toolset in version 1.88.0. This update includes the following notable enhancements:
- Rust 2024 Edition is now stable. This is a major opt-in release that enables significant language changes and is the largest edition released to date.
- Leverage the 2024 Edition with let chains, allowing fluent &&-chaining of let statements within if and while conditions to reduce nesting and improve readability.
- For high-performance computing, when you enable target features, you can call multiple std::arch intrinsics directly in safe Rust, which gives you direct access to specific CPU features.
- async closures are now supported, providing first-class solutions for asynchronous programming. These closures allow borrowing from captures and properly express higher-ranked function signatures with the AsyncFn traits.
- Trait upcasting allows coercing a reference to a trait object to a reference of its supertrait, simplifying common patterns, especially with the Any trait.
- Cargo now automatically cleans its cache, removing old downloaded files not accessed in 1-3 months, which helps manage disk space.
Rust Toolset is a rolling Application Stream, and Red Hat only supports the latest version. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Jira:RHEL-81602[1]
4.10. Compilers and development tools
New GCC Toolset 14
GCC Toolset 14 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
The following tools and versions are provided by GCC Toolset 14 available with the release of the RHEA-2024:8851 advisory:
- GCC 14.2
- GDB 14.2
- binutils 2.41
- annobin 12.70
- dwz 0.14
To install GCC Toolset 14, run the following command as root:
# yum install gcc-toolset-14
To run a tool from GCC Toolset 14:
$ scl enable gcc-toolset-14 <tool>
To run a shell session where tool versions from GCC Toolset 14 override system versions of these tools:
$ scl enable gcc-toolset-14 bash
GCC Toolset 14 components are also available in the gcc-toolset-14-toolchain container image.
For more information, see GCC Toolset 14 and Using GCC Toolset.
Jira:RHEL-34596[1], Jira:RHEL-30411
GCC Toolset 14: GCC rebased to version 14.2
In GCC Toolset 14, the GNU Compiler Collection (GCC) has been updated to version 14.2 with the release of the RHEA-2024:8864 advisory.
Notable changes include:
- Optimization and diagnostic improvements
- A new -fhardened umbrella option, which enables a set of hardening flags
- A new -fharden-control-flow-redundancy option to detect attacks that transfer control into the middle of functions
- A new strub type attribute to control stack scrubbing properties of functions and variables
- A new -finline-stringops option to force inline expansion of certain mem* functions
- Support for new OpenMP 5.1, 5.2, and 6.0 features
- Several new C23 features
- Multiple new C++23 and C++26 features
- Several resolved C++ defect reports
- New and improved experimental support for C++20, C++23, and C++26 in the C++ library
- Support for new CPUs in the 64-bit ARM architecture
- Multiple new instruction set architecture (ISA) extensions in the 64-bit Intel architecture, for example: AVX10.1, AVX-VNNI-INT16, SHA512, and SM4
- New warnings in GCC’s static analyzer
- Certain warnings changed to errors; for details, see Porting to GCC 14
- Various bug fixes
For more information about changes in GCC 14, see the upstream GCC release notes.
Jira:RHEL-30412[1]
GCC Toolset 14: GDB rebased to version 14.2
In GCC Toolset 14, GDB has been updated to version 14.2 with the release of the RHBA-2024:8862 advisory. The following paragraphs list notable changes since GDB 12.1.
General:
- The info breakpoints command now displays enabled breakpoint locations of disabled breakpoints as in the y- state.
- Added support for debug sections compressed with Zstandard (ELFCOMPRESS_ZSTD) for ELF.
- The Text User Interface (TUI) no longer styles the source and assembly code highlighted by the current position indicator by default. To re-enable styling, use the new command set style tui-current-position.
- A new $_inferior_thread_count convenience variable contains the number of live threads in the current inferior.
- For breakpoints with multiple code locations, GDB now prints the code location using the <breakpoint_number>.<location_number> syntax.
- When a breakpoint is hit, GDB now sets the $_hit_bpnum and $_hit_locno convenience variables to the hit breakpoint number and code location number. You can now disable the last hit breakpoint by using the disable $_hit_bpnum command, or disable only the specific breakpoint code location by using the disable $_hit_bpnum.$_hit_locno command.
- Added support for the NO_COLOR environment variable.
- Added support for integer types larger than 64 bits.
- You can use new commands for multi-target feature configuration to configure remote target feature sets (see the set remote <name>-packet and show remote <name>-packet in Commands).
- Added support for the Debugger Adapter Protocol.
- You can now use the new inferior keyword to make breakpoints inferior-specific (see break or watch in Commands).
- You can now use the new $_shell() convenience function to execute a shell command during expression evaluation.
Changes to existing commands:
break, watch
- Using the thread or task keywords multiple times with the break and watch commands now results in an error instead of using the thread or task ID of the last instance of the keyword.
- Using more than one of the thread, task, and inferior keywords in the same break or watch command is now invalid.
printf, dprintf
- The printf and dprintf commands now accept the %V output format, which formats an expression the same way as the print command. You can also modify the output format by using additional print options in brackets […] following the command, for example: printf "%V[-array-indexes on]", <array>.
list
- You can now use the . argument to print the location around the point of execution in the current frame, or around the beginning of the main() function if the inferior has not started yet.
- Attempting to list more source lines in a file than are available now issues a warning, referring the user to the . argument.
document user-defined
- It is now possible to document user-defined aliases.
New commands:
- set print nibbles [on|off] (default: off), show print nibbles - controls whether the print/t command displays binary values in groups of four bits (nibbles).
- set debug infcall [on|off] (default: off), show debug infcall - prints additional debug messages about inferior function calls.
- set debug solib [on|off] (default: off), show debug solib - prints additional debug messages about shared library handling.
- set print characters <LIMIT>, show print characters, print -characters <LIMIT> - controls how many characters of a string are printed.
- set debug breakpoint [on|off] (default: off), show debug breakpoint - prints additional debug messages about breakpoint insertion and removal.
- maintenance print record-instruction [ N ] - prints the recorded information for a given instruction.
- maintenance info frame-unwinders - lists the frame unwinders currently in effect in the order of priority (highest first).
- maintenance wait-for-index-cache - waits until all pending writes to the index cache are completed.
- info main - prints information on the main symbol to identify an entry point into the program.
- set tui mouse-events [on|off] (default: on), show tui mouse-events - controls whether mouse click events are sent to the TUI and Python extensions (when on), or the terminal (when off).
Machine Interface (MI) changes:
- MI version 1 has been removed.
- MI now reports no-history when reverse execution history is exhausted.
- The thread and task breakpoint fields are no longer reported twice in the output of the -break-insert command.
- Thread-specific breakpoints can no longer be created on non-existent thread IDs.
- The --simple-values argument to the -stack-list-arguments, -stack-list-locals, -stack-list-variables, and -var-list-children commands now considers reference types as simple if the target is simple.
- The -break-insert command now accepts a new -g thread-group-id option to create inferior-specific breakpoints.
- Breakpoint-created notifications and the output of the -break-insert command can now include an optional inferior field for the main breakpoint and each breakpoint location.
- The async record stating the breakpoint-hit stopped reason now contains an optional field locno giving the code location number in case of a multi-location breakpoint.
Changes in the GDB Python API:
- Events
  - A new gdb.ThreadExitedEvent event.
  - A new gdb.executable_changed event registry, which emits the ExecutableChangedEvent objects that have progspace and reload attributes.
  - New gdb.events.new_progspace and gdb.events.free_progspace event registries, which emit the NewProgspaceEvent and FreeProgspaceEvent event types. Both of these event types have a single attribute progspace to specify the gdb.Progspace program space that is being added to or removed from GDB.
- The gdb.unwinder.Unwinder class
  - The name attribute is now read-only.
  - The name argument of the __init__ function must be of the str type, otherwise a TypeError is raised.
  - The enabled attribute now accepts only the bool type.
- The gdb.PendingFrame class
  - New methods: name, is_valid, pc, language, find_sal, block, and function, which mirror similar methods of the gdb.Frame class.
  - The frame-id argument of the create_unwind_info function can now be either an integer or a gdb.Value object for the pc, sp, and special attributes.
- A new gdb.unwinder.FrameId class, which can be passed to the gdb.PendingFrame.create_unwind_info function.
- The gdb.disassembler.DisassemblerResult class can no longer be sub-classed.
- The gdb.disassembler module now includes styling support.
- A new gdb.execute_mi(COMMAND, [ARG]…) function, which invokes a GDB/MI command and returns the result as a Python dictionary.
- A new gdb.block_signals() function, which returns a context manager that blocks any signals that GDB needs to handle.
- A new gdb.Thread subclass of the threading.Thread class, which calls the gdb.block_signals function in its start method.
- The gdb.parse_and_eval function has a new global_context parameter to restrict parsing on global symbols.
- The gdb.Inferior class
  - A new arguments attribute, which holds the command-line arguments to the inferior, if known.
  - A new main_name attribute, which holds the name of the inferior’s main function, if known.
  - New clear_env, set_env, and unset_env methods, which can modify the inferior’s environment before it is started.
- The gdb.Value class
  - A new assign method to assign a value of an object.
  - A new to_array method to convert an array-like value to an array.
- The gdb.Progspace class
  - A new objfile_for_address method, which returns the gdb.Objfile object that covers a given address (if it exists).
  - A new symbol_file attribute holding the gdb.Objfile object that corresponds to the Progspace.filename variable (or None if the filename is None).
  - A new executable_filename attribute, which holds the string with a filename that is set by the exec-file or file commands, or None if no executable file is set.
- The gdb.Breakpoint class
  - A new inferior attribute, which contains the inferior ID (an integer) for breakpoints that are inferior-specific, or None if no such breakpoints are set.
- The gdb.Type class
  - New is_array_like and is_string_like methods, which reflect whether a type might be array- or string-like regardless of the type’s actual type code.
- A new gdb.ValuePrinter class, which can be used as the base class for the result of applying a pretty-printer.
- A newly implemented gdb.LazyString.__str__ method.
- The gdb.Frame class
  - A new static_link method, which returns the outer frame of a nested function frame.
  - A new gdb.Frame.language method that returns the name of the frame’s language.
- The gdb.Command class
  - GDB now reformats the doc string for the gdb.Command class and the gdb.Parameter sub-classes to remove unnecessary leading whitespace from each line before using the string as the help output.
- The gdb.Objfile class
  - A new is_file attribute.
- A new gdb.format_address(ADDRESS, PROGSPACE, ARCHITECTURE) function, which uses the same format as when printing address, symbol, and offset information from the disassembler.
- A new gdb.current_language function, which returns the name of the current language.
- A new Python API for wrapping GDB’s disassembler, including gdb.disassembler.register_disassembler(DISASSEMBLER, ARCH), gdb.disassembler.Disassembler, gdb.disassembler.DisassembleInfo, gdb.disassembler.builtin_disassemble(INFO, MEMORY_SOURCE), and gdb.disassembler.DisassemblerResult.
- A new gdb.print_options function, which returns a dictionary of the prevailing print options, in the form accepted by the gdb.Value.format_string function.
- The gdb.Value.format_string function
  - gdb.Value.format_string now uses the format provided by the print command if it is called during a print or other similar operation.
  - gdb.Value.format_string now accepts the summary keyword.
- A new gdb.BreakpointLocation Python type.
- The gdb.register_window_type method now restricts the set of acceptable window names.
Architecture-specific changes:
AMD and Intel 64-bit architectures
- Added support for disassembler styling using the libopcodes library, which is now used by default. You can modify how the disassembler output is styled by using the set style disassembler * commands. To use the Python Pygments styling instead, use the new maintenance set libopcodes-styling off command.
The 64-bit ARM architecture
- Added support for dumping memory tag data for the Memory Tagging Extension (MTE).
- Added support for the Scalable Matrix Extension 1 and 2 (SME/SME2). Some features are still considered experimental or alpha, for example, manual function calls with ZA state or tracking Scalable Vector Graphics (SVG) changes based on DWARF.
- Added support for Thread Local Storage (TLS) variables.
- Added support for hardware watchpoints.
The 64-bit IBM Z architecture
- Record and replay support for the new arch14 instructions on IBM Z targets, except for the specialized-function-assist instruction NNPA.
IBM Power Systems, Little Endian
- Added base enablement support for POWER11.
Jira:RHELDOCS-18598[1], Jira:RHEL-36225, Jira:RHEL-36518
GCC Toolset 14: annobin rebased to version 12.70
In GCC Toolset 14, annobin has been updated to version 12.70 with the release of the RHBA-2024:8863 advisory. The updated set of the annobin tools for testing binaries provides various bug fixes, introduces new tests, and updates the tools to build and work with newer versions of the GCC, Clang, LLVM, and Go compilers. With the enhanced tools, you can detect new issues in programs that are built in a non-standard way.
Jira:RHEL-30409[1]
GCC Toolset 13: GCC supports AMD Zen 5
With the release of the RHBA-2024:8829 advisory, the GCC Toolset 13 version of GCC adds support for the AMD Zen 5 processor microarchitecture. To enable the support, use the -march=znver5 command-line option.
Jira:RHEL-36524[1]
LLVM Toolset updated to 19.1.7
LLVM Toolset has been updated to version 19.1.7 with the release of the RHBA-2025:7552 advisory.
Notable changes of the LLVM compiler:
- LLVM now uses debug records, a more efficient representation for debug information.
Notable Clang updates:
- C++14 sized deallocation is now enabled by default.
- C++17 support has been completed.
- Improvements to C++20 support, especially around modules, concepts, and Class Template Argument Deduction (CTAD) have been added.
- Improvements to C++23, C++2c, C23, and C2y support have been added.
For more information, see the LLVM release notes and Clang release notes.
LLVM Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Jira:RHEL-36524[1]
LLVM Toolset updated to 18.1.8
LLVM Toolset has been updated to version 18.1.8 with the release of the RHBA-2024:8828 advisory.
Notable LLVM updates:
- The constant expression variants of the following instructions have been removed: and, or, lshr, ashr, zext, sext, fptrunc, fpext, fptoui, fptosi, uitofp, sitofp.
- The llvm.exp10 intrinsic has been added.
- The code_model attribute for global variables has been added.
- The backend for the AArch64, AMDGPU, PowerPC, RISC-V, SystemZ and x86 architectures has been improved.
- LLVM tools have been improved.
Notable Clang enhancements:
C++20 feature support:
- Clang no longer performs One Definition Rule (ODR) checks for declarations in the global module fragment. To enable more strict behavior, use the -Xclang -fno-skip-odr-check-in-gmf option.
C++23 feature support:
- A new diagnostic flag -Wc++23-lambda-attributes has been added to warn about the use of attributes on lambdas.
C++2c feature support:
- Clang now allows using the _ character as a placeholder variable name multiple times in the same scope.
- Attributes now expect unevaluated strings in attribute parameters that are string literals.
- The deprecated arithmetic conversion on enumerations from C++26 has been removed.
- The specification of template parameter initialization has been improved.
- For a complete list of changes, see the upstream release notes for Clang.
ABI changes in Clang:
- Following the SystemV ABI for x86_64, the __int128 arguments are no longer split between a register and a stack slot.
- For more information, see the list of ABI changes in Clang.
Notable backwards incompatible changes:
- A bug fix in the reversed argument order for templated operators breaks code in C++20 that was previously accepted in C++17.
- The GCC_INSTALL_PREFIX CMake variable (which sets the default --gcc-toolchain=) is deprecated and will be removed. Specify the --gcc-install-dir= or --gcc-triple= option in a configuration file instead.
- The default extension name for precompiled headers (PCH) generation (-c -xc-header and -c -xc++-header) is now .pch instead of .gch.
- When -include a.h probes the a.h.gch file, the include now ignores a.h.gch if it is not a Clang PCH file or a directory containing any Clang PCH file.
- A bug that caused __has_cpp_attribute and __has_c_attribute to return incorrect values for certain C++-11-style attributes has been fixed.
- A bug in finding a matching operator!= while adding a reversed operator== has been fixed.
- The name mangling rules for function templates have been changed to accept that functions can be overloaded on their template parameter lists or requires-clauses.
- The -Wenum-constexpr-conversion warning is now enabled by default on system headers and macros. It will be turned into a hard (non-downgradable) error in the next Clang release.
- A path to the imported modules for C++20 named modules can no longer be hardcoded. You must specify all the dependent modules from the command line.
- It is no longer possible to import modules by using import <module>; Clang uses explicitly-built modules.
- For more details, see the list of potentially breaking changes.
For more information, see the LLVM release notes and Clang release notes.
LLVM Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Jira:RHEL-30907[1]
Rust Toolset rebased to version 1.79.0
Rust Toolset has been updated to version 1.79.0 with the release of the RHBA-2024:8827 advisory. Notable enhancements since the previously available version 1.75.0 include:
- A new offset_of! macro
- Support for C-string literals
- Support for inline const expressions
- Support for bounds in associated type position
- Improved automatic temporary lifetime extension
- Debug assertions for unsafe preconditions
Rust Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Jira:RHEL-30073[1]
Go Toolset rebased to version 1.23
Go Toolset has been updated to version 1.23 with the release of the RHBA-2025:3823 advisory.
Notable enhancements include:
- The for-range loop accepts iterator functions of the following types:
  - func(func() bool)
  - func(func(K) bool)
  - func(func(K, V) bool)

  Calls of the iterator argument function create the iteration values for the for-range loop. For reference links, see the upstream release notes.
- The Go Toolchain can collect usage and breakage statistics to help the Go team to understand how the Go Toolchain is used and working. By default, Go Telemetry does not upload telemetry data and stores it only locally. For further information, see the upstream Go Telemetry documentation.
- The go vet sub-command includes the stdversion analyzer which flags references to symbols that are too new for the version of Go you use in the referring file.
- The cmd and cgo features support the -ldflags option to pass flags to the C linker. The go command uses this flag automatically to avoid argument list too long errors when you use a very large CGO_LDFLAGS environment variable.
- The trace utility tolerates partially broken traces and attempts to recover the trace data. This is especially useful in case of crashes, because you can get the trace leading up to the crash.
- The traceback printed by the runtime after an unhandled panic or other fatal error carries indentation to distinguish the stack trace of the goroutine from the first goroutine.
- The compiler build time overhead of using profile-guided optimization was reduced to single-digit percentage.
- The new -bindnow linker flag enables immediate function binding when building a dynamically-linked ELF binary.
- The //go:linkname linker directive no longer refers to internal symbols in the standard library and the runtime that are not marked with //go:linkname on their definition.
- If a program no longer refers to a Timer or Ticker, garbage collection cleans them up immediately even if their Stop method has not been called. The timer channel associated with a Timer or Ticker is now unbuffered with capacity 0. This ensures that, every time a Reset or Stop method is called, no stale values are sent or received after the call.
- The new unique package provides facilities for canonicalizing values, such as interning or hash-consing.
- The new iter package provides the basic definitions to work with user-defined iterators.
- The slices and maps packages introduce several new functions that work with iterators.
- The new structs package provides types for struct fields that modify properties of the containing struct type, such as memory layout.
- Minor changes are made in the following packages:
  - archive/tar
  - crypto/tls
  - crypto/x509
  - database/sql
  - debug/elf
  - encoding/binary
  - go/ast
  - go/types
  - math/rand/v2
  - net
  - net/http
  - net/http/httptest
  - net/netip
  - path/filepath
  - reflect
  - runtime/debug
  - runtime/pprof
  - runtime/trace
  - slices
  - sync
  - sync/atomic
  - syscall
  - testing/fstest
  - text/template
  - time
  - unicode/utf16
For more information, see the upstream release notes.
Go Toolset is a rolling Application Stream, and Red Hat supports only the latest version. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Jira:RHEL-83447[1]
Go Toolset rebased to version 1.22
Go Toolset has been updated to version 1.22 with the release of the RHSA-2024:8876 advisory.
Notable enhancements include:
- Variables in for loops are now created per iteration, preventing accidental sharing bugs. Additionally, for loops can now range over integers.
- Commands in workspaces can now use a vendor directory for the dependencies of the workspace.
- The go get command no longer supports the legacy GOPATH mode. This change does not affect the go build and go test commands.
- The vet tool has been updated to match the new behavior of the for loops.
- CPU performance has been improved by keeping type-based garbage collection metadata nearer to each heap object.
- Go now provides improved inlining optimizations and better profile-guided optimization support for higher performance.
- A new math/rand/v2 package is available.
- Go now provides enhanced HTTP routing patterns with support for methods and wildcards.
For more information, see the Go upstream release notes.
Go Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
Jira:RHEL-46972[1]
elfutils rebased to version 0.190
The elfutils package has been updated to version 0.190. Notable improvements include:
- The libelf library now supports relative relocation (RELR).
- The libdw library now recognizes .debug_[ct]u_index sections.
- The eu-readelf utility now supports a new -Ds, --use-dynamic --symbol option to show symbols through the dynamic segment without using ELF sections.
- The eu-readelf utility can now show .gdb_index version 9.
- A new eu-scrlines utility compiles a list of source files associated with a specified DWARF or ELF file.
- A debuginfod server schema has changed for a 60% compression in file name representation (this requires reindexing).
valgrind updated to 3.22
The valgrind package has been updated to version 3.22. Notable improvements include:
- valgrind memcheck now checks that the values given to the C functions memalign, posix_memalign, and aligned_alloc, and the C++17 aligned new operator are valid alignment values.
- valgrind memcheck now supports mismatch detection for C++14 sized and C++17 aligned new and delete operators.
- Added support for lazy reading of DWARF debugging information, resulting in faster startup when debuginfo packages are installed.
Clang resource directory moved
The Clang resource directory, where Clang stores its internal headers and libraries, has been moved from /usr/lib64/clang/17 to /usr/lib/clang/17.
A new grafana-selinux package
Previously, the default installation of grafana-server ran as an unconfined_service_t SELinux type. This update adds the new grafana-selinux package, which contains an SELinux policy for grafana-server and which is installed by default with grafana-server. As a result, grafana-server now runs as grafana_t SELinux type.
Updated GCC Toolset 13
GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.
Notable changes introduced in RHEL 8.10 include:
- The GCC compiler has been updated to version 13.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
- binutils now support AMD CPUs based on the znver5 core through the -march=znver5 compiler switch.
- annobin has been updated to version 12.32.
- The annobin plugin for GCC now defaults to using a more compressed format for the notes that it stores in object files, resulting in smaller object files and faster link times, especially in large, complex programs.
The following tools and versions are provided by GCC Toolset 13:
| Tool | Version |
|---|---|
| GCC | 13.2.1 |
| GDB | 12.1 |
| binutils | 2.40 |
| dwz | 0.14 |
| annobin | 12.32 |
To install GCC Toolset 13, run the following command as root:
# yum install gcc-toolset-13
To run a tool from GCC Toolset 13:
$ scl enable gcc-toolset-13 tool
To run a shell session where tool versions from GCC Toolset 13 override system versions of these tools:
$ scl enable gcc-toolset-13 bash
For more information, see GCC Toolset 13 and Using GCC Toolset.
Jira:RHEL-25405[1]
LLVM Toolset rebased to version 17.0.6
LLVM Toolset has been updated to version 17.0.6.
Notable enhancements include:
- The opaque pointers migration is now completed.
- Removed support for the legacy pass manager in middle-end optimization.
Clang changes:
- C++20 coroutines are no longer considered experimental.
- Improved code generation for the std::move function and similar in unoptimized builds.
For more information, see the LLVM and Clang upstream release notes.
Rust Toolset rebased to version 1.75.0
Rust Toolset has been updated to version 1.75.0.
Notable enhancements include:
- Constant evaluation time is now unlimited
- Cleaner panic messages
- Cargo registry authentication
- async fn and opaque return types in traits
Go Toolset rebased to version 1.21.0
Go Toolset has been updated to version 1.21.0.
Notable enhancements include:
- min, max, and clear built-ins have been added.
- Official support for profile guided optimization has been added.
- Package initialization order is now more precisely defined.
- Type inferencing is improved.
- Backwards compatibility support is improved.
For more information, see the Go upstream release notes.
Jira:RHEL-11872[1]
papi supports new processor microarchitectures
With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures:
- AMD Zen 4
- 4th Generation Intel® Xeon® Scalable Processors
Jira:RHEL-9336[1], Jira:RHEL-9320, Jira:RHEL-9337
Ant rebased to version 1.10.9
The ant:1.10 module stream has been updated to version 1.10.9. This version provides support for code signing, using a provider class and provider argument.
The updated ant:1.10 module stream provides only the ant and ant-lib packages. Remaining packages related to Ant are distributed in the javapackages-tools module in the unsupported CodeReady Linux Builder (CRB) repository and have not been updated.
Packages from the updated ant:1.10 module stream cannot be used in parallel with packages from the javapackages-tools module. If you want to use the complete set of Ant-related packages, you must uninstall the ant:1.10 module and disable it, enable the CRB repository, and install the javapackages-tools module.
New package: maven-openjdk21
The maven:3.8 module stream now includes the maven-openjdk21 subpackage, which provides the Maven JDK binding for OpenJDK 21 and configures Maven to use the system OpenJDK 21.
Jira:RHEL-17126[1]
cmake rebased to version 3.26
The cmake package has been updated to version 3.26. Notable improvements include:
- Added support for the C17 and C18 language standards.
- cmake can now query the /etc/os-release file for operating system identification information.
- Added support for the CUDA 20 and nvtx3 libraries.
- Added support for the Python stable application binary interface.
- Added support for Perl 5 in the Simplified Wrapper and Interface Generator (SWIG) tool.
Go Toolset rebased to version 1.24.4
Go Toolset has been updated to version 1.24.4 with the release of the RHSA-2025:10672 advisory.
Notable enhancements and changes include:
Language:
- Generic type aliases are now fully supported, allowing type aliases to be parameterized for increased flexibility with generics.
Tools:
- The Go module system supports tool directives in go.mod files, enabling direct management of executable dependencies.
- The go build, go install, and go test commands now support the -json flag for structured output.
- The new GOAUTH environment variable provides enhanced authentication for private modules.
Runtime and Performance:
- Runtime improvements reduce CPU overhead by 2–3% on average.
- Notable changes include a new map implementation based on Swiss Tables and more efficient memory allocation.
Standard Library:
- The new os.Root type enables directory-limited filesystem access.
- The testing.B.Loop method improves benchmarking.
- The runtime.AddCleanup function provides a more flexible finalization mechanism.
- The new weak package introduces weak pointers.
Cryptography:
- New packages for ML-KEM post-quantum key exchange (crypto/mlkem), HKDF, PBKDF2, and SHA-3 are now available.
- The Go Cryptographic Module is now under review for FIPS 140-3 certification.
Additional updates:
- The vet tool includes a new analyzer for detecting common mistakes in tests and examples.
- The objdump tool now supports more architectures.
- Cgo introduces annotations for improved performance and correctness.
For more information, see the upstream release notes.
Go Toolset is a rolling Application Stream, and Red Hat supports only the latest version. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.
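The os.Root type listed under Standard Library above confines file access to one directory, which matters whenever a file name comes from untrusted input. The following Go program is an added example, not code from Red Hat or the Go project: it compares a plain path join with os.Root on a constructed temporary directory tree. It needs a Go 1.24 or later toolchain, and the helper names (readNaive, readConfined, buildFixture, runDemo) and fixture paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Result records, for one requested name, whether each reader returned data.
type Result struct {
	Name     string
	Naive    bool // plain filepath.Join + os.ReadFile succeeded
	Confined bool // os.Root lookup succeeded
}

// readNaive joins the untrusted name onto base. filepath.Join resolves ".."
// lexically and ReadFile follows symlinks, so the read can leave base.
func readNaive(base, name string) ([]byte, error) {
	return os.ReadFile(filepath.Join(base, name))
}

// readConfined resolves name through an os.Root opened on base. Root methods
// return an error for a path or symlink that would leave base.
func readConfined(base, name string) ([]byte, error) {
	root, err := os.OpenRoot(base)
	if err != nil {
		return nil, err
	}
	defer root.Close()
	f, err := root.Open(name)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

// buildFixture creates constructed sample data:
//
//	<tmp>/secret.txt                 (outside the served directory)
//	<tmp>/uploads/report.txt         (inside it)
//	<tmp>/uploads/link -> ../secret.txt
func buildFixture() (tmp, uploads string, err error) {
	tmp, err = os.MkdirTemp("", "osroot-demo-")
	if err != nil {
		return "", "", err
	}
	uploads = filepath.Join(tmp, "uploads")
	if err = os.Mkdir(uploads, 0o700); err != nil {
		return tmp, "", err
	}
	if err = os.WriteFile(filepath.Join(tmp, "secret.txt"), []byte("outside\n"), 0o600); err != nil {
		return tmp, "", err
	}
	if err = os.WriteFile(filepath.Join(uploads, "report.txt"), []byte("inside\n"), 0o600); err != nil {
		return tmp, "", err
	}
	if err = os.Symlink("../secret.txt", filepath.Join(uploads, "link")); err != nil {
		return tmp, "", err
	}
	return tmp, uploads, nil
}

// runDemo requests a legitimate file, a ".." traversal, and a symlink that
// points outside the directory, through both readers.
func runDemo() ([]Result, error) {
	tmp, uploads, err := buildFixture()
	if tmp != "" {
		defer os.RemoveAll(tmp)
	}
	if err != nil {
		return nil, err
	}
	names := []string{"report.txt", "../secret.txt", "link"}
	results := make([]Result, 0, len(names))
	for _, name := range names {
		_, naiveErr := readNaive(uploads, name)
		_, rootErr := readConfined(uploads, name)
		results = append(results, Result{
			Name:     name,
			Naive:    naiveErr == nil,
			Confined: rootErr == nil,
		})
	}
	return results, nil
}

func main() {
	results, err := runDemo()
	if err != nil {
		fmt.Fprintln(os.Stderr, "demo failed:", err)
		os.Exit(1)
	}
	for _, r := range results {
		fmt.Printf("%-18q naive=%-5v os.Root=%v\n", r.Name, r.Naive, r.Confined)
	}
}
```

os.Root checks path resolution only: according to the Go documentation, it does not prohibit traversal across bind mounts or access to device files and /proc special files that sit inside the tree.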
4.11. Identity Management
Identity Management users can now use external identity providers to authenticate to IdM
With this enhancement, you can now associate Identity Management (IdM) users with external identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include Red Hat build of Keycloak, Microsoft Entra ID (formerly Azure Active Directory), GitHub, and Google.
If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable an IdM user to authenticate at the external IdP. After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.
Jira:RHELPLAN-123140[1]
ipa rebased to version 4.9.13
The ipa package has been updated from version 4.9.12 to 4.9.13. Notable changes include:
- The installation of an IdM replica now occurs against a chosen server, not only for Kerberos authentication but also for all IPA API and CA requests.
- The performance of the cert-find command has been improved dramatically for situations with a large number of certificates.
- The ansible-freeipa package has been rebased from version 1.11 to 1.12.1.
For more information, see the upstream release notes.
Deleting expired KCM Kerberos tickets
Previously, if you attempted to add a new credential to the Kerberos Credential Manager (KCM) and you had already reached the storage space limit, the new credential was rejected. The user storage space is limited by the max_uid_ccaches configuration option that has a default value of 64. With this update, if you have already reached the storage space limit, your oldest expired credential is removed and the new credential is added to the KCM. If there are no expired credentials, the operation fails and an error is returned. To prevent this issue, you can free some space by removing credentials using the kdestroy command.
Support for bcrypt password hashing algorithm for local users
With this update, you can enable the bcrypt password hashing algorithm for local users. To switch to the bcrypt hashing algorithm:
- Edit the /etc/authselect/system-auth and /etc/authselect/password-auth files by changing the pam_unix.so sha512 setting to pam_unix.so blowfish.
- Apply the changes:
  # authselect apply-changes
- Change the password for a user by using the passwd command.
- In the /etc/shadow file, verify that the hashing algorithm is set to $2b$, indicating that the bcrypt password hashing algorithm is now used.
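The verification step above, extended to a whole shadow file: changing the pam_unix.so setting affects only passwords set afterwards, so accounts whose password has not been changed keep their earlier hash. This is an added example, not part of the Red Hat documentation; the function names and the sample entries (with placeholder hash strings) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in shadow(5) format; the hash strings are placeholders,
# not real hashes.
sample_shadow() {
    cat <<'EOF'
root:!!:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
alice:$2b$05$CONSTRUCTEDconstructedCONSTRUCTEDconstructedCONSTRUCTED12:19850:0:99999:7:::
bob:$6$constructedsalt$CONSTRUCTEDHASH:19700:0:99999:7:::
carol:!$6$constructedsalt$CONSTRUCTEDHASH:19700:0:99999:7:::
dave::19700:0:99999:7:::
EOF
}

# Print "user scheme" for every entry of the shadow-format file "$1".
# Field 2 holds the hash; its "$id$" prefix names the hashing scheme.
shadow_schemes() {
    awk -F: '
    {
        h = $2
        locked = 0
        # A leading "!" locks the password; a hash may still follow it.
        while (substr(h, 1, 1) == "!") { h = substr(h, 2); locked = 1 }
        p3 = substr(h, 1, 3)
        p4 = substr(h, 1, 4)
        if ($2 == "")                                           s = "empty"
        else if (h == "" || h == "*")                           s = "nologin"
        else if (p4 == "$2a$" || p4 == "$2b$" || p4 == "$2y$")  s = "bcrypt"
        else if (p3 == "$6$")                                   s = "sha512"
        else if (p3 == "$5$")                                   s = "sha256"
        else if (p3 == "$1$")                                   s = "md5"
        else if (p3 == "$y$")                                   s = "yescrypt"
        else                                                    s = "other"
        out = s
        if (locked && s != "nologin") out = out " locked"
        print $1, out
    }' "$1"
}

# List accounts that still need a password change: any entry with a stored
# hash that is not bcrypt, plus entries with an empty password field.
# Locked accounts are included because unlocking restores the old hash.
not_bcrypt() {
    shadow_schemes "$1" | awk '$2 != "bcrypt" && $2 != "nologin" { print $1 }'
}

# Stand-alone run: audit the file given as $1, or the constructed sample.
if [ -n "${1:-}" ]; then
    not_bcrypt "$1"
else
    tmp=$(mktemp) && sample_shadow > "$tmp" && not_bcrypt "$tmp"
    rm -f "$tmp"
fi
```

Run it as root against /etc/shadow after the switch; every user it lists must still change their password with passwd before their entry shows $2b$.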
The idp Ansible module allows associating IdM users with external IdPs
With this update, you can use the idp ansible-freeipa module to associate Identity Management (IdM) users with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable IdP authentication for an IdM user.
After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.
IdM now supports the idoverrideuser, idoverridegroup and idview Ansible modules
With this update, the ansible-freeipa package now contains the following modules:
- idoverrideuser: Allows you to override user attributes for users stored in the Identity Management (IdM) LDAP server, for example, the user login name, home directory, certificate, or SSH keys.
- idoverridegroup: Allows you to override attributes for groups stored in the IdM LDAP server, for example, the name of the group, its GID, or description.
- idview: Allows you to organize user and group ID overrides and apply them to specific IdM hosts.
In the future, you will be able to use these modules to enable AD users to use smart cards to log in to IdM.
The delegation of DNS zone management enabled in ansible-freeipa
You can now use the dnszone ansible-freeipa module to delegate DNS zone management. Use the permission or managedby variable of the dnszone module to set a per-zone access delegation permission.
The ansible-freeipa ipauser and ipagroup modules now support a new renamed state
With this update, you can use the renamed state in the ansible-freeipa ipauser module to change the user name of an existing IdM user. You can also use this state in the ansible-freeipa ipagroup module to change the group name of an existing IdM group.
The runasuser_group parameter is now available in ansible-freeipa ipasudorule
With this update, you can set Groups of RunAs Users for a sudo rule by using the ansible-freeipa ipasudorule module. The option is already available in the Identity Management (IdM) command-line interface and the IdM Web UI.
389-ds-base rebased to version 1.4.3.39
The 389-ds-base package has been updated to version 1.4.3.39.
The HAProxy protocol is now supported for the 389-ds-base package
Previously, Directory Server did not differentiate incoming connections between proxy and non-proxy clients. With this update, you can use the new nsslapd-haproxy-trusted-ip multi-valued configuration attribute to configure the list of trusted proxy servers. When nsslapd-haproxy-trusted-ip is configured under the cn=config entry, Directory Server uses the HAProxy protocol to receive client IP addresses via an additional TCP header so that access control instructions (ACIs) can be correctly evaluated and client traffic can be logged.
If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:
[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4
samba rebased to version 4.19.4
The samba packages have been upgraded to upstream version 4.19.4, which provides bug fixes and enhancements over the previous version. The most notable changes are:
- Command-line options in the smbget utility have been renamed and removed for a consistent user experience. However, this can break existing scripts or jobs that use the utility. See the smbget --help command and smbget(1) man page for further details about the new options.
- If the winbind debug traceid option is enabled, the winbind service now logs, additionally, the following fields:
  - traceid: Tracks the records belonging to the same request.
  - depth: Tracks the request nesting level.
- Samba no longer uses its own cryptography implementations and, instead, now fully uses cryptographic functionality provided by the GnuTLS library.
- The directory name cache size option was removed.
Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.
Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb database files.
After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.
Jira:RHEL-16483[1]
New SSSD option: exop_force
You can use the exop_force option to force a password change even if no grace logins are left. Previously, SSSD did not attempt password changes if the LDAP server indicated that there were no grace logins remaining. Now, if you set ldap_pwmodify_mode = exop_force in the [domain/…] section of the sssd.conf file, SSSD tries to change the password even if no grace logins are left.
4.12. The web console
RHEL web console can now generate Ansible and shell scripts
In the web console, you can now easily access and copy automation scripts on the kdump configuration page. You can then use the generated script to implement a specific kdump configuration on multiple systems.
Jira:RHELDOCS-17060[1]
Simplified managing storage and resizing partitions on Storage
The Storage section of the web console is now redesigned. The new design improved visibility across all views. The overview page now presents all storage objects in a comprehensive table, which makes it easier to perform operations directly. You can click any row to view detailed information and any supplementary actions. Additionally, you can now resize partitions from the Storage section.
Jira:RHELDOCS-17056[1]
4.13. Red Hat Enterprise Linux System Roles
The ad_integration RHEL system role now supports configuring dynamic DNS update options
With this update, the ad_integration RHEL system role supports configuring options for dynamic DNS updates using SSSD when integrated with Active Directory (AD). By default, SSSD will attempt to automatically refresh the DNS record:
- When the identity provider comes online (always).
- At a specified interval (optional configuration); by default, the AD provider updates the DNS record every 24 hours.
You can change these and other settings using the new variables in ad_integration. For example, you can set ad_dyndns_refresh_interval to 172800 to change the DNS record refresh interval to 48 hours. For more details regarding the role variables, see the resources in the /usr/share/doc/rhel-system-roles/ad_integration/ directory.
Jira:RHELDOCS-17372[1]
The metrics RHEL System Role now supports configuring PMIE webhooks
With this update, you can automatically configure the global webhook_endpoint PMIE variable using the metrics_webhook_endpoint variable for the metrics RHEL System Role. This enables you to provide a custom URL for your environment that receives messages about important performance events, and is typically used with external tools such as Event-Driven Ansible.
The bootloader RHEL system role
This update introduces the bootloader RHEL system role. You can use this feature for stable and consistent configuration of boot loaders and kernels on your RHEL systems. For more details regarding requirements, role variables, and example playbooks, see the README resources in the /usr/share/doc/rhel-system-roles/bootloader/ directory.
The logging role supports general queue and general action parameters in output modules
Previously, it was not possible to configure general queue parameters and general action parameters with the logging role. With this update, the logging RHEL System Role supports configuration of general queue parameters and general action parameters in output modules.
Support for new ha_cluster System Role features
The ha_cluster System Role now supports the following features:
- Enablement of the repositories containing resilient storage packages, such as dlm or gfs2. A Resilient Storage subscription is needed to access the repository.
- Configuration of fencing levels, allowing a cluster to use multiple devices to fence nodes.
- Configuration of node attributes.
For information about the parameters you configure to implement these features, see Configuring a high-availability cluster by using the ha_cluster RHEL System Role.
Jira:RHEL-4624[1], Jira:RHEL-22108, Jira:RHEL-14090
New RHEL System Role for configuring fapolicyd
With the new fapolicyd RHEL System Role, you can use Ansible playbooks to manage and configure the fapolicyd framework. The fapolicyd software framework controls the execution of applications based on a user-defined policy.
The network RHEL System role now supports new route types
With this enhancement, you can now use the following route types with the network RHEL System Role:
- blackhole
- prohibit
- unreachable
Jira:RHEL-21491[1]
New rhc_insights.display_name option in the rhc role to set display names
You can now configure or update the display name of the system registered to Red Hat Insights by using the new rhc_insights.display_name parameter. The parameter allows you to name the system based on your preference to easily manage systems in the Insights Inventory. If your system is already connected with Red Hat Insights, use the parameter to update the existing display name. If the display name is not set explicitly on registration, it is set to the hostname by default. It is not possible to automatically revert the display name to the hostname, but it can be set so manually.
The RHEL system roles now support LVM snapshot management
With this enhancement, you can use the new snapshot RHEL system role to create, configure, and manage LVM snapshots.
The postgresql RHEL System Role now supports PostgreSQL 16
The postgresql RHEL System Role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 16.
For more information about this system role, see Installing and configuring PostgreSQL by using the postgresql RHEL System Role.
New rhc_insights.ansible_host option in the rhc role to set Ansible hostnames
You can now configure or update the Ansible hostname for the systems registered to Red Hat Insights by using the new rhc_insights.ansible_host parameter. When set, the parameter changes the ansible_host configuration in the /etc/insights-client/insights-client.conf file to your selected Ansible hostname. If your system is already connected with Red Hat Insights, this parameter will update the existing Ansible hostname.
ForwardToSyslog flag is now supported in the journald system role
In the journald RHEL System Role, the journald_forward_to_syslog variable controls whether the received messages should be forwarded to the traditional syslog daemon or not. The default value of this variable is false. With this enhancement, you can now configure the ForwardToSyslog flag by setting journald_forward_to_syslog to true in the inventory. As a result, when using remote logging systems such as Splunk, the logs are available in the /var/log files.
ratelimit_burst variable is only used if ratelimit_interval is set in logging system role
Previously, in the logging RHEL System Role, when the ratelimit_interval variable was not set, the role would use the ratelimit_burst variable to set the rsyslog ratelimit.burst setting. However, this had no effect because ratelimit_interval must also be set.
With this enhancement, if ratelimit_interval is not set, the role does not set ratelimit.burst. If you want to set ratelimit.burst, you must set both ratelimit_interval and ratelimit_burst variables.
Use the logging_max_message_size parameter instead of rsyslog_max_message_size in the logging system role
Previously, even though the rsyslog_max_message_size parameter was not supported, the logging RHEL System Role was using rsyslog_max_message_size instead of using the logging_max_message_size parameter. This enhancement ensures that logging_max_message_size is used and not rsyslog_max_message_size to set the maximum size for the log messages.
The ad_integration RHEL System Role now supports custom SSSD settings
Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the [sssd] section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.
The ad_integration RHEL System Role now supports custom SSSD domain configuration settings
Previously, when using the ad_integration RHEL System Role, it was not possible to add custom settings to the domain configuration section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings.
New logging_preserve_fqdn variable for the logging RHEL System Role
Previously, it was not possible to configure a fully qualified domain name (FQDN) using the logging system role. This update adds the optional logging_preserve_fqdn variable, which you can use to set the preserveFQDN configuration option in rsyslog to use the full FQDN instead of a short name in syslog entries.
Support for creation of volumes without creating a file system
With this enhancement, you can now create a new volume without creating a file system by specifying the fs_type=unformatted option.
Similarly, existing file systems can be removed using the same approach by ensuring that the safe mode is disabled.
The rhc system role now supports RHEL 7 systems
You can now manage RHEL 7 systems by using the rhc system role. Register the RHEL 7 system to Red Hat Subscription Management (RHSM) and Insights and start managing your system using the rhc system role.
Using the rhc_insights.remediation parameter has no impact on RHEL 7 systems as the Insights Remediation feature is currently not available on RHEL 7.
New mssql_ha_prep_for_pacemaker variable
Previously, the microsoft.sql.server RHEL System Role did not have a variable to control whether to configure SQL Server for Pacemaker. This update adds the mssql_ha_prep_for_pacemaker variable. Set the variable to false if you do not want to configure your system for Pacemaker and you want to use another HA solution.
The sshd role now configures certificate-based SSH authentications
With the sshd RHEL System Role, you can now configure and manage multiple SSH servers to authenticate by using SSH certificates. This makes SSH authentications more secure because certificates are signed by a trusted CA and provide fine-grained access control, expiration dates, and centralized management.
selinux role now supports configuring SELinux in disabled mode
With this update, the selinux RHEL System Role supports configuring SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. This is useful for configuration scenarios before you switch SELinux to permissive or enforcing mode on a system.
selinux role now prints a message when specifying a non-existent module
With this release, the selinux RHEL System Role prints an error message when you specify a non-existent module in the selinux_modules.path variable.
4.14. Virtualization
RHEL now supports Multi-FD migration of virtual machines
With this update, multiple file descriptors (multi-FD) migration of virtual machines is now supported. Multi-FD migration uses multiple parallel connections to migrate a virtual machine, which can speed up the process by utilizing all the available network bandwidth.
It is recommended to use this feature on high-speed networks (20 Gbps and higher).
Jira:RHELDOCS-16970[1]
Secure Execution VMs on IBM Z now support cryptographic coprocessors
With this update, you can now assign cryptographic coprocessors as mediated devices to a virtual machine (VM) with IBM Secure Execution on IBM Z.
By assigning a cryptographic coprocessor as a mediated device to a Secure Execution VM, you can now use hardware encryption without compromising the security of the VM.
Jira:RHEL-11597[1]
You can now replace SPICE with VNC in the web console
With this update, you can use the web console to replace the SPICE remote display protocol with the VNC protocol in an existing virtual machine (VM).
Because the support for the SPICE protocol is deprecated in RHEL 8 and will be removed in RHEL 9, VMs that use the SPICE protocol fail to migrate to RHEL 9. However, RHEL 8 VMs use SPICE by default, so you must switch from SPICE to VNC for a successful migration.
Jira:RHELDOCS-18289[1]
New virtualization features in the RHEL web console
With this update, the RHEL web console includes new features in the Virtual Machines page. You can now:
- Add an SSH public key during virtual machine (VM) creation. This public key will be stored in the ~/.ssh/authorized_keys file of the designated non-root user on the newly created VM, which provides you with immediate SSH access to the specified user account.
- Select a pre-formatted block device type when creating a new storage pool. This is a more robust alternative to a physical disk device type, as it prevents unintentional reformatting of a raw disk device.
This update also changes some default behavior in the Virtual Machines page:
- In the Add disk dialog, the Always attach option is now set by default.
Jira:RHELDOCS-18323[1]
4.15. RHEL in cloud environments
New cloud-init clean option for deleting generated configuration files
The cloud-init clean --configs option has been added for the cloud-init utility. You can use this option to delete unnecessary configuration files generated by cloud-init on your instance. For example, to delete cloud-init configuration files that define network setup, use the following command:
cloud-init clean --configs network
Jira:RHEL-7312[1]
RHEL instances on EC2 now support IPv6 IMDS connections
With this update, RHEL 8 and 9 instances on Amazon Elastic Cloud Compute (EC2) can use the IPv6 protocol to connect to Instance Metadata Service (IMDS). As a result, you can configure RHEL instances with cloud-init on EC2 with a dual-stack IPv4 and IPv6 connection. In addition, you can launch EC2 instances of RHEL with cloud-init in an IPv6-only subnet.
4.16. Containers
The Container Tools packages have been updated
The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc tools, are now available. Notable bug fixes and enhancements over the previous version include:
Notable changes in Podman v4.9:
- You can now use Podman to load the modules on-demand by using the podman --module <your_module_name> command and to override the system and user configuration files.
- A new podman farm command with a set of the create, set, remove, and update subcommands has been added. With these commands, you can farm out builds to machines running podman for different architectures.
- A new podman-compose command has been added, which runs Compose workloads by using an external compose provider such as Docker compose.
- The podman build command now supports the --layer-label and --cw options.
- The podman generate systemd command is deprecated. Use Quadlet to run containers and pods under systemd.
- The podman build command now supports Containerfiles with the HereDoc syntax.
- The podman machine init and podman machine set commands now support a new --usb option. Use this option to allow USB passthrough for the QEMU provider.
- The podman kube play command now supports a new --publish-all option. Use this option to expose all containerPorts on the host.
For more information about notable changes, see upstream release notes.
Jira:RHELPLAN-167794[1]
Podman now supports containers.conf modules
You can use Podman modules to load a predetermined set of configurations. Podman modules are containers.conf files in the Tom’s Obvious Minimal Language (TOML) format.
These modules are located in the following directories, or their subdirectories:
- For rootless users: $HOME/.config/containers/containers.conf.modules
- For root users: /etc/containers/containers.conf.modules, or /usr/share/containers/containers.conf.modules
You can load the modules on-demand with the podman --module <your_module_name> command to override the system and user configuration files. The following rules apply when working with modules:
- You can specify modules multiple times by using the --module option.
- If <your_module_name> is the absolute path, the configuration file will be loaded directly.
- The relative paths are resolved relative to the three module directories mentioned previously.
- Modules in $HOME override those in the /etc/ and /usr/share/ directories.
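The lookup rules above decide which file a given --module name actually loads, which matters when a per-user module has the same name as a system-wide one. The following is an added example, not Podman's own code: the function and variable names are hypothetical, it models a rootless user, and searching /etc before /usr/share is an assumption (the text above only states that $HOME comes first).

```shell
#!/bin/sh
# Module directories from the text above. The MOD_* variable names are
# specific to this example and can be overridden for testing.
MOD_HOME="${MOD_HOME:-$HOME/.config/containers/containers.conf.modules}"
MOD_ETC="${MOD_ETC:-/etc/containers/containers.conf.modules}"
MOD_USR="${MOD_USR:-/usr/share/containers/containers.conf.modules}"

# Print the file that the module name "$1" resolves to; return 1 if none.
resolve_module() {
    case "$1" in
        /*)
            # An absolute path is loaded directly, with no directory search.
            [ -f "$1" ] && printf '%s\n' "$1"
            return
            ;;
    esac
    # Relative names: $HOME wins; /etc before /usr/share is an assumption.
    for d in "$MOD_HOME" "$MOD_ETC" "$MOD_USR"; do
        if [ -f "$d/$1" ]; then
            printf '%s\n' "$d/$1"
            return 0
        fi
    done
    return 1
}

# List module names that exist in more than one directory, together with
# the copy that takes effect. Subdirectories are included.
shadowed_modules() {
    for d in "$MOD_HOME" "$MOD_ETC" "$MOD_USR"; do
        if [ -d "$d" ]; then
            (cd "$d" && find . -type f | sed 's|^\./||')
        fi
    done | sort | uniq -d | while read -r m; do
        printf '%s -> %s\n' "$m" "$(resolve_module "$m")"
    done
}

# Stand-alone run: resolve the name given as $1, or report shadowed modules.
if [ -n "${1:-}" ]; then
    resolve_module "$1"
else
    shadowed_modules
fi
```

A name reported by shadowed_modules with a winning path under $HOME means the user's copy, not the administrator's, is what podman --module loads for that user.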
For more information, see the upstream documentation.
Jira:RHELPLAN-167830[1]
The Podman v4.9 RESTful API now displays progress data
With this enhancement, the Podman v4.9 RESTful API now displays progress data when you pull or push an image to the registry.
Jira:RHELPLAN-167822[1]
SQLite is now fully supported as a default database backend for Podman
With Podman v4.9, the SQLite database backend for Podman, previously available as Technology Preview, is now fully supported. The SQLite database provides better stability, performance, and consistency when working with container metadata. The SQLite database backend is the default backend for new installations of RHEL 8.10. If you upgrade from a previous RHEL version, the default backend is BoltDB.
If you have explicitly configured the database backend by using the database_backend option in the containers.conf file, then Podman will continue to use the specified backend.
Jira:RHELPLAN-168179[1]
Administrators can set up isolation for firewall rules by using nftables
You can use Netavark, a Podman container networking stack, on systems without iptables installed. Previously, when using the container networking interface (CNI) networking, the predecessor to Netavark, there was no way to set up container networking on systems without iptables installed. With this enhancement, the Netavark network stack works on systems with only nftables installed and improves isolation of automatically generated firewall rules.
Jira:RHELDOCS-16955[1]
Containerfile now supports multi-line instructions
You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile file to simplify this file and reduce the number of image layers caused by performing multiple RUN directives.
For example, the original Containerfile can contain the following RUN directives:
RUN dnf update
RUN dnf -y install golang
RUN dnf -y install java
Instead of multiple RUN directives, you can use the HereDoc notation:
RUN <<EOF
dnf update
dnf -y install golang
dnf -y install java
EOF
Jira:RHELPLAN-168184[1]
Toolbx is now available
With Toolbx, you can install the development and debugging tools, editors, and Software Development Kits (SDKs) into the Toolbx fully mutable container without affecting the base operating system. The Toolbx container is based on the registry.access.redhat.com/ubi8.10/toolbox:latest image.
Jira:RHELDOCS-16241[1]