Este conteúdo não está disponível no idioma selecionado.

Chapter 4. New features


This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.5.

4.1. Installer and image creation

Minimal RHEL installation now installs only the s390utils-core package

In RHEL 8.4 and later, the s390utils-base package is split into an s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must manually install the package after completing the RHEL installation or explicitly install s390utils-base using a Kickstart file.

Bugzilla:1932480[1]

4.2. Security

NSS rebased to 3.101

The NSS cryptographic toolkit packages have been rebased to upstream version 3.101, which provides many bug fixes and enhancements. The most notable changes are the following:

  • DTLS 1.3 protocol is now supported (RFC 9147).
  • PBMAC1 support has been added to PKCS#12 (RFC 9579).
  • The X25519Kyber768Draft00 hybrid post-quantum key agreement has experimental support (draft-tls-westerbaan-xyber768d00).
  • lib::pkix is the default validator in RHEL 10.
  • RSA certificates with keys shorter than 2048 bits stop working, in accordance with the system-wide cryptographic policy (breaking fix).

Jira:RHEL-46840[1]

Libreswan accepts IPv6 SAN extensions

Previously, IPsec connection failed when setting up certificate-based authentication with a certificate that contained a subjectAltName (SAN) extension with an IPv6 address. With this update, the pluto daemon has been modified to accept IPv6 SAN as well as IPv4. As a result, IPsec connection is now correctly established with IPv6 address embedded in the certificate as an ID.

Jira:RHEL-32720[1]

Custom key sizes in ssh-keygen

You can now configure the size of keys generated by the /usr/libexec/openssh/sshd-keygen script by setting environment variables SSH_RSA_BITS and SSH_ECDSA_BITS in the /etc/sysconfig/sshd environment file.

Jira:RHEL-26454[1]

fips-mode-setup checks for use of Argon2 KDF in open LUKS volumes before enabling FIPS mode

The fips-mode-setup system management command now detects key derivation functions (KDF) used in currently open LUKS volumes, and aborts if it detects usage of Argon2 KDF. This is because Argon2 KDF is not FIPS-compatible, so preventing its use helps ensure FIPS compliance. As a result, switching into FIPS mode on a system with open LUKS volumes that use Argon2 as a KDF is blocked until those volumes are closed or converted to a different KDF.

Jira:RHEL-39026

New SELinux boolean to allow QEMU Guest Agent executing confined commands

Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as mount, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the guest-agent must run in the virt_qemu_ga_unconfined_t domain.

Therefore, this update adds the SELinux policy boolean virt_qemu_ga_run_unconfined that allows guest-agent to make the transition to virt_qemu_ga_unconfined_t for executables located in any of the following directories:

  • /etc/qemu-ga/fsfreeze-hook.d/
  • /usr/libexec/qemu-ga/fsfreeze-hook.d/
  • /var/run/qemu-ga/fsfreeze-hook.d/

In addition, the necessary rules for transitions for the qemu-ga daemon have been added to the SELinux policy boolean.

As a result, you can now execute confined commands through the QEMU Guest Agent without AVC denials by enabling the virt_qemu_ga_run_unconfined boolean.

Jira:RHEL-31211

OpenSSL rebased to 3.2.2

The OpenSSL packages have been rebased to upstream version 3.2.2. This update brings various enhancements and bug fixes, most notably the following:

  • The openssl req command with the -extensions option no longer mishandles extensions when creating certificate signing requests (CSR). Previously, the command fetched, parsed, and checked the name of the configuration file section for consistency but the name was not used for adding extensions to the created CSR file. With this fix, the extension is added to the generated CSR. As a side effect of this change, if the section specifies an extension incompatible with its use in the CSR, the command might fail with an error like error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server_cert, name=authorityKeyIdentifier, value=keyid, issuer:always.
  • The default X.500 distinguished name (DN) formatting has been changed to use the UTF-8 formatter. This also causes the removal of space characters around the equal sign (=) that separates DN element types from their values.
  • Certificate compression extension (RFC 8879) is now supported.
  • The QUIC protocol can now be used on the client side as a Technology Preview.
  • The Argon2d, Argon2i, and Argon2id key derivation functions (KDF) are supported.
  • Brainpool curves have been added to the TLS 1.3 protocol (RFC 8734) but Brainpool curves remain disabled in all supported system-wide cryptographic policies.

Jira:RHEL-26271

crypto-policies provide algorithm selection in Java

The crypto-policies packages have been updated to extend its control to algorithm selection in Java. This is caused by the evolution of the Java cryptographic agility configuration and crypto-policies needing to catch up to provide a better mapping for a more consistent system-wide configuration. Specifically, the update has the following changes:

  • DTLS 1.0 is now controlled by the protocol option, is disabled by default, and can be reenabled by using the protocol@java = DTLS1.0+ scoped directive.
  • The anon and NULL ciphersuites are now controlled by cipher@java = NULL and disabled by default.
  • The list of signature algorithms is now controlled by the sign@java scoped directive and aligned to the system-wide defaults.
  • The list of signature algorithms is now controlled by the sign option and aligned to the system-wide defaults. If necessary, you can re-enable the use of desired algorithms specifically with Java with a sign@java = <algorithm1>+ <algorithm2>+ scoped directive.
  • Elliptic curve (EC) keys smaller than 256 bits are disabled unconditionally to align with upstream guidance.

As a result, the list of cryptographic algorithms allowed for use with Java by default better matches system-wide defaults. For information on interoperability see the /etc/crypto-policies/back-ends/java.config file and configure your active cryptographic policy accordingly.

Jira:RHEL-45620[1]

The selinux-policy git repository for Centos Stream 10 is now publicly accessible

CentOS Stream contributors now can participate in the development of the SELinux policy by contributing to the c10s branch of the fedora-selinux/selinux-policy git repository.

Jira:RHEL-22960

clevis rebased to version 20

The clevis packages have been upgraded to version 20. The most notable enhancements and fixes include the following:

  • Increased security by fixing potential problems reported by static analyzer tools in the clevis luks command, udisks2 integration, and the Shamir’s Secret Sharing (SSS) thresholding scheme.
  • Password generation now uses the jose utility instead of pwmake. This ensures enough entropy for passwords generated during the Clevis binding step.

Jira:RHEL-29282

ca-certificates provide trusted CA roots in the OpenSSL directory format

This update populates the /etc/pki/ca-trust/extracted/pem/directory-hash/ directory with trusted CA root certificates. As a consequence, lookups and validations are faster when OpenSSL is configured to load certificates from this directory, for example, by setting the SSL_CERT_DIR environment variable to /etc/pki/ca-trust/extracted/pem/directory-hash/.

Jira:RHEL-21094[1]

The nbdkit service is confined by SELinux

The nbdkit-selinux sub-package adds new rules to the SELinux policy, and as a result, nbdkit is confined in SELinux. Therefore, the systems that run nbdkit are more resilient against privilege escalation attacks.

Jira:RHEL-5174

libreswan rebased to 4.15

The libreswan packages have been rebased to upstream version 4.15. This version provides substantial improvements over the previous version 4.9 that was provided in previous releases.

  • Removed a dependency on libxz through libsystemd.
  • In IKEv1, default proposals have been set to aes-sha1 for Encapsulating Security Payload (ESP) and sha1 for Authentication Header (AH).
  • IKEv1 rejects ESP proposals that combine Authenticated Encryption with Associated Data (AEAD) and non-empty INTEG.
  • IKEv1 rejects exchange when a connection has no proposals.
  • IKEv1 has now a more limited default cryptosuite:

    IKE={AES_CBC,3DES_CBC}-{HMAC_SHA2_256,HMAC_SHA2_512HMAC_SHA1}-{MODP2048,MODP1536,DH19,DH31}
    ESP={AES_CBC,3DES_CBC}-{HMAC_SHA1_96,HMAC_SHA2_512_256,HMAC_SHA2_256_128}-{AES_GCM_16_128,AES_GCM_16_256}
    AH=HMAC_SHA1_96+HMAC_SHA2_512_256+HMAC_SHA2_256_128
  • Failures of the libcap-ng library are no longer fatal.
  • TFC padding is now set for AEAD algorithms in the pluto utility.

Jira:RHEL-50006[1]

jose rebased to version 14

The jose package has been upgraded to upstream version 14. jose is a C-language implementation of the Javascript Object Signing and Encryption (JOSE) standards. The most important enhancements and fixes include the following:

  • Improved bound checks for the len function for the oct JWK Type in OpenSSL.
  • The protected JSON Web Encryption (JWE) headers no longer contain zip.
  • jose avoids potential denial of service (DoS) attacks by using high decompression chunks.

Jira:RHEL-38079

Four RHEL services removed from SELinux permissive mode

The following SELinux domains for RHEL services have been removed from SELinux permissive mode:

  • afterburn_t
  • bootupd_t
  • mptcpd_t
  • rshim_t

Previously, these services from packages recently added to RHEL 9 were temporarily set to SELinux permissive mode, which allows gathering information about additional denials while the rest of the system is in SELinux enforcing mode. This temporary setting has now been removed, and as a result, these services now run in SELinux enforcing mode.

Jira:RHEL-22173

The bootupd service is SELinux confined

The bootupd service supports updating the bootloader, and therefore needs to be confined. This update to the SELinux policy adds additional rules, and as a result, the bootupd service runs in the bootupd_t SELinux domain.

Jira:RHEL-22172

4.3. RHEL for Edge

Support available to file system customization for the simplified-installer and raw image types

With this enhancement, now you can add file system customizations to a blueprint when building the following image types:

  • simplified-installer
  • edge-raw-image
  • edge-ami
  • edge-vsphere

With some additional exceptions for OSTree systems, you can choose arbitrary directory names at the /root level of the file system, for example: /local,/mypartition, /$PARTITION.

In logical volumes, these changes are made on top of the LVM partitioning system. The following directories are supported: /var,/var/log, and /var/lib/containers on a separate logical volume.

Jira:RHELDOCS-17515[1]

4.4. Shells and command-line tools

The default value for the DefaultLimitCore systemd configuration option is now set to unlimited:unlimited

Previously, the default value for the DefaultLimitCore systemd configuration option was set to 0:infinity. As a result, all processes started by systemd had a soft process limit for core files set to 0, and no core files were created by default. However, the process adjusted the limit as required.

With this update, the default value for DefaultLimitCore is set to unlimited:unlimited. As a result, the core file size is not limited by default. The default size of the crash dumps in the /etc/systemd/coredump.conf systemd-coredump component configuration file is 1GiB. Note that you can gather crash dumps for sporadic crashes, but ensure that the use of disk space by crash dumps remains conservative.

Note

The crash dumps stored by systemd-coredump are removed after 14 days if not used.

Jira:RHEL-15501

openCryptoki rebased to version 3.23.0

The openCryptoki packages are updated to version 3.23.0, which provides multiple bug fixes and enhancements. Notable changes include:

  • EP11: Added support for FIPS-session mode
  • Various updates are available for protection against RSA timing attacks

Jira:RHEL-23673[1]

librtas rebased to version 2.0.6

The librtas package is updated to version 2.0.6. With this update, you can use the lockdown-compatible ABI provided by the kernel.

Jira:RHEL-10566[1]

4.5. Infrastructure services

The BIND 9.18 is now supported in RHEL

BIND 9.18 has been added in RHEL 9.5 in the new bind9.18 package. The notable feature enhancements include the following:

  • Added support for DNS over TLS (DoT) and DNS over HTTPS (DoH) in the named daemon
  • Added support for both incoming and outgoing zone transfers over TLS
  • Improved support for OpenSSL 3.0 interfaces
  • New configuration options for tuning TCP and UDP send and receive buffers
  • Various improvements to the dig utility

Jira:RHEL-14898[1]

4.6. Networking

NetworkManager now supports the leftsubnet parameter for IPsec VPNs

With this update, NetworkManager supports the leftsubnet parameter to define the private subnet behind the local participant used to configure subnet-to-subnet scenarios in Internet Protocol Security (IPsec) VPNs.

Jira:RHEL-26776

nmstate now supports the congestion window clamp (cwnd) option

With this update, you can use the cwnd option of the nmstate utility to set a maximum limit on the TCP congestion window size. This way you can control the maximum amount of unacknowledged data expressed as a number of packets that can be in transit over the network at any given time. The following example YAML file sets the cwnd option:

---
interfaces:
  - name: eth1
    type: ethernet
    state: up
    ipv4:
      address:
        - ip: 192.0.2.251
          prefix-length: 24
      dhcp: false
      enabled: true

routes:
  config:
    - destination: 198.51.100.0/24
      metric: 150
      next-hop-address: 192.0.2.1
      next-hop-interface: eth1
      table-id: 254
      cwnd: 20

Jira:RHEL-19409

The NetworkManager-libreswan plugin supports the rightcert option

You can use the rightcert option when configuring Libreswan connections through NetworkManager. With this option, you can authenticate the "right" side participant of the IPsec (Internet Protocol Security) connection using a certificate.

Jira:RHEL-30370

The nmstate utility now supports the rightcert option

You can use the rightcert option when configuring Libreswan connections through the nmstate utility. With this option, you can authenticate the "right" side participant of the IPsec (Internet Protocol Security) connection using the certificate. The following example YAML file sets the rightcert option:

---
interfaces:
- name: hosta_conn
   type: ipsec
   ipv4:
     enabled: true
     dhcp: true
   libreswan:
     left: 192.0.2.1
     leftid: '%fromcert'
     leftrsasigkey: '%cert'
     leftmodecfgclient: false
     leftcert: leftcert.example.com
     right: 192.0.2.2
     rightid: '%fromcert'
     rightrsasigkey: '%cert'
     rightcert: rightcert.example.com
     rightsubnet: 192.0.2.2/32

Jira:RHEL-28898

nmstate now supports the leftsubnet option

You can define entire subnets for IPsec (Internet Protocol Security) connections when configuring Libreswan connections through the nmstate utility by using the leftsubnet option. This ensures secure communication between different network segments. The following example YAML file sets the leftsubnet option:

interfaces:
- name: hosta
   type: ipsec
   ipv4:
     enabled: true
     dhcp: true
   libreswan:
     left: 192.0.2.246
     leftid: _<hosta.example.org>_
     leftcert: _<hosta.example.org>_
     leftsubnet: 192.0.4.0/24
     leftmodecfgclient: no
     right: 192.0.2.157
     rightid: _<hostb.example.org>_
     rightsubnet: 192.0.3.0/24
     ikev2: insist

Note that the IPsec technology requires a peer-to-peer configuration, including another server with appropriate IP addresses and IPsec settings.

Jira:RHEL-26755

NetworkManager supports connecting to IPsec VPNs that use IPv6 addressing

Previously, NetworkManager supported only IPv4 addressing when using the NetworkManager-libreswan plugin to connect to Internet Protocol Security (IPsec) VPN. With this update, you can connect to IPsec VPNs that use IPv6 addressing.

Jira:RHEL-21875

You can use both firewalld and nftables services simultaneously

The firewalld and nftables systemd services are available to use simultaneously. Previously, users could enable only one of these services at a time. With this enhancement, these systemd services no longer conflict with each other.

Jira:RHEL-17002[1]

4.7. Kernel

Kernel version in RHEL 9.5

Red Hat Enterprise Linux 9.5 is distributed with the kernel version 5.14.0-503.11.1.

The eBPF facility has been rebased to Linux kernel version 6.8

Notable changes and enhancements include:

  • Support exceptions allowing asserting conditions in BPF programs that should never be true but are hard for the verifier to infer.
  • Improved working with per-cpu objects such as support for local per-cpu kptr and support for allocating and storing per-cpu objects in maps.
  • Support for BPF v4 CPU instructions for arm32 and s390x.
  • Several new open-coded iterators for task, task_vma, css, and css_task.
  • New kfunc that acquires the associated cgroup of a task within a specific cgroup v1 hierarchy.
  • Support for BPF link_info for uprobe multi-link along with bpftool integration.
  • Several improvements and bug fixes in the BPF verifier allowing more precise program verification and improving the BPF program developer experience.
  • Verifier improvement which prevents the creation of infinite loops by combining tail calls and fentry/fexit programs.
  • Change in BPF verifier logic to validate global subprograms lazily instead of unconditionally before the main program, so they can be guarded using BPF CO-RE techniques.
  • Add the ability to pin the BPF timer to the current CPU.
  • Support uid/gid options when mounting bpffs.

Jira:RHEL-23644[1]

rteval now supports relative CPU lists for loads

With this enhancement, the --loads-cpulist now accepts relative CPU lists as arguments. The syntax is the same for the default measurement CPU list when using the parameter --measurement-cpulist.

Jira:RHEL-25206[1]

A support for 420xx devices is added to QAT

With this update, QAT supports 420xx devices. It includes a new device driver that supports updates to the firmware loader and other capabilities. Compared to 4xxx devices, the 420xx devices now have more acceleration engines, 16 service engines, and 1 administrative engine, and support the wireless cipher algorithms ZUC and Snow 3G.

Jira:RHEL-17715[1]

Introducing noswap option when mounting TMPFS filesystem

TMPFS is an in-memory filesystem largely utilized for quickly sharing information across multiple processes. Starting with version 2.2, glibc expects a tmpfs filesystem to be mounted at dev/shm to support POSIX shared memory. This mount point is necessary for shm_open and shm_unlink subroutines to function correctly. TMPFS blocks can be swapped out when there is a memory shortage, which poses a problem for certain performance- or privacy-critical workloads.

Passing the new noswap mount option when mounting a TMPFS filesystem disables swap for that particular mount point of TMPFS.

Jira:RHEL-31975[1]

Introducing rteval container for real-time performance testing

The rteval container provides tools and methods for accurately measuring system latencies. With this feature, users can measure the real-time performance of their systems. It evaluates the configuration of the Linux kernel for optimal real-time performance to analyze performance based on specific application needs.

Note that no specific tuning guidelines are provided in the RHEL 9.5 release, and support is limited to customers with a Real-Time subscription.

Jira:RHELDOCS-19122[1]

NVMf-FC kdump is now supported on the IBM Power

NVMf-FC kdump now supports the IBM Power system for running kexec-tools. This allows the capture of system memory dumps over a fiber channel network using the NVMe storage devices for high-speed and low-latency access to storage for crash dump data.

Jira:RHEL-11471[1]

4.8. File systems and storage

File system quotas for tmpfs file system are now supported

The /tmp directory is typically mounted using tmpfs, and it is accessible to all users by default. This presents a risk where a single user can potentially fill up the entire system memory by writing excessively to this directory.

With this update, system administrators can now implement file system quotas to limit the space or memory users can consume on a tmpfs file system, preventing memory exhaustion.

Jira:RHEL-7768[1]

NVMe TP 8006 in-band authentication with NVMe/TCP is now supported

NVMe TP 8006 in-band authentication for NVMe over Fabrics (NVMe-oF) was introduced in RHEL 9.2 as a Technology Preview, which is now fully supported. This feature provides DH-HMAC-CHAP in-band authentication protocol for NVMe-oF, which is defined in the NVMe Technical Proposal 8006. For details, see the dhchap-secret and dhchap-ctrl-secret option descriptions in the nvme-connect(1) man page.

Jira:RHEL-61452

4.9. High availability and clusters

New pcs status wait command

The pcs command-line interface now provides a pcs status wait command. This command ensures that Pacemaker has completed any actions required by changes to the Cluster Information Base (CIB) and does not need to take any further actions in order to make the actual cluster state match the requested cluster state.

Jira:RHEL-25854

pcs support for new commands to query the status of a resource in a cluster

The pcs command-line interface now provides pcs status query resource commands to query various attributes of a single resource in a cluster. These commands query:

  • the existence of the resource
  • the type of the resource
  • the state of the resource
  • various information about the members of a collective resource
  • on which nodes the resource is running

You can use these commands for pcs-based scripting since there is no need to parse plain text outputs.

Jira:RHEL-21051

New pcs resource defaults and pcs resource op defaults option for displaying configuration in text, JSON, and command formats

The pcs resource defaults and pcs resource op defaults commands and their aliases pcs stonith defaults and pcs stonith op defaults now provide the --output-format option.

  • Specifying --output-format=text displays the configured resource defaults or operation defaults in plain text format, which is the default value for this option.
  • Specifying --output-format=cmd displays the pcs resource defaults or pcs resource op defaults commands created from the current cluster defaults configuration. You can use these commands to re-create configured resource defaults or resource operation defaults on a different system.
  • Specifying --output-format=json displays the configured resource defaults or resource operation defaults in JSON format, which is suitable for machine parsing.

Jira:RHEL-16231

New Pacemaker option to leave a panicked node shut down without rebooting automatically

You can now set the PCMK_panic_action variable in the /etc/sysconfig/pacemaker configuration file to off or sync-off. When you set this variable to off or sync-off, a node remains shut down after a panic condition instead of rebooting automatically.

Jira:RHEL-39057

Support for new pcsd Web UI features

The pcsd Web UI now supports the following features:

  • When you set the placement-strategy cluster property to default, the pcsd Web UI displays a warning near the utilization attributes for nodes and resources. This warning notes that the utilization has no effect due to placement-strategy configuration.
  • The pscd Web UI supports dark mode, which you can set through the user menu in the masthead.

Jira:RHEL-21895, Jira:RHEL-7726

4.10. Dynamic programming languages, web and database servers

Increased performance of the Python interpreter

All supported versions of Python in RHEL 9 are now compiled with GCC’s -O3 optimization flag, which is the default in upstream. As a result, you can observe increased performance of your Python applications and the interpreter itself.

Jira:RHEL-49615[1], Jira:RHEL-49635, Jira:RHEL-49637

httpd rebased to 2.4.62

The httpd package has been updated to version 2.4.62 that includes various bug fixes, security fixes, and new features. Notable feature include :

  • The following directives have been added:

    • CGIScriptTimeout directive is added in the mod_cgi module .
    • AliasPreservePath directive in the mod_alias module to map the full path after alias in a location.
    • RedirectRelative directive in mod_alias to allow relative redirect targets to be issued as-is.
    • DeflateAlterETag directive in the mod_deflate module to control the modification of ETag. The NoChange parameter mimics 2.2.x behavior.
  • An optional third argument for the ProxyRemote server is added in the mod_proxy module which configures basic authentication credentials to pass to the remote proxy.
  • LDAPConnectionPoolTTL directive now accepts negative values to allow reusing the connections of any age. Previously, an error was encountered in the mod_ldap module when you parsed the configuration file with a negative value.
  • You can now use the -T option to allow truncating the subsequent rotated log files without the initial log file being truncated in the rotatelogs binary.

Jira:RHEL-14668

mod_md rebased to version 2.4.26

The mod_md module has been updated to version 2.4.26. Notable changes over the previous version include:

  • The following directives have been added:

    • MDCheckInterval to control the number of server checks for detected revocations.
    • MDMatchNames all|servernames to allow more control over how the MDomains are matched to the VirtualHosts.
    • MDChallengeDns01Version . When you set the value of this directive to 2, it provides the command with the challenge value on the teardown invocation. By default, in version 1, only the setup invocation gets this parameter.
  • For Managed Domain in manual mode, the mod_md_verification module now checks if all used ServerName and ServerAlias reports a warning instead of an error (AH10040).
  • You can now configure the MDChallengeDns01 directive for individual domains.

Jira:RHEL-25075[1]

PostgreSQL 16 now provides the pgvector extension

The postgresql:16 module stream is now distributed with the pgvector extension. With the pgvector extension, you can store and query high-dimensional vector embeddings directly within PostgreSQL databases and perform a vector similarity search. Vector embeddings are numerical representations of data that are often used in machine learning and AI applications to capture the semantic meaning of text, images, or other data types.

Jira:RHEL-34669

A new db_converter tool to convert a libdb database to the GDBM format

The deprecated Berkeley DB (libdb) now provides the db_converter tool for converting a lidbd database to the GNU dbm (GDBM) database format. The db_converter tool is distributed in the libdb-utils subpackage.

For more information about alternatives to libdb, see the Red Hat Knowledgebase article Available replacements for the deprecated Berkeley DB (libdb) in RHEL.

Jira:RHEL-35607

4.11. Compilers and development tools

System GCC rebased to version 11.5

The system version of GCC in RHEL 9 has been updated to version 11.5. This update provides numerous bug fixes.

Jira:RHEL-35635

A new tunable for glibc is available to improve performance by placing dynamic objects closer together

Previously, the dynamic loader of glibc placed dynamic objects randomly throughout the available address space to enhance security. Consequently, objects were often too far apart, which led to inefficient calls between them.

With this update, you can now place objects closer together, specifically, in the first 2 Gb of address space, by setting the following tunable:

export GLIBC_TUNABLES=glibc.cpu.prefer_map_32bit_exec=1

Setting this tunable might result in improved performance for some applications at the expense of a small reduction in address space layout randomization (ASLR).

Jira:RHEL-20172[1]

glibc now supports dynamic linking of Intel APX-enabled functions

An incompatible dynamic linker trampoline was identified as a potential source of incompatibilities for Intel Advanced Performance Extensions (APX) applications. As a workaround, it was possible to use the BIND_NOW executable or use only the standard calling convention. With this update, the dynamic linker of glibc preserves APX-related registers.

Note

Because of this change, additional space is needed beyond the top of the stack. Users who strictly limit this space might need to adjust or evaluate the stack limits.

Jira:RHEL-25046[1]

Optimization of AMD Zen 3 and Zen 4 performance in glibc

Previously, AMD Zen 3 and Zen 4 processors sometimes used the Enhanced Repeat Move String (ERMS) version of the memcpy and memmove library routines regardless of the most optimal choice. With this update to glibc, AMD Zen 3 and Zen 4 processors use the most optimal versions of memcpy and memmove.

Jira:RHEL-25531[1]

System version of GDB rebased to version 14.2 and GDB removed from GCC Toolset

GDB has been updated to version 14.2. Starting with RHEL 9.5, GDB is transitioning into a rolling Application Stream with its system version rebased in minor releases of RHEL. Therefore, GDB is not included in GCC Toolset 14 in RHEL 9.

The following paragraphs list notable changes in GDB 14.2 since GDB 12.1.

General:

  • The info breakpoints command now displays enabled breakpoint locations of disabled breakpoints as in the y- state.
  • Added support for debug sections compressed with Zstandard (ELFCOMPRESS_ZSTD) for ELF.
  • The Text User Interface (TUI) no longer styles the source and assembly code highlighted by the current position indicator by default. To re-enable styling, use the new command set style tui-current-position.
  • A new $_inferior_thread_count convenience variable contains the number of live threads in the current inferior.
  • For breakpoints with multiple code locations, GDB now prints the code location using the <breakpoint_number>.<location_number> syntax.
  • When a breakpoint is hit, GDB now sets the $_hit_bpnum and $_hit_locno convenience variables to the hit breakpoint number and code location number. You can now disable the last hit breakpoint by using the disable $_hit_bpnum command, or disable only the specific breakpoint code location by using the disable $_hit_bpnum.$_hit_locno command.
  • Added support for the NO_COLOR environment variable.
  • Added support for integer types larger than 64 bits.
  • You can use new commands for multi-target feature configuration to configure remote target feature sets (see the set remote <name>-packet and show remote <name>-packet in Commands).
  • Added support for the Debugger Adapter Protocol.
  • You can now use the new inferior keyword to make breakpoints inferior-specific (see break or watch in Commands).
  • You can now use the new $_shell() convenience function to execute a shell command during expression evaluation.

Changes to existing commands:

  • break, watch

    • Using the thread or task keywords multiple times with the break and watch commands now results in an error instead of using the thread or task ID of the last instance of the keyword.
    • Using more than one of the thread, task, and inferior keywords in the same break or watch command is now invalid.
  • printf, dprintf

    • The printf and dprintf commands now accept the %V output format, which formats an expression the same way as the print command. You can also modify the output format by using additional print options in brackets […​] following the command, for example: printf "%V[-array-indexes on]", <array>.
  • list

    • You can now use the . argument to print the location around the point of execution in the current frame, or around the beginning of the main() function if the inferior has not started yet.
    • Attempting to list more source lines in a file than are available now issues a warning, referring the user to the . argument.
  • document user-defined

    • It is now possible to document user-defined aliases.

New commands:

  • set print nibbles [on|off] (default: off), show print nibbles - controls whether the print/t command displays binary values in groups of four bits (nibbles).
  • set debug infcall [on|off] (default: off), show debug infcall - prints additional debug messages about inferior function calls.
  • set debug solib [on|off] (default: off), show debug solib - prints additional debug messages about shared library handling.
  • set print characters <LIMIT>, show print characters, print -characters <LIMIT> - controls how many characters of a string are printed.
  • set debug breakpoint [on|off] (default: off), show debug breakpoint - prints additional debug messages about breakpoint insertion and removal.
  • maintenance print record-instruction [ N ] - prints the recorded information for a given instruction.
  • maintenance info frame-unwinders - lists the frame unwinders currently in effect in the order of priority (highest first).
  • maintenance wait-for-index-cache - waits until all pending writes to the index cache are completed.
  • info main - prints information on the main symbol to identify an entry point into the program.
  • set tui mouse-events [on|off] (default: on), show tui mouse-events - controls whether mouse click events are sent to the TUI and Python extensions (when on), or the terminal (when off).

Machine Interface (MI) changes:

  • MI version 1 has been removed.
  • MI now reports no-history when reverse execution history is exhausted.
  • The thread and task breakpoint fields are no longer reported twice in the output of the -break-insert command.
  • Thread-specific breakpoints can no longer be created on non-existent thread IDs.
  • The --simple-values argument to the -stack-list-arguments, -stack-list-locals, -stack-list-variables, and -var-list-children commands now considers reference types as simple if the target is simple.
  • The -break-insert command now accepts a new -g thread-group-id option to create inferior-specific breakpoints.
  • Breakpoint-created notifications and the output of the -break-insert command can now include an optional inferior field for the main breakpoint and each breakpoint location.
  • The async record stating the breakpoint-hit stopped reason now contains an optional field locno giving the code location number in case of a multi-location breakpoint.

Changes in the GDB Python API:

  • Events

    • A new gdb.ThreadExitedEvent event.
    • A new gdb.executable_changed event registry, which emits the ExecutableChangedEvent objects that have progspace and reload attributes.
    • New gdb.events.new_progspace and gdb.events.free_progspace event registries, which emit the NewProgpspaceEvent and FreeProgspaceEvent event types. Both of these event types have a single attribute progspace to specify the gdb.Progspace program space that is being added to or removed from GDB.
  • The gdb.unwinder.Unwinder class

    • The name attribute is now read-only.
    • The name argument of the __init__ function must be of the str type, otherwise a TypeError is raised.
    • The enabled attribute now accepts only the bool type.
  • The gdb.PendingFrame class

    • New methods: name, is_valid, pc, language, find_sal, block, and function, which mirror similar methods of the gdb.Frame class.
    • The frame-id argument of the create_unwind_info function can now be either an integer or a gdb.Value object for the pc, sp, and special attributes.
  • A new gdb.unwinder.FrameId class, which can be passed to the gdb.PendingFrame.create_unwind_info function.
  • The gdb.disassembler.DisassemblerResult class can no longer be sub-classed.
  • The gdb.disassembler module now includes styling support.
  • A new gdb.execute_mi(COMMAND, [ARG]…​) function, which invokes a GDB/MI command and returns result as a Python dictionary.
  • A new gdb.block_signals() function, which returns a context manager that blocks any signals that GDB needs to handle.
  • A new gdb.Thread subclass of the threading.Thread class, which calls the gdb.block_signals function in its start method.
  • The gdb.parse_and_eval function has a new global_context parameter to restrict parsing on global symbols.
  • The gdb.Inferior class

    • A new arguments attribute, which holds the command-line arguments to the inferior, if known.
    • A new main_name attribute, which holds the name of the inferior’s main function, if known.
    • New clear_env, set_env, and unset_env methods, which can modify the inferior’s environment before it is started.
  • The gdb.Value class

    • A new assign method to assign a value of an object.
    • A new to_array method to convert an array-like value to an array.
  • The gdb.Progspace class

    • A new objfile_for_address method, which returns the gdb.Objfile object that covers a given address (if exists).
    • A new symbol_file attribute holding the gdb.Objfile object that corresponds to the Progspace.filename variable (or None if the filename is None).
    • A new executable_filename attribute, which holds the string with a filename that is set by the exec-file or file commands, or None if no executable file is set.
  • The gdb.Breakpoint class

    • A new inferior attribute, which contains the inferior ID (an integer) for breakpoints that are inferior-specific, or None if no such breakpoints are set.
  • The gdb.Type class

    • New is_array_like and is_string_like methods, which reflect whether a type might be array- or string-like regardless of the type’s actual type code.
  • A new gdb.ValuePrinter class, which can be used as the base class for the result of applying a pretty-printer.
  • A newly implemented gdb.LazyString.__str__ method.
  • The gdb.Frame class

    • A new static_link method, which returns the outer frame of a nested function frame.
    • A new gdb.Frame.language method that returns the name of the frame’s language.
  • The gdb.Command class

    • GDB now reformats the doc string for the gdb.Command class and the gdb.Parameter sub-classes to remove unnecessary leading whitespace from each line before using the string as the help output.
  • The gdb.Objfile class

    • A new is_file attribute.
  • A new gdb.format_address(ADDRESS, PROGSPACE, ARCHITECTURE) function, which uses the same format as when printing address, symbol, and offset information from the disassembler.
  • A new gdb.current_language function, which returns the name of the current language.
  • A new Python API for wrapping GDB’s disassembler, including gdb.disassembler.register_disassembler(DISASSEMBLER, ARCH), gdb.disassembler.Disassembler, gdb.disassembler.DisassembleInfo, gdb.disassembler.builtin_disassemble(INFO, MEMORY_SOURCE), and gdb.disassembler.DisassemblerResult.
  • A new gdb.print_options function, which returns a dictionary of the prevailing print options, in the form accepted by the gdb.Value.format_string function.
  • The gdb.Value.format_string function

    • gdb.Value.format_string now uses the format provided by the print command if it is called during a print or other similar operation.
    • gdb.Value.format_string now accepts the summary keyword.
  • A new gdb.BreakpointLocation Python type.
  • The gdb.register_window_type method now restricts the set of acceptable window names.

Architecture-specific changes:

  • AMD and Intel 64-bit architectures

    • Added support for disassembler styling using the libopcodes library, which is now used by default. You can modify how the disassembler output is styled by using the set style disassembler * commands. To use the Python Pygments styling instead, use the new maintenance set libopcodes-styling off command.
  • The 64-bit ARM architecture

    • Added support for dumping memory tag data for the Memory Tagging Extension (MTE).
    • Added support for the Scalable Matrix Extension 1 and 2 (SME/SME2). Some features are still considered experimental or alpha, for example, manual function calls with ZA state or tracking Scalable Vector Graphics (SVG) changes based on DWARF.
    • Added support for Thread Local Storage (TLS) variables.
    • Added support for hardware watchpoints.
  • The 64-bit IBM Z architecture

    • Record and replay support for the new arch14 instructions on IBM Z targets, except for the specialized-function-assist instruction NNPA.
  • IBM Power Systems, Little Endian

    • Added base enablement support for POWER11.

For more details about rolling Application Streams, see the Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-36211, Jira:RHEL-10550, Jira:RHEL-39555

elfutils rebased to version 0.191

The elfutils package has been updated to version 0.191. Notable improvements include:

  • Changes in the libdw library:

    • The dwarf_addrdie function now supports binaries lacking a debug_aranges section.
    • Support for DWARF package files has been improved.
    • A new dwarf_cu_dwp_section_info function has been added.
  • Caching eviction logic in the debuginfod server has been enhanced to improve retention of small, frequent, or slow files, such as vdso.debug.
  • The eu-srcfiles utility can now fetch the source files of a DWARF/ELF file and place them into a zip archive.

Jira:RHEL-29194

SystemTap rebased to version 5.1

The SystemTap tracing and probing tool has been updated to version 5.1. Notable changes include:

  • An experimental --build-as=USER flag to reduce privileges during script compilation.
  • Improved support for probing processes running in containers, identified by host PID.
  • New probes for userspace hardware breakpoints and watchpoints.
  • Support for the --remote operation of --runtime=bpf mode.
  • Improved robustness of kernel-user transport.

Jira:RHEL-29528

valgrind rebased to version 3.23.0

The Valgrind suite has been updated to version 3.23.0. Notable enhancements include:

  • The --track-fds=yes option now warns against double closing of file descriptors, generates suppressible errors, and supports XML output.
  • The --show-error-list=no|yes option now accepts a new value, all, to also print the suppressed errors.
  • On the 64-bit IBM Z architecture, Valgrind now supports neural network processing assist (NNPA) facility vector instructions: VCNF, VCLFNH, VCFN, VCLFNL, VCRNF, and NNPA (z16/arch14).
  • On the 64-bit ARM architecture, Valgrind now supports dotprod instructions (sdot/udot).
  • On the AMD and Intel 64-bit architectures, Valgrind now provides more accurate instruction support for the x86_64-v3 microarchitecture.
  • Valgrind now provides wrappers for the wcpncpy, memccpy, strlcat, and strlcpy functions that can detect memory overlap.
  • Valgrind now supports the following Linux syscalls: mlock2, fchmodat2, and pidfd_getfd.

Jira:RHEL-29534, Jira:RHEL-10551

libabigail rebased to version 2.5

The libabigail library has been updated to version 2.5. Notable changes include:

  • Improved suppression specification for strict conversions of flexible array data members.
  • Added support for pointer-to-member types in C++ binaries.
  • Improved weak mode of the abicompat tool.
  • A new abidb tool to manage the ABI of operating systems.
  • Numerous bug fixes.

Jira:RHEL-30013, Jira:RHEL-7325, Jira:RHEL-7332

New GCC Toolset 14

GCC Toolset 14 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the AppStream repository.

The following tools and versions are provided by GCC Toolset 14:

  • GCC 14.2
  • binutils 2.41
  • annobin 12.70
  • dwz 0.14

Note that the system version of GDB has been rebased and GDB is no longer included in GCC Toolset.

To install GCC Toolset 14, enter the following command as root:

# dnf install gcc-toolset-14

To run a tool from GCC Toolset 14:

$ scl enable gcc-toolset-14 <tool>

To run a shell session where tool versions from GCC Toolset 14 override system versions of these tools:

$ scl enable gcc-toolset-14 bash

GCC Toolset 14 components are also available in the gcc-toolset-14-toolchain container image.

For more information, see GCC Toolset 14 and Using GCC Toolset.

Jira:RHEL-29758[1], Jira:RHEL-29852

GCC Toolset 14: GCC rebased to version 14.2

In GCC Toolset 14, the GNU Compiler Collection (GCC) has been updated to version 14.2.

Notable changes include:

  • Optimization and diagnostic improvements
  • A new -fhardened umbrella option, which enables a set of hardening flags
  • A new -fharden-control-flow-redundancy option to detect attacks that transfer control into the middle of functions
  • A new strub type attribute to control stack scrubbing properties of functions and variables
  • A new -finline-stringops option to force inline expansion of certain mem* functions
  • Support for new OpenMP 5.1, 5.2, and 6.0 features
  • Several new C23 features
  • Multiple new C++23 and C++26 features
  • Several resolved C++ defect reports
  • New and improved experimental support for C++20, C++23, and C++26 in the C++ library
  • Support for new CPUs in the 64-bit ARM architecture
  • Multiple new instruction set architecture (ISA) extensions in the 64-bit Intel architecture, for example: AVX10.1, AVX-VNNI-INT16, SHA512, and SM4
  • New warnings in the GCC’s static analyzer
  • Certain warnings changed to errors; for details, see Porting to GCC 14
  • Various bug fixes

For more information about changes in GCC 14, see the upstream GCC release notes.

Jira:RHEL-29853[1]

GCC Toolset 14: annobin rebased to version 12.70

In GCC Toolset 14, annobin has been updated to version 12.70. The updated set of the annobin tools for testing binaries provides various bug fixes, introduces new tests, and updates the tools to build and work with newer versions of the GCC, Clang, LLVM, and Go compilers. With the enhanced tools, you can detect new issues in programs that are built in a non-standard way.

Jira:RHEL-29850[1]

GCC Toolset 14: binutils rebased to version 2.41

RHEL 9.5 is distributed with GCC Toolset 14 binutils version 2.41. New features include:

  • binutils tools support architecture extensions in the 64-bit Intel and ARM architectures.
  • The linker now accepts the --remap-inputs <PATTERN>=<FILE> command-line option to replace any input file that matches <PATTERN> with <FILE>. In addition, you can use the --remap-inputs-file=<FILE> option to specify a file containing any number of these remapping directives.
  • For ELF targets, you can use the linker command-line option --print-map-locals to include local symbols in a linker map.
  • For most ELF-based targets, you can use the --enable-linker-version option to insert the version of the linker as a string into the .comment section.
  • The linker script syntax has a new command for output sections, ASCIZ "<string>", which inserts a zero-terminated string at the current location.
  • You can use the new -z nosectionheader linker command-line option to omit ELF section header.

Jira:RHEL-29851[1]

LLVM Toolset updated to 18.1.8

LLVM Toolset has been updated to version 18.1.8.

Notable LLVM updates:

  • The constant expression variants of the following instructions have been removed: and, or, lshr, ashr, zext, sext, fptrunc, fpext, fptoui, fptosi, uitofp, sitofp.
  • The llvm.exp10 intrinsic has been added.
  • The code_model attribute for global variables has been added.
  • The backend for the AArch64, AMDGPU, PowerPC, RISC-V, SystemZ and x86 architectures has been improved.
  • LLVM tools have been improved.

Notable Clang enhancements:

  • C++20 feature support:

    • Clang no longer performs One Definition Rule (ODR) checks for declarations in the global module fragment. To enable more strict behavior, use the -Xclang -fno-skip-odr-check-in-gmf option.
  • C++23 feature support:

    • A new diagnostic flag -Wc++23-lambda-attributes has been added to warn about the use of attributes on lambdas.
  • C++2c feature support:

    • Clang now allows using the _ character as a placeholder variable name multiple times in the same scope.
    • Attributes now expect unevaluated strings in attribute parameters that are string literals.
    • The deprecated arithmetic conversion on enumerations from C++26 has been removed.
    • The specification of template parameter initialization has been improved.
  • For a complete list of changes, see the upstream release notes for Clang.

ABI changes in Clang:

  • Following the SystemV ABI for x86_64, the __int128 arguments are no longer split between a register and a stack slot.
  • For more information, see the list of ABI changes in Clang.

Notable backwards incompatible changes:

  • A bug fix in the reversed argument order for templated operators breaks code in C++20 that was previously accepted in C++17.
  • The GCC_INSTALL_PREFIX CMake variable (which sets the default --gcc-toolchain=) is deprecated and will be removed. Specify the --gcc-install-dir= or --gcc-triple= option in a configuration file instead.
  • The default extension name for precompiled headers (PCH) generation (-c -xc-header and -c -xc++-header) is now .pch instead of .gch.
  • When -include a.h probes the a.h.gch file, the include now ignores a.h.gch if it is not a Clang PCH file or a directory containing any Clang PCH file.
  • A bug that caused __has_cpp_attribute and __has_c_attribute to return incorrect values for certain C++-11-style attributes has been fixed.
  • A bug in finding a matching operator!= while adding a reversed operator== has been fixed.
  • The name mangling rules for function templates have been changed to accept that functions can be overloaded on their template parameter lists or requires-clauses.
  • The -Wenum-constexpr-conversion warning is now enabled by default on system headers and macros. It will be turned into a hard (non-downgradable) error in the next Clang release.
  • A path to the imported modules for C++20 named modules can no longer be hardcoded. You must specify all the dependent modules from the command line.
  • It is no longer possible to import modules by using import <module>; Clang uses explicitly-built modules.
  • For more details, see the list of potentially breaking changes.

For more information, see the LLVM release notes and Clang release notes.

LVM Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.

Jira:RHEL-28687

Rust Toolset rebased to version 1.79.0

Rust Toolset has been updated to version 1.79.0. Notable enhancements since the previously available version 1.75.0 include:

  • A new offset_of! macro
  • Support for C-string literals
  • Support for inline const expressions
  • Support for bounds in associated type position
  • Improved automatic temporary lifetime extension
  • Debug assertions for unsafe preconditions

Rust Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.

Jira:RHEL-30070

Go Toolset rebased to version 1.22

Go Toolset has been updated to version 1.22.

Notable enhancements include:

  • Variables in for loops are now created per iteration, preventing accidental sharing bugs. Additionally, for loops can now range over integers.
  • Commands in workspaces can now use a vendor directory for the dependencies of the workspace.
  • The go get command no longer supports the legacy GOPATH mode. This change does not affect the go build and go test commands.
  • The vet tool has been updated to match the new behavior of the for loops.
  • CPU performance has been improved by keeping type-based garbage collection metadata nearer to each heap object.
  • Go now provides improved inlining optimizations and better profile-guided optimization support for higher performance.
  • A new math/rand/v2 package is available.
  • Go now provides enhanced HTTP routing patterns with support for methods and wildcards.

For more information, see the Go upstream release notes.

Go Toolset is a rolling Application Stream, and only the latest version is supported. For more information, see the Red Hat Enterprise Linux Application Streams Life Cycle document.

Jira:RHEL-29527[1]

PCP rebased to version 6.2.2

Performance Co-Pilot (PCP) has been updated to version 6.2.2. Notable changes over the previously available version 6.2.0 include:

New tools and agents

  • pcp2openmetrics: a new tool to push PCP metrics in Open Metrics format to remote end points
  • pcp-geolocate: a new tool to report latitude and longitude metric labels
  • pmcheck: a new tool to interrogate and control PCP components
  • pmdauwsgi: a new PCP agent that exports instrumentation from uWSGI servers

Enhanced tools

  • pmdalinux: added new kernel metrics (hugepages, filesystems, TCP, softnet, virtual machine balloon)
  • pmdalibvirt: added support for metric labels, added new balloon, vCPU, and domain info metrics
  • pmdabpf: improved eBPF networking metrics for use with the pcp-atop utility

Jira:RHEL-30198

Grafana rebased to version 10.2.6

The Grafana platform has been updated to version 10.2.6.

Notable enhancements include:

  • Support for zooming in on the y axis of time series and candlestick visualizations by holding shift while clicking and dragging.
  • Streamlined data source selection when creating a dashboard.
  • Updated User Interface, including updates to navigation and the command palette.
  • Various improvements to transformations, including the new unary operation mode for the Add field from calculation transformation.
  • Various improvements to dashboards and data visualizations, including a redesigned empty dashboard and dashboard panel.
  • New geomap and canvas panels.

Other changes:

  • Various improvements to users, access, authentication, authorization, and security.
  • Alerting improvements along with new alerting features.
  • Public dashboards now available.

For a complete list of changes since the previously available Grafana version 9.2, see the upstream documentation.

Jira:RHEL-31246[1]

GCC Toolset 13: GCC supports AMD Zen 5

The GCC Toolset 13 version of GCC adds support for the AMD Zen 5 processor microarchitecture. To enable the support, use the -march=znver5 command-line option.

Jira:RHEL-36523[1]

Red Hat build of OpenJDK 17 is now the default Java implementation in RHEL 9

The default RHEL 9 Java implementation is being changed from OpenJDK 11, which has reached its End Of Life (EOL), to OpenJDK 17. After this update, the java-17-openjdk packages, which provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit, will also provide the java and java-devel packages. For more information, see the OpenJDK documentation.

Existing packages in RHEL 9 that call java/bin or java-openjdk/bin directly will be immediately able to use OpenJDK 17.

Existing packages in RHEL 9 that require the java or java-devel packages directly, namely tomcat and systemtap-runtime-java, will pull the appropriate dependency automatically.

Ant, Maven, and packages that are using Java indirectly through the javapackages-tools package will be fully transitioned in an asynchronous update shortly after the general availability of RHEL 9.5.

If you need to install OpenJDK for the first time or if the default package is not installed through a dependency chain, use DNF:

# dnf install java-17-openjdk-devel

For more information, see Installing multiple minor versions of Red Hat build of OpenJDK on RHEL by using yum.

Important

The current java-11-openjdk packages in RHEL 9 will not receive any further updates. However, Red Hat will provide Extended Life Cycle support (ELS) phase 1 with updates for Red Hat build of OpenJDK 11 until October 31, 2027. See Red Hat build of OpenJDK 11 Extended Lifecycle Support (ELS-1) Availability for details.

For information specific to the OpenJDK ELS program and the OpenJDK lifecycle, see the OpenJDK Life Cycle and Support Policy.

Note

If you have the alternatives command set to manual mode for java and related components, OpenJDK 11 will still be used after the update. To use OpenJDK 17 in this case, change the alternatives setting to auto, for example:

# alternatives --auto java
# alternatives --auto javac

Use the alternatives --list command to verify the settings.

Jira:RHEL-56094[1]

4.12. Identity Management

python-jwcrypto rebased to version 1.5.6

The python-jwcrypto package has been updated to version 1.5.6. This version includes a security fix to an issue where an attacker could cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio.

Jira:RHELDOCS-18197[1]

ansible-freeipa rebased to 1.13.2

The ansible-freeipa package has been rebased from version 1.12.1 to 1.13.2 Notable enhancements include:

  • The ansible-freeipa package requires the ansible-core package version 2.15 minimum. Both ansible-core 2.15 and the latest version of ansible-freeipa are available in the Appstream repository. For this reason, no manual update of ansible-core is required.
  • You can now create an inventory of Identity Management (IdM) servers for ansible-freeipa playbooks dynamically. The freeipa plugin gathers data about the IdM servers in the domain, and selects only those that have a specified IdM server role assigned. For example, if you want to search the logs of all IdM DNS servers in the domain to detect possible issues, the plugin ensures that all IdM replicas with the DNS server role are detected and automatically added to the managed nodes.
  • You can now more efficiently run ansible-freeipa playbooks that use a single Ansible task to add, modify, and delete multiple Identity Management (IdM) users, user groups, hosts, and services. Previously, each entry in a list of users had its dedicated API call. With this enhancement, several API calls are combined into one API call within a task. The same applies to lists of user groups, hosts and services.

    As a result, the speed of adding, modifying, and deleting these IdM objects by using the ipauser, ipagroup, ipahost and ipaservice modules is increased. The biggest benefit can be seen when the client context is used.

  • ansible-freeipa now additionally provides the roles and modules as an Ansible collection in the ansible-freeipa-collection subpackage. To use the new collection:

    1. Install the ansible-freeipa-collection subpackage.
    2. Add the freeipa.ansible_freeipa prefix to the names of roles and modules. Use the fully-qualified names to follow Ansible recommendations. For example, to refer to the ipahbacrule module, use freeipa.ansible_freeipa.ipahbacrule.

    You can simplify the use of the modules that are part of the freeipa.ansible_freeipa collection by applying module_defaults.

Jira:RHEL-35565

ipa rebased to version 4.12.0

The ipa package has been updated from version 4.11 to 4.12.0. Notable changes include:

  • You can enforce LDAP authentication to fail for a user that does not provide an OTP token.
  • You can enroll an Identity Management (IdM) client using a trusted Active Directory user.
  • Documentation for identity mapping in FreeIPA is now available.
  • The python-dns package has been rebased to version 2.6.1-1.el10.
  • The ansible-freeipa package has been rebased from version 1.12.1 to 1.13.2.

For more information, see the FreeIPA and ansible-freeipa upstream release notes.

Jira:RHEL-39140

certmonger rebased to version 0.79.20

The certmonger package has been rebased to version 0.79.20. The update includes various bug fixes and enhancements, most notably:

  • Enhanced handling of new certificates in the internal token and improved the removal process on renewal.
  • Removed restrictions on tokens for CKM_RSA_X_509 cryptographic mechanism.
  • Fixed the documentation for the getcert add-scep-ca, --ca-cert, and --ra-cert options.
  • Renamed the D-Bus service and configuration files to match canonical name.
  • Added missing .TP tags in the getcert-resubmit man page.
  • Migrated to the SPDX license format.
  • Included owner and permissions information in the getcert list output.
  • Removed the requirement for an NSS database in the cm_certread_n_parse function.
  • Added translations using Webplate for Simplified Chinese, Georgian, and Russian.

Jira:RHEL-12493

samba rebased to version 4.20.2

The samba packages have been upgraded to upstream version 4.20.2, which provides bug fixes and enhancements over the previous version. The most notable changes are:

  • The smbacls utility can now save and restore discretionary access control list (DACL) entries. This feature mimics the functionality of the Windows icacls.exe utility.
  • Samba now supports conditional access control entries (ACEs).
  • Samba no longer reads currently logged on users from the /var/run/utmp file. This feature was removed from the NetWkstaGetInfo level 102 and NetWkstaEnumUsers level 0 and 1 functions because /var/run/utmp uses a time format that is not year 2038 safe.

Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 and will be removed in a future release.

Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba automatically updates its tdb database files. Red Hat does not support downgrading tdb database files.

After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file.

Jira:RHEL-33645[1]

389-ds-base rebased to version 2.5.2

The 389-ds-base package has been updated to version 2.5.2. Notable bug fixes and enhancements over version 2.4.5 include:

Jira:RHEL-31777

Improved MIT krb5 TCP connection timeout handling

Previously, TCP connections timed out after 10 seconds. With this update, MIT krb5 TCP connection handling has been modified to no longer use a default timeout. The request_timeout setting now limits the total request duration rather than the duration of individual TCP connections. This change addresses integration issues with SSSD, especially for two-factor authentication use cases. As a result, users experience more consistent handling of TCP connections, as the request_timeout setting now effectively controls the global request maximum duration.

Jira:RHEL-17132[1]

New SSSD option: failover_primary_timeout

You can use the failover_primary_timeout option to specify the time interval in seconds for the sssd service to attempt reconnecting to the primary IdM server after switching to a backup server. The default value is 31 seconds. Previously, if the primary server was unavailable, SSSD would automatically switch to a backup server after the fixed timeout of 31 seconds.

Jira:RHEL-17659[1]

4.13. Desktop

GNOME Online Accounts can restrict which features providers can use

You can use the new goa.conf file in the system configuration directory, usually named /etc/goa.conf, to limit what features each provider can use.

In the goa.conf file, the group name defines the provider type, and the keys define boolean switches to disable the respective features. If you do not set any key or section for a feature, the feature is enabled.

For example, to disable the mail feature for Google accounts, use the following setting:

[google]
mail=false

You can use the all special section name to cover every provider. The value in the specific provider has precedence, if it exists and contains a valid boolean value. Note that some combinations of disabled features can lead to incomplete or invalid accounts being read by the GOA users, such as the Evolution application. Always test the changes first. Restart the GNOME Online Accounts for the changed configuration to take effect.

Jira:RHEL-40831

4.14. The web console

New package: cockpit-files

The cockpit-files package provides the File manager page in the RHEL web console. With the File manager, you can perform the following actions:

  • Browse files and directories on file systems you can access
  • Sort files and directories by various criteria
  • Filter displayed files by a sub-string
  • Copy, move, delete, and rename files and directories
  • Create directories
  • Upload files
  • Bookmark file paths
  • Use keyboard shortcuts for the actions

Jira:RHELDOCS-16362[1]

4.15. Red Hat Enterprise Linux System Roles

Support for new ha_cluster system role features

The ha_cluster system role now supports the following features:

  • Configuring utilization attributes for node and primitive resources.
  • Configuring node addresses and SBD options by using the ha_cluster_node_options variable. If both ha_cluster_node_options and ha_cluster variables are defined, their values are merged, with values from ha_cluster_node_options having precedence.
  • Configuring access control lists (ACLs).
  • Configuring Pacemaker alerts to take an external action when a cluster event such as node failure or resource starting or stopping occurs.
  • Easy installation of agents for cloud environments by setting the ha_cluster_install_cloud_agents variable to true.

Jira:RHEL-30111, Jira:RHEL-17271, Jira:RHEL-33532, Jira:RHEL-27186

Support for configuring GFS2 file systems by using RHEL system roles

Red Hat Enterprise Linux 9.5 supports the configuration and management of the Red Hat Global File System 2 (GFS2) by using the gfs2 RHEL system role. The role creates GFS2 file systems in a Pacemaker cluster managed with the pcs command-line interface.

Previously, setting up GFS2 file systems in a supported configuration required you to follow a long series of steps to configure the storage and cluster resources. The gfs2 role simplifies the process. Using the role, you can specify only the minimum information needed to configure GFS2 file systems in a RHEL high availability cluster.

The gfs2 role performs the following tasks:

  • Installing the packages necessary for configuring a GFS2 file system in a Red Hat high availability cluster
  • Setting up the dlm and lvmlockd cluster resources
  • Creating the LVM volume groups and logical volumes required by the GFS2 file system
  • Creating the GFS2 file system and cluster resources with the necessary resource constraints

Jira:RHELDOCS-18629[1]

New sudo RHEL system role

sudo is a critical part of RHEL system configuration. With the new sudo RHEL system role, you can consistently manage sudo configuration at scale across your RHEL systems.

Jira:RHEL-37549

The storage RHEL system role can now manage Stratis pools

With this enhancement, you can use the storage RHEL system role to complete the following tasks:

  • Create a new encrypted and unencrypted Stratis pool
  • Add new volumes to the existing Stratis pool
  • Add new disks to the Stratis pool

For details on how to manage Stratis pools and other related information, see the resources in the /usr/share/doc/rhel-system-roles/storage/ directory.

Jira:RHEL-31854

New variables in the journald RHEL system role: journald_rate_limit_interval_sec and journald_rate_limit_burst

The following two variables have been added to the journald RHEL system role:

  • journald_rate_limit_interval_sec (integer, defaults to 30): Configures a time interval in seconds, within which only the journald_rate_limit_burst log messages are handled. The journald_rate_limit_interval_sec variable corresponds to the RateLimitIntervalSec setting in the journald.conf file.
  • journald_rate_limit_burst (integer, defaults to 10 000): Configures the upper limit of log messages, which are handled within the time defined by journald_rate_limit_interval_sec. The journald_rate_limit_burst variable corresponds to the RateLimitBurst setting in the journald.conf file.

As a result, you can use these settings to tune the performance of the journald service to handle applications that log many messages in a short period of time.

For more details, see the resources in the /usr/share/doc/rhel-system-roles/journald/ directory.

Jira:RHEL-30170

New variables in the podman RHEL system role: podman_registry_username and podman_registry_password

The podman RHEL system role now enables you to specify the container image registry credentials either globally or on a per-specification basis. For that purpose, you must configure both role variables:

  • podman_registry_username (string, defaults to unset): Configures the username for authentication with the container image registry. You must also set the podman_registry_password variable. You can override podman_registry_username on a per-specification basis with the registry_username variable. Each operation involving credentials would then be performed according to the detailed rules and protocols defined in that specification.
  • podman_registry_password (string, defaults to unset): Configures the password for authentication with the container image registry. You must also set the podman_registry_username variable. You can override podman_registry_password on a per-specification basis with the registry_password variable. Each operation involving credentials would then be performed according to the detailed rules and protocols defined in that specification. For security, encrypt the password using the Ansible Vault feature.

As a result, you can use the podman RHEL system role to manage containers with images, whose registries require authentication for access.

For more details, see the resources in the /usr/share/doc/rhel-system-roles/podman/ directory.

Jira:RHEL-30185

New variable in the postfix RHEL system role: postfix_files

The postfix RHEL system role now enables you to configure extra files for the Postfix mail transfer agent. For that purpose, you can use the following role variable:

postfix_files
Defines a list of files to be placed in the /etc/postfix/ directory that can be converted into Postfix Lookup Tables if needed. This variable enables you to configure Simple Authentication and Security Layer (SASL) credentials, and similar. For security, encrypt files that contain credentials and other secrets using the Ansible Vault feature.

As a result, you can use the postfix RHEL system role to create these extra files and integrate them in your Postfix configuration.

For more details, see the resources in the /usr/share/doc/rhel-system-roles/postfix/ directory.

Jira:RHEL-46854

The snapshot RHEL system role now supports managing snapshots of LVM thin pools

With thin provisioning, you can use the snapshot RHEL system role to manage snapshots of LVM thin pools. These thin snapshots are space-efficient and only grow as data is written or modified after the snapshot is taken. The role automatically detects if the specified volume is scheduled for a thin pool. The added feature could be useful in environments where you need to take frequent snapshots without consuming a lot of physical storage.

Jira:RHEL-48227

New option in the logging RHEL system role: reopen_on_truncate

The files input type of the logging_inputs variable now supports the following option:

reopen_on_truncate (boolean, defaults to false)
Configures the rsyslog service to re-open the input log file if it was truncated, such as during log rotation. The reopen_on_truncate role option corresponds to the reopenOnTruncate parameter for rsyslog.

As a result, you can configure rsyslog in an automated fashion through the logging RHEL system role to re-open an input log file if it was truncated.

For more details, see the resources in the /usr/share/doc/rhel-system-roles/logging/ directory.

Jira:RHEL-46590[1]

New variable in the logging RHEL system role: logging_custom_config_files

You can provide custom logging configuration files by using the following variable for the logging RHEL system role:

logging_custom_config_files (list)
Configures a list of configuration files to copy to the default logging configuration directory. For example, for the rsyslog service it is the /etc/rsyslog.d/ directory. This assumes the default logging configuration loads and processes the configuration files in that directory. The default rsyslog configuration has a directive such as $IncludeConfig /etc/rsyslog.d/*.conf.

As a result, you can use customized configurations not provided by the logging RHEL system role.

For more details, see the resources in the /usr/share/doc/rhel-system-roles/logging/ directory.

Jira:RHEL-40273

The logging RHEL system role can set ownership and permissions for rsyslog files and directories

The files output type of the logging_outputs variable now supports the following options:

  • mode (raw, defaults to null): Configures the FileCreateMode parameter associated with the omfile module in the rsyslog service.
  • owner (string, defaults to null): Configures the fileOwner or fileOwnerNum parameter associated with the omfile module in rsyslog. If the value is an integer, it sets fileOwnerNum. Otherwise, it sets fileOwner.
  • group (string, defaults to null): Configures the fileGroup or fileGroupNum parameter associated with the omfile module in rsyslog. If the value is an integer, it sets fileGroupNum. Otherwise, it sets fileGroup.
  • dir_mode (defaults to null): Configures the DirCreateMode parameter associated with the omfile module in rsyslog.
  • dir_owner (defaults to null): Configures the dirOwner or dirOwnerNum parameter associated with the omfile module in rsyslog. If the value is an integer, it sets dirOwnerNum. Otherwise, it sets dirOwner.
  • dir_group (defaults to null): Configures the dirGroup or dirGroupNum parameter associated with the omfile module in rsyslog. If the value is an integer, it sets dirGroupNum. Otherwise, it sets dirGroup.

As a result, you can set ownership and permissions for files and directories created by rsyslog.

Note that the file or directory properties are the same as the corresponding variables in the Ansible file module.

For more details, see the resources in the /usr/share/doc/rhel-system-roles/logging/ directory. Alternatively, review the output of the ansible-doc file command.

Jira:RHEL-34935[1]

Using the storage RHEL system role creates fingerprints on managed nodes

If not already present, storage creates a unique identifier (fingerprint) every time you run this role. The fingerprint has the form of the # system_role:storage string written to the /etc/fstab file on your managed nodes. As a result, you can track which nodes are managed by storage.

Jira:RHEL-30888

New variables in the podman RHEL system role: podman_registry_certificates and podman_validate_certs

The following two variables have been added to the podman RHEL system role:

  • podman_registry_certificates (list of dictionary elements): Enables you to manage TLS certificates and keys used to connect to the specified container image registry.
  • podman_validate_certs (boolean, defaults to null): Controls whether pulling images from container image registries will validate TLS certificates or not. The default null value means that it is used whatever the default configured by the containers.podman.podman_image module is. You can override the podman_validate_certs variable on a per-specification basis with the validate_certs variable.

As a result, you can use the podman RHEL system role to configure TLS settings for connecting to container image registries.

For more details, see the resources in the /usr/share/doc/rhel-system-roles/podman/ directory. Alternatively, you can review the containers-certs(5) manual page.

Jira:RHEL-33547

New variable in the podman RHEL system role: podman_credential_files

Some operations need to pull container images from registries in an automated or unattended way and cannot use the podman_registry_username and podman_registry_password variables.

Therefore, the podman RHEL system role now accepts the containers-auth.json file to authenticate against container image registries. For that purpose, you can use the following role variable:

podman_credential_files (list of dictionary elements)
Each dictionary element in the list defines a file with user credentials for authentication to private container image registries. For security, encrypt these credentials using the Ansible Vault feature. You can specify file name, mode, owner, group of the file, and can specify the contents in different ways. See the role documentation for more details.

As a result, you can input container image registry credentials for automated and unattended operations.

For more details, see the resources in the /usr/share/doc/rhel-system-roles/podman/ directory. Alternatively, you can review the containers-auth.json(5) and containers-registries.conf(5) manual pages.

Jira:RHEL-30183

The nbde_client RHEL system role now enables you to skip running certain configurations

With the nbde_client RHEL system role you can now disable the following mechanisms:

  • Initial ramdisk
  • NetworkManager flush module
  • Dracut flush module

The clevis-luks-askpass utility unlocks some storage volumes late in the boot process after the NetworkManager service puts the OS on the network. Therefore, no configuration changes to the mentioned mechanisms are necessary.

As a result, you can disable the mentioned configurations from being run to support advanced networking setups, or volume decryption to occur late in the boot process.

Jira:RHEL-45717

The ssh RHEL system role now recognizes the ObscureKeystrokeTiming and ChannelTimeout configuration options

The ssh RHEL system role has been updated to reflect addition of the following configuration options in the OpenSSH utility suite:

  • ObscureKeystrokeTiming (yes|no|interval specifier, defaults to 20): Configures whether the ssh utility should obscure the inter-keystroke timings from passive observers of network traffic.
  • ChannelTimeout: Configures whether and how quickly the ssh utility should close inactive channels.

When using the ssh RHEL system role, you can use the new options like in this example play:

---
- name: Non-exclusive sshd configuration
  hosts: managed-node-01.example.com
  tasks:
    - name: Configure ssh to obscure keystroke timing and set 5m session timeout
      ansible.builtin.include_role:
        name: rhel-system-roles.ssh
      vars:
        ssh_ObscureKeystrokeTiming: "interval:80"
        ssh_ChannelTimeout: "session=5m"

Jira:RHEL-40180

The src parameter was added to the network RHEL system role

The src parameter to the route sub-option of the ip option for the network_connections variable has been added. This parameter specifies the source IP address for a route. Typically, it is useful for the multi-WAN connections. These setups ensure that a machine has multiple public IP addresses, and outbound traffic uses a specific IP address tied to a particular network interface. As a result, support for the src parameter provides better control over traffic routing by ensuring a more robust and flexible network configuration capability in the described scenarios.

For more details, see the resources in the /usr/share/doc/rhel-system-roles/network/ directory.

Jira:RHEL-3252

The storage RHEL system role can now resize LVM physical volumes

If the size of a block device has changed and you use this device in an LVM, you can adjust the LVM physical volume as well. With this enhancement, you can use the storage RHEL system role to resize LVM physical volumes to match the size of the underlying block devices after you resized it. To enable automatic resizing, set grow_to_fill: true on the pool in your playbook.

Jira:RHEL-14862

4.16. Virtualization

RHEL supports live migrating VMs with attached NVIDIA vGPUs

With this update, you can now live migrate a running virtual machine with attached vGPUs to another KVM host. Currently, this is only possible with NVIDIA GPUs.

This functionality is available only with certain NVIDIA Virtual GPU Software Driver versions. Refer to the relevant NVIDIA vGPU documentation for more details.

Jira:RHELDOCS-16572[1]

nbdkit rebased to version 1.38

The nbdkit package has been rebased to upstream version 1.38, which provides various bug fixes and enhancements. The most notable changes are the following:

  • Block size advertising has been enhanced and a new read-only filter has been added.
  • The Python and OCaml bindings support more features of the server API.
  • Internal struct integrity checks have been added to make the server more robust.

For a complete list of changes, see the upstream release notes.

Jira:RHEL-31884

4.17. RHEL in cloud environments

OpenTelemetry Collector for RHEL on public cloud platforms

When running RHEL on a public cloud platform, you can now use the OpenTelemetry (OTel) framework to collect and send telemetry data, such as logs, metrics, and traces. This helps you maintain and debug your RHEL cloud instances. With this update, RHEL includes the OTel Collector service, which you can use to manage logs. The OTel Collector gathers, processes, transforms, and exports logs to and from various formats and external back ends. You can also use the OTel Collector to aggregate the collected data and generate metrics useful for analytics services. For example, you can configure OTel Collector to send data to Amazon Web Services (AWS) CloudWatch, which enhances the scope and accuracy of data obtained by CloudWatch from RHEL instances .

For details, see Configuring the OpenTelemetry Collector for RHEL on public cloud platforms.

Jira:RHELDOCS-18125[1]

awscli2 is generally available for RHEL on AWS

With the awscli2 utility, you can now use Amazon Web Services (AWS) APIs from a RHEL instance to deploy new infrastructure offerings, as well as manage existing deployments. Note that installing awscli2 from a Red Hat Enterprise Linux repository ensures that awscli2 is installed from a trusted source and receives automatic updates. As a result, you can gather information regarding cloud deployment services, manage infrastructure resources, and refer to built-in documentation provided with awscli2.

Jira:RHEL-14523[1]

Log collection on Azure is now disabled by default

Previously, the Windows Azure Linux Agent (WALA) in Microsoft Azure collected debugging logs on virtual machines (VMs) by default. However, these agent logs might contain confidential information. To improve data security, WALA is now disabled by default, and does not collect any data on the VM. To re-enable log collection, do the following:

  1. Edit the /etc/waagent.conf file.
  2. Set the Logs.Collect parameter value to y.

Jira:RHEL-7273[1]

4.18. Supportability

The --api-url option is now available

With the --api-url option you can call another API as per requirement. For instance, the API for an OCP cluster. Example: sos collect --cluster-type=ocp --cluster-option ocp.api-url=_<API_URL> --alloptions.

Jira:RHEL-24523

The new --skip-cleaning-files option is now available

The --skip-cleaning-files option for the sos report command allows you to skip cleaning selected files. The option supports globs and wildcards. Example: sos report -o host --batch --clean --skip-cleaning-files 'hostname'.

Jira:RHEL-30893[1]

The plugin option names now use only hyphens instead of underscores

To ensure consistency across sos global options, the plugin option names now use only hyphens instead of underscores For example, the networking plugin namespace_pattern option is now namespace-pattern and must be specified by using the --plugin-option networking.namespace-pattern=<pattern> syntax.

Jira:RHELDOCS-18655[1]

4.19. Containers

Image mode for RHEL now supports FIPS mode

With this enhancement, you can enable the FIPS mode when building a bootc image to configure the system to use only FIPS-approved modules. You can use bootc-image-builder, which requires enabling the FIPS crypto policy in the Containerfile configuration, or use the RHEL Anaconda installation, that additionally to enabling FIPS mode in the Containerfile, also requires adding the fips=1 kernel argument when booting the system installation. See Installing the system with FIPS mode enabled for more details.

The following is a Containerfile with instructions to enable the fips=1 kernel argument:

FROM registry.redhat.io/rhel9/rhel-bootc:latest#
# Enable fips=1 kernel argument:
https://containers.github.io/bootc/building/kernel-arguments.html
COPY 01-fips.toml /usr/lib/bootc/kargs.d/
# Install and enable the FIPS crypto policy
RUN dnf install -y crypto-policies-scripts && update-crypto-policies --no-reload --set FIPS

Jira:RHELDOCS-18585[1]

Image mode for RHEL now supports logically bound app images

With this enhancement, you have support for container images that are lifecycle bound to the base bootc image. This helps unite different operational processes for applications and operating systems and the app images are referenced from the base image as image files or an equivalent. As a result, you can manage multiple container images for system installations, for example, for a disconnected installation, the system must all be mirrored, not just one.

Jira:RHELDOCS-18666[1]

Podman and Buildah support adding OCI artifacts to image indexes

With this update, you can create artifact manifests and add them to image indexes.

The buildah manifest add command now supports the following options:

  • the --artifact option to create artifact manifests
  • the --artifact-type, --artifact-config-type, --artifact-layer-type, --artifact-exclude-titles, and --subject options to finetune the contents of the artifact manifests it creates.

The buildah manifest annotate command now supports the following options:

  • the --index option to set annotations on the index itself instead of a one of the entries in the image index
  • the --subject option for setting the subject field of an image index.

The buildah manifest create command now supports the --annotation option to add annotations to the new image index.

Jira:RHEL-33572

Option is available to disable Podman healthcheck event

This enhancement adds a new healthcheck_events option in the containers.conf configuration file under the [engine] section to disable the generation of health_status events. Set healthcheck_events=false to disable logging healthchek events.

Jira:RHEL-34603

Runtime resource changes in Podman are persistent

The updates of container configuration by using the podman update command are persistent. Note that this enhancement is for both SQLite and BoltDB database backends.

Jira:RHEL-33567

Building multi-architecture images is fully supported

The podman farm build command that creates multi-architecture container images is now fully supported.

A farm is a group of machines that have a unix Podman socket running in them. The nodes in the farm can have different machines of various architectures. The podman farm build command is faster than the podman build --arch --platform command.

You can use podman farm build to perform the following actions:

  • Build an image on all nodes in a farm.
  • Bundle an image on all nodes in a farm up into a manifest list.
  • Execute the podman build command on all the farm nodes.
  • Push the images to the registry specified by using the --tag option.
  • Locally create a manifest list.
  • Push the manifest list to the registry.

The manifest list contains one image per native architecture type present in the farm.

Jira:RHEL-34609

Quadlets for pods in Podman are available

Beginning with Podman v5.0, you can use Quadlet to automatically generate a systemd service file from a pod description.

Jira:RHEL-33574

The Podman v2.0 RESTful API has been updated

The new fields has been added to the libpod/images/json endpoint:

  • The isManifest boolean field to determine if the target is a manifest or not. The libpod endpoint returns both images and manifest lists.
  • The os and arch fields for image listing.

Jira:RHEL-34612

Kubernetes YAML now supports a data volume container as an init container

A list of images to automatically mount as volumes can now be specified in Kubernetes YAML by using the "io.podman.annotations.kube.image.automount/$ctrname" annotation. Image-based mounts using podman run --mount type=image,source=<image>,dst=<path>,subpath=<path> now support a new option, subpath, to mount only part of the image into the container.

Jira:RHEL-34605

The Container Tools packages have been updated

The updated Container Tools RPM meta-package, which contains the Podman, Buildah, Skopeo, crun, and runc tools, is now available. Podman v5.0 contains the following notable bug fixes and enhancements over the previous version:

  • The podman manifest add command now supports a new --artifact option to add OCI artifacts to a manifest list.
  • The podman create, podman run, and podman push commands now support the --retry and --retry-delay options to configure retries for pushing and pulling images.
  • The podman run and podman exec commands now support the --preserve-fd option to pass a list of file descriptors into the container. It is an alternative to --preserve-fds, which passes a specific number of file descriptors.
  • Quadlet now supports templated units.
  • The podman kube play command can now create image-based volumes by using the volume.podman.io/image annotation.
  • Containers created with the podman kube play command can now include volumes from other containers by using a new annotation, io.podman.annotations.volumes-from.
  • Pods created with the podman kube play command can now set user namespace options by using the io.podman.annotations.userns annotation in the pod definition.
  • The --gpus option to podman create and podman run is now compatible with Nvidia GPUs.
  • The --mount option to podman create and podman run supports a new mount option, no-dereference, to mount a symlink instead of its dereferenced target into a container.
  • Podman now supports the new --config global option to point to a Docker configuration where registry login credentials can be sourced.
  • The podman ps --format command now supports the new .Label format specifier.
  • The uidmapping and gidmapping options to the podman run --userns=auto option can now map to host IDs by prefixing host IDs with the @ symbol.
  • Quadlet now supports systemd-style drop-in directories.
  • Quadlet now supports creating pods by using the new .pod unit files.
  • Quadlet now supports two new keys, Entrypoint and StopTimeout, in .container files.
  • Quadlet now supports specifying the Ulimit key multiple times in .container files to set more than one ulimit on a container.
  • Quadlet now supports setting the Notify key to healthy in .container files, to only notify that a container has started when its health check begins passing.
  • The output of the podman inspect command for containers has changed. The Entrypoint field changes from a string to an array of strings and StopSignal from an integer to a string.
  • The podman inspect command for containers now returns nil for health checks when inspecting containers without health checks.
  • It is no longer possible to create new BoltDB databases. Attempting to do so results in an error. All new Podman installations now use the SQLite database backend. Existing BoltDB databases remain usable.
  • Support for CNI networking is gated by a build tag and is not enabled by default.
  • Podman now prints warnings when used on cgroups v1 systems. Support for cgroups v1 is deprecated and will be removed in a future release. You can set the PODMAN_IGNORE_CGROUPSV1_WARNING environment variable to suppress warnings.
  • Network statistics sent over the Docker-compatible API are now per-interface, and not aggregated, which improves Docker compatibility.
  • The default tool for rootless networking has been changed from slirp4netns to pasta for improved performance. As a result, networks named pasta are no longer supported.
  • Using multiple filters with the List Images REST API now combines the filters with AND instead of OR, improving Docker compatibility.
  • The parsing for a number of Podman CLI options which accept arrays has been changed to no longer accept string-delimited lists, and instead to require the option to be passed multiple times. These options are:

    • The --annotation option to podman manifest annotate and podman manifest add
    • The --configmap, --log-opt, and --annotation options to podman kube play
  • The --pubkeysfile option to podman image trust set

    • The --encryption-key and --decryption-key options to podman create, podman run, podman push and podman pull
    • The --env-file option to podman exec, the --bkio-weight-device, --device-read-bps, --device-write-bps, --device-read-iops, --device-write-iops, --device, --label-file, --chrootdirs, --log-opt, --env-file options to podman create and podman run
    • The --hooks-dir and --module global options
  • The podman system reset command no longer waits for running containers to stop, and instead immediately sends the SIGKILL signal.
  • The podman network inspect command now includes running containers that use the network in its output.
  • The podman compose command is now supported on other architectures in addition to AMD and Intel 64-bit architectures (x86-64-v2) and the 64-bit ARM architecture (ARMv8.0-A)..
  • The --no-trunc option to the podman kube play and podman kube generate commands has been deprecated. Podman now complies to the Kubernetes specification for annotation size, which removes the need for this option.
  • Connections from the podman system connection command and farms from the podman farm command are now written to a new configuration file called podman-connections.conf file. As a result, Podman no longer writes to the containers.conf file. Podman still respects existing connections from containers.conf.
  • Most podman farm subcommands no longer need to connect to the machines in the farm to run.
  • The podman create and podman run commands no longer require specifying an entrypoint on the command line when the container image does not define one. In this case, an empty command is passed to the OCI runtime, and the resulting behavior is runtime-specific.
  • A new API endpoint, /libpod/images/$name/resolve, has been added to resolve a potential short name to a list of fully-qualified image references Podman, which you can use to pull the image.

For more information about notable changes, see upstream release notes.

Jira:RHEL-32714

The --compat-volumes option is available for Podman and Buildah

You can use the new --compat-volumes option with the buildah build, podman build, and podman farm build commands. This option triggers special handling for the contents of directories marked using the VOLUME instruction such that their contents can subsequently only be modified by ADD and COPY instructions. Any changes made in those locations by RUN Instructions will be discarded. Previously, this behavior was the default, but it is now disabled by default.

Jira:RHEL-52239

A new rhel10-beta/rteval container image

The real-time registry.redhat.io/rhel10-beta/rteval container image is now available in the Red Hat Container Registry to run latency analysis on either a standalone RHEL installation. With rhel10-beta/rteval container image, you can perform latency testing within a containerized setup to determine if such a solution is viable for your real-time workloads or to compare results against a bare-metal run of rteval. To use this feature, subscribe to RHEL with real-time support. No tuning guidelines are provided.

Jira:RHELDOCS-18522[1]

The containers.conf file is now read-only

The system connections and farm information stored in the containers.conf file is now read-only. The system connections and farm information will now be stored in the podman.connections.json file, managed only by Podman. Podman continues to support the old configuration options such as [engine.service_destinations] and the [farms] section. You can still add connections or farms manually if needed however, it is not possible to delete a connection from the containers.conf file with the podman system connection rm command.

You can still manually edit the containers.conf file if needed. System connections that were added by Podman v4.0 remain unchanged after the upgrade to Podman v5.0.

Jira:RHEL-40637

macvlan and ipvlan network interface names are configurable in containers.conf

To specify macvlan and ipvlan networks, you can adjust the name of the network interface created inside containers by using the new interface_name field in the containers.conf configuration file.

Jira:RHELDOCS-18769[1]

bootc-image-builder now supports defining and injecting custom Kickstart files to ISO builds

With this enhancement, now you can define a Kickstart by setting users, customize partitioning, inject key, and inject the kickstart file to an ISO build to configure the installation process. The resulting disk image creates a self-contained installer that automates and deploys devices, disconnected systems, edge devices, between others. As a result, it is much easier to create customized media with bootc-image-builder.

Jira:RHELDOCS-18734[1]

Support to building GCP images by using bootc-image-builder

By using the bootc-image-builder tool you can now generate .gce disk images and provision the instances on the Google Compute Engine (GCE) platform.

Jira:RHELDOCS-18472[1]

Support to creating and deploying VMDK with bootc-image-builder

With this enhancement, now you can create a Virtual Machine Disk (VMDK) from a bootc image, by using the bootc-image-builder tool, and deploy VMDK images to VMware vSphere.

Jira:RHELDOCS-18398[1]

The podman pod inspect command now provides a JSON array regardless of the number of pods

Previously, the podman pod inspect command omitted the JSON array when inspecting a single pod. With this update, the podman pod inspect command now produces a JSON array in the output regardless of the number of pods inspected.

Jira:RHELDOCS-18770[1]

The composefs filesystem is now available

The composefs read-only filesystem is now fully supported. This is generally intended only to be used by the bootc/ostree and podman projects at the current time. With composefs, you can use these projects to create and use read-only images, share file data between images, and validate images on runtime. As a result, you have a fully verified filesystem tree mounted, with opportunistic fine-grained sharing of identical files.

Jira:RHEL-18157[1]

Red Hat logoGithubRedditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja oBlog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

© 2024 Red Hat, Inc.