From 2e9dffb10fe42d8c6d024f8b359911cb5e0d495e Mon Sep 17 00:00:00 2001
From: Andrea Waltlova
Date: Mon, 11 Nov 2024 12:44:47 +0100
Subject: [PATCH] Remove mock data files
Signed-off-by: Andrea Waltlova
---
app/data/8.0.html | 12755 ---------------
app/data/8.1.html | 11706 --------------
app/data/8.10.html | 20315 ------------------------
app/data/8.2.html | 14002 -----------------
app/data/8.3.html | 16212 -------------------
app/data/8.4.html | 18113 ---------------------
app/data/8.5.html | 19046 -----------------------
app/data/8.6.html | 18706 ----------------------
app/data/8.7.html | 21000 -------------------------
app/data/8.8.html | 21323 -------------------------
app/data/8.9.html | 21622 --------------------------
app/data/9.0.html | 16600 --------------------
app/data/9.1.html | 16304 -------------------
app/data/9.2.html | 19545 -----------------------
app/data/9.3.html | 22462 ---------------------------
app/services/fetch_graphql_data.py | 70 -
16 files changed, 269781 deletions(-)
delete mode 100644 app/data/8.0.html
delete mode 100644 app/data/8.1.html
delete mode 100644 app/data/8.10.html
delete mode 100644 app/data/8.2.html
delete mode 100644 app/data/8.3.html
delete mode 100644 app/data/8.4.html
delete mode 100644 app/data/8.5.html
delete mode 100644 app/data/8.6.html
delete mode 100644 app/data/8.7.html
delete mode 100644 app/data/8.8.html
delete mode 100644 app/data/8.9.html
delete mode 100644 app/data/9.0.html
delete mode 100644 app/data/9.1.html
delete mode 100644 app/data/9.2.html
delete mode 100644 app/data/9.3.html
delete mode 100644 app/services/fetch_graphql_data.py
diff --git a/app/data/8.0.html b/app/data/8.0.html
deleted file mode 100644
index 9cfd689..0000000
--- a/app/data/8.0.html
+++ /dev/null
@@ -1,12755 +0,0 @@ - -
-
-
-
Red Hat Enterprise Linux 8.0
-
-

Release Notes for Red Hat Enterprise Linux 8.0

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.0 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionalities, and - other details. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your input on our documentation. Please let us know how we could make it better. To do so: -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-

- Based on Fedora 28 and the upstream kernel 4.18, Red Hat Enterprise Linux 8.0 provides users with a - stable, secure, consistent foundation across hybrid cloud deployments with the tools needed to support - traditional and emerging workloads. Highlights of the release include: -

-

Distribution

-
-
    -
  • - Content is available through the BaseOS and - Application Stream (AppStream) repositories. -
  • -
  • - The AppStream repository supports a new - extension of the traditional RPM format - modules. This - allows for multiple major versions of a component to be available for install. -
  • -
-
-

- See Chapter 3, Distribution of content in RHEL - 8 for more information. -

-

Software Management

-
-
    -
  • - The YUM package manager is now based on the - DNF technology and it provides support for - modular content, increased performance, and a well-designed stable API for integration with - tooling. -
  • -
-
-

- See Section 5.1.4, - “Software management” for more details. -

-

Shells and command-line tools

-
-
    -
  • - RHEL 8 provides the following version control - systems: Git 2.18, Mercurial 4.8, and Subversion 1.10. -
  • -
-
-

- See Section 5.1.6, “Shells and command-line tools” for - details. -

-

Dynamic programming languages, web and - database servers

-
-
    -
  • - Python 3.6 is the default Python implementation in RHEL 8; limited - support for Python 2.7 is provided. No version of Python is - installed by default. -
  • -
  • - Node.js is new in RHEL. Other dynamic programming languages have been - updated since RHEL 7: PHP 7.2, Ruby 2.5, Perl 5.26, SWIG 3.0 are now available. -
  • -
  • - The following database servers are - distributed with RHEL 8: MariaDB 10.3, MySQL 8.0, PostgreSQL 10, PostgreSQL 9.6, and Redis 5. -
  • -
  • - RHEL 8 provides the Apache HTTP Server 2.4 and introduces a new - web server, nginx 1.14. -
  • -
  • - Squid has been updated to version 4.4, and a new proxy caching server is now included: Varnish Cache 6.0. -
  • -
-
-

- See Section 5.1.7, “Dynamic - programming languages, web and database servers” for more information. -

-

Desktop

-
-
    -
  • - GNOME Shell has been rebased to version - 3.28. -
  • -
  • - The GNOME session and the GNOME Display Manager use Wayland as their default display server. The - X.Org server, which is the default display - server in RHEL 7, is available as well. -
  • -
-
-

- See Section 5.1.8, “Desktop” for more - information. -

-

Installer and image creation

-
-
    -
  • - The Anaconda installer can utilize LUKS2 disk encryption, and install the system - on NVDIMM devices. -
  • -
  • - The Image Builder tool enables users to - create customized system images in a variety of formats, including images prepared for - deployment on clouds of various providers. -
  • -
  • - Installation from a DVD using Hardware Management Console (HMC) and Support Element (SE) on IBM - Z are available in RHEL 8. -
  • -
-
-

- See Section 5.1.2, “Installer and image creation” for - further details. -

-

Kernel

-
-
    -
  • - The extended Berkeley Packet Filtering (eBPF) feature enables the user space to attach - custom programs onto a variety of points (sockets, trace points, packet reception) to receive - and process data. This feature is available as a Technology - Preview. -
  • -
  • - BPF Compiler Collection (BCC), a tool for - creating efficient kernel tracing and manipulation programs, is available as a Technology Preview. -
  • -
-
-

- See Section 5.3.1, “Kernel” - for more information. -

-

File systems and storage

-
-
    -
  • - The LUKS version 2 (LUKS2) format replaces - the legacy LUKS (LUKS1) format. The dm-crypt subsystem and the - cryptsetup tool now uses LUKS2 as the default format for encrypted - volumes. -
  • -
-
-

- See Section 5.1.12, - “File systems and storage” for more information. -

-

Security

-
-
    -
  • - System-wide cryptographic policies, which - configures the core cryptographic subsystems, covering the TLS, IPsec, SSH, DNSSEC, and Kerberos - protocols, are applied by default. With the new update-crypto-policies command, the administrator can easily switch - between modes: default, legacy, future, and fips. -
  • -
  • - Support for smart cards and Hardware - Security Modules (HSM) with PKCS #11 is now consistent across the system. -
  • -
-
-

- See Section 5.1.15, “Security” for more - information. -

-

Networking

-
-
    -
  • - The nftables framework replaces iptables in the role of the default network packet filtering - facility. -
  • -
  • - The firewalld daemon now uses nftables - as its default backend. -
  • -
  • - Support for IPVLAN virtual network drivers - that enable the network connectivity for multiple containers has been introduced. -
  • -
  • - The eXpress Data Path (XDP), XDP for Traffic - Control (tc), and Address Family eXpress - Data Path (AF_XDP), as parts of the extended - Berkeley Packet Filtering (eBPF) feature, - are available as Technology Previews. For - more details, see Section 5.3.7, “Networking” in Technology Previews. -
  • -
-
-

- See Section 5.1.14, “Networking” in - New features for additional features. -

-

Virtualization

-
-
    -
  • - A more modern PCI Express-based machine type (Q35) is now supported and automatically - configured in virtual machines created in RHEL 8. This provides a variety of improvements in - features and compatibility of virtual devices. -
  • -
  • - Virtual machines can now be created and managed using the RHEL 8 web console, also known as - Cockpit. -
  • -
  • - The QEMU emulator introduces the sandboxing feature, which provides - configurable limitations to what systems calls QEMU can perform, and thus makes virtual machines - more secure. -
  • -
-
-

- See Section 5.1.16, - “Virtualization” for more information. -

-

Compilers and development tools

-
-
    -
  • - The GCC compiler based on version 8.2 brings - support for more recent C++ language standard versions, better optimizations, new code hardening - techniques, improved warnings, and new hardware features. -
  • -
  • - Various tools for code generation, manipulation, and debugging can now experimentally handle the - DWARF5 debugging information format. -
  • -
  • - Kernel support for eBPF tracing is available - for some tools, such as BCC, PCP, and - SystemTap. -
  • -
  • - The glibc libraries based on version 2.28 add support for Unicode - 11, newer Linux system calls, key improvements in the DNS stub resolver, additional security - hardening, and improved performance. -
  • -
  • - RHEL 8 provides OpenJDK 11, OpenJDK 8, IcedTea-Web, and various Java tools, such as Ant, Maven, or Scala. -
  • -
-
-

- See Section 5.1.11, “Compilers and development - tools” for additional details. -

-

High availability and clusters

-
-
    -
  • - The Pacemaker cluster resource manager has - been upgraded to upstream version 2.0.0, which provides a number of bug fixes and enhancements. -
  • -
  • - In RHEL 8, the pcs configuration system - fully supports Corosync 3, knet, and node names. -
  • -
-
-

- See Section 5.1.13, “High availability and clusters” - for more information. -

-

Additional resources

-
- -
-

Red Hat Customer Portal Labs

-

- Red Hat Customer Portal Labs is a set of tools in a - section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.0 is distributed with the kernel version 4.18.0-80, which provides support - for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Binary DVD ISO image is larger than 4.7 GB, and as a result, it might not - fit on a single-layer DVD. A dual-layer DVD or USB key is recommended when using - the Binary DVD ISO image to create bootable installation media. You can also use - the Image Builder tool to create customized RHEL images. For more information - about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced 8 RHEL installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of user - space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 4. RHEL 8.0.1 release

-
-
-
-
-
-
-
-

4.1. New features

-
-
-
-
-

RHEL system roles updated

-

- The rhel-system-roles packages, which provide a configuration - interface for RHEL subsystems, have been updated. Notable changes include: -

-
-
-
    -
  • - Handling of absent profiles in the network role has been - improved. When deleting an existing NetworkManager on-disk profile configuration by setting - the persistent state to absent, only the persistent - configuration for the profile is now removed, and the current runtime configuration remains - unchanged. As a result, the corresponding network device is no longer brought down in the - described situation. -
  • -
  • -

    - Specifying a Maximum Transmission Unit (MTU) size for VLAN and MACVLAN interfaces in the - network role has been fixed. As a result, setting MTU size - on VLAN and MACVLAN interfaces using the network role no - longer fails with the following error message: -

    -
    failure: created connection failed to normalize: nm-connection-error-quark:
    -connection.type: property is missing (6)
    -
  • -
  • - The selinux and timesync roles now - include all their documented input variables in their defaults files (defaults/main.yml). This makes it easy to determine what input - variables are supported by the roles by examining the content of their respective defaults - files. -
  • -
  • - The kdump and timesync roles have - been fixed to not fail in check mode. -
  • -
-
-

- (BZ#1685902, BZ#1674004, BZ#1685904) -

-
-

sos-collector rebased to version 1.7 -

-

- The sos-collector packages have been updated to version 1.7 in RHEL - 8.0.1. Notable changes include: -

-
-
-
    -
  • - sos-collector can now collect sosreports from Red Hat - Enterprise Linux CoreOS (RHCOS) nodes in the same way as from regular RHEL nodes. Users do - not need to make any changes to the way they run sos-collector. - Identification of when a node is RHCOS or RHEL is automatic. -
  • -
  • - When collecting from RHCOS nodes, sos-collector will create a - temporary container on the node and use the support-tools - container to generate a sosreport. This container will be removed after completion. -
  • -
  • - Using the --cluster-type=none option allows users to skip all - cluster-related checks or modifications to the sosreport - command that gets run on the nodes, and simply collect from a static list of nodes passed - through the --nodes parameter. -
  • -
  • - Red Hat Satellite is now a supported cluster type to allow collecting sosreports from the - Satellite and any Capsules. -
  • -
-
-

- (BZ#1695764) -

-
-

Upgraded compiler toolsets

-

- The following compiler toolsets, distributed as Application Streams, have been upgraded with - RHEL 8.0.1: -

-
-
-
    -
  • - Rust Toolset, which provides the Rust programming language compiler rustc, the cargo build tool and - dependency manager, and required libraries, to version 1.35 -
  • -
  • - Go Toolset, which provides the Go (golang) programming language - tools and libraries, to version 1.11.6. -
  • -
-
-

- (BZ#1731500) -

-
-

Enabling and disabling SMT

-

- Simultaneous Multi-Threading (SMT) configuration is now available in RHEL 8. Disabling SMT in - the web console allows you to mitigate a class of CPU security vulnerabilities such as: -

-
- -

- (BZ#1713186) -

-
-
-
-
-
-

4.2. Known issues

-
-
-
-
-

Performance deterioration in IPSec tunnels

-

- Using the aes256_sha2 or the aes-gcm256 IPSec cipher set in RHEL 8.0.1 has a negative performance - impact on IPSec tunnels. Users with specific VPN settings will experience 10% performance - deterioration for IPSec tunnels. This regression is not caused by Microarchitectural Data - Sampling (MDS) mitigations; it can be observed with the mitigations both on and off. -

-
-

- (BZ#1731362) -

-
-
-
-
-
-
-

Chapter 5. RHEL 8.0.0 release

-
-
-
-
-
-
-
-

5.1. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8. -

-
-
-
-
-

5.1.1. The web console

-
-
-
-
-
Note
-
-

- The web console’s Subscriptions page is now provided by the new subscription-manager-cockpit package. -

-
-
-
-

A firewall interface has been added to the web console

-

- The Networking page in the RHEL 8 web - console now includes a Firewall section. - In this section, users can enable or disable the firewall, as well as add, remove, and - modify firewall rules. -

-
-

- (BZ#1647110) -

-
-

The web console is now available by default

-

- Packages for the RHEL 8 web console, also known as Cockpit, are now part of Red Hat - Enterprise Linux default repositories, and can therefore be immediately installed on a - registered RHEL 8 system. -

-
-

- In addition, on a non-minimal installation of RHEL 8, the web console is automatically installed - and firewall ports required by the console are automatically open. A system message has also - been added prior to login that provides information about how to enable or access the web - console. -

-

- (JIRA:RHELPLAN-10355) -

-
-

Better IdM integration for the web console

-

- If your system is enrolled in an Identity Management (IdM) domain, the RHEL 8 web console - now uses the domain’s centrally managed IdM resources by default. This includes the - following benefits: -

-
-
-
    -
  • - The IdM domain’s administrators can use the web console to manage the local machine. -
  • -
  • - The console’s web server automatically switches to a certificate issued by the IdM - certificate authority (CA) and accepted by browsers. -
  • -
  • - Users with a Kerberos ticket in the IdM domain do not need to provide login credentials - to access the web console. -
  • -
  • - SSH hosts known to the IdM domain are accessible to the web console without manually - adding an SSH connection. -
  • -
-
-

- Note that for IdM integration with the web console to work properly, the user first needs to run - the ipa-advise utility with the enable-admins-sudo option in the IdM master system. -

-

- (JIRA:RHELPLAN-3010) -

-
-

The web console is now compatible with mobile browsers

-

- With this update, the web console menus and pages can be navigated on mobile browser - variants. This makes it possible to manage systems using the RHEL 8 web console from a - mobile device. -

-
-

- (JIRA:RHELPLAN-10352) -

-
-

The web console front page now displays missing updates and - subscriptions

-

- If a system managed by the RHEL 8 web console has outdated packages or a lapsed - subscription, a warning is now displayed on the web console front page of the system. -

-
-

- (JIRA:RHELPLAN-10353) -

-
-

The web console now supports PBD enrollment

-

- With this update, you can use the the RHEL 8 web console interface to apply Policy-Based - Decryption (PBD) rules to disks on managed systems. This uses the Clevis decryption client - to facilitate a variety of security management functions in the web console, such as - automatic unlocking of LUKS-encrypted disk partitions. -

-
-

- (JIRA:RHELPLAN-10354) -

-
-

Virtual Machines can now be managed using the web console

-

- The Virtual Machines page can now be added to the RHEL 8 web - console interface, which enables the user to create and manage libvirt-based virtual - machines. -

-
-

- (JIRA:RHELPLAN-2896) -

-
-
-
-
-
-

5.1.2. Installer and image creation

-
-
-
-
-

Installing RHEL from a DVD using SE and HMC is now fully supported on IBM - Z

-

- The installation of Red Hat Enterprise Linux 8 on IBM Z hardware from a DVD using the Support Element (SE) and Hardware Management Console (HMC) is now - fully supported. This addition simplifies the installation process on IBM Z with SE and HMC. -

-
-

- When booting from a binary DVD, the installer prompts the user to enter additional kernel - parameters. To set the DVD as an installation source, append inst.repo=hmc to the kernel parameters. The installer then enables - SE and HMC file access, fetches the images for stage2 - from the DVD, and provides access to the packages on the DVD for software selection. -

-

- The new feature eliminates the requirement of an external network setup and expands the - installation options. -

-

- (BZ#1500792) -

-
-

Installer now supports the LUKS2 disk encryption format

-

- Red Hat Enterprise Linux 8 installer now uses the LUKS2 format by default but you can select - a LUKS version from Anaconda’s Custom - Partitioning window or by using the new options in Kickstart’s autopart, logvol, part, and RAID commands. -

-
-

- LUKS2 provides many improvements and features, for example, it extends the capabilities of the - on-disk format and provides flexible ways of storing metadata. -

-

- (BZ#1547908) -

-
-

Anaconda supports - System Purpose in RHEL 8

-

- Previously, Anaconda did not provide - system purpose information to Subscription - Manager. In Red Hat Enterprise Linux 8.0, you can set the intended - purpose of the system during installation by using Anaconda’s System Purpose window or Kickstart’s syspurpose command. When the installation completes, Subscription Manager uses the system - purpose information when subscribing the system. -

-
-

- (BZ#1612060) -

-
-

Pykickstart supports System Purpose in - RHEL 8

-

- Previously, it was not possible for the pykickstart library to - provide system purpose information to Subscription - Manager. In Red Hat Enterprise Linux 8.0, pykickstart parses the new syspurpose command and records the intended purpose of the system - during automated and partially-automated installation. The information is then passed to - Anaconda, saved on the newly-installed - system, and available for Subscription - Manager when subscribing the system. -

-
-

- (BZ#1612061) -

-
-

Anaconda supports a - new kernel boot parameter in RHEL 8

-

- Previously, you could only specify a base repository from the kernel boot parameters. In Red - Hat Enterprise Linux 8, a new kernel parameter, inst.addrepo=<name>,<url>, allows you to specify an - additional repository during installation. -

-
-

- This parameter has two mandatory values: the name of the repository and the URL that points to - the repository. For more information, see https://anaconda-installer.readthedocs.io/en/latest/boot-options.html#inst-addrepo -

-

- (BZ#1595415) -

-
-

Anaconda supports a - unified ISO in RHEL 8

-

- In Red Hat Enterprise Linux 8.0, a unified ISO automatically loads the BaseOS and AppStream - installation source repositories. -

-
-

- This feature works for the first base repository that is loaded during installation. For - example, if you boot the installation with no repository configured and have the unified ISO as - the base repository in the GUI, or if you boot the installation using the inst.repo= option that points to the unified ISO. As a result, the - AppStream repository is enabled under the Additional - Repositories section of the Installation Source GUI window. You cannot - remove the AppStream repository or change its settings but you can disable it in Installation Source. This feature does not - work if you boot the installation using a different base repository and then change it to the - unified ISO. If you do that, the base repository is replaced. However, the AppStream repository - is not replaced and points to the original file. -

-

- (BZ#1610806) -

-
-

Anaconda can install modular packages in Kickstart scripts

-

- The Anaconda installer has been extended to handle all features related to application - streams: modules, streams and profiles. Kickstart scripts can now enable module and stream - combinations, install module profiles, and install modular packages. For more information, - see Performing - an advanced RHEL installation. -

-
-

- (JIRA:RHELPLAN-1943) -

-
-

The nosmt boot option is now available in - the RHEL 8 installation options

-

- The nosmt boot option is available in the installation options - that are passed to a newly-installed RHEL 8 system. -

-
-

- (BZ#1677411) -

-
-

RHEL 8 supports installing from a repository on a local hard - drive

-

- Previously, installing RHEL from a hard drive required an ISO image as the installation - source. However, the RHEL 8 ISO image might be too large for some file systems; for example, - the FAT32 file system cannot store files larger than 4 GiB. -

-
-

- In RHEL 8, you can enable installation from a repository on a local hard drive. You only need to - specify the directory instead of the ISO image. For - example:`inst.repo=hd:<device>:<path to the repository>` -

-

- (BZ#1502323) -

-
-

Custom system image creation with Image Builder is available in RHEL - 8

-

- The Image Builder tool enables users to create customized RHEL images. Image Builder is - available in AppStream in the lorax-composer package. -

-
-

- With Image Builder, users can create custom system images which include additional packages. - Image Builder functionality can be accessed through: -

-
-
    -
  • - a graphical user interface in the web console -
  • -
  • - a command line interface in the composer-cli tool. -
  • -
-
-

- Image Builder output formats include, among others: -

-
-
    -
  • - live ISO disk image -
  • -
  • - qcow2 file for direct use with a virtual machine or OpenStack -
  • -
  • - file system image file -
  • -
  • - cloud images for Azure, VMWare and AWS -
  • -
-
-

- To learn more about Image Builder, see the documentation title Composing - a customized RHEL system image. -

-

- (JIRA:RHELPLAN-7291, BZ#1628645, BZ#1628646, BZ#1628647, BZ#1628648) -

-
-

Added new kickstart commands: authselect - and modules

-

- With this release, the following kickstart commands are added: -

-
-
-
    -
  • - authselect: Use the authselect - command to set up the system authentication options during installation. You can use - authselect as a replacement for deprecated auth or authconfig Kickstart - commands. For more information, see the authselect section - in the Performing - an advanced installation guide. -
  • -
  • - module: Use the module command - to enable a package module stream within the kickstart script. For more information, see - the module section in the Performing - an advanced installation guide. -
  • -
-
-

- (BZ#1972210) -

-
-
-
-
-
-

5.1.3. Kernel

-
-
-
-
-

Kernel version in RHEL 8.0

-

- Red Hat Enterprise Linux 8.0 is distributed with the kernel version 4.18.0-80. -

-
-

- (BZ#1797671) -

-
-

ARM 52-bit physical addressing is now available

-

- With this update, support for 52-bit physical addressing (PA) for the 64-bit ARM - architecture is available. This provides larger address space than previous 48-bit PA. -

-
-

- (BZ#1643522) -

-
-

The IOMMU code supports 5-level page tables in RHEL 8

-

- The I/O memory management unit (IOMMU) code in the Linux kernel has been updated to support - 5-level page tables in Red Hat Enterprise Linux 8. -

-
-

- (BZ#1485546) -

-
-

Support for 5-level paging

-

- New P4d_t software page table type has been added into the - Linux kernel in order to support 5-level paging in Red Hat Enterprise Linux 8. -

-
-

- (BZ#1485532) -

-
-

Memory management supports 5-level page tables

-

- With Red Hat Enterprise Linux 7, existing memory bus had 48/46 bit of virtual/physical - memory addressing capacity, and the Linux kernel implemented 4 levels of page tables to - manage these virtual addresses to physical addresses. The physical bus addressing line put - the physical memory upper limit capacity at 64 TB. -

-
-

- These limits have been extended to 57/52 bit of virtual/physical memory addressing with 128 PiB - of virtual address space and 4 PB of physical memory capacity. -

-

- With the extended address range, the memory management in Red Hat Enterprise Linux 8 adds - support for 5-level page table implementation, to be able to handle the expanded address range. -

-

- (BZ#1485525) -

-
-

kernel-signing-ca.cer is moved to kernel-core in RHEL 8

-

- In all versions of Red Hat Enterprise Linux 7, the kernel-signing-ca.cer public key was located in the kernel-doc package. However, in Red Hat Enterprise Linux 8, kernel-signing-ca.cer has been relocated to the kernel-core package for every architecture. -

-
-

- (BZ#1638465) -

-
-

Spectre V2 mitigation default changed from IBRS to Retpolines -

-

- The default mitigation for the Spectre V2 vulnerability (CVE-2017-5715) for systems with the - 6th Generation Intel Core Processors and its close derivatives [1] has changed from Indirect - Branch Restricted Speculation (IBRS) to Retpolines in Red Hat Enterprise Linux 8. Red Hat - has implemented this change as a result of Intel’s recommendations to align with the - defaults used in the Linux community and to restore lost performance. However, note that - using Retpolines in some cases may not fully mitigate Spectre V2. Intel’s Retpoline document - [2] describes any cases of exposure. This document also states that the risk of an attack is - low. -

-
-

- For use cases where complete Spectre V2 mitigation is desired, a user can select IBRS through - the kernel boot line by adding the spectre_v2=ibrs flag. -

-

- If one or more kernel modules were not built with the Retpoline support, the /sys/devices/system/cpu/vulnerabilities/spectre_v2 file will indicate - vulnerability and the /var/log/messages file will identify the - offending modules. See How to - determine which modules are responsible for spectre_v2 returning "Vulnerable: Retpoline with - unsafe module(s)"? for further information. -

-

- [1] "6th generation Intel Core Processors and its close derivatives" are what the Intel’s - Retpolines document refers to as "Skylake-generation". -

-

- [2] Retpoline: - A Branch Target Injection Mitigation - White Paper -

-

- (BZ#1651806) -

-
-

Intel® Omni-Path Architecture (OPA) Host Software

-

- Intel Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise - Linux 8. -

-
-

- Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high - performance data transfers (high bandwidth, high message rate, low latency) between compute and - I/O nodes in a clustered environment. -

-

- For instructions on installing Intel Omni-Path Architecture documentation, see: https://www.intel.com/content/dam/support/us/en/documents/network-and-i-o/fabric-products/Intel_OP_Software_RHEL_8_RN_K51383.pdf -

-

- (BZ#1683712) -

-
-

NUMA supports more nodes in RHEL 8

-

- With this update, the Non-Uniform Memory Access (NUMA) node count has been increased from 4 - NUMA nodes to 8 NUMA nodes in Red Hat Enterprise Linux 8 on systems with the 64-bit ARM - architecture. -

-
-

- (BZ#1550498) -

-
-

IOMMU passthrough is now enabled by default in RHEL 8

-

- The Input/Output Memory Management Unit (IOMMU) passthrough has been enabled by default. - This provides improved performance for AMD systems because Direct Memory Access (DMA) - remapping is disabled for the host. This update brings consistency with Intel systems where - DMA remapping is also disabled by default. Users may disable such behavior (and enable DMA - remapping) by specifying either iommu.passthrough=off or iommu=nopt parameters on the kernel command line, including the - hypervisor. -

-
-

- (BZ#1658391) -

-
-

RHEL8 kernel now supports 5-level page tables

-

- Red Hat Enterprise Linux kernel now fully supports future Intel processors with up to 5 - levels of page tables. This enables the processors to support up to 4PB of physical memory - and 128PB of virtual address space. Applications that utilize large amounts of memory can - now use as much memory as possible as provided by the system without the constraints of - 4-level page tables. -

-
-

- (BZ#1623590) -

-
-

RHEL8 kernel supports enhanced IBRS for future Intel CPUs

-

- Red Hat Enterprise Linux kernel now supports the use of enhanced Indirect Branch Restricted - Speculation (IBRS) capability to mitigate the Spectre V2 vulnerability. When enabled, IBRS - will perform better than Retpolines (default) to mitigate Spectre V2 and will not interfere - with Intel Control-flow Enforcement technology. As a result, the performance penalty of - enabling the mitigation for Spectre V2 will be smaller on future Intel CPUs. -

-
-

- (BZ#1614144) -

-
-

bpftool for inspection and manipulation of - eBPF-based programs and maps added

-

- The bpftool utility that serves for inspection and simple - manipulation of programs and maps based on extended Berkeley Packet Filtering (eBPF) has - been added into the Linux kernel. bpftool is a part of the - kernel source tree, and is provided by the bpftool package, which is included as a - sub-package of the kernel package. -

-
-

- (BZ#1559607) -

-
-

The kernel-rt sources have been - updated

-

- The kernel-rt sources have been updated to use the latest RHEL - kernel source tree. The latest kernel source tree is now using the upstream v4.18 realtime - patch set, which provides a number of bug fixes and enhancements over the previous version. -

-
-

- (BZ#1592977) -

-
-
-
-
-
-

5.1.4. Software management

-
-
-
-
-

YUM performance - improvement and support for modular content

-

- On Red Hat Enterprise Linux 8, installing software is ensured by the new version of the - YUM tool, which is based on the DNF technology (YUM v4). -

-
-

- YUM v4 has the following advantages over the - previous YUM v3 used on RHEL 7: -

-
-
    -
  • - Increased performance -
  • -
  • - Support for modular content -
  • -
  • - Well-designed stable API for integration with tooling -
  • -
-
-

- For detailed information about differences between the new YUM v4 tool and the previous version YUM v3 from RHEL 7, see Changes in DNF CLI compared to - YUM. -

-

- YUM v4 is compatible with YUM v3 when using from the command line, - editing or creating configuration files. -

-

- For installing software, you can use the yum command and its - particular options in the same way as on RHEL 7. -

-

- Selected yum plug-ins and utilities have been ported to the new DNF back end, and can be - installed under the same names as in RHEL 7. They also provide compatibility symlinks, so the - binaries, configuration files and directories can be found in usual locations. -

-

- Note that the legacy Python API provided by YUM - v3 is no longer available. Users are advised to migrate their plug-ins - and scripts to the new API provided by YUM - v4 (DNF Python API), which is stable and fully supported. The DNF Python - API is available at DNF API - Reference. -

-

- The Libdnf and Hawkey APIs (both C and Python) are unstable, and will likely change during Red - Hat Enterprise Linux 8 life cycle. -

-

- For more details on changes of YUM packages - and tools availability, see Considerations - in adopting RHEL 8. -

-

- Some of the YUM v3 features may behave - differently in YUM v4. If any such change - negatively impacts your workflows, please open a case with Red Hat Support, as described in How do I open and manage a - support case on the Customer Portal? -

-

- (BZ#1581198) -

-
-

Notable RPM features in RHEL 8

-

- Red Hat Enterprise Linux 8 is distributed with RPM 4.14. This version introduces many - enhancements over RPM 4.11, which is available in RHEL 7. The most notable features include: -

-
-
-
    -
  • - The debuginfo packages can be installed in parallel -
  • -
  • - Support for weak dependencies -
  • -
  • - Support for rich or boolean dependencies -
  • -
  • - Support for packaging files above 4 GB in size -
  • -
  • - Support for file triggers -
  • -
-
-

- Also, the most notable changes include: -

-
-
    -
  • - Stricter spec-parser -
  • -
  • - Simplified signature checking the output in non-verbose mode -
  • -
  • - Additions and deprecation in macros -
  • -
-
-

- (BZ#1581990) -

-
-

RPM now validates - the entire package contents before starting an installation

-

- On Red Hat Enterprise Linux 7, the RPM - utility verified payload contents of individual files while unpacking. However, this is - insufficient for multiple reasons: -

-
-
-
    -
  • - If the payload is damaged, it is only noticed after executing script actions, which are - irreversible. -
  • -
  • - If the payload is damaged, upgrade of a package aborts after replacing some files of the - previous version, which breaks a working installation. -
  • -
  • - The hashes on individual files are performed on uncompressed data, which makes RPM vulnerable to decompressor - vulnerabilities. -
  • -
-
-

- On Red Hat Enterprise Linux 8, the entire package is validated prior to the installation in a - separate step, using the best available hash. -

-

- Packages built on Red Hat Enterprise Linux 8 use a new SHA-256 hash - on the compressed payload. On signed packages, the payload hash is additionally protected by the - signature, and thus cannot be altered without breaking a signature and other hashes on the - package header. Older packages use the MD5 hash of the header and - payload unless it is disabled by configuration. -

-

- The %_pkgverify_level macro can be used to additionally enable - enforcing signature verification before installation or disable the payload verification - completely. In addition, the %_pkgverify_flags macro can be used to - limit which hashes and signatures are allowed. For example, it is possible to disable the use of - the weak MD5 hash at the cost of compatibility with older packages. -

-

- (JIRA:RHELPLAN-10596) -

-
-
-
-
-
-

5.1.5. Infrastructure services

-
-
-
-
-

Notable changes in the recommended Tuned profile in RHEL 8

-

- With this update, the recommended Tuned profile (reported by the tuned-adm recommend command) is now selected based on the - following rules - the first rule that matches takes effect: -

-
-
-
    -
  • -

    - If the syspurpose role (reported by the syspurpose show command) contains atomic, and at the same time: -

    -
    -
      -
    • - if Tuned is running on bare metal, the atomic-host profile is selected -
    • -
    • - if Tuned is running in a virtual machine, the atomic-guest profile is selected -
    • -
    -
    -
  • -
  • - If Tuned is running in a virtual machine, the virtual-guest - profile is selected -
  • -
  • - If the syspurpose role contains desktop or workstation and the - chassis type (reported by dmidecode) is Notebook, Laptop, or Portable, then the balanced - profile is selected -
  • -
  • - If none of the above rules matches, the throughput-performance profile is selected -
  • -
-
-

- (BZ#1565598) -

-
-

Files produced by named can be written in the working - directory

-

- Previously, the named daemon stored some - data in the working directory, which has been read-only in Red Hat Enterprise Linux. With - this update, paths have been changed for selected files into subdirectories, where writing - is allowed. Now, default directory Unix and SELinux permissions allow writing into the - directory. Files distributed inside the directory are still read-only to named. -

-
-

- (BZ#1588592) -

-
-

Geolite Databases have been replaced by Geolite2 Databases

-

- Geolite Databases that were present in Red Hat Enterprise Linux 7 were replaced by Geolite2 - Databases on Red Hat Enterprise Linux 8. -

-
-

- Geolite Databases were provided by the GeoIP package. This package - together with the legacy database is no longer supported in the upstream. -

-

- Geolite2 Databases are provided by multiple packages. The libmaxminddb package includes the library and the mmdblookup command line tool, which enables manual searching of - addresses. The geoipupdate binary from the legacy GeoIP package is now provided by the geoipupdate package, and is capable of downloading both legacy - databases and the new Geolite2 databases. -

-

- (JIRA:RHELPLAN-6746) -

-
-

CUPS logs are handled by journald

-

- In RHEL 8, the CUPS logs are no longer stored in specific files within the /var/log/cups directory, which was used in RHEL 7. In RHEL 8, all - types of CUPS logs are centrally-logged in the systemd journald - daemon together with logs from other programs. To access the CUPS logs, use the journalctl -u cups command. For more information, see Accessing - the CUPS logs in the systemd journal. -

-
-

- (JIRA:RHELPLAN-12764) -

-
-

Notable BIND features in RHEL 8

-

- RHEL 8 includes BIND (Berkeley Internet Name Domain) in version 9.11. This version of the - DNS server introduces multiple new features and feature changes compared to version 9.10. -

-
-

- New features: -

-
-
    -
  • - A new method of provisioning secondary servers called Catalog Zones has been added. -
  • -
  • - Domain Name System Cookies are now sent by the named - service and the dig utility. -
  • -
  • - The Response Rate Limiting feature - can now help with mitigation of DNS amplification attacks. -
  • -
  • - Performance of response-policy zone (RPZ) has been improved. -
  • -
  • - A new zone file format called map has been added. Zone data - stored in this format can be mapped directly into memory, which enables zones to load - significantly faster. -
  • -
  • - A new tool called delv (domain entity lookup and - validation) has been added, with dig-like semantics for looking up DNS data and - performing internal DNS Security Extensions (DNSSEC) validation. -
  • -
  • - A new mdig command is now available. This command is a - version of the`dig` command that sends multiple pipelined queries and then waits for - responses, instead of sending one query and waiting for the response before sending the - next query. -
  • -
  • - A new prefetch option, which improves the recursive - resolver performance, has been added. -
  • -
  • - A new in-view zone option, which allows zone data to be - shared between views, has been added. When this option is used, multiple views can serve - the same zones authoritatively without storing multiple copies in memory. -
  • -
  • - A new max-zone-ttl option, which enforces maximum TTLs for - zones, has been added. When a zone containing a higher TTL is loaded, the load fails. - Dynamic DNS (DDNS) updates with higher TTLs are accepted but the TTL is truncated. -
  • -
  • - New quotas have been added to limit queries that are sent by recursive resolvers to - authoritative servers experiencing denial-of-service attacks. -
  • -
  • - The nslookup utility now looks up both IPv6 and IPv4 - addresses by default. -
  • -
  • - The named service now checks whether other name server - processes are running before starting up. -
  • -
  • - When loading a signed zone, named now checks whether a - Resource Record Signature’s (RSIG) inception time is in the future, and if so, it - regenerates the RRSIG immediately. -
  • -
  • - Zone transfers now use smaller message sizes to improve message compression, which - reduces network usage. -
  • -
-
-

- Feature changes: -

-
-
    -
  • - The version 3 XML schema for the statistics channel, - including new statistics and a flattened XML tree for faster parsing, is provided by the - HTTP interface. The legacy version 2 XML schema is no - longer supported. -
  • -
  • - The named service now listens on both IPv6 and IPv4 - interfaces by default. -
  • -
  • - The named service no longer supports GeoIP. Access control - lists (ACLs) defined by presumed location of query sender are unavailable. -
  • -
-
-

- (JIRA:RHELPLAN-1820) -

-
-
-
-
-
-

5.1.6. Shells and command-line tools

-
-
-
-
-

The nobody user replaces nfsnobody

-

- In Red Hat Enterprise Linux 7, there was: -

-
-
-
    -
  • - the nobody user and group pair with the ID of 99, and -
  • -
  • - the nfsnobody user and group pair with the ID of 65534, - which is the default kernel overflow ID, too. -
  • -
-
-

- Both of these have been merged into the nobody user and group pair, - which uses the 65534 ID in Red Hat Enterprise Linux 8. New installations no longer create the - nfsnobody pair. -

-

- This change reduces the confusion about files that are owned by nobody but have nothing to do with NFS. -

-

- (BZ#1591969) -

-
-

Version control systems in RHEL 8

-

- RHEL 8 provides the following version control systems: -

-
-
-
    -
  • - Git 2.18, a distributed revision control system with a - decentralized architecture. -
  • -
  • - Mercurial 4.8, a lightweight distributed version control - system, designed for efficient handling of large projects. -
  • -
  • - Subversion 1.10, a centralized version control system. -
  • -
-
-

- Note that the Concurrent Versions System (CVS) and Revision Control System (RCS), available in - RHEL 7, are not distributed with RHEL 8. -

-

- (BZ#1693775) -

-
-

Notable changes in Subversion 1.10

-

- Subversion 1.10 introduces a number of new features since the - version 1.7 distributed in RHEL 7, as well as the following compatibility changes: -

-
-
-
    -
  • - Due to incompatibilities in the Subversion libraries used - for supporting language bindings, Python 3 bindings for - Subversion 1.10 are unavailable. As a consequence, - applications that require Python bindings for Subversion are unsupported. -
  • -
  • - Repositories based on Berkeley DB are no longer supported. - Before migrating, back up repositories created with Subversion 1.7 by using the svnadmin dump command. After installing RHEL 8, restore the - repositories using the svnadmin load command. -
  • -
  • - Existing working copies checked out by the Subversion 1.7 - client in RHEL 7 must be upgraded to the new format before they can be used from Subversion 1.10. After installing RHEL 8, run the svn upgrade command in each working copy. -
  • -
  • - Smartcard authentication for accessing repositories using https:// is no longer supported. -
  • -
-
-

- (BZ#1571415) -

-
-

Notable changes in dstat

-

- RHEL 8 is distributed with a new version of the dstat tool. - This tool is now a part of the Performance Co-Pilot (PCP) toolkit. The /usr/bin/dstat file and the dstat - package name is now provided by the pcp-system-tools package. -

-
-

- The new version of dstat introduces the following enhancements over - dstat available in RHEL 7: -

-
-
    -
  • - python3 support -
  • -
  • - Historical analysis -
  • -
  • - Remote host analysis -
  • -
  • - Configuration file plugins -
  • -
  • - New performance metrics -
  • -
-
-

- (BZ#1684947) -

-
-
-
-
-
-

5.1.7. Dynamic programming languages, web and database servers

-
-
-
-
-

Python 3 is the default Python implementation in RHEL 8

-

- Red Hat Enterprise Linux 8 is distributed with Python 3.6. The - package might not be installed by default. To install Python 3.6, use the yum install python3 command. -

-
-

- Python 2.7 is available in the python2 - package. However, Python 2 will have a shorter life cycle and its - aim is to facilitate a smoother transition to Python 3 for - customers. -

-

- Neither the default python package nor the unversioned /usr/bin/python executable is distributed with RHEL 8. Customers are - advised to use python3 or python2 - directly. Alternatively, administrators can configure the unversioned python command using the alternatives - command. -

-

- For more information, see Introduction - to Python. -

-

- (BZ#1580387) -

-
-

Python scripts must specify major version in interpreter directives at - RPM build time

-

- In RHEL 8, executable Python scripts are expected to use interpreter directives (hashbangs) - specifying explicitly at least the major Python version. -

-
-

- The /usr/lib/rpm/redhat/brp-mangle-shebangs buildroot policy (BRP) - script is run automatically when building any RPM package. This script attempts to correct - interpreter directives in all executable files. When the script encounters ambiguous Python - interpreter directives that do not specify the major version of Python, it generates errors and - the RPM build fails. Examples of such ambiguous interpreter directives include: -

-
-
    -
  • - #! /usr/bin/python -
  • -
  • - #! /usr/bin/env python -
  • -
-
-

- To modify interpreter directives in the Python scripts causing these build errors at RPM build - time, use the pathfix.py script from the platform-python-devel package: -

-
pathfix.py -pn -i %{__python3} PATH ...
-

- Multiple PATHs can be specified. If a PATH is a directory, pathfix.py recursively scans for any Python scripts matching the - pattern ^[a-zA-Z0-9_]+\.py$, not only those with an ambiguous - hashbang. Add the command for running pathfix.py to the %prep section or at the end of the %install section. -

-

- For more information, see Handling - interpreter directives in Python scripts. -

-

- (BZ#1583620) -

-
-

Notable changes in PHP

-

- Red Hat Enterprise Linux 8 is distributed with PHP 7.2. This - version introduces the following major changes over PHP 5.4, - which is available in RHEL 7: -

-
-
-
    -
  • - PHP uses FastCGI Process Manager (FPM) by default (safe for - use with a threaded httpd) -
  • -
  • - The php_value and php-flag - variables should no longer be used in the httpd - configuration files; they should be set in pool configuration instead: /etc/php-fpm.d/*.conf -
  • -
  • - PHP script errors and warnings are logged to the /var/log/php-fpm/www-error.log file instead of /var/log/httpd/error.log -
  • -
  • - When changing the PHP max_execution_time configuration - variable, the httpd ProxyTimeout setting should be increased to match -
  • -
  • - The user running PHP scripts is now configured in the FPM - pool configuration (the /etc/php-fpm.d/www.conf file; the - apache user is the default) -
  • -
  • - The php-fpm service needs to be restarted after a - configuration change or after a new extension is installed -
  • -
  • - The zip extension has been moved from the php-common package to a separate package, php-pecl-zip -
  • -
-
-

- The following extensions have been removed: -

-
-
    -
  • - aspell -
  • -
  • - mysql (note that the mysqli - and pdo_mysql extensions are still available, provided by - php-mysqlnd package) -
  • -
  • - memcache -
  • -
-
-

- (BZ#1580430, BZ#1691688) -

-
-

Notable changes in Ruby

-

- RHEL 8 provides Ruby 2.5, which introduces numerous new - features and enhancements over Ruby 2.0.0 available in RHEL 7. - Notable changes include: -

-
-
-
    -
  • - Incremental garbage collector has been added. -
  • -
  • - The Refinements syntax has been added. -
  • -
  • - Symbols are now garbage collected. -
  • -
  • - The $SAFE=2 and $SAFE=3 safe - levels are now obsolete. -
  • -
  • - The Fixnum and Bignum classes - have been unified into the Integer class. -
  • -
  • - Performance has been improved by optimizing the Hash class, - improved access to instance variables, and the Mutex class - being smaller and faster. -
  • -
  • - Certain old APIs have been deprecated. -
  • -
  • - Bundled libraries, such as RubyGems, Rake, RDoc, Psych, Minitest, and test-unit, have been updated. -
  • -
  • - Other libraries, such as mathn, DL, ext/tk, and XMLRPC, which were previously distributed with Ruby, are deprecated or no longer included. -
  • -
  • - The SemVer versioning scheme is now used for Ruby versioning. -
  • -
-
-

- (BZ#1648843) -

-
-

Notable changes in Perl

-

- Perl 5.26, distributed with RHEL 8, introduces the following - changes over the version available in RHEL 7: -

-
-
-
    -
  • - Unicode 9.0 is now supported. -
  • -
  • - New op-entry, loading-file, - and loaded-file SystemTap - probes are provided. -
  • -
  • - Copy-on-write mechanism is used when assigning scalars for improved performance. -
  • -
  • - The IO::Socket::IP module for handling IPv4 and IPv6 - sockets transparently has been added. -
  • -
  • - The Config::Perl::V module to access perl -V data in a structured way has been added. -
  • -
  • - A new perl-App-cpanminus package has been added, which - contains the cpanm utility for getting, extracting, - building, and installing modules from the Comprehensive Perl Archive Network (CPAN) - repository. -
  • -
  • - The current directory . has been removed from the @INC module search path for security reasons. -
  • -
  • - The do statement now returns a deprecation warning when it - fails to load a file because of the behavioral change described above. -
  • -
  • - The do subroutine(LIST) call is no longer supported and - results in a syntax error. -
  • -
  • - Hashes are randomized by default now. The order in which keys and values are returned - from a hash changes on each perl run. To disable the - randomization, set the PERL_PERTURB_KEYS environment - variable to 0. -
  • -
  • - Unescaped literal { characters in regular expression - patterns are no longer permissible. -
  • -
  • - Lexical scope support for the $_ variable has been removed. -
  • -
  • - Using the defined operator on an array or a hash results in - a fatal error. -
  • -
  • - Importing functions from the UNIVERSAL module results in a - fatal error. -
  • -
  • - The find2perl, s2p, a2p, c2ph, and pstruct tools have been removed. -
  • -
  • - The ${^ENCODING} facility has been removed. The encoding pragma’s default mode is no longer supported. To - write source code in other encoding than UTF-8, use the - encoding’s Filter option. -
  • -
  • - The perl packaging is now aligned with upstream. The perl package installs also core modules, while the /usr/bin/perl interpreter is provided by the perl-interpreter package. In previous releases, the perl package included just a minimal interpreter, whereas the - perl-core package included both the interpreter and the - core modules. -
  • -
  • - The IO::Socket::SSL Perl module no longer loads a - certificate authority certificate from the ./certs/my-ca.pem file or the ./ca directory, a server private key from the ./certs/server-key.pem file, a server certificate from the - ./certs/server-cert.pem file, a client private key from the - ./certs/client-key.pem file, and a client certificate from - the ./certs/client-cert.pem file. Specify the paths to the - files explicitly instead. -
  • -
-
-

- (BZ#1511131) -

-
-

Node.js new in RHEL

-

- Node.js, a software development platform for building fast and - scalable network applications in the JavaScript programming language, is provided for the - first time in RHEL. It was previously available only as a Software Collection. RHEL 8 - provides Node.js 10. -

-
-

- (BZ#1622118) -

-
-

Notable changes in SWIG

-

- RHEL 8 includes the Simplified Wrapper and Interface Generator (SWIG) version 3.0, which - provides numerous new features, enhancements, and bug fixes over the version 2.0 distributed - in RHEL 7. Most notably, support for the C++11 standard has been implemented. SWIG now supports also Go 1.6, PHP 7, Octave 4.2, and Python 3.5. -

-
-

- (BZ#1660051) -

-
-

Notable changes in Apache httpd -

-

- RHEL 8 is distributed with the Apache HTTP Server 2.4.37. This version introduces the - following changes over httpd available in RHEL 7: -

-
-
-
    -
  • - HTTP/2 support is now provided by the mod_http2 package, - which is a part of the httpd module. -
  • -
  • - Automated TLS certificate provisioning and renewal using the Automatic Certificate - Management Environment (ACME) protocol is now supported with the mod_md package (for use with certificate providers such as - Let’s Encrypt) -
  • -
  • - The Apache HTTP Server now supports loading TLS certificates and private keys from - hardware security tokens directly from PKCS#11 modules. As - a result, a mod_ssl configuration can now use PKCS#11 URLs to identify the TLS private key, and, - optionally, the TLS certificate in the SSLCertificateKeyFile and SSLCertificateFile directives. -
  • -
  • - The multi-processing module (MPM) configured by default with the Apache HTTP Server has - changed from a multi-process, forked model (known as prefork) to a high-performance multi-threaded model, event. Any third-party modules that are not thread-safe need - to be replaced or removed. To change the configured MPM, edit the /etc/httpd/conf.modules.d/00-mpm.conf file. See the httpd.conf(5) man page for more information. -
  • -
-
-

- For more information about changes in httpd and its usage, see Setting - up the Apache HTTP web server. -

-

- (BZ#1632754, BZ#1527084, BZ#1581178) -

-
-

The nginx web server new in RHEL -

-

- RHEL 8 introduces nginx 1.14, a web and proxy server supporting - HTTP and other protocols, with a focus on high concurrency, performance, and low memory - usage. nginx was previously available only as a Software - Collection. -

-
-

- The nginx web server now supports loading TLS private keys from - hardware security tokens directly from PKCS#11 modules. As a - result, an nginx configuration can use PKCS#11 URLs to identify the TLS private key in the ssl_certificate_key directive. -

-

- (BZ#1545526) -

-
-

Database servers in RHEL 8

-

- RHEL 8 provides the following database servers: -

-
-
-
    -
  • - MySQL 8.0, a multi-user, multi-threaded SQL database - server. It consists of the MySQL server daemon, mysqld, and many client programs. -
  • -
  • - MariaDB 10.3, a multi-user, multi-threaded SQL database - server. For all practical purposes, MariaDB is - binary-compatible with MySQL. -
  • -
  • - PostgreSQL 10 and PostgreSQL 9.6, an advanced object-relational database - management system (DBMS). -
  • -
  • - Redis 5, an advanced key-value store. It is often referred - to as a data structure server because keys can contain strings, hashes, lists, sets, and - sorted sets. Redis is provided for the first time in RHEL. -
  • -
-
-

- Note that the NoSQL MongoDB database server is not included in RHEL - 8.0 because it uses the Server Side Public License (SSPL). -

-

- (BZ#1647908) -

-
-

Notable changes in MySQL 8.0

-

- RHEL 8 is distributed with MySQL 8.0, which provides, for - example, the following enhancements: -

-
-
-
    -
  • - MySQL now incorporates a transactional data dictionary, - which stores information about database objects. -
  • -
  • - MySQL now supports roles, which are collections of - privileges. -
  • -
  • - The default character set has been changed from latin1 to - utf8mb4. -
  • -
  • - Support for common table expressions, both nonrecursive and recursive, has been added. -
  • -
  • - MySQL now supports window functions, which perform a - calculation for each row from a query, using related rows. -
  • -
  • - InnoDB now supports the NOWAIT - and SKIP LOCKED options with locking read statements. -
  • -
  • - GIS-related functions have been improved. -
  • -
  • - JSON functionality has been enhanced. -
  • -
  • - The new mariadb-connector-c packages provide a common - client library for MySQL and MariaDB. This library is usable with any version of the MySQL and MariaDB database - servers. As a result, the user is able to connect one build of an application to any of - the MySQL and MariaDB servers - distributed with RHEL 8. -
  • -
-
-

- In addition, the MySQL 8.0 server distributed with RHEL 8 is - configured to use mysql_native_password as the default - authentication plug-in because client tools and libraries in RHEL 8 are incompatible with the - caching_sha2_password method, which is used by default in the - upstream MySQL 8.0 version. -

-

- To change the default authentication plug-in to caching_sha2_password, edit the /etc/my.cnf.d/mysql-default-authentication-plugin.cnf file as - follows: -

-
[mysqld]
-default_authentication_plugin=caching_sha2_password
-

- See also Using - MySQL. -

-

- (BZ#1649891, BZ#1519450, BZ#1631400) -

-
-

Notable changes in MariaDB 10.3 -

-

- MariaDB 10.3 provides numerous new features over the version - 5.5 distributed in RHEL 7, such as: -

-
-
-
    -
  • - Common table expressions -
  • -
  • - System-versioned tables -
  • -
  • - FOR loops -
  • -
  • - Invisible columns -
  • -
  • - Sequences -
  • -
  • - Instant ADD COLUMN for InnoDB -
  • -
  • - Storage-engine independent column compression -
  • -
  • - Parallel replication -
  • -
  • - Multi-source replication -
  • -
-
-

- In addition, the new mariadb-connector-c packages provide a common - client library for MySQL and MariaDB. - This library is usable with any version of the MySQL and MariaDB database servers. As a result, the user is able to connect - one build of an application to any of the MySQL and MariaDB servers distributed with RHEL 8. -

-

- Other notable changes include: -

-
-
    -
  • - MariaDB Galera Cluster, a synchronous multi-master cluster, - is now a standard part of MariaDB. -
  • -
  • - InnoDB is used as the default storage engine instead of - XtraDB. -
  • -
  • - The mariadb-bench subpackage has been removed. -
  • -
  • - The default allowed level of the plug-in maturity has been changed to one level less - than the server maturity. As a result, plug-ins with a lower maturity level that were - previously working, will no longer load. -
  • -
-
-

- See also Using - MariaDB. -

-

- (BZ#1637034, BZ#1519450, BZ#1688374) -

-
-

Notable changes in PostgreSQL

-

- RHEL 8.0 provides two versions of the PostgreSQL database - server, distributed in two streams of the postgresql module: - PostgreSQL 10 (the default stream) and PostgreSQL 9.6. RHEL 7 includes PostgreSQL version 9.2. -

-
-

- Notable changes in PostgreSQL 9.6 are, for example: -

-
-
    -
  • - Parallel execution of the sequential operations: scan, - join, and aggregate -
  • -
  • - Enhancements to synchronous replication -
  • -
  • - Improved full-text search enabling users to search for phrases -
  • -
  • - The postgres_fdw data federation driver now supports remote - join, sort, UPDATE, and DELETE operations -
  • -
  • - Substantial performance improvements, especially regarding scalability on - multi-CPU-socket servers -
  • -
-
-

- Major enhancements in PostgreSQL 10 include: -

-
-
    -
  • - Logical replication using the publish and subscribe keywords -
  • -
  • - Stronger password authentication based on the SCRAM-SHA-256 - mechanism -
  • -
  • - Declarative table partitioning -
  • -
  • - Improved query parallelism -
  • -
  • - Significant general performance improvements -
  • -
  • - Improved monitoring and control -
  • -
-
-

- See also Using - PostgreSQL. -

-

- (BZ#1660041) -

-
-

Notable changes in Squid

-

- RHEL 8.0 is distributed with Squid 4.4, a high-performance - proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. This - release provides numerous new features, enhancements, and bug fixes over the version 3.5 - available in RHEL 7. -

-
-

- Notable changes include: -

-
-
    -
  • - Configurable helper queue size -
  • -
  • - Changes to helper concurrency channels -
  • -
  • - Changes to the helper binary -
  • -
  • - Secure Internet Content Adaptation Protocol (ICAP) -
  • -
  • - Improved support for Symmetric Multi Processing (SMP) -
  • -
  • - Improved process management -
  • -
  • - Removed support for SSL -
  • -
  • - Removed Edge Side Includes (ESI) custom parser -
  • -
  • - Multiple configuration changes -
  • -
-
-

- (BZ#1656871) -

-
-

Varnish Cache new in RHEL

-

- Varnish Cache, a high-performance HTTP reverse proxy, is - provided for the first time in RHEL. It was previously available only as a Software - Collection. Varnish Cache stores files or fragments of files in - memory that are used to reduce the response time and network bandwidth consumption on future - equivalent requests. RHEL 8.0 is distributed with Varnish Cache 6.0. -

-
-

- (BZ#1633338) -

-
-
-
-
-
-

5.1.8. Desktop

-
-
-
-
-

GNOME Shell, version 3.28 in RHEL 8

-

- GNOME Shell, version 3.28 is available in Red Hat Enterprise Linux (RHEL) 8. Notable - enhancements include: -

-
-
-
    -
  • - New GNOME Boxes features -
  • -
  • - New on-screen keyboard -
  • -
  • - Extended devices support, most significantly integration for the Thunderbolt 3 interface -
  • -
  • - Improvements for GNOME Software, dconf-editor and GNOME Terminal -
  • -
-
-

- (BZ#1649404) -

-
-

Wayland is the - default display server

-

- With Red Hat Enterprise Linux 8, the GNOME session and the GNOME Display Manager (GDM) use - Wayland as their default display server - instead of the X.org server, which was - used with the previous major version of RHEL. -

-
-

- Wayland provides multiple advantages and - improvements over X.org. Most notably: -

-
-
    -
  • - Stronger security model -
  • -
  • - Improved multi-monitor handling -
  • -
  • - Improved user interface (UI) scaling -
  • -
  • - The desktop can control window handling directly. -
  • -
-
-

- Note that the following features are currently unavailable or do not work as expected: -

-
-
    -
  • - Multi-GPU setups are not supported under Wayland. -
  • -
  • - The NVIDIA binary driver does not - work under Wayland. -
  • -
  • - The xrandr utility does not work under Wayland due to its different approach - to handling, resolutions, rotations, and layout. Note that other X.org utilities for manipulating the - screen do not work under Wayland, - either. -
  • -
  • - Screen recording, remote desktop, and accessibility do not always work correctly under - Wayland. -
  • -
  • - No clipboard manager is available. -
  • -
  • - Wayland ignores keyboard grabs - issued by X11 applications, such as virtual machines viewers. -
  • -
  • - Wayland inside guest virtual - machines (VMs) has stability and performance problems, so it is recommended to use the - X11 session for virtual environments. -
  • -
-
-

- If you upgrade to RHEL 8 from a RHEL 7 system where you used the X.org GNOME session, your system continues to - use X.org. The system also automatically - falls back to X.org when the following - graphics drivers are in use: -

-
-
    -
  • - The NVIDIA binary driver -
  • -
  • - The cirrus driver -
  • -
  • - The mga driver -
  • -
  • - The aspeed driver -
  • -
-
-

- You can disable the use of Wayland manually: -

-
-
    -
  • - To disable Wayland in GDM, set the WaylandEnable=false option in the /etc/gdm/custom.conf file. -
  • -
  • - To disable Wayland in the GNOME - session, select the legacy X11 option by using the cogwheel menu on the login screen - after entering your login name. -
  • -
-
-

- For more details on Wayland, see https://wayland.freedesktop.org/. -

-

- (BZ#1589678) -

-
-

Locating RPM packages that are in repositories not enabled by - default

-

- Additional repositories for desktop are not enabled by default. The disablement is indicated - by the enabled=0 line in the corresponding .repo file. If you attempt to install a package from such - repository using PackageKit, PackageKit shows an error message announcing that the - application is not available. To make the package available, replace previously used enabled=0 line in the respective .repo file with enabled=1. -

-
-

- (JIRA:RHELPLAN-2878) -

-
-

GNOME Sofware for - package management

-

- The gnome-packagekit package that provided a collection of - tools for package management in graphical environment on Red Hat Enterprise Linux 7 is no - longer available. On Red Hat Enterprise Linux 8, similar functionality is provided by the - GNOME Software utility, which enables - you to install and update applications and gnome-shell extensions. GNOME Software is distributed in the gnome-software package. -

-
-

- (JIRA:RHELPLAN-3001) -

-
-

Fractional scaling available for GNOME Shell on Wayland

-

- On a GNOME Shell on Wayland session, the - fractional scaling feature is available. The feature makes it possible to scale the GUI by - fractions, which improves the appearance of scaled GUI on certain displays. -

-
-

- Note that the feature is currently considered experimental and is, therefore, disabled by - default. -

-

- To enable fractional scaling, run the following command: -

-
# gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer']"
-

- (BZ#1668883) -

-
-
-
-
-
-

5.1.9. Hardware enablement

-
-
-
-
-

Firmware updates using fwupd are - available

-

- RHEL 8 supports firmware updates, such as UEFI capsule, Device Firmware Upgrade (DFU), and - others, using the fwupd daemon. The daemon allows session - software to update device firmware on a local machine automatically. -

-
-

- To view and apply updates, you can use: -

-
-
    -
  • - A GUI software manager, such as GNOME Software -
  • -
  • - The fwupdmgr command-line tool -
  • -
-
-

- The metadata files are automatically downloaded from the Linux Vendor Firmware Service (LVFS) - secure portal, and submitted into fwupd over D-Bus. The updates - that need to be applied are downloaded displaying user notifications and update details. The - user must explicitly agree with the firmware update action before the update is performed. -

-

- Note that the access to LVFS is disabled by default. -

-

- To enable the access to LVFS, either click the slider in the sources dialog in GNOME Software, or run the fwupdmgr enable-remote lvfs command. If you use fwupdmgr to get the updates list, you will be asked if you want to - enable LVFS. -

-

- With access to LVFS, you will get firmware updates directly from the hardware vendor. Note that - such updates have not been verified by Red Hat QA. -

-

- (BZ#1504934) -

-
-

Memory Mode for Optane DC Persistent Memory technology is fully - supported

-

- Intel Optane DC Persistent Memory storage devices provide data center-class persistent - memory technology, which can significantly increase transaction throughput. -

-
-

- To use the Memory Mode technology, your system does not require any special drivers or specific - certification. Memory Mode is transparent to the operating system. -

-

- (BZ#1718422) -

-
-
-
-
-
-

5.1.10. Identity Management

-
-
-
-
-

New password syntax checks in Directory Server

-

- This enhancement adds new password syntax checks to Directory Server. Administrators can - now, for example, enable dictionary checks, allow or deny using character sequences and - palindromes. As a result, if enabled, the password policy syntax check in Directory Server - enforces more secure passwords. -

-
-

- (BZ#1334254) -

-
-

Directory Server now provides improved internal operations logging - support

-

- Several operations in Directory Server, initiated by the server and clients, cause - additional operations in the background. Previously, the server only logged for internal - operations the Internal connection keyword, and the operation - ID was always set to -1. With this enhancement, Directory - Server logs the real connection and operation ID. You can now trace the internal operation - to the server or client operation that caused this operation. -

-
-

- (BZ#1358706) -

-
-

The tomcatjss library supports OCSP - checking using the responder from the AIA extension

-

- With this enhancement, the tomcatjss library supports Online - Certificate Status Protocol (OCSP) checking using the responder from the Authority - Information Access (AIA) extension of a certificate. As a result, administrators of Red Hat - Certificate System can now configure OCSP checking that uses the URL from the AIA extension. -

-
-

- (BZ#1636564) -

-
-

The pki subsystem-cert-find and pki subsystem-cert-show commands now show the serial number - of certificates

-

- With this enhancement, the pki subsystem-cert-find and pki subsystem-cert-show commands in Certificate System show the - serial number of certificates in their output. The serial number is an important piece of - information and often required by multiple other commands. As a result, identifying the - serial number of a certificate is now easier. -

-
-

- (BZ#1566360) -

-
-

The pki user and pki group commands have been deprecated in Certificate - System

-

- With this update, the new pki <subsystem>-user - and pki <subsystem>-group - commands replace the pki user and pki group commands in Certificate System. The replaced commands - still works, but they display a message that the command is deprecated and refer to the new - commands. -

-
-

- (BZ#1394069) -

-
-

Certificate System now supports offline renewal of system - certificates

-

- With this enhancement, administrators can use the offline renewal feature to renew system - certificates configured in Certificate System. When a system certificate expires, - Certificate System fails to start. As a result of the enhancement, administrators no longer - need workarounds to replace an expired system certificate. -

-
-

- (BZ#1669257) -

-
-

Certificate System can now create CSRs with SKI extension for external - CA signing

-

- With this enhancement, Certificate System supports creating a certificate signing request - (CSR) with the Subject Key Identifier (SKI) extension for external certificate authority - (CA) signing. Certain CAs require this extension either with a particular value or derived - from the CA public key. As a result, administrators can now use the pki_req_ski parameter in the configuration file passed to the - pkispawn utility to create a CSR with SKI extension. -

-
-

- (BZ#1656856) -

-
-

SSSD no longer uses the fallback_homedir - value from the [nss] section as fallback for AD - domains

-

- Prior to RHEL 7.7, the SSSD fallback_homedir parameter in an - Active Directory (AD) provider had no default value. If fallback_homedir was not set, SSSD used instead the value from - the same parameter from the [nss] section in the /etc/sssd/sssd.conf file. To increase security, SSSD in RHEL 7.7 - introduced a default value for fallback_homedir. As a - consequence, SSSD no longer falls back to the value set in the [nss] section. If you want to use a different value than the - default for the fallback_homedir parameter in an AD domain, you - must manually set it in the domain’s section. -

-
-

- (BZ#1652719) -

-
-

SSSD now allows you to select one of the multiple Smartcard - authentication devices

-

- By default, the System Security Services Daemon (SSSD) tries to detect a device for - Smartcard authentication automatically. If there are multiple devices connected, SSSD - selects the first one it detects. Consequently, you cannot select a particular device, which - sometimes leads to failures. -

-
-

- With this update, you can configure a new p11_uri option for the - [pam] section of the sssd.conf - configuration file. This option enables you to define which device is used for Smartcard - authentication. -

-

- For example, to select a reader with the slot id 2 detected by the - OpenSC PKCS#11 module, add: -

-
p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
-

- to the [pam] section of sssd.conf. -

-

- For details, see the man sssd.conf page. -

-

- (BZ#1620123) -

-
-

Local users are cached by SSSD and served through the nss_sss module

-

- In RHEL 8, the System Security Services Daemon (SSSD) serves users and groups from the /etc/passwd and /etc/groups files by default. The sss nsswitch module precedes files in the /etc/nsswitch.conf file. -

-
-

- The advantage of serving local users through SSSD is that the nss_sss module has a fast memory-mapped cache that speeds up Name Service Switch - (NSS) lookups compared to accessing the disk and opening the files on each NSS request. - Previously, the Name service cache daemon (nscd) helped accelerate - the process of accessing the disk. However, using nscd - in parallel with SSSD is cumbersome, as both SSSD and nscd use their own independent caching. Consequently, - using nscd in setups where SSSD is also serving users - from a remote domain, for example LDAP or Active Directory, can cause unpredictable behavior. -

-

- With this update, the resolution of local users and groups is faster in RHEL 8. Note that the - root user is never handled by SSSD, therefore root resolution cannot be impacted by a potential bug in - SSSD. Note also that if SSSD is not running, the nss_sss - module handles the situation gracefully by falling back to nss_files to avoid problems. You do not have to configure - SSSD in any way, the files domain is added automatically. -

-

- (JIRA:RHELPLAN-10439) -

-
-

KCM replaces KEYRING as the default credential cache storage -

-

- In RHEL 8, the default credential cache storage is the Kerberos Credential Manager (KCM) - which is backed by the sssd-kcm deamon. KCM - overcomes the limitations of the previously used KEYRING, such as its being difficult to use - in containerized environments because it is not namespaced, and to view and manage quotas. -

-
-

- With this update, RHEL 8 contains a credential cache that is better suited for containerized - environments and that provides a basis for building more features in future releases. -

-

- (JIRA:RHELPLAN-10440) -

-
-

Active Directory users can now administer Identity Management -

-

- With this update, RHEL 8 allows adding a user ID override for an Active Directory (AD) user - as a member of an Identity Management (IdM) group. An ID override is a record describing - what a specific AD user or group properties should look like within a specific ID view, in - this case the Default Trust View. As a consequence of the update, the IdM LDAP server is - able to apply access control rules for the IdM group to the AD user. -

-
-

- AD users are now able to use the self service features of IdM UI, for example to upload their - SSH keys, or change their personal data. An AD administrator is able to fully administer IdM - without having two different accounts and passwords. Note that currently, selected features in - IdM may still be unavailable to AD users. -

-

- (JIRA:RHELPLAN-10442) -

-
-

sssctl prints an HBAC rules - report for an IdM domain

-

- With this update, the sssctl utility of the System - Security Services Daemon (SSSD) can print an access control report for an Identity - Management (IdM) domain. This feature meets the need of certain environments to see, for - regulatory reasons, a list of users and groups that can access a specific client machine. - Running sssctl access-report domain_name on an IdM client prints the parsed subset - of host-based access control (HBAC) rules in the IdM domain that apply to the client - machine. -

-
-

- Note that no other providers than IdM support this feature. -

-

- (JIRA:RHELPLAN-10443) -

-
-

Identity Management packages are available as a module

-

- In RHEL 8, the packages necessary for installing an Identity Management (IdM) server and - client are shipped as a module. The client stream is the - default stream of the idm module and you can download - the packages necessary for installing the client without enabling the stream. -

-
-

- The IdM server module stream is called the DL1 stream. The - stream contains multiple profiles corresponding to different types of IdM servers: server, dns, - adtrust, client, and default. To download the packages in a specific profile of the DL1 stream: -

-
-
    -
  1. - Enable the stream. -
  2. -
  3. - Switch to the RPMs delivered through the stream. -
  4. -
  5. - Run the yum module install idm:DL1/profile_name - command. -
  6. -
-
-

- To switch to a new module stream once you have already enabled a specific stream and downloaded - packages from it: -

-
-
    -
  1. - Remove all the relevant installed content and disable the current module stream. -
  2. -
  3. - Enable the new module stream. -
  4. -
-
-

- (JIRA:RHELPLAN-10438) -

-
-

Session recording solution for RHEL 8 added

-

- A session recording solution has been added to Red Hat Enterprise Linux 8 (RHEL 8). A new - tlog package and its associated web console session player - enable to record and playback the user terminal sessions. The recording can be configured - per user or user group via the System Security Services Daemon (SSSD) service. All terminal - input and output is captured and stored in a text-based format in a system journal. The - input is inactive by default for security reasons not to intercept raw passwords and other - sensitive information. -

-
-

- The solution can be used for auditing of user sessions on security-sensitive systems. In the - event of a security breach, the recorded sessions can be reviewed as a part of a forensic - analysis. The system administrators are now able to configure the session recording locally and - view the result from the RHEL 8 web console interface or from the Command-Line Interface using - the tlog-play utility. -

-

- (JIRA:RHELPLAN-1473) -

-
-

authselect simplifies the - configuration of user authentication

-

- This update introduces the authselect utility that - simplifies the configuration of user authentication on RHEL 8 hosts, replacing the authconfig utility. authselect comes with a safer approach to PAM stack - management that makes the PAM configuration changes simpler for system administrators. authselect can be used to configure authentication - methods such as passwords, certificates, smart cards, and fingerprint. Note that authselect does not configure services required to - join remote domains. This task is performed by specialized tools, such as realmd or ipa-client-install. -

-
-

- (JIRA:RHELPLAN-10445) -

-
-

SSSD now enforces AD GPOs by default

-

- The default setting for the SSSD option ad_gpo_access_control - is now enforcing. In RHEL 8, SSSD enforces access control rules - based on Active Directory Group Policy Objects (GPOs) by default. -

-
-

- Red Hat recommends ensuring GPOs are configured correctly in Active Directory before upgrading - from RHEL 7 to RHEL 8. If you would not like to enforce GPOs, change the value of the ad_gpo_access_control option in the /etc/sssd/sssd.conf file to permissive. -

-

- (JIRA:RHELPLAN-51289) -

-
-
-
-
-
-

5.1.11. Compilers and development tools

-
-
-
-
-

Boost updated to version 1.66

-

- The Boost C++ library has been updated - to upstream version 1.66. The version of Boost included in Red Hat - Enterprise Linux 7 is 1.53. For details, see the upstream changelogs: https://www.boost.org/users/history/ -

-
-

- This update introduces the following changes breaking compatibility with previous versions: -

-
-
    -
  • - The bs_set_hook() function, the splay_set_hook() function from splay containers, and the - bool splay = true extra parameter in the splaytree_algorithms() function in the Intrusive library have been removed. -
  • -
  • - Comments or string concatenation in JSON files are no longer supported by the parser in - the Property Tree library. -
  • -
  • - Some distributions and special functions from the Math library have been fixed to behave - as documented and raise an overflow_error instead of - returning the maximum finite value. -
  • -
  • - Some headers from the Math library - have been moved into the directory libs/math/include_private. -
  • -
  • - Behavior of the basic_regex<>::mark_count() and basic_regex<>::subexpression(n) functions from the - Regex library has been changed to - match their documentation. -
  • -
  • - Use of variadic templates in the Variant library may break - metaprogramming functions. -
  • -
  • - The boost::python::numeric API has been removed. Users can - use boost::python::numpy instead. -
  • -
  • - Arithmetic operations on pointers to non-object types are no longer provided in the - Atomic library. -
  • -
-
-

- (BZ#1494495) -

-
-

Unicode 11.0.0 support

-

- The Red Hat Enterprise Linux core C library, glibc, has been updated to support the - Unicode standard version 11.0.0. As a result, all wide character and multi-byte character - APIs including transliteration and conversion between character sets provide accurate and - correct information conforming to this standard. -

-
-

- (BZ#1512004) -

-
-

The boost package is now independent of - Python

-

- With this update, installing the boost package no longer - installs the Boost.Python library as a dependency. In order to - use Boost.Python, you need to explicitly install the boost-python3 or boost-python3-devel - packages. -

-
-

- (BZ#1616244) -

-
-

A new compat-libgfortran-48 package - available

-

- For compatibility with Red Hat Enterprise Linux 6 and 7 applications using the Fortran - library, a new compat-libgfortran-48 compatibility package is - now available, which provides the libgfortran.so.3 library. -

-
-

- (BZ#1607227) -

-
-

Retpoline support in GCC

-

- This update adds support for retpolines to GCC. A retpoline is a software construct used by - the kernel to reduce overhead of mitigating Spectre Variant 2 attacks described in - CVE-2017-5715. -

-
-

- (BZ#1535774) -

-
-

Enhanced support for the 64-bit ARM architecture in toolchain - components

-

- Toolchain components, GCC and binutils, now provide extended support for the 64-bit ARM - architecture. For example: -

-
-
-
    -
  • - GCC and binutils now support - Scalable Vector Extension (SVE). -
  • -
  • - Support for the FP16 data type, provided by ARM v8.2, has - been added to GCC. The FP16 - data type improves performance of certain algorithms. -
  • -
  • - Tools from binutils now support the ARM v8.3 architecture - definition, including Pointer Authentication. The Pointer Authentication feature - prevents malicious code from corrupting the normal execution of a program or the kernel - by crafting their own function pointers. As a result, only trusted addresses are used - when branching to different places in the code, which improves security. -
  • -
-
-

- (BZ#1504980, BZ#1550501, BZ#1504995, BZ#1504993, BZ#1504994) -

-
-

Optimizations to glibc for IBM POWER - systems

-

- This update provides a new version of glibc that is optimized - for both IBM POWER 8 and IBM POWER 9 architectures. As a result, IBM POWER 8 and IBM POWER 9 - systems now automatically switch to the appropriate, optimized glibc variant at run time. -

-
-

- (BZ#1376834) -

-
-

GNU C Library updated to version 2.28

-

- Red Hat Enterprise Linux 8 includes version 2.28 of the GNU C Library (glibc). Notable - improvements include: -

-
-
-
    -
  • -

    - Security hardening features: -

    -
    -
      -
    • - Secure binary files marked with the AT_SECURE - flag ignore the LD_LIBRARY_PATH environment - variable. -
    • -
    • - Backtraces are no longer printed for stack checking failures to speed up - shutdown and avoid running more code in a compromised environment. -
    • -
    -
    -
  • -
  • -

    - Performance improvements: -

    -
    -
      -
    • - Performance of the malloc() function has been - improved with a thread local cache. -
    • -
    • - Addition of the GLIBC_TUNABLES environment - variable to alter library performance characteristics. -
    • -
    • - Implementation of thread semaphores has been improved and new scalable pthread_rwlock_xxx() functions have been added. -
    • -
    • - Performance of the math library has been improved. -
    • -
    -
    -
  • -
  • - Support for Unicode 11.0.0 has been added. -
  • -
  • - Improved support for 128-bit floating point numbers as defined by the ISO/IEC/IEEE - 60559:2011, IEEE 754-2008, and ISO/IEC TS 18661-3:2015 standards has been added. -
  • -
  • -

    - Domain Name Service (DNS) stub resolver improvements related to the /etc/resolv.conf configuration file: -

    -
    -
      -
    • - Configuration is automatically reloaded when the file is changed. -
    • -
    • - Support for an arbitrary number of search domains has been added. -
    • -
    • - Proper random selection for the rotate option - has been added. -
    • -
    -
    -
  • -
  • -

    - New features for development have been added, including: -

    -
    -
      -
    • - Linux wrapper functions for the preadv2 and - pwritev2 kernel calls -
    • -
    • - New functions including reallocarray() and - explicit_bzero() -
    • -
    • - New flags for the posix_spawnattr_setflags() - function such as POSIX_SPAWN_SETSID -
    • -
    -
    -
  • -
-
-

- (BZ#1512010, BZ#1504125, BZ#506398) -

-
-

CMake available in RHEL

-

- The CMake build system version 3.11 is available in Red Hat Enterprise Linux 8 as the cmake package. -

-
-

- (BZ#1590139, BZ#1502802) -

-
-

make version 4.2.1

-

- Red Hat Enterprise Linux 8 is distributed with the make build - tool version 4.2.1. Notable changes include: -

-
-
-
    -
  • - When a recipe fails, the name of the makefile and line number of the recipe are shown. -
  • -
  • - The --trace option has been added to enable tracing of - targets. When this option is used, every recipe is printed before invocation even if it - would be suppressed, together with the file name and line number where this recipe is - located, and also with the prerequisites causing it to be invoked. -
  • -
  • - Mixing explicit and implicit rules no longer cause make to - terminate execution. Instead, a warning is printed. Note that this syntax is deprecated - and may be completely removed in the future. -
  • -
  • - The $(file …​) function has been added to write text to a - file. When called without a text argument, it only opens and immediately closes the - file. -
  • -
  • - A new option, --output-sync or -O, causes an output from multiple jobs to be grouped per job - and enables easier debugging of parallel builds. -
  • -
  • - The --debug option now accepts also the n (none) flag to disable all currently enabled debugging - settings. -
  • -
  • -

    - The != shell assignment operator has been added as an - alternative to the $(shell …​) function to increase - compatibility with BSD makefiles. For more details and differences between the - operator and the function, see the GNU make manual. -

    -

    - Note that as a consequence, variables with a name ending in exclamation mark and - immediately followed by assignment, such as variable!=value, are now interpreted as the new syntax. - To restore the previous behavior, add a space after the exclamation mark, such as - variable! =value. -

    -
  • -
  • - The ::= assignment operator defined by the POSIX standard - has been added. -
  • -
  • - When the .POSIX variable is specified, make observes the POSIX standard requirements for handling - backslash and new line. In this mode, any trailing space before the backslash is - preserved, and each backslash followed by a new line and white space characters is - converted to a single space character. -
  • -
  • - Behavior of the MAKEFLAGS and MFLAGS variables is now more precisely defined. -
  • -
  • - A new variable, GNUMAKEFLAGS, is parsed for make flags identically to MAKEFLAGS. As a consequence, GNU make-specific flags can be stored outside MAKEFLAGS and portability of makefiles is increased. -
  • -
  • - A new variable, MAKE_HOST, containing the host architecture - has been added. -
  • -
  • - The new variables, MAKE_TERMOUT and MAKE_TERMERR, indicate whether make is writing standard output and error to a terminal. -
  • -
  • - Setting the -r and -R options - in the MAKEFLAGS variable inside a makefile now works - correctly and removes all built-in rules and variables, respectively. -
  • -
  • - The .RECIPEPREFIX setting is now remembered per recipe. - Additionally, variables expanded in that recipe also use that recipe prefix setting. -
  • -
  • - The .RECIPEPREFIX setting and all target-specific variables - are displayed in the output of the -p option as if in a - makefile, instead of as comments. -
  • -
-
-

- (BZ#1641015) -

-
-

SystemTap version - 4.0

-

- Red Hat Enterprise Linux 8 is distributed with the SystemTap instrumentation tool version - 4.0. Notable improvements include: -

-
-
-
    -
  • - The extended Berkeley Packet Filter (eBPF) backend has been improved, especially strings - and functions. To use this backend, start SystemTap with the --runtime=bpf option. -
  • -
  • - A new export network service for use with the Prometheus monitoring system has been - added. -
  • -
  • - The system call probing implementation has been improved to use the kernel tracepoints - if necessary. -
  • -
-
-

- (BZ#1641032) -

-
-

Improvements in binutils version - 2.30

-

- Red Hat Enterprise Linux 8 includes version 2.30 of the binutils package. Notable improvements include: -

-
-
-
    -
  • - Support for new IBM Z architecture extensions has been improved. -
  • -
-
-

- Linkers: -

-
-
    -
  • - The linker now puts code and read-only data into separate segments by default. As a - result, the created executable files are bigger and more safe to run, because the - dynamic loader can disable execution of any memory page containing read-only data. -
  • -
  • - Support for GNU Property notes which provide hints to the dynamic loader about the - binary file has been added. -
  • -
  • - Previously, the linker generated invalid executable code for the Intel Indirect Branch - Tracking (IBT) technology. As a consequence, the generated executable files could not - start. This bug has been fixed. -
  • -
  • - Previously, the gold linker merged property notes - improperly. As a consequence, wrong hardware features could be enabled in the generated - code, and the code could terminate unexpectedly. This bug has been fixed. -
  • -
  • - Previously, the gold linker created note sections with - padding bytes at the end to achieve alignment according to architecture. Because the - dynamic loader did not expect the padding, it coud terminate unexpectedly the program it - was loading. This bug has been fixed. -
  • -
-
-

- Other tools: -

-
-
    -
  • - The readelf and objdump tools - now have options to follow links into separate debug information files and display - information in them, too. -
  • -
  • - The new --inlines option extends the existing --line-numbers option of the objdump tool to display nesting information for inlined - functions. -
  • -
  • - The nm tool gained a new option --with-version-strings to display version information of a - symbol after its name, if present. -
  • -
  • - Support for the ARMv8-R architecture and Cortex-R52, Cortex-M23, and Cortex-M33 - processors has been added to the assembler. -
  • -
-
-

- (BZ#1641004, BZ#1637072, BZ#1501420, BZ#1504114, BZ#1614908, BZ#1614920) -

-
-

Performance - Co-Pilot version 4.3.0

-

- Red Hat Enterprise Linux 8 is distributed with Performance Co-Pilot (PCP) version 4.3.0. - Notable improvements include: -

-
-
-
    -
  • - The pcp-dstat tool now includes historical analysis and - Comma-separated Values (CSV) format output. -
  • -
  • - The log utilities can use metric labels and help text records. -
  • -
  • - The pmdaperfevent tool now reports the correct CPU numbers - at the lower Simultaneous Multi Threading (SMT) levels. -
  • -
  • - The pmdapostgresql tool now supports Postgres series 10.x. -
  • -
  • - The pmdaredis tool now supports Redis series 5.x. -
  • -
  • - The pmdabcc tool has been enhanced with dynamic process - filtering and per-process syscalls, ucalls, and ustat. -
  • -
  • - The pmdammv tool now exports metric labels, and the format - version is increased to 3. -
  • -
  • - The pmdagfs2 tool supports additional glock and glock - holder metrics. -
  • -
  • - Several fixes have been made to the SELinux policy. -
  • -
-
-

- (BZ#1641034) -

-
-

Memory Protection Keys

-

- This update enables hardware features which allow per-thread page protection flag changes. - The new glibc system call wrappers have been added for the - pkey_alloc(), pkey_free(), and - pkey_mprotect() functions. In addition, the pkey_set() and pkey_get() functions - have been added to allow access to the per-thread protection flags. -

-
-

- (BZ#1304448) -

-
-

GCC now defaults to z13 on IBM Z

-

- With this update, by default GCC on the IBM Z architecture builds code for the z13 - processor, and the code is tuned for the z14 processor. This is equivalent to using the - -march=z13 and -mtune=z14 options. - Users can override this default by explicitly using options for target architecture and - tuning. -

-
-

- (BZ#1571124) -

-
-

elfutils updated to version 0.174 -

-

- In Red Hat Enterprise Linux 8, the elfutils package is available in version - 0.174. Notable changes include: -

-
-
-
    -
  • - Previously, the eu-readelf tool could show a - variable with a negative value as if it had a large unsigned value, or show a large - unsigned value as a negative value. This has been corrected and eu-readelf now looks up the size and signedness of - constant value types to display them correctly. -
  • -
  • - A new function dwarf_next_lines() for reading .debug_line data lacking CU has been added to the libdw library. This function can be - used as alternative to the dwarf_getsrclines() and dwarf_getsrcfiles() functions. -
  • -
  • - Previously, files with more than 65280 sections could cause errors in the libelf and libdw libraries and all tools using - them. This bug has been fixed. As a result, extended shnum - and shstrndx values in ELF file headers are handled - correctly. -
  • -
-
-

- (BZ#1641007) -

-
-

Valgrind updated to version 3.14

-

- Red Hat Enterprise Linux 8 is distributed with the Valgrind executable code analysis tool - version 3.14. Notable changes include: -

-
-
-
    -
  • - A new --keep-debuginfo option has been added to enable - retention of debug info for unloaded code. As a result, saved stack traces can include - file and line information for code that is no longer present in memory. -
  • -
  • - Suppressions based on source file name and line number have been added. -
  • -
  • - The Helgrind tool has been extended with an option --delta-stacktrace to specify computation of full - history stack traces. Notably, using this option together with --history-level=full can improve Helgrind performance by up to 25%. -
  • -
  • - False positive rate in the Memcheck tool for optimised code - on the Intel and AMD 64-bit arcitectures and the ARM 64-bit architecture has been - reduced. Note that you can use the --expensive-definedness-checks to control handling of - definedness checks and improve the rate at the expense of performance. -
  • -
  • - Valgrind can now recognize more instructions of the little-endian variant of IBM Power - Systems. -
  • -
  • - Valgrind can now process most of the integer and string vector instructions of the IBM Z - architecture z13 processor. -
  • -
-
-

- For more information about the new options and their known limitations, see the valgrind(1) manual page. -

-

- (BZ#1641029, BZ#1501419) -

-
-

GDB version 8.2

-

- Red Hat Enterprise Linux 8 is distributed with the GDB debugger version 8.2 Notable changes - include: -

-
-
-
    -
  • - The IPv6 protocol is supported for remote debugging with GDB and gdbserver. -
  • -
  • - Debugging without debug information has been improved. -
  • -
  • - Symbol completion in the GDB user interface has been improved to offer better - suggestions by using more syntactic constructions such as ABI tags or namespaces. -
  • -
  • - Commands can now be executed in the background. -
  • -
  • - Debugging programs created in the Rust programming language is now possible. -
  • -
  • - Debugging C and C++ languages has been improved with parser support for the _Alignof and alignof operators, - C++ rvalue references, and C99 variable-length automatic arrays. -
  • -
  • - GDB extension scripts can now use the Guile scripting language. -
  • -
  • - The Python scripting language interface for extensions has been improved with new API - functions, frame decorators, filters, and unwinders. Additionally, scripts in the .debug_gdb_scripts section of GDB configuration are loaded - automatically. -
  • -
  • - GDB now uses Python version 3 to run its scripts, including pretty printers, frame - decorators, filters, and unwinders. -
  • -
  • - The ARM and 64-bit ARM architectures have been improved with process execution record - and replay, including Thumb 32-bit and system call instructions. -
  • -
  • - GDB now supports the Scalable Vector Extension (SVE) on the 64-bit ARM architecture. -
  • -
  • - Support for Intel PKU register and Intel Processor Trace has been added. -
  • -
  • - Record and replay functionality has been extended to include the rdrand and rdseed instructions - on Intel based systems. -
  • -
  • - Functionality of GDB on the IBM Z architecture has been extended with support for - tracepoints and fast tracepoints, vector registers and ABI, and the Catch system call. Additionally, GDB now supports more recent - instructions of the architecture. -
  • -
  • - GDB can now use the SystemTap static user space probes (SDT) on the 64-bit ARM - architecture. -
  • -
-
-

- (BZ#1641022, BZ#1497096, BZ#1505346, BZ#1592332, BZ#1550502) -

-
-

glibc localization for RHEL is distributed - in multiple packages

-

- In RHEL 8, glibc locales and translations are no longer - provided by the single glibc-common package. Instead, every - locale and language is available in a glibc-langpack-CODE - package. Additionally, in most cases not all locales are installed by default, only these - selected in the installer. Users must install all further locale packages that they need - separately, or if they wish they can install glibc-all-langpacks to get the locales archive containing all the - glibc locales installed as before. -

-
-

- For more information, see Using - langpacks. -

-

- (BZ#1512009) -

-
-

GCC version 8.2

-

- In Red Hat Enterprise Linux 8, the GCC toolchain is based on the GCC 8.2 release series. - Notable changes include: -

-
-
-
    -
  • - Numerous general optimizations have been added, such as alias analysis, vectorizer - improvements, identical code folding, inter-procedural analysis, store merging - optimization pass, and others. -
  • -
  • - The Address Sanitizer has been improved. The Leak Sanitizer and Undefined Behavior - Sanitizer have been added. -
  • -
  • - Debug information can now be produced in the DWARF5 format. This capability is - experimental. -
  • -
  • - The source code coverage analysis tool GCOV has been extended with various improvements. -
  • -
  • - New warnings and improved diagnostics have been added for static detection of more - programming errors. -
  • -
  • - GCC has been extended to provide tools to ensure additional hardening of the generated - code. Improvements related to security include built-ins for overflow checking, - additional protection against stack clash, checking target addresses of control-flow - instructions, warnings for bounded string manipulation functions, and warnings to detect - out-of-bounds array indices. -
  • -
-
-

- Improvements to architecture and processor support include: -

-
-
    -
  • - Multiple new architecture-specific options for the Intel AVX-512 architecture, a number - of its microarchitectures, and Intel Software Guard Extensions (SGX) have been added. -
  • -
  • - Code generation can now target the 64-bit ARM architecture LSE extensions, ARMv8.2-A - 16-bit Floating-Point Extensions (FPE), and ARMv8.2-A, ARMv8.3-A, and ARMv8.4-A - architecture versions. -
  • -
  • - Support for the z13 and z14 processors of the IBM Z architecture has been added. -
  • -
-
-

- Notable changes related to languages and standards include: -

-
-
    -
  • - The default standard used when compiling code in the C language has changed to C17 with - GNU extensions. -
  • -
  • - The default standard used when compiling code in the C++ language has changed to C++14 - with GNU extensions. -
  • -
  • - The C++ runtime library now supports the C++11 and C++14 standards. -
  • -
  • - The C++ compiler now implements the C++14 standard. -
  • -
  • - Support for the C language standard C11 has been improved. -
  • -
  • - The new __auto_type GNU C extension provides a subset of - the functionality of C++11 auto keyword in the C language. -
  • -
  • - The _FloatN and _FloatNx type - names specified by the ISO/IEC TS 18661-3:2015 standard are now recognized by the C - front end. -
  • -
  • - Passing an empty class as an argument now takes up no space on the Intel 64 and AMD64 - architectures, as required by the platform ABI. -
  • -
  • - The value returned by the C++11 alignof operator has been - corrected to match the C _Alignof operator and return - minimum alignment. To find the preferred alignment, use the GNU extension __alignof__. -
  • -
  • - The main version of the libgfortran library for Fortran - language code has been changed to 5. -
  • -
  • - Support for the Ada (GNAT), GCC Go, and Objective C/C++ languages has been removed. Use - the Go Toolset for Go code development. -
  • -
-
-

- (JIRA:RHELPLAN-7437, BZ#1512593, BZ#1512378) -

-
-

The Go cryptographic library FIPS mode now honors system - settings

-

- Previously, the Go standard cryptographic library always used its FIPS mode unless it was - explicitly disabled at build time of the application using the library. As a consequence, - users of Go-based applications could not control whether the FIPS mode was used. With this - change, the library does not default to FIPS mode when the system is not configured in FIPS - mode. As a result, users of Go-based applications on RHEL systems have more control over the - use of the FIPS mode of the Go cryptographic library. -

-
-

- (BZ#1633351) -

-
-

strace updated to version 4.24 -

-

- Red Hat Enterprise Linux 8 is distributed with the strace tool - version 4.24. Notable changes include: -

-
-
-
    -
  • - System call tampering features have been added with the -e inject= option. This includes injection of errors, return - values, delays, and signals. -
  • -
  • -

    - System call qualification syntax has been improved: -

    -
    -
      -
    • - The -e trace=/regex option has been added to - filter system calls with regular expressions. -
    • -
    • - Prepending a question mark to a system call qualification in the -e trace= option lets strace continue, even if the qualification does - not match any system call. -
    • -
    • - Personality designation has been added to system call qualifications in the - -e trace option. -
    • -
    -
    -
  • -
  • - Decoding of kvm vcpu exit reason has been added. To do so, - use the -e kvm=vcpu option. -
  • -
  • - The libdw library from elfutils is now used for stack unwinding when the -k option is used. Additionally, symbol demangling is - performed using the libiberty library. -
  • -
  • - Previously, the -r option caused strace to ignore the -t option. - This has been fixed, and the two options are now independent. -
  • -
  • - The -A option has been added for opening output files in - append mode. -
  • -
  • - The -X option has been added for configuring xlat output formatting. -
  • -
  • - Decoding of socket addresses with the -yy option has been - improved. Additionally, block and character device number printing in -yy mode has been added. -
  • -
  • - It is now possible to trace both 64-bit and 32-bit binaries with a single strace tool on the IBM Z architecture. As a consequence, the - separate strace32 package no longer exists in RHEL 8. -
  • -
-
-

- Additionally, decoding of the following items has been added, improved or updated: -

-
-
    -
  • - netlink protocols, messages and attributes -
  • -
  • - arch_prctl, bpf, getsockopt, io_pgetevent, keyctl, prctl, pkey_alloc, pkey_free, pkey_mprotect, ptrace, rseq, setsockopt, socket, statx and other system - calls -
  • -
  • - Multiple commands for the ioctl system call -
  • -
  • - Constants of various types -
  • -
  • - Path tracing for execveat, inotify_add_watch, inotify_init, - select, symlink, symlinkat system calls and mmap - system calls with indirect arguments -
  • -
  • - Lists of signal codes -
  • -
-
-

- (BZ#1641014) -

-
-

Compiler toolsets in RHEL 8

-

- RHEL 8.0 provides the following compiler toolsets as Application Streams: -

-
-
-
    -
  • - Clang and LLVM Toolset 7.0.1, which provides the LLVM compiler infrastructure framework, - the Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for - code analysis. See the Using - Clang and LLVM Toolset document. -
  • -
  • - Rust Toolset 1.31, which provides the Rust programming language compiler rustc, the cargo build tool and - dependency manager, the cargo-vendor plugin, and required - libraries. See the Using - Rust Toolset document. -
  • -
  • - Go Toolset 1.11.5, which provides the Go programming language tools and libraries. Go is - alternatively known as golang. See the Using - Go Toolset document. -
  • -
-
-

- (BZ#1695698, - BZ#1613515, BZ#1613516, BZ#1613518) -

-
-

Java implementations and Java tools in RHEL 8

-

- The RHEL 8 AppStream repository includes: -

-
-
-
    -
  • - The java-11-openjdk packages, which provide the OpenJDK 11 - Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
  • -
  • - The java-1.8.0-openjdk packages, which provide the OpenJDK - 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. -
  • -
  • - The icedtea-web packages, which provide an implementation - of Java Web Start. -
  • -
  • - The ant module, providing a Java library and command-line - tool for compiling, assembling, testing, and running Java applications. Ant has been updated to version 1.10. -
  • -
  • - The maven module, providing a software project management - and comprehension tool. Maven was previously available only - as a Software Collection or in the unsupported Optional channel. -
  • -
  • - The scala module, providing a general purpose programming - language for the Java platform. Scala was previously - available only as a Software Collection. -
  • -
-
-

- In addition, the java-1.8.0-ibm packages are distributed through - the Supplementary repository. Note that packages in this repository are unsupported by Red Hat. -

-

- (BZ#1699535) -

-
-

C++ ABI change in std::string and std::list

-

- The Application Binary Interface (ABI) of the std::string and - std::list classes from the libstdc++ library changed between RHEL 7 (GCC 4.8) and RHEL 8 - (GCC 8) to conform to the C++11 standard. The libstdc++ library - supports both the old and new ABI, but some other C++ system libraries do not. As a - consequence, applications that dynamically link against these libraries will need to be - rebuilt. This affects all C++ standard modes, including C++98. It also affects applications - built with Red Hat Developer Toolset compilers for RHEL 7, which kept the old ABI to - maintain compatibility with the system libraries. -

-
-

- (BZ#1704867) -

-
-
-
-
-
-

5.1.12. File systems and storage

-
-
-
-
-

Support for Data Integrity Field/Data Integrity Extension - (DIF/DIX)

-

- DIF/DIX is supported on configurations where the hardware vendor has qualified it and - provides full support for the particular host bus adapter (HBA) and storage array - configuration on RHEL. -

-
-

- DIF/DIX is not supported on the following configurations: -

-
-
    -
  • - It is not supported for use on the boot device. -
  • -
  • - It is not supported on virtualized guests. -
  • -
  • - Red Hat does not support using the Automatic Storage Management library (ASMLib) when - DIF/DIX is enabled. -
  • -
-
-

- DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and - including) the application. The method for activating the DIF on storage devices is - device-dependent. -

-

- For further information on the DIF/DIX feature, see What is DIF/DIX. -

-

- (BZ#1649493) -

-
-

XFS now supports shared copy-on-write data extents

-

- The XFS file system supports shared copy-on-write data extent functionality. This feature - enables two or more files to share a common set of data blocks. When either of the files - sharing common blocks changes, XFS breaks the link to common blocks and creates a new file. - This is similar to the copy-on-write (COW) functionality found in other file systems. -

-
-

- Shared copy-on-write data extents are: -

-
-
-
Fast
-
- Creating shared copies does not utilize disk I/O. -
-
Space-efficient
-
- Shared blocks do not consume additional disk space. -
-
Transparent
-
- Files sharing common blocks act like regular files. -
-
-
-

- Userspace utilities can use shared copy-on-write data extents for: -

-
-
    -
  • - Efficient file cloning, such as with the cp --reflink - command -
  • -
  • - Per-file snapshots -
  • -
-
-

- This functionality is also used by kernel subsystems such as Overlayfs and NFS for more - efficient operation. -

-

- Shared copy-on-write data extents are now enabled by default when creating an XFS file system, - starting with the xfsprogs package version 4.17.0-2.el8. -

-

- Note that Direct Access (DAX) devices currently do not support XFS with shared copy-on-write - data extents. To create an XFS file system without this feature, use the following command: -

-
# mkfs.xfs -m reflink=0 block-device
-

- Red Hat Enterprise Linux 7 can mount XFS file systems with shared copy-on-write data extents - only in the read-only mode. -

-

- (BZ#1494028) -

-
-

Maximum XFS file system size is 1024 TiB

-

- The maximum supported size of an XFS file system has been increased from 500 TiB to 1024 - TiB. -

-
-

- File systems larger than 500 TiB require that: -

-
-
    -
  • - the metadata CRC feature and the free inode btree feature are both enabled in the file - system format, and -
  • -
  • - the allocation group size is at least 512 GiB. -
  • -
-
-

- In RHEL 8, the mkfs.xfs utility creates file systems that meet - these requirements by default. -

-

- Growing a smaller file system that does not meet these requirements to a new size greater than - 500 TiB is not supported. -

-

- (BZ#1563617) -

-
-

ext4 file system now supports metadata checksum

-

- With this update, ext4 metadata is protected by checksums. This enables the file system to recognize the corrupt - metadata, which avoids damage and increases the file system resilience. -

-
-

- (BZ#1695584) -

-
-

VDO now supports all architectures

-

- Virtual Data Optimizer (VDO) is now available on all of the architectures supported by RHEL - 8. -

-
-

- For the list of supported architectures, see Chapter 2, Architectures. -

-

- (BZ#1534087) -

-
-

The BOOM boot manager simplifies the process of creating boot - entries

-

- BOOM is a boot manager for Linux systems that use boot loaders supporting the BootLoader - Specification for boot entry configuration. It enables flexible boot configuration and - simplifies the creation of new or modified boot entries: for example, to boot snapshot - images of the system created using LVM. -

-
-

- BOOM does not modify the existing boot loader configuration, and only inserts additional - entries. The existing configuration is maintained, and any distribution integration, such as - kernel installation and update scripts, continue to function as before. -

-

- BOOM has a simplified command-line interface (CLI) and API that ease the task of creating boot - entries. -

-

- (BZ#1649582) -

-
-

LUKS2 is now the default format for encrypting volumes

-

- In RHEL 8, the LUKS version 2 (LUKS2) format replaces the legacy LUKS (LUKS1) format. The - dm-crypt subsystem and the cryptsetup tool now uses LUKS2 as the default format for - encrypted volumes. LUKS2 provides encrypted volumes with metadata redundancy and - auto-recovery in case of a partial metadata corruption event. -

-
-

- Due to the internal flexible layout, LUKS2 is also an enabler of future features. It supports - auto-unlocking through the generic kernel-keyring token built in libcryptsetup that allow users unlocking of LUKS2 volumes using a - passphrase stored in the kernel-keyring retention service. -

-

- Other notable enhancements include: -

-
-
    -
  • - The protected key setup using the wrapped key cipher scheme. -
  • -
  • - Easier integration with Policy-Based Decryption (Clevis). -
  • -
  • - Up to 32 key slots - LUKS1 provides only 8 key slots. -
  • -
-
-

- For more details, see the cryptsetup(8) and cryptsetup-reencrypt(8) man pages. -

-

- (BZ#1564540) -

-
-

NVMe/FC is fully supported on Broadcom Emulex and Marvell Qlogic Fibre - Channel adapters

-

- The NVMe over Fibre Channel (NVMe/FC) transport type is now fully supported in Initiator - mode when used with Broadcom Emulex and Marvell Qlogic Fibre Channel 32Gbit adapters that - feature NVMe support. -

-
-

- NVMe over Fibre Channel is an additional fabric transport type for the Nonvolatile Memory - Express (NVMe) protocol, in addition to the Remote Direct Memory Access (RDMA) protocol that was - previously introduced in Red Hat Enterprise Linux. -

-

- Enabling NVMe/FC: -

-
-
    -
  • -

    - To enable NVMe/FC in the lpfc driver, edit the /etc/modprobe.d/lpfc.conf file and add the following - option: -

    -
    lpfc_enable_fc4_type=3
    -
  • -
  • -

    - To enable NVMe/FC in the qla2xxx driver, edit the /etc/modprobe.d/qla2xxx.conf file and add the following - option: -

    -
    qla2xxx.ql2xnvmeenable=1
    -
  • -
-
-

- Additional restrictions: -

-
-
    -
  • - Multipath is not supported with NVMe/FC. -
  • -
  • - NVMe clustering is not supported with NVMe/FC. -
  • -
  • - kdump is not supported with NVMe/FC. -
  • -
  • - Booting from Storage Area Network (SAN) NVMe/FC is not supported. -
  • -
-
-

- (BZ#1649497) -

-
-

New scan_lvs configuration - setting

-

- A new lvm.conf configuration file setting, scan_lvs, has been added and set to 0 by default. The new default - behavior stops LVM from looking for PVs that may exist on top of LVs; that is, it will not - scan active LVs for more PVs. The default setting also prevents LVM from creating PVs on top - of LVs. -

-
-

- Layering PVs on top of LVs can occur by way of VM images placed on top of LVs, in which case it - is not safe for the host to access the PVs. Avoiding this unsafe access is the primary reason - for the new default behavior. Also, in environments with many active LVs, the amount of device - scanning done by LVM can be significantly decreased. -

-

- The previous behavior can be restored by changing this setting to 1. -

-

- (BZ#1676598) -

-
-

New overrides section of the DM Multipath - configuration file

-

- The /etc/multipath.conf file now includes an overrides section that allows you to set a configuration value - for all of your devices. These attributes are used by DM Multipath for all devices unless - they are overwritten by the attributes specified in the multipaths section of the /etc/multipath.conf file for paths that contain the device. This - functionality replaces the all_devs parameter of the devices section of the configuration file, which is no longer - supported. -

-
-

- (BZ#1643294) -

-
-

Installing and booting from NVDIMM devices is now supported -

-

- Prior to this update, Nonvolatile Dual Inline Memory Module (NVDIMM) devices in any mode - were ignored by the installer. -

-
-

- With this update, kernel improvements to support NVDIMM devices provide improved system - performance capabilities and enhanced file system access for write-intensive applications like - database or analytic workloads, as well as reduced CPU overhead. -

-

- This update introduces support for: -

-
-
    -
  • - The use of NVDIMM devices for installation using the nvdimm - Kickstart command and the GUI, making it possible to install and boot from NVDIMM - devices in sector mode and reconfigure NVDIMM devices into sector mode during - installation. -
  • -
  • - The extension of Kickstart scripts for Anaconda with commands for handling - NVDIMM devices. -
  • -
  • - The ability of grub2, efibootmgr, and efivar system - components to handle and boot from NVDIMM devices. -
  • -
-
-

- (BZ#1499442) -

-
-

The detection of marginal paths in DM Multipath has been - improved

-

- The multipathd service now supports improved detection of - marginal paths. This helps multipath devices avoid paths that are likely to fail repeatedly, - and improves performance. Marginal paths are paths with persistent but intermittent I/O - errors. -

-
-

- The following options in the /etc/multipath.conf file control - marginal paths behavior: -

-
-
    -
  • - marginal_path_double_failed_time, -
  • -
  • - marginal_path_err_sample_time, -
  • -
  • - marginal_path_err_rate_threshold, and -
  • -
  • - marginal_path_err_recheck_gap_time. -
  • -
-
-

- DM Multipath disables a path and tests it with repeated I/O for the configured sample time if: -

-
-
    -
  • - the listed multipath.conf options are set, -
  • -
  • - a path fails twice in the configured time, and -
  • -
  • - other paths are available. -
  • -
-
-

- If the path has more than the configured err rate during this testing, DM Multipath ignores it - for the configured gap time, and then retests it to see if it is working well enough to be - reinstated. -

-

- For more information, see the multipath.conf man page. -

-

- (BZ#1643550) -

-
-

Multiqueue scheduling on block devices

-

- Block devices now use multiqueue scheduling in Red Hat Enterprise Linux 8. This enables the - block layer performance to scale well with fast solid-state drives (SSDs) and multi-core - systems. -

-
-

- The traditional schedulers, which were available in RHEL 7 and earlier versions, have been - removed. RHEL 8 supports only multiqueue schedulers. -

-

- (BZ#1647612) -

-
-
-
-
-
-

5.1.13. High availability and clusters

-
-
-
-
-

New pcs commands to list available - watchdog devices and test watchdog devices

-

- In order to configure SBD with Pacemaker, a functioning watchdog device is required. This - release supports the pcs stonith sbd watchdog list command to - list available watchdog devices on the local node, and the pcs stonith sbd watchdog test command to test a watchdog device. - For information on the sbd command line tool, see the sbd(8) man page. -

-
-

- (BZ#1578891) -

-
-

The pcs command now supports filtering - resource failures by an operation and its interval

-

- Pacemaker now tracks resource failures per a resource operation on top of a resource name, - and a node. The pcs resource failcount show command now allows - filtering failures by a resource, node, operation, and interval. It provides an option to - display failures aggregated per a resource and node or detailed per a resource, node, - operation, and its interval. Additionally, the pcs resource cleanup command now allows filtering failures by a - resource, node, operation, and interval. -

-
-

- (BZ#1591308) -

-
-

Timestamps enabled in corosync - log

-

- The corosync log did not previously contain timestamps, which - made it difficult to relate it to logs from other nodes and daemons. With this release, - timestamps are present in the corosync log. -

-
-

- (BZ#1615420) -

-
-

New formats for pcs cluster setup, pcs cluster node add and pcs cluster node remove commands

-

- In Red Hat Enterprise Linux 8, pcs fully supports Corosync 3, - knet, and node names. Node names are now required and replace - node addresses in the role of node identifier. Node addresses are now optional. -

-
-
-
    -
  • - In the pcs host auth command, node addresses default to - node names. -
  • -
  • - In the pcs cluster setup and pcs cluster node add commands, node addresses default to the - node addresses specified in the pcs host auth command. -
  • -
-
-

- With these changes, the formats for the commands to set up a cluster, add a node to a cluster, - and remove a node from a cluster have changed. For information on these new command formats, see - the help display for the pcs cluster setup, pcs cluster node add and pcs cluster node remove commands. -

-

- (BZ#1158816) -

-
-

New pcs commands

-

- Red Hat Enterprise Linux 8 introduces the following new commands. -

-
-
-
    -
  • - RHEL 8 introduces a new command, pcs cluster node add-guest | remove-guest, which replaces the - pcs cluster remote-node add | remove command in RHEL 7. -
  • -
  • - RHEL 8 introduces a new command, pcs quorum unblock, which - replaces the pcs cluster quorum unblock command in RHEL 7. -
  • -
  • - The pcs resource failcount reset command has been removed - as it duplicates the functionality of the pcs resource cleanup command. -
  • -
  • -

    - RHEL 8 introduces new commands which replace the pcs resource [show] command in RHEL 7: -

    -
    -
      -
    • - The pcs resource [status] command in RHEL 8 - replaces the pcs resource [show] command in - RHEL 7. -
    • -
    • - The pcs resource config command in RHEL 8 - replaces the pcs resource [show] --full command - in RHEL 7. -
    • -
    • - The pcs resource config resource id - command in RHEL 8 replaces the pcs resource show resource id - command in RHEL 7. -
    • -
    -
    -
  • -
  • -

    - RHEL 8 introduces new commands which replace the pcs stonith [show] command in RHEL 7: -

    -
    -
      -
    • - The pcs stonith [status] command in RHEL 8 - replaces the pcs stonith [show] command in RHEL - 7. -
    • -
    • - The pcs stonith config command in RHEL 8 - replaces the pcs stonith [show] --full command - in RHEL 7. -
    • -
    • - The pcs stonith config resource id - command in RHEL 8 replaces the pcs stonith show resource id - command in RHEL 7. -
    • -
    -
    -
  • -
-
-

- (BZ#1654280) -

-
-

Pacemaker 2.0.0 in RHEL 8

-

- The pacemaker packages have been upgraded to the upstream - version of Pacemaker 2.0.0, which provides a number of bug fixes and enhancements over the - previous version: -

-
-
-
    -
  • - The Pacemaker detail log is now /var/log/pacemaker/pacemaker.log by default (not directly in - /var/log or combined with the corosync log under /var/log/cluster). -
  • -
  • - The Pacemaker daemon processes have been renamed to make reading the logs more - intuitive. For example, pengine has been renamed to pacemaker-schedulerd. -
  • -
  • - Support for the deprecated default-resource-stickiness and - is-managed-default cluster properties has been dropped. The - resource-stickiness and is-managed properties should be set in resource defaults - instead. Existing configurations (though not newly created ones) with the deprecated - syntax will automatically be updated to use the supported syntax. -
  • -
  • - For a more complete list of changes, see Pacemaker 2.0 upgrade in Red Hat - Enterprise Linux 8. -
  • -
-
-

- It is recommended that users who are upgrading an existing cluster using Red Hat Enterprise - Linux 7 or earlier, run pcs cluster cib-upgrade on any cluster node - before and after upgrading RHEL on all cluster nodes. -

-

- (BZ#1543494) -

-
-

Master resources renamed to promotable clone resources

-

- Red Hat Enterprise Linux (RHEL) 8 supports Pacemaker 2.0, in which a master/slave resource - is no longer a separate type of resource but a standard clone resource with a promotable meta-attribute set to true. The following changes have been implemented in support of - this update: -

-
-
-
    -
  • - It is no longer possible to create master resources with the pcs command. Instead, it is possible to create promotable clone resources. Related keywords and commands - have been changed from master to promotable. -
  • -
  • - All existing master resources are displayed as promotable clone resources. -
  • -
  • - When managing a RHEL7 cluster in the Web UI, master resources are still called master, - as RHEL7 clusters do not support promotable clones. -
  • -
-
-

- (BZ#1542288) -

-
-

New commands for authenticating nodes in a cluster

-

- Red Hat Enterprise Linux (RHEL) 8 incorporates the following changes to the commands used to - authenticate nodes in a cluster. -

-
-
-
    -
  • - The new command for authentication is pcs host auth. This - command allows users to specify host names, addresses and pcsd ports. -
  • -
  • - The pcs cluster auth command authenticates only the nodes - in a local cluster and does not accept a node list -
  • -
  • - It is now possible to specify an address for each node. pcs/pcsd will then communicate - with each node using the specified address. These addresses can be different than the - ones corosync uses internally. -
  • -
  • - The pcs pcsd clear-auth command has been replaced by the - pcs pcsd deauth and pcs host deauth commands. The new commands allow users to - deauthenticate a single host as well as all hosts. -
  • -
  • - Previously, node authentication was bidirectional, and running the pcs cluster auth command caused all specified nodes to be - authenticated against each other. The pcs host auth - command, however, causes only the local host to be authenticated against the specified - nodes. This allows better control of what node is authenticated against what other nodes - when running this command. On cluster setup itself, and also when adding a node, pcs automatically synchronizes tokens on the cluster, so all - nodes in the cluster are still automatically authenticated as before and the cluster - nodes can communicate with each other. -
  • -
-
-

- Note that these changes are not backward compatible. Nodes that were authenticated on a RHEL 7 - system will need to be authenticated again. -

-

- (BZ#1549535) -

-
-

The pcs commands now support display, - cleanup, and synchronization of fencing history

-

- Pacemaker’s fence daemon tracks a history of all fence actions taken (pending, successful, - and failed). With this release, the pcs commands allow users to - access the fencing history in the following ways: -

-
-
-
    -
  • - The pcs status command shows failed and pending fencing - actions -
  • -
  • - The pcs status --full command shows the entire fencing - history -
  • -
  • - The pcs stonith history command provides options to display - and clean up fencing history -
  • -
  • - Although fencing history is synchronized automatically, the pcs stonith history command now supports an update option that allows a user to manually synchronize - fencing history should that be necessary -
  • -
-
-

- (BZ#1620190, BZ#1615891) -

-
-
-
-
-
-

5.1.14. Networking

-
-
-
-
-

nftables replaces iptables as the default network packet filtering - framework

-

- The nftables framework provides packet classification - facilities and it is the designated successor to the iptables, - ip6tables, arptables, and ebtables tools. It offers numerous improvements in convenience, - features, and performance over previous packet-filtering tools, most notably: -

-
-
-
    -
  • - lookup tables instead of linear processing -
  • -
  • - a single framework for both the IPv4 and IPv6 protocols -
  • -
  • - rules all applied atomically instead of fetching, updating, and storing a complete - ruleset -
  • -
  • - support for debugging and tracing in the ruleset (nftrace) - and monitoring trace events (in the nft tool) -
  • -
  • - more consistent and compact syntax, no protocol-specific extensions -
  • -
  • - a Netlink API for third-party applications -
  • -
-
-

- Similarly to iptables, nftables use - tables for storing chains. The chains contain individual rules for performing actions. The nft tool replaces all tools from the previous packet-filtering - frameworks. The libnftables library can be used for low-level - interaction with nftables Netlink API over the libmnl library. -

-

- The iptables, ip6tables, ebtables and arptables tools are - replaced by nftables-based drop-in replacements with the same name. While external behavior is - identical to their legacy counterparts, internally they use nftables with legacy netfilter kernel - modules through a compatibility interface where required. -

-

- Effect of the modules on the nftables ruleset can be observed using - the nft list ruleset command. Since these tools add tables, chains, - and rules to the nftables ruleset, be aware that nftables rule-set operations, such as the nft flush ruleset command, might affect rule sets installed using the - formerly separate legacy commands. -

-

- To quickly identify which variant of the tool is present, version information has been updated - to include the back-end name. In RHEL 8, the nftables-based iptables tool prints the following version string: -

-
$ iptables --version
-iptables v1.8.0 (nf_tables)
-

- For comparison, the following version information is printed if legacy iptables tool is present: -

-
$ iptables --version
-iptables v1.8.0 (legacy)
-

- (BZ#1644030) -

-
-

Notable TCP features in RHEL 8

-

- Red Hat Enterprise Linux 8 is distributed with TCP networking stack version 4.18, which - provides higher performances, better scalability, and more stability. Performances are - boosted especially for busy TCP server with a high ingress connection rate. -

-
-

- Additionally, two new TCP congestion algorithms, BBR and NV, are available, offering lower latency, and better throughput than - cubic in most scenarios. -

-

- (BZ#1562998) -

-
-

firewalld uses nftables by default

-

- With this update, the nftables filtering subsystem is the - default firewall backend for the firewalld daemon. To change - the backend, use the FirewallBackend option in the /etc/firewalld/firewalld.conf file. -

-
-

- This change introduces the following differences in behavior when using nftables: -

-
-
    -
  1. -

    - iptables rule executions always occur before firewalld rules -

    -
    -
      -
    • - DROP in iptables - means a packet is never seen by firewalld -
    • -
    • - ACCEPT in iptables - means a packet is still subject to firewalld - rules -
    • -
    -
    -
  2. -
  3. - firewalld direct rules are still implemented through iptables while other firewalld - features use nftables -
  4. -
  5. - direct rule execution occurs before firewalld generic - acceptance of established connections -
  6. -
-
-

- (BZ#1509026) -

-
-

Notable change in wpa_supplicant - in RHEL 8

-

- In Red Hat Enterprise Linux (RHEL) 8, the wpa_supplicant package is built with CONFIG_DEBUG_SYSLOG enabled. This allows reading the wpa_supplicant log using the journalctl utility instead of checking the contents of the /var/log/wpa_supplicant.log file. -

-
-

- (BZ#1582538) -

-
-

NetworkManager now - supports SR-IOV virtual functions

-

- In Red Hat Enterprise Linux 8.0, NetworkManager allows configuring the - number of virtual functions (VF) for interfaces that support single-root I/O virtualization - (SR-IOV). Additionally, NetworkManager - allows configuring some attributes of the VFs, such as the MAC address, VLAN, the spoof checking setting and allowed bitrates. Note that all - properties related to SR-IOV are available in the sriov - connection setting. For more details, see the nm-settings(5) - man page. -

-
-

- (BZ#1555013) -

-
-

IPVLAN virtual network drivers are now supported

-

- In Red Hat Enterprise Linux 8.0, the kernel includes support for IPVLAN virtual network - drivers. With this update, IPVLAN virtual Network Interface Cards (NICs) enable the network - connectivity for multiple containers exposing a single MAC address to the local network. - This allows a single host to have a lot of containers overcoming the possible limitation on - the number of MAC addresses supported by the peer networking equipment. -

-
-

- (BZ#1261167) -

-
-

NetworkManager - supports a wildcard interface name match for connections

-

- Previously, it was possible to restrict a connection to a given interface using only an - exact match on the interface name. With this update, connections have a new match.interface-name property which supports wildcards. This - update enables users to choose the interface for a connection in a more flexible way using a - wildcard pattern. -

-
-

- (BZ#1555012) -

-
-

Improvements in the networking stack 4.18

-

- Red Hat Enterprise Linux 8.0 includes the networking stack upgraded to upstream version - 4.18, which provides several bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Introduced new offload features, such as UDP_GSO, and, for - some device drivers, GRO_HW. -
  • -
  • - Improved significant scalability for the User Datagram Protocol (UDP). -
  • -
  • - Improved the generic busy polling code. -
  • -
  • - Improved scalability for the IPv6 protocol. -
  • -
  • - Improved scalability for the routing code. -
  • -
  • - Added a new default transmit queue scheduling algorithm,fq_codel, which improves a transmission delay. -
  • -
  • - Improved scalability for some transmit queue scheduling algorithms. For example, pfifo_fast is now lockless. -
  • -
  • - Improved scalability of the IP reassembly unit by removing the garbage collection kernel - thread and ip fragments expire only on timeout. As a result, CPU usage under DoS is much - lower, and the maximum sustainable fragments drop rate is limited by the amount of - memory configured for the IP reassembly unit. -
  • -
-
-

- (BZ#1562987) -

-
-

New tools to convert iptables to nftables

-

- This update adds the iptables-translate and ip6tables-translate tools to convert the existing iptables or ip6tables rules into the - equivalent ones for nftables. Note that some extensions lack - translation support. If such an extension exists, the tool prints the untranslated rule - prefixed with the # sign. For example: -

-
-
| % iptables-translate -A INPUT -j CHECKSUM --checksum-fill
-| nft # -A INPUT -j CHECKSUM --checksum-fill
-

- Additionally, users can use the iptables-restore-translate and - ip6tables-restore-translate tools to translate a dump of rules. - Note that before that, users can use the iptables-save or ip6tables-save commands to print a dump of current rules. For - example: -

-
| % sudo iptables-save >/tmp/iptables.dump
-| % iptables-restore-translate -f /tmp/iptables.dump
-| # Translated by iptables-restore-translate v1.8.0 on Wed Oct 17 17:00:13 2018
-| add table ip nat
-| ...
-

- (BZ#1564596) -

-
-

New features added to VPN using NetworkManager

-

- In Red Hat Enterprise Linux 8.0, NetworkManager provides the following new - features to VPN: -

-
-
-
    -
  • - Support for the Internet Key Exchange version 2 (IKEv2) protocol. -
  • -
  • - Added some more Libreswan options, - such as the rightid, leftcert, - narrowing, rekey, fragmentation options. For more details on the supported - options, see the nm-settings-libreswan man page. -
  • -
  • - Updated the default ciphers. This means that when the user does not specify the ciphers, - the NetworkManager-libreswan plugin - allows the Libreswan application to - choose the system default cipher. The only exception is when the user selects an IKEv1 - aggressive mode configuration. In this case, the ike = aes256-sha1;modp1536 and eps = aes256-sha1 values are passed to Libreswan. -
  • -
-
-

- (BZ#1557035) -

-
-

A new data chunk type, I-DATA, added to - SCTP

-

- This update adds a new data chunk type, I-DATA, and stream - schedulers to the Stream Control Transmission Protocol (SCTP). Previously, SCTP sent user - messages in the same order as they were sent by a user. Consequently, a large SCTP user - message blocked all other messages in any stream until completely sent. When using I-DATA chunks, the Transmission Sequence Number (TSN) field is - not overloaded. As a result, SCTP now can schedule the streams in different ways, and I-DATA allows user messages interleaving (RFC 8260). Note that - both peers must support the I-DATA chunk type. -

-
-

- (BZ#1273139) -

-
-

NetworkManager supports configuring ethtool offload features

-

- With this enhancement, NetworkManager supports configuring - ethtool offload features, and users no longer need to use init - scripts or a NetworkManager dispatcher script. As a result, - users can now configure the offload feature as a part of the connection profile using one of - the following methods: -

-
-
-
    -
  • - By using the nmcli utility -
  • -
  • - By editing key files in the /etc/NetworkManager/system-connections/ directory -
  • -
  • - By editing the /etc/sysconfig/network-scripts/ifcfg-* files -
  • -
-
-

- Note that this feature is currently not supported in graphical interfaces and in the nmtui utility. -

-

- (BZ#1335409) -

-
-

TCP BBR support in RHEL 8

-

- A new TCP congestion control algorithm, Bottleneck Bandwidth and Round-trip time (BBR) is - now supported in Red Hat Enterprise Linux (RHEL) 8. BBR attempts to determine the bandwidth - of the bottleneck link and the Round-trip time (RTT). Most congestion algorithms are based - on packet loss (including CUBIC, the default Linux TCP congestion control algorithm), which - have problems on high-throughput links. BBR does not react to loss events directly, it - adjusts the TCP pacing rate to match it with the available bandwidth. Users of TCP BBR - should switch to the fq queueing setting on all the involved - interfaces. -

-
-

- Note that users should explicitly use fq and not fq_codel. -

-

- For more details, see the tc-fq man page. -

-

- (BZ#1515987) -

-
-

lksctp-tools, version 1.0.18 in RHEL - 8

-

- The lksctp-tools package, version 3.28 is available in Red Hat - Enterprise Linux (RHEL) 8. Notable enhancements and bug fixes include: -

-
-
-
    -
  • - Integration with Travis CI and Coverity Scan -
  • -
  • - Support for the sctp_peeloff_flags function -
  • -
  • - Indication of which kernel features are available -
  • -
  • - Fixes on Coverity Scan issues -
  • -
-
-

- (BZ#1568622) -

-
-

Blacklisting SCTP module by default in RHEL 8

-

- To increase security, a set of kernel modules have been moved to the kernel-modules-extra package. These are not installed by default. - As a consequence, non-root users cannot load these components as they are blacklisted by - default. To use one of these kernel modules, the system administrator must install kernel-modules-extra and explicitly remove the module blacklist. - As a result, non-root users will be able to load the software component automatically. -

-
-

- (BZ#1642795) -

-
-

Notable changes in driverctl - 0.101

-

- Red Hat Enterprise Linux 8.0 is distributed with driverctl - 0.101. This version includes the following bug fixes: -

-
-
-
    -
  • - The shellcheck warnings have been fixed. -
  • -
  • - The bash-completion is installed as driverctl instead of - driverctl-bash-completion.sh. -
  • -
  • - The load_override function for non-PCI buses has been - fixed. -
  • -
  • - The driverctl service loads all overrides before it reaches - the basic.target systemd target. -
  • -
-
-

- (BZ#1648411) -

-
-

Added rich rules priorities to firewalld

-

- The priority option has been added to rich rules. This allows - users to define the desirable priority order during the rule execution and provides more - advanced control over rich rules. -

-
-

- (BZ#1648497) -

-
-

NVMe over RDMA is supported in RHEL 8

-

- In Red Hat Enterprise Linux (RHEL) 8, Nonvolatile Memory Express (NVMe) over Remote Direct - Memory Access (RDMA) supports Infiniband, RoCEv2, and iWARP only in initiator mode. -

-
-

- Note that Multipath is supported in failover mode only. -

-

- Additional restrictions: -

-
-
    -
  • - Kdump is not supported with NVMe/RDMA. -
  • -
  • - Booting from NVMe device over RDMA is not supported. -
  • -
-
-

- (BZ#1680177) -

-
-

The nf_tables back end does not support - debugging using dmesg

-

- Red Hat Enterprise Linux 8.0 uses the nf_tables back end for - firewalls that does not support debugging the firewall using the output of the dmesg utility. To debug firewall rules, use the xtables-monitor -t or nft monitor trace commands to decode rule evaluation events. -

-
-

- (BZ#1645744) -

-
-

Red Hat Enterprise Linux supports VRF

-

- The kernel in RHEL 8.0 supports virtual routing and forwarding (VRF). VRF devices, combined - with rules set using the ip utility, enable administrators to - create VRF domains in the Linux network stack. These domains isolate the traffic on layer 3 - and, therefore, the administrator can create different routing tables and reuse the same IP - addresses within different VRF domains on one host. -

-
-

- (BZ#1440031) -

-
-

iproute, version 4.18 in RHEL 8 -

-

- The iproute package is distributed with the version 4.18 in Red - Hat Enterprise Linux (RHEL) 8. The most notable change is that the interface alias marked as - ethX:Y, such as eth0:1, is no longer supported. To work around this problem, users should - remove the alias suffix, which is the colon and the following number before entering ip link show. -

-
-

- (BZ#1589317) -

-
-
-
-
-
-

5.1.15. Security

-
-
-
-
-

SWID tag of the RHEL 8.0 release

-

- To enable identification of RHEL 8.0 installations using the ISO/IEC 19770-2:2015 mechanism, - software identification (SWID) tags are installed in files /usr/lib/swidtag/redhat.com/com.redhat.RHEL-8-<architecture>.swidtag - and /usr/lib/swidtag/redhat.com/com.redhat.RHEL-8.0-<architecture>.swidtag. - The parent directory of these tags can also be found by following the /etc/swid/swidtags.d/redhat.com symbolic link. -

-
-

- The XML signature of the SWID tag files can be verified using the xmlsec1 verify command, for example: -

-
xmlsec1 verify --trusted-pem /etc/pki/swid/CA/redhat.com/redhatcodesignca.cert /usr/share/redhat.com/com.redhat.RHEL-8-x86_64.swidtag
-

- The certificate of the code signing certification authority can also be obtained from the Product Signing Keys - page on the Customer Portal. -

-

- (BZ#1636338) -

-
-

System-wide cryptographic policies are applied by default

-

- Crypto-policies is a component in Red Hat Enterprise Linux 8, which configures the core - cryptographic subsystems, covering the TLS, IPsec, DNSSEC, Kerberos, and SSH protocols. It - provides a small set of policies, which the administrator can select using the update-crypto-policies command. -

-
-

- The DEFAULT system-wide cryptographic policy offers secure settings - for current threat models. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and - SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if larger than 2047 - bits. -

-

- See the Consistent - security by crypto policies in Red Hat Enterprise Linux 8 article on the Red Hat Blog - and the update-crypto-policies(8) man page for more information. -

-

- (BZ#1591620) -

-
-

OpenSSH rebased to - version 7.8p1

-

- The openssh packages have been upgraded to upstream version - 7.8p1. Notable changes include: -

-
-
-
    -
  • - Removed support for the SSH version 1 protocol. -
  • -
  • - Removed support for the hmac-ripemd160 message - authentication code. -
  • -
  • - Removed support for RC4 (arcfour) ciphers. -
  • -
  • - Removed support for Blowfish ciphers. -
  • -
  • - Removed support for CAST ciphers. -
  • -
  • - Changed the default value of the UseDNS option to no. -
  • -
  • - Disabled DSA public key algorithms by default. -
  • -
  • - Changed the minimal modulus size for Diffie-Hellman - parameters to 2048 bits. -
  • -
  • - Changed semantics of the ExposeAuthInfo configuration - option. -
  • -
  • - The UsePrivilegeSeparation=sandbox option is now mandatory - and cannot be disabled. -
  • -
  • - Set the minimal accepted RSA key size to 1024 bits. -
  • -
-
-

- (BZ#1622511) -

-
-

The automatic OpenSSH server keys - generation is now handled by sshd-keygen@.service -

-

- OpenSSH creates RSA, ECDSA, and ED25519 server host keys - automatically if they are missing. To configure the host key creation in RHEL 8, use the - sshd-keygen@.service instantiated service. -

-
-

- For example, to disable the automatic creation of the RSA key type: -

-
# systemctl mask sshd-keygen@rsa.service
-

- See the /etc/sysconfig/sshd file for more information. -

-

- (BZ#1228088) -

-
-

ECDSA keys are supported for SSH authentication

-

- This release of the OpenSSH suite introduces support for ECDSA - keys stored on PKCS #11 smart cards. As a result, users can now use both RSA and ECDSA keys - for SSH authentication. -

-
-

- (BZ#1645038) -

-
-

libssh implements SSH as a core - cryptographic component

-

- This change introduces libssh as a core cryptographic component - in Red Hat Enterprise Linux 8. The libssh library implements - the Secure Shell (SSH) protocol. -

-
-

- Note that the client side of libssh follows the configuration set - for OpenSSH through system-wide crypto policies, but the - configuration of the server side cannot be changed through system-wide crypto policies. -

-

- (BZ#1485241) -

-
-

TLS 1.3 support in cryptographic libraries

-

- This update enables Transport Layer Security (TLS) 1.3 by default in all major back-end - crypto libraries. This enables low latency across the operating system communications layer - and enhances privacy and security for applications by taking advantage of new algorithms, - such as RSA-PSS or X25519. -

-
-

- (BZ#1516728) -

-
-

NSS now use SQL by default

-

- The Network Security Services (NSS) libraries now use the SQL file format for the trust - database by default. The DBM file format, which was used as a default database format in - previous releases, does not support concurrent access to the same database by multiple - processes and it has been deprecated in upstream. As a result, applications that use the NSS - trust database to store keys, certificates, and revocation information now create databases - in the SQL format by default. Attempts to create databases in the legacy DBM format fail. - The existing DBM databases are opened in read-only mode, and they are automatically - converted to the SQL format. Note that NSS support the SQL file format since Red Hat - Enterprise Linux 6. -

-
-

- (BZ#1489094) -

-
-

PKCS #11 support for smart cards and HSMs is now consistent across the - system

-

- With this update, using smart cards and Hardware Security Modules (HSM) with PKCS #11 - cryptographic token interface becomes consistent. This means that the user and the - administrator can use the same syntax for all related tools in the system. Notable - enhancements include: -

-
-
-
    -
  • - Support for the PKCS #11 Uniform Resource Identifier (URI) scheme that ensures a - simplified enablement of tokens on RHEL servers both for administrators and application - writers. -
  • -
  • - A system-wide registration method for smart cards and HSMs using the pkcs11.conf. -
  • -
  • - Consistent support for HSMs and smart cards is available in NSS, GnuTLS, and OpenSSL - (through the openssl-pkcs11 engine) applications. -
  • -
  • - The Apache HTTP server (httpd) now seamlessly supports - HSMs. -
  • -
-
-

- For more information, see the pkcs11.conf(5) man page. -

-

- (BZ#1516741) -

-
-

Firefox now works with system-wide registered PKCS #11 drivers -

-

- The Firefox web browser automatically loads the p11-kit-proxy - module and every smart card that is registered system-wide in p11-kit through the pkcs11.conf file - is automatically detected. For using TLS client authentication, no additional setup is - required and keys from a smart card are automatically used when a server requests them. -

-
-

- (BZ#1595638) -

-
-

RSA-PSS is now supported in OpenSC

-

- This update adds support for the RSA-PSS cryptographic signature scheme to the OpenSC smart card driver. The new scheme enables a secure - cryptographic algorithm required for the TLS 1.3 support in the client software. -

-
-

- (BZ#1595626) -

-
-

Notable changes in Libreswan in RHEL - 8

-

- The libreswan packages have been upgraded to upstream version - 3.27, which provides many bug fixes and enhancements over the previous versions. Most - notable changes include: -

-
-
-
    -
  • - Support for RSA-PSS (RFC 7427) through authby=rsa-sha2, - ECDSA (RFC 7427) through authby=ecdsa-sha2, CURVE25519 - using the dh31 keyword, and CHACHA20-POLY1305 for IKE and - ESP through the chacha20_poly1305 encryption keyword has - been added for the IKEv2 protocol. -
  • -
  • - Support for the alternative KLIPS kernel module has been removed from Libreswan, as upstream has deprecated KLIPS entirely. -
  • -
  • - The Diffie-Hellman groups DH22, DH23, and DH24 are no longer supported (as per RFC - 8247). -
  • -
-
-

- Note that the authby=rsasig has been changed to always use the RSA - v1.5 method, and the authby=rsa-sha2 option uses the RSASSA-PSS - method. The authby=rsa-sha1 option is not valid as per RFC 8247. - That is the reason Libreswan no longer supports SHA-1 with digital - signatures. -

-

- (BZ#1566574) -

-
-

System-wide cryptographic policies change the default IKE version in - Libreswan to IKEv2

-

- The default IKE version in the Libreswan IPsec implementation has been changed from IKEv1 - (RFC 2409) to IKEv2 (RFC 7296). The default IKE and ESP/AH algorithms for use with IPsec - have been updated to comply with system-wide crypto policies, RFC 8221, and RFC 8247. - Encryption key sizes of 256 bits are now preferred over key sizes of 128 bits. -

-
-

- The default IKE and ESP/AH ciphers now include AES-GCM, CHACHA20POLY1305, and AES-CBC for - encryption. For integrity checking, they provide AEAD and SHA-2. The Diffie-Hellman groups now - contain DH19, DH20, DH21, DH14, DH15, DH16, and DH18. -

-

- The following algorithms have been removed from the default IKE and ESP/AH policies: AES_CTR, - 3DES, SHA1, DH2, DH5, DH22, DH23, and DH24. With the exceptions of DH22, DH23, and DH24, these - algorithms can be enabled by the ike= or phase2alg=/esp=/ah= option in IPsec configuration files. -

-

- To configure IPsec VPN connections that still require the IKEv1 protocol, add the ikev2=no option to connection configuration files. See the ipsec.conf(5) man page for more information. -

-

- (BZ#1645606) -

-
-

IKE version-related changes in Libreswan

-

- With this enhancement, Libreswan handles internet key exchange (IKE) settings differently: -

-
-
-
    -
  • - The default internet key exchange (IKE) version has been changed from 1 to 2. -
  • -
  • - Connections can now either use the IKEv1 or IKEv2 protocol, but not both. -
  • -
  • -

    - The interpretation of the ikev2 option has been - changed: -

    -
    -
      -
    • - The values insist is interpreted as IKEv2-only. -
    • -
    • - The values no and never are interpreted as IKEv1-only. -
    • -
    • - The values propose, yes and, permit are - no longer valid and result in an error, because it was not clear which IKE - versions resulted from these values -
    • -
    -
    -
  • -
-
-

- (BZ#1648776) -

-
-

New features in OpenSCAP in RHEL - 8

-

- The OpenSCAP suite has been upgraded to upstream version 1.3.0, - which introduces many enhancements over the previous versions. The most notable features - include: -

-
-
-
    -
  • - API and ABI have been consolidated - updated, deprecated and/or unused symbols have been - removed. -
  • -
  • - The probes are not run as independent processes, but as threads within the oscap process. -
  • -
  • - The command-line interface has been updated. -
  • -
  • - Python 2 bindings have been replaced with Python 3 bindings. -
  • -
-
-

- (BZ#1614273) -

-
-

SCAP Security Guide now supports - system-wide cryptographic policies

-

- The scap-security-guide packages have been updated to use - predefined system-wide cryptographic policies for configuring the core cryptographic - subsystems. The security content that conflicted with or overrode the system-wide - cryptographic policies has been removed. -

-
-

- Note that this change applies only on the security content in scap-security-guide, and you do not need to update the OpenSCAP - scanner or other SCAP components. -

-

- (BZ#1618505) -

-
-

OpenSCAP command-line interface has been improved

-

- The verbose mode is now available in all oscap modules and - submodules. The tool output has improved formatting. -

-
-

- Deprecated options have been removed to improve the usability of the command-line interface. -

-

- The following options are no longer available: -

-
-
    -
  • - --show in oscap xccdf generate report has been completely removed. -
  • -
  • - --probe-root in oscap oval eval has been removed. It can be replaced by - setting the environment variable, OSCAP_PROBE_ROOT. -
  • -
  • - --sce-results in oscap xccdf eval has been replaced by --check-engine-results -
  • -
  • - validate-xml submodule has been dropped from CPE, OVAL, and - XCCDF modules. validate submodules can be used instead to - validate SCAP content against XML schemas and XSD schematrons. -
  • -
  • - oscap oval list-probes command has been removed, the list - of available probes can be displayed using oscap --version - instead. -
  • -
-
-

- OpenSCAP allows to evaluate all rules in a given XCCDF benchmark regardless of the profile by - using --profile '(all)'. -

-

- (BZ#1618484) -

-
-

SCAP Security Guide PCI-DSS profile aligns with version 3.2.1 -

-

- The scap-security-guide packages provide the PCI-DSS (Payment - Card Industry Data Security Standard) profile for Red Hat Enterprise Linux 8 and this - profile has been updated to align with the latest PCI-DSS version - 3.2.1. -

-
-

- (BZ#1618528) -

-
-

SCAP Security Guide supports OSPP 4.2

-

- The scap-security-guide packages provide a draft of the OSPP - (Protection Profile for General Purpose Operating Systems) profile version 4.2 for Red Hat - Enterprise Linux 8. This profile reflects mandatory configuration controls identified in the - NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems - (Protection Profile Version 4.2). SCAP Security Guide provides automated checks and scripts - that help users to meet requirements defined in the OSPP. -

-
-

- (BZ#1618518) -

-
-

Notable changes in rsyslog in RHEL - 8

-

- The rsyslog packages have been upgraded to upstream version - 8.37.0, which provides many bug fixes and enhancements over the previous versions. Most - notable changes include: -

-
-
-
    -
  • - Enhanced processing of rsyslog - internal messages; possibility of rate-limiting them; fixed possible deadlock. -
  • -
  • - Enhanced rate-limiting in general; the actual spam - source is now logged. -
  • -
  • - Improved handling of oversized messages - the user can now set how to treat them both in - the core and in certain modules with separate actions. -
  • -
  • - mmnormalize rule bases can now be embedded in the config file instead of creating separate files for them. -
  • -
  • - All config variables, including variables in JSON, are now - case-insensitive. -
  • -
  • - Various improvements of PostgreSQL output. -
  • -
  • - Added a possibility to use shell variables to control config processing, such as conditional loading of additional - configuration files, executing statements, or including a text in config. Note that an excessive use of this feature can make - it very hard to debug problems with rsyslog. -
  • -
  • - 4-digit file creation modes can be now specified in config. -
  • -
  • - Reliable Event Logging Protocol (RELP) input can now bind also only on a specified - address. -
  • -
  • - The default value of the enable.body option of mail output - is now aligned to documentation -
  • -
  • - The user can now specify insertion error codes that should be ignored in MongoDB output. -
  • -
  • - Parallel TCP (pTCP) input has now the configurable backlog for better load-balancing. -
  • -
  • - To avoid duplicate records that might appear when journald - rotated its files, the imjournal option has been added. - Note that use of this option can affect performance. -
  • -
-
-

- Note that the system with rsyslog can be configured to provide - better performance as described in the Configuring system logging without - journald or with minimized journald usage Knowledgebase article. -

-

- (BZ#1613880) -

-
-

New rsyslog module: - omkafka

-

- To enable kafka centralized data storage - scenarios, you can now forward logs to the kafka infrastructure using the new omkafka module. -

-
-

- (BZ#1542497) -

-
-

rsyslog imfile now supports symlinks

-

- With this update, the rsyslog imfile module delivers better performance and more configuration - options. This allows you to use the module for more complicated file monitoring use cases. - For example, you can now use file monitors with glob patterns anywhere along the configured - path and rotate symlink targets with increased data throughput. -

-
-

- (BZ#1614179) -

-
-

The default rsyslog configuration file - format is now non-legacy

-

- The configuration files in the rsyslog packages now use the - non-legacy format by default. The legacy format can be still used, however, mixing current - and legacy configuration statements has several constraints. Configurations carried from - previous RHEL releases should be revised. See the rsyslog.conf(5) man page for more information. -

-
-

- (BZ#1619645) -

-
-

Audit 3.0 replaces audispd with auditd

-

- With this update, functionality of audispd has been moved to - auditd. As a result, audispd - configuration options are now part of auditd.conf. In addition, - the plugins.d directory has been moved under /etc/audit. The current status of auditd and its plug-ins can now be checked by running the service auditd state command. -

-
-

- (BZ#1616428) -

-
-

tangd_port_t allows changes of the default - port for Tang

-

- This update introduces the tangd_port_t SELinux type that - allows the tangd service run as confined with SELinux enforcing - mode. That change helps to simplify configuring a Tang server to listen on a user-defined - port and it also preserves the security level provided by SELinux in enforcing mode. -

-
-

- See the Configuring - automated unlocking of encrypted volumes using policy-based decryption section for more - information. -

-

- (BZ#1664345) -

-
-

New SELinux booleans

-

- This update of the SELinux system policy introduces the following booleans: -

-
-
-
    -
  • - colord_use_nfs -
  • -
  • - mysql_connect_http -
  • -
  • - pdns_can_network_connect_db -
  • -
  • - ssh_use_tcpd -
  • -
  • - sslh_can_bind_any_port -
  • -
  • - sslh_can_connect_any_port -
  • -
  • - virt_use_pcscd -
  • -
-
-

- To get a list of booleans including their meaning, and to find out if they are enabled or - disabled, install the selinux-policy-devel package and use: -

-
# semanage boolean -l
-

- (JIRA:RHELPLAN-10347) -

-
-

SELinux now supports systemd No New Privileges

-

- This update introduces the nnp_nosuid_transition policy - capability that enables SELinux domain transitions under No New Privileges (NNP) or nosuid if - nnp_nosuid_transition is allowed between the old and new - contexts. The selinux-policy packages now contain a - policy for systemd services that use the - NNP security feature. -

-
-

- The following rule describes allowing this capability for a service: -

-
   allow source_domain  target_type:process2 { nnp_transition nosuid_transition };
-

- For example: -

-
   allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };
-

- The distribution policy now also contains an m4 macro interface, which can be used in SELinux - security policies for services that use the init_nnp_daemon_domain() function. -

-

- (BZ#1594111) -

-
-

Support for a new map permission check on the mmap syscall

-

- The SELinux map permission has been added to control memory - mapped access to files, directories, sockets, and so on. This allows the SELinux policy to - prevent direct memory access to various file system objects and ensure that every such - access is revalidated. -

-
-

- (BZ#1592244) -

-
-

SELinux now supports getrlimit permission - in the process class

-

- This update introduces a new SELinux access control check, process:getrlimit, which has been added for the prlimit() function. This enables SELinux policy developers to - control when one process attempts to read and then modify the resource limits of another - process using the process:setrlimit permission. Note that - SELinux does not restrict a process from manipulating its own resource limits through prlimit(). See the prlimit(2) and - getrlimit(2) man pages for more information. -

-
-

- (BZ#1549772) -

-
-

selinux-policy now supports VxFS - labels

-

- This update introduces support for Veritas File System (VxFS) security extended attributes - (xattrs). This enables to store proper SELinux labels with objects on the file system - instead of the generic vxfs_t type. As a result, systems with VxFS with full support for - SELinux are more secure. -

-
-

- (BZ#1483904) -

-
-

Compile-time security hardening flags are applied more - consistently

-

- Compile-time security hardening flags are applied more consistently on RPM packages in the - RHEL 8 distribution, and the redhat-rpm-config package now - automatically provides security hardening flags. The applied compile-time flags also help to - meet Common Criteria (CC) requirements. The following security hardening flags are applied: -

-
-
-
    -
  • - For detection of buffer-overflow errors: D_FORTIFY_SOURCE=2 -
  • -
  • - Standard library hardening that checks for C++ arrays, vectors, and strings: D_GLIBCXX_ASSERTIONS -
  • -
  • - For Stack Smashing Protector (SSP): fstack-protector-strong -
  • -
  • - For exception hardening: fexceptions -
  • -
  • - For Control-Flow Integrity (CFI): fcf-protection=full (only - on AMD and Intel 64-bit architectures) -
  • -
  • - For Address Space Layout Randomization (ASLR): fPIE (for - executables) or fPIC (for libraries) -
  • -
  • - For protection against the Stack Clash vulnerability: fstack-clash-protection (except ARM) -
  • -
  • - Link flags to resolve all symbols on startup: -Wl, -z,now -
  • -
-
-

- See the gcc(1) man page for more information. -

-

- (JIRA:RHELPLAN-2306) -

-
-
-
-
-
-

5.1.16. Virtualization

-
-
-
-
-

qemu-kvm 2.12 in RHEL 8

-

- Red Hat Enterprise Linux 8 is distributed with qemu-kvm 2.12. - This version fixes multiple bugs and adds a number of enhancements over the version 1.5.3, - available in Red Hat Enterprise Linux 7. -

-
-

- Notably, the following features have been introduced: -

-
-
    -
  • - Q35 guest machine type -
  • -
  • - UEFI guest boot -
  • -
  • - NUMA tuning and pinning in the guest -
  • -
  • - vCPU hot plug and hot unplug -
  • -
  • - guest I/O threading -
  • -
-
-

- Note that some of the features available in qemu-kvm 2.12 are not - supported on Red Hat Enterprise Linux 8. For detailed information, see "Feature support and - limitations in RHEL 8 virtualization" on the Red Hat Customer Portal. -

-

- (BZ#1559240) -

-
-

The Q35 machine - type is now supported by virtualization

-

- Red hat Enterprise Linux 8 introduces the support for Q35, a more modern PCI Express-based - machine type. This provides a variety of improvements in features and performance of virtual - devices, and ensures that a wider range of modern devices are compatible with - virtualization. In addition, virtual machines created in Red Hat Enterprise Linux 8 are set - to use Q35 by default. -

-
-

- Also note that the previously default PC - machine type has become deprecated and should only be used when virtualizing older operating - systems that do not support Q35. -

-

- (BZ#1599777) -

-
-

Post-copy virtual machine migration

-

- RHEL 8 makes it possible to perform a post-copy migration of KVM virtual machines (VMs). - When used, post-copy migration pauses the migrating VM’s vCPUs on the source host, transfers - only a minimum of memory pages, activates the VM’s vCPUs on the destination host, and - transfers the remaining memory pages while the VM is running on the destination. -

-
-

- This significantly reduces the downtime of the migrated VM, and also guarantees that the - migration finishes regardless of how rapidly the memory pages of the source VM change. As such, - it is optimal for migrating VMs in heavy continuous use, which would not be possible to migrate - with the standard pre-copy migration. -

-

- (JIRA:RHELPLAN-14323) -

-
-

virtio-gpu is now supported by KVM - virtualization

-

- The virtio-gpu display device has been introduced for KVM - virtual machines (VMs). virtio-gpu improves VM graphical - performance and also enables various enhancements for virtual GPU devices to be implemented - in the future. -

-
-

- (JIRA:RHELPLAN-14329) -

-
-

KVM supports UMIP in RHEL 8

-

- KVM virtualization now supports the User-Mode Instruction Prevention (UMIP) feature, which - can help prevent user-space applications from accessing to system-wide settings. This - reduces the potential vectors for privilege escalation attacks, and thus makes the KVM - hypervisor and its guest machines more secure. -

-
-

- (BZ#1494651) -

-
-

Additional information in KVM guest crash reports

-

- The crash information that KVM hypervisor generates if a guest terminates unexpectedly or - becomes unresponsive has been expanded. This makes it easier to diagnose and fix problems in - KVM virtualization deployments. -

-
-

- (BZ#1508139) -

-
-

NVIDIA vGPU is now compatible with the VNC console

-

- When using the NVIDIA virtual GPU (vGPU) feature, it is now possible to use the VNC console - to display the visual output of the guest. -

-
-

- (BZ#1497911) -

-
-

Ceph is supported by virtualization

-

- With this update, Ceph storage is supported by KVM virtualization on all CPU architectures - supported by Red Hat. -

-
-

- (BZ#1578855) -

-
-

Interactive boot loader for KVM virtual machines on IBM Z

-

- When booting a KVM virtual machine on an IBM Z host, the QEMU boot loader firmware can now - present an interactive console interface of the guest OS. This makes it possible to - troubleshoot guest OS boot problems without access to the host environment. -

-
-

- (BZ#1508137) -

-
-

IBM z14 ZR1 supported in virtual machines

-

- The KVM hypervisor now supports the CPU model of the IBM z14 ZR1 server. This enables using - the features of this CPU in KVM virtual machines that run on an IBM Z system. -

-
-

- (BZ#1592337) -

-
-

KVM supports Telnet - 3270 on IBM Z

-

- When using RHEL 8 as a host on an IBM Z system, it is now possible to connect to virtual - machines on the host using Telnet 3270 - clients. -

-
-

- (BZ#1570029) -

-
-

QEMU sandboxing has been added

-

- In Red Hat Enterprise Linux 8, the QEMU emulator introduces the sandboxing feature. QEMU - sandboxing provides configurable limitations to what systems calls QEMU can perform, and - thus makes virtual machines more secure. Note that this feature is enabled and configured by - default. -

-
-

- (JIRA:RHELPLAN-10628) -

-
-

PV TLB Flush Hyper-V - enlightenment

-

- RHEL 8 adds the PV TLB Flush Hyper-V Enlightenment feature. - This improves the performance of Windows virtual machines (VMs) that run in overcommitted - environments on the KVM hypervisor. -

-
-

- (JIRA:RHELPLAN-14330) -

-
-

New machine types for KVM virtual machines on IBM POWER

-

- Multiple new rhel-pseries machine types have been enabled for KVM hypervisors running on IBM - POWER 8 and IBM POWER 9 systems. This makes it possible for virtual machines (VMs) hosted on - RHEL 8 on an IBM POWER system to correctly use the CPU features of these machine types. In - addition, this allows for migrating VMs on IBM POWER to a more recent version of the KVM - hypervisor. -

-
-

- (BZ#1585651, BZ#1595501) -

-
-

GFNI and CLDEMOT instruction sets enabled for Intel Xeon - SnowRidge

-

- Virtual machines (VMs) running in a RHEL 8 host on an Intel Xeon SnowRidge system are now - able to use the GFNI and CLDEMOT instruction sets. This may significantly increase the - performance of such VMs in certain scenarios. -

-
-

- (BZ#1494705) -

-
-

IPv6 enabled for OVMF

-

- The IPv6 protocol is now enabled on Open Virtual Machine Firmware (OVMF). This makes it - possible for virtual machines that use OVMF to take advantage of a variety of network boot - improvements that IPv6 provides. -

-
-

- (BZ#1536627) -

-
-

A VFIO-based block driver for NVMe devices has been added

-

- The QEMU emulator introduces a driver based on virtual function I/O (VFIO) for Non-volatile - Memory Express (NVMe) devices. The driver communicates directly with NVMe devices attached - to virtual machines (VMs) and avoids using the kernel system layer and its NVMe drivers. As - a result, this enhances the performance of NVMe devices in virtual machines. -

-
-

- (BZ#1519004) -

-
-

Multichannel support for the Hyper-V Generic UIO driver

-

- RHEL 8 now supports the multichannel feature for the Hyper-V Generic userspace I/O (UIO) - driver. This makes it possible for RHEL 8 VMs running on the Hyper-V hypervisor to use the - Data Plane Development Kit (DPDK) Netvsc Poll Mode driver (PMD), which enhances the - networking capabilities of these VMs. -

-
-

- Note, however, that the Netvsc interface status currently displays as Down even when it is - running and usable. -

-

- (BZ#1650149) -

-
-

Improved huge page support

-

- When using RHEL 8 as a virtualization host, users can modify the size of pages that back - memory of a virtual machine (VM) to any size that is supported by the CPU. This can - significantly improve the performance of the VM. -

-
-

- To configure the size of VM memory pages, edit the VM’s XML configuration and add the - <hugepages> element to the <memoryBacking> section. -

-

- (JIRA:RHELPLAN-14607) -

-
-

VMs on POWER 9 hosts can use THP

-

- In RHEL 8 hosts running on the IBM POWER 9 architecture, virtual machines (VMs) benefit from - the transparent huge pages (THP) feature. THP enables the host kernel to dynamically assign - huge memory pages to processes and thus improves the performance of VMs with large amounts - of memory. -

-
-

- (JIRA:RHELPLAN-13440) -

-
-
-
-
-
-

5.1.17. Supportability

-
-
-
-
-

sosreport can - report eBPF-based programs and maps

-

- The sosreport tool has been enhanced to - report any loaded extended Berkeley Packet Filtering (eBPF) programs and maps in Red Hat - Enterprise Linux 8. -

-
-

- (BZ#1559836) -

-
-
-
-
-
-
-

5.2. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.0 that have a significant impact on - users. -

-
-
-
-
-

5.2.1. Desktop

-
-
-
-
-

PackageKit can now - operate on rpm packages

-

- With this update, the support for operating on rpm packages has - been added into PackageKit. -

-
-

- (BZ#1559414) -

-
-
-
-
-
-

5.2.2. Graphics infrastructures

-
-
-
-
-

QEMU does not handle 8-byte ggtt entries - correctly

-

- QEMU occasionally splits an 8-byte ggtt entry write to two - consecutive 4-byte writes. Each of these partial writes can trigger a separate host ggtt write. Sometimes the two ggtt - writes are combined incorrectly. Consequently, translation to a machine address fails, and - an error log occurs. -

-
-

- (BZ#1598776) -

-
-
-
-
-
-

5.2.3. Identity Management

-
-
-
-
-

The Enterprise Security Client uses the opensc library for token detection

-

- Red Hat Enterprise Linux 8.0 only supports the opensc library - for smart cards. With this update, the Enterprise Security Client (ESC) use opensc for token detection instead of the removed coolkey library. As a result, applications correctly detect - supported tokens. -

-
-

- (BZ#1538645) -

-
-

Certificate System now supports rotating debug logs

-

- Previously, Certificate System used a custom logging framework, which did not support log - rotation. As a consequence, debug logs such as /var/log/pki/instance_name/ca/debug - grew indefinitely. With this update, Certificate System uses the java.logging.util framework, which supports log rotation. As a - result, you can configure log rotation in the /var/lib/pki/instance_name/conf/logging.properties - file. -

-
-

- For further information on log rotation, see documentation for the java.util.logging package. -

-

- (BZ#1565073) -

-
-

Certificate System no longer logs SetAllPropertiesRule operation warnings when the service - starts

-

- Previously, Certificate System logged warnings on the SetAllPropertiesRule operation in the /var/log/messages log file when the service started. The problem - has been fixed, and the mentioned warnings are no longer logged. -

-
-

- (BZ#1424966) -

-
-

The Certificate System KRA client parses Key Request responses correctly

-

- Previously, Certificate System switched to a new JSON library. As a consequence, - serialization for certain objects differed, and the Python key recovery authority (KRA) - client failed to parse Key Request responses. The client has - been modified to support responses using both the old and the new JSON library. As a result, - the Python KRA client parses Key Request responses correctly. -

-
-

- (BZ#1623444) -

-
-
-
-
-
-

5.2.4. Compilers and development tools

-
-
-
-
-

GCC no longer produces false positive warnings about out-of-bounds - access

-

- Previously, when compiling with the -O3 optimization level - option, the GNU Compiler Collection (GCC) occasionally returned a false positive warning - about an out-of-bounds access, even if the compiled code did not contain it. The - optimization has been fixed and GCC no longer displays the false positive warning. -

-
-

- (BZ#1246444) -

-
-

ltrace displays large structures - correctly

-

- Previously, the ltrace tool could not correctly print large - structures returned from functions. Handling of large structures in ltrace has been improved and they are now printed correctly. -

-
-

- (BZ#1584322) -

-
-

GCC built-in function __builtin_clz - returns correct values on IBM Z

-

- Previously, the FLOGR instruction of the IBM Z architecture was - incorrectly folded by the GCC compiler. As a consequence, the __builtin_clz function using this instruction could return wrong - results when the code was compiled with the -funroll-loops GCC - option. This bug has been fixed and the function now provides correct results. -

-
-

- (BZ#1652016) -

-
-

GDB provides nonzero exit status when last command in batch mode - fails

-

- Previously, GDB always exited with status 0 when running in - batch mode, regardless of errors in the commands. As a consequence, it was not possible to - determine whether the commands succeeded. This behavior has been changed and GDB now exits - with status 1 when an error occurs in the last command. This - preserves compatibility with the previous behavior where all commands are executed. As a - result, it is now possible to determine if GDB batch mode execution is successful. -

-
-

- (BZ#1491128) -

-
-
-
-
-
-

5.2.5. File systems and storage

-
-
-
-
-

Higher print levels no longer cause iscsiadm to terminate unexpectedly

-

- Previously, the iscsiadm utility terminated unexpectedly when - the user specified a print level higher than 0 with the --print - or -P option. This problem has been fixed, and all print levels - now work as expected. -

-
-

- (BZ#1582099) -

-
-

multipathd no longer disables the path - when it fails to get the WWID of a path

-

- Previously, the multipathd service treated a failed attempt at - getting a path’s WWID as getting an empty WWID. If multipathd - failed to get the WWID of a path, it sometimes disabled that path. -

-
-

- With this update, multipathd continues to use the old WWID if it - fails to get the WWID when checking to see if it has changed. -

-

- As a result, multipathd no longer disables paths when it fails to - get the WWID, when checking if the WWID has changed. -

-

- (BZ#1673167) -

-
-
-
-
-
-

5.2.6. High availability and clusters

-
-
-
-
-

New /etc/sysconfig/pcsd option to reject - client-initiated SSL/TLS renegotiation

-

- When TLS renegotiation is enabled on the server, a client is allowed to send a renegotiation - request, which initiates a new handshake. Computational requirements of a handshake are - higher on a server than on a client. This makes the server vulnerable to DoS attacks. With - this fix, the setting PCSD_SSL_OPTIONS in the /etc/sysconfig/pcsd configuration file accepts the OP_NO_RENEGOTIATION option to reject renegotiations. Note that - the client can still open multiple connections to a server with a handshake performed in all - of them. -

-
-

- (BZ#1566430) -

-
-

A removed cluster node is no longer displayed in the cluster - status

-

- Previously, when a node was removed with the pcs cluster node remove command, the removed node remained - visible in the output of a pcs status display. With this fix, - the removed node is no longer displayed in the cluster status. -

-
-

- (BZ#1595829) -

-
-

Fence agents can now be configured using either newer, preferred - parameter names or deprecated parameter names

-

- A large number of fence agent parameters have been renamed while the old parameter names are - still supported as deprecated. Previously, pcs was not able to - set the new parameters unless used with the --force option. - With this fix, pcs now supports the renamed fence agent - parameters while maintaining support for the deprecated parameters. -

-
-

- (BZ#1436217) -

-
-

The pcs command now correctly reads the - XML status of a cluster for display

-

- The pcs command runs the crm_mon - utility to get the status of a cluster in XML format. The crm_mon utility prints XML to standard output and warnings to - standard error output. Previously pcs mixed XML and warnings - into one stream and was then unable to parse it as XML. With this fix, standard and error - outputs are separated in pcs and reading the XML status of a - cluster works as expected. -

-
-

- (BZ#1578955) -

-
-

Users no longer advised to destroy clusters when creating new clusters - with nodes from existing clusters

-

- Previously, when a user specified nodes from an existing cluster when running the pcs cluster setup command or when creating a cluster with the - pcsd Web UI, pcs reported that as an error and suggested that - the user destroy the cluster on the nodes. As a result, users would destroy the cluster on - the nodes, breaking the cluster the nodes were part of as the remaining nodes would still - consider the destroyed nodes to be part of the cluster. With this fix, users are instead - advised to remove nodes from their cluster, better informing them of how to address the - issue without breaking their clusters. -

-
-

- (BZ#1596050) -

-
-

pcs commands no longer interactively ask - for credentials

-

- When a non-root user runs a pcs command that requires root - permission, pcs connects to the locally running pcsd daemon and passes the command to it, since the pcsd daemon runs with root permissions and is capable of running - the command. Previously, if the user was not authenticated to the local pcsd daemon, pcs asked for a user - name and a password interactively. This was confusing to the user and required special - handling in scripts running pcs. With this fix, if the user is - not authenticated then pcs exits with an error advising what to - do: Either run pcs as root or authenticate using the new pcs client local-auth command. As a result, pcs commands do not interactively ask for credentials, improving - the user experience. -

-
-

- (BZ#1554310) -

-
-

The pcsd daemon now starts with its - default self-generated SSL certificate when crypto-policies - is set to FUTURE.

-

- A crypto-policies setting of FUTURE requires RSA keys in SSL certificates to be at least 3072b - long. Previously, the pcsd daemon would not start when this - policy was set since it generates SSL certificates with a 2048b key. With this update, the - key size of pcsd self-generated SSL certificates has been - increased to 3072b and pcsd now starts with its default - self-generated SSL certificate. -

-
-

- (BZ#1638852) -

-
-

The pcsd service now starts when the - network is ready

-

- Previously, When a user configured pcsd to bind to a specific - IP address and the address was not ready during boot when pcsd - attempted to start up, then pcsd failed to start and a manual - intervention was required to start pcsd. With this fix, pcsd.service depends on network-online.target. As a result, pcsd starts when the network is ready and is able to bind to an - IP address. -

-
-

- (BZ#1640477) -

-
-
-
-
-
-

5.2.7. Networking

-
-
-
-
-

Weak TLS algorithms are no longer allowed for glib-networking

-

- Previously, the glib-networking package was not compatible with - RHEL 8 System-wide Crypto Policy. As a consequence, applications using the glib library for networking might allow Transport Layer Security - (TLS) connections using weak algorithms than the administrator intended. With this update, - the system-wide crypto policy is applied, and now applications using glib for networking allow only TLS connections that are - acceptable according to the policy. -

-
-

- (BZ#1640534) -

-
-
-
-
-
-

5.2.8. Security

-
-
-
-
-

SELinux policy now allows iscsiuio - processes to connect to the discovery portal

-

- Previously, SELinux policy was too restrictive for iscsiuio - processes and these processes were not able to access /dev/uio* - devices using the mmap system call. As a consequence, - connection to the discovery portal failed. This update adds the missing rules to the SELinux - policy and iscsiuio processes work as expected in the described - scenario. -

-
-

- (BZ#1626446) -

-
-
-
-
-
-

5.2.9. Subscription management

-
-
-
-
-

dnf and yum - can now access the repos regardless of subscription-manager - values

-

- Previously, the dnf or yum - commands ignored the https:// prefix from a URL added by the - subscription-manager service. The - updated dnf or yum commands do not - ignore invalid https:// URLs. As a consequence, dnf and yum failed to access the - repos. To fix the problem, a new configuration variable, proxy_scheme has been added to the /etc/rhsm/rhsm.conf file and the value can be set to either http or https. If no value is - specified, subscription-manager set - http by default which is more commonly used. -

-
-

- Note that if the proxy uses http, most users should not change - anything in the configuration in /etc/rhsm/rhsm.conf. If the proxy - uses https, users should update the value of proxy_scheme to https. Then, in both - cases, users need to run the subscription-manager repos --list - command or wait for the rhsmcertd daemon process to regenerate the - /etc/yum.repos.d/redhat.repo properly. -

-

- (BZ#1654531) -

-
-
-
-
-
-

5.2.10. Virtualization

-
-
-
-
-

Mounting ephemeral disks on Azure now works more reliably

-

- Previously, mounting an ephemeral disk on a virtual machine (VM) running on the Microsoft - Azure platform failed if the VM was "stopped(deallocated)" and then started. This update - ensures that reconnecting disks is handled correctly in the described circumstances, which - prevents the problem from occurring. -

-
-

- (BZ#1615599) -

-
-
-
-
-
-
-

5.3. Technology previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.0. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features - Support Scope. -

-
-
-
-
-

5.3.1. Kernel

-
-
-
-
-

eBPF available as a - Technology Preview

-

- The extended Berkeley Packet Filtering - (eBPF) feature is available as a Technology Preview for both - networking and tracing. eBPF enables the - user space to attach custom programs onto a variety of points (sockets, trace points, packet - reception) to receive and process data. The feature includes a new system call bpf(), which supports creating various types of maps, and also to - insert various types of programs into the kernel. Note that the bpf() syscall can be successfully used only by a user with the - CAP_SYS_ADMIN capability, such as a root user. See the bpf(2) man page for more information. -

-
-

- (BZ#1559616) -

-
-

BCC is available as a Technology - Preview

-

- BPF Compiler Collection (BCC) is a user space tool kit for - creating efficient kernel tracing and manipulation programs that is available as a - Technology Preview in Red Hat Enterprise Linux 8. BCC provides - tools for I/O analysis, networking, and monitoring of Linux operating systems using the - extended Berkeley Packet Filtering (eBPF). -

-
-

- (BZ#1548302) -

-
-

Control Group v2 - available as a Technology Preview in RHEL 8

-

- Control Group v2 mechanism is a unified - hierarchy control group. Control Group - v2 organizes processes hierarchically and distributes system - resources along the hierarchy in a controlled and configurable manner. -

-
-

- Unlike the previous version, Control Group - v2 has only a single hierarchy. This single hierarchy enables the Linux - kernel to: -

-
-
    -
  • - Categorize processes based on the role of their owner. -
  • -
  • - Eliminate issues with conflicting policies of multiple hierarchies. -
  • -
-
-

- Control Group v2 supports numerous - controllers: -

-
-
    -
  • -

    - CPU controller regulates the distribution of CPU cycles. This controller implements: -

    -
    -
      -
    • - Weight and absolute bandwidth limit models for normal scheduling policy. -
    • -
    • - Absolute bandwidth allocation model for real time scheduling policy. -
    • -
    -
    -
  • -
  • -

    - Memory controller regulates the memory distribution. Currently, the following types - of memory usages are tracked: -

    -
    -
      -
    • - Userland memory - page cache and anonymous memory. -
    • -
    • - Kernel data structures such as dentries and inodes. -
    • -
    • - TCP socket buffers. -
    • -
    -
    -
  • -
  • - I/O controller regulates the distribution of I/O resources. -
  • -
  • - Writeback controller interacts with both Memory and I/O controllers and is Control Group v2 specific. -
  • -
-
-

- The information above was based on link: https://www.kernel.org/doc/Documentation/cgroup-v2.txt. - You can refer to the same link to obtain more information about particular Control Group v2 controllers. -

-

- (BZ#1401552) -

-
-

early kdump available as a Technology - Preview in Red Hat Enterprise Linux 8

-

- The early kdump feature allows the crash kernel and initramfs - to load early enough to capture the vmcore information even for - early crashes. For more details about early kdump, see the - /usr/share/doc/kexec-tools/early-kdump-howto.txt file. -

-
-

- (BZ#1520209) -

-
-

The ibmvnic device driver available as a - Technology Preview

-

- With Red Hat Enterprise Linux 8.0, the IBM Virtual Network Interface Controller (vNIC) - driver for IBM POWER architectures, ibmvnic, is available as a - Technology Preview. vNIC is a PowerVM virtual networking technology that delivers enterprise - capabilities and simplifies network management. It is a high-performance, efficient - technology that when combined with SR-IOV NIC provides bandwidth control Quality of Service - (QoS) capabilities at the virtual NIC level. vNIC significantly reduces virtualization - overhead, resulting in lower latencies and fewer server resources, including CPU and memory, - required for network virtualization. -

-
-

- (BZ#1524683) -

-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol - which implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which - supports two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in - RHEL 8. -

-
-

- (BZ#1605216) -

-
-
-
-
-
-

5.3.2. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is - available as a Technology Preview. Note that the rest of the graphics stack is currently - unverified for the 64-bit ARM architecture. -

-
-

- (BZ#1698565) -

-
-
-
-
-
-

5.3.3. Hardware enablement

-
-
-
-
-

The cluster-aware MD RAID1 is available as a technology - preview.

-

- RAID1 cluster is not enabled by default in the kernel space. If you want to have a try with - RAID1 cluster, you need to build the kernel with RAID1 cluster as a module first, use the - following steps: -

-
-
-
    -
  1. - Enter the make menuconfig command. -
  2. -
  3. - Enter the make && make modules && make modules_install && make install - command. -
  4. -
  5. - Enter the reboot command. -
  6. -
-
-

- (BZ#1654482) -

-
-
-
-
-
-

5.3.4. Identity Management

-
-
-
-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones - hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

-
- -
-

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other - DNS servers. This might affect the availability of DNS zones that are not configured in - accordance with recommended naming practices. -

-

- (BZ#1664718) -

-
-

Identity Management JSON-RPC API available as Technology - Preview

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as Technology Preview. -

-
-

- In Red Hat Enterprise Linux 7.3, the IdM API was enhanced to enable multiple versions of API - commands. Previously, enhancements could change the behavior of a command in an incompatible - way. Users are now able to continue using existing tools and scripts even if the IdM API - changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the - managing client. -
  • -
  • - Developers to use a specific version of an IdM call, even if the IdM version changes on - the server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- (BZ#1664719) -

-
-
-
-
-
-

5.3.5. File systems and storage

-
-
-
-
-

Aero adapters available as a Technology Preview

-

- The following Aero adapters are available as a Technology Preview: -

-
-
-
    -
  • - PCI ID 0x1000:0x00e2 and 0x1000:0x00e6, controlled by the mpt3sas driver -
  • -
  • - PCI ID 0x1000:Ox10e5 and 0x1000:0x10e6, controlled by the megaraid_sas driver -
  • -
-
-

- (BZ#1663281) -

-
-

Stratis is now available

-

- Stratis is a new local storage manager. It provides managed file systems on top of pools of - storage with additional features to the user. -

-
-

- Stratis enables you to more easily perform storage tasks such as: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- (JIRA:RHELPLAN-1212) -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top - of another. Changes are recorded in the upper file system, while the lower file system - remains unmodified. This allows multiple users to share a file-system image, such as a - container or a DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs - warnings when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other - specialized use cases, such as squashed kdump initramfs. - Its use is supported primarily for container COW content, not for persistent storage. - You must place any persistent storage on non-OverlayFS volumes. You can use only the - default container engine configuration: one level of overlay, one lowerdir, and both - lower and upper levels are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might - change in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped - with MAP_SHARED are inconsistent with - subsequent modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on - RHEL 8, but you can enable full POSIX compliance for them with a module - option or mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and - index=on options to improve POSIX - compliance. These two options make the format of the upper layer - incompatible with an overlay without these options. That is, you might - get unexpected results or errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, - use the following command and see if the ftype=1 option - is enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see - Non-standard behavior in the Linux - kernel documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- (BZ#1690207) -

-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8.0, file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address - space. To use DAX, a system must have some form of persistent memory available, usually in - the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file - system that supports DAX must be created on the NVDIMM(s). Also, the file system must be - mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct - mapping of storage into the application’s address space. -

-
-

- (BZ#1627455) -

-
-
-
-
-
-

5.3.6. High availability and clusters

-
-
-
-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on the podman container - platform, with the container bundle feature being available as a Technology Preview. There - is one exception to this feature being Technology Preview: Red Hat fully supports the use of - Pacemaker bundles for Red Hat Openstack. -

-
-

- (BZ#1619620) -

-
-
-
-
-
-

5.3.7. Networking

-
-
-
-
-

XDP available as a - Technology Preview

-

- The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a - means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet - processing at an early point in the kernel ingress data path, allowing efficient - programmable packet analysis, filtering, and manipulation. -

-
-

- (BZ#1503672) -

-
-

eBPF for tc available as a Technology Preview

-

- As a Technology Preview, the Traffic Control (tc) kernel subsystem and the tc tool can attach extended Berkeley - Packet Filtering (eBPF) programs as packet classifiers and actions for both ingress and - egress queueing disciplines. This enables programmable packet processing inside the kernel - network data path. -

-
-

- (BZ#1699825) -

-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet - processing. It accompanies XDP and grants efficient redirection - of programmatically selected packets to user space applications for further processing. -

-
-

- (BZ#1633143) -

-
-

KTLS available as a Technology Preview

-

- In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a - Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption - algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for - offloading TLS record encryption to Network Interface Controllers (NICs) that support this - functionality. -

-
-

- (BZ#1570255) -

-
-

TIPC available as a Technology - Preview

-

- The Transparent Inter Process Communication (TIPC) is a - protocol specially designed for efficient communication within clusters of loosely paired - nodes. It works as a kernel module and provides a tipc tool in - iproute2 package to allow designers to create applications that - can communicate quickly and reliably with other applications regardless of their location - within the cluster. This feature is available as a Technology Preview. -

-
-

- (BZ#1581898) -

-
-

The systemd-resolved service is now - available as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, an - Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- (BZ#1906489) -

-
-
-
-
-
-

5.3.8. Red Hat Enterprise Linux system roles

-
-
-
-
-

The postfix role of RHEL system roles - available as a Technology Preview

-

- Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat - Enterprise Linux subsystems, which makes system configuration easier through the inclusion - of Ansible Roles. This interface enables managing system configurations across multiple - versions of Red Hat Enterprise Linux, as well as adopting new major releases. -

-
-

- The rhel-system-roles packages are distributed through the - AppStream repository. -

-

- The postfix role is available as a Technology Preview. -

-

- The following roles are fully supported: -

-
-
    -
  • - kdump -
  • -
  • - network -
  • -
  • - selinux -
  • -
  • - timesync -
  • -
-
-

- For more information, see the Knowledgebase article about RHEL system roles. -

-

- (BZ#1812552) -

-
-
-
-
-
-

5.3.9. Virtualization

-
-
-
-
-

AMD SEV for KVM virtual machines

-

- As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature - for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine - (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases - the security of the VM if the host is successfully infected by malware. -

-
-

- Note that the number of VMs that can use this feature at a time on a single host is determined - by the host hardware. Current AMD EPYC processors support up to 15 running VMs using SEV. -

-

- Also note that for VMs with SEV configured to be able to boot, you must also configure the VM - with a hard memory limit. To do so, add the following to the VM’s XML configuration: -

-
<memtune>
-  <hard_limit unit='KiB'>N</hard_limit>
-</memtune>
-

- The recommended value for N is equal to or greater then the guest RAM + 256 MiB. For example, if - the guest is assigned 2 GiB RAM, N should be 2359296 or greater. -

-

- (BZ#1501618, BZ#1501607) -

-
-

Intel vGPU

-

- As a Technology Preview, it is now possible to divide a physical Intel GPU device into - multiple virtual devices referred to as mediated devices. These - mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As - a result, these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. In addition, assigning - a physical GPU to VMs makes it impossible for the host to use the GPU, and may prevent graphical - display output on the host from working. -

-

- (BZ#1528684) -

-
-

Nested virtualization now available on IBM POWER 9

-

- As a Technology Preview, it is now possible to use the nested virtualization features on - RHEL 8 host machines running on IBM POWER 9 systems. Nested virtualization enables KVM - virtual machines (VMs) to act as hypervisors, which allows for running VMs inside VMs. -

-
-

- Note that nested virtualization also remains a Technology Preview on AMD64 and Intel 64 systems. -

-

- Also note that for nested virtualization to work on IBM POWER 9, the host, the guest, and the - nested guests currently all need to run one of the following operating systems: -

-
-
    -
  • - RHEL 8 -
  • -
  • - RHEL 7 for POWER 9 -
  • -
-
-

- (BZ#1505999, BZ#1518937) -

-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual - machines

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on - a Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel systems. In addition, nested - virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the - following Microsoft documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- (BZ#1519039) -

-
-
-
-
-
-

5.3.10. Containers

-
-
-
-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- (JIRA:RHELDOCS-16861) -

-
-
-
-
-
-
-

5.4. Deprecated functionality

-
-
-
-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will - likely not be supported in the next major version release, and are not recommended for new - deployments on the current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the - latest version of release documentation. For information about the length of support, see Red Hat Enterprise - Linux Life Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a - package can be removed from the product. Product documentation then identifies more recent packages - that offer functionality similar, identical, or more advanced to the one deprecated, and provides - further recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, - see Considerations - in adopting RHEL 9. -

-
-
-
-
-

5.4.1. Installer and image creation

-
-
-
-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you - modify your Kickstart file to remove the option. -

-
-

- (BZ#1637872) -

-
-

Several Kickstart commands and options have been deprecated -

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in - the logs. -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still - available and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- (BZ#1642765) -

-
-
-
-
-
-

5.4.2. File systems and storage

-
-
-
-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by - default. This change affects only NFS version 3 because version 4 requires the Transmission - Control Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- (BZ#1592011) -

-
-

The elevator kernel command line parameter - is deprecated

-

- The elevator kernel command line parameter was used in earlier - RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is - deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is - typically the optimal setting. If you require a different scheduler, Red Hat recommends that you - use udev rules or the Tuned service to configure it. Match the - selected devices and switch the scheduler only for those devices. -

-

- For more information, see the following article: Why does the 'elevator=' parameter no - longer work in RHEL8. -

-

- (BZ#1665295) -

-
-

The VDO Ansible module in VDO packages

-

- The VDO Ansible module is currently provided by the vdo RPM - package. In a future release, the VDO Ansible module will be moved to the Ansible RPM - packages. -

-
-

- (BZ#1669537) -

-
-
-
-
-
-

5.4.3. Networking

-
-
-
-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided - by default. The basic installation provides a new version of the ifup and ifdown scripts which call - the NetworkManager service through the - nmcli tool. In Red Hat Enterprise Linux - 8, to run the ifup and the ifdown - scripts, NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local - scripts are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
~]# yum install network-scripts
-

- The ifup and ifdown scripts link to - the installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- (BZ#1647725) -

-
-
-
-
-
-

5.4.4. Kernel

-
-
-
-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, - is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE - feature is available as an unsupported Technology Preview. However, due to stability issues, - this feature has been deprecated and will be removed in RHEL 9. -

-
-

- (BZ#1878207) -

-
-
-
-
-
-

5.4.5. Security

-
-
-
-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux - 8. Authentication mechanisms that depend on DSA keys do not work in the default - configuration. Note that OpenSSH clients do not accept DSA host - keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- (BZ#1646541) -

-
-

SSL2 Client Hello has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and - earlier allow to start a negotiation with a Client Hello - message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this - feature may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- (BZ#1645153) -

-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer - Portal and the update-crypto-policies(8) man page. -

-

- (BZ#1660839) -

-
-
-
-
-
-

5.4.6. Virtualization

-
-
-
-
-

Virtual machine snapshots are not properly supported in RHEL 8 -

-

- The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it - is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL - 8. -

-
-

- Note that a new VM snapshot mechanism is under development and will be fully implemented in a - future minor release of RHEL 8. -

-

- (BZ#1686057) -

-
-

The Cirrus VGA - virtual GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga, virtio-vga, or qxl devices instead of Cirrus VGA. -

-
-

- (BZ#1651994) -

-
-

virt-manager has - been deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The - RHEL 8 web console, also known as Cockpit, is intended to become its - replacement in a subsequent release. It is, therefore, recommended that you use the web - console for managing virtualization in a GUI. However, in Red Hat Enterprise Linux 8.0, some - features may only be accessible from either virt-manager or the command line. -

-
-

- (JIRA:RHELPLAN-10304) -

-
-
-
-
-
-

5.4.7. Deprecated packages

-
-
-
-

- The following packages have been deprecated and will probably not be included in a future major - release of Red Hat Enterprise Linux: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - authd -
  • -
  • - custodia -
  • -
  • - hostname -
  • -
  • - libidn -
  • -
  • - net-tools -
  • -
  • - network-scripts -
  • -
  • - nss-pam-ldapd -
  • -
  • - sendmail -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
-
-
-
-
-
-
-
-

5.5. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8. -

-
-
-
-
-

5.5.1. The web console

-
-
-
-
-

Logging to RHEL web console with session_recording shell is not - possible

-

- Currently, the RHEL web console logins will fail for tlog recording-enabled users. RHEL web - console requires a user’s shell to be present in the /etc/shells directory to allow a successful login. However, if - tlog-rec-session is added to /etc/shells, a recorded user is able to disable recording by - changing the shell from tlog-rec-session to another shell from - /etc/shells, using the "chsh" utility. Red Hat does not - recommend adding tlog-rec-session to /etc/shells for this reason. -

-
-

- (BZ#1631905) -

-
-
-
-
-
-

5.5.2. Installer and image creation

-
-
-
-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart - commands during installation. Without this package, the installation fails if auth or authconfig are used. - However, by design, the authselect-compat package is only - available in the AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to - the installer or use the authselect Kickstart command during - installation. -

-

- (BZ#1640697) -

-
-

The xorg-x11-drv-fbdev, xorg-x11-drv-vesa, and xorg-x11-drv-vmware video drivers are not installed by - default

-

- Workstations with specific models of NVIDIA graphics cards and workstations with specific - AMD accelerated processing units will not display the graphical login window after a RHEL - 8.0 Server installation. -

-
-

- To work around this problem, perform a RHEL 8.0 Workstation - installation on a workstation machine. If a RHEL 8.0 Server - installation is required on the workstation, manually install the base-x package group after installation by running the yum -y groupinstall base-x command. -

-

- In addition, virtual machines relying on EFI for graphics support, such as Hyper-V, are also - affected. If you selected the Server with GUI base environment on - Hyper-V, you might be unable to log in due to a black screen displayed on reboot. To work around - this problem on Hyper-v, enable multi- or single-user mode using the following steps: -

-
-
    -
  1. - Reboot the virtual machine. -
  2. -
  3. - During the booting process, select the required kernel using the up and down arrow keys - on your keyboard. -
  4. -
  5. - Press the e key on your keyboard to edit the kernel command - line. -
  6. -
  7. - Add systemd.unit=multi-user.target to the kernel command - line in GRUB. -
  8. -
  9. - Press Ctrl-X to start the virtual machine. -
  10. -
  11. - After logging in, run the yum -y groupinstall base-x - command. -
  12. -
  13. - Reboot the virtual machine to access the graphical mode. -
  14. -
-
-

- (BZ#1687489) -

-
-

Installation fails when using the reboot --kexec command

-

- The RHEL 8 installation fails when using a Kickstart file that contains the reboot --kexec command. To avoid the problem, use the reboot command instead of reboot --kexec in your Kickstart file. -

-
-

- (BZ#1672405) -

-
-

Copying the content of the Binary DVD.iso - file to a partition omits the .treeinfo and .discinfo files

-

- During local installation, while copying the content of the RHEL 8 Binary DVD.iso image file - to a partition, the * in the cp <path>/\* <mounted partition>/dir command fails to - copy the .treeinfo and .discinfo - files. These files are required for a successful installation. As a result, the BaseOS and - AppStream repositories are not loaded, and a debug-related log message in the anaconda.log file is the only record of the problem. -

-
-

- To work around the problem, copy the missing .treeinfo and .discinfo files to the partition. -

-

- (BZ#1692746) -

-
-

Anaconda installation includes low limits of minimal resources setting - requirements

-

- Anaconda initiates the installation on systems with minimal resource settings required - available and do not provide previous message warning about the required resources for - performing the installation successfully. As a result, the installation can fail and the - output errors do not provide clear messages for possible debug and recovery. To work around - this problem, make sure that the system has the minimal resources settings required for - installation: 2GB memory on PPC64(LE) and 1GB on x86_64. As a result, it should be possible - to perform a successful installation. -

-
-

- (BZ#1696609) -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec - Kickstart command or the inst.kexec kernel boot parameters do - not provide the same predictable system state as a full reboot. As a consequence, switching - to the installed system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- (BZ#1697896) -

-
-
-
-
-
-

5.5.3. Kernel

-
-
-
-
-

The i40iw module - does not load automatically on boot

-

- Due to many i40e NICs not supporting iWarp and the i40iw module not fully supporting - suspend/resume, this module is not automatically loaded by default to ensure suspend/resume - works properly. To work around this problem, manually edit the /lib/udev/rules.d/90-rdma-hw-modules.rules file to enable - automated load of i40iw. -

-
-

- Also note that if there is another RDMA device installed with a i40e device on the same machine, - the non-i40e RDMA device triggers the rdma - service, which loads all enabled RDMA stack modules, including the i40iw module. -

-

- (BZ#1623712) -

-
-

The system sometimes becomes unresponsive when many devices are - connected

-

- When Red Hat Enterprise Linux 8 configures a large number of devices, a large number of - console messages occurs on the system console. This happens, for example, when there are a - large number of logical unit numbers (LUNs), with multiple paths to each LUN. The flood of - console messages, in addition to other work the kernel is doing, might cause the kernel - watchdog to force a kernel panic because the kernel appears to be hung. -

-
-

- Because the scan happens early in the boot cycle, the system becomes unresponsive when many - devices are connected. This typically occurs at boot time. -

-

- If kdump is enabled on your machine during the device scan event - after boot, the hard lockup results in a capture of a vmcore image. -

-

- To work around this problem, increase the watchdog lockup timer. To do so, add the watchdog_thresh=N option to - the kernel command line. Replace N with the number of seconds: -

-
-
    -
  • - If you have less than a thousand devices, use 30. -
  • -
  • - If you have more than a thousand devices, use 60. -
  • -
-
-

- For storage, the number of device is the number of paths to all the LUNs: generally, the number - of /dev/sd* devices. -

-

- After applying the workaround, the system no longer becomes unresponsive when configuring a - large amount of devices. -

-

- (BZ#1598448) -

-
-

KSM sometimes ignores NUMA memory policies

-

- When the kernel shared memory (KSM) feature is enabled with the merge_across_nodes=1 parameter, KSM ignores memory policies set - by the mbind() function, and may merge pages from some memory areas to Non-Uniform Memory - Access (NUMA) nodes that do not match the policies. -

-
-

- To work around this problem, disable KSM or set the merge_across_nodes parameter to 0 if - using NUMA memory binding with QEMU. As a result, NUMA memory policies configured for the KVM VM - will work as expected. -

-

- (BZ#1153521) -

-
-

The qede driver hangs the NIC and makes it - unusable

-

- Due to a bug, the qede driver for the 41000 and 45000 QLogic - series NICs can cause Firmware upgrade and debug data collection operations to fail and make - the NIC unusable or in hung state until reboot (PCI reset) of the host makes the NIC - operational again. -

-
-

- This issue has been detected in all of the following scenarios: -

-
-
    -
  • - when upgrading Firmware of the NIC using the inbox driver -
  • -
  • - when collecting debug data running the ethtool -d ethx - command -
  • -
  • - running the sosreport command as it includes ethtool -d ethx. -
  • -
  • - when the inbox driver initiates automatic debug data collection, such as IO timeout, - Mail Box Command timeout and a Hardware Attention. -
  • -
-
-

- A future erratum from Red Hat will be released via Red Hat Bug Advisory (RHBA) to address this - issue. To work around this problem, create a case in https://access.redhat.com/support to request a - supported fix for the issue until the RHBA is released. -

-

- (BZ#1697310) -

-
-

Radix tree symbols were added to kernel-abi-whitelists

-

- The following radix tree symbols have been added to the kernel-abi-whitelists package in Red Hat Enterprise Linux 8: -

-
-
-
    -
  • - __radix_tree_insert -
  • -
  • - __radix_tree_next_slot -
  • -
  • - radix_tree_delete -
  • -
  • - radix_tree_gang_lookup -
  • -
  • - radix_tree_gang_lookup_tag -
  • -
  • - radix_tree_next_chunk -
  • -
  • - radix_tree_preload -
  • -
  • - radix_tree_tag_set -
  • -
-
-

- The symbols above were not supposed to be present and will be removed from the RHEL8 whitelist. -

-

- (BZ#1695142) -

-
-

podman fails to checkpoint a container in - RHEL 8

-

- The version of the Checkpoint and Restore In Userspace (CRIU) package is outdated in Red Hat - Enterprise Linux 8. As a consequence, CRIU does not support container checkpoint and restore - functionality and the podman utility fails to checkpoint - containers. When running the podman container checkpoint - command, the following error message is displayed: 'checkpointing a container requires at - least CRIU 31100' -

-
-

- (BZ#1689746) -

-
-

early-kdump and standard kdump fail if the add_dracutmodules+=earlykdump option is used in dracut.conf

-

- Currently, an inconsistency occurs between the kernel version being installed for early-kdump and the kernel version initramfs is generated for. As a consequence, booting with early-kdump enabled, early-kdump - fails. In addition, if early-kdump detects that it is being - included in a standard kdump initramfs image, it forces an - exit. Therefore the standard kdump service also fails when - trying to rebuild kdump initramfs if early-kdump is added as a default dracut module. As a consequence, early-kdump and standard kdump both - fail. To work around this problem, do not add add_dracutmodules+=earlykdump or any equivalent configuration in - the dracut.conf file. As a result, early-kdump is not included by dracut by default, which prevents the problem from occuring. - However, if an early-kdump image is required, it has to be - created manually. -

-
-

- (BZ#1662911) -

-
-

Debug kernel fails to boot in crash capture environment in RHEL - 8

-

- Due to memory-demanding nature of the debug kernel, a problem occurs when the debug kernel - is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to - boot as the capture kernel, and a stack trace is generated instead. To work around this - problem, increase the crash kernel memory accordingly. As a result, the debug kernel - successfully boots in the crash capture environment. -

-
-

- (BZ#1659609) -

-
-

Network interface is renamed to kdump-<interface-name> when fadump is used

-

- When firmware-assisted dump (fadump) is utilized to capture a - vmcore and store it to a remote machine using SSH or NFS protocol, the network interface is - renamed to kdump-<interface-name> if <interface-name> is generic, for example, *eth#, or net#. - This problem occurs because the vmcore capture scripts in the initial RAM disk (initrd) add the kdump- prefix to the network interface name to - secure persistent naming. The same initrd is used also for a - regular boot, so the interface name is changed for the production kernel too. -

-
-

- (BZ#1745507) -

-
-
-
-
-
-

5.5.4. Software management

-
-
-
-
-

Running yum list under a non-root user - causes YUM crash

-

- When running the yum list command under a non-root user after - the libdnf package has been updated, YUM can terminate unexpectedly. If you hit - this bug, run yum list under root to resolve the problem. As a - result, subsequent attempts to run yum list under a non-root - user no longer cause YUM crash. -

-
-

- (BZ#1642458) -

-
-

YUM v4 skips - unavailable repositories by default

-

- YUM v4 defaults to the - "skip_if_unavailable=True" setting for all repositories. As a consequence, if the required - repository is not available, the packages from the repository are not considered in the - install, search, or update operations. Subsequently, some yum - commands and yum-based scripts succeed with exit code 0 even if there are unavailable - repositories. -

-
-

- Currently, there is no other workaround available than updating the libdnf package. -

-

- (BZ#1679509) -

-
-
-
-
-
-

5.5.5. Infrastructure services

-
-
-
-
-

The nslookup and host utilities ignore replies from name servers with - recursion not available

-

- If more name servers are configured and recursion is not available for a name server, the - nslookup and host utilities ignore - replies from such name server unless it is the one that is last configured. In case of the - last configured name server, answer is accepted even without the recursion available flag. However, if the last configured name - server is not responding or unreachable, name resolution fails. -

-
-

- To work around the problem: -

-
-
    -
  • - Ensure that configured name servers always reply with the recursion available flag set. -
  • -
  • - Allow recursion for all internal clients. -
  • -
-
-

- To troubleshoot the problem, you can also use the dig utility to - detect whether recursion is available or not. -

-

- (BZ#1599459) -

-
-
-
-
-
-

5.5.6. Shells and command-line tools

-
-
-
-
-

Python binding of the net-snmp package is unavailable

-

- The Net-SNMP suite of tools does not provide binding for Python 3, which is the default Python implementation in RHEL 8. Consequently, python-net-snmp, python2-net-snmp, - or python3-net-snmp packages are unavailable in RHEL 8. -

-
-

- (BZ#1584510) -

-
-

systemd in debug mode produces unnecessary - log messages

-

- The systemd system and service manager in debug mode produces - unnecessary log messages that start with: -

-
-
"Failed to add rule for system call ..."
-

- List the messages by running: -

-
journalctl -b _PID=1
-

- These debug messages are harmless, and you can safely ignore them. -

-

- Currently, there is no workaround available. -

-

- (BZ#1658691) -

-
-

ksh with the KEYBD trap mishandles multibyte characters

-

- The Korn Shell (KSH) is unable to correctly handle multibyte characters when the KEYBD trap is enabled. Consequently, when the user enters, for - example, Japanese characters, ksh displays an incorrect string. - To work around this problem, disable the KEYBD trap in the - /etc/kshrc file by commenting out the following line: -

-
-
trap keybd_trap KEYBD
-

- For more details, see a related Knowledgebase solution. -

-

- (BZ#1503922) -

-
-
-
-
-
-

5.5.7. Dynamic programming languages, web and database servers

-
-
-
-
-

Database servers are not installable in parallel

-

- The mariadb and mysql modules - cannot be installed in parallel in RHEL 8.0 due to conflicting RPM packages. -

-
-

- By design, it is impossible to install more than one version (stream) of the same module in - parallel. For example, you need to choose only one of the available streams from the postgresql module, either 10 (default) - or 9.6. Parallel installation of components is possible in Red Hat - Software Collections for RHEL 6 and RHEL 7. In RHEL 8, different versions of database servers - can be used in containers. -

-

- (BZ#1566048) -

-
-

Problems in mod_cgid logging

-

- If the mod_cgid Apache httpd module is used under a threaded - multi-processing module (MPM), which is the default situation in RHEL 8, the following - logging problems occur: -

-
-
-
    -
  • - The stderr output of the CGI script is not prefixed with - standard timestamp information. -
  • -
  • - The stderr output of the CGI script is not correctly - redirected to a log file specific to the VirtualHost, if - configured. -
  • -
-
-

- (BZ#1633224) -

-
-

The IO::Socket::SSL Perl module does not - support TLS 1.3

-

- New features of the TLS 1.3 protocol, such as session resumption or post-handshake - authentication, were implemented in the RHEL 8 OpenSSL library - but not in the Net::SSLeay Perl module, and thus are - unavailable in the IO::Socket::SSL Perl module. Consequently, - client certificate authentication might fail and reestablishing sessions might be slower - than with the TLS 1.2 protocol. -

-
-

- To work around this problem, disable usage of TLS 1.3 by setting the SSL_version option to the !TLSv1_3 value - when creating an IO::Socket::SSL object. -

-

- (BZ#1632600) -

-
-

Generated Scala documentation is unreadable

-

- When generating documentation using the scaladoc command, the - resulting HTML page is unusable due to missing JavaScript resources. -

-
-

- (BZ#1641744) -

-
-
-
-
-
-

5.5.8. Desktop

-
-
-
-
-

qxl does not work on VMs based on - Wayland

-

- The qxl driver is not able to provide kernel mode setting - features on certain hypervisors. Consequently, the graphics based on the Wayland protocol - are not available to virtual machines (VMs) that use qxl, and - the Wayland-based login screen does not start. -

-
-

- To work around the problem, use either : -

-
-
    -
  • - The Xorg display server instead of - GNOME Shell on Wayland on VMs based - on QuarkXpress Element Library (QXL) graphics. -
  • -
-
-

- Or -

-
-
    -
  • - The virtio driver instead of the qxl driver for your VMs. -
  • -
-
-

- (BZ#1641763) -

-
-

The console prompt is not displayed when running systemctl isolate multi-user.target

-

- When running the systemctl isolate multi-user.target command - from GNOME Terminal in a GNOME Desktop session, only a cursor is displayed, and not the - console prompt. To work around the problem, press the Ctrl+Alt+F2 keys. As a result, the console prompt appears. -

-
-

- The behavior applies both to GNOME Shell on - Wayland and X.Org - display server. -

-

- (BZ#1678627) -

-
-
-
-
-
-

5.5.9. Graphics infrastructures

-
-
-
-
-

Desktop running on X.Org hangs when changing to low - screen resolutions

-

- When using the GNOME desktop with the X.Org display server, the desktop becomes - unresponsive if you attempt to change the screen resolution to low values. To work around - the problem, do not set the screen resolution to a value lower than 800 × 600 pixels. -

-
-

- (BZ#1655413) -

-
-

radeon fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in - the kexec context correctly. Instead, radeon falls over, which - causes the rest of the kdump service to - fail. -

-
-

- To work around this problem, blacklist radeon in kdump by adding the following line to the - /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the machine and kdump. After - starting kdump, the force_rebuild 1 line may be removed from the configuration file. -

-

- Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully. -

-

- (BZ#1694705) -

-
-
-
-
-
-

5.5.10. Hardware enablement

-
-
-
-
-

Backup slave MII status does not work when using the ARP link - monitor

-

- By default, devices managed by the i40e driver, do source pruning, which drops packets that - have the source Media Access Control (MAC) address that matches one of the receive filters. - As a consequence, backup slave Media Independent Interface (MII) status does not work when - using the Address Resolution Protocol (ARP) monitoring in channel bonding. To work around - this problem, disable source pruning by the following command: -

-
-
# ethtool --set-priv-flags <ethX> disable-source-pruning on
-

- As a result, the backup slave MII status will work as expected. -

-

- (BZ#1645433) -

-
-

The HP NMI watchdog in some cases does not generate a crash - dump

-

- The hpwdt driver for the HP NMI watchdog is sometimes not able - to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI - was instead consumed by the perfmon driver. -

-
-

- As a consequence, hpwdt in some cases cannot call a panic to - generate a crash dump. -

-

- (BZ#1602962) -

-
-
-
-
-
-

5.5.11. Identity Management

-
-
-
-
-

The KCM credential cache is not suitable for a large number of - credentials in a single credential cache

-

- The Kerberos Credential Manager (KCM) can handle ccache sizes of up to 64 kB. If it contains - too many credentials, Kerberos operations, such as kinit, fail due to a hardcoded limit on - the buffer used to transfer data between the sssd-kcm component and the underlying - database. -

-
-

- To work around this problem, add the ccache_storage = memory option - in the kcm section of the /etc/sssd/sssd.conf file. This instructs the kcm responder to only store the credential - caches in-memory, not persistently. If you do this, restarting the system or sssd-kcm clears the credential caches. -

-

- (BZ#1448094) -

-
-

Changing /etc/nsswitch.conf requires a - manual system reboot

-

- Any change to the /etc/nsswitch.conf file, for example running - the authselect select profile_id command, requires a system - reboot so that all relevant processes use the updated version of the /etc/nsswitch.conf file. If a system reboot is not possible, - restart the service that joins your system to Active Directory, which is the System Security Services Daemon (SSSD) or winbind. -

-
-

- (BZ#1657295) -

-
-

Conflicting timeout values prevent SSSD from connecting to - servers

-

- Some of the default timeout values related to the failover operations used by the System - Security Services Daemon (SSSD) are conflicting. Consequently, the timeout value reserved - for SSSD to talk to a single server prevents SSSD from trying other servers before the - connecting operation as a whole time out. To work around the problem, set the value of the - ldap_opt_timeout timeout parameter higher than the value of the - dns_resolver_timeout parameter, and set the value of the dns_resolver_timeout parameter higher than the value of the dns_resolver_op_timeout parameter. -

-
-

- (BZ#1382750) -

-
-

SSSD can look up only unique certificates in ID overrides

-

- When multiple ID overrides contain the same certificate, the System Security Services Daemon - (SSSD) is unable to resolve queries for the users that match the certificate. An attempt to - look up these users does not return any user. Note that looking up users by using their user - name or UID works as expected. -

-
-

- (BZ#1446101) -

-
-

SSSD does not correctly handle multiple certificate matching rules with - the same priority

-

- If a given certificate matches multiple certificate matching rules with the same priority, - the System Security Services Daemon (SSSD) uses only one of the rules. As a workaround, use - a single certificate matching rule whose LDAP filter consists of the filters of the - individual rules concatenated with the | (or) operator. For - examples of certificate matching rules, see the sss-certamp(5) man page. -

-
-

- (BZ#1447945) -

-
-

SSSD returns incorrect LDAP group membership for local users -

-

- If the System Security Services Daemon (SSSD) serves users from the local files, the files - provider does not include group memberships from other domains. As a consequence, if a local - user is a member of an LDAP group, the id local_user command - does not return the user’s LDAP group membership. To work around the problem, either revert - the order of the databases where the system is looking up the group membership of users in - the /etc/nsswitch.conf file, replacing sss files with files sss, or disable - the implicit files domain by adding -

-
-
enable_files_domain=False
-

- to the [sssd] section in the /etc/sssd/sssd.conf file. -

-

- As a result, id local_user returns correct LDAP group membership - for local users. -

-

- (BZ#1652562) -

-
-

Sudo rules might not work with id_provider=ad if sudo rules reference group names -

-

- System Security Services Daemon (SSSD) does not resolve Active Directory group names during - the initgroups operation because of an optimization of - communication between AD and SSSD by using a cache. The cache entry contains only a Security - Identifiers (SID) and not group names until the group is requested by name or ID. Therefore, - sudo rules do not match the AD group unless the groups are fully resolved prior to running - sudo. -

-
-

- To work around this problem, you need to disable the optimization: Open the /etc/sssd/sssd.conf file and add the ldap_use_tokengroups = false parameter in the [domain/example.com] section. -

-

- (BZ#1659457) -

-
-

Default PAM settings for systemd-user have - changed in RHEL 8 which may influence SSSD behavior

-

- The Pluggable authentication modules (PAM) stack has changed in Red Hat Enterprise Linux 8. - For example, the systemd user session now starts a PAM - conversation using the systemd-user PAM service. This service - now recursively includes the system-auth PAM service, which may - include the pam_sss.so interface. This means that the SSSD - access control is always called. -

-
-

- Be aware of the change when designing access control rules for RHEL 8 systems. For example, you - can add the systemd-user service to the allowed services list. -

-

- Please note that for some access control mechanisms, such as IPA HBAC or AD GPOs, the systemd-user service is has been added to the allowed services list - by default and you do not need to take any action. -

-

- (BZ#1669407) -

-
-

IdM server does not work in FIPS

-

- Due to an incomplete implementation of the SSL connector for Tomcat, an Identity Management - (IdM) server with a certificate server installed does not work on machines with the FIPS - mode enabled. -

-
-

- (BZ#1673296) -

-
-

Samba denies access when using the sss ID - mapping plug-in

-

- To use Samba as a file server on a RHEL host joined to an Active Directory (AD) domain, the - Samba Winbind service must be running even if SSSD is used to manage user and groups from - AD. If you join the domain using the realm join --client-software=sssd command or without specifying - the --client-software parameter in this command, realm creates only the /etc/sssd/sssd.conf file. When you run Samba on the domain member - with this configuration and add a configuration that uses the sss ID mapping back end to the /etc/samba/smb.conf file to share directories, changes in the ID - mapping back end can cause errors. Consequently, Samba denies access to files in certain - cases, even if the user or group exists and it is known by SSSD. -

-
-

- If you plan to upgrade from a previous RHEL version and the ldap_id_mapping parameter in the /etc/sssd/sssd.conf file is set to True, - which is the default, no workaround is available. In this case, do not upgrade the host to RHEL - 8 until the problem has been fixed. -

-

- Possible workarounds in other scenarios: -

-
-
    -
  • - For new installations, join the domain using the realm join --client-software=winbind command. This configures - the system to use Winbind instead of SSSD for all user and group lookups. In this case, - Samba uses the rid or ad ID - mapping plug-in in /etc/samba/smb.conf depending on whether - you set the --automatic-id-mapping option to yes (default) or no. If you plan - to use SSSD in future or on other systems, using --automatic-id-mapping=no allows an easier migration but - requires that you store POSIX UIDs and GIDs in AD for all users and groups. -
  • -
  • -

    - When upgrading from a previous RHEL version, and if the ldap_id_mapping parameter in the /etc/sssd/sssd.conf file is set to False and the system uses the uidNumber and gidNumber - attributes from AD for ID mapping: -

    -
    -
      -
    1. - Change the idmap config <domain> : backend = sss entry - in the /etc/samba/smb.conf file to idmap config <domain> : backend = ad -
    2. -
    3. - Use the systemctl status winbind command to - restart the Winbind. -
    4. -
    -
    -
  • -
-
-

- (BZ#1657665) -

-
-

The nuxwdog service fails in HSM - environments and requires to install the keyutils package - in non-HSM environments

-

- The nuxwdog watchdog service has been integrated into - Certificate System. As a consequence, nuxwdog is no longer - provided as a separate package. To use the watchdog service, install the pki-server package. -

-
-

- Note that the nuxwdog service has following known issues: -

-
-
    -
  • - The nuxwdog service does not work if you use a hardware - storage module (HSM). For this issue, no workaround is available. -
  • -
  • - In a non-HSM environment, Red Hat Enterprise Linux 8.0 does not automatically install - the keyutils package as a dependency. To install the - package manually, use the dnf install keyutils command. -
  • -
-
-

- (BZ#1652269) -

-
-

Adding ID overrides of AD users works only in the IdM CLI

-

- Currently, adding ID overrides of Active Directory (AD) users to Identity Management (IdM) - groups for the purpose of granting access to management roles fails in the IdM Web UI. To - work around the problem, use the IdM command-line interface (CLI) instead. -

-
-

- Note that if you installed the ipa-idoverride-memberof-plugin - package on the IdM server after previously performing certain operations using the ipa utility, Red Hat recommends cleaning up the ipa utility’s cache to force it to refresh its view about the IdM - server metadata. -

-

- To do so, remove the content of the ~/.cache/ipa directory for the - user under which the ipa utility is executed. For example, for - root: -

-
# rm -r /root/.cache/ipa
-

- (BZ#1651577) -

-
-

No information about required DNS records displayed when enabling - support for AD trust in IdM

-

- When enabling support for Active Directory (AD) trust in Red Hat Enterprise Linux Identity - Management (IdM) installation with external DNS management, no information about required - DNS records is displayed. Forest trust to AD is not successful until the required DNS - records are added. To work around this problem, run the 'ipa dns-update-system-records - --dry-run' command to obtain a list of all DNS records required by IdM. When external DNS - for IdM domain defines the required DNS records, establishing forest trust to AD is - possible. -

-
-

- (BZ#1665051) -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can - pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could - allow an attacker to impersonate a user by altering, for example, the UID or GID of an - object returned in an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and - decide if it is safe to use unencrypted communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa - are not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in - the /etc/sssd/sssd.conf file. The default behavior is planned to be - changed in a future release of RHEL. -

-

- (JIRA:RHELPLAN-155168) -

-
-
-
-
-
-

5.5.12. Compilers and development tools

-
-
-
-
-

Synthetic functions generated by GCC confuse SystemTap

-

- GCC optimization can generate synthetic functions for partially inlined copies of other - functions. Tools such as SystemTap and GDB can not distinguish these synthetic functions - from real functions. As a consequence, SystemTap can place probes on both synthetic and real - function entry points, and thus register multiple probe hits for a single real function - call. -

-
-

- To work around this problem, SystemTap scripts must be adapted with measures such as detecting - recursion and suppressing probes related to inlined partial functions. For example, a script -

-
probe kernel.function("can_nice").call { }
-

- can try to avoid the described problem as follows: -

-
global in_can_nice%
-
-probe kernel.function("can_nice").call {
-  in_can_nice[tid()] ++;
-  if (in_can_nice[tid()] > 1) { next }
-  /* code for real probe handler */
-}
-
-probe kernel.function("can_nice").return {
-  in_can_nice[tid()] --;
-}
-

- Note that this example script does not take into account all possible scenarios, such as missed - kprobes or kretprobes, or genuine intended recursion. -

-

- (BZ#1169184) -

-
-

The ltrace tool does not report function - calls

-

- Because of improvements to binary hardening applied to all RHEL components, the ltrace tool can no longer detect function calls in binary files - coming from RHEL components. As a consequence, ltrace output is - empty because it does not report any detected calls when used on such binary files. There is - no workaround currently available. -

-
-

- As a note, ltrace can correctly report calls in custom binary files - built without the respective hardening flags. -

-

- (BZ#1618748, BZ#1655368) -

-
-
-
-
-
-

5.5.13. File systems and storage

-
-
-
-
-

Unable to discover an iSCSI target using the iscsiuio package

-

- Red Hat Enterprise Linux 8 does not allow concurrent access to PCI register areas. As a - consequence, a could not set host net params (err 29) error was - set and the connection to the discovery portal failed. To work around this problem, set the - kernel parameter iomem=relaxed in the kernel command line for - the iSCSI offload. This specifically involves any offload using the bnx2i driver. As a result, connection to the discovery portal is - now successful and iscsiuio package now works correctly. -

-
-

- (BZ#1626629) -

-
-

VDO volumes lose deduplication advice after moving to a - different-endian platform

-

- Virtual Data Optimizer (VDO) writes the Universal Deduplication Service (UDS) index header - in the endian format native to your platform. VDO considers the UDS index corrupt and - overwrites it with a new, blank index if you move your VDO volume to a platform that uses a - different endian. -

-
-

- As a consequence, any deduplication advice stored in the UDS index prior to being overwritten is - lost. VDO is then unable to deduplicate newly written data against the data that was stored - before you moved the volume, leading to lower space savings. -

-

- (BZ#1696492) -

-
-

The XFS DAX mount option is incompatible with shared copy-on-write data - extents

-

- An XFS file system formatted with the shared copy-on-write data extents feature is not - compatible with the -o dax mount option. As a consequence, - mounting such a file system with -o dax fails. -

-
-

- To work around the problem, format the file system with the reflink=0 metadata option to disable shared copy-on-write data - extents: -

-
# mkfs.xfs -m reflink=0 block-device
-

- As a result, mounting the file system with -o dax is successful. -

-

- For more information, see Creating - a file system DAX namespace on an NVDIMM. -

-

- (BZ#1620330) -

-
-

Certain SCSI drivers might sometimes use an excessive amount of - memory

-

- Certain SCSI drivers use a larger amount of memory than in RHEL 7. In certain cases, such as - vPort creation on a Fibre Channel host bus adapter (HBA), the memory usage might be - excessive, depending upon the system configuration. -

-
-

- The increased memory usage is caused by memory preallocation in the block layer. Both the - multiqueue block device scheduling (BLK-MQ) and the multiqueue SCSI stack (SCSI-MQ) preallocate - memory for each I/O request in RHEL 8, leading to the increased memory usage. -

-

- (BZ#1733278) -

-
-
-
-
-
-

5.5.14. Networking

-
-
-
-
-

nftables does not support - multi-dimensional IP set types

-

- The nftables packet-filtering framework does not support set - types with concatenations and intervals. Consequently, you cannot use multi-dimensional IP - set types, such as hash:net,port, with nftables. -

-
-

- To work around this problem, use the iptables framework with the - ipset tool if you require multi-dimensional IP set types. -

-

- (BZ#1593711) -

-
-

The TRACE target in the iptables-extensions(8) man page does not refer to the nf_tables variant

-

- The description of the TRACE target in the iptables-extensions(8) man page refers only to the compat variant, but Red Hat Enterprise Linux (RHEL) 8.0 uses the - nf_tables variant. The nftables-based iptables utility in - RHEL uses the meta nftrace expression internally. Therefore, - the kernel does not print TRACE events in the kernel log but - sends them to the user space instead. However, the man page does not reference the xtables-monitor command-line utility to display these events. -

-
-

- (BZ#1658734) -

-
-

RHEL 8 shows the status of an 802.3ad bond as "Churned" after a switch - was unavailable for an extended period of time

-

- Currently, when you configure an 802.3ad network bond and the switch is down for an extended - period of time, Red Hat Enterprise Linux properly shows the status of the bond as "Churned", - even after the connection returns to a working state. However, this is the intended - behavior, as the "Churned" status aims to tell the administrator that a significant link - outage occurred. To clear this status, restart the network bond or reboot the host. -

-
-

- (BZ#1708807) -

-
-

The ebtables command does not support - broute table

-

- The nftables-based ebtables - command in Red Hat Enterprise Linux 8.0 does not support the broute table. Consequently, users can not use this feature. -

-
-

- (BZ#1649790) -

-
-

IPsec network traffic fails during IPsec offloading when GRO is - disabled

-

- IPsec offloading is not expected to work when Generic Receive Offload (GRO) is disabled on - the device. If IPsec offloading is configured on a network interface and GRO is disabled on - that device, IPsec network traffic fails. -

-
-

- To work around this problem, keep GRO enabled on the device. -

-

- (BZ#1649647) -

-
-

NetworkManager now - uses the internal DHCP plug-in by default

-

- NetworkManager supports the internal and dhclient DHCP plug-ins. - By default, NetworkManager in Red Hat - Enterprise Linux (RHEL) 7 uses the dhclient and RHEL 8 the - internal plug-in. In certain situations, the plug-ins behave - differently. For example, dhclient can use additional settings - specified in the /etc/dhcp/ directory. -

-
-

- If you upgrade from RHEL 7 to RHEL 8 and NetworkManager behaves different, add the - following setting to the [main] section in the /etc/NetworkManager/NetworkManager.conf file to use the dhclient plug-in: -

-
[main]
-dhcp=dhclient
-

- (BZ#1571655) -

-
-

Advanced options of IPsec based VPN cannot - be changed using gnome-control-center

-

- When configuring an IPsec based VPN connection using the gnome-control-center application, the Advanced dialog will only display the configuration, but will not - allow doing any change. As a consequence, users cannot change any advanced IPsec options. To - work around this problem, use the nm-connection-editor or nmcli tools to perform configuration of the advanced properties. -

-
-

- (BZ#1697326) -

-
-

The /etc/hosts.allow and /etc/hosts.deny files contain inaccurate - information

-

- The tcp_wrappers package is removed in Red Hat Enterprise Linux (RHEL) 8, but not its files, - /etc/hosts.allow and /etc/hosts.deny. As a consequence, these files contain outdated - information, which is not applicable for RHEL 8. -

-
-

- To work around this problem, use firewall rules for filtering access to the services. For - filtering based on usernames and hostnames, use the application-specific configuration. -

-

- (BZ#1663556) -

-
-

IP defragmentation cannot be sustainable under network traffic - overload

-

- In Red Hat Enterprise Linux 8, the garbage collection kernel thread has been removed and IP - fragments expire only on timeout. As a result, CPU usage under Denial of Service (DoS) is - much lower, and the maximum sustainable fragments drop rate is limited by the amount of - memory configured for the IP reassembly unit. With the default settings workloads requiring - fragmented traffic in presence of packet drops, packet reorder or many concurrent fragmented - flows may incur in relevant performance regression. -

-
-

- In this case, users can use the appropriate tuning of the IP fragmentation cache in the /proc/sys/net/ipv4 directory setting the ipfrag_high_thresh variable to limit the amount of memory and the - ipfrag_time variable to keep per seconds an IP fragment in memory. - For example, -

-

- echo 419430400 > /proc/sys/net/ipv4/ipfrag_high_thresh echo 1 > - /proc/sys/net/ipv4/ipfrag_time -

-

- The above applies to IPv4 traffic. For IPv6 the relevant tunables are: ip6frag_high_thresh and ip6frag_time in - the /proc/sys/net/ipv6/ directory. -

-

- Note that any workload relying on high-speed fragmented traffic can cause stability and - performance issues, especially with packet drops, and such kind of deployments are highly - discouraged in production. -

-

- (BZ#1597671) -

-
-

Network interface name changes in RHEL 8

-

- In Red Hat Enterprise Linux 8, the same consistent network device naming scheme is used by - default as in RHEL 7. However, some kernel drivers, such as e1000e, nfp, qede, sfc, tg3 and bnxt_en changed their - consistent name on a fresh installation of RHEL 8. However, the names are preserved on - upgrade from RHEL 7. -

-
-

- (BZ#1701968) -

-
-
-
-
-
-

5.5.15. Security

-
-
-
-
-

libselinux-python is available only - through its module

-

- The libselinux-python package contains only Python 2 bindings - for developing SELinux applications and it is used for backward compatibility. For this - reason, libselinux-python is no longer available in the default - RHEL 8 repositories through the dnf install libselinux-python - command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# dnf module enable libselinux-python
-# dnf install libselinux-python
-

- Alternatively, install libselinux-python using its install profile - with a single command: -

-
# dnf module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- (BZ#1666328) -

-
-

libssh does not comply with the - system-wide crypto policy

-

- The libssh library does not follow system-wide cryptographic - policy settings. As a consequence, the set of supported algorithms is not changed when the - administrator changes the crypto policies level using the update-crypto-policies command. -

-
-

- To work around this problem, the set of advertised algorithms needs to be set individually by - every application that uses libssh. As a result, when the system is - set to the LEGACY or FUTURE policy level, applications that use libssh behave inconsistently when compared to OpenSSH. -

-

- (BZ#1646563) -

-
-

Certain rsyslog priority strings do not - work correctly

-

- Support for the GnuTLS priority string - for imtcp that allows fine-grained control over encryption is - not complete. Consequently, the following priority strings do not work properly in rsyslog: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- (BZ#1679512) -

-
-

Negative effects of the default logging setup on performance -

-

- The default logging environment setup might consume 4 GB of memory or even more and - adjustments of rate-limit values are complex when systemd-journald is running with rsyslog. -

-
-

- See the Negative effects of - the RHEL default logging setup on performance and their mitigations Knowledgebase - article for more information. -

-

- (JIRA:RHELPLAN-10431) -

-
-

OpenSCAP rpmverifypackage does not work correctly

-

- The chdir and chroot system calls - are called twice by the rpmverifypackage probe. Consequently, - an error occurs when the probe is utilized during an OpenSCAP scan with custom Open - Vulnerability and Assessment Language (OVAL) content. -

-
-

- To work around this problem, do not use the rpmverifypackage_test - OVAL test in your content or use only the content from the scap-security-guide package where rpmverifypackage_test is not used. -

-

- (BZ#1646197) -

-
-

SCAP Workbench - fails to generate results-based remediations from tailored profiles

-

- The following error occurs when trying to generate results-based remediation roles from a - customized profile using the SCAP - Workbench tool: -

-
-
Error generating remediation role .../remediation.sh: Exit code of oscap was 1: [output truncated]
-

- To work around this problem, use the oscap command with the --tailoring-file option. -

-

- (BZ#1640715) -

-
-

Kickstart uses org_fedora_oscap instead of - com_redhat_oscap in RHEL 8

-

- The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda - add-on as org_fedora_oscap instead of com_redhat_oscap which might cause confusion. That is done to - preserve backward compatibility with Red Hat Enterprise Linux 7. -

-
-

- (BZ#1665082) -

-
-

OpenSCAP rpmverifyfile does not work

-

- The OpenSCAP scanner does not correctly - change the current working directory in offline mode, and the fchdir function is not called with the correct arguments in the - OpenSCAP rpmverifyfile probe. Consequently, scanning arbitrary file - systems using the oscap-chroot command fails if rpmverifyfile_test is used in an SCAP content. As a result, oscap-chroot aborts in the described scenario. -

-
-

- (BZ#1636431) -

-
-

OpenSCAP does not provide offline scanning - of virtual machines and containers

-

- Refactoring of OpenSCAP codebase caused certain RPM probes to - fail to scan VM and containers file systems in offline mode. For that reason, the following - tools were removed from the openscap-utils package: oscap-vm and oscap-chroot. Also, the - openscap-containers package was completely removed. -

-
-

- (BZ#1618489) -

-
-

A utility for security and compliance scanning of containers is not - available

-

- In Red Hat Enterprise Linux 7, the oscap-docker utility can be - used for scanning of Docker containers based on Atomic technologies. In Red Hat Enterprise - Linux 8, the Docker- and Atomic-related OpenSCAP commands are not available. As a - result, oscap-docker or an equivalent utility for security and - compliance scanning of containers is not available in RHEL 8 at the moment. -

-
-

- (BZ#1642373) -

-
-

The OpenSSL TLS library does not detect if - the PKCS#11 token supports creation of raw RSA or RSA-PSS - signatures

-

- The TLS-1.3 protocol requires the support for RSA-PSS signature. If the PKCS#11 - token does not support raw RSA or RSA-PSS signatures, the server applications which use OpenSSL TLS library will fail to - work with the RSA key if it is held by the PKCS#11 token. As a result, TLS - communication will fail. -

-
-

- To work around this problem, configure server or client to use the TLS-1.2 version as the highest TLS - protocol version available. -

-

- (BZ#1681178) -

-
-

Apache httpd fails to start if it uses an - RSA private key stored in a PKCS#11 device and an RSA-PSS certificate

-

- The PKCS#11 standard does not differentiate between RSA and RSA-PSS key objects and uses the - CKK_RSA type for both. However, OpenSSL uses different types - for RSA and RSA-PSS keys. As a consequence, the openssl-pkcs11 - engine cannot determine which type should be provided to OpenSSL for PKCS#11 RSA key - objects. Currently, the engine sets the key type as RSA keys for all PKCS#11 CKK_RSA objects. When OpenSSL compares the types of an RSA-PSS - public key obtained from the certificate with the type contained in an RSA private key - object provided by the engine, it concludes that the types are different. Therefore, the - certificate and the private key do not match. The check performed in the X509_check_private_key() OpenSSL function returns an error in - this scenario. The httpd web server calls this function in its - startup process to check if the provided certificate and key match. Since this check always - fails for a certificate containing an RSA-PSS public key and a RSA private key stored in the - PKCS#11 module, httpd fails to start using this configuration. - There is no workaround available for this issue. -

-
-

- (BZ#1664802) -

-
-

httpd fails to start if it uses an ECDSA - private key without corresponding public key stored in a PKCS#11 device

-

- Unlike RSA keys, ECDSA private keys do not necessarily contain public key information. In - this case, you cannot obtain the public key from an ECDSA private key. For this reason, a - PKCS#11 device stores public key information in a separate object whether it is a public key - object or a certificate object. OpenSSL expects the EVP_PKEY - structure provided by an engine for a private key to contain the public key information. - When filling the EVP_PKEY structure to be provided to OpenSSL, - the engine in the openssl-pkcs11 package tries to fetch the - public key information only from matching public key objects and ignores the present - certificate objects. -

-
-

- When OpenSSL requests an ECDSA private key from the engine, the provided EVP_PKEY structure does not contain the public key information if the - public key is not present in the PKCS#11 device, even when a matching certificate that contains - the public key is available. As a consequence, since the Apache httpd web server calls the X509_check_private_key() function, which requires the public key, in - its start-up process, httpd fails to start in this scenario. To - work around the problem, store both the private and public key in the PKCS#11 device when using - ECDSA keys. As a result, httpd starts correctly when ECDSA keys are - stored in the PKCS#11 device. -

-

- (BZ#1664807) -

-
-

OpenSSH does not handle PKCS #11 URIs for keys with mismatching labels - correctly

-

- The OpenSSH suite can identify key pairs by a label. The label might differ on private and - public keys stored on a smart card. Consequently, specifying PKCS #11 URIs with the object - part (key label) can prevent OpenSSH from finding appropriate objects in PKCS #11. -

-
-

- To work around this problem, specify PKCS #11 URIs without the object part. As a result, OpenSSH - is able to use keys on smart cards referenced using PKCS #11 URIs. -

-

- (BZ#1671262) -

-
-

Output of iptables-ebtables is not 100% - compatible with ebtables

-

- In RHEL 8, the ebtables command is provided by the iptables-ebtables package, which contains an nftables-based reimplementation of the tool. This tool has a - different code base, and its output deviates in aspects, which are either negligible or - deliberate design choices. -

-
-

- Consequently, when migrating your scripts parsing some ebtables - output, adjust the scripts to reflect the following: -

-
-
    -
  • - MAC address formatting has been changed to be fixed in length. Where necessary, - individual byte values contain a leading zero to maintain the format of two characters - per octet. -
  • -
  • - Formatting of IPv6 prefixes has been changed to conform with RFC 4291. The trailing part - after the slash character no longer contains a netmask in the IPv6 address format but a - prefix length. This change applies to valid (left-contiguous) masks only, while others - are still printed in the old formatting. -
  • -
-
-

- (BZ#1674536) -

-
-

curve25519-sha256 is not supported by - default in OpenSSH

-

- The curve25519-sha256 SSH key exchange algorithm is missing in - the system-wide crypto policies configurations for the OpenSSH client and server even though - it is compliant with the default policy level. As a consequence, if a client or a server - uses curve25519-sha256 and this algorithm is not supported by - the host, the connection might fail. -

-
-

- To work around this problem, you can manually override the configuration of system-wide crypto - policies by modifying the openssh.config and opensshserver.config files in the /etc/crypto-policies/back-ends/ directory for the OpenSSH client and - server. Note that this configuration is overwritten with every change of system-wide crypto - policies. See the update-crypto-policies(8) man page for more - information. -

-

- (BZ#1678661) -

-
-

OpenSSL incorrectly handles PKCS #11 - tokens that does not support raw RSA or RSA-PSS signatures

-

- The OpenSSL library does not detect key-related capabilities of - PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is - created with a token that does not support raw RSA or RSA-PSS signatures. -

-
-

- To work around the problem, add the following lines after the .include line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file: -

-
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
-MaxProtocol = TLSv1.2
-

- As a result, a TLS connection can be established in the described scenario. -

-

- (BZ#1685470) -

-
-

SSH connections with VMware-hosted systems do not work

-

- The current version of the OpenSSH suite introduces a change of - the default IP Quality of Service (IPQoS) flags in SSH packets, which is not correctly - handled by the VMware virtualization platform. Consequently, it is not possible to establish - an SSH connection with systems on VMware. -

-
-

- To work around this problem, include the IPQoS=throughput in the - ssh_config file. As a result, SSH connections with VMware-hosted - systems work correctly. -

-

- See the RHEL 8 running in - VMWare Workstation unable to connect via SSH to other hosts Knowledgebase solution - article for more information. -

-

- (BZ#1651763) -

-
-
-
-
-
-

5.5.16. Subscription management

-
-
-
-
-

No message is printed for the successful setting and unsetting of service-level

-

- When the candlepin service does not have - a 'syspurpose' functionality, subscription manager uses a different code path to set the - service-level argument. This code path does not print the - result of the operation. As a consequence, no message is displayed when the service level is - set by subscription manager. This is especially problematic when the service-level set has a typo or is not truly available. -

-
-

- (BZ#1661414) -

-
-

syspurpose addons have no effect on the - subscription-manager attach --auto output.

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role,usage, service_level_agreement and addons. - Currently, only role, usage and - service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to - set values to the addons argument will not observe any effect - on the subscriptions that are auto-attached. -

-
-

- (BZ#1687900) -

-
-
-
-
-
-

5.5.17. Virtualization

-
-
-
-
-

ESXi virtual machines that were customized using cloud-init and cloned - boot very slowly

-

- Currently, if the cloud-init service is used to modify a - virtual machine (VM) that runs on the VMware ESXi hypervisor to use static IP and the VM is - then cloned, the new cloned VM in some cases takes a very long time to reboot. This is - caused cloud-init rewriting the VM’s static IP to DHCP and then - searching for an available datasource. -

-
-

- To work around this problem, you can uninstall cloud-init after the - VM is booted for the first time. As a result, the subsequent reboots will not be slowed down. -

-

- (BZ#1666961, BZ#1706482) -

-
-

Enabling nested virtualization blocks live migration

-

- Currently, the nested virtualization feature is incompatible with live migration. Therefore, - enabling nested virtualization on a RHEL 8 host prevents migrating any virtual machines - (VMs) from the host, as well as saving VM state snapshots to disk. -

-
-

- Note that nested virtualization is currently provided as a Technology Preview in RHEL 8, and is - therefore not supported. In addition, nested virtualization is disabled by default. If you want - to enable it, use the kvm_intel.nested or kvm_amd.nested module parameters. -

-

- (BZ#1689216) -

-
-

Using cloud-init to provision virtual - machines on Microsoft Azure fails

-

- Currently, it is not possible to use the cloud-init utility to - provision a RHEL 8 virtual machine (VM) on the Microsoft Azure platform. To work around this - problem, use one of the following methods: -

-
-
-
    -
  • - Use the WALinuxAgent package instead of cloud-init to provision VMs on Microsoft Azure. -
  • -
  • -

    - Add the following setting to the [main] section in the - /etc/NetworkManager/NetworkManager.conf file: -

    -
    [main]
    -dhcp=dhclient
    -
  • -
-
-

- (BZ#1641190) -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a - Microsoft Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the - GRUB boot menu. In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, - use Hyper-V Server 2019 as the host. -

-

- (BZ#1583445) -

-
-

virsh iface-\* commands do not work - consistently

-

- Currently, virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, frequently fail due to configuration - dependencies. Therefore, it is recommended not to use virsh iface-\* commands for configuring and managing host network - connections. Instead, use the NetworkManager program and its related management - applications. -

-
-

- (BZ#1664592) -

-
-

Linux virtual machine extensions for Azure sometimes do not - work

-

- RHEL 8 does not include the python2 package by default. As a - consequence, running Linux virtual machine extensions for Azure, also known as azure-linux-extensions, on a RHEL 8 VM in some cases fails. -

-
-

- To increase the probability that azure-linux-extensions will work - as expected, install python2 on the RHEL 8 VM manually: -

-

- # yum install python2 -

-

- (BZ#1561132) -

-
-
-
-
-
-

5.5.18. Supportability

-
-
-
-
-

redhat-support-tool does not collect sosreport automatically from opencase

-

- The redhat-support-tool command cannot create a sosreport archive. To work around this problem, run the sosreport command separately and then enter the redhat-support-tool addattachment -c command to upload the - archive or use web UI on the Customer Portal. As a result, a case will be created and sosreport will be uploaded. -

-
-

- Note that the findkerneldebugs, btextract, analyze diagnose commands do not work as expected and will be fixed in future - releases. -

-

- (BZ#1688274) -

-
-
-
-
-
-
-
-

Chapter 6. Notable changes to containers

-
-
-
-

- A set of container images is available for Red Hat Enterprise Linux (RHEL) 8.0. Notable changes include: -

-
-
    -
  • -

    - Docker is not included in RHEL 8.0. For working with containers, use the podman, buildah, skopeo, and runc tools. -

    -

    - For information on these tools and on using containers in RHEL 8, see Building, - running, and managing containers. -

    -
  • -
  • -

    - The podman tool has been released as a - fully supported feature. -

    -

    - The podman tool manages pods, container - images, and containers on a single node. It is built on the libpod library, which enables management - of containers and groups of containers, called pods. -

    -

    - To learn how to use podman, see Building, - running, and managing containers. -

    -
  • -
  • -

    - In RHEL 8 GA, Red Hat Universal Base Images (UBI) are newly available. UBIs replace some of - the images Red Hat previously provided, such as the standard and the minimal RHEL base - images. -

    -

    - Unlike older Red Hat images, UBIs are freely redistributable. This means they can be used in - any environment and shared anywhere. You can use them even if you are not a Red Hat - customer. -

    -

    - For UBI documentation, see Building, - running, and managing containers. -

    -
  • -
  • - In RHEL 8 GA, additional container images are available that provide AppStream components, for - which container images are distributed with Red Hat Software - Collections in RHEL 7. All of these RHEL 8 images are based on the ubi8 base image. -
  • -
  • - Container images ARM for the 64-bit ARM architecture are fully supported in RHEL 8. -
  • -
  • - The rhel-tools container has been removed in RHEL 8. The sos and redhat-support-tool tools are - provided in the support-tools container. System administrators can - also use this image as a base for building system tools container image. -
  • -
  • -

    - The support for rootless containers is available as a technology preview in RHEL 8. -

    -

    - Rootless containers are containers that are created and managed by regular system users - without administrative permissions. -

    -
  • -
-
-
-
-
-
-
-

Chapter 7. Internationalization

-
-
-
-
-
-
-
-

7.1. Red Hat Enterprise Linux 8 International Languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangu -

-
-
-
-
-
-
-
-

7.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • -

    - Internationalization is distributed in multiple packages, which allows for smaller - footprint installations. -

    -

    - For more information, see glibc localization for RHEL is distributed in multiple - packages. -

    -
  • -
  • - The glibc package updates for multiple locales are now - synchronized with the Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- BZ#1334254, BZ#1358706 -

-
-

- NetworkManager -

-
-

- BZ#1555013, BZ#1555012, BZ#1557035, BZ#1335409, BZ#1571655 -

-
-

- PackageKit -

-
-

- BZ#1559414 -

-
-

- WALinuxAgent -

-
-

- BZ#1561132 -

-
-

- anaconda -

-
-

- BZ#1499442, BZ#1500792, BZ#1547908, BZ#1612060, BZ#1595415, BZ#1610806, BZ#1533904, - BZ#1672405, - JIRA:RHELPLAN-1943, BZ#1677411, BZ#1502323, BZ#1696609 -

-
-

- audit -

-
-

- BZ#1616428 -

-
-

- authselect -

-
-

- BZ#1657295 -

-
-

- bcc -

-
-

- BZ#1548302 -

-
-

- bind -

-
-

- BZ#1588592 -

-
-

- boom-boot -

-
-

- BZ#1649582 -

-
-

- boost -

-
-

- BZ#1494495, BZ#1616244 -

-
-

- cloud-init -

-
-

- BZ#1615599, BZ#1641190 -

-
-

- cmake -

-
-

- BZ#1590139 -

-
-

- cockpit -

-
-

- BZ#1619993, BZ#1631905 -

-
-

- criu -

-
-

- BZ#1689746 -

-
-

- crypto-policies -

-
-

- BZ#1591620, BZ#1645606, BZ#1678661, BZ#1660839 -

-
-

- cryptsetup -

-
-

- BZ#1564540 -

-
-

- device-mapper-multipath -

-
-

- BZ#1643550, BZ#1673167 -

-
-

- distribution -

-
-

- BZ#1516728, BZ#1516741, BZ#1566048 -

-
-

- dnf -

-
-

- BZ#1622580, BZ#1647760, BZ#1581191 -

-
-

- driverctl -

-
-

- BZ#1648411 -

-
-

- edk2 -

-
-

- BZ#1536627 -

-
-

- esc -

-
-

- BZ#1538645 -

-
-

- firewalld -

-
-

- BZ#1509026, BZ#1648497 -

-
-

- gcc -

-
-

- BZ#1169184, BZ#1607227, BZ#1535774, BZ#1504980, BZ#1571124, BZ#1246444, - JIRA:RHELPLAN-7437, BZ#1652016 -

-
-

- gdb -

-
-

- BZ#1491128 -

-
-

- gdm -

-
-

- BZ#1589678, BZ#1641763, BZ#1678627 -

-
-

- glib-networking -

-
-

- BZ#1640534 -

-
-

- glibc -

-
-

- BZ#1512004, BZ#1376834, BZ#1512010, BZ#1304448, BZ#1512009, BZ#1512006, BZ#1514839, - BZ#1533608 -

-
-

- gnome-control-center -

-
-

- BZ#1697326 -

-
-

- go-toolset-1.10-golang -

-
-

- BZ#1633351 -

-
-

- grub2 -

-
-

- BZ#1583445 -

-
-

- httpd -

-
-

- BZ#1633224, BZ#1632754 -

-
-

- ipa-idoverride-memberof -

-
-

- BZ#1651577 -

-
-

- ipa -

-
-

- BZ#1664718, BZ#1664719, BZ#1665051 -

-
-

- iproute -

-
-

- BZ#1640991, BZ#1589317 -

-
-

- iptables -

-
-

- BZ#1644030, BZ#1564596, BZ#1646159, BZ#1658734, - BZ#1649790, BZ#1674536 -

-
-

- iscsi-initiator-utils -

-
-

- BZ#1626629, BZ#1582099 -

-
-

- kernel-rt -

-
-

- BZ#1592977 -

-
-

- kernel -

-
-

- BZ#1598448, BZ#1559607, BZ#1643522, BZ#1485546, BZ#1562998, BZ#1494651, BZ#1485532, - BZ#1494028, BZ#1563617, BZ#1485525, BZ#1261167, BZ#1562987, BZ#1273139, BZ#1401552, - BZ#1638465, BZ#1598776, BZ#1503672, BZ#1633143, BZ#1596240, BZ#1534870, BZ#1153521, - BZ#1515987, BZ#1642795, BZ#1570255, BZ#1645744, BZ#1440031, BZ#1649647, BZ#1494705, - BZ#1650149, BZ#1655413, BZ#1651806, BZ#1620330, BZ#1665295, BZ#1505999, BZ#1645433, - BZ#1663281, BZ#1695142, BZ#1627455, BZ#1581898, BZ#1597671, BZ#1550498, BZ#1658391, - BZ#1623590, BZ#1614144, BZ#1519039, BZ#1524683, BZ#1694705 -

-
-

- kexec-tools -

-
-

- BZ#1520209, BZ#1662911 -

-
-

- kmod-kvdo -

-
-

- BZ#1534087, BZ#1639512, BZ#1696492 -

-
-

- ksh -

-
-

- BZ#1503922 -

-
-

- libdnf -

-
-

- BZ#1642458, BZ#1679509 -

-
-

- libreswan -

-
-

- BZ#1566574, BZ#1648776, BZ#1657854 -

-
-

- libssh -

-
-

- BZ#1485241 -

-
-

- libvirt -

-
-

- BZ#1528684 -

-
-

- lksctp-tools -

-
-

- BZ#1568622 -

-
-

- ltrace -

-
-

- BZ#1618748, BZ#1584322 -

-
-

- lvm2 -

-
-

- BZ#1676598, - BZ#1643543, BZ#1643545, BZ#1643547, BZ#1643549, BZ#1643562, BZ#1643576 -

-
-

- mariadb -

-
-

- BZ#1637034 -

-
-

- mdadm -

-
-

- BZ#1654482 -

-
-

- mutter -

-
-

- BZ#1668883 -

-
-

- net-snmp -

-
-

- BZ#1584510 -

-
-

- nfs-utils -

-
-

- BZ#1592011, BZ#1639432 -

-
-

- nftables -

-
-

- BZ#1593711 -

-
-

- nginx -

-
-

- BZ#1545526 -

-
-

- nodejs-10-module -

-
-

- BZ#1622118 -

-
-

- nss -

-
-

- BZ#1489094, BZ#1645153 -

-
-

- nuxwdog -

-
-

- BZ#1652269 -

-
-

- openldap -

-
-

- BZ#1570056 -

-
-

- opensc -

-
-

- BZ#1595638, BZ#1595626 -

-
-

- openscap -

-
-

- BZ#1614273, BZ#1618484, BZ#1646197, BZ#1636431, BZ#1618489, BZ#1642373, BZ#1618464 -

-
-

- openssh -

-
-

- BZ#1622511, BZ#1228088, BZ#1645038, BZ#1671262, BZ#1651763 -

-
-

- openssl-pkcs11 -

-
-

- BZ#1664802, BZ#1664807 -

-
-

- openssl -

-
-

- BZ#1685470 -

-
-

- oscap-anaconda-addon -

-
-

- BZ#1665082 -

-
-

- pacemaker -

-
-

- BZ#1543494 -

-
-

- pcs -

-
-

- BZ#1578891, BZ#1591308, BZ#1615420, BZ#1158816, BZ#1542288, BZ#1549535, BZ#1620190, - BZ#1566430, BZ#1595829, BZ#1436217, BZ#1578955, BZ#1596050, BZ#1554310, BZ#1638852, - BZ#1640477, BZ#1619620 -

-
-

- perl-IO-Socket-SSL -

-
-

- BZ#1632600 -

-
-

- perl -

-
-

- BZ#1511131 -

-
-

- pki-core -

-
-

- BZ#1565073, BZ#1623444, BZ#1566360, BZ#1394069, BZ#1669257, - BZ#1656856, BZ#1673296 -

-
-

- postgresql-9.6-module -

-
-

- BZ#1660041 -

-
-

- pykickstart -

-
-

- BZ#1637872, BZ#1612061 -

-
-

- python-rtslib -

-
-

- BZ#1666377 -

-
-

- qemu-kvm -

-
-

- BZ#1559240, BZ#1508139, BZ#1497911, BZ#1578855, BZ#1651994, BZ#1621817, BZ#1508137, - BZ#1592337, BZ#1570029, BZ#1689216, - BZ#1585651, BZ#1519004 -

-
-

- redhat-release -

-
-

- BZ#1636338 -

-
-

- redhat-support-tool -

-
-

- BZ#1688274 -

-
-

- rsyslog -

-
-

- BZ#1613880, BZ#1542497, BZ#1614179, BZ#1619645, BZ#1679512, - JIRA:RHELPLAN-10431 -

-
-

- scala-2.10-module -

-
-

- BZ#1641744 -

-
-

- scap-security-guide -

-
-

- BZ#1618505, BZ#1618528, BZ#1618518 -

-
-

- scap-workbench -

-
-

- BZ#1640715 -

-
-

- selinux-policy -

-
-

- BZ#1664345, - BZ#1594111, BZ#1592244, BZ#1549772, BZ#1483904, BZ#1626446 -

-
-

- setup -

-
-

- BZ#1591969, BZ#1663556 -

-
-

- sos -

-
-

- BZ#1559836 -

-
-

- squid -

-
-

- BZ#1656871 -

-
-

- sssd -

-
-

- BZ#1448094, BZ#1382750, BZ#1446101, BZ#1447945, BZ#1620123, BZ#1652562, BZ#1659457, BZ#1669407, BZ#1657665 -

-
-

- subscription-manager -

-
-

- BZ#1654531, BZ#1661414 -

-
-

- subversion -

-
-

- BZ#1571415 -

-
-

- swig-3.0-module -

-
-

- BZ#1660051 -

-
-

- systemd -

-
-

- BZ#1658691 -

-
-

- tomcatjss -

-
-

- BZ#1424966, BZ#1636564 -

-
-

- tuned -

-
-

- BZ#1565598 -

-
-

- valgrind -

-
-

- BZ#1500481, BZ#1538009 -

-
-

- varnish -

-
-

- BZ#1633338 -

-
-

- vdo -

-
-

- BZ#1669537 -

-
-

- virt-manager -

-
-

- BZ#1599777, BZ#1643609 -

-
-

- wpa_supplicant -

-
-

- BZ#1582538, BZ#1537143 -

-
-

- xorg-x11-server -

-
-

- BZ#1687489, BZ#1698565 -

-
-

- other -

-
-

- JIRA:RHELPLAN-10347, BZ#1646563, JIRA:RHELPLAN-2306, BZ#1640697, BZ#1623712, - BZ#1649404, BZ#1581198, BZ#1581990, BZ#1649497, BZ#1695584, - BZ#1654280, BZ#1643294, BZ#1647612, BZ#1641015, BZ#1641032, BZ#1641004, BZ#1641034, - BZ#1647110, BZ#1641007, BZ#1641029, BZ#1641022, JIRA:RHELPLAN-1212, BZ#1649493, - BZ#1559616, BZ#1699825, - BZ#1646541, BZ#1647725, BZ#1686057, - BZ#1582530, BZ#1581496, BZ#1650618, BZ#1650675, BZ#1650701, - JIRA:RHELPLAN-10439, JIRA:RHELPLAN-10440, JIRA:RHELPLAN-10442, JIRA:RHELPLAN-10443, - JIRA:RHELPLAN-10438, JIRA:RHELPLAN-2878, JIRA:RHELPLAN-10355, JIRA:RHELPLAN-3010, - JIRA:RHELPLAN-10352, JIRA:RHELPLAN-10353, JIRA:RHELPLAN-1473, JIRA:RHELPLAN-10445, - JIRA:RHELPLAN-3001, JIRA:RHELPLAN-6746, JIRA:RHELPLAN-10354, JIRA:RHELPLAN-2896, - JIRA:RHELPLAN-10304, JIRA:RHELPLAN-10628, JIRA:RHELPLAN-10441, JIRA:RHELPLAN-10444, - JIRA:RHELPLAN-1842, JIRA:RHELPLAN-10596, JIRA:RHELPLAN-7291, JIRA:RHELPLAN-12764, BZ#1680177, - JIRA:RHELPLAN-14607, JIRA:RHELPLAN-1820, BZ#1684947, BZ#1683712, - BZ#1659609, BZ#1504934, BZ#1642765, BZ#1641014, BZ#1692746, BZ#1687900, - BZ#1690207, BZ#1693775, BZ#1580387, BZ#1583620, BZ#1580430, BZ#1648843, BZ#1647908, - BZ#1649891, BZ#1695698, - BZ#1697896, BZ#1698613, - BZ#1699535, BZ#1701968, - BZ#1704867 -

-
-
-
-
-
-
-
-

Acknowledgements

-
-
-
-

- Thank you to everyone who provided feedback as part of the RHEL 8 Readiness Challenge. The top 3 winners - are: -

-
-
    -
  • - Sterling Alexander -
  • -
  • - John Pittman -
  • -
  • - Jake Hunsaker -
  • -
-
-
-
-
-
-
-

Appendix B. Revision History

-
-
-
-
-
-
0.1-7
-
-

- Thu May 9 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.1-6
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.1-5
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-4
-
-

- Thu Apr 27 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-3
-
-

- Fri Apr 29 2022, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.1-2
-
- Thu Mar 17 2022, Lucie Maňásková (lmanasko@redhat.com) -
-
-
-

- Added JIRA:RHELPLAN-14323, JIRA:RHELPLAN-14329, and JIRA:RHELPLAN-14330 to the New features section - (Virtualization). -

-
-
-
0.1-1
-
-

- Thu Dec 23 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about the Soft-RoCE driver, rdma_rxe, - to Technology Previews BZ#1605216 and - Deprecated functionality BZ#1878207 (Kernel). -
  • -
-
-
-
0.1-0
-
-

- Thu Sep 23 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Removed an invalid new feature description (Virtualization). -
  • -
-
-
-
0.0-9
-
-

- Thu Aug 19 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
- -
-
-
0.0-8
-
-

- Wed Jun 23 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the New features section (Installer). -
  • -
-
-
-
0.0-7
-
-

- Tue Apr 06 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Improved the list of supported architectures. -
  • -
-
-
-
0.0-6
-
-

- Thu Jan 28 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the Technology Previews chapter. -
  • -
-
-
-
0.0-5
-
-

- Thu Dec 10 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about handling AD GPOs in SSSD to New features (Identity - Management). -
  • -
-
-
-
0.0-4
-
-

- Tue Apr 28 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated information about in-place upgrades in Overview. -
  • -
-
-
-
0.0-3
-
-

- Thu Mar 12 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added the missing postfix RHEL system role to - Technology Previews. -
  • -
-
-
-
0.0-2
-
-

- Wed Feb 12 2020, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Provided a complete kernel version to Architectures and New Features chapters. -
  • -
-
-
-
0.0-1
-
-

- Tue Jul 30 2019, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.0.1 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Tue May 07 2019, Ioanna Gkioka (igkioka@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.0 Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
-
diff --git a/app/data/8.1.html b/app/data/8.1.html
deleted file mode 100644
index 3a82411..0000000
--- a/app/data/8.1.html
+++ /dev/null
@@ -1,11706 +0,0 @@
-
-
-
-
-
Red Hat Enterprise Linux 8.1
-
-

Release Notes for Red Hat Enterprise Linux 8.1

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.1 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your input on our documentation. Please let us know how we could make it better. To do so: -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-

Installer and image creation

-

- Users can now disable modules during a Kickstart installation. -

-

- See Section 6.1.1, “Installer and image creation” for - further details. -

-

Red Hat Enterprise Linux system roles

-

- A new storage role has been added to RHEL system roles. -

-

- See Section 6.1.17, “Red Hat Enterprise Linux - system roles” for details. -

-

Infrastructure services

-

- RHEL 8.1 introduces a new routing protocol stack, FRR, which replaces Quagga - that was used on previous versions of RHEL. FRR provides TCP/IP-based routing - services with support for multiple IPv4 and IPv6 routing protocols. -

-

- The Tuned system tuning tool has been - rebased to version 2.12, which adds support for negation of CPU list. -

-

- The chrony suite has been rebased to - version 3.5, which adds support for more accurate synchronization of the system clock with hardware - timestamping in RHEL 8.1 kernel. -

-

- For more information, see Section 6.1.4, “Infrastructure services”. -

-

Security

-

- RHEL 8.1 introduces a new tool for generating SELinux policies for containers: udica. - With udica, you can create a tailored - security policy for better control of how a container accesses host system resources, such as storage, - devices, and network. This enables you to harden your container deployments against security violations - and it also simplifies achieving and maintaining regulatory compliance. -

-

- The fapolicyd software framework introduces a form - of application whitelisting and blacklisting based on a user-defined policy. The RHEL 8.1 application - whitelisting feature provides one of the most efficient ways to prevent running untrusted and possibly - malicious applications on the system. -

-

- A security compliance suite, OpenSCAP, now supports - SCAP 1.3 data streams and provides improved reports. -

-

- See Section 6.1.5, “Security” - for more information. -

-

Kernel

-

- Live patching for the kernel, kpatch, is now available, which enables you - to consume Critical and Important CVEs fixes without the need to reboot your system. -

-

- Extended Berkeley Packet Filter (eBPF) is an - in-kernel virtual machine that allows code execution in the kernel space. eBPF is utilized by a number of components in RHEL. In - RHEL 8.1, the BPF Compiler Collection (BCC) tools - package is fully supported on the AMD and Intel 64-bit architectures, and available as a Technology - Preview for other architectures. In addition, the bpftrace tracing language - and the eXpress Data Path (XDP) feature are - available as a Technology Preview. -

-

- For more information, see Section 6.1.7, “Kernel” and Section 6.5.2, “Kernel”. -

-

File systems and storage

-

- The LUKS version 2 (LUKS2) format now supports - re-encrypting block devices while the devices are in use. -

-

- See Section 6.1.9, “File systems and storage” for more - information. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following components are now available as new module streams: -

-
-
    -
  • - PHP 7.3 -
  • -
  • - Ruby 2.6 -
  • -
  • - Node.js 12 -
  • -
  • - nginx 1.16 -
  • -
-
-

- See Section 6.1.11, “Dynamic - programming languages, web and database servers” for details. -

-

Compiler toolsets

-

- RHEL 8.1 introduces a new compiler toolset, GCC Toolset - 9, an Application Stream packaged as a Software Collection, which provides - recent versions of development tools. -

-

- In addition, the following compiler toolsets have been upgraded: -

-
-
    -
  • - LLVM 8.0.1 -
  • -
  • - Rust Toolset 1.37 -
  • -
  • - Go Toolset 1.12.8 -
  • -
-
-

- See Section 6.1.12, “Compilers and development - tools” for more information. -

-

Identity Management

-

- Identity Management introduces a new command-line tool - Healthcheck. Healthcheck helps users find issues that may impact - the fitness of their IdM environments. -

-

- See Section 6.1.13, “Identity Management” for details. -

-

- Identity Management now supports Ansible roles and modules for installation and management. This update - makes installation and configuration of IdM-based solutions easier. -

-

- See Section 6.1.13, “Identity Management” for more information. -

-

Desktop

-

- Workspace switcher in the GNOME Classic environment has been modified. The switcher is now located in - the right part of the bottom bar, and it is designed as a horizontal strip of thumbnails. Switching - between workspaces is possible by clicking on the required thumbnail. For more information,see Section 6.1.14, “Desktop”. -

-

- The Direct Rendering Manager (DRM) kernel graphics - subsystem has been rebased to upstream Linux kernel version 5.1. This version provides a number of - enhancements over the previous version, including support for new GPUs and APUs, and various driver - updates. See Section 6.1.14, - “Desktop” for further details. -

-

In-place upgrade from RHEL 7 to RHEL 8

-

- The following major enhancements have been introduced: -

-
-
    -
  • - Support for an in-place upgrade on the following architectures has been added: 64-bit ARM, IBM - POWER (little endian), IBM Z. -
  • -
  • - It is now possible to perform a pre-upgrade system assessment in the web console and apply - automated remediations using the new cockpit-leapp plug-in. -
  • -
  • - The /var or /usr directories can now - be mounted on a separate partition. -
  • -
  • - UEFI is now supported. -
  • -
  • - Leapp now upgrades packages from the - Supplementary repository. -
  • -
-
-

- For information about supported upgrade paths, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. For instructions on how to perform an in-place upgrade, see Upgrading - from RHEL 7 to RHEL 8. -

-

- If you are using CentOS Linux 7 or Oracle Linux 7, you can convert your operating system to RHEL 7 using - the convert2rhel utility prior to upgrading to RHEL 8. For - instructions, see Converting - from an RPM-based Linux distribution to RHEL. -

-

Additional resources

-
- -
-

Red Hat Customer Portal Labs

-

- Red Hat Customer Portal Labs is a set of tools in a - section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.1 is distributed with the kernel version 4.18.0-147, which provides support - for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Important Changes to External Kernel Parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel shipped - with Red Hat Enterprise Linux 8.1. These changes include added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any - noticeable behavior changes. -

-

New kernel parameters

-
-
-
perf_v4_pmi = [X86,INTEL]
-
-

- This parameter disables the Intel PMU counter freezing feature. -

-

- The feature only exists starting from Arch Perfmon v4 (Skylake and newer). -

-

- Format: <bool> -

-
-
hv_nopvspin [X86,HYPER_V]
-
- This parameter disables the paravirtual spinlock optimizations which allow the hypervisor to - 'idle' the guest on lock contention. -
-
ipcmni_extend [KNL]
-
- This parameter extends the maximum number of unique System V IPC identifiers from 32,768 to - 16,777,216. -
-
kpti = [ARM64]
-
-

- This parameter controls the page table isolation of user and kernel address spaces. -

-

- The options are: -

-
-
    -
  • - Default: enabled on cores which need mitigation. -
  • -
  • - 0: force disabled -
  • -
  • - 1: force enabled -
  • -
-
-
-
mds = [X86,INTEL]
-
-

- This parameter controls the mitigation for the Micro-architectural Data Sampling (MDS) - vulnerability. -

-

- Certain CPUs are vulnerable to an exploit against CPU internal buffers which can forward - information to a disclosure gadget under certain conditions. In vulnerable processors, the - speculatively forwarded data can be used in a cache side channel attack, to access data to - which the attacker does not have direct access. -

-

- The options are: -

-
-
    -
  • - full - Enable MDS mitigation on vulnerable CPUs. -
  • -
  • - full,nosmt - Enable MDS mitigation and disable - Simultaneous Multi Threading (SMT) on vulnerable CPUs. -
  • -
  • -

    - off - Unconditionally disable MDS mitigation. -

    -

    - Not specifying this parameter is equivalent to mds=full. -

    -

    - For details see the upstream kernel - documentation. -

    -
  • -
-
-
-
mitigations = [X86,PPC,S390,ARM64]
-
-

- This parameter controls the optional mitigations for CPU vulnerabilities. This is a set of - curated, arch-independent options, each of which is an aggregation of existing arch-specific - options. -

-

- The options are: -

-
-
    -
  • -

    - off - Disable all optional CPU mitigations. This - improves the system performance, but it may also expose users to several CPU - vulnerabilities. -

    -

    - Equivalent to: -

    -
    -
      -
    • - nopti [X86,PPC] -
    • -
    • - kpti=0 [ARM64] -
    • -
    • - nospectre_v1 [X86,PPC] -
    • -
    • - nobp=0 [S390] -
    • -
    • - nospectre_v2 [X86,PPC,S390,ARM64] -
    • -
    • - spectre_v2_user=off [X86] -
    • -
    • - spec_store_bypass_disable=off [X86,PPC] -
    • -
    • - ssbd=force-off [ARM64] -
    • -
    • - l1tf=off [X86] -
    • -
    • - mds=off [X86] -
    • -
    -
    -
  • -
  • -

    - auto (default) - Mitigate all CPU vulnerabilities, - but leave Simultaneous Multi Threading (SMT) enabled, even if it is vulnerable. - This option is for users who do not want to be surprised by SMT getting disabled - across kernel upgrades, or who have other ways of avoiding SMT-based attacks. -

    -

    - Equivalent to: -

    -
    -
      -
    • - (default behavior) -
    • -
    -
    -
  • -
  • -

    - auto,nosmt - Mitigate all CPU vulnerabilities, - disabling Simultaneous Multi Threading (SMT) if needed. This option is for users - who always want to be fully mitigated, even if it means losing SMT. -

    -

    - Equivalent to: -

    -
    -
      -
    • - l1tf=flush,nosmt [X86] -
    • -
    • - mds=full,nosmt [X86] -
    • -
    -
    -
  • -
-
-
-
novmcoredd [KNL,KDUMP]
-
-

- This parameter disables device dump. -

-

- The device dump allows drivers to append dump data to vmcore so you can collect driver - specified debug info. Drivers can append the data without any limit and this data is stored - in memory, so this may cause significant memory stress. -

-

- Disabling the device dump can help save memory but the driver debug data will be no longer - available. -

-

- This parameter is only available when the CONFIG_PROC_VMCORE_DEVICE_DUMP kernel configuration is set. -

-
-
nospectre_v1 [X86]
-
-

- This parameter disables mitigations for Spectre Variant 1 (bounds check bypass). -

-

- With this option, data leaks are possible in the system. -

-
-
psi = [KNL]
-
-

- This parameter enables or disables pressure stall information tracking. -

-

- Format: <bool> -

-
-
random.trust_cpu={on,off} [KNL]
-
- This parameter enables or disables trusting the use of the CPU’s random number generator (if - available) to fully seed the kernel’s Cryptographic Random Number Generator (CRNG). The default - is controlled by the CONFIG_RANDOM_TRUST_CPU kernel config. -
-
vm_debug[=options] [KNL]
-
-

- Available with CONFIG_DEBUG_VM=y. -

-

- Enabling this parameter may slow down the system boot speed, especially on systems with a - large amount of memory. -

-

- All options are enabled by default, and this interface is meant to allow for selectively - enabling or disabling specific virtual memory debugging features. -

-

- The options are: -

-
-
    -
  • - P - Enable page structure init time poisoning. -
  • -
  • - - (dash) - Disable all of the above options. -
  • -
-
-
-
-
-

Updated kernel parameters

-
-
-
cgroup_no_v1 = [KNL]
-
-

- This parameter disables cgroup controllers and named hierarchies in version 1 (v1). -

-

- The parameter is like the cgroup_disable kernel parameter, but - only applies to cgroup v1. The blacklisted controllers remain available in cgroup2. The - "all" option blacklists all controllers and the "named" option disables the named mounts. - Specifying both "all" and "named" disables all v1 hierarchies. -

-

- Format: { { controller | "all" | "named" } [,{ controller | "all" | "named" }…​] } -

-
-
crashkernel = size[KMG][@offset[KMG]][KNL]
-
-

- The kexec system call allows Linux to switch to a 'crash - kernel' upon panic. This parameter reserves the physical memory region [offset, offset + - size] for that kernel image. If @offset is omitted, then a - suitable offset is selected automatically. -

-

- [KNL, x86_64] select a region under 4G first, and fall back to reserve region above 4G when - @offset has not been specified. -

-

- For more information, see the upstream kdump documentation. -

-
-
l1tf = [X86]
-
-

- This parameter controls the mitigation of the L1 Terminal Fault (L1TF) vulnerability on the - affected CPUs. -

-

- The options are: -

-
-
    -
  • - off - Disables hypervisor mitigations and does not emit - any warnings. It also drops the swap size and available RAM limit restriction on - both hypervisor and bare metal. -
  • -
  • -

    - flush - Is the default. -

    -

    - For details see the upstream kernel - documentation. -

    -
  • -
-
-
-
nospectre_v2 [X86,PPC_FSL_BOOK3E,ARM64]
-
-

- This parameter disables all mitigations for the Spectre variant 2 (indirect branch - prediction) vulnerability. -

-

- The system may allow data leaks with this parameter. -

-
-
pci=option[,option…​] [PCI]
-
-

- Various PCI subsystem options. -

-

- The options are: -

-
-
    -
  • - force_floating [S390] - Force usage of floating - interrupts. -
  • -
  • - nomio [S390] - Do not use memory input/output (MIO) - instructions. -
  • -
-
-
-
-
-

New /proc/sys/kernel parameters

-
-
-
hyperv_record_panic_msg
-
-

- This parameter controls whether the panic kernel message (kmsg) data is reported to Hyper-V - or not. -

-

- The values are: -

-
-
    -
  • - 0 - Do not report the panic kmsg data. -
  • -
  • - 1 - Report the panic kmsg data. This is the default - behavior. -
  • -
-
-
-
-
-

New /proc/sys/net parameters

-
-
-
bpf_jit_limit
-
-

- This parameter enforces a global limit for memory allocations to the Berkeley Packet Filter - Just-in-Time (BPF JIT) compiler in order to reject the unprivileged JIT requests once it has - been surpassed. -

-

- The bpf_jit_limit parameter contains the value of the global - limit in bytes. -

-
-
-
-

Updated /proc/sys/fs parameters

-
-
-
dentry-state
-
-

- Dentries are dynamically allocated and deallocated. -

-

- The user is able to retrieve the following values from reading the /proc/sys/fs/dentry-state file: -

-
-
    -
  • - nr_dentry - Shows the total number of dentries - allocated (active + unused). -
  • -
  • - nr_unused - Shows the number of dentries that are not - actively used, but are saved in the Least recently used (LRU) list for future reuse. -
  • -
  • - age_limit - Shows the age in seconds after which the - dcache entries can be reclaimed when the memory is - short. -
  • -
  • - want_pages - Is nonzero when the shrink_dcache_pages() function has been called and the - dcache is not pruned yet. -
  • -
  • - nr_negative - Shows the number of unused dentries that - are also negative dentries which do not map to any files. Instead, they help - speeding up rejection of non-existing files provided by the users. -
  • -
-
-
-
-
-

Updated /proc/sys/kernel parameters

-
-
-
msg_next_id, sem_next_id, and shm_next_id
-
-

- Notes: -

-
-
    -
  1. - The kernel does not guarantee that new object will have desired ID. It is up to the - userspace, how to handle an object with the "wrong" ID. -
  2. -
  3. - Toggle with the non-default value will be set back to -1 by the kernel after - successful Inter-process Communication (IPC) object allocation. If the IPC object - allocation syscall fails, it is undefined if the value remains unmodified or is - reset to -1. -
  4. -
-
-
-
-
-
-
-
-
-
-

Chapter 4. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

4.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Binary DVD ISO image is larger than 4.7 GB, and as a result, it might not - fit on a single-layer DVD. A dual-layer DVD or USB key is recommended when using - the Binary DVD ISO image to create bootable installation media. You can also use - the Image Builder tool to create customized RHEL images. For more information - about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 8 installation document. -

-
-
-
-
-
-

4.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

4.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of user - space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

4.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 5. RHEL 8.1.1 release

-
-
-
-

- Red Hat makes Red Hat Enterprise Linux 8 content available quarterly, in between minor releases (8.Y). - The quarterly releases are numbered using the third digit (8.Y.1). The new features in the RHEL 8.1.1 - release are described below. -

-
-
-
-
-

5.1. New features

-
-
-
-
-

A new module stream: postgresql:12 -

-

- The RHEL 8.1.1 release introduces PostgreSQL 12, which provides a - number of new features and enhancements over version 10. Notable changes include: -

-
-
-
    -
  • - The PostgreSQL Audit Extension, pgaudit, which provides - detailed session and object audit logging through the standard PostgreSQL logging facility -
  • -
  • - Improvements to the partitioning functionality, for example, support for hash partitioning -
  • -
  • - Enhancements to query parallelism -
  • -
  • - Stored SQL procedures enabling transaction management -
  • -
  • - Various performance improvements -
  • -
  • - Enhancements to the administrative functionality -
  • -
  • - Support for the SQL/JSON path language -
  • -
  • - Stored generated columns -
  • -
  • - Nondeterministic collations -
  • -
  • - New authentication features, including encryption of TCP/IP connections when using GSSAPI - authentication or multi-factor authentication. -
  • -
-
-

- Note that support for Just-In-Time (JIT) compilation, available in upstream since PostgreSQL 11, is - not provided by the postgresql:12 module stream. -

-

- To install the postgresql:12 stream, use: -

-
# yum module install postgresql:12
-

- If you want to upgrade from an earlier postgresql stream within RHEL 8, - follow the procedure described in Switching - to a later stream and then migrate your PostgreSQL data as described in Migrating - to a RHEL 8 version of PostgreSQL. -

-

- (JIRA:RHELPLAN-26926) -

-
-

Rust Toolset rebased to version 1.39

-

- Rust Toolset has been updated to version 1.39. Notable changes include: -

-
-
-
    -
  • - The async - .await syntax has been - added to stable Rust. You can now define async functions and - blocks and .await them. -
  • -
  • - Enhanced pipelined compilation improves build time for optimized, clean builds of some crate - graphs by 10-20%. -
  • -
  • - When the by-move bindings are in the - main pattern of a match expression, if guards can now reference those bindings. -
  • -
  • - Rust is supposed to detect memory-safety bugs at compile time, but the previous borrow - checker had limitations and allowed undefined behaviour and memory unsafety. The new NLL - borrow checker can find these problems and was raising warnings about that as a migration - step. These warnings are now hard errors. -
  • -
  • - The rustc compiler now provides a lint - when functions mem::{uninitialized, zeroed} are used to - initialize some of the types, for example, &T and Box<T>. -
  • -
  • - The following functions are now const fn in the standard - library: Vec::new, String::new, - LinkedList::new, str::len, [T]::len, str::as_bytes, abs, wrapping_abs, and overflowing_abs. -
  • -
-
-

- To install the Rust Toolset module stream, run the following command as root: -

-
# yum module install rust-toolset
-

- For detailed instructions regarding usage, see Using Rust - Toolset. -

-

- (BZ#1680096) -

-
-

A new module: jmc:rhel8

-

- RHEL 8.1.1 introduces JDK Mission Control (JMC), a powerful profiler for HotSpot JVMs, as a new - jmc module. JMC provides an advanced set of tools for efficient and - detailed analysis of extensive data collected by the JDK Flight Recorder. The tool chain enables - developers and administrators to collect and analyze data from Java applications running locally - or deployed in production environments. Note that JMC requires JDK version 8 or later to run. - Target Java applications must run with at least OpenJDK version 11 so that JMC can access JDK - Flight Recorder features. -

-
-

- The jmc:rhel8 module stream has two profiles: -

-
-
    -
  • - The common profile, which installs the entire JMC application -
  • -
  • - The core profile, which installs only the core Java libraries - (jmc-core) -
  • -
-
-

- To install the common profile of the jmc:rhel8 module stream, use: -

-
# yum module install jmc:rhel8/common
-

- Change the profile name to core to install only the jmc-core package. -

-

- (BZ#1716452) -

-
-

NET Core 3.1 now available in RHEL 8

-

- This update adds the .NET Core 3.1 Software Development Kit (SDK) and the .NET Core 3.1 Runtime - to RHEL 8. In addition, the ASP.NET Core 3.1 framework for building web application and services - is now available. -

-
-

- (BZ#1711405) -

-
-

A new installer for virtio-win drivers

-

- An interactive Windows Installer has been added to the virtio-win - package. This makes it possible to easily and efficiently install paravirtualized KVM drivers in - virtual machines that use Microsoft Windows as their guest operating systems. -

-
-

- (BZ#1745298) -

-
-

container-tools updated

-

- The container-tools module, which contains the podman, buildah, skopeo, and runc tools, has been - updated. The tools in the container are now built with FIPS mode enabled. In addition, this - update fixes several bugs and a security issue. -

-
-

- (BZ#1783277) -

-
-

conmon is now in a separate package -

-

- The conmon open container initiative (OCI) container runtime - monitor utility has been moved into a separate conmon package. It is no longer available in the - podman package. -

-
-

- (BZ#1753209) -

-
-
-
-
-
-
-

Chapter 6. RHEL 8.1.0 release

-
-
-
-
-
-
-
-

6.1. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.1. -

-
-
-
-
-

6.1.1. Installer and image creation

-
-
-
-
-

Modules can now be disabled during Kickstart installation

-

- With this enhancement, users can now disable a module to prevent the installation of - packages from the module. To disable a module during Kickstart installation, use the - command: -

-
-

- module --name=foo --stream=bar --disable -

-

- (BZ#1655523) -

-
-

Support for the repo.git section to - blueprints is now available

-

- A new repo.git blueprint section allows users to include extra - files in their image build. The files must be hosted in git repository that is accessible - from the lorax-composer build server. -

-
-

- (BZ#1709594) -

-
-

Image Builder now supports image creation for more cloud - providers

-

- With this update, the Image Builder expanded the number of Cloud Providers that the Image - Builder can create an image for. As a result, now you can create RHEL images that can be - deployed also on Google Cloud and Alibaba Cloud as well as run the custom instances on these - platforms. -

-
-

- (BZ#1689140) -

-
-
-
-
-
-

6.1.2. Software management

-
-
-
-
-

dnf-utils has been renamed to yum-utils

-

- With this update, the dnf-utils package, that is a part of the - YUM stack, has been renamed to yum-utils. For compatibility reasons, the package can still be - installed using the dnf-utils name, and will automatically - replace the original package when upgrading your system. -

-
-

- (BZ#1722093) -

-
-
-
-
-
-

6.1.3. Subscription management

-
-
-
-
-

subscription-manager now reports the role, - usage and add-ons values

-

- With this update, the subscription-manager can now display the - Role, Usage and Add-ons values for each subscription available in the current organization, - which is registered to either the Customer Portal or to the Satellite. -

-
-
-
    -
  • -

    - To show the available subscriptions with the addition of Role, Usage and Add-ons - values for those subscriptions use: -

    -
    # subscription-manager list --available
    -
  • -
  • -

    - To show the consumed subscriptions including the additional Role, Usage and Add-ons - values use: -

    -
    # subscription-manager list --consumed
    -
  • -
-
-

- (BZ#1665167) -

-
-
-
-
-
-

6.1.4. Infrastructure services

-
-
-
-
-

tuned rebased to version 2.12

-

- The tuned packages have been upgraded to upstream version 2.12, - which provides a number of bug fixes and enhancements over the previous version, notably: -

-
-
-
    -
  • - Handling of devices that have been removed and reattached has been fixed. -
  • -
  • - Support for negation of CPU list has been added. -
  • -
  • - Performance of runtime kernel parameter configuration has been improved by switching - from the sysctl tool to a new implementation specific to - Tuned. -
  • -
-
-

- (BZ#1685585) -

-
-

chrony rebased to version 3.5

-

- The chrony packages have been upgraded to upstream version 3.5, - which provides a number of bug fixes and enhancements over the previous version, notably: -

-
-
-
    -
  • - Support for more accurate synchronization of the system clock with hardware timestamping - in RHEL 8.1 kernel has been added. -
  • -
  • - Hardware timestamping has received significant improvements. -
  • -
  • - The range of available polling intervals has been extended. -
  • -
  • - The filter option has been added to NTP sources. -
  • -
-
-

- (BZ#1685469) -

-
-

New FRRouting - routing protocol stack is available

-

- With this update, Quagga has been - replaced by Free Range Routing (FRRouting, or FRR), which is a new routing protocol - stack. FRR is provided by the frr package available in the AppStream repository. -

-
-

- FRR provides TCP/IP-based routing services - with support for multiple IPv4 and IPv6 routing protocols, such as BGP, IS-IS, OSPF, PIM, and RIP. -

-

- With FRR installed, the system can act as a - dedicated router, which exchanges routing information with other routers in either internal or - external network. -

-

- (BZ#1657029) -

-
-

GNU enscript now supports ISO-8859-15 encoding

-

- With this update, support for ISO-8859-15 encoding has been added into the GNU enscript - program. -

-
-

- (BZ#1664366) -

-
-

Improved accuracy of measuring system clock offset in phc2sys

-

- The phc2sys program from the linuxptp packages now supports a more accurate method for - measuring the offset of the system clock. -

-
-

- (BZ#1677217) -

-
-

ptp4l now supports - team interfaces in active-backup mode

-

- With this update, support for team interfaces in active-backup mode has been added into the - PTP Boundary/Ordinary Clock (ptp4l). -

-
-

- (BZ#1685467) -

-
-

The PTP time synchronization on macvlan interfaces is now supported

-

- This update adds support for hardware timestamping on macvlan - interfaces into the Linux kernel. As a result, macvlan - interfaces can now use the Precision Time Protocol (PTP) for - time synchronization. -

-
-

- (BZ#1664359) -

-
-
-
-
-
-

6.1.5. Security

-
-
-
-
-

New package: fapolicyd

-

- The fapolicyd software framework introduces a form of - application whitelisting and blacklisting based on a user-defined policy. The application - whitelisting feature provides one of the most efficient ways to prevent running untrusted - and possibly malicious applications on the system. -

-
-

- The fapolicyd framework provides the following components: -

-
-
    -
  • - fapolicyd service -
  • -
  • - fapolicyd command-line utilities -
  • -
  • - yum plugin -
  • -
  • - rule language -
  • -
-
-

- Administrator can define the allow and deny execution rules, both with possibility of auditing, based on a - path, hash, MIME type, or trust for any application. -

-

- Note that every fapolicyd setup affects overall system performance. - The performance hit varies depending on the use case. The application whitelisting slow-downs - the open() and exec() system calls, - and therefore primarily affects applications that perform such system calls frequently. -

-

- See the fapolicyd(8), fapolicyd.rules(5), and fapolicyd.conf(5) man pages for more information. -

-

- (BZ#1673323) -

-
-

New package: udica

-

- The new udica package provides a tool for generation SELinux - policies for containers. With udica, you can create a tailored - security policy for better control of how a container accesses host system resources, such - as storage, devices, and network. This enables you to harden your container deployments - against security violations and it also simplifies achieving and maintaining regulatory - compliance. -

-
-

- See the Creating - SELinux policies for containers section in the RHEL 8 Using SELinux title for more - information. -

-

- (BZ#1673643) -

-
-

SELinux user-space tools updated to version 2.9

-

- The libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans SELinux - user-space tools have been upgraded to the latest upstream release 2.9, which provides many - bug fixes and enhancements over the previous version. -

-
-

- (BZ#1672638, BZ#1672642, BZ#1672637, BZ#1672640, BZ#1672635, BZ#1672641) -

-
-

SETools updated to version 4.2.2

-

- The SETools collection of tools and libraries has been upgraded to the latest upstream - release 4.2.2, which provides the following changes: -

-
-
-
    -
  • - Removed source policy references from man pages, as loading source policies is no longer - supported -
  • -
  • - Fixed a performance regression in alias loading -
  • -
-
-

- (BZ#1672631) -

-
-

selinux-policy rebased to 3.14.3 -

-

- The selinux-policy package has been upgraded to upstream - version 3.14.3, which provides a number of bug fixes and enhancements to the allow rules - over the previous version. -

-
-

- (BZ#1673107) -

-
-

A new SELinux type: boltd_t

-

- A new SELinux type, boltd_t, confines boltd, a system daemon for managing Thunderbolt 3 devices. As a - result, boltd now runs as a confined service in SELinux - enforcing mode. -

-
-

- (BZ#1684103) -

-
-

A new SELinux policy class: bpf -

-

- A new SELinux policy class, bpf, has been introduced. The bpf class enables users to control the Berkeley Packet Filter - (BPF) flow through SElinux, and allows inspection and simple manipulation of Extended - Berkeley Packet Filter (eBPF) programs and maps controlled by SELinux. -

-
-

- (BZ#1673056) -

-
-

OpenSCAP rebased to version 1.3.1

-

- The openscap packages have been upgraded to upstream version - 1.3.1, which provides many bug fixes and enhancements over the previous version, most - notably: -

-
-
-
    -
  • - Support for SCAP 1.3 source data streams: evaluating, XML schemas, and validation -
  • -
  • - Tailoring files are included in ARF result files -
  • -
  • - OVAL details are always shown in HTML reports, users do not have to provide the --oval-results option -
  • -
  • - HTML report displays OVAL test details also for OVAL tests included from other OVAL - definitions using the OVAL extend_definition element -
  • -
  • - OVAL test IDs are shown in HTML reports -
  • -
  • - Rule IDs are shown in HTML guides -
  • -
-
-

- (BZ#1718826) -

-
-

OpenSCAP now - supports SCAP 1.3

-

- The OpenSCAP suite now supports data - streams conforming to the latest version of the SCAP standard - SCAP 1.3. You can now use - SCAP 1.3 data streams, such as those contained in the scap-security-guide package, in the same way as SCAP 1.2 data - streams without any additional usability restrictions. -

-
-

- (BZ#1709429) -

-
-

scap-security-guide rebased to version - 0.1.46

-

- The scap-security-guide packages have been upgraded to upstream - version 0.1.46, which provides many bug fixes and enhancements over the previous version, - most notably: * SCAP content conforms to the latest version of SCAP standard, SCAP 1.3 * - SCAP content supports UBI images -

-
-

- (BZ#1718839) -

-
-

OpenSSH rebased to - 8.0p1

-

- The openssh packages have been upgraded to upstream version - 8.0p1, which provides many bug fixes and enhancements over the previous version, most - notably: -

-
-
-
    -
  • - Increased default RSA key size to 3072 bits for the ssh-keygen tool -
  • -
  • - Removed support for the ShowPatchLevel configuration option -
  • -
  • - Applied numerous GSSAPI key exchange code fixes, such as the fix of Kerberos cleanup - procedures -
  • -
  • - Removed fall back to the sshd_net_t SELinux context -
  • -
  • - Added support for Match final blocks -
  • -
  • - Fixed minor issues in the ssh-copy-id command -
  • -
  • - Fixed Common Vulnerabilities and Exposures (CVE) related to the scp utility (CVE-2019-6111, CVE-2018-20685, CVE-2019-6109) -
  • -
-
-

- Note, that this release introduces minor incompatibility of scp as - mitigation of CVE-2019-6111. If your scripts depend on advanced bash expansions of the path - during an scp download, you can use the -T switch to turn off these - mitigations temporarily when connecting to trusted servers. -

-

- (BZ#1691045) -

-
-

libssh now complies with the system-wide - crypto-policies

-

- The libssh client and server now automatically load the /etc/libssh/libssh_client.config file and the /etc/libssh/libssh_server.config, respectively. This - configuration file includes the options set by the system-wide crypto-policies component for the libssh back end and the options set in the /etc/ssh/ssh_config or /etc/ssh/sshd_config OpenSSH configuration file. With automatic - loading of the configuration file, libssh now use the - system-wide cryptographic settings set by crypto-policies. This - change simplifies control over the set of used cryptographic algorithms by applications. -

-
-

- (BZ#1610883, BZ#1610884) -

-
-

An option for rsyslog to preserve case of - FROMHOST is available

-

- This update to the rsyslog service introduces the option to - manage letter case preservation of the FROMHOST property for - the imudp and imtcp modules. - Setting the preservecase value to on means the FROMHOST property is - handled in a case sensitive manner. To avoid breaking existing configurations, the default - values of preservecase are on for - imtcp and off for imudp. -

-
-

- (BZ#1614181) -

-
-
-
-
-
-

6.1.6. Networking

-
-
-
-
-

PMTU discovery and route redirection is now supported with VXLAN and - GENEVE tunnels

-

- The kernel in Red Hat Enterprise Linux (RHEL) 8.0 did not handle Internet Control Message - Protocol (ICMP) and ICMPv6 messages for Virtual Extensible LAN (VXLAN) and Generic Network - Virtualization Encapsulation (GENEVE) tunnels. As a consequence, Path MTU (PMTU) discovery - and route redirection was not supported with VXLAN and GENEVE tunnels in RHEL releases prior - to 8.1. With this update, the kernel handles ICMP "Destination Unreachable" and "Redirect - Message", as well as ICMPv6 "Packet Too Big" and "Destination Unreachable" error messages by - adjusting the PMTU and modifying forwarding information. As a result, RHEL 8.1 supports PMTU - discovery and route redirection with VXLAN and GENEVE tunnels. -

-
-

- (BZ#1652222) -

-
-

Notable changes in XDP and networking eBPF features in kernel -

-

- The XDP and the networking eBPF features in the kernel package - have been upgraded to upstream version 5.0, which provides a number of bug fixes and - enhancements over the previous version: -

-
-
-
    -
  • - eBPF programs can now better interact with the TCP/IP stack, perform flow dissection, - have wider range of bpf helpers available, and have access - to new map types. -
  • -
  • - XDP metadata are now available to AF_XDP sockets. -
  • -
-
-

- (BZ#1687459) -

-
-

The new PTP_SYS_OFFSET_EXTENDED control - for ioctl() improves the accuracy of measured system-PHC - ofsets

-

- This enhancement adds the PTP_SYS_OFFSET_EXTENDED control for - more accurate measurements of the system precision time protocol (PTP) hardware clock (PHC) - offset to the ioctl() function. The PTP_SYS_OFFSET control which, for example, the chrony service uses to measure the offset between a PHC and the - system clock is not accurate enough. With the new PTP_SYS_OFFSET_EXTENDED control, drivers can isolate the reading - of the lowest bits. This improves the accuracy of the measured offset. Network drivers - typically read multiple PCI registers, and the driver does not read the lowest bits of the - PHC time stamp between two readings of the system clock. -

-
-

- (BZ#1677215) -

-
-

ipset rebased to version 7.1

-

- The ipset packages have been upgraded to upstream version 7.1, - which provides a number of bug fixes and enhancements over the previous version: -

-
-
-
    -
  • - The ipset protocol version 7 introduces the IPSET_CMD_GET_BYNAME and IPSET_CMD_GET_BYINDEX operations. Additionally, the user - space component can now detect the exact compatibility level that the kernel component - supports. -
  • -
  • - A significant number of bugs have been fixed, such as memory leaks and use-after-free - bugs. -
  • -
-
-

- (BZ#1649090) -

-
-
-
-
-
-

6.1.7. Kernel

-
-
-
-
-

Kernel version in RHEL 8.1

-

- Red Hat Enterprise Linux 8.1 is distributed with the kernel version 4.18.0-147. -

-
-

- (BZ#1797671) -

-
-

Live patching for the kernel is now available

-

- Live patching for the kernel, kpatch, provides a mechanism to - patch the running kernel without rebooting or restarting any processes. Live kernel patches - will be provided for selected minor release streams of RHEL covered under the Extended - Update Support (EUS) policy to remediate Critical and Important CVEs. -

-
-

- To subscribe to the kpatch stream for the RHEL 8.1 version of the - kernel, install the kpatch-patch-4_18_0-147 package provided by the - RHEA-2019:3695 - advisory. -

-

- For more information, see Applying - patches with kernel live patching in Managing, monitoring and updating the kernel. -

-

- (BZ#1763780) -

-
-

Extended Berkeley Packet - Filter in RHEL 8

-

- Extended Berkeley Packet Filter (eBPF) - is an in-kernel virtual machine that allows code execution in the kernel space, in the - restricted sandbox environment with access to a limited set of functions. The virtual - machine executes special assembly-like code. The code is then loaded to the kernel and - translated to the native machine code with just-in-time compilation. There are numerous - components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in - a different development phase, and thus not all components are currently fully supported. -

-
-

- In RHEL 8.1, the BPF Compiler Collection - (BCC) tools package is fully supported on the AMD and Intel 64-bit - architectures. The BCC tools package is a - collection of dynamic kernel tracing utilities that use the eBPF virtual machine. -

-

- The following eBPF components are currently - available as a Technology Preview: -

-
-
    -
  • - The BCC tools package on the - following architectures: the 64-bit ARM architecture, IBM Power Systems, Little Endian, - and IBM Z -
  • -
  • - The BCC library on all architectures -
  • -
  • - The bpftrace tracing language -
  • -
  • - The eXpress Data Path (XDP) feature -
  • -
-
-

- For details regarding the Technology Preview components, see Section 6.5.2, “Kernel”. -

-

- (BZ#1780124) -

-
-

Red Hat Enterprise Linux 8 now supports early kdump

-

- The early kdump feature allows the crash kernel and initramfs - to load early enough to capture the vmcore information even for - early crashes. -

-
-

- For more details about early kdump, see the /usr/share/doc/kexec-tools/early-kdump-howto.txt file. -

-

- (BZ#1520209) -

-
-

RHEL 8 now supports ipcmni_extend -

-

- A new kernel command line parameter ipcmni_extend has been - added to Red Hat Enterprise Linux 8. The parameter extends a number of unique System V - Inter-process Communication (IPC) identifiers from the current maximum of 32 KB (15 bits) up - to 16 MB (24 bits). As a result, users whose applications produce a lot of shared memory - segments are able to create a stronger IPC identifier without exceeding the 32 KB limit. -

-
-

- Note that in some cases using ipcmni_extend results in a small - performance overhead and it should be used only if the applications need more than 32 KB of - unique IPC identifier. -

-

- (BZ#1710480) -

-
-

The persistent memory initialization code supports parallel - initialization

-

- The persistent memory initialization code enables parallel initialization on systems with - multiple nodes of persistent memory. The parallel initialization greatly reduces the overall - memory initialization time on systems with large amounts of persistent memory. As a result, - these systems can now boot much faster. -

-
-

- (BZ#1634343) -

-
-

TPM userspace tool has been updated to the last version

-

- The tpm2-tools userspace tool has been updated to version 2.0. - With this update, tpm2-tools is able to fix many defects. -

-
-

- (BZ#1664498) -

-
-

The rngd daemon is now able to run with - non-root privileges

-

- The random number generator daemon (rngd) checks whether data - supplied by the source of randomness is sufficiently random and then stores the data in the - kernel’s random-number entropy pool. With this update, rngd is - able to run with non-root user privileges to enhance system security. -

-
-

- (BZ#1692435) -

-
-

Full support for the ibmvnic - driver

-

- With the introduction of Red Hat Enterprise Linux 8.0, the IBM Virtual Network Interface - Controller (vNIC) driver for IBM POWER architectures, ibmvnic, - was available as a Technology Preview. vNIC is a PowerVM virtual networking technology that - delivers enterprise capabilities and simplifies network management. It is a - high-performance, efficient technology that when combined with SR-IOV NIC provides bandwidth - control Quality of Service (QoS) capabilities at the virtual NIC level. vNIC significantly - reduces virtualization overhead, resulting in lower latencies and fewer server resources, - including CPU and memory, required for network virtualization. -

-
-

- Starting with Red Hat Enterprise Linux 8.1 the ibmvnic device - driver is fully supported on IBM POWER9 systems. -

-

- (BZ#1665717) -

-
-

Intel ® Omni-Path Architecture (OPA) Host Software

-

- Intel Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise - Linux 8.1. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and - setup for high performance data transfers (high bandwidth, high message rate, low latency) - between compute and I/O nodes in a clustered environment. -

-
-

- (BZ#1766186) -

-
-

UBSan has been enabled in the debug kernel - in RHEL 8

-

- The Undefined Behavior Sanitizer (UBSan) utility exposes undefined behavior flaws in C code - languages at runtime. This utility has now been enabled in the debug kernel because the - compiler behavior was, in some cases, different than developers' expectations. Especially, - in the case of compiler optimization, where subtle, obscure bugs would appear. As a result, - running the debug kernel with UBSan enabled allows the system - to easily detect such bugs. -

-
-

- (BZ#1571628) -

-
-

The fadump infrastructure now supports - re-registering in RHEL 8

-

- The support has been added for re-registering (unregistering and registering) of the - firmware-assisted dump (fadump) infrastructure after any memory - hot add/remove operation to update the crash memory ranges. The feature aims to prevent the - system from potential racing issues during unregistering and registering fadump from userspace during udev - events. -

-
-

- (BZ#1710288) -

-
-

The determine_maximum_mpps.sh script has - been introduced in RHEL for Real Time 8

-

- The determine_maximum_mpps.sh script has been introduced to - help use the queuelat test program. The script executes queuelat to determine the maximum packets per second a machine - can handle. -

-
-

- (BZ#1686494) -

-
-

kernel-rt source tree now matches the - latest RHEL 8 tree

-

- The kernel-rt sources have been upgraded to be based on the - latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and - enhancements over the previous version. -

-
-

- (BZ#1678887) -

-
-

The ssdd test has been added to RHEL for - Real Time 8

-

- The ssdd test has been added to enable stress testing of the - tracing subsystem. The test runs multiple tracing threads to verify locking is correct - within the tracing system. -

-
-

- (BZ#1666351) -

-
-
-
-
-
-

6.1.8. Hardware enablement

-
-
-
-
-

Memory Mode for Optane DC Persistent Memory technology is fully - supported

-

- Intel Optane DC Persistent Memory storage devices provide data center-class persistent - memory technology, which can significantly increase transaction throughput. -

-
-

- To use the Memory Mode technology, your system does not require any special drivers or specific - certification. Memory Mode is transparent to the operating system. -

-

- (BZ#1718422) -

-
-

IBM Z now supports system boot signature verification

-

- Secure Boot allows the system firmware to check the authenticity of cryptographic keys that - were used to sign the kernel space code. As a result,the feature improves security since - only code from trusted vendors can be executed. -

-
-

- Note that IBM z15 is required to use Secure Boot. -

-

- (BZ#1659399) -

-
-
-
-
-
-

6.1.9. File systems and storage

-
-
-
-
-

Support for Data Integrity Field/Data Integrity Extension - (DIF/DIX)

-

- DIF/DIX is supported on configurations where the hardware vendor has qualified it and - provides full support for the particular host bus adapter (HBA) and storage array - configuration on RHEL. -

-
-

- DIF/DIX is not supported on the following configurations: -

-
-
    -
  • - It is not supported for use on the boot device. -
  • -
  • - It is not supported on virtualized guests. -
  • -
  • - Red Hat does not support using the Automatic Storage Management library (ASMLib) when - DIF/DIX is enabled. -
  • -
-
-

- DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and - including) the application. The method for activating the DIF on storage devices is - device-dependent. -

-

- For further information on the DIF/DIX feature, see What is DIF/DIX. -

-

- (BZ#1649493) -

-
-

Optane DC memory systems now supports EDAC reports

-

- Previously, EDAC was not reporting memory corrected/uncorrected events if the memory address - was within a NVDIMM module. With this update, EDAC can properly report the events with the - correct memory module information. -

-
-

- (BZ#1571534) -

-
-

The VDO Ansible module has been moved to Ansible packages

-

- Previously, the VDO Ansible module was provided by the vdo RPM - package. Starting with this release, the module is provided by the ansible package instead. -

-
-

- The original location of the VDO Ansible module file was: -

-
/usr/share/doc/vdo/examples/ansible/vdo.py
-

- The new location of the file is: -

-
/usr/lib/python3.6/site-packages/ansible/modules/system/vdo.py
-

- The vdo package continues to distribute Ansible playbooks. -

-

- For more information on Ansible, see http://docs.ansible.com/. -

-

- (BZ#1669534) -

-
-

Aero adapters are now fully supported

-

- The following Aero adapters, previously available as a Technology Preview, are now fully - supported: -

-
-
-
    -
  • - PCI ID 0x1000:0x00e2 and 0x1000:0x00e6, controlled by the mpt3sas driver -
  • -
  • - PCI ID 0x1000:Ox10e5 and 0x1000:0x10e6, controlled by the megaraid_sas driver -
  • -
-
-

- (BZ#1663281) -

-
-

LUKS2 now supports online re-encryption

-

- The Linux Unified Key Setup version 2 (LUKS2) format now supports re-encrypting encrypted - devices while the devices are in use. For example, you do not have to unmount the file - system on the device to perform the following tasks: -

-
-
-
    -
  • - Change the volume key -
  • -
  • - Change the encryption algorithm -
  • -
-
-

- When encrypting a non-encrypted device, you must still unmount the file system, but the - encryption is now significantly faster. You can remount the file system after a short - initialization of the encryption. -

-

- Additionally, the LUKS2 re-encryption is now more resilient. You can select between several - options that prioritize performance or data protection during the re-encryption process. -

-

- To perform the LUKS2 re-encryption, use the cryptsetup reencrypt - subcommand. Red Hat no longer recommends using the cryptsetup-reencrypt utility for the LUKS2 format. -

-

- Note that the LUKS1 format does not support online re-encryption, and the cryptsetup reencrypt subcommand is not compatible with LUKS1. To - encrypt or re-encrypt a LUKS1 device, use the cryptsetup-reencrypt - utility. -

-

- For more information on disk encryption, see Encrypting - block devices using LUKS. -

-

- (BZ#1676622) -

-
-

New features of ext4 available in RHEL 8

-

- In RHEL8, following are the new fully supported features of ext4: -

-
-
-
    -
  • -

    - Non-default features: -

    -
    -
      -
    • - project -
    • -
    • - quota -
    • -
    • - mmp -
    • -
    -
    -
  • -
  • -

    - Non-default mount options: -

    -
    -
      -
    • - bsddf|minixdf -
    • -
    • - grpid|bsdgroups and nogrpid|sysvgroups -
    • -
    • - resgid=n and resuid=n -
    • -
    • - errors={continue|remount-ro|panic} -
    • -
    • - commit=nrsec -
    • -
    • - max_batch_time=usec -
    • -
    • - min_batch_time=usec -
    • -
    • - grpquota|noquota|quota|usrquota -
    • -
    • - prjquota -
    • -
    • - dax -
    • -
    • - lazytime|nolazytime -
    • -
    • - discard|nodiscard -
    • -
    • - init_itable|noinit_itable -
    • -
    • - jqfmt={vfsold|vfsv0|vfsv1} -
    • -
    • - usrjquota=aquota.user|grpjquota=aquota.group -
    • -
    -
    -
  • -
-
-

- For more information on features and mount options, see the ext4 - man page. Other ext4 features, mount options or both, or combination of features, mount options - or both may not be fully supported by Red Hat. If your special workload requires a feature or - mount option that is not fully supported in the Red Hat release, contact Red Hat support to - evaluate it for inclusion in our supported list. -

-

- (BZ#1741531) -

-
-

NVMe over RDMA now supports an Infiniband - in the target mode for IBM Coral systems

-

- In RHEL 8.1, NVMe over RDMA now supports an Infiniband in the - target mode for IBM Coral systems, with a single NVMe PCIe add in card as the target. -

-
-

- (BZ#1721683) -

-
-
-
-
-
-

6.1.10. High availability and clusters

-
-
-
-
-

Pacemaker now defaults the concurrent-fencing cluster property to true

-

- If multiple cluster nodes need to be fenced at the same time, and they use different - configured fence devices, Pacemaker will now execute the fencing simultaneously, rather than - serialized as before. This can result in greatly sped up recovery in a large cluster when - multiple nodes must be fenced. -

-
-

- (BZ#1715426) -

-
-

Extending a shared logical volume no longer requires a refresh on every - cluster node

-

- With this release, extending a shared logical volume no longer requires a refresh on every - cluster node after running the lvextend command on one cluster - node. For the full procedure to extend the size of a GFS2 file system, see Growing - a GFS2 file system. -

-
-

- (BZ#1649086) -

-
-

Maximum size of a supported RHEL HA cluster increased from 16 to 32 - nodes

-

- With this release, Red Hat supports cluster deployments of up to 32 full cluster nodes. -

-
-

- (BZ#1693491) -

-
-

Commands for adding, changing, and removing corosync links have been - added to pcs

-

- The Kronosnet (knet) protocol now allows you to add and remove knet links in running - clusters. To support this feature, the pcs command now provides - commands to add, change, and remove knet links and to change a upd/udpu link in an existing - cluster. For information on adding and modifying links in an existing cluster, see Adding - and modifying links in an existing cluster. (BZ#1667058) -

-
-
-
-
-
-
-

6.1.11. Dynamic programming languages, web and database servers

-
-
-
-
-

A new module stream: php:7.3

-

- RHEL 8.1 introduces PHP 7.3, which provides a number of new - features and enhancements. Notable changes include: -

-
-
-
    -
  • - Enhanced and more flexible heredoc and nowdoc syntaxes -
  • -
  • - The PCRE extension upgraded to PCRE2 -
  • -
  • - Improved multibyte string handling -
  • -
  • - Support for LDAP controls -
  • -
  • - Improved FastCGI Process Manager (FPM) logging -
  • -
  • - Several deprecations and backward incompatible changes -
  • -
-
-

- For more information, see Migrating from PHP 7.2.x to PHP - 7.3.x. -

-

- Note that the RHEL 8 version of PHP 7.3 does not support the Argon2 password hashing algorithm. -

-

- To install the php:7.3 stream, use: -

-
# yum module install php:7.3
-

- If you want to upgrade from the php:7.2 stream, see Switching - to a later stream. -

-

- (BZ#1653109) -

-
-

A new module stream: ruby:2.6

-

- A new module stream, ruby:2.6, is now available. Ruby 2.6.3, included in RHEL 8.1, provides numerous new features, - enhancements, bug and security fixes, and performance improvements over version 2.5 - distributed in RHEL 8.0. -

-
-

- Notable enhancements include: -

-
-
    -
  • - Constant names are now allowed to begin with a non-ASCII capital letter. -
  • -
  • - Support for an endless range has been added. -
  • -
  • - A new Binding#source_location method has been provided. -
  • -
  • - $SAFE is now a process global state and it can be set back - to 0. -
  • -
-
-

- The following performance improvements have been implemented: -

-
-
    -
  • - The Proc#call and block.call - processes have been optimized. -
  • -
  • - A new garbage collector managed heap, Transient heap (theap), has been introduced. -
  • -
  • - Native implementations of coroutines for individual architectures have been introduced. -
  • -
-
-

- In addition, Ruby 2.5, provided by the ruby:2.5 stream, has been upgraded to version 2.5.5, which provides a - number of bug and security fixes. -

-

- To install the ruby:2.6 stream, use: -

-
# yum module install ruby:2.6
-

- If you want to upgrade from the ruby:2.5 stream, see Switching - to a later stream. -

-

- (BZ#1672575) -

-
-

A new module stream: nodejs:12 -

-

- RHEL 8.1 introduces Node.js 12, which provides a number of new - features and enhancements over version 10. Notable changes include: -

-
-
-
    -
  • - The V8 engine upgraded to version 7.4 -
  • -
  • - A new default HTTP parser, llhttp (no longer experimental) -
  • -
  • - Integrated capability of heap dump generation -
  • -
  • - Support for ECMAScript 2015 (ES6) modules -
  • -
  • - Improved support for native modules -
  • -
  • - Worker threads no longer require a flag -
  • -
  • - A new experimental diagnostic report feature -
  • -
  • - Improved performance -
  • -
-
-

- To install the nodejs:12 stream, use: -

-
# yum module install nodejs:12
-

- If you want to upgrade from the nodejs:10 stream, see Switching - to a later stream. -

-

- (BZ#1685191) -

-
-

Judy-devel available in CRB

-

- The Judy-devel package is now available as a part of the mariadb-devel:10.3 module in the CodeReady Linux Builder repository - (CRB). As a result, developers are now able to build applications with the Judy library. -

-
-

- To install the Judy-devel package, enable the mariadb-devel:10.3 module first: -

-
# yum module enable mariadb-devel:10.3
-# yum install Judy-devel
-

- (BZ#1657053) -

-
-

FIPS compliance in Python 3

-

- This update adds support for OpenSSL FIPS mode to Python 3. - Namely: -

-
-
-
    -
  • - In FIPS mode, the blake2, sha3, and shake hashes use the - OpenSSL wrappers and do not offer extended functionality (such as keys, tree hashing, or - custom digest size). -
  • -
  • - In FIPS mode, the hmac.HMAC class can be instantiated only - with an OpenSSL wrapper or a string with OpenSSL hash name as the digestmod argument. The argument must be specified (instead - of defaulting to the md5 algorithm). -
  • -
-
-

- Note that hash functions support the usedforsecurity argument, - which allows using insecure hashes in OpenSSL FIPS mode. The user is responsible for ensuring - compliance with any relevant standards. -

-

- (BZ#1731424) -

-
-

FIPS compliance changes in python3-wheel

-

- This update of the python3-wheel package removes a built-in - implementation for signing and verifying data that is not compliant with FIPS. -

-
-

- (BZ#1731526) -

-
-

A new module stream: nginx:1.16 -

-

- The nginx 1.16 web and proxy server, which provides a number of - new features and enhancements over version 1.14, is now available. For example: -

-
-
-
    -
  • - Numerous updates related to SSL (loading of SSL certificates and secret keys from - variables, variable support in the ssl_certificate and - ssl_certificate_key directives, a new ssl_early_data directive) -
  • -
  • - New keepalive-related directives -
  • -
  • - A new random directive for distributed load balancing -
  • -
  • - New parameters and improvements to existing directives (port ranges for the listen directive, a new delay - parameter for the limit_req directive, which enables - two-stage rate limiting) -
  • -
  • - A new $upstream_bytes_sent variable -
  • -
  • - Improvements to User Datagram Protocol (UDP) proxying -
  • -
-
-

- Other notable changes include: -

-
-
    -
  • - In the nginx:1.16 stream, the nginx package does not require the nginx-all-modules package, therefore nginx modules must be installed explicitly. When you install - nginx as module, the nginx-all-modules package is installed as a part of the common profile, which is the default profile. -
  • -
  • - The ssl directive has been deprecated; use the ssl parameter for the listen - directive instead. -
  • -
  • - nginx now detects missing SSL certificates during - configuration testing. -
  • -
  • - When using a host name in the listen directive, nginx now creates listening sockets for all addresses that - the host name resolves to. -
  • -
-
-

- To install the nginx:1.16 stream, use: -

-
# yum module install nginx:1.16
-

- If you want to upgrade from the nginx:1.14 stream, see Switching - to a later stream. -

-

- (BZ#1690292) -

-
-

perl-IO-Socket-SSL rebased to version - 2.066

-

- The perl-IO-Socket-SSL package has been upgraded to version - 2.066, which provides a number of bug fixes and enhancements over the previous version, for - example: -

-
-
-
    -
  • - Improved support for TLS 1.3, notably a session reuse and an automatic post-handshake - authentication on the client side -
  • -
  • - Added support for multiple curves, automatic setting of curves, partial trust chains, - and support for RSA and ECDSA certificates on the same domain -
  • -
-
-

- (BZ#1632600) -

-
-

perl-Net-SSLeay rebased to version - 1.88

-

- The perl-Net-SSLeay package has been upgraded to version 1.88, - which provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Improved compatibility with OpenSSL 1.1.1, such as manipulating a stack of certificates - and X509 stores, and selecting elliptic curves and groups -
  • -
  • - Improved compatibility with TLS 1.3, for example, a session reuse and a post-handshake - authentication -
  • -
  • - Fixed memory leak in the cb_data_advanced_put() subroutine. -
  • -
-
-

- (BZ#1632597) -

-
-
-
-
-
-

6.1.12. Compilers and development tools

-
-
-
-
-

GCC Toolset 9 available

-

- Red Hat Enterprise Linux 8.1 introduces GCC Toolset 9, an Application Stream containing more - up-to-date versions of development tools. -

-
-

- The following tools and versions are provided by GCC Toolset 9: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 9.1.1 -

-
-

- GDB -

-
-

- 8.3 -

-
-

- Valgrind -

-
-

- 3.15.0 -

-
-

- SystemTap -

-
-

- 4.1 -

-
-

- Dyninst -

-
-

- 10.1.0 -

-
-

- binutils -

-
-

- 2.32 -

-
-

- elfutils -

-
-

- 0.176 -

-
-

- dwz -

-
-

- 0.12 -

-
-

- make -

-
-

- 4.2.1 -

-
-

- strace -

-
-

- 5.1 -

-
-

- ltrace -

-
-

- 0.7.91 -

-
-

- annobin -

-
-

- 8.79 -

-
-
-

- GCC Toolset 9 is available as an Application Stream in the form of a Software Collection in the - AppStream repository. GCC Toolset is a set of tools similar to Red Hat - Developer Toolset for RHEL 7. -

-

- To install GCC Toolset 9: -

-
# yum install gcc-toolset-9
-

- To run a tool from GCC Toolset 9: -

-
$ scl enable gcc-toolset-9 tool
-

- To run a shell session where tool versions from GCC Toolset 9 take precedence over system - versions of these tools: -

-
$ scl enable gcc-toolset-9 bash
-

- For detailed instructions regarding usage, see Using - GCC Toolset. -

-

- (BZ#1685482) -

-
-

Upgraded compiler toolsets

-

- The following compiler toolsets, distributed as Application Streams, have been upgraded with - RHEL 8.1: -

-
-
-
    -
  • - Clang and LLVM Toolset, which provides the LLVM compiler infrastructure framework, the - Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for - code analysis, to version 8.0.1 -
  • -
  • - Rust Toolset, which provides the Rust programming language compiler rustc, the cargo build tool and - dependency manager, and required libraries, to version 1.37 -
  • -
  • - Go Toolset, which provides the Go (golang) programming - language tools and libraries, to version 1.12.8. -
  • -
-
-

- (BZ#1731502, BZ#1691975, BZ#1680091, BZ#1677819, BZ#1681643) -

-
-

SystemTap rebased to version 4.1

-

- The SystemTap instrumentation tool has been updated to upstream version 4.1. Notable - improvements include: -

-
-
-
    -
  • - The eBPF runtime backend can handle more features of the scripting language such as - string variables and rich formatted printing. -
  • -
  • - Performance of the translator has been significantly improved. -
  • -
  • - More types of data in optimized C code can now be extracted with DWARF4 debuginfo - constructs. -
  • -
-
-

- (BZ#1675740) -

-
-

General availability of the DHAT tool

-

- Red Hat Enterprise Linux 8.1 introduces the general availability of the DHAT tool. It is based on the valgrind tool version 3.15.0. -

-
-

- You can find changes/improvements in valgrind tool functionality - below: -

-
-
    -
  • - use --tool=dhat instead of --tool=exp-dhat, -
  • -
  • - --show-top-n and --sort-by options have been removed because dhat tool now prints the minimal data after the program ends, -
  • -
  • - a new viewer dh_view.html, which is a JavaScript programm, - contains the profile results. A short message explains how to view the results after the - run is ended, -
  • -
  • - the documentation for a viewer is located: /usr/libexec/valgrind/dh_view.html, -
  • -
  • - the documentation for the DHAT tool is located: /usr/share/doc/valgrind/html/dh-manual.html, -
  • -
  • - the support for amd64 (x86_64): the RDRAND and F16C insn set extensions is added, -
  • -
  • - in cachegrind the cg_annotate command has a new option, --show-percs, which prints percentages next to all - event counts, -
  • -
  • - in callgrind the callgrind_annotate command has a new option, --show-percs, which prints percentages next to all - event counts, -
  • -
  • - in massif the default value for --read-inline-info is now yes, -
  • -
  • - in memcheck option --xtree-leak=yes, which outputs leak result in - xtree format, automatically activates the option --show-leak-kinds=all, -
  • -
  • - the new option --show-error-list=no|yes displays - the list of the detected errors and the used suppression at the end of the run. - Previously, the user could specify the option -v - for valgrind command, which shows a lot of - information that might be confusing. The option -s is an equivalent to the option --show-error-list=yes. -
  • -
-
-

- (BZ#1683715) -

-
-

elfutils rebased to version 0.176

-

- The elfutils packages have been updated to upstream version 0.176. This version brings - various bug fixes, and resolves the following vulnerabilities: -

-
- -

- Notable improvements include: -

-
-
    -
  • - The libdw library has been extended with the dwelf_elf_begin() function which is a variant of elf_begin() that handles compressed files. -
  • -
  • - A new --reloc-debug-sections-only option has been added to - the eu-strip tool to resolve all trivial relocations - between debug sections in place without any other stripping. This functionality is - relevant only for ET_REL files in certain circumstances. -
  • -
-
-

- (BZ#1683705) -

-
-

Additional memory allocation checks in glibc

-

- Application memory corruption is a leading cause of application and security defects. Early - detection of such corruption, balanced against the cost of detection, can provide - significant benefits to application developers. -

-
-

- To improve detection, six additional memory corruption checks have been added to the malloc metadata in the GNU C Library (glibc), which is the core C library in RHEL. These additional checks - have been added at a very low cost to runtime performance. -

-

- (BZ#1651283) -

-
-

GDB can access more POWER8 registers

-

- With this update, the GNU debugger (GDB) and its remote stub gdbserver can access the following additional registers and - register sets of the POWER8 processor line of IBM: -

-
-
-
    -
  • - PPR -
  • -
  • - DSCR -
  • -
  • - TAR -
  • -
  • - EBB/PMU -
  • -
  • - HTM -
  • -
-
-

- (BZ#1187581) -

-
-

binutils disassembler can handle NFP - binary files

-

- The disassembler tool from the binutils package has been - extended to handle binary files for the Netronome Flow Processor (NFP) hardware series. This - functionality is required to enable further features in the bpftool Berkeley Packet Filter (BPF) code compiler. -

-
-

- (BZ#1644391) -

-
-

Partially writable GOT sections are now supported on the IBM Z - architecture

-

- The IBM Z binaries using the "lazy binding" feature of the loader can now be hardened by - generating partially writable Global offset table (GOT) sections. These binaries require a - read-write GOT, but not all entries to be writable. This update provides protection for the - entries from potential attacks. -

-
-

- (BZ#1525406) -

-
-

binutils now supports Arch13 processors of - IBM Z

-

- This update adds support for the extensions related to the Arch13 processors into the binutils packages on IBM Z architecture. As a result, it is now - possible to build kernels that can use features available in arch13-enabled CPUs on IBM Z. -

-
-

- (BZ#1659437) -

-
-

Dyninst rebased to version 10.1.0 -

-

- The Dyninst instrumentation library has been updated to - upstream version 10.1.0. Notable changes include: -

-
-
-
    -
  • - Dyninst supports the Linux PowerPC Little Endian (ppcle) - and 64-bit ARM (aarch64) architectures. -
  • -
  • - Start-up time has been improved by using parallel code analysis. -
  • -
-
-

- (BZ#1648441) -

-
-

Date formatting updates for the Japanese Reiwa era

-

- The GNU C Library now provides correct Japanese era name formatting for the Reiwa era - starting on May 1st, 2019. The time handling API data has been updated, including the data - used by the strftime and strptime - functions. All APIs will correctly print the Reiwa era including when strftime is used along with one of the era conversion specifiers - such as %EC, %EY, or %Ey. -

-
-

- (BZ#1577438) -

-
-

Performance Co-Pilot rebased to version 4.3.2

-

- In RHEL 8.1, the Performance Co-Pilot (PCP) tool has been updated to upstream version 4.3.2. - Notable improvements include: -

-
-
-
    -
  • - New metrics have been added - Linux kernel entropy, pressure stall information, Nvidia - GPU statistics, and more. -
  • -
  • - Tools such as pcp-dstat, pcp-atop, the perfevent PMDA, - and others have been updated to report the new metrics. -
  • -
  • - The pmseries and pmproxy - utilities for a performant PCP integration with Grafana have been updated. -
  • -
-
-

- This release is backward compatible for libraries, over-the-wire protocol and on-disk PCP - archive format. -

-

- (BZ#1685302) -

-
-
-
-
-
-

6.1.13. Identity Management

-
-
-
-
-

IdM now supports Ansible roles and modules for installation and - management

-

- This update introduces the ansible-freeipa package, which - provides Ansible roles and modules for Identity Management (IdM) deployment and management. - You can use Ansible roles to install and uninstall IdM servers, replicas, and clients. You - can use Ansible modules to manage IdM groups, topology, and users. There are also example - playbooks available. -

-
-

- This update simplifies the installation and configuration of IdM based solutions. -

-

- (JIRA:RHELPLAN-2542) -

-
-

New tool to test the overall fitness of IdM deployment: Healthcheck

-

- This update introduces the Healthcheck tool in Identity - Management (IdM). The tool provides tests verifying that the current IdM server is - configured and running correctly. -

-
-

- The major areas currently covered are: * Certificate configuration and expiration dates * - Replication errors * Replication topology * AD Trust configuration * Service status * File - permissions of important configuration files * Filesystem space -

-

- The Healthcheck tool is available in the command-line interface - (CLI). -

-

- (JIRA:RHELPLAN-13066) -

-
-

IdM now supports renewing expired system certificates when the server - is offline

-

- With this enhancement, administrators can renew expired system certificates when Identity - Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new - ipa-cert-fix command replaces the workaround to manually set - the date back to proceed with the renewal process. As a result, the downtime and support - costs reduce in the mentioned scenario. -

-
-

- (JIRA:RHELPLAN-13074) -

-
-

Identity Management supports trust with Windows Server 2019 -

-

- When using Identity Management, you can now establish a supported forest trust to Active - Directory forests that run by Windows Server 2019. The supported forest and domain - functional levels are unchanged and supported up to level Windows Server 2016. -

-
-

- (JIRA:RHELPLAN-15036) -

-
-

samba rebased to version - 4.10.4

-

- The samba packages have been upgraded to upstream - version 4.10.4, which provides a number of bug fixes and enhancements over the previous - version: -

-
-
-
    -
  • - Samba 4.10 fully supports Python 3. Note that future Samba versions will not have any - runtime support for Python 2. -
  • -
  • - The JavaScript Object Notation (JSON) logging feature now logs the Windows event ID and - logon type for authentication messages. -
  • -
  • - The new vfs_glusterfs_fuse file system in user space (FUSE) - module improves the performance when Samba accesses a GlusterFS volume. To enable this - module, add glusterfs_fuse to the vfs_objects parameter of the share in the /etc/samba/smb.conf file. Note that vfs_glusterfs_fuse does not replace the existing vfs_glusterfs module. -
  • -
  • - The server message block (SMB) client Python bindings are now deprecated and will be - removed in a future Samba release. This only affects users who use the Samba Python - bindings to write their own utilities. -
  • -
-
-

- Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the databases files before starting - Samba. Note that Red Hat does not support downgrading tdb database - files. -

-

- For further information about notable changes, read the upstream release notes before updating: - https://www.samba.org/samba/history/samba-4.10.0.html -

-

- (BZ#1638001) -

-
-

Updated system-wide certificate store location for OpenLDAP -

-

- The default location for trusted CAs for OpenLDAP has been updated to use the system-wide - certificate store (/etc/pki/ca-trust/source) instead of /etc/openldap/certs. This change has been made to simplify the - setting up of CA trust. -

-
-

- No additional setup is required to set up CA trust, unless you have service-specific - requirements. For example, if you require an LDAP server’s certificate to be only trusted for - LDAP client connections, in this case you must set up the CA certificates as you did previously. -

-

- (JIRA:RHELPLAN-7109) -

-
-

New ipa-crl-generation commands have been - introduced to simplify managing IdM CRL master

-

- This update introduces the ipa-crl-generation status/enable/disable commands. These - commands, run by the root user, simplify work with the Certificate Revocation List (CRL) in - IdM. Previously, moving the CRL generation master from one IdM CA server to another was a - lengthy, manual and error-prone procedure. -

-
-

- The ipa-crl-generation status command checks if the current host is - the CRL generation master. The ipa-crl-generation enable command - makes the current host the CRL generation master in IdM if the current host is an IdM CA server. - The ipa-crl-generation disable command stops CRL generation on the - current host. -

-

- Additionally, the ipa-server-install --uninstall command now - includes a safeguard checking whether the host is the CRL generation master. This way, IdM - ensures that the system administrator does not remove the CRL generation master from the - topology. -

-

- (JIRA:RHELPLAN-13068) -

-
-

OpenID Connect support in keycloak-httpd-client-install

-

- The keycloak-httpd-client-install identity provider previously - supported only the SAML (Security Assertion Markup Language) authentication with the mod_auth_mellon authentication module. This rebase introduces the - mod_auth_openidc authentication module support, which allows - you to configure also the OpenID Connect authentication. -

-
-

- The keycloak-httpd-client-install identity provider allows an - apache instance to be configured as an OpenID Connect client by configuring mod_auth_openidc. -

-

- (BZ#1553890) -

-
-

Setting up IdM as a hidden replica is now available as a Technology - Preview

-

- This enhancement enables administrators to set up an Identity Management (IdM) replica as a - hidden replica. A hidden replica is an IdM server that has all services running and - available. However, it is not advertised to other clients or masters because no SRV records exist for the services in DNS, and LDAP server roles - are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas. -

-
-

- Hidden replicas are primarily designed for dedicated services that can otherwise disrupt - clients. For example, a full backup of IdM requires to shut down all IdM services on the master - or replica. Since no clients use a hidden replica, administrators can temporarily shut down the - services on this host without affecting any clients. Other use cases include high-load - operations on the IdM API or the LDAP server, such as a mass import or extensive queries. -

-

- To install a new hidden replica, use the ipa-replica-install --hidden-replica command. To change the state of - an existing replica, use the ipa server-state command. -

-

- (BZ#1719767) -

-
-

SSSD now enforces AD GPOs by default

-

- The default setting for the SSSD option ad_gpo_access_control - is now enforcing. In RHEL 8, SSSD enforces access control rules - based on Active Directory Group Policy Objects (GPOs) by default. -

-
-

- Red Hat recommends ensuring GPOs are configured correctly in Active Directory before upgrading - from RHEL 7 to RHEL 8. If you would not like to enforce GPOs, change the value of the ad_gpo_access_control option in the /etc/sssd/sssd.conf file to permissive. -

-

- (JIRA:RHELPLAN-51289) -

-
-
-
-
-
-

6.1.14. Desktop

-
-
-
-
-

Modified workspace switcher in GNOME Classic

-

- Workspace switcher in the GNOME Classic environment has been modified. The switcher is now - located in the right part of the bottom bar, and it is designed as a horizontal strip of - thumbnails. Switching between workspaces is possible by clicking on the required thumbnail. - Alternatively, you can also use the combination of Ctrl+Alt+down/up - arrow keys to switch between workspaces. The content of the active - workspace is shown in the left part of the bottom bar in form of the window list. -

-
-

- When you press the Super key within the particular - workspace, you can see the window picker, which includes - all windows that are open in this workspace. However, the window - picker no longer displays the following elements that were available in the - previous release of RHEL: -

-
-
    -
  • - dock (vertical bar on the left side of the - screen) -
  • -
  • - workspace switcher (vertical bar on the right - side of the screen) -
  • -
  • - search entry -
  • -
-
-

- For particular tasks that were previously achieved with the help of these elements, adopt the - following approaches: -

-
-
    -
  • -

    - To launch applications, instead of using dock, you can: -

    -
    -
      -
    • - Use the Applications - menu on the top bar -
    • -
    • - Press the kdb:[Alt + F2] keys to make the Enter a Command screen - appear, and write the name of the executable into this screen. -
    • -
    -
    -
  • -
  • - To switch between workspaces, instead of using the vertical workspace switcher, use the horizontal workspace switcher in the right bottom bar. -
  • -
  • - If you require the search entry or the vertical - workspace switcher, use GNOME Standard - environment instead of GNOME Classic. -
  • -
-
-

- (BZ#1704360) -

-
-
-
-
-
-

6.1.15. Graphics infrastructures

-
-
-
-
-

DRM rebased to - Linux kernel version 5.1

-

- The Direct Rendering Manager (DRM) - kernel graphics subsystem has been rebased to upstream Linux kernel version 5.1, which - provides a number of bug fixes and enhancements over the previous version. Most notably: -

-
-
-
    -
  • - The mgag200 driver has been updated. The driver continues - providing support for HPE Proliant Gen10 Systems, which use Matrox G200 eH3 GPUs. The - updated driver also supports current and new Dell EMC PowerEdge Servers. -
  • -
  • - The nouveau driver has been updated to provide hardware - enablement to current and future Lenovo platforms that use NVIDIA GPUs. -
  • -
  • - The i915 display driver has been updated for continued - support of current and new Intel GPUs. -
  • -
  • - Bug fixes for Aspeed AST BMC display chips have been added. -
  • -
  • - Support for AMD Raven 2 set of Accelerated Processing Units (APUs) has been added. -
  • -
  • - Support for AMD Picasso APUs has been added. -
  • -
  • - Support for AMD Vega GPUs has been added. -
  • -
  • - Support for Intel Amber Lake-Y and Intel Comet Lake-U GPUs has been added. -
  • -
-
-

- (BZ#1685552) -

-
-

Support for AMD Picasso graphic cards

-

- This update introduces the amdgpu graphics driver. As a result - AMD Picasso graphics cards are now fully supported on RHEL 8. -

-
-

- (BZ#1685427) -

-
-
-
-
-
-

6.1.16. The web console

-
-
-
-
-

Enabling and disabling SMT

-

- Simultaneous Multi-Threading (SMT) configuration is now available in RHEL 8. Disabling SMT - in the web console allows you to mitigate a class of CPU security vulnerabilities such as: -

-
- -

- (BZ#1678956) -

-
-

Adding a search box in the Services page

-

- The Services page now has a search box for filtering services by: -

-
-
-
    -
  • - Name -
  • -
  • - Description -
  • -
  • - State -
  • -
-
-

- In addition, service states have been merged into one list. The switcher buttons at the top of - the page have also been changed to tabs to improve user experience of the Services page. -

-

- (BZ#1657752) -

-
-

Adding support for firewall zones

-

- The firewall settings on the Networking - page now supports: -

-
-
-
    -
  • - Adding and removing zones -
  • -
  • - Adding or removing services to arbitrary zones and -
  • -
  • - Configuring custom ports in addition to firewalld services. -
  • -
-
-

- (BZ#1678473) -

-
-

Adding improvements to Virtual Machines configuration

-

- With this update, the RHEL 8 web console includes a lot of improvements in the Virtual - Machines page. You can now: -

-
-
-
    -
  • - Manage various types of storage pools -
  • -
  • - Configure VM autostart -
  • -
  • - Import existing qcow images -
  • -
  • - Install VMs through PXE boot -
  • -
  • - Change memory allocation -
  • -
  • - Pause/resume VMs -
  • -
  • - Configure cache characteristics (directsync, writeback) -
  • -
  • - Change the boot order -
  • -
-
-

- (BZ#1658847) -

-
-
-
-
-
-

6.1.17. Red Hat Enterprise Linux system roles

-
-
-
-
-

A new storage role added to RHEL system - roles

-

- The storage role has been added to RHEL system roles provided - by the rhel-system-roles package. The storage role can be used to manage local storage using Ansible. -

-
-

- Currently, the storage role supports the following types of tasks: -

-
-
    -
  • - Managing file systems on whole disks -
  • -
  • - Managing LVM volume groups -
  • -
  • - Managing logical volumes and their file systems -
  • -
-
-

- For more information, see Managing - file systems and Configuring - and managing logical volumes. -

-

- (BZ#1691966) -

-
-
-
-
-
-

6.1.18. Virtualization

-
-
-
-
-

WALinuxAgent rebased to version - 2.2.38

-

- The WALinuxAgent package has been upgraded to - upstream version 2.2.38, which provides a number of bug fixes and enhancements over the - previous version. -

-
-

- In addition, WALinuxAgent is no longer compatible with - Python 2, and applications dependant on Python 2. As a result, applications and extensions - written in Python 2 will need to be converted to Python 3 to establish compatibility with WALinuxAgent. -

-

- (BZ#1722848) -

-
-

Windows automatically finds the needed virtio-win drivers

-

- Windows can now automatically find the virtio-win drivers it needs from the driver ISO - without requiring the user to select the folder in which they are located. -

-
-

- (BZ#1223668) -

-
-

KVM supports 5-level paging

-

- With Red Hat Enterprise Linux 8, KVM virtualization supports the 5-level paging feature. On - selected host CPUs, this significantly increases the physical and virtual address space that - the host and guest systems can use. -

-
-

- (BZ#1526548) -

-
-

Smart card sharing is now supported on Windows guests with ActivClient - drivers

-

- This update adds support for smart card sharing in virtual machines (VMs) that use a Windows - guest OS and ActivClient drivers. This enables smart card authentication for user logins - using emulated or shared smart cards on these VMs. -

-
-

- (BZ#1615840) -

-
-

New options have been added for virt-xml

-

- The virt-xml utility can now use the following command-line - options: -

-
-
-
    -
  • - --no-define - Changes done to the virtual machine (VM) by - the virt-xml command are not saved into persistent - configuration. -
  • -
  • - --start - Starts the VM after performing requested changes. -
  • -
-
-

- Using these two options together allows users to change the configuration of a VM and start the - VM with the new configuration without making the changes persistent. For example, the following - command changes the boot order of the testguest VM to - network for the next boot, and initiates the boot: -

-
virt-xml testguest  --start --no-define --edit --boot network
-

- (JIRA:RHELPLAN-13960) -

-
-

IBM z14 GA2 CPUs supported by KVM

-

- With this update, KVM supports the IBM z14 GA2 CPU model. This makes it possible to create - virtual machines on IBM z14 GA2 hosts that use RHEL 8 as the host OS with an IBM z14 GA2 CPU - in the guest. -

-
-

- (JIRA:RHELPLAN-13649) -

-
-

Nvidia NVLink2 is now compatible with virtual machines on IBM - POWER9

-

- Nvidia VGPUs that support the NVLink2 feature can now be assigned to virtual machines (VMs) - running in a RHEL 8 host on an IBM POWER9 system. This makes it possible for these VMs to - use the full performance potential of NVLink2. -

-
-

- (JIRA:RHELPLAN-12811) -

-
-
-
-
-
-
-

6.2. New Drivers

-
-
-
-

Network Drivers

-
-
    -
  • - Serial Line Internet Protocol support (slip.ko.xz) -
  • -
  • - Platform CAN bus driver for Bosch C_CAN controller (c_can_platform.ko.xz) -
  • -
  • - virtual CAN interface (vcan.ko.xz) -
  • -
  • - Softing DPRAM CAN driver (softing.ko.xz) -
  • -
  • - serial line CAN interface (slcan.ko.xz) -
  • -
  • - CAN driver for EMS Dr. Thomas Wuensche CAN/USB interfaces (ems_usb.ko.xz) -
  • -
  • - CAN driver for esd CAN-USB/2 and CAN-USB/Micro interfaces (esd_usb2.ko.xz) -
  • -
  • - Socket-CAN driver for SJA1000 on the platform bus (sja1000_platform.ko.xz) -
  • -
  • - Socket-CAN driver for PLX90xx PCI-bridge cards with the SJA1000 chips (plx_pci.ko.xz) -
  • -
  • - Socket-CAN driver for EMS CPC-PCI/PCIe/104P CAN cards (ems_pci.ko.xz) -
  • -
  • - Socket-CAN driver for KVASER PCAN PCI cards (kvaser_pci.ko.xz) -
  • -
  • - Intel® 2.5G Ethernet Linux Driver (igc.ko.xz) -
  • -
  • - Realtek 802.11ac wireless PCI driver (rtwpci.ko.xz) -
  • -
  • - Realtek 802.11ac wireless core module (rtw88.ko.xz) -
  • -
  • - MediaTek MT76 devices support (mt76.ko.xz) -
  • -
  • - MediaTek MT76x0U (USB) support (mt76x0u.ko.xz) -
  • -
  • - MediaTek MT76x2U (USB) support (mt76x2u.ko.xz) -
  • -
-
-

Graphics Drivers and Miscellaneous Drivers

-
-
    -
  • - Virtual Kernel Mode Setting (vkms.ko.xz) -
  • -
  • - Intel GTT (Graphics Translation Table) routines (intel-gtt.ko.xz) -
  • -
  • - Xen frontend/backend page directory based shared buffer handling - (xen-front-pgdir-shbuf.ko.xz) -
  • -
  • - LED trigger for audio mute control (ledtrig-audio.ko.xz) -
  • -
  • - Host Wireless Adapter Radio Control Driver (hwa-rc.ko.xz) -
  • -
  • - Network Block Device (nbd.ko.xz) -
  • -
  • - Pericom PI3USB30532 Type-C mux driver (pi3usb30532.ko.xz) -
  • -
  • - Fairchild FUSB302 Type-C Chip Driver (fusb302.ko.xz) -
  • -
  • - TI TPS6598x USB Power Delivery Controller Driver (tps6598x.ko.xz) -
  • -
  • - Intel PCH Thermal driver (intel_pch_thermal.ko.xz) -
  • -
  • - PCIe AER software error injector (aer_inject.ko.xz) -
  • -
  • - Simple stub driver for PCI SR-IOV PF device (pci-pf-stub.ko.xz) -
  • -
  • - mISDN Digital Audio Processing support (mISDN_dsp.ko.xz) -
  • -
  • - ISDN layer 1 for Cologne Chip HFC-4S/8S chips (hfc4s8s_l1.ko.xz) -
  • -
  • - ISDN4Linux: Call diversion support (dss1_divert.ko.xz) -
  • -
  • - CAPI4Linux: Userspace /dev/capi20 interface (capi.ko.xz) -
  • -
  • - USB Driver for Gigaset 307x (bas_gigaset.ko.xz) -
  • -
  • - ISDN4Linux: Driver for HYSDN cards (hysdn.ko.xz) -
  • -
  • - mISDN Digital Audio Processing support (mISDN_dsp.ko.xz) -
  • -
  • - mISDN driver for Winbond w6692 based cards (w6692.ko.xz) -
  • -
  • - mISDN driver for CCD’s hfc-pci based cards (hfcpci.ko.xz) -
  • -
  • - mISDN driver for hfc-4s/hfc-8s/hfc-e1 based cards (hfcmulti.ko.xz) -
  • -
  • - mISDN driver for NETJet (netjet.ko.xz) -
  • -
  • - mISDN driver for AVM FRITZ!CARD PCI ISDN cards (avmfritz.ko.xz) -
  • -
-
-

Storage Drivers

-
-
    -
  • - NVMe over Fabrics TCP host (nvme-tcp.ko.xz) -
  • -
  • - NVMe over Fabrics TCP target (nvmet-tcp.ko.xz) -
  • -
  • - device-mapper writecache target (dm-writecache.ko.xz) -
  • -
-
-
-
-
-
-
-

6.3. Updated Drivers

-
-
-
-

Network Driver Updates

-
-
    -
  • - QLogic FastLinQ 4xxxx Ethernet Driver (qede.ko.xz) has been updated to version 8.37.0.20. -
  • -
  • - QLogic FastLinQ 4xxxx Core Module (qed.ko.xz) has been updated to version 8.37.0.20. -
  • -
  • - Broadcom BCM573xx network driver (bnxt_en.ko.xz) has been updated to version 1.10.0. -
  • -
  • - QLogic BCM57710/57711/57711E/57712/57712_MF/57800/57800_MF/57810/57810_MF/57840/57840_MF - Driver (bnx2x.ko.xz) has been updated to version 1.713.36-0. -
  • -
  • - Intel® Gigabit Ethernet Network Driver (igb.ko.xz) has been updated to version 5.6.0-k. -
  • -
  • - Intel® 10 Gigabit Virtual Function Network Driver (ixgbevf.ko.xz) has been updated to - version 4.1.0-k-rh8.1.0. -
  • -
  • - Intel® 10 Gigabit PCI Express Network Driver (ixgbe.ko.xz) has been updated to version - 5.1.0-k-rh8.1.0. -
  • -
  • - Intel® Ethernet Switch Host Interface Driver (fm10k.ko.xz) has been updated to version - 0.26.1-k. -
  • -
  • - Intel® Ethernet Connection E800 Series Linux Driver (ice.ko.xz) has been updated to version - 0.7.4-k. -
  • -
  • - Intel® Ethernet Connection XL710 Network Driver (i40e.ko.xz) has been updated to version - 2.8.20-k. -
  • -
  • - The Netronome Flow Processor (NFP) driver (nfp.ko.xz) has been updated to version - 4.18.0-147.el8.x86_64. -
  • -
  • - Elastic Network Adapter (ENA) (ena.ko.xz) has been updated to version 2.0.3K. -
  • -
-
-

Graphics and Miscellaneous Driver Updates

-
-
    -
  • - Standalone drm driver for the VMware SVGA device (vmwgfx.ko.xz) has been updated to version - 2.15.0.0. -
  • -
  • - hpe watchdog driver (hpwdt.ko.xz) has been updated to version 2.0.2. -
  • -
-
-

Storage Driver Updates

-
-
    -
  • - Driver for HP Smart Array Controller version 3.4.20-170-RH3 (hpsa.ko.xz) has been updated to - version 3.4.20-170-RH3. -
  • -
  • - LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas.ko.xz) has been updated to version - 28.100.00.00. -
  • -
  • - Emulex LightPulse Fibre Channel SCSI driver 12.2.0.3 (lpfc.ko.xz) has been updated to - version 0:12.2.0.3. -
  • -
  • - QLogic QEDF 25/40/50/100Gb FCoE Driver (qedf.ko.xz) has been updated to version 8.37.25.20. -
  • -
  • - Cisco FCoE HBA Driver (fnic.ko.xz) has been updated to version 1.6.0.47. -
  • -
  • - QLogic Fibre Channel HBA Driver (qla2xxx.ko.xz) has been updated to version - 10.01.00.15.08.1-k1. -
  • -
  • - Driver for Microsemi Smart Family Controller version 1.2.6-015 (smartpqi.ko.xz) has been - updated to version 1.2.6-015. -
  • -
  • - QLogic FastLinQ 4xxxx iSCSI Module (qedi.ko.xz) has been updated to version 8.33.0.21. -
  • -
  • - Broadcom MegaRAID SAS Driver (megaraid_sas.ko.xz) has been updated to version - 07.707.51.00-rc1. -
  • -
-
-
-
-
-
-
-

6.4. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.1 that have a significant impact on - users. -

-
-
-
-
-

6.4.1. Installer and image creation

-
-
-
-
-

Using the version or inst.version kernel boot parameters no longer stops the - installation program

-

- Previously, booting the installation program from the kernel command line using the version or inst.version boot - parameters printed the version, for example anaconda 30.25.6, - and stopped the installation program. -

-
-

- With this update, the version and inst.version parameters are ignored when the installation program is - booted from the kernel command line, and as a result, the installation program is not stopped. -

-

- (BZ#1637472) -

-
-

The xorg-x11-drv-fbdev, xorg-x11-drv-vesa, and xorg-x11-drv-vmware video drivers are now installed by - default

-

- Previously, workstations with specific models of NVIDIA graphics cards and workstations with - specific AMD accelerated processing units did not display the graphical login window after a - RHEL 8.0 Server installation. This issue also impacted virtual machines relying on EFI for - graphics support, such as Hyper-V. With this update, the xorg-x11-drv-fbdev, xorg-x11-drv-vesa, and xorg-x11-drv-vmware video drivers are installed by default and - the graphical login window is displayed after a RHEL 8.0 and later Server installation. -

-
-

- (BZ#1687489) -

-
-

Rescue mode no longer fails without displaying an error - message

-

- Previously, running rescue mode on a system with no Linux partitions resulted in the - installation program failing with an exception. With this update, the installation program - displays the error message “You don’t have any Linux partitions” when a system with no Linux - partitions is detected. -

-
-

- (BZ#1628653) -

-
-

The installation program now sets the lvm_metadata_backup Blivet flag for image - installations

-

- Previously, the installation program failed to set the lvm_metadata_backup Blivet flag for image installations. As a - consequence, LVM backup files were located in the /etc/lvm/ - subdirectory after an image installation. With this update, the installation program sets - the lvm_metadata_backup Blivet flag, and as a result, there are - no LVM backup files located in the /etc/lvm/ subdirectory after - an image installation. -

-
-

- (BZ#1673901) -

-
-

The RHEL 8 installation program now handles strings from RPM -

-

- Previously, when the python3-rpm library returned a string, the - installation program failed with an exception. With this update, the installation program - can now handle strings from RPM. -

-
-

- (BZ#1689909) -

-
-

The inst.repo kernel boot parameter now - works for a repository on a hard drive that has a non-root path

-

- Previously, the RHEL 8 installation process could not proceed without manual intervention if - the inst.repo=hd:<device>:<path> kernel boot - parameter was pointing to a repository (not an ISO image) on a hard drive, and a non-root - (/) path was used. With this update, the installation program can now propagate any <path> for a repository located on a hard drive, ensuring - the installation proceeds as normal. -

-
-

- (BZ#1689194) -

-
-

The --changesok option now allows the - installation program to change the root password

-

- Previously, using the --changesok option when installing Red - Hat Enterprise Linux 8 from a Kickstart file did not allow the installation program to - change the root password. With this update, the --changesok - option is successfully passed by Kickstart, and as a result, users specifying the pwpolicy root –changesok option in their Kickstart file can now - change the root password using the GUI, even if the password has already been set by - Kickstart. -

-
-

- (BZ#1584145) -

-
-

Image Building no longer fails when using lorax-composer API

-

- Previously, when using lorax-composer API from a subscribed - RHEL system, the image building process always failed. Anaconda could not access the - repositories, because the subscription certificates from the host are not passed through. To - fix the issue update lorax-composer, pykickstart, and Anaconda packages. - That will allow to pass supported CDN certificates. -

-
-

- (BZ#1663950) -

-
-
-
-
-
-

6.4.2. Shells and command-line tools

-
-
-
-
-

systemd in debug mode no longer produces - unnecessary log messages

-

- When using the systemd system and service manager in debug - mode, systemd previously produced unnecessary and harmless log - messages that started with: -

-
-
"Failed to add rule for system call ..."
-

- With this update, systemd has been fixed to no longer produce these - unnecessary debug messages. -

-

- (BZ#1658691) -

-
-
-
-
-
-

6.4.3. Security

-
-
-
-
-

fapolicyd no longer prevents RHEL - updates

-

- When an update replaces the binary of a running application, the kernel modifies the - application binary path in memory by appending the " (deleted)" suffix. Previously, the - fapolicyd file access policy daemon treated such applications - as untrusted, and prevented them from opening and executing any other files. As a - consequence, the system was sometimes unable to boot after applying updates. -

-
-

- With the release of the RHBA-2020:5241 advisory, fapolicyd ignores the suffix in the binary path so the binary can - match the trust database. As a result, fapolicyd enforces the rules - correctly and the update process can finish. -

-

- (BZ#1897092) -

-
-

SELinux no longer prevents Tomcat from sending emails

-

- Prior to this update, the SELinux policy did not allow the tomcat_t and pki_tomcat_t domains to - connect to SMTP ports. Consequently, SELinux denied applications on the Tomcat server from - sending emails. With this update of the selinux-policy - packages, the policy allows processes from the Tomcat domains access SMTP ports, and SELinux - no longer prevents applications on Tomcat from sending emails. -

-
-

- (BZ#1687798) -

-
-

lockdev now runs correctly with - SELinux

-

- Previously, the lockdev tool could not transition into the - lockdev_t context even though the SELinux policy for lockdev_t was defined. As a consequence, lockdev was allowed to run in the ‘unconfined_t’ domain when used - by the root user. This introduced vulnerabilities into the system. With this update, the - transition into lockdev_t has been defined, and lockdev can now be used correctly with SELinux in enforcing mode. -

-
-

- (BZ#1673269) -

-
-

iotop now runs correctly with - SELinux

-

- Previously, the iotop tool could not transition into the iotop_t context even though the SELinux policy for iotop_t was defined. As a consequence, iotop was allowed to run in the ‘unconfined_t’ domain when used - by the root user. This introduced vulnerabilities into the system. With this update, the - transition into iotop_t has been defined, and iotop can now be used correctly with SELinux in enforcing mode. -

-
-

- (BZ#1671241) -

-
-

SELinux now properly handles NFS ‘crossmnt’

-

- The NFS protocol with the crossmnt option automatically creates - internal mounts when a process accesses a subdirectory already used as a mount point on the - server. Previously, this caused SELinux to check whether the process accessing an NFS - mounted directory had a mount permission, which caused AVC denials. In the current version, - SELinux permission checking skips these internal mounts. As a result, accessing an NFS - directory that is mounted on the server side does not require mount permission. -

-
-

- (BZ#1647723) -

-
-

An SELinux policy reload no longer causes false ENOMEM errors -

-

- Reloading the SELinux policy previously caused the internal security context lookup table to - become unresponsive. Consequently, when the kernel encountered a new security context during - a policy reload, the operation failed with a false "Out of memory" (ENOMEM) error. With this - update, the internal Security Identifier (SID) lookup table has been redesigned and no - longer freezes. As a result, the kernel no longer returns misleading ENOMEM errors during an - SELinux policy reload. -

-
-

- (BZ#1656787) -

-
-

Unconfined domains can now use smc_socket

-

- Previously, the SELinux policy did not have the allow rules for the smc_socket class. Consequently, SELinux blocked an access to - smc_socket for the unconfined domains. With this update, the - allow rules have been added to the SELinux policy. As a result, the unconfined domains can - use smc_socket. -

-
-

- (BZ#1683642) -

-
-

Kerberos cleanup procedures are now compatible with GSSAPIDelegateCredentials and default cache from krb5.conf

-

- Previously, when the default_ccache_name option was configured - in the krb5.conf file, the kerberos credentials were not - cleaned up with the GSSAPIDelegateCredentials and GSSAPICleanupCredentials options set. This bug is now fixed by - updating the source code to clean up credential caches in the described use cases. After the - configuration, the credential cache gets cleaned up on exit if the user configures it. -

-
-

- (BZ#1683295) -

-
-

OpenSSH now correctly handles PKCS #11 URIs for keys with mismatching - labels

-

- Previously, specifying PKCS #11 URIs with the object part (key label) could prevent OpenSSH - from finding related objects in PKCS #11. With this update, the label is ignored if the - matching objects are not found, and keys are matched only by their IDs. As a result, OpenSSH - is now able to use keys on smart cards referenced using full PKCS #11 URIs. -

-
-

- (BZ#1671262) -

-
-

SSH connections with VMware-hosted systems now work properly -

-

- The previous version of the OpenSSH suite introduced a change - of the default IP Quality of Service (IPQoS) flags in SSH packets, which was not correctly - handled by the VMware virtualization platform. Consequently, it was not possible to - establish an SSH connection with systems on VMware. The problem has been fixed in VMWare - Workstation 15, and SSH connections with VMware-hosted systems now work correctly. -

-
-

- (BZ#1651763) -

-
-

curve25519-sha256 is now supported by - default in OpenSSH

-

- Previously, the curve25519-sha256 SSH key exchange algorithm - was missing in the system-wide crypto policies configurations for the OpenSSH client and - server even though it was compliant with the default policy level. As a consequence, if a - client or a server used curve25519-sha256 and this algorithm - was not supported by the host, the connection might fail. This update of the crypto-policies package fixes the bug, and SSH connections no - longer fail in the described scenario. -

-
-

- (BZ#1678661) -

-
-

Ansible playbooks for OSPP and PCI-DSS profiles no longer exit after - encountering a failure

-

- Previously, Ansible remediations for the Security Content Automation Protocol (OSPP) and the - Payment Card Industry Data Security Standard (PCI-DSS) profiles failed due to incorrect - ordering and other errors in the remediations. This update fixes the ordering and errors in - generated Ansible remediation playbooks, and Ansible remediations now work correctly. -

-
-

- (BZ#1741455) -

-
-

Audit transport=KRB5 now works - properly

-

- Prior to this update, Audit KRB5 transport mode did not work correctly. Consequently, Audit - remote logging using the Kerberos peer authentication did not work. With this update, the - problem has been fixed, and Audit remote logging now works properly in the described - scenario. -

-
-

- (BZ#1730382) -

-
-
-
-
-
-

6.4.4. Networking

-
-
-
-
-

The kernel now supports destination MAC addresses in bitmap:ipmac, hash:ipmac, and - hash:mac IP set types

-

- Previously, the kernel implementation of the bitmap:ipmac, - hash:ipmac, and hash:mac IP set - types only allowed matching on the source MAC address, while destination MAC addresses could - be specified, but were not matched against set entries. As a consequence, administrators - could create iptables rules that used a destination MAC address - in one of these IP set types, but packets matching the given specification were not actually - classified. With this update, the kernel compares the destination MAC address and returns a - match if the specified classification corresponds to the destination MAC address of a - packet. As a result, rules that match packets against the destination MAC address now work - correctly. -

-
-

- (BZ#1649087) -

-
-

The gnome-control-center application now - supports editing advanced IPsec settings

-

- Previously, the gnome-control-center application only displayed - the advanced options of IPsec VPN connections. Consequently, users could not change these - settings. With this update, the fields in the advanced settings are now editable, and users - can save the changes. -

-
-

- (BZ#1697329) -

-
-

The TRACE target in the iptables-extensions(8) man page has been updated

-

- Previously, the description of the TRACE target in the iptables-extensions(8) man page referred only to the compat variant, but Red Hat Enterprise Linux 8 uses the nf_tables variant. As a consequence, the man page did not - reference the xtables-monitor command-line utility to display - TRACE events. The man page has been updated and, as a result, - now mentions xtables-monitor. -

-
-

- (BZ#1658734) -

-
-

Error logging in the ipset service has - been improved

-

- Previously, the ipset service did not report configuration - errors with a meaningful severity in the systemd logs. The - severity level for invalid configuration entries was only informational, and the service did not report errors for an - unusable configuration. As a consequence, it was difficult for administrators to identify - and troubleshoot issues in the ipset service’s configuration. - With this update, ipset reports configuration issues as warnings in systemd logs and, if the - service fails to start, it logs an entry with the error - severity including further details. As a result, it is now easier to troubleshoot issues in - the configuration of the ipset service. -

-
-

- (BZ#1683711) -

-
-

The ipset service now ignores invalid - configuration entries during startup

-

- The ipset service stores configurations as sets in separate - files. Previously, when the service started, it restored the configuration from all sets in - a single operation, without filtering invalid entries that can be inserted by manually - editing a set. As a consequence, if a single configuration entry was invalid, the service - did not restore further unrelated sets. The problem has been fixed. As a result, the ipset service detects and removes invalid configuration entries - during the restore operation, and ignores invalid configuration entries. -

-
-

- (BZ#1683713) -

-
-

The ipset list command reports consistent - memory for hash set types

-

- When you add entries to a hash set type, the ipset utility must resize the in-memory representation to for new - entries by allocating an additional memory block. Previously, ipset set the total per-set allocated size to only the size of - the new block instead of adding the value to the current in-memory size. As a consequence, - the ip list command reported an inconsistent memory size. With - this update, ipset correctly calculates the in-memory size. As - a result, the ipset list command now displays the correct - in-memory size of the set, and the output matches the actual allocated memory for hash set types. -

-
-

- (BZ#1714111) -

-
-

The kernel now correctly updates PMTU when receiving ICMPv6 Packet Too Big message

-

- In certain situations, such as for link-local addresses, more than one route can match a - source address. Previously, the kernel did not check the input interface when receiving - Internet Control Message Protocol Version 6 (ICMPv6) packets. Therefore, the route lookup - could return a destination that did not match the input interface. Consequently, when - receiving an ICMPv6 Packet Too Big message, the kernel could - update the Path Maximum Transmission Unit (PMTU) for a different input interface. With this - update, the kernel checks the input interface during the route lookup. As a result, the - kernel now updates the correct destination based on the source address and PMTU works as - expected in the described scenario. -

-
-

- (BZ#1721961) -

-
-

The /etc/hosts.allow and /etc/hosts.deny files no longer contain outdated references - to removed tcp_wrappers

-

- Previously, the /etc/hosts.allow and /etc/hosts.deny files contained outdated information about the - tcp_wrappers package. The files are removed in RHEL 8 as they - are no longer needed for tcp_wrappers which is removed. -

-
-

- (BZ#1663556) -

-
-
-
-
-
-

6.4.5. Kernel

-
-
-
-
-

tpm2-abrmd-selinux now has a proper - dependency on selinux-policy-targeted

-

- Previously, the tpm2-abrmd-selinux package had a dependency on - the selinux-policy-base package instead of the selinux-policy-targeted package. Consequently, if a system had - selinux-policy-minimum installed instead of selinux-policy-targeted, installation of the tpm2-abrmd-selinux package failed. This update fixes the bug and - tpm2-abrmd-selinux can be installed correctly in the described - scenario. -

-
-

- (BZ#1642000) -

-
-

All /sys/kernel/debug files can be - accessed

-

- Previously, the return value for "Operation not permitted" (EPERM) error remained set until - the end of the function regardless of the error. Consequently, any attempts to access - certain /sys/kernel/debug (debugfs) files failed with an - unwarranted EPERM error. This update moves the EPERM return value to the following block. As - a result, debugfs files can be accessed without problems in the - described scenario. -

-
-

- (BZ#1686755) -

-
-

NICs are no longer affected by a bug in the qede driver for the 41000 and 45000 FastLinQ series -

-

- Previously, firmware upgrade and debug data collection operations failed due to a bug in the - qede driver for the 41000 and 45000 FastLinQ series. It made - the NIC unusable. The reboot (PCI reset) of the host made the NIC operational again. -

-
-

- This issue could occur in the following scenarios: -

-
-
    -
  • - during the upgrade of Firmware of the NIC using the inbox driver -
  • -
  • - during the collection of debug data running the ethtool -d ethx command -
  • -
  • - while running an sosreport command that included ethtool -d ethx. -
  • -
  • - during the initiation of automatic debug data collection by the inbox driver, such as - I/O timeout, Mail Box Command time-out and a Hardware Attention. -
  • -
-
-

- To fix this issue, Red Hat released an erratum via Red Hat Bug Advisory (RHBA). Before the - release of RHBA, it was recommended to create a case in https://access.redhat.com/support to request - for supported fix. -

-

- (BZ#1697310) -

-
-

The generic EDAC GHES driver now detects - which DIMM reported an error

-

- Previously, the EDAC GHES driver was not able to detect which - DIMM reported an error. Consequently, the following error message appeared: -

-
-
DIMM location: not present. DMI handle: 0x<ADDRESS>
-

- The driver has been now updated to scan the DMI (SMBIOS) tables to - detect the specific DIMM that matches the Desktop Management Interface (DMI) handle 0x<ADDRESS>. As a result, EDAC GHES correctly detects which specific DIMM reported a hardware - error. -

-

- (BZ#1721386) -

-
-

podman is able to checkpoint containers in - RHEL 8

-

- Previously, the version of the Checkpoint and Restore In Userspace (CRIU) package was - outdated. Consequently, CRIU did not support container checkpoint and restore functionality, - and the podman utility failed to checkpoint containers. When - running the podman container checkpoint command, the following - error message was displayed: -

-
-
'checkpointing a container requires at least CRIU 31100'
-

- This update fixes the problem by upgrading the version of the CRIU package. As a result, podman now supports container checkpoint and restore functionality. -

-

- (BZ#1689746) -

-
-

early-kdump and standard kdump no longer fail if the add_dracutmodules+=earlykdump option is used in dracut.conf

-

- Previously, an inconsistency occurred between the kernel version being installed for early-kdump and the kernel version initramfs was generated for. As a consequence, booting failed - when early-kdump was enabled. In addition, if early-kdump detected that it was being included in a standard - kdump initramfs image, it forced an exit. Therefore the - standard kdump service also failed when trying to rebuild kdump initramfs if early-kdump was - added as a default dracut module. As a consequence, early-kdump and standard kdump both - failed. With this update, early-kdump uses the consistent - kernel name during the installation, only the version differs from the running kernel. Also, - the standard kdump service will forcibly drop early-kdump to avoid image generation failure. As a result, early-kdump and standard kdump no - longer fail in the described scenario. -

-
-

- (BZ#1662911) -

-
-

The first kernel with SME enabled now succeeds in dumping the - vmcore

-

- Previously, the encrypted memory in the first kernel with the active Secure Memory - Encryption (SME) feature caused a failure of the kdump - mechanism. Consequently, the first kernel was not able to dump the contents (vmcore) of its - memory. With this update, the ioremap_encrypted() function has - been added to remap the encrypted memory and modify the related code. As a result, the - encrypted first kernel’s memory is now properly accessed, and the vmcore can be dumped and - parsed by the crash tools in the described scenario. -

-
-

- (BZ#1564427) -

-
-

The first kernel with SEV enabled now succeeds in dumping the - vmcore

-

- Previously, the encrypted memory in the first kernel with the active Secure Encrypted - Virtualization (SEV) feature caused a failure of the kdump - mechanism. Consequently, the first kernel was not able to dump the contents (vmcore) of its - memory. With this update, the ioremap_encrypted() function has - been added to remap the encrypted memory and modify the related code. As a result, the first - kernel’s encrypted memory is now properly accessed, and the vmcore can be dumped and parsed - by the crash tools in the described scenario. -

-
-

- (BZ#1646810) -

-
-

Kernel now reserves more space for SWIOTLB

-

- Previously, when Secure Encrypted Virtualization (SEV) or Secure Memory Encryption (SME) - features was enabled in the kernel, the Software Input Output Translation Lookaside Buffer - (SWIOTLB) technology had to be enabled as well and consumed a significant amount of memory. - Consequently, the capture kernel failed to boot or got an out-of-memory error. This update - fixes the bug by reserving extra crashkernel memory for SWIOTLB while SEV/SME is active. As - a result, the capture kernel has more memory reserved for SWIOTLB and the bug no longer - appears in the described scenario. -

-
-

- (BZ#1728519) -

-
-

C-state transitions can now be disabled during hwlatdetect runs

-

- To achieve real-time performance, the hwlatdetect utility needs - to be able to disable power saving in the CPU during test runs. This update allows hwlatdetect to turn off C-state transitions for the duration of - the test run and hwlatdetect is now able to detect hardware - latencies more accurately. -

-
-

- (BZ#1707505) -

-
-
-
-
-
-

6.4.6. Hardware enablement

-
-
-
-
-

The openmpi package can be installed - now

-

- Previously, a rebase on opensm package changed its soname mechanism. As a consequence, the openmpi package could not be installed due to unresolved - dependencies. This update fixes the problem. As a result, the openmpi package can be installed now without any issue. -

-
-

- (BZ#1717289) -

-
-
-
-
-
-

6.4.7. File systems and storage

-
-
-
-
-

The RHEL 8 installation program now uses the entry ID to set the - default boot entry

-

- Previously, the RHEL 8 installation program used the index of the first boot entry as the - default, instead of using the entry ID. As a consequence, adding a new boot entry became the - default, as it was sorted first and set to the first index. With this update, the - installation program uses the entry ID to set the default boot entry, and as a result, the - default entry is not changed, even if boot entries are added and sorted before the default. -

-
-

- (BZ#1671047) -

-
-

The system now boots successfully when SME is enabled with - smartpqi

-

- Previously, the system failed to boot on certain AMD machines when the Secure Memory - Encryption (SME) feature was enabled and the root disk was using the smartpqi driver. -

-
-

- When the boot failed, the system displayed a message similar to the following in the boot log: -

-
smartpqi 0000:23:00.0: failed to allocate PQI error buffer
-

- This problem was caused by the smartpqi driver, which was falling - back to the Software Input Output Translation Lookaside Buffer (SWIOTLB) because the coherent - Direct Memory Access (DMA) mask was not set. -

-

- With this update, the coherent DMA mask is now correctly set. As a result, the system now boots - successfully when SME is enabled on machines that use the smartpqi - driver for the root disk. -

-

- (BZ#1712272) -

-
-

FCoE LUNs do not disappear after being created on the bnx2fc cards

-

- Previously, after creating a FCoE LUN on the bnx2fc cards, the - FCoE LUNs were not attached correctly. As a consequence, FCoE LUNs disappeared after being - created on the bnx2fc cards on RHEL 8.0. With this update, FCoE - LUNs are attached correctly. As a result, it is now possible to discover the FCoE LUNs after - they are created on the bnx2fc cards. -

-
-

- (BZ#1685894) -

-
-

VDO volumes no longer lose deduplication advice after moving to a - different-endian platform

-

- Previously, the Universal Deduplication Service (UDS) index lost all deduplication advice - after moving the VDO volume to a platform that used a different endian. As a consequence, - VDO was unable to deduplicate newly written data against the data that was stored before you - moved the volume, leading to lower space savings. -

-
-

- With this update, you can now move VDO volumes between platforms that use different endians - without losing deduplication advice. -

-

- (BZ#1696492) -

-
-

kdump service works on large IBM POWER systems

-

- Previously, RHEL8 kdump kernel did not start. As a consequence, - the kdump initrd file on large IBM POWER systems was not created. With this update, squashfs-tools-4.3-19.el8 component is added. This update adds a - limit (128) to the number of CPUs which the squashfs-tools-4.3-19.el8 component can use from the available - pool (instead of using all the available CPUs). This fixes the running out of resources - error. As a result, kdump service now works on large IBM POWER systems. -

-
-

- (BZ#1716278) -

-
-

Verbosity debug options now added to nfs.conf

-

- Previously, the /etc/nfs.conf file and the nfs.conf(5) man page did not include the following options: -

-
-
-
    -
  • - verbosity -
  • -
  • - rpc-verbosity -
  • -
-
-

- As a consequence, users were unaware of the availability of these debug flags. With this update, - these flags are now included in the [gssd] section of the /etc/nfs.conf file and are also documented in the nfs.conf(8) man page. -

-

- (BZ#1668026) -

-
-
-
-
-
-

6.4.8. Dynamic programming languages, web and database servers

-
-
-
-
-

Socket::inet_aton() can now be used from - multiple threads safely

-

- Previously, the Socket::inet_aton() function, used for - resolving a domain name from multiple Perl threads, called the unsafe gethostbyname() glibc function. - Consequently, an incorrect IPv4 address was occasionally returned, or the Perl interpreter - terminated unexpectedly. With this update, the Socket::inet_aton() implementation has been changed to use the - thread-safe getaddrinfo() glibc - function instead of gethostbyname(). As a result, the inet_aton() function from Perl Socket module can be used from multiple threads safely. -

-
-

- (BZ#1699793, BZ#1699958) -

-
-
-
-
-
-

6.4.9. Compilers and development tools

-
-
-
-
-

gettext returns untranslated text even - when out of memory

-

- Previously, the gettext() function for text localization - returned the NULL value instead of text when out of memory, resulting in applications - lacking text output or labels. The bug has been fixed and now, gettext() - returns untranslated text when out of memory as - expected. -

-
-

- (BZ#1663035) -

-
-

The locale command now warns about LOCPATH being set whenever it encounters an error during - execution

-

- Previously, the locale command did not provide any diagnostics - for the LOCPATH environment variable when it encountered errors - due to an invalid LOCPATH. The locale command is now set to warn that LOCPATH has been set any time it encounters an error during - execution. As a result, locale now reports LOCPATH along with any underlying errors that it encounters. -

-
-

- (BZ#1701605) -

-
-

gdb now can read and correctly represent - z registers in core files on - aarch64 SVE

-

- Previously, the gdb component failed to read z registers from core files with - aarch64 scalable vector extension (SVE) architecture. With this update, the gdb component is now able to read z - registers from core files. As a result, the info register command successfully shows the z register contents. -

-
-

- (BZ#1669953) -

-
-

GCC rebased to version 8.3.1

-

- The GNU Compiler Collection (GCC) has been updated to upstream version 8.3.1. This version - brings a large number of miscellaneous bug fixes. -

-
-

- (BZ#1680182) -

-
-
-
-
-
-

6.4.10. Identity Management

-
-
-
-
-

FreeRADIUS now resolves hostnames pointing to IPv6 addresses -

-

- In previous RHEL 8 versions of FreeRADIUS, the ipaddr utility - only supported IPv4 addresses. Consequently, for the radiusd - daemon to resolve IPv6 addresses, a manual update of the configuration was required after an - upgrade of the system from RHEL 7 to RHEL 8. This update fixes the underlying code, and - ipaddr in FreeRADIUS now uses IPv6 addresses, too. -

-
-

- (BZ#1685546) -

-
-

The Nuxwdog service no longer fails to - start the PKI server in HSM environments

-

- Previously, due to bugs, the keyutils package was not installed - as a dependency of the pki-core package. Additionally, the - Nuxwdog watchdog service failed to start the public key - infrastructure (PKI) server in environments that use a hardware security module (HSM). These - problems have been fixed. As a result, the required keyutils - package is now installed automatically as a dependency, and Nuxwdog starts the PKI server as expected in environments with - HSM. -

-
-

- (BZ#1695302) -

-
-

The IdM server now works correctly in the FIPS mode

-

- Previously, the SSL connector for Tomcat server was incompletely implemented. As a - consequence, the Identity Management (IdM) server with an installed certificate server did - not work on machines with the FIPS mode enabled. This bug has been fixed by adding JSSTrustManager and JSSKeyManager. - As a result, the IdM server works correctly in the described scenario. -

-
-

- Note that there are several bugs that prevent the IdM server from running in the FIPS mode in - RHEL 8. This update fixes just one of them. -

-

- (BZ#1673296) -

-
-

The KCM credential cache is now suitable for a large number of - credentials in a single credential cache

-

- Previously, if the Kerberos Credential Manager (KCM) contained a large number of - credentials, Kerberos operations, such as kinit, failed due to a limitation of the - size of entries in the database and the number of these entries. -

-
-

- This update introduces the following new configuration options to the kcm section of the sssd.conf file: -

-
-
    -
  • - max_ccaches (integer) -
  • -
  • - max_uid_ccaches (integer) -
  • -
  • - max_ccache_size (integer) -
  • -
-
-

- As a result, KCM can now handle a large number of credentials in a single ccache. -

-

- For further information on the configuration options, see sssd-kcm man page. -

-

- (BZ#1448094) -

-
-

Samba no longer denies access when using the sss ID mapping plug-in

-

- Previously, when you ran Samba on the domain member with this configuration and added a - configuration that used the sss ID mapping back end to the - /etc/samba/smb.conf file to share directories, changes in the - ID mapping back end caused errors. Consequently, Samba denied access to files in certain - cases, even if the user or group existed and it was known by SSSD. The problem has been - fixed. As a result, Samba no longer denies access when using the sss plug-in. -

-
-

- (BZ#1657665) -

-
-

Default SSSD time-out values no longer conflict with each - other

-

- Previously, there was a conflict between the default time-out values. The default values for - the following options have been changed to improve the failover capability: -

-
-
-
    -
  • - dns_resolver_op_timeout - set to 2s (previously 6s) -
  • -
  • - dns_resolver_timeout - set to 4s (previously 6s) -
  • -
  • - ldap_opt_timeout - set to 8s (previously 6s) -
  • -
-
-

- Also, a new dns_resolver_server_timeout option, with default value - of 1000 ms has been added, which specifies the time out duration for SSSD to switch from one DNS - server to another. -

-

- (BZ#1382750) -

-
-
-
-
-
-

6.4.11. Desktop

-
-
-
-
-

systemctl isolate multi-user.target now - displays the console prompt

-

- When running the systemctl isolate multi-user.target command - from GNOME Terminal in a GNOME Desktop session, only a cursor was displayed, and not the - console prompt. This update fixes gdm, and the console prompt - is now displayed as expected in the described situation. -

-
-

- (BZ#1678627) -

-
-
-
-
-
-

6.4.12. Graphics infrastructures

-
-
-
-
-

The 'i915' display driver now supports display configurations up to - 3×4K.

-

- Previously, it was not possible to have display configurations larger than 2×4K when using - the 'i915' display driver in an Xorg - session. With this update, the 'i915' driver now supports display configurations up to 3×4K. -

-
-

- (BZ#1664969) -

-
-

Linux guests no longer display an error when initializing the GPU - driver

-

- Previously, Linux guests returned a warning when initializing the GPU driver. This happened - because Intel Graphics Virtualization Technology –g (GVT -g) only simulates the DisplayPort (DP) interface for guest and leaves the ‘EDP_PSR_IMR’ - and ‘EDP_PSR_IIR’ registers as default memory-mapped I/O (MMIO) read/write registers. To - resolve this issue, handlers have been added to these registers and the warning is no longer - returned. -

-
-

- (BZ#1643980) -

-
-
-
-
-
-

6.4.13. The web console

-
-
-
-
-

It is possible to login to RHEL web console with session_recording - shell

-

- Previously, it was not possible for users of the tlog shell - (which enables session recording) to log in to the RHEL web console. This update fixes the - bug. The previous workaround of adding the tlog-rec-session - shell to /etc/shells/ should be reverted after installing this - update. -

-
-

- (BZ#1631905) -

-
-
-
-
-
-

6.4.14. Virtualization

-
-
-
-
-

Hot-plugging PCI devices to a pcie-to-pci bridge controller works - correctly

-

- Previously, if a guest virtual machine configuration contained a pcie-to-pci-bridge - controller that had no endpoint devices attached to it at the time the guest was started, - hot-plugging new devices to that controller was not possible. This update improves how - hot-plugging legacy PCI devices on a PCIe system is handled, which prevents the problem from - occurring. -

-
-

- (BZ#1619884) -

-
-

Enabling nested virtualization no longer blocks live migration -

-

- Previously, the nested virtualization feature was incompatible with live migration. As a - consequence, enabling nested virtualization on a RHEL 8 host prevented migrating any virtual - machines (VMs) from the host, as well as saving VM state snapshots to disk. This update - fixes the described problem, and the impacted VMs are now possible to migrate. -

-
-

- (BZ#1689216) -

-
-
-
-
-
-

6.4.15. Supportability

-
-
-
-
-

redhat-support-tool now creates an sosreport archive

-

- Previously, the redhat-support-tool utility was unable to - create an sosreport archive. The workaround was running the - sosreport command separately and then entering the redhat-support-tool addattachment -c command to upload the - archive. Users can also use the web UI on Customer Portal which creates the customer case - and uploads the sosreport archive. -

-
-

- In addition, command options such as findkerneldebugs, btextract, analyze, or diagnose do not work as expected and will be fixed in a future - release. -

-

- (BZ#1688274) -

-
-
-
-
-
-
-

6.5. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.1. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features - Support Scope. -

-
-
-
-
-

6.5.1. Networking

-
-
-
-
-

TIPC has full support

-

- The Transparent Inter Process Communication (TIPC) is a - protocol specially designed for efficient communication within clusters of loosely paired - nodes. It works as a kernel module and provides a tipc tool in - iproute2 package to allow designers to create applications that - can communicate quickly and reliably with other applications regardless of their location - within the cluster. This feature is now fully supported in RHEL 8. -

-
-

- (BZ#1581898) -

-
-

eBPF for tc available as a Technology Preview

-

- As a Technology Preview, the Traffic Control (tc) kernel subsystem and the tc tool can attach extended Berkeley - Packet Filtering (eBPF) programs as packet classifiers and actions for both ingress and - egress queueing disciplines. This enables programmable packet processing inside the kernel - network data path. -

-
-

- (BZ#1699825) -

-
-

nmstate available as a Technology - Preview

-

- Nmstate is a network API for hosts. The nmstate packages, - available as a Technology Preview, provide a library and the nmstatectl command-line utility to manage host network settings - in a declarative manner. The networking state is described by a pre-defined schema. - Reporting of the current state and changes to the desired state both conform to the schema. -

-
-

- For further details, see the /usr/share/doc/nmstate/README.md file - and the examples in the /usr/share/doc/nmstate/examples directory. -

-

- (BZ#1674456) -

-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet - processing. It accompanies XDP and grants efficient redirection - of programmatically selected packets to user space applications for further processing. -

-
-

- (BZ#1633143) -

-
-

XDP available as a - Technology Preview

-

- The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a - means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet - processing at an early point in the kernel ingress data path, allowing efficient - programmable packet analysis, filtering, and manipulation. -

-
-

- (BZ#1503672) -

-
-

KTLS available as a Technology Preview

-

- In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a - Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption - algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for - offloading TLS record encryption to Network Interface Controllers (NICs) that support this - functionality. -

-
-

- (BZ#1570255) -

-
-

The systemd-resolved service is now - available as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, an - Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- (BZ#1906489) -

-
-
-
-
-
-

6.5.2. Kernel

-
-
-
-
-

Control Group v2 - available as a Technology Preview in RHEL 8

-

- Control Group v2 mechanism is a unified - hierarchy control group. Control Group - v2 organizes processes hierarchically and distributes system - resources along the hierarchy in a controlled and configurable manner. -

-
-

- Unlike the previous version, Control Group - v2 has only a single hierarchy. This single hierarchy enables the Linux - kernel to: -

-
-
    -
  • - Categorize processes based on the role of their owner. -
  • -
  • - Eliminate issues with conflicting policies of multiple hierarchies. -
  • -
-
-

- Control Group v2 supports numerous - controllers: -

-
-
    -
  • -

    - CPU controller regulates the distribution of CPU cycles. This controller implements: -

    -
    -
      -
    • - Weight and absolute bandwidth limit models for normal scheduling policy. -
    • -
    • - Absolute bandwidth allocation model for real time scheduling policy. -
    • -
    -
    -
  • -
  • -

    - Memory controller regulates the memory distribution. Currently, the following types - of memory usages are tracked: -

    -
    -
      -
    • - Userland memory - page cache and anonymous memory. -
    • -
    • - Kernel data structures such as dentries and inodes. -
    • -
    • - TCP socket buffers. -
    • -
    -
    -
  • -
  • - I/O controller regulates the distribution of I/O resources. -
  • -
  • - Writeback controller interacts with both Memory and I/O controllers and is Control Group v2 specific. -
  • -
-
-

- The information above was based on link: https://www.kernel.org/doc/Documentation/cgroup-v2.txt. - You can refer to the same link to obtain more information about particular Control Group v2 controllers. -

-

- (BZ#1401552) -

-
-

kexec fast reboot as a Technology - Preview

-

- The kexec fast reboot feature, continues to be available as a - Technology Preview. Rebooting is now significantly faster thanks to kexec fast reboot. To use this feature, load the kexec kernel - manually, and then reboot the operating system. -

-
-

- (BZ#1769727) -

-
-

eBPF available as a - Technology Preview

-

- Extended Berkeley Packet Filter (eBPF) - is an in-kernel virtual machine that allows code execution in the kernel space, in the - restricted sandbox environment with access to a limited set of functions. -

-
-

- The virtual machine includes a new system call bpf(), which - supports creating various types of maps, and also allows to load programs in a special - assembly-like code. The code is then loaded to the kernel and translated to the native machine - code with just-in-time compilation. Note that the bpf() syscall can - be successfully used only by a user with the CAP_SYS_ADMIN - capability, such as the root user. See the bpf(2) man page for more - information. -

-

- The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet - reception) to receive and process data. -

-

- There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a - different development phase, and thus not all components are currently fully supported. All - components are available as a Technology Preview, unless a specific component is indicated as - supported. -

-

- The following notable eBPF components are - currently available as a Technology Preview: -

-
-
    -
  • - The BPF Compiler Collection (BCC) - tools package, a collection of dynamic kernel tracing utilities that use the eBPF virtual machine. The BCC tools package is available as a - Technology Preview on the following architectures: the 64-bit ARM architecture, IBM - Power Systems, Little Endian, and IBM Z. Note that it is fully supported on the AMD and - Intel 64-bit architectures. -
  • -
  • - bpftrace, a high-level tracing language that utilizes the - eBPF virtual machine. -
  • -
  • - The eXpress Data Path (XDP) feature, a networking technology that enables fast packet - processing in the kernel using the eBPF virtual machine. -
  • -
-
-

- (BZ#1559616) -

-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol - which implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which - supports two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in - RHEL 8. -

-
-

- (BZ#1605216) -

-
-
-
-
-
-

6.5.3. Hardware enablement

-
-
-
-
-

The igc driver available as a Technology - Preview for RHEL 8

-

- The igc Intel 2.5G Ethernet Linux wired LAN driver is now - available on all architectures for RHEL 8 as a Technology Preview. The ethtool utility also supports igc - wired LANs. -

-
-

- (BZ#1495358) -

-
-
-
-
-
-

6.5.4. File systems and storage

-
-
-
-
-

NVMe/TCP is available as a Technology Preview

-

- Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks - (NVMe/TCP) and its corresponding nvme-tcp.ko and nvmet-tcp.ko kernel modules have been added as a Technology - Preview. -

-
-

- The use of NVMe/TCP as either a storage client or a target is manageable with tools provided by - the nvme-cli and nvmetcli packages. -

-

- NVMe/TCP provides a storage transport option along with the existing NVMe over Fabrics (NVMe-oF) - transport, which include Remote Direct Memory Access (RDMA) and Fibre Channel (NVMe/FC). -

-

- (BZ#1696451) -

-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8.1, file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address - space. To use DAX, a system must have some form of persistent memory available, usually in - the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file - system that supports DAX must be created on the NVDIMM(s). Also, the file system must be - mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct - mapping of storage into the application’s address space. -

-
-

- (BZ#1627455) -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top - of another. Changes are recorded in the upper file system, while the lower file system - remains unmodified. This allows multiple users to share a file-system image, such as a - container or a DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs - warnings when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other - specialized use cases, such as squashed kdump initramfs. - Its use is supported primarily for container COW content, not for persistent storage. - You must place any persistent storage on non-OverlayFS volumes. You can use only the - default container engine configuration: one level of overlay, one lowerdir, and both - lower and upper levels are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might - change in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped - with MAP_SHARED are inconsistent with - subsequent modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on - RHEL 8, but you can enable full POSIX compliance for them with a module - option or mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and - index=on options to improve POSIX - compliance. These two options make the format of the upper layer - incompatible with an overlay without these options. That is, you might - get unexpected results or errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, - use the following command and see if the ftype=1 option - is enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see - Non-standard behavior in the Linux - kernel documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- (BZ#1690207) -

-
-

Stratis is now available as a Technology Preview

-

- Stratis is a new local storage manager. It provides managed file systems on top of pools of - storage with additional features to the user. -

-
-

- Stratis enables you to more easily perform storage tasks such as: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- (JIRA:RHELPLAN-1212) -

-
-

A Samba server, available to IdM and AD users logged into IdM hosts, - can now be set up on an IdM domain member as a Technology Preview

-

- With this update, you can now set up a Samba server on an Identity Management (IdM) domain - member. The new ipa-client-samba utility provided by the - same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the - IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the - sss ID mapping back end. As a result, administrators can now - set up Samba on an IdM domain member. -

-
-

- Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows - hosts cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not - support resolving IdM groups using the Distributed Computing Environment / Remote Procedure - Calls (DCE/RPC) protocols. As a consequence, AD users can only access the Samba shares and - printers from IdM clients. -

-

- For details, see Setting - up Samba on an IdM domain member. -

-

- (JIRA:RHELPLAN-13195) -

-
-
-
-
-
-

6.5.5. High availability and clusters

-
-
-
-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on the podman container - platform, with the container bundle feature being available as a Technology Preview. There - is one exception to this feature being Technology Preview: Red Hat fully supports the use of - Pacemaker bundles for Red Hat Openstack. -

-
-

- (BZ#1619620) -

-
-

Heuristics in corosync-qdevice available - as a Technology Preview

-

- Heuristics are a set of commands executed locally on startup, cluster membership change, - successful connect to corosync-qnetd, and, optionally, on a - periodic basis. When all commands finish successfully on time (their return error code is - zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to - corosync-qnetd where it is used in calculations to determine - which partition should be quorate. -

-
-

- (BZ#1784200) -

-
-

New fence-agents-heuristics-ping fence - agent

-

- As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of - experimental fence agents that do no actual fencing by themselves but instead exploit the - behavior of fencing levels in a new way. -

-
-

- If the heuristics agent is configured on the same fencing level as the fence agent that does the - actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the - agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to - succeed, causing Pacemaker fencing to skip the step of issuing the off action on the agent that does the fencing. A heuristics agent can - exploit this behavior to prevent the agent that does the actual fencing from fencing a node - under certain conditions. -

-

- A user might want to use this agent, especially in a two-node cluster, when it would not make - sense for a node to fence the peer if it can know beforehand that it would not be able to take - over the services properly. For example, it might not make sense for a node to take over - services if it has problems reaching the networking uplink, making the services unreachable to - clients, a situation which a ping to a router might detect in that case. -

-

- (BZ#1775847) -

-
-
-
-
-
-

6.5.6. Identity Management

-
-
-
-
-

Identity Management JSON-RPC API available as Technology - Preview

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as Technology Preview. -

-
-

- In Red Hat Enterprise Linux 7.3, the IdM API was enhanced to enable multiple versions of API - commands. Previously, enhancements could change the behavior of a command in an incompatible - way. Users are now able to continue using existing tools and scripts even if the IdM API - changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the - managing client. -
  • -
  • - Developers to use a specific version of an IdM call, even if the IdM version changes on - the server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- (BZ#1664719) -

-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones - hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

-
- -
-

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other - DNS servers. This might affect the availability of DNS zones that are not configured in - accordance with recommended naming practices. -

-

- (BZ#1664718) -

-
-
-
-
-
-

6.5.7. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is - available as a Technology Preview. Note that the rest of the graphics stack is currently - unverified for the 64-bit ARM architecture. -

-
-

- (BZ#1698565) -

-
-
-
-
-
-

6.5.8. Red Hat Enterprise Linux system roles

-
-
-
-
-

The postfix role of RHEL system roles - available as a Technology Preview

-

- Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat - Enterprise Linux subsystems, which makes system configuration easier through the inclusion - of Ansible Roles. This interface enables managing system configurations across multiple - versions of Red Hat Enterprise Linux, as well as adopting new major releases. -

-
-

- The rhel-system-roles packages are distributed through the - AppStream repository. -

-

- The postfix role is available as a Technology Preview. -

-

- The following roles are fully supported: -

-
-
    -
  • - kdump -
  • -
  • - network -
  • -
  • - selinux -
  • -
  • - storage -
  • -
  • - timesync -
  • -
-
-

- For more information, see the Knowledgebase article about RHEL system roles. -

-

- (BZ#1812552) -

-
-

rhel-system-roles-sap available as a - Technology Preview

-

- The rhel-system-roles-sap package provides Red Hat Enterprise - Linux (RHEL) system roles for SAP, which can be used to automate the configuration of a RHEL - system to run SAP workloads. These roles greatly reduce the time to configure a system to - run SAP workloads by automatically applying the optimal settings that are based on best - practices outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions - offerings. Please contact Red Hat Customer Support if you need assistance with your - subscription. -

-
-

- The following new roles in the rhel-system-roles-sap package are - available as a Technology Preview: -

-
-
    -
  • - sap-preconfigure -
  • -
  • - sap-netweaver-preconfigure -
  • -
  • - sap-hana-preconfigure -
  • -
-
-

- For more information, see Red - Hat Enterprise Linux system roles for SAP. -

-

- Note: RHEL 8.1 for SAP Solutions is scheduled to be validated for use with SAP HANA on Intel 64 - architecture and IBM POWER9. Other SAP applications and database products, for example, SAP - NetWeaver and SAP ASE, can use RHEL 8.1 features. Please consult SAP Notes 2369910 and 2235581 - for the latest information about validated releases and SAP support. -

-

- (BZ#1660832) -

-
-

rhel-system-roles-sap rebased to version - 1.1.1

-

- With the RHBA-2019:4258 advisory, the - rhel-system-roles-sap package has been updated to provide - multiple bug fixes. Notably: -

-
-
-
    -
  • - SAP system roles work on hosts with non-English locales -
  • -
  • - kernel.pid_max is set by the sysctl module -
  • -
  • - nproc is set to unlimited for HANA (see SAP note 2772999 - step 9) -
  • -
  • - hard process limit is set before soft process limit -
  • -
  • - code that sets process limits now works identically to role sap-preconfigure -
  • -
  • - handlers/main.yml only works for non-uefi systems and is - silently ignored on uefi systems -
  • -
  • - removed unused dependency on rhel-system-roles -
  • -
  • - removed libssh2 from the sap_hana_preconfigure_packages -
  • -
  • - added further checks to avoid failures when certain CPU settings are not supported -
  • -
  • - converted all true and false to lowercase -
  • -
  • - updated minimum package handling -
  • -
  • - host name and domain name set correctly -
  • -
  • - many minor fixes -
  • -
-
-

- The rhel-system-roles-sap package is available as a Technology - Preview. -

-

- (BZ#1766622) -

-
-
-
-
-
-

6.5.9. Virtualization

-
-
-
-
-

Select Intel network adapters now support SR-IOV in RHEL guests on - Hyper-V

-

- As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a - Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel - network adapters supported by the ixgbevf and iavf drivers. This feature is enabled when the following - conditions are met: -

-
-
-
    -
  • - SR-IOV support is enabled for the network interface controller (NIC) -
  • -
  • - SR-IOV support is enabled for the virtual NIC -
  • -
  • - SR-IOV support is enabled for the virtual switch -
  • -
  • - The virtual function (VF) from the NIC is attached to the virtual machine. -
  • -
-
-

- The feature is currently supported with Microsoft Windows Server 2019 and 2016. -

-

- (BZ#1348508) -

-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual - machines

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on - a Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel systems. In addition, nested - virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the - following Microsoft documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- (BZ#1519039) -

-
-

AMD SEV for KVM virtual machines

-

- As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature - for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine - (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases - the security of the VM if the host is successfully infected by malware. -

-
-

- Note that the number of VMs that can use this feature at a time on a single host is determined - by the host hardware. Current AMD EPYC processors support up to 15 running VMs using SEV. -

-

- Also note that for VMs with SEV configured to be able to boot, you must also configure the VM - with a hard memory limit. To do so, add the following to the VM’s XML configuration: -

-
<memtune>
-  <hard_limit unit='KiB'>N</hard_limit>
-</memtune>
-

- The recommended value for N is equal to or greater then the guest RAM + 256 MiB. For example, if - the guest is assigned 2 GiB RAM, N should be 2359296 or greater. -

-

- (BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677) -

-
-

Intel vGPU

-

- As a Technology Preview, it is now possible to divide a physical Intel GPU device into - multiple virtual devices referred to as mediated devices. These - mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As - a result, these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. In addition, assigning - a physical GPU to VMs makes it impossible for the host to use the GPU, and may prevent graphical - display output on the host from working. -

-

- (BZ#1528684) -

-
-

Nested virtualization now available on IBM POWER 9

-

- As a Technology Preview, it is now possible to use the nested virtualization features on - RHEL 8 host machines running on IBM POWER 9 systems. Nested virtualization enables KVM - virtual machines (VMs) to act as hypervisors, which allows for running VMs inside VMs. -

-
-

- Note that nested virtualization also remains a Technology Preview on AMD64 and Intel 64 systems. -

-

- Also note that for nested virtualization to work on IBM POWER 9, the host, the guest, and the - nested guests currently all need to run one of the following operating systems: -

-
-
    -
  • - RHEL 8 -
  • -
  • - RHEL 7 for POWER 9 -
  • -
-
-

- (BZ#1505999, BZ#1518937) -

-
-

Creating nested virtual machines

-

- As a Technology Preview, nested virtualization is available for KVM virtual machines (VMs) - in RHEL 8. With this feature, a VM that runs on a physical host can act as a hypervisor, and - host its own VMs. -

-
-

- Note that nested virtualization is only available on AMD64 and Intel 64 architectures, and the - nested host must be a RHEL 7 or RHEL 8 VM. -

-

- (JIRA:RHELPLAN-14047) -

-
-
-
-
-
-

6.5.10. Containers

-
-
-
-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- (JIRA:RHELDOCS-16861) -

-
-
-
-
-
-
-

6.6. Deprecated functionality

-
-
-
-

- This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8.1. -

-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will - likely not be supported in the next major version release, and are not recommended for new - deployments on the current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the - latest version of release documentation. For information about the length of support, see Red Hat Enterprise - Linux Life Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a - package can be removed from the product. Product documentation then identifies more recent packages - that offer functionality similar, identical, or more advanced to the one deprecated, and provides - further recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, - see Considerations - in adopting RHEL 9. -

-
-
-
-
-

6.6.1. Installer and image creation

-
-
-
-
-

Several Kickstart commands and options have been deprecated -

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in - the logs. -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still - available and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- (BZ#1642765) -

-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you - modify your Kickstart file to remove the option. -

-
-

- (BZ#1637872) -

-
-
-
-
-
-

6.6.2. Software management

-
-
-
-
-

The rpmbuild --sign command has been - deprecated

-

- With this update, the rpmbuild --sign command has become - deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in - an error. It is recommended that you use the rpmsign command - instead. -

-
-

- (BZ#1688849) -

-
-
-
-
-
-

6.6.3. Security

-
-
-
-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer - Portal and the update-crypto-policies(8) man page. -

-

- (BZ#1660839) -

-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux - 8. Authentication mechanisms that depend on DSA keys do not work in the default - configuration. Note that OpenSSH clients do not accept DSA host - keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- (BZ#1646541) -

-
-

SSL2 Client Hello has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and - earlier allow to start a negotiation with a Client Hello - message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this - feature may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- (BZ#1645153) -

-
-

TPM 1.2 is deprecated

-

- The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to - version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward - compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be - removed in the next major release. -

-
-

- (BZ#1657927) -

-
-
-
-
-
-

6.6.4. Networking

-
-
-
-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided - by default. The basic installation provides a new version of the ifup and ifdown scripts which call - the NetworkManager service through the - nmcli tool. In Red Hat Enterprise Linux - 8, to run the ifup and the ifdown - scripts, NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local - scripts are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
~]# yum install network-scripts
-

- The ifup and ifdown scripts link to - the installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- (BZ#1647725) -

-
-
-
-
-
-

6.6.5. Kernel

-
-
-
-
-

Diskless boot has been deprecated

-

- Diskless booting allows multiple systems to share a root filesystem via the network. While - convenient, it is prone to introducing network latency in realtime workloads. With a future - minor update of RHEL for Real Time 8, the diskless booting will no longer be supported. -

-
-

- (BZ#1748980) -

-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, - is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE - feature is available as an unsupported Technology Preview. However, due to stability issues, - this feature has been deprecated and will be removed in RHEL 9. -

-
-

- (BZ#1878207) -

-
-
-
-
-
-

6.6.6. Hardware enablement

-
-
-
-
-

The qla3xxx driver is deprecated -

-

- The qla3xxx driver has been deprecated in RHEL 8. The driver - will likely not be supported in future major releases of this product, and thus it is not - recommended for new deployments. -

-
-

- (BZ#1658840) -

-
-

The dl2k, dnet, ethoc, and dlci drivers are deprecated

-

- The dl2k, dnet, ethoc, and dlci drivers have been - deprecated in RHEL 8. The drivers will likely not be supported in future major releases of - this product, and thus they are not recommended for new deployments. -

-
-

- (BZ#1660627) -

-
-
-
-
-
-

6.6.7. File systems and storage

-
-
-
-
-

The elevator kernel command line parameter - is deprecated

-

- The elevator kernel command line parameter was used in earlier - RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is - deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is - typically the optimal setting. If you require a different scheduler, Red Hat recommends that you - use udev rules or the Tuned service to configure it. Match the - selected devices and switch the scheduler only for those devices. -

-

- For more information, see Setting - the disk scheduler. -

-

- (BZ#1665295) -

-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by - default. This change affects only NFS version 3 because version 4 requires the Transmission - Control Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- (BZ#1592011) -

-
-
-
-
-
-

6.6.8. Desktop

-
-
-
-
-

The libgnome-keyring library has been - deprecated

-

- The libgnome-keyring library has been deprecated in favor of - the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow - the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary - security standards. -

-
-

- (BZ#1607766) -

-
-
-
-
-
-

6.6.9. Graphics infrastructures

-
-
-
-
-

AGP graphics cards are no longer supported

-

- Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat - Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended - replacement. -

-
-

- (BZ#1569610) -

-
-
-
-
-
-

6.6.10. The web console

-
-
-
-
-

The web console no longer supports incomplete translations

-

- The RHEL web console no longer provides translations for languages that have translations - available for less than 50 % of the Console’s translatable strings. If the browser requests - translation to such a language, the user interface will be in English instead. -

-
-

- (BZ#1666722) -

-
-
-
-
-
-

6.6.11. Virtualization

-
-
-
-
-

virt-manager has - been deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The - RHEL 8 web console, also known as Cockpit, is intended to become its - replacement in a subsequent release. It is, therefore, recommended that you use the web - console for managing virtualization in a GUI. Note, however, that some features available in - virt-manager may not be yet available - the RHEL 8 web console. -

-
-

- (JIRA:RHELPLAN-10304) -

-
-

Virtual machine snapshots are not properly supported in RHEL 8 -

-

- The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it - is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL - 8. -

-
-

- Note that a new VM snapshot mechanism is under development and will be fully implemented in a - future minor release of RHEL 8. -

-

- (BZ#1686057) -

-
-

The Cirrus VGA - virtual GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga, virtio-vga, or qxl devices instead of Cirrus VGA. -

-
-

- (BZ#1651994) -

-
-
-
-
-
-

6.6.12. Deprecated packages

-
-
-
-

- The following packages have been deprecated and will probably not be included in a future major - release of Red Hat Enterprise Linux: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - authd -
  • -
  • - custodia -
  • -
  • - hostname -
  • -
  • - libidn -
  • -
  • - net-tools -
  • -
  • - network-scripts -
  • -
  • - nss-pam-ldapd -
  • -
  • - sendmail -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
-
-
-
-
-
-
-
-

6.7. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8. -

-
-
-
-
-

6.7.1. Installer and image creation

-
-
-
-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart - commands during installation. Without this package, the installation fails if auth or authconfig are used. - However, by design, the authselect-compat package is only - available in the AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to - the installer or use the authselect Kickstart command during - installation. -

-

- (BZ#1640697) -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec - Kickstart command or the inst.kexec kernel boot parameters do - not provide the same predictable system state as a full reboot. As a consequence, switching - to the installed system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- (BZ#1697896) -

-
-

Anaconda installation includes low limits of minimal resources setting - requirements

-

- Anaconda initiates the installation on systems with minimal resource settings required - available and do not provide previous message warning about the required resources for - performing the installation successfully. As a result, the installation can fail and the - output errors do not provide clear messages for possible debug and recovery. To work around - this problem, make sure that the system has the minimal resources settings required for - installation: 2GB memory on PPC64(LE) and 1GB on x86_64. As a result, it should be possible - to perform a successful installation. -

-
-

- (BZ#1696609) -

-
-

Installation fails when using the reboot --kexec command

-

- The RHEL 8 installation fails when using a Kickstart file that contains the reboot --kexec command. To avoid the problem, use the reboot command instead of reboot --kexec in your Kickstart file. -

-
-

- (BZ#1672405) -

-
-

Support secure boot for s390x in the installer

-

- RHEL 8.1 provides support for preparing boot disks for use in IBM Z environments that - enforce the use of secure boot. The capabilities of the server and Hypervisor used during - installation determine if the resulting on-disk format contains secure boot support or not. - There is no way to influence the on-disk format during installation. -

-
-

- Consequently, if you install RHEL 8.1 in an environment that supports secure boot, the system is - unable to boot when moved to an environment lacking secure boot support, as it is done in some - fail-over scenarios. -

-

- To work around this problem, you need to configure the zipl tool - that controls the on-disk boot format. zipl can be configured to - write the previous on-disk format even if the environment in which it is run supports secure - boot. Perform the following manual steps as root user once the installation of RHEL 8.1 is - completed: -

-
-
    -
  1. - Edit the configuration file /etc/zipl.conf -
  2. -
  3. -

    - Add a line containing "secure=0" to the section labelled "defaultboot". -

    -
    Example contents of the `zipl.conf` file after the change:
    -
    [defaultboot]
    -defaultauto
    -prompt=1
    -timeout=5
    -target=/boot
    -secure=0
    -
  4. -
  5. - Run the zipl tool without parameters -
  6. -
-
-

- After performing these steps, the on-disk format of the RHEL 8.1 boot disk will no longer - contain secure boot support. As a result, the installation can be booted in environments that - lack secure boot support. -

-

- (BZ#1659400) -

-
-

RHEL 8 initial setup cannot be performed via SSH

-

- Currently, the RHEL 8 initial setup interface does not display when logged in to the system - using SSH. As a consequence, it is impossible to perform the initial setup on a RHEL 8 - machine managed via SSH. To work around this problem, perform the initial setup in the main - system console (ttyS0) and, afterwards, log in using SSH. -

-
-

- (BZ#1676439) -

-
-

The default value for the secure= boot - option is not set to auto

-

- Currently, the default value for the secure= boot option is not - set to auto. As a consequence, the secure boot feature is not available because the current - default is disabled. To work around this problem, manually set secure=auto in the [defaultboot] - section of the /etc/zipl.conf file. As a result, the secure - boot feature is made available. For more information, see the zipl.conf man page. -

-
-

- (BZ#1750326) -

-
-

Copying the content of the Binary DVD.iso - file to a partition omits the .treeinfo and .discinfo files

-

- During local installation, while copying the content of the RHEL 8 Binary DVD.iso image file - to a partition, the * in the cp <path>/\* <mounted partition>/dir command fails to - copy the .treeinfo and .discinfo - files. These files are required for a successful installation. As a result, the BaseOS and - AppStream repositories are not loaded, and a debug-related log message in the anaconda.log file is the only record of the problem. -

-
-

- To work around the problem, copy the missing .treeinfo and .discinfo files to the partition. -

-

- (BZ#1687747) -

-
-

Self-signed HTTPS server cannot be used in Kickstart - installation

-

- Currently, the installer fails to install from a self-signed https server when the - installation source is specified in the kickstart file and the --noverifyssl option is used: -

-
-
url --url=https://SERVER/PATH --noverifyssl
-

- To work around this problem, append the inst.noverifyssl parameter - to the kernel command line when starting the kickstart installation. -

-

- For example: -

-
inst.ks=<URL> inst.noverifyssl
-

- (BZ#1745064) -

-
-
-
-
-
-

6.7.2. Software management

-
-
-
-
-

yum repolist ends on first unavailable - repository with skip_if_unavailable=false

-

- The repository configuration option skip_if_unavailable is by - default set as follows: -

-
-
skip_if_unavailable=false
-

- This setting forces the yum repolist command to end on first - unavailable repository with an error and exit status 1. Consequently, yum repolist does not continue listing available repositiories. -

-

- Note that it is possible to override this setting in each repository’s *.repo file. -

-

- However, if you want to keep the default settings, you can work around the problem by using - yum repolist with the following option: -

-
--setopt=*.skip_if_unavailable=True
-

- (BZ#1697472) -

-
-
-
-
-
-

6.7.3. Subscription management

-
-
-
-
-

syspurpose addons have no effect on the - subscription-manager attach --auto output.

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role,usage, service_level_agreement and addons. - Currently, only role, usage and - service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to - set values to the addons argument will not observe any effect - on the subscriptions that are auto-attached. -

-
-

- (BZ#1687900) -

-
-
-
-
-
-

6.7.4. Shells and command-line tools

-
-
-
-
-

Applications using Wayland protocol cannot - be forwarded to remote display servers

-

- In Red Hat Enterprise Linux 8.1, most applications use the Wayland protocol by default - instead of the X11 protocol. As a consequence, the ssh server cannot forward the - applications that use the Wayland protocol but is able to forward the applications that use - the X11 protocol to a remote display server. -

-
-

- To work around this problem, set the environment variable GDK_BACKEND=x11 before starting the applications. As a result, the - application can be forwarded to remote display servers. -

-

- (BZ#1686892) -

-
-

systemd-resolved.service fails to start on - boot

-

- The systemd-resolved service occasionally fails to start on - boot. If this happens, restart the service manually after the boot finishes by using the - following command: -

-
-
# systemctl start systemd-resolved
-

- However, the failure of systemd-resolved on boot does not impact - any other services. -

-

- (BZ#1640802) -

-
-
-
-
-
-

6.7.5. Infrastructure services

-
-
-
-
-

Support for DNSSEC in dnsmasq

-

- The dnsmasq package introduces Domain Name System - Security Extensions (DNSSEC) support for verifying hostname information received from root - servers. -

-
-

- Note that DNSSEC validation in dnsmasq is not compliant with FIPS 140-2. Do not enable DNSSEC in - dnsmasq on Federal Information Processing Standard (FIPS) systems, and use the compliant - validating resolver as a forwarder on the localhost. -

-

- (BZ#1549507) -

-
-
-
-
-
-

6.7.6. Security

-
-
-
-
-

redhat-support-tool does not work with the - FUTURE crypto policy

-

- Because a cryptographic key used by a certificate on the Customer Portal API does not meet - the requirements by the FUTURE system-wide cryptographic - policy, the redhat-support-tool utility does not work with this - policy level at the moment. To work around this problem, use the DEFAULT crypto policy while connecting to the Customer Portal - API. -

-
-

- (BZ#1802026) -

-
-

SELINUX=disabled in /etc/selinux/config does not work properly

-

- Disabling SELinux using the SELINUX=disabled option in the - /etc/selinux/config results in a process in which the kernel - boots with SELinux enabled and switches to disabled mode later in the boot process. This - might cause memory leaks and race conditions and consequently also kernel panics. To work - around this problem, disable SELinux by adding the selinux=0 - parameter to the kernel command line as described in the Changing - SELinux modes at boot time section of the Using - SELinux title if your scenario really requires to completely disable SELinux. -

-
-

- (JIRA:RHELPLAN-34199) -

-
-

libselinux-python is available only - through its module

-

- The libselinux-python package contains only Python 2 bindings - for developing SELinux applications and it is used for backward compatibility. For this - reason, libselinux-python is no longer available in the default - RHEL 8 repositories through the dnf install libselinux-python - command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# dnf module enable libselinux-python
-# dnf install libselinux-python
-

- Alternatively, install libselinux-python using its install profile - with a single command: -

-
# dnf module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- (BZ#1666328) -

-
-

udica processes UBI 8 containers only when - started with --env container=podman

-

- The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman - value. This prevents the udica tool from analyzing a container - JavaScript Object Notation (JSON) file. -

-
-

- To work around this problem, start a UBI 8 container using a podman - command with the --env container=podman parameter. As a result, - udica can generate an SELinux policy for a UBI 8 container only - when you use the described workaround. -

-

- (BZ#1763210) -

-
-

Removing the rpm-plugin-selinux package - leads to removing all selinux-policy packages from the - system

-

- Removing the rpm-plugin-selinux package disables SELinux on the - machine. It also removes all selinux-policy packages from the - system. Repeated installation of the rpm-plugin-selinux package - then installs the selinux-policy-minimum SELinux policy, even - if the selinux-policy-targeted policy was previously present on - the system. However, the repeated installation does not update the SELinux configuration - file to account for the change in policy. As a consequence, SELinux is disabled even upon - reinstallation of the rpm-plugin-selinux package. -

-
-

- To work around this problem: -

-
-
    -
  1. - Enter the umount /sys/fs/selinux/ command. -
  2. -
  3. - Manually install the missing selinux-policy-targeted - package. -
  4. -
  5. - Edit the /etc/selinux/config file so that the policy is - equal to SELINUX=enforcing. -
  6. -
  7. - Enter the command load_policy -i. -
  8. -
-
-

- As a result, SELinux is enabled and running the same policy as before. -

-

- (BZ#1641631) -

-
-

SELinux prevents systemd-journal-gatewayd - to call newfstatat() on shared memory files created by - corosync

-

- SELinux policy does not contain a rule that allows the systemd-journal-gatewayd daemon to access files created by the - corosync service. As a consequence, SELinux denies systemd-journal-gatewayd to call the newfstatat() function on shared memory files created by corosync. -

-
-

- To work around this problem, create a local policy module with an allow rule which enables the - described scenario. See the audit2allow(1) man page for more - information on generating SELinux policy allow and dontaudit rules. As a result of the previous workaround, - systemd-journal-gatewayd can call the function on shared memory - files created by corosync with SELinux in enforcing mode. -

-

- (BZ#1746398) -

-
-

Negative effects of the default logging setup on performance -

-

- The default logging environment setup might consume 4 GB of memory or even more and - adjustments of rate-limit values are complex when systemd-journald is running with rsyslog. -

-
-

- See the Negative effects of - the RHEL default logging setup on performance and their mitigations Knowledgebase - article for more information. -

-

- (JIRA:RHELPLAN-10431) -

-
-

Parameter not known errors in the rsyslog output with config.enabled

-

- In the rsyslog output, an unexpected bug occurs in - configuration processing errors using the config.enabled - directive. As a consequence, parameter not known errors are - displayed while using the config.enabled directive except for - the include() statements. -

-
-

- To work around this problem, set config.enabled=on or use include() statements. -

-

- (BZ#1659383) -

-
-

Certain rsyslog priority strings do not - work correctly

-

- Support for the GnuTLS priority string - for imtcp that allows fine-grained control over encryption is - not complete. Consequently, the following priority strings do not work properly in rsyslog: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- (BZ#1679512) -

-
-

Connections to servers with SHA-1 signatures do not work with - GnuTLS

-

- SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as - insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS - connection to peers that offer such certificates. This behavior is inconsistent with other - system cryptographic libraries. To work around this problem, upgrade the server to use - certificates signed with SHA-256 or stronger hash, or switch to the LEGACY policy. -

-
-

- (BZ#1628553) -

-
-

TLS 1.3 does not work in NSS in FIPS mode

-

- TLS 1.3 is not supported on systems working in FIPS mode. As a result, connections that - require TLS 1.3 for interoperability do not function on a system working in FIPS mode. -

-
-

- To enable the connections, disable the system’s FIPS mode or enable support for TLS 1.2 in the - peer. -

-

- (BZ#1724250) -

-
-

OpenSSL incorrectly handles PKCS #11 - tokens that does not support raw RSA or RSA-PSS signatures

-

- The OpenSSL library does not detect key-related capabilities of - PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is - created with a token that does not support raw RSA or RSA-PSS signatures. -

-
-

- To work around the problem, add the following lines after the .include line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file: -

-
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
-MaxProtocol = TLSv1.2
-

- As a result, a TLS connection can be established in the described scenario. -

-

- (BZ#1685470) -

-
-

The OpenSSL TLS library does not detect if - the PKCS#11 token supports creation of raw RSA or RSA-PSS - signatures

-

- The TLS-1.3 protocol requires the support for RSA-PSS signature. If the PKCS#11 - token does not support raw RSA or RSA-PSS signatures, the server applications which use OpenSSL TLS library will fail to - work with the RSA key if it is held by the PKCS#11 token. As a result, TLS - communication will fail. -

-
-

- To work around this problem, configure server or client to use the TLS-1.2 version as the highest TLS - protocol version available. -

-

- (BZ#1681178) -

-
-

OpenSSL generates a malformed status_request extension in the CertificateRequest message in TLS 1.3

-

- OpenSSL servers send a malformed status_request extension in - the CertificateRequest message if support for the status_request extension and client certificate-based - authentication are enabled. In such case, OpenSSL does not interoperate with implementations - compliant with the RFC 8446 protocol. As a result, clients that - properly verify extensions in the ‘CertificateRequest’ message abort connections with the - OpenSSL server. To work around this problem, disable support for the TLS 1.3 protocol on - either side of the connection or disable support for status_request on the OpenSSL server. This will prevent the - server from sending malformed messages. -

-
-

- (BZ#1749068) -

-
-

ssh-keyscan cannot retrieve RSA keys of - servers in FIPS mode

-

- The SHA-1 algorithm is disabled for RSA signatures in FIPS - mode, which prevents the ssh-keyscan utility from retrieving - RSA keys of servers operating in that mode. -

-
-

- To work around this problem, use ECDSA keys instead, or retrieve the keys locally from the /etc/ssh/ssh_host_rsa_key.pub file on the server. -

-

- (BZ#1744108) -

-
-

scap-security-guide PCI-DSS remediation of - Audit rules does not work properly

-

- The scap-security-guide package contains a combination of - remediation and a check that can result in one of the following scenarios: -

-
-
-
    -
  • - incorrect remediation of Audit rules -
  • -
  • - scan evaluation containing false positives where passed rules are marked as failed -
  • -
-
-

- Consequently, during the RHEL 8.1 installation process, scanning of the installed system reports - some Audit rules as either failed or errored. -

-

- To work around this problem, follow the instructions in the RHEL-8.1 workaround for remediating and - scanning with the scap-security-guide PCI-DSS profile Knowledgebase article. -

-

- (BZ#1754919) -

-
-

Certain sets of interdependent rules in SSG can fail

-

- Remediation of SCAP Security Guide (SSG) rules in a benchmark - can fail due to undefined ordering of rules and their dependencies. If two or more rules - need to be executed in a particular order, for example, when one rule installs a component - and another rule configures the same component, they can run in the wrong order and - remediation reports an error. To work around this problem, run the remediation twice, and - the second run fixes the dependent rules. -

-
-

- (BZ#1750755) -

-
-

A utility for security and compliance scanning of containers is not - available

-

- In Red Hat Enterprise Linux 7, the oscap-docker utility can be - used for scanning of Docker containers based on Atomic technologies. In Red Hat Enterprise - Linux 8, the Docker- and Atomic-related OpenSCAP commands are not available. -

-
-

- To work around this problem, see the Using OpenSCAP for scanning containers in - RHEL 8 article on the Customer Portal. As a result, you can use only an unsupported and - limited way for security and compliance scanning of containers in RHEL 8 at the moment. -

-

- (BZ#1642373) -

-
-

OpenSCAP does not provide offline scanning - of virtual machines and containers

-

- Refactoring of OpenSCAP codebase caused certain RPM probes to - fail to scan VM and containers file systems in offline mode. For that reason, the following - tools were removed from the openscap-utils package: oscap-vm and oscap-chroot. Also, the - openscap-containers package was completely removed. -

-
-

- (BZ#1618489) -

-
-

OpenSCAP rpmverifypackage does not work correctly

-

- The chdir and chroot system calls - are called twice by the rpmverifypackage probe. Consequently, - an error occurs when the probe is utilized during an OpenSCAP scan with custom Open - Vulnerability and Assessment Language (OVAL) content. -

-
-

- To work around this problem, do not use the rpmverifypackage_test - OVAL test in your content or use only the content from the scap-security-guide package where rpmverifypackage_test is not used. -

-

- (BZ#1646197) -

-
-

SCAP Workbench - fails to generate results-based remediations from tailored profiles

-

- The following error occurs when trying to generate results-based remediation roles from a - customized profile using the SCAP - Workbench tool: -

-
-
Error generating remediation role .../remediation.sh: Exit code of oscap was 1: [output truncated]
-

- To work around this problem, use the oscap command with the --tailoring-file option. -

-

- (BZ#1640715) -

-
-

OSCAP Anaconda Addon does not install all - packages in text mode

-

- The OSCAP Anaconda Addon plugin cannot modify the list of - packages selected for installation by the system installer if the installation is running in - text mode. Consequently, when a security policy profile is specified using Kickstart and the - installation is running in text mode, any additional packages required by the security - policy are not installed during installation. -

-
-

- To work around this problem, either run the installation in graphical mode or specify all - packages that are required by the security policy profile in the security policy in the %packages section in your Kickstart file. -

-

- As a result, packages that are required by the security policy profile are not installed during - RHEL installation without one of the described workarounds, and the installed system is not - compliant with the given security policy profile. -

-

- (BZ#1674001) -

-
-

OSCAP Anaconda Addon does not correctly - handle customized profiles

-

- The OSCAP Anaconda Addon plugin does not properly handle - security profiles with customizations in separate files. Consequently, the customized - profile is not available in the RHEL graphical installation even when you properly specify - it in the corresponding Kickstart section. -

-
-

- To work around this problem, follow the instructions in the Creating a single SCAP data stream from an - original DS and a tailoring file Knowledgebase article. As a result of this workaround, - you can use a customized SCAP profile in the RHEL graphical installation. -

-

- (BZ#1691305) -

-
-
-
-
-
-

6.7.7. Networking

-
-
-
-
-

The formatting of the verbose output of arptables now matches the format of the utility on RHEL - 7

-

- In RHEL 8, the iptables-arptables package provides an nftables-based replacement of the arptables utility. Previously, the verbose output of arptables separated counter values only with a comma, while arptables on RHEL 7 separated the described output with both a - space and a comma. As a consequence, if you used scripts created on RHEL 7 that parsed the - output of the arptables -v -L command, you had to adjust these - scripts. This incompatibility has been fixed. As a result, arptables on RHEL 8.1 now also separates counter values with both - a space and a comma. -

-
-

- (BZ#1676968) -

-
-

nftables does not support - multi-dimensional IP set types

-

- The nftables packet-filtering framework does not support set - types with concatenations and intervals. Consequently, you cannot use multi-dimensional IP - set types, such as hash:net,port, with nftables. -

-
-

- To work around this problem, use the iptables framework with the - ipset tool if you require multi-dimensional IP set types. -

-

- (BZ#1593711) -

-
-

IPsec network traffic fails during IPsec offloading when GRO is - disabled

-

- IPsec offloading is not expected to work when Generic Receive Offload (GRO) is disabled on - the device. If IPsec offloading is configured on a network interface and GRO is disabled on - that device, IPsec network traffic fails. -

-
-

- To work around this problem, keep GRO enabled on the device. -

-

- (BZ#1649647) -

-
-
-
-
-
-

6.7.8. Kernel

-
-
-
-
-

The i40iw module - does not load automatically on boot

-

- Due to many i40e NICs not supporting iWarp and the i40iw module not fully supporting - suspend/resume, this module is not automatically loaded by default to ensure suspend/resume - works properly. To work around this problem, manually edit the /lib/udev/rules.d/90-rdma-hw-modules.rules file to enable - automated load of i40iw. -

-
-

- Also note that if there is another RDMA device installed with a i40e device on the same machine, - the non-i40e RDMA device triggers the rdma - service, which loads all enabled RDMA stack modules, including the i40iw module. -

-

- (BZ#1623712) -

-
-

Network interface is renamed to kdump-<interface-name> when fadump is used

-

- When firmware-assisted dump (fadump) is utilized to capture a - vmcore and store it to a remote machine using SSH or NFS protocol, the network interface is - renamed to kdump-<interface-name> if <interface-name> is generic, for example, *eth#, or net#. - This problem occurs because the vmcore capture scripts in the initial RAM disk (initrd) add the kdump- prefix to the network interface name to - secure persistent naming. The same initrd is used also for a - regular boot, so the interface name is changed for the production kernel too. -

-
-

- (BZ#1745507) -

-
-

Systems with a large amount of persistent memory experience delays - during the boot process

-

- Systems with a large amount of persistent memory take a long time to boot because the - initialization of the memory is serialized. Consequently, if there are persistent memory - file systems listed in the /etc/fstab file, the system might - timeout while waiting for devices to become available. To work around this problem, - configure the DefaultTimeoutStartSec option in the /etc/systemd/system.conf file to a sufficiently large value. -

-
-

- (BZ#1666538) -

-
-

KSM sometimes ignores NUMA memory policies

-

- When the kernel shared memory (KSM) feature is enabled with the merge_across_nodes=1 parameter, KSM ignores memory policies set - by the mbind() function, and may merge pages from some memory areas to Non-Uniform Memory - Access (NUMA) nodes that do not match the policies. -

-
-

- To work around this problem, disable KSM or set the merge_across_nodes parameter to 0 if - using NUMA memory binding with QEMU. As a result, NUMA memory policies configured for the KVM VM - will work as expected. -

-

- (BZ#1153521) -

-
-

The system enters the emergency mode at boot-time when fadump is enabled

-

- The system enters the emergency mode when fadump (kdump) or dracut squash module is - enabled in the initramfs scheme because systemd manager fails to fetch the mount information and - configure the LV partition to mount. To work around this problem, add the following kernel - command line parameter rd.lvm.lv=<VG>/<LV> to - discover and mount the failed LV partition appropriately. As a result, the system will boot - successfully in the described scenario. -

-
-

- (BZ#1750278) -

-
-

Using irqpoll in the kdump kernel command - line causes a vmcore generation failure

-

- Due to an existing underlying problem with the nvme driver on - the 64-bit ARM architectures running on the Amazon Web Services (AWS) cloud platforms, the - vmcore generation fails if the irqpoll kdump command line - argument is provided to the first kernel. Consequently, no vmcore is dumped in the - /var/crash/ directory after a kernel crash. To work around this problem: -

-
-
-
    -
  1. - Add irqpoll to the KDUMP_COMMANDLINE_REMOVE key in the /etc/sysconfig/kdump - file. -
  2. -
  3. - Restart the kdump service by running the systemctl restart kdump command. -
  4. -
-
-

- As a result, the first kernel correctly boots and the vmcore is expected to be captured upon the - kernel crash. -

-

- (BZ#1654962) -

-
-

Debug kernel fails to boot in crash capture environment in RHEL - 8

-

- Due to memory-demanding nature of the debug kernel, a problem occurs when the debug kernel - is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to - boot as the capture kernel, and a stack trace is generated instead. To work around this - problem, increase the crash kernel memory accordingly. As a result, the debug kernel - successfully boots in the crash capture environment. -

-
-

- (BZ#1659609) -

-
-

softirq changes can cause the localhost - interface to drop UDP packets when under heavy load

-

- Changes in the Linux kernel’s software interrupt (softirq) - handling are done to reduce denial of service (DOS) effects. Consequently, this leads to - situations where the localhost interface drops User Datagram Protocol (UDP) packets under - heavy load. -

-
-

- To work around this problem, increase the size of the network device backlog buffer to value - 6000: -

-
echo 6000 > /proc/sys/net/core/netdev_max_backlog
-

- In Red Hat tests, this value was sufficient to prevent packet loss. More heavily loaded systems - might require larger backlog values. Increased backlogs have the effect of potentially - increasing latency on the localhost interface. -

-

- The result is to increase the buffer and allow more packets to be waiting for processing, which - reduces the chances of dropping localhost packets. -

-

- (BZ#1779337) -

-
-
-
-
-
-

6.7.9. Hardware enablement

-
-
-
-
-

The HP NMI watchdog in some cases does not generate a crash - dump

-

- The hpwdt driver for the HP NMI watchdog is sometimes not able - to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI - was instead consumed by the perfmon driver. As a consequence, - hpwdt in some cases cannot call a panic to generate a crash - dump. -

-
-

- (BZ#1602962) -

-
-

Installing RHEL 8.1 on a test system configured with a QL41000 card - results in a kernel panic

-

- While installing RHEL 8.1 on a test system configured with a QL41000 card, the system is unable to handle the kernel NULL - pointer dereference at 000000000000003c card. As a consequence, - it results in a kernel panic error. There is no work around available for this issue. -

-
-

- (BZ#1743456) -

-
-

The cxgb4 driver causes crash in the kdump - kernel

-

- The kdump kernel crashes while trying to save information in - the vmcore file. Consequently, the cxgb4 driver prevents the kdump - kernel from saving a core for later analysis. To work around this problem, add the - "novmcoredd" parameter to the kdump kernel command line to allow saving core files. -

-
-

- (BZ#1708456) -

-
-
-
-
-
-

6.7.10. File systems and storage

-
-
-
-
-

Certain SCSI drivers might sometimes use an excessive amount of - memory

-

- Certain SCSI drivers use a larger amount of memory than in RHEL 7. In certain cases, such as - vPort creation on a Fibre Channel host bus adapter (HBA), the memory usage might be - excessive, depending upon the system configuration. -

-
-

- The increased memory usage is caused by memory preallocation in the block layer. Both the - multiqueue block device scheduling (BLK-MQ) and the multiqueue SCSI stack (SCSI-MQ) preallocate - memory for each I/O request in RHEL 8, leading to the increased memory usage. -

-

- (BZ#1698297) -

-
-

VDO cannot suspend until UDS has finished rebuilding

-

- When a Virtual Data Optimizer (VDO) volume starts after an unclean system shutdown, it - rebuilds the Universal Deduplication Service (UDS) index. If you try to suspend the VDO - volume using the dmsetup suspend command while the UDS index is - rebuilding, the suspend command might become unresponsive. The command finishes only after - the rebuild is done. -

-
-

- The unresponsiveness is noticeable only with VDO volumes that have a large UDS index, which - causes the rebuild to take a longer time. -

-

- (BZ#1737639) -

-
-

An NFS 4.0 patch can result in reduced performance under an open-heavy - workload

-

- Previously, a bug was fixed that, in some cases, could cause an NFS open operation to - overlook the fact that a file had been removed or renamed on the server. However, the fix - may cause slower performance with workloads that require many open operations. To work - around this problem, it might help to use NFS version 4.1 or higher, which have been - improved to grant delegations to clients in more cases, allowing clients to perform open - operations locally, quickly, and safely. -

-
-

- (BZ#1748451) -

-
-
-
-
-
-

6.7.11. Dynamic programming languages, web and database servers

-
-
-
-
-

nginx cannot load server certificates from - hardware security tokens

-

- The nginx web server supports loading TLS private keys from - hardware security tokens directly from PKCS#11 modules. However, it is currently impossible - to load server certificates from hardware security tokens through the PKCS#11 URI. To work - around this problem, store server certificates on the file system -

-
-

- (BZ#1668717) -

-
-

php-fpm causes SELinux AVC denials when - php-opcache is installed with PHP 7.2

-

- When the php-opcache package is installed, the FastCGI Process - Manager (php-fpm) causes SELinux AVC denials. To work around - this problem, change the default configuration in the /etc/php.d/10-opcache.ini file to the following: -

-
-
opcache.huge_code_pages=0
-

- Note that this problem affects only the php:7.2 stream, not the - php:7.3 one. -

-

- (BZ#1670386) -

-
-
-
-
-
-

6.7.12. Compilers and development tools

-
-
-
-
-

The ltrace tool does not report function - calls

-

- Because of improvements to binary hardening applied to all RHEL components, the ltrace tool can no longer detect function calls in binary files - coming from RHEL components. As a consequence, ltrace output is - empty because it does not report any detected calls when used on such binary files. There is - no workaround currently available. -

-
-

- As a note, ltrace can correctly report calls in custom binary files - built without the respective hardening flags. -

-

- (BZ#1618748) -

-
-
-
-
-
-

6.7.13. Identity Management

-
-
-
-
-

AD users with expired accounts can be allowed to log in when using - GSSAPI authentication

-

- The accountExpires attribute that SSSD uses to see whether an - account has expired is not replicated to the global catalog by default. As a result, users - with expired accounts can log in when using GSSAPI authentication. To work around this - problem, the global catalog support can be disabled by specifying ad_enable_gc=False in the sssd.conf - file. With this setting, users with expired accounts will be denied access when using GSSAPI - authentication. -

-
-

- Note that SSSD connects to each LDAP server individually in this scenario, which can increase - the connection count. -

-

- (BZ#1081046) -

-
-

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate - System

-

- Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of - Certificate System. As a consequence, Certificate System might become unstable and manual - steps are required to recover the system. -

-
-

- (BZ#1729215) -

-
-

Changing /etc/nsswitch.conf requires a - manual system reboot

-

- Any change to the /etc/nsswitch.conf file, for example running - the authselect select profile_id command, requires a system - reboot so that all relevant processes use the updated version of the /etc/nsswitch.conf file. If a system reboot is not possible, - restart the service that joins your system to Active Directory, which is the System Security Services Daemon (SSSD) or winbind. -

-
-

- (BZ#1657295) -

-
-

No information about required DNS records displayed when enabling - support for AD trust in IdM

-

- When enabling support for Active Directory (AD) trust in Red Hat Enterprise Linux Identity - Management (IdM) installation with external DNS management, no information about required - DNS records is displayed. Forest trust to AD is not successful until the required DNS - records are added. To work around this problem, run the 'ipa dns-update-system-records - --dry-run' command to obtain a list of all DNS records required by IdM. When external DNS - for IdM domain defines the required DNS records, establishing forest trust to AD is - possible. -

-
-

- (BZ#1665051) -

-
-

SSSD returns incorrect LDAP group membership for local users -

-

- If the System Security Services Daemon (SSSD) serves users from the local files, the files - provider does not include group memberships from other domains. As a consequence, if a local - user is a member of an LDAP group, the id local_user command - does not return the user’s LDAP group membership. To work around the problem, either revert - the order of the databases where the system is looking up the group membership of users in - the /etc/nsswitch.conf file, replacing sss files with files sss, or disable - the implicit files domain by adding -

-
-
enable_files_domain=False
-

- to the [sssd] section in the /etc/sssd/sssd.conf file. -

-

- As a result, id local_user returns correct LDAP group membership - for local users. -

-

- (BZ#1652562) -

-
-

Default PAM settings for systemd-user have - changed in RHEL 8 which may influence SSSD behavior

-

- The Pluggable authentication modules (PAM) stack has changed in Red Hat Enterprise Linux 8. - For example, the systemd user session now starts a PAM - conversation using the systemd-user PAM service. This service - now recursively includes the system-auth PAM service, which may - include the pam_sss.so interface. This means that the SSSD - access control is always called. -

-
-

- Be aware of the change when designing access control rules for RHEL 8 systems. For example, you - can add the systemd-user service to the allowed services list. -

-

- Please note that for some access control mechanisms, such as IPA HBAC or AD GPOs, the systemd-user service is has been added to the allowed services list - by default and you do not need to take any action. -

-

- (BZ#1669407) -

-
-

SSSD does not correctly handle multiple certificate matching rules with - the same priority

-

- If a given certificate matches multiple certificate matching rules with the same priority, - the System Security Services Daemon (SSSD) uses only one of the rules. As a workaround, use - a single certificate matching rule whose LDAP filter consists of the filters of the - individual rules concatenated with the | (or) operator. For - examples of certificate matching rules, see the sss-certamp(5) man page. -

-
-

- (BZ#1447945) -

-
-

Private groups fail to be created with auto_private_group = hybrid when - multiple domains are defined

-

- Private groups fail to be created with the option auto_private_group = hybrid when multiple - domains are defined and the hybrid option is used by any domain other than the first one. If - an implicit files domain is defined along with an AD or LDAP domain in the sssd.conf`file and is not marked as `MPG_HYBRID, then SSSD fails - to create a private group for a user who has uid=gid and the group with this gid does not - exist in AD or LDAP. -

-
-

- The sssd_nss responder checks for the value of the auto_private_groups option in the first domain only. As a - consequence, in setups where multiple domains are configured, which includes the default setup - on RHEL 8, the option auto_private_group has no effect. -

-

- To work around this problem, set enable_files_domain = false in the - sssd section of of sssd.conf. As a result, If the enable_files_domain option is set to false, then sssd does not add a - domain with id_provider=files at the start of the list of active - domains, and therefore this bug does not occur. -

-

- (BZ#1754871) -

-
-

python-ply is not FIPS compatible -

-

- The YACC module of the python-ply package uses the MD5 hashing - algorithm to generate the fingerprint of a YACC signature. However, FIPS mode blocks the use - of MD5, which is only allowed in non-security contexts. As a consequence, python-ply is not - FIPS compatible. On a system in FIPS mode, all calls to ply.yacc.yacc() fail with the error message: -

-
-
"UnboundLocalError: local variable 'sig' referenced before assignment"
-

- The problem affects python-pycparser and some use cases of python-cffi. To work around this problem, modify the line 2966 of the - file /usr/lib/python3.6/site-packages/ply/yacc.py, replacing sig = md5() with sig = md5(usedforsecurity=False). As a result, python-ply can be used in FIPS mode. -

-

- (BZ#1747490) -

-
-
-
-
-
-

6.7.14. Desktop

-
-
-
-
-

Limitations of the Wayland session

-

- With Red Hat Enterprise Linux 8, the GNOME environment and the GNOME Display Manager (GDM) - use Wayland as the default session type - instead of the X11 session, which was - used with the previous major version of RHEL. -

-
-

- The following features are currently unavailable or do not work as expected under Wayland: -

-
-
    -
  • - Multi-GPU setups are not supported under Wayland. -
  • -
  • - X11 configuration utilities, such as - xrandr, do not work under Wayland due to its different approach - to handling, resolutions, rotations, and layout. You can configure the display features - using GNOME settings. -
  • -
  • - Screen recording and remote desktop require applications to support the portal API on - Wayland. Certain legacy applications - do not support the portal API. -
  • -
  • - Pointer accessibility is not available on Wayland. -
  • -
  • - No clipboard manager is available. -
  • -
  • -

    - GNOME Shell on Wayland ignores - keyboard grabs issued by most legacy X11 applications. You can enable - an X11 application to issue - keyboard grabs using the /org/gnome/mutter/wayland/xwayland-grab-access-rules - GSettings key. By default, GNOME Shell on Wayland enables the following - applications to issue keyboard grabs: -

    -
    -
      -
    • - GNOME Boxes -
    • -
    • - Vinagre -
    • -
    • - Xephyr -
    • -
    • - virt-manager, virt-viewer, and remote-viewer -
    • -
    • - vncviewer -
    • -
    -
    -
  • -
  • - Wayland inside guest virtual - machines (VMs) has stability and performance problems. RHEL automatically falls back to - the X11 session when running in a - VM. -
  • -
-
-

- If you upgrade to RHEL 8 from a RHEL 7 system where you used the X11 GNOME session, your system continues to - use X11. The system also automatically falls - back to X11 when the following graphics - drivers are in use: -

-
-
    -
  • - The proprietary NVIDIA driver -
  • -
  • - The cirrus driver -
  • -
  • - The mga driver -
  • -
  • - The aspeed driver -
  • -
-
-

- You can disable the use of Wayland manually: -

-
-
    -
  • - To disable Wayland in GDM, set the - WaylandEnable=false option in the /etc/gdm/custom.conf file. -
  • -
  • - To disable Wayland in the GNOME - session, select the legacy X11 - option by using the cogwheel menu on the login screen after entering your login name. -
  • -
-
-

- For more details on Wayland, see https://wayland.freedesktop.org/. -

-

- (BZ#1797409) -

-
-

Drag-and-drop does not work between desktop and applications -

-

- Due to a bug in the gnome-shell-extensions package, the - drag-and-drop functionality does not currently work between desktop and applications. - Support for this feature will be added back in a future release. -

-
-

- (BZ#1717947) -

-
-

Disabling flatpak repositories from - Software Repositories is not possible

-

- Currently, it is not possible to disable or remove flatpak - repositories in the Software Repositories tool in the GNOME Software utility. -

-
-

- (BZ#1668760) -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a - Microsoft Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the - GRUB boot menu. In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, - use Hyper-V Server 2019 as the host. -

-

- (BZ#1583445) -

-
-

GNOME Shell on - Wayland performs slowly when using a software renderer -

-

- When using a software renderer, GNOME Shell as a Wayland compositor (GNOME Shell on Wayland) does not use a - cacheable framebuffer for rendering the screen. Consequently, GNOME Shell on Wayland is slow. To - workaround the problem, go to the GNOME Display Manager (GDM) login screen and switch to a - session that uses the X11 protocol - instead. As a result, the Xorg display - server, which uses cacheable memory, is used, and GNOME - Shell on Xorg in the described situation performs faster compared to - GNOME Shell on Wayland. -

-
-

- (BZ#1737553) -

-
-

System crash may result in fadump configuration loss

-

- This issue is observed on systems where firmware-assisted dump (fadump) is enabled, and the - boot partition is located on a journaling file system such as XFS. A system crash might - cause the boot loader to load an older initrd that does not - have the dump capturing support enabled. Consequently, after recovery, the system does not - capture the vmcore file, which results in fadump configuration - loss. -

-
-

- To work around this problem: -

-
-
    -
  • -

    - If /boot is a separate partition, perform the - following: -

    -
    -
      -
    1. - Restart the kdump service -
    2. -
    3. -

      - Run the following commands as the root user, or using a user account - with CAP_SYS_ADMIN rights: -

      -
      # fsfreeze -f
      -# fsfreeze -u
      -
    4. -
    -
    -
  • -
  • - If /boot is not a separate partition, reboot the system. -
  • -
-
-

- (BZ#1723501) -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can - pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could - allow an attacker to impersonate a user by altering, for example, the UID or GID of an - object returned in an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and - decide if it is safe to use unencrypted communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa - are not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in - the /etc/sssd/sssd.conf file. The default behavior is planned to be - changed in a future release of RHEL. -

-

- (JIRA:RHELPLAN-155168) -

-
-
-
-
-
-

6.7.15. Graphics infrastructures

-
-
-
-
-

radeon fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in - the kexec context correctly. Instead, radeon falls over, which - causes the rest of the kdump service to - fail. -

-
-

- To work around this problem, blacklist radeon in kdump by adding the following line to the - /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the machine and kdump. After - starting kdump, the force_rebuild 1 line may be removed from the configuration file. -

-

- Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully. -

-

- (BZ#1694705) -

-
-
-
-
-
-

6.7.16. The web console

-
-
-
-
-

Unprivileged users can access the Subscriptions page

-

- If a non-administrator navigates to the Subscriptions page of the web console, the - web console displays a generic error message “Cockpit had an unexpected internal error”. -

-
-

- To work around this problem, sign in to the web console with a privileged user and make sure to - check the Reuse my password for privileged - tasks checkbox. -

-

- (BZ#1674337) -

-
-
-
-
-
-

6.7.17. Virtualization

-
-
-
-
-

Using cloud-init to provision virtual - machines on Microsoft Azure fails

-

- Currently, it is not possible to use the cloud-init utility to - provision a RHEL 8 virtual machine (VM) on the Microsoft Azure platform. To work around this - problem, use one of the following methods: -

-
-
-
    -
  • - Use the WALinuxAgent package instead of cloud-init to provision VMs on Microsoft Azure. -
  • -
  • -

    - Add the following setting to the [main] section in the - /etc/NetworkManager/NetworkManager.conf file: -

    -
    [main]
    -dhcp=dhclient
    -
  • -
-
-

- (BZ#1641190) -

-
-

RHEL 8 virtual machines on RHEL 7 hosts in some cases cannot be viewed - in higher resolution than 1920x1200

-

- Currently, when using a RHEL 8 virtual machine (VM) running on a RHEL 7 host system, certain - methods of displaying the the graphical output of the VM, such as running the application in - kiosk mode, cannot use greater resolution than 1920x1200. As a consequence, displaying VMs - using those methods only works in resolutions up to 1920x1200, even if the host hardware - supports higher resolutions. -

-
-

- (BZ#1635295) -

-
-

Low GUI display performance in RHEL 8 virtual machines on a Windows - Server 2019 host

-

- When using RHEL 8 as a guest operating system in graphical mode on a Windows Server 2019 - host, the GUI display performance is low, and connecting to a console output of the guest - currently takes significantly longer than expected. -

-
-

- This is a known issue on Windows 2019 hosts and is pending a fix by Microsoft. To work around - this problem, connect to the guest using SSH or use Windows Server 2016 as the host. -

-

- (BZ#1706541) -

-
-

Installing RHEL virtual machines sometimes fails

-

- Under certain circumstances, RHEL 7 and RHEL 8 virtual machines created using the virt-install utility fail to boot if the --location option is used. -

-
-

- To work around this problem, use the --extra-args option instead - and specify an installation tree reachable by the network, for example: -

-
--extra-args="inst.repo=https://some/url/tree/path"
-

- This ensures that the RHEL installer finds the installation files correctly. -

-

- (BZ#1677019) -

-
-

Displaying multiple monitors of virtual machines that use Wayland is - not possible with QXL

-

- Using the remote-viewer utility to display more than one - monitor of a virtual machine (VM) that is using the Wayland display server causes the VM to - become unresponsive and the Waiting for display - status message to be displayed indefinitely. -

-
-

- To work around this problem, use virtio-gpu instead of qxl as the GPU device for VMs that use Wayland. -

-

- (BZ#1642887) -

-
-

virsh iface-\* commands do not work - consistently

-

- Currently, virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, frequently fail due to configuration - dependencies. Therefore, it is recommended not to use virsh iface-\* commands for configuring and managing host network - connections. Instead, use the NetworkManager program and its related management - applications. -

-
-

- (BZ#1664592) -

-
-

Customizing an ESXi VM using cloud-init - and rebooting the VM causes IP setting loss and makes booting the VM very slow -

-

- Currently, if the cloud-init service is used to modify a - virtual machine (VM) that runs on the VMware ESXi hypervisor to use static IP and the VM is - then cloned, the new cloned VM in some cases takes a very long time to reboot. This is - caused cloud-init rewriting the VM’s static IP to DHCP and then - searching for an available datasource. -

-
-

- To work around this problem, you can uninstall cloud-init after the - VM is booted for the first time. As a result, the subsequent reboots will not be slowed down. -

-

- (BZ#1666961, BZ#1706482) -

-
-

RHEL 8 virtual machines sometimes cannot boot on Witherspoon - hosts

-

- RHEL 8 virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on - Power9 S922LC for HPC hosts (also known as - Witherspoon) that use the DD2.2 or DD2.3 CPU. -

-
-

- Attempting to boot such a VM instead generates the following error message: -

-
qemu-kvm: Requested safe indirect branch capability level not supported by kvm
-

- To work around this problem, configure the virtual machine’s XML configuration as follows: -

-
<domain type='qemu' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
-  <qemu:commandline>
-    <qemu:arg value='-machine'/>
-    <qemu:arg value='cap-ibs=workaround'/>
-  </qemu:commandline>
-

- (BZ#1732726, BZ#1751054) -

-
-

IBM POWER virtual machines do not work correctly with zero memory NUMA - nodes

-

- Currently, when an IBM POWER virtual machine (VM) running on a RHEL 8 host is configured - with a NUMA node that uses zero memory (memory='0'), the VM - cannot boot. Therefore, Red Hat strongly recommends not using IBM POWER VMs with zero-memory - NUMA nodes on RHEL 8. -

-
-

- (BZ#1651474) -

-
-

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 - fails

-

- Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 - becomes unresponsive with a "Migration status: active" status. -

-
-

- To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which - enables the migration to complete successfully. -

-

- (BZ#1741436) -

-
-

SMT CPU topology is not detected by VMs when using host passthrough - mode on AMD EPYC

-

- When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, - the TOPOEXT CPU feature flag is not present. Consequently, the - VM is not able to detect a virtual CPU topology with multiple threads per core. To work - around this problem, boot the VM with the EPYC CPU model instead of host passthrough. -

-
-

- (BZ#1740002) -

-
-

Virtual machines sometimes fail to start when using many virtio-blk - disks

-

- Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number - of interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to - boot, and displays a dracut-initqueue[392]: Warning: Could not boot error. -

-
-

- (BZ#1719687) -

-
-
-
-
-
-
-
-

Chapter 7. Notable changes to containers

-
-
-
-

- A set of container images is available for Red Hat Enterprise Linux (RHEL) 8.1. Notable changes include: -

-
-
    -
  • -

    - Rootless containers are fully supported in RHEL 8.1. -

    -

    - Rootless containers are containers that are created and managed by regular system users - without administrative permissions. This allows users to maintain their identity, including - such things as credentials to container registries. -

    -

    - You can try rootless containers using the podman and buildah commands. For more information: -

    -
    - -
    -
  • -
  • -

    - The toolbox RPM package is fully - supported in RHEL 8.1. -

    -

    - The toolbox command is a utility often - used with container-oriented operating systems, such as Red Hat CoreOS. With toolbox, you can troubleshoot and debug - host operating systems by launching a container that includes a large set of troubleshooting - tools for you to use, without having to install those tools on the host system. -

    -

    - Running the toolbox command starts a rhel-tools container that provides root - access to the host, for fixing or otherwise working with that host. -

    -
  • -
  • - See the new documentation - on Running containers with runlabels. -
  • -
  • - The podman package has been upgraded to - upstream version 1.4.2. For information on features added to podman since version 1.0.0, which was used in - RHEL 8.0, refer to descriptions of the latest podman releases on Github. -
  • -
-
-
-
-
-
-
-

Chapter 8. Internationalization

-
-
-
-
-
-
-
-

8.1. Red Hat Enterprise Linux 8 International Languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangu -

-
-
-
-
-
-
-
-

8.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • - Internationalization is distributed in multiple packages, which allows for smaller footprint - installations. For more information, see Using - langpacks. -
  • -
  • - The glibc package updates for multiple locales are now - synchronized with the Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- NetworkManager-libreswan -

-
-

- BZ#1697329 -

-
-

- anaconda -

-
-

- BZ#1628653, BZ#1673901, BZ#1671047, BZ#1689909, BZ#1689194, - BZ#1584145, BZ#1637472, BZ#1696609, BZ#1672405, - BZ#1687747, BZ#1745064, BZ#1659400, BZ#1655523 -

-
-

- audit -

-
-

- BZ#1730382 -

-
-

- authselect -

-
-

- BZ#1657295 -

-
-

- bcc -

-
-

- BZ#1667043 -

-
-

- binutils -

-
-

- BZ#1618748, BZ#1644391, BZ#1525406, BZ#1659437 -

-
-

- bpftrace -

-
-

- BZ#1687802 -

-
-

- chrony -

-
-

- BZ#1685469 -

-
-

- cloud-init -

-
-

- BZ#1641190, BZ#1666961 -

-
-

- cockpit-appstream -

-
-

- BZ#1658847 -

-
-

- cockpit -

-
-

- BZ#1631905, BZ#1678956, BZ#1657752, BZ#1678473, BZ#1666722 -

-
-

- corosync -

-
-

- BZ#1693491 -

-
-

- criu -

-
-

- BZ#1689746 -

-
-

- crypto-policies -

-
-

- BZ#1678661, BZ#1660839 -

-
-

- cryptsetup -

-
-

- BZ#1676622 -

-
-

- distribution -

-
-

- BZ#1685191, BZ#1657927 -

-
-

- dnf-plugins-core -

-
-

- BZ#1722093 -

-
-

- dnsmasq -

-
-

- BZ#1549507 -

-
-

- dyninst -

-
-

- BZ#1648441 -

-
-

- elfutils -

-
-

- BZ#1683705 -

-
-

- enscript -

-
-

- BZ#1664366 -

-
-

- fapolicyd -

-
-

- BZ#1673323 -

-
-

- freeradius -

-
-

- BZ#1685546 -

-
-

- frr -

-
-

- BZ#1657029 -

-
-

- gcc-toolset-9 -

-
-

- BZ#1685482 -

-
-

- gcc -

-
-

- BZ#1680182 -

-
-

- gdb -

-
-

- BZ#1669953, BZ#1187581 -

-
-

- gdm -

-
-

- BZ#1678627 -

-
-

- glibc -

-
-

- BZ#1663035, BZ#1701605, - BZ#1651283, BZ#1577438 -

-
-

- gnome-shell-extensions -

-
-

- BZ#1717947 -

-
-

- gnome-shell -

-
-

- BZ#1704360 -

-
-

- gnome-software -

-
-

- BZ#1668760 -

-
-

- gnutls -

-
-

- BZ#1628553 -

-
-

- grub2 -

-
-

- BZ#1583445, BZ#1723501 -

-
-

- initial-setup -

-
-

- BZ#1676439 -

-
-

- ipa -

-
-

- BZ#1665051, - JIRA:RHELPLAN-15036, BZ#1664719, BZ#1664718, BZ#1719767 -

-
-

- ipset -

-
-

- BZ#1683711, BZ#1683713, - BZ#1649090 -

-
-

- iptables -

-
-

- BZ#1658734, - BZ#1676968 -

-
-

- kernel-rt -

-
-

- BZ#1678887 -

-
-

- kernel -

-
-

- BZ#1647723, BZ#1656787, BZ#1649087, BZ#1721386, BZ#1564427, BZ#1686755, BZ#1664969, - BZ#1714111, BZ#1712272, BZ#1646810, BZ#1728519, BZ#1721961, BZ#1654962, BZ#1635295, - BZ#1706541, BZ#1666538, BZ#1685894, BZ#1643980, BZ#1602962, BZ#1697310, BZ#1593711, - BZ#1649647, BZ#1153521, BZ#1694705, BZ#1698297, BZ#1348508, BZ#1748451, BZ#1743456, - BZ#1708456, BZ#1710480, BZ#1634343, BZ#1652222, BZ#1687459, BZ#1571628, BZ#1571534, - BZ#1685552, BZ#1685427, BZ#1663281, BZ#1664359, BZ#1677215, BZ#1659399, BZ#1665717, - BZ#1581898, BZ#1519039, BZ#1627455, BZ#1501618, BZ#1401552, BZ#1495358, BZ#1633143, - BZ#1503672, BZ#1505999, BZ#1570255, BZ#1696451, BZ#1665295, BZ#1658840, BZ#1660627, - BZ#1569610 -

-
-

- kexec-tools -

-
-

- BZ#1662911, BZ#1750278, BZ#1520209, BZ#1710288 -

-
-

- keycloak-httpd-client-install -

-
-

- BZ#1553890 -

-
-

- kmod-kvdo -

-
-

- BZ#1696492, BZ#1737639 -

-
-

- kpatch -

-
-

- BZ#1763780 -

-
-

- libcacard -

-
-

- BZ#1615840 -

-
-

- libdnf -

-
-

- BZ#1697472 -

-
-

- libgnome-keyring -

-
-

- BZ#1607766 -

-
-

- libselinux-python-2.8-module -

-
-

- BZ#1666328 -

-
-

- libsemanage -

-
-

- BZ#1672638 -

-
-

- libssh -

-
-

- BZ#1610883 -

-
-

- libstoragemgmt -

-
-

- BZ#1626415 -

-
-

- libvirt -

-
-

- BZ#1664592, BZ#1526548, BZ#1528684 -

-
-

- linuxptp -

-
-

- BZ#1677217, BZ#1685467 -

-
-

- lorax -

-
-

- BZ#1663950, BZ#1709594, BZ#1689140 -

-
-

- lvm2 -

-
-

- BZ#1649086 -

-
-

- mariadb-10.3-module -

-
-

- BZ#1657053 -

-
-

- mutter -

-
-

- BZ#1737553 -

-
-

- nfs-utils -

-
-

- BZ#1668026, BZ#1592011 -

-
-

- nginx -

-
-

- BZ#1668717, - BZ#1690292 -

-
-

- nmstate -

-
-

- BZ#1674456 -

-
-

- nss -

-
-

- BZ#1724250, - BZ#1645153 -

-
-

- openmpi -

-
-

- BZ#1717289 -

-
-

- openscap -

-
-

- BZ#1642373, BZ#1618489, BZ#1646197, BZ#1718826, BZ#1709429 -

-
-

- openssh -

-
-

- BZ#1683295, - BZ#1671262, BZ#1651763, BZ#1744108, BZ#1691045 -

-
-

- openssl -

-
-

- BZ#1685470, BZ#1681178, BZ#1749068 -

-
-

- oscap-anaconda-addon -

-
-

- BZ#1674001, - BZ#1691305 -

-
-

- pacemaker -

-
-

- BZ#1715426 -

-
-

- pcp -

-
-

- BZ#1685302 -

-
-

- pcs -

-
-

- BZ#1619620 -

-
-

- perl-IO-Socket-SSL -

-
-

- BZ#1632600 -

-
-

- perl-Net-SSLeay -

-
-

- BZ#1632597 -

-
-

- perl-Socket -

-
-

- BZ#1699793 -

-
-

- php-7.2-module -

-
-

- BZ#1670386 -

-
-

- php -

-
-

- BZ#1653109 -

-
-

- pki-core -

-
-

- BZ#1695302, BZ#1673296, BZ#1729215 -

-
-

- pykickstart -

-
-

- BZ#1637872 -

-
-

- python-ply -

-
-

- BZ#1747490 -

-
-

- python-wheel -

-
-

- BZ#1731526 -

-
-

- python3 -

-
-

- BZ#1731424 -

-
-

- qemu-kvm -

-
-

- BZ#1619884, BZ#1689216, - BZ#1651474, BZ#1740002, BZ#1719687, - BZ#1651994 -

-
-

- redhat-support-tool -

-
-

- BZ#1688274 -

-
-

- rhel-system-roles-sap -

-
-

- BZ#1660832 -

-
-

- rhel-system-roles -

-
-

- BZ#1691966 -

-
-

- rng-tools -

-
-

- BZ#1692435 -

-
-

- rpm -

-
-

- BZ#1688849 -

-
-

- rsyslog -

-
-

- JIRA:RHELPLAN-10431, BZ#1659383, BZ#1679512, - BZ#1614181 -

-
-

- rt-tests -

-
-

- BZ#1686494, BZ#1707505, BZ#1666351 -

-
-

- ruby-2.6-module -

-
-

- BZ#1672575 -

-
-

- s390utils -

-
-

- BZ#1750326 -

-
-

- samba -

-
-

- BZ#1638001, JIRA:RHELPLAN-13195 -

-
-

- scap-security-guide -

-
-

- BZ#1741455, BZ#1754919, BZ#1750755, BZ#1718839 -

-
-

- scap-workbench -

-
-

- BZ#1640715 -

-
-

- selinux-policy -

-
-

- BZ#1673269, BZ#1671241, BZ#1683642, BZ#1641631, BZ#1746398, BZ#1673107, - BZ#1684103, BZ#1673056 -

-
-

- setools -

-
-

- BZ#1672631 -

-
-

- setup -

-
-

- BZ#1663556 -

-
-

- squashfs-tools -

-
-

- BZ#1716278 -

-
-

- sssd -

-
-

- BZ#1448094, BZ#1081046, BZ#1657665, BZ#1652562, BZ#1669407, - BZ#1447945, BZ#1382750, BZ#1754871 -

-
-

- subscription-manager -

-
-

- BZ#1674337 -

-
-

- systemd -

-
-

- BZ#1658691, BZ#1686892, - BZ#1640802 -

-
-

- systemtap -

-
-

- BZ#1675740 -

-
-

- tpm2-abrmd-selinux -

-
-

- BZ#1642000 -

-
-

- tpm2-tools -

-
-

- BZ#1664498 -

-
-

- tuned -

-
-

- BZ#1685585 -

-
-

- udica -

-
-

- BZ#1763210, - BZ#1673643 -

-
-

- valgrind -

-
-

- BZ#1683715 -

-
-

- vdo -

-
-

- BZ#1669534 -

-
-

- virt-manager -

-
-

- BZ#1677019 -

-
-

- virtio-win -

-
-

- BZ#1223668 -

-
-

- xorg-x11-drv-qxl -

-
-

- BZ#1642887 -

-
-

- xorg-x11-server -

-
-

- BZ#1687489, BZ#1698565 -

-
-

- other -

-
-

- BZ#1640697, BZ#1623712, BZ#1745507, BZ#1659609, BZ#1697896, BZ#1732726, - JIRA:RHELPLAN-2542, JIRA:RHELPLAN-13066, JIRA:RHELPLAN-13074, BZ#1731502, - BZ#1649493, BZ#1718422, - JIRA:RHELPLAN-7109, JIRA:RHELPLAN-13068, JIRA:RHELPLAN-13960, JIRA:RHELPLAN-13649, - JIRA:RHELPLAN-12811, BZ#1766186, - BZ#1741531, BZ#1721683, - BZ#1690207, JIRA:RHELPLAN-1212, BZ#1559616, BZ#1699825, - JIRA:RHELPLAN-14047, BZ#1769727, - BZ#1642765, JIRA:RHELPLAN-10304, BZ#1646541, BZ#1647725, BZ#1686057, BZ#1748980 -

-
-
-
-
-
-
-
-

Appendix B. Revision History

-
-
-
-
-
-
0.5-0
-
-

- Thu May 9 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.4-0
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.3-0
-
-

- Tue Nov 7 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Fix broken links. -
  • -
-
-
-
0.2-9
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-8
-
-

- Thu Apr 27 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-7
-
-

- Fri Apr 29 2022, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.2-6
-
-

- Thu Dec 23 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about the Soft-RoCE driver, rdma_rxe, - to Technology Previews BZ#1605216 and - Deprecated Functionality BZ#1878207 (Kernel). -
  • -
-
-
-
0.2-5
-
-

- Thu Aug 19 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
- -
-
-
0.2-4
-
-

- Fri May 21 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated information about OS conversion in Overview. -
  • -
-
-
-
0.2-3
-
-

- Tue Apr 06 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Improved the list of supported architectures. -
  • -
-
-
-
0.2-2
-
-

- Thu Feb 25 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Fixed CentOS Linux name. -
  • -
-
-
-
0.2-1
-
-

- Thu Feb 04 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a known issue (Virtualization). -
  • -
-
-
-
0.2-0
-
-

- Thu Jan 28 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the New Features chapter. -
  • -
  • - Updated the Technology Previews chapter. -
  • -
-
-
-
0.1-9
-
-

- Thu Dec 10 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about handling AD GPOs in SSSD to New features (Identity - Management). -
  • -
-
-
-
0.1-8
-
-

- Tue Dec 01, 2020 Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a bug fix for issue with fapolicyd (Security). -
  • -
-
-
-
0.1-7
-
-

- Fri Oct 30 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated Application Streams description in the Repositories section. -
  • -
-
-
-
0.1-6
-
-

- Tue Sep 15 2020, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Added a known issue to the kernel section. -
  • -
-
-
-
0.1-5
-
-

- Tue Apr 28 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated information about in-place upgrades in Overview. -
  • -
-
-
-
0.1-4
-
-

- Thu Apr 09 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added two known issues (Security). -
  • -
  • - Unified commands for installing modules. -
  • -
-
-
-
0.1-3
-
-

- Tue Mar 31 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a new feature related to pcs. -
  • -
-
-
-
0.1-2
-
-

- Fri Mar 27 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Moved an incorrectly placed Technology Preview description to the correct chapter. -
  • -
-
-
-
0.1-1
-
-

- Fri Mar 20 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated a command for installing the jmc:rhel8 module. -
  • -
-
-
-
0.1-0
-
-

- Thu Mar 12 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated information on RHEL System Roles. -
  • -
-
-
-
0.0-9
-
-

- Fri Mar 06 2020, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Provided Important Changes to External Kernel Parameters and New Drivers chapters. -
  • -
-
-
-
0.0-8
-
-

- Wed Feb 12 2020, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Provided a complete kernel version to Architectures and New Features chapters. -
  • -
-
-
-
0.0-7
-
-

- Tue Feb 04 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.1.1 Release Notes. -
  • -
-
-
-
0.0-6
-
-

- Thu Jan 23 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the Technology Previews section. -
  • -
-
-
-
0.0-5
-
-

- Fri Dec 20 2019, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a note about rhel-system-roles-sap rebase to - version 1.1.1 (System Roles). -
  • -
  • - Added a note that subscription-manager now reports the - role, usage, and add-on values (Subscription Management). -
  • -
  • - Updated notes related to Extended Berkeley - Packet Filter (eBPF) (Kernel). -
  • -
-
-
-
0.0-4
-
-

- Tue Dec 03 2019, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a Known Issue related to fadump (Kernel). -
  • -
-
-
-
0.0-3
-
-

- Tue Nov 26 2019, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the Bug Fixes section. -
  • -
  • - Updated the Technology Previews section. -
  • -
  • - Added a Known Issue related to irqpoll (Kernel). -
  • -
-
-
-
0.0-2
-
-

- Thu Nov 14 2019, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a note that TIPC now has full support. -
  • -
  • - Added a note that bcc-tool is now supported on x86_64 - architectures only. -
  • -
  • - Updated Overview with information about live patching for kernel, kpatch. -
  • -
  • - Updated the the Technology Previews section. -
  • -
-
-
-
0.0-1
-
-

- Tue Nov 05 2019, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.1 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Wed Jul 24 2019, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.1 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
- 
diff --git a/app/data/8.10.html b/app/data/8.10.html
deleted file mode 100644
index d6a6341..0000000
--- a/app/data/8.10.html
+++ /dev/null
@@ -1,20315 +0,0 @@
- -
-
-
-
Red Hat Enterprise Linux 8.10
-
-

Release Notes for Red Hat Enterprise Linux 8.10

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.10 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
- For information about installing Red Hat Enterprise Linux, see Section 3.1, “Installation”. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your feedback on our documentation. Let us know how we can improve it. -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 8.10

-
-
-
-

Installer and image creation

-

- Key highlights for RHEL image builder: -

-
-
    -
  • - You can create different partitioning modes, such as auto-lvm, - lvm, and raw. -
  • -
  • - You can customize tailoring options for a profile and add it to your blueprint - customizations by using selected and unselected options, to add and remove rules. -
  • -
-
-

- For more information, see New features - Installer and image creation. -

-

Security

-

- SCAP Security Guide 0.1.72 contains updated CIS - profiles, a profile aligned with the PCI DSS policy version 4.0, and profiles for the latest DISA - STIG policies. -

-

- The Linux kernel cryptographic API (libkcapi) - 1.4.0 introduces new tools and options. Notably, with the new -T - option, you can specify target file names in hash-sum calculations. -

-

- The stunnel TLS/SSL tunneling service 5.71 - changes the behavior of OpenSSL 1.1 and later versions in FIPS mode. Besides this change, version - 5.71 provides many new features such as support for modern PostgreSQL clients. -

-

- The OpenSSL TLS toolkit now contains API-level - protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. -

-

- See New features - Security - for more information. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following Application Streams are now available: -

-
-
    -
  • - Python 3.12 -
  • -
  • - Ruby 3.3 -
  • -
  • - PHP 8.2 -
  • -
  • - nginx 1.24 -
  • -
  • - MariaDB 10.11 -
  • -
  • - PostgreSQL 16 -
  • -
-
-

- The following components have been upgraded: -

-
-
    -
  • - Git to version 2.43.0 -
  • -
  • - Git LFS to version 3.4.1 -
  • -
-
-

- See New features - Dynamic - programming languages, web and database servers for more information. -

-

Identity Management

-

- Identity Management (IdM) in RHEL 8.10 introduces delegating user authentication to external - identity providers (IdPs) that support the OAuth 2 Device Authorization Grant flow. This is now a - fully supported feature. -

-

- After performing authentication and authorization at the external IdP, the IdM user receives a - Kerberos ticket with single sign-on capabilities. -

-

- For more information, see New Features - Identity Management -

-

Containers

-

- Notable changes include: -

-
-
    -
  • - The podman farm build command for creating multi-architecture - container images is available as a Technology Preview. -
  • -
  • - Podman now supports containers.conf modules to load a - predetermined set of configurations. -
  • -
  • - The Container Tools packages have been updated. -
  • -
  • - Podman v4.9 RESTful API now displays data of progress when you pull or push an image to the - registry. -
  • -
  • - SQLite is now fully supported as a default database backend for Podman. -
  • -
  • - Containerfile now supports multi-line HereDoc instructions. -
  • -
  • - pasta as a network name has been deprecated. -
  • -
  • - The BoltDB database backend has been deprecated. -
  • -
  • - The container-tools:4.0 module has been deprecated. -
  • -
  • - The Container Network Interface (CNI) network stack is deprecated and will be removed in a - future release. -
  • -
-
-

- See New features - - Containers for more information. -

-
-
-
-
-
-

1.2. In-place upgrade and OS conversion

-
-
-
-

In-place upgrade from RHEL 7 to RHEL 8

-

- The possible in-place upgrade paths currently are: -

-
-
    -
  • - From RHEL 7.9 to RHEL 8.8 and RHEL 8.10 on the 64-bit Intel, IBM POWER 8 (little endian), - and IBM Z architectures -
  • -
  • - From RHEL 7.9 to RHEL 8.8 and RHEL 8.10 on systems with SAP HANA on the 64-bit Intel - architecture. -
  • -
-
-

- For more information, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. -

-

- For instructions on performing an in-place upgrade, see Upgrading - from RHEL 7 to RHEL 8. -

-

- For instructions on performing an in-place upgrade on systems with SAP environments, see How to in-place upgrade SAP - environments from RHEL 7 to RHEL 8. -

-

- For information regarding how Red Hat supports the in-place upgrade process, see the In-place upgrade Support Policy. -

-

- Notable enhancements include: -

-
-
    -
  • - New logic has been implemented to determine the expected states of the systemd services after the upgrade. -
  • -
  • - Locally stored DNF repositories can now be used for the in-place upgrade. -
  • -
  • - You can now configure DNF to be able to upgrade by using proxy. -
  • -
  • - Issues with performing the in-place upgrade with custom DNF repositories accessed by using - HTTPS have been fixed. -
  • -
  • - If the /etc/pki/tls/openssl.cnf configuration file has been - modified, the file is now replaced with the target default OpenSSL configuration file during - the upgrade to prevent issues after the upgrade. See the pre-upgrade report for more - information. -
  • -
-
-

In-place upgrade from RHEL 6 to RHEL 8

-

- It is not possible to perform an in-place upgrade directly from RHEL 6 to RHEL 8. However, you can - perform an in-place upgrade from RHEL 6 to RHEL 7 and then perform a second in-place upgrade to RHEL - 8. For more information, see Upgrading - from RHEL 6 to RHEL 7. -

-

In-place upgrade from RHEL 8 to RHEL 9

-

- Instructions on how to perform an in-place upgrade from RHEL 8 to RHEL 9 using the Leapp utility are - provided by the document Upgrading - from RHEL 8 to RHEL 9. Major differences between RHEL 8 and RHEL 9 are documented in Considerations - in adopting RHEL 9. -

-

Conversion from a different Linux - distribution to RHEL

-

- If you are using Alma Linux 8, CentOS Linux 8, Oracle Linux 8, or Rocky Linux 8, you can convert - your operating system to RHEL 8 using the Red Hat-supported Convert2RHEL utility. For more information, see Converting - from an RPM-based Linux distribution to RHEL. -

-

- If you are using CentOS Linux 7 or Oracle Linux 7, you can convert your operating system to RHEL and - then perform an in-place upgrade to RHEL 8. -

-

- For information regarding how Red Hat supports conversions from other Linux distributions to RHEL, - see the Convert2RHEL Support Policy - document. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-
- -
-
-
Note
-
-

- Release notes include links to access the original tracking tickets. Private tickets have no - links and instead feature this footnote.[1] -

-
-
-

-
-
-
[1] - - Release notes include links to access the original tracking tickets. Private tickets have no - links and instead feature this footnote. -
-
-
-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.10 is distributed with the kernel version 4.18.0-553, which provides support - for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Installation ISO image is in multiple GB size, and as a result, it might not - fit on optical media formats. A USB key or USB hard drive is recommended when - using the Installation ISO image to create bootable installation media. You can - also use the Image Builder tool to create customized RHEL images. For more - information about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 8 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of - user-space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.10. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

Ability to use partitioning mode on the blueprint filesystem - customization

-

- With this update, while using RHEL image builder, you can customize your blueprint with the - chosen filesystem customization. You can choose one of the following partition modes while you - create an image: -

-
-
-
    -
  • - Default: auto-lvm -
  • -
  • - LVM: the image uses Logical Volume Manager (LVM) even without extra partitions -
  • -
  • - Raw: the image uses raw partitioning even with extra partitions -
  • -
-
-

- Jira:RHELDOCS-16337[1] -

-
-

Filesystem customization policy changes in image builder

-

- The following policy changes are in place when using the RHEL image builder filesystem - customization in blueprints: -

-
-

- Currently, mountpoint and minimum partition minsize can be set. The following image types do not support filesystem - customizations: image-installeredge-installeredge-simplified-installer The - following image types do not create partitioned operating systems images. Customizing their - filesystem is meaningless: edge-commitedge-containertarcontainer The blueprint now supports the mountpoint customization for tpm and its - sub-directories. -

-

- Jira:RHELDOCS-17261[1] -

-
-
-
-
-
-

4.2. Security

-
-
-
-
-

SCAP Security Guide rebased to 0.1.72

-

- The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.72. This - version provides bug fixes and various enhancements, most notably: -

-
-
-
    -
  • - CIS profiles are updated to align with the latest benchmarks. -
  • -
  • - The PCI DSS profile is aligned with the PCI DSS policy version 4.0. -
  • -
  • - STIG profiles are aligned with the latest DISA STIG policies. -
  • -
-
-

- For additional information, see the SCAP Security Guide release notes. -

-

- Jira:RHEL-25250[1] -

-
-

OpenSSL now contains protections against Bleichenbacher-like - attacks

-

- This release of the OpenSSL TLS toolkit introduces API-level protections against - Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now - returns a randomly generated deterministic message instead of an error if it detects an error - when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection - against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657. -

-
-

- You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0") function - on the RSA decryption context, but this makes your system more vulnerable. -

-

- Jira:RHEL-17689[1] -

-
-

librdkafka rebased to 1.6.1

-

- The librdkafka implementation of the Apache Kafka protocol has been - rebased to upstream version 1.6.1. This is the first major feature release for RHEL 8. The - rebase provides many important enhancements and bug fixes. For all relevant changes, see the - CHANGELOG.md document provided in the librdkafka package. -

-
-
-
Note
-
-

- This update changes configuration defaults and deprecates some configuration properties. - Read the Upgrade considerations section in CHANGELOG.md for - more details. The API (C & C++) and ABI © in this version are compatible with older - versions of librdkafka, but some changes to the configuration - properties may require changes to existing applications. -

-
-
-

- Jira:RHEL-12892[1] -

-
-

libkcapi rebased to 1.4.0

-

- The libkcapi library, which provides access to the Linux kernel - cryptographic API, has been rebased to upstream version 1.4.0. The update includes various - enhancements and bug fixes, most notably: -

-
-
-
    -
  • - Added the sm3sum and sm3hmac - tools. -
  • -
  • - Added the kcapi_md_sm3 and kcapi_md_hmac_sm3 APIs. -
  • -
  • - Added SM4 convenience functions. -
  • -
  • - Fixed support for link-time optimization (LTO). -
  • -
  • - Fixed LTO regression testing. -
  • -
  • - Fixed support for AEAD encryption of an arbitrary size with kcapi-enc. -
  • -
-
-

- Jira:RHEL-5366[1] -

-
-

stunnel rebased to 5.71

-

- The stunnel TLS/SSL tunneling service has been rebased to upstream - version 5.71. This update changes the behavior of OpenSSL 1.1 and later versions in FIPS mode. - If OpenSSL is in FIPS mode and stunnel default FIPS configuration - is set to no, stunnel adapts to - OpenSSL and FIPS mode is enabled. -

-
-

- Additional new features include: -

-
-
    -
  • - Added support for modern PostgreSQL clients. -
  • -
  • - You can use the protocolHeader service-level option to insert - custom connect protocol negotiation headers. -
  • -
  • - You can use the protocolHost option to control the client SMTP - protocol negotiation HELO/EHLO value. -
  • -
  • - Added client-side support for Client-side protocol = ldap. -
  • -
  • - You can now configure session resumption by using the service-level sessionResume option. -
  • -
  • - Added support to request client certificates in server mode with CApath (previously, only CAfile was - supported). -
  • -
  • - Improved file reading and logging performance. -
  • -
  • - Added support for configurable delay for the retry option. -
  • -
  • - In client mode, OCSP stapling is requested and verified when verifyChain is set. -
  • -
  • - In server mode, OCSP stapling is always available. -
  • -
  • - Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting OCSPrequire = no. -
  • -
-
-

- Jira:RHEL-2340[1] -

-
-

OpenSSH limits artificial delays in authentication

-

- OpenSSH’s response after login failure is artificially delayed to prevent user enumeration - attacks. This update introduces an upper limit so that such artificial delays do not become - excessively long when remote authentication takes too long, for example in privilege access - management (PAM) processing. -

-
-

- Jira:RHEL-1684 -

-
-

libkcapi now provides an option for specifying - target file names in hash-sum calculations

-

- This update of the libkcapi (Linux kernel cryptographic API) - packages introduces the new option -T for specifying target file - names in hash-sum calculations. The value of this option overrides file names specified in - processed HMAC files. You can use this option only with the -c - option, for example: -

-
-
$ sha256hmac -c <hmac_file> -T <target_file>
-

- Jira:RHEL-15300[1] -

-
-

audit rebased to 3.1.2

-

- The Linux Audit system has been updated to version 3.1.2, which provides bug fixes, - enhancements, and performance improvements over the previously released version 3.0.7. Notable - enhancements include: -

-
-
-
    -
  • - The auparse library now interprets unnamed and anonymous - sockets. -
  • -
  • - You can use the new keyword this-hour in the start and end options of the ausearch and aureport tools. -
  • -
  • - User-friendly keywords for signals have been added to the auditctl program. -
  • -
  • - Handling of corrupt logs in auparse has been improved. -
  • -
  • - The ProtectControlGroups option is now disabled by default in - the auditd service. -
  • -
  • - Rule checking for the exclude filter has been fixed. -
  • -
  • - The interpretation of OPENAT2 fields has been enhanced. -
  • -
  • - The audispd af_unix plugin has been moved to a standalone - program. -
  • -
  • - The Python binding has been changed to prevent setting Audit rules from the Python API. This - change was made due to a bug in the Simplified Wrapper and Interface Generator (SWIG). -
  • -
-
-

- Jira:RHEL-15001[1] -

-
-
-
-
-
-

4.3. Shells and command-line tools

-
-
-
-
-

openCryptoki rebased to version - 3.22.0

-

- The opencryptoki package has been updated to version 3.22.0. - Notable changes include: -

-
-
-
    -
  • - Added support for the AES-XTS key type by using the CPACF protected keys. -
  • -
  • - Added support for managing certificate objects. -
  • -
  • - Added support for public sessions with the no-login option. -
  • -
  • - Added support for logging in as the Security Officer (SO). -
  • -
  • - Added support for importing and exporting the Edwards and Montgomery keys. -
  • -
  • - Added support for importing the RSA-PSS keys and certificates. -
  • -
  • - For security reasons, the 2 key parts of an AES-XTS key should not be the same. This update - adds checks to the key generation and import process to ensure this. -
  • -
  • - Various bug fixes have been implemented. -
  • -
-
-

- Jira:RHEL-11413[1] -

-
-
-
-
-
-

4.4. Infrastructure services

-
-
-
-
-

chrony rebased to version 4.5

-

- The chrony suite has been updated to version 4.5. Notable changes - include: -

-
-
-
    -
  • - Added periodic refresh of IP addresses of Network Time Protocol (NTP) sources specified by - hostname. The default interval is two weeks and it can be disabled by adding refresh 0 to the chrony.conf file. -
  • -
  • - Improved automatic replacement of unreachable NTP sources. -
  • -
  • - Improved logging of important changes made by the chronyc - utility. -
  • -
  • - Improved logging of source selection failures and falsetickers. -
  • -
  • - Added the hwtstimeout directive to configure timeout for late - hardware transmit timestamps. -
  • -
  • - Added experimental support for corrections provided by Precision Time Protocol (PTP) - transparent clocks to reach accuracy of PTP with hardware timestamping. -
  • -
  • - Fixed the presend option in interleaved mode. -
  • -
  • - Fixed reloading of modified sources specified by IP address from the sourcedir directories. -
  • -
-
-

- Jira:RHEL-21069 -

-
-

linuxptp rebased to version 4.2

-

- The linuxptp protocol has been updated to version 4.2. Notable - changes include: -

-
-
-
    -
  • - Added support for multiple domains in the phc2sys utility. -
  • -
  • - Added support for notifications on clock updates and changes in the Precision Time Protocol - (PTP) parent dataset, for example, clock class. -
  • -
  • - Added support for PTP Power Profile, namely IEEE C37.238-2011 and IEEE C37.238-2017. -
  • -
-
-

- Jira:RHEL-21326[1] -

-
-
-
-
-
-

4.5. Networking

-
-
-
-
-

firewalld now avoids unnecessary firewall rule - flushes

-

- The firewalld service does not remove all existing rules from the - iptables configuration if both following conditions are met: -

-
-
-
    -
  • - firewalld is using the nftables - backend. -
  • -
  • - There are no firewall rules created with the --direct option. -
  • -
-
-

- This change aims at reducing unnecessary operations (firewall rules flushes) and improves - integration with other software. -

-

- Jira:RHEL-47595 -

-
-

The ss utility adds visibility improvement to - TCP bound-inactive sockets

-

- The iproute2 suite provides a collection of utilities to control - TCP/IP networking traffic. TCP bound-inactive sockets are attached to an IP address and a port - number but neither connected nor listening on TCP ports. The socket services (ss) utility adds support for the kernel to dump TCP bound-inactive - sockets. You can view those sockets with the following command options: -

-
-
-
    -
  • - ss --all: to dump all sockets including TCP bound-inactive ones -
  • -
  • - ss --bound-inactive: to dump only bound-inactive sockets -
  • -
-
-

- Jira:RHEL-6113[1] -

-
-

nispor rebased to version 1.2.10

-

- The nispor packages have been upgraded to upstream version 1.2.10, - which provides a number of enhancements and bug fixes over the previous version: -

-
-
-
    -
  • - Added support for NetStateFilter to use the kernel filter on - network routes and interfaces. -
  • -
  • - Single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual - Function (SR-IOV VF) information per (VF). -
  • -
  • - Newly supported bonding options: lacp_active, arp_missed_max, and ns_ip6_target. -
  • -
-
-

- Bugzilla:2153166 -

-
-
-
-
-
-

4.6. Kernel

-
-
-
-
-

Kernel version in RHEL 8.10

-

- Red Hat Enterprise Linux 8.10 is distributed with the kernel version 4.18.0-553. -

-
-
-

rtla rebased to version 6.6 of the upstream - kernel source code

-

- The rtla utility has been upgraded to the latest upstream version, - which provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Added the -C option to specify additional control groups for - rtla threads to run in, apart from the main rtla thread. -
  • -
  • - Added the --house-keeping option to place rtla threads on a housekeeping CPU and to put measurement threads - on different CPUs. -
  • -
  • - Added support to the timerlat tracer so that you can run timerlat hist and timerlat top - threads in user space. -
  • -
-
-

- Jira:RHEL-10081[1] -

-
-

rteval was upgraded to the upstream version - 3.7

-

- With this update, the rteval utility has been upgraded to the - upstream version 3.7. The most significant feature in this update concerns the isolcpus kernel parameter. This includes the ability to detect and - use the isolcpus mechanism for measurement modules in rteval. As a result, it is easier for isolcpus users to use rteval to get - accurate latency numbers and to achieve best latency results measured on a realtime kernel. -

-
-

- Jira:RHEL-8967[1] -

-
-

SGX is now fully supported

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. -

-
-

- The RHEL kernel provides the SGX version 1 and 2 functionality. Version 1 enables platforms using - the Flexible Launch Control mechanism to use the - SGX technology. Version 2 adds Enclave Dynamic Memory - Management (EDMM). Notable features include: -

-
-
    -
  • - Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave. -
  • -
  • - Dynamic addition of regular enclave pages to an initialized enclave. -
  • -
  • - Expanding an initialized enclave to accommodate more threads. -
  • -
  • - Removing regular and TCS pages from an initialized enclave. -
  • -
-
-

- In this release, SGX moves from Technology Preview to a fully supported feature. -

-

- Bugzilla:2041881[1] -

-
-

The Intel data streaming accelerator driver is now fully supported -

-

- The Intel data streaming accelerator driver (IDXD) is a kernel driver that provides an Intel CPU - integrated accelerator. It includes a shared work queue with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- In this release, IDXD moves from a Technology Preview to a fully supported feature. -

-

- Jira:RHEL-10097[1] -

-
-

rteval now supports adding and removing - arbitrary CPUs from the default measurement CPU list

-

- With the rteval utility, you can add (using the + sign) or subtract - (using the - sign) CPUs to the default measurement CPU list when using the --measurement-cpulist parameter, instead of having to specify an - entire new list. Additionally, --measurement-run-on-isolcpus is - introduced for adding the set of all isolated CPUs to the default measurement CPU list. This - options covers the most common usecase of a real-time application running on isolated CPUs. - Other usecases require a more generic feature. For example, some real-time applications used one - isolated CPU for housekeeping, requiring it to be excluded from the default measurement CPU - list. As a result, you can now not only add, but also remove arbitrary CPUs from the default - measurement CPU list in a flexible way. Removing takes precedence over adding. This rule applies - to both, CPUs specified with +/- signs and to those defined with --measurement-run-on-isolcpus. -

-
-

- Jira:RHEL-21926[1] -

-
-
-
-
-
-

4.7. Boot loader

-
-
-
-
-

DEP/NX support in the pre-boot stage

-

- The memory protection feature known as Data Execution Prevention (DEP), No Execute (NX), or - Execute Disable (XD), blocks the execution of code that is marked as non-executable. DEP/NX has - been available in RHEL at the operating system level. -

-
-

- This release adds DEP/NX support in the GRUB and shim boot loaders. - This can prevent certain vulnerabilities during the pre-boot stage, such as a malicious EFI driver - that might execute certain attacks without the DEP/NX protection. -

-

- Jira:RHEL-15856[1] -

-
-

Support for TD RTMR measurement in GRUB and shim

-

- Intel® Trust Domain Extension (Intel® TDX) is a confidential computing technology that deploys - hardware-isolated virtual machines (VMs) called Trust Domains (TDs). -

-
-

- TDX extends the Virtual Machine Extensions (VMX) instructions and the Multi-key Total Memory - Encryption (MKTME) feature with the TD VM guest. In a TD guest VM, all components in the boot chain, - such as grub2 and shim, must log the event - and measurement hash to runtime measurement registers (RTMR). -

-

- TD guest runtime measurement in RTMR is the base for attestation applications. Applications on the - TD guest rely on TD measurement to provide trust evidence to get confidential information, such as - the key from the relaying part through the attestation service. -

-

- With this release, the GRUB and shim boot loaders now support the TD - measurement protocol. -

-

- For more information about Intel® TDX, see Documentation - for Intel® Trust Domain Extensions. -

-

- Jira:RHEL-15583[1] -

-
-
-
-
-
-

4.8. File systems and storage

-
-
-
-
-

The Storage RHEL System Roles now support shared LVM device - management

-

- The RHEL System Roles now support the creation and management of shared logical volumes and - volume groups. -

-
-

- Jira:RHEL-14022 -

-
-

multipathd now supports detecting FPIN-Li - events for NVMe devices

-

- Previously, the multipathd command would only monitor Integrity - Fabric Performance Impact Notification (PFIN-Li) events on SCSI devices. multipathd could listen for Link Integrity events sent by a Fibre - Channel fabric and use it to mark paths as marginal. This feature was only supported for - multipath devices on top of SCSI devices, and multipathd was unable - to mark Non-volatile Memory Express (NVMe) device paths as marginal by limiting the use of this - feature. -

-
-

- With this update, multipathd supports detecting FPIN-Li events for both - SCSI and NVMe devices. As a result, multipath now does not use paths without a good fabric - connection, while other paths are available. This helps to avoid IO delays in such situations. -

-

- Jira:RHEL-6677 -

-
-
-
-
-
-

4.9. Dynamic programming languages, web and database servers

-
-
-
-
-

Python 3.12 available in RHEL 8

-

- RHEL 8.10 introduces Python 3.12, provided by the new package python3.12 and a suite of packages built for it, as well as the ubi8/python-312 container image. -

-
-

- Notable enhancements compared to the previously released Python 3.11 include: -

-
-
    -
  • - Python introduces a new type statement and new type parameter - syntax for generic classes and functions. -
  • -
  • - Formatted string literal (f-strings) have been formalized in the grammar and can now be - integrated into the parser directly. -
  • -
  • - Python now provides a unique per-interpreter global interpreter lock (GIL). -
  • -
  • - You can now use the buffer protocol from Python code. -
  • -
  • - To improve security, the builtin hashlib implementations of the - SHA1, SHA3, SHA2-384, SHA2-512, and MD5 cryptographic algorithms have been replaced with - formally verified code from the HACL* project. The builtin implementations remain available - as fallback if OpenSSL does not provide them. -
  • -
  • - Dictionary, list, and set comprehensions in CPython are now - inlined. This significantly increases the speed of a comprehension execution. -
  • -
  • - CPython now supports the Linux perf profiler. -
  • -
  • - CPython now provides stack overflow protection on supported - platforms. -
  • -
-
-

- To install packages from the python3.12 stack, use, for example: -

-
# yum install python3.12
-# yum install python3.12-pip
-

- To run the interpreter, use, for example: -

-
$ python3.12
-$ python3.12 -m pip --help
-

- See Installing - and using Python for more information. -

-

- For information about the length of support of Python 3.12, see Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Jira:RHEL-14942 -

-
-

A new environment variable in Python to control parsing of email - addresses

-

- To mitigate CVE-2023-27043, a backward - incompatible change to ensure stricter parsing of email addresses was introduced in Python 3. -

-
-

- This update introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING - environment variable. When you set this variable to true, the previous, - less strict parsing behavior is the default for the entire system: -

-
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
-

- However, individual calls to the affected functions can still enable stricter behavior. -

-

- You can achieve the same result by creating the /etc/python/email.cfg - configuration file with the following content: -

-
[email_addr_parsing]
-PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
-

- For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing - stricter parsing of email addresses in Python. -

-

- Jira:RHELDOCS-17369[1] -

-
-

A new module stream: ruby:3.3

-

- RHEL 8.10 introduces Ruby 3.3.0 in a new ruby:3.3 module stream. - This version provides a number of performance improvements, bug and security fixes, and new - features over Ruby 3.1 distributed with RHEL 8.7. -

-
-

- Notable enhancements include: -

-
-
    -
  • - You can use the new Prism parser instead of Ripper. Prism is a portable, error - tolerant, and maintainable recursive descent parser for the Ruby language. -
  • -
  • - YJIT, the Ruby just-in-time (JIT) compiler implementation, is no longer experimental and it - provides major performance improvements. -
  • -
  • - The Regexp matching algorithm has been improved to reduce the - impact of potential Regular Expression Denial of Service (ReDoS) vulnerabilities. -
  • -
  • - The new experimental RJIT (a pure-Ruby JIT) compiler replaces MJIT. Use YJIT in production. -
  • -
  • - A new M:N thread scheduler is now available. -
  • -
-
-

- Other notable changes: -

-
-
    -
  • - You must now use the Lrama LALR parser generator instead of - Bison. -
  • -
  • - Several deprecated methods and constants have been removed. -
  • -
  • - The Racc gem has been promoted from a default gem to a bundled - gem. -
  • -
-
-

- To install the ruby:3.3 module stream, use: -

-
# yum module install ruby:3.3
-

- If you want to upgrade from an earlier ruby module stream, see Switching - to a later stream. -

-

- For information about the length of support of Ruby 3.3, see Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Jira:RHEL-17090[1] -

-
-

A new module stream: php:8.2

-

- RHEL 8.10 adds PHP 8.2, which provides a number of bug fixes and enhancements over version 8.0. -

-
-

- With PHP 8.2, you can: -

-
-
    -
  • - Define a custom type that is limited to one of a discrete number of possible values using - the Enumerations (Enums) feature. -
  • -
  • - Declare a property with the readonly modifier to prevent - modification of the property after initialization. -
  • -
  • - Use fibers, full-stack, and interruptible functions. -
  • -
  • - Use readonly classes. -
  • -
  • - Declare several new standalone types. -
  • -
  • - Use a new Random extension. -
  • -
  • - Define constraints in traits. -
  • -
-
-

- To install the php:8.2 module stream, use the following command: -

-
# yum module install php:8.2
-

- If you want to upgrade from an earlier php stream, see Switching - to a later stream. -

-

- For details regarding PHP usage on RHEL 8, see Using - the PHP scripting language. -

-

- For information about the length of support for the php module streams, - see the Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Jira:RHEL-14705[1] -

-
-

The name() method of the perl-DateTime-TimeZone module now returns the time zone - name

-

- The perl-DateTime-TimeZone module has been updated to version 2.62, - which changed the value that is returned by the name() method from - the time zone alias to the main time zone name. -

-
-

- For more information and an example, see the Knowledgebase article Change in the perl-DateTime-TimeZone API - related to time zone name and alias. -

-

- Jira:RHEL-35685 -

-
-

A new module stream: nginx:1.24

-

- The nginx 1.24 web and proxy server is now available as the nginx:1.24 module stream. This update provides a number of bug fixes, - security fixes, new features, and enhancements over the previously released version 1.22. -

-
-

- New features and changes related to Transport Layer Security (TLS): -

-
-
    -
  • - Encryption keys are now automatically rotated for TLS session tickets when using shared - memory in the ssl_session_cache directive. -
  • -
  • - Memory usage has been optimized in configurations with Secure Sockets Layer (SSL) proxy. -
  • -
  • - You can now disable looking up IPv4 addresses while resolving by using the ipv4=off parameter of the resolver - directive. -
  • -
  • - nginx now supports the $proxy_protocol_tlv_* variables, which - store the values ​​of the Type-Length-Value (TLV) fields that appear in the PROXY v2 TLV - protocol. -
  • -
  • - The ngx_http_gzip_static_module module now supports byte - ranges. -
  • -
-
-

- Other changes: -

-
-
    -
  • - Header lines are now represented as linked lists in the internal API. -
  • -
  • - nginx now concatenates identically named header strings passed to the FastCGI, SCGI, and - uwsgi back ends in the $r->header_in() method of the ngx_http_perl_module, and during lookups of the $http_..., $sent_http_..., $sent_trailer_..., $upstream_http_..., and $upstream_trailer_... variables. -
  • -
  • - nginx now displays a warning if protocol parameters of a listening socket are redefined. -
  • -
  • - nginx now closes connections with lingering if pipelining was used by the client. -
  • -
  • - The logging level of various SSL errors has been lowered, for example, from Critical to Informational. -
  • -
-
-

- To install the nginx:1.24 stream, use: -

-
# yum module install nginx:1.24
-

- To upgrade from an earlier nginx stream, switch - to a later stream. -

-

- For more information, see Setting - up and configuring NGINX. -

-

- For information about the length of support for the nginx module - streams, see the Red Hat - Enterprise Linux Application Streams Life Cycle article. -

-

- Jira:RHEL-14714[1] -

-
-

A new module stream: mariadb:10.11 -

-

- MariaDB 10.11 is now available as a new module stream, mariadb:10.11. Notable enhancements over the previously available - version 10.5 include: -

-
-
-
    -
  • - A new sys_schema feature. -
  • -
  • - Atomic Data Definition Language (DDL) statements. -
  • -
  • - A new GRANT ... TO PUBLIC privilege. -
  • -
  • - Separate SUPER and READ ONLY ADMIN - privileges. -
  • -
  • - A new UUID database data type. -
  • -
  • - Support for the Secure Socket Layer (SSL) protocol version 3; the MariaDB server now - requires correctly configured SSL to start. -
  • -
  • - Support for the natural sort order through the natural_sort_key() function. -
  • -
  • - A new SFORMAT function for arbitrary text formatting. -
  • -
  • - Changes to the UTF-8 charset and the UCA-14 collation. -
  • -
  • - systemd socket activation files available in the /usr/share/ directory. Note that they are not a part of the - default configuration in RHEL as opposed to upstream. -
  • -
  • - Error messages containing the MariaDB string instead of MySQL. -
  • -
  • - Error messages available in the Chinese language. -
  • -
  • - Changes to the default logrotate file. -
  • -
  • - For MariaDB and MySQL clients, the connection property specified on the command line (for - example, --port=3306), now forces the protocol type of - communication between the client and the server, such as tcp, - socket, pipe, or memory. -
  • -
-
-

- For more information about changes in MariaDB 10.11, see Notable - differences between MariaDB 10.5 and MariaDB 10.11. -

-

- For more information about MariaDB, see Using - MariaDB. -

-

- To install the mariadb:10.11 stream, use: -

-
# yum module install mariadb:10.11
-

- If you want to upgrade from the mariadb:10.5 module stream, see Upgrading - from MariaDB 10.5 to MariaDB 10.11. -

-

- For information about the length of support for the mariadb module - streams, see Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Jira:RHEL-3637 -

-
-

A new module stream: postgresql:16 -

-

- RHEL 8.10 introduces PostgreSQL 16, which provides a number of new features and enhancements - over version 15. -

-
-

- Notable enhancements include: -

-
-
    -
  • - Enhanced bulk loading improves performance. -
  • -
  • - The libpq library now supports connection-level load balancing. - You can use the new load_balance_hosts option for more - efficient load balancing. -
  • -
  • - You can now create custom configuration files and include them in the pg_hba.conf and pg_ident.conf files. -
  • -
  • - PostgreSQL now supports regular expression matching on database and role entries in the - pg_hba.conf file. -
  • -
-
-

- Other changes include: -

-
-
    -
  • - PostgreSQL is no longer distributed with the postmaster binary. - Users who start the postgresql server by using the provided - systemd unit file (the systemctl start postgres command) are not affected by this - change. If you previously started the postgresql server - directly through the postmaster binary, you must now use the - postgres binary instead. -
  • -
  • - PostgreSQL no longer provides documentation in PDF format within the package. Use the online - documentation instead. -
  • -
-
-

- See also Using - PostgreSQL. -

-

- To install the postgresql:16 stream, use the following command: -

-
# yum module install postgresql:16
-

- If you want to upgrade from an earlier postgresql stream within RHEL 8, - follow the procedure described in Switching - to a later stream and then migrate your PostgreSQL data as described in Migrating - to a RHEL 8 version of PostgreSQL. -

-

- For information about the length of support for the postgresql module - streams, see the Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Jira:RHEL-3636 -

-
-

Git rebased to version 2.43.0

-

- The Git version control system has been updated to version 2.43.0, which provides bug fixes, - enhancements, and performance improvements over the previously released version 2.39. -

-
-

- Notable enhancements include: -

-
-
    -
  • - You can now use the new --source option with the git check-attr command to read the .gitattributes file from the provided tree-ish object instead of - the current working directory. -
  • -
  • - Git can now pass information from the WWW-Authenticate - response-type header to credential helpers. -
  • -
  • - In case of an empty commit, the git format-patch command now - writes an output file containing a header of the commit instead of creating an empty file. -
  • -
  • - You can now use the git blame --contents=<file> <revision> -- <path> - command to find the origins of lines starting at <file> contents - through the history that leads to <revision>. -
  • -
  • - The git log --format command now accepts the %(decorate) placeholder for further customization to extend the - capabilities provided by the --decorate option. -
  • -
-
-

- Jira:RHEL-17103[1] -

-
-

Git LFS rebased to version 3.4.1

-

- The Git Large File Storage (LFS) extension has been updated to version 3.4.1, which provides bug - fixes, enhancements, and performance improvements over the previously released version 3.2.0. -

-
-

- Notable changes include: -

-
-
    -
  • - The git lfs push command can now read references and object IDs - from standard input. -
  • -
  • - Git LFS now handles alternative remotes without relying on Git. -
  • -
  • - Git LFS now supports the WWW-Authenticate response-type header - as a credential helper. -
  • -
-
-

- Jira:RHEL-17102[1] -

-
-

Increased performance of the Python interpreter

-

- All supported versions of Python in RHEL 8 are now compiled with the -O3 optimization flag, which is the default in upstream. As a result, - you can observe increased performance of your Python applications and the interpreter itself. -

-
-

- The change is available with the release of the following advisories: -

-
- -
-

- Jira:RHEL-49614[1], Jira:RHEL-49636, Jira:RHEL-49644, Jira:RHEL-49638 -

-
-
-
-
-
-

4.10. Compilers and development tools

-
-
-
-
-

elfutils rebased to version 0.190

-

- The elfutils package has been updated to version 0.190. Notable - improvements include: -

-
-
-
    -
  • - The libelf library now supports relative relocation (RELR). -
  • -
  • - The libdw library now recognizes .debug_[ct]u_index sections. -
  • -
  • - The eu-readelf utility now supports a new -Ds, --use-dynamic --symbol option - to show symbols through the dynamic segment without using ELF sections. -
  • -
  • - The eu-readelf utility can now show .gdb_index version 9. -
  • -
  • - A new eu-scrlines utility compiles a list of source files - associated with a specified DWARF or ELF file. -
  • -
  • - A debuginfod server schema has changed for a 60% compression in - file name representation (this requires reindexing). -
  • -
-
-

- Jira:RHEL-15924 -

-
-

valgrind updated to 3.22

-

- The valgrind package has been updated to version 3.22. Notable - improvements include: -

-
-
-
    -
  • - valgrind memcheck now checks that - the values given to the C functions memalign, posix_memalign, and aligned_alloc, - and the C++17 aligned new operator are valid alignment values. -
  • -
  • - valgrind memcheck now supports - mismatch detection for C++14 sized and C++17 aligned new and - delete operators. -
  • -
  • - Added support for lazy reading of DWARF debugging information, resulting in faster startup - when debuginfo packages are installed. -
  • -
-
-

- Jira:RHEL-15926 -

-
-

Clang resource directory moved

-

- The Clang resource directory, where Clang stores its internal headers and libraries, has been - moved from /usr/lib64/clang/17 to /usr/lib/clang/17. -

-
-

- Jira:RHEL-9299 -

-
-

A new grafana-selinux package

-

- Previously, the default installation of grafana-server ran as an - unconfined_service_t SELinux type. This update adds the new grafana-selinux package, which contains an SELinux policy for grafana-server and which is installed by default with grafana-server. As a result, grafana-server now runs as grafana_t - SELinux type. -

-
-

- Jira:RHEL-7503 -

-
-

Updated GCC Toolset 13

-

- GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is - available as an Application Stream in the form of a Software Collection in the AppStream - repository. -

-
-

- Notable changes introduced in RHEL 8.10 include: -

-
-
    -
  • - The GCC compiler has been updated to version 13.2.1, which provides many bug fixes and - enhancements that are available in upstream GCC. -
  • -
  • - binutils now support AMD CPUs based on the znver5 core through the -march=znver5 compiler switch. -
  • -
  • - annobin has been updated to version 12.32. -
  • -
  • - The annobin plugin for GCC now defaults to using a more - compressed format for the notes that it stores in object files, resulting in smaller object - files and faster link times, especially in large, complex programs. -
  • -
-
-

- The following tools and versions are provided by GCC Toolset 13: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 13.2.1 -

-
-

- GDB -

-
-

- 12.1 -

-
-

- binutils -

-
-

- 2.40 -

-
-

- dwz -

-
-

- 0.14 -

-
-

- annobin -

-
-

- 12.32 -

-
-
-

- To install GCC Toolset 13, run the following command as root: -

-
# yum install gcc-toolset-13
-

- To run a tool from GCC Toolset 13: -

-
$ scl enable gcc-toolset-13 tool
-

- To run a shell session where tool versions from GCC Toolset 13 override system versions of these - tools: -

-
$ scl enable gcc-toolset-13 bash
-

- For more information, see GCC - Toolset 13 and Using - GCC Toolset. -

-

- Jira:RHEL-25405[1] -

-
-

LLVM Toolset rebased to version 17.0.6

-

- LLVM Toolset has been updated to version 17.0.6. -

-
-

- Notable enhancements include: -

-
-
    -
  • - The opaque pointers migration is now completed. -
  • -
  • - Removed support for the legacy pass manager in middle-end optimization. -
  • -
-
-

- Clang changes: -

-
-
    -
  • - C++20 coroutines are no longer considered experimental. -
  • -
  • - Improved code generation for the std::move function and similar - in unoptimized builds. -
  • -
-
-

- For more information, see the LLVM and Clang upstream - release notes. -

-

- Jira:RHEL-9028 -

-
-

Rust Toolset rebased to version 1.75.0

-

- Rust Toolset has been updated to version 1.75.0. -

-
-

- Notable enhancements include: -

-
-
    -
  • - Constant evaluation time is now unlimited -
  • -
  • - Cleaner panic messages -
  • -
  • - Cargo registry authentication -
  • -
  • - async fn and opaque return types in traits -
  • -
-
-

- Jira:RHEL-12964 -

-
-

Go Toolset rebased to version 1.21.0

-

- Go Toolset has been updated to version 1.21.0. -

-
-

- Notable enhancements include: -

-
-
    -
  • - min, max, and clear built-ins have been added. -
  • -
  • - Official support for profile guided optimization has been added. -
  • -
  • - Package initialization order is now more precisely defined. -
  • -
  • - Type inferencing is improved. -
  • -
  • - Backwards compatibility support is improved. -
  • -
-
-

- For more information, see the Go - upstream release notes. -

-

- Jira:RHEL-11872[1] -

-
-

papi supports new processor - microarchitectures

-

- With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures: -

-
-
-
    -
  • - AMD Zen 4 -
  • -
  • - 4th Generation Intel® Xeon® Scalable Processors -
  • -
-
-

- Jira:RHEL-9336[1], Jira:RHEL-9320, Jira:RHEL-9337 -

-
-

Ant rebased to version 1.10.9

-

- The ant:1.10 module stream has been updated to version 1.10.9. This - version provides support for code signing, using a provider class and provider argument. -

-
-
-
Note
-
-

- The updated ant:1.10 module stream provides only the ant and ant-lib packages. Remaining - packages related to Ant are distributed in the javapackages-tools module in the unsupported CodeReady Linux - Builder (CRB) repository and have not been updated. -

-

- Packages from the updated ant:1.10 module stream cannot be used - in parallel with packages from the javapackages-tools module. - If you want to use the complete set of Ant-related packages, you must uninstall the ant:1.10 module and disable it, enable the CRB repository, and - install the javapackages-tools module. -

-
-
-

- Jira:RHEL-5365 -

-
-

New package: maven-openjdk21

-

- The maven:3.8 module stream now includes the maven-openjdk21 subpackage, which provides the Maven JDK binding for - OpenJDK 21 and configures Maven to use the system OpenJDK 21. -

-
-

- Jira:RHEL-17126[1] -

-
-

cmake rebased to version 3.26

-

- The cmake package has been updated to version 3.26. Notable - improvements include: -

-
-
-
    -
  • - Added support for the C17 and C18 language standards. -
  • -
  • - cmake can now query the /etc/os-release file for operating system identification - information. -
  • -
  • - Added support for the CUDA 20 and nvtx3 libraries. -
  • -
  • - Added support for the Python stable application binary interface. -
  • -
  • - Added support for Perl 5 in the Simplified Wrapper and Interface Generator (SWIG) tool. -
  • -
-
-

- Jira:RHEL-7396 -

-
-
-
-
-
-

4.11. Identity Management

-
-
-
-
-

Identity Management users can now use external identity providers to - authenticate to IdM

-

- With this enhancement, you can now associate Identity Management (IdM) users with external - identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such - IdPs include Red Hat build of Keycloak, Microsoft Entra ID (formerly Azure Active Directory), - GitHub, and Google. -

-
-

- If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable an IdM - user to authenticate at the external IdP. After performing authentication and authorization at the - external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user - must authenticate with the SSSD version available in RHEL 8.7 or later. -

-

- Jira:RHELPLAN-123140[1] -

-
-

ipa rebased to version 4.9.13

-

- The ipa package has been updated from version 4.9.12 to 4.9.13. - Notable changes include: -

-
-
-
    -
  • - The installation of an IdM replica now occurs against a chosen server, not only for Kerberos - authentication but also for all IPA API and CA requests. -
  • -
  • - The performance of the cert-find command has been improved - dramatically for situations with a large number of certificates. -
  • -
  • - The ansible-freeipa package has been rebased from version 1.11 - to 1.12.1. -
  • -
-
-

- For more information, see the upstream release notes. -

-

- Jira:RHEL-16936 -

-
-

Deleting expired KCM Kerberos tickets

-

- Previously, if you attempted to add a new credential to the Kerberos Credential Manager (KCM) - and you had already reached the storage space limit, the new credential was rejected. The user - storage space is limited by the max_uid_ccaches configuration - option that has a default value of 64. With this update, if you have already reached the storage - space limit, your oldest expired credential is removed and the new credential is added to the - KCM. If there are no expired credentials, the operation fails and an error is returned. To - prevent this issue, you can free some space by removing credentials using the kdestroy command. -

-
-

- Jira:SSSD-6216 -

-
-

Support for bcrypt password hashing algorithm - for local users

-

- With this update, you can enable the bcrypt password hashing - algorithm for local users. To switch to the bcrypt hashing - algorithm: -

-
-
-
    -
  1. - Edit the /etc/authselect/system-auth and /etc/authselect/password-auth files by changing the pam_unix.so sha512 setting to pam_unix.so blowfish. -
  2. -
  3. -

    - Apply the changes: -

    -
    # authselect apply-changes
    -
  4. -
  5. - Change the password for a user by using the passwd command. -
  6. -
  7. - In the /etc/shadow file, verify that the hashing algorithm is - set to $2b$, indicating that the bcrypt password hashing algorithm is now used. -
  8. -
-
-

- Jira:SSSD-6790 -

-
-

The idp Ansible module allows associating IdM - users with external IdPs

-

- With this update, you can use the idp ansible-freeipa module to associate Identity Management (IdM) users - with external identity providers (IdP) that support the OAuth 2 device authorization flow. If an - IdP reference and an associated IdP user ID exist in IdM, you can use them to enable IdP - authentication for an IdM user.  -

-
-

- After performing authentication and authorization at the external IdP, the IdM user receives a - Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version - available in RHEL 8.7 or later. -

-

- Jira:RHEL-16938 -

-
-

IdM now supports the idoverrideuser, idoverridegroup and idview Ansible - modules

-

- With this update, the ansible-freeipa package now contains the - following modules: -

-
-
-
-
idoverrideuser
-
- Allows you to override user attributes for users stored in the Identity Management (IdM) - LDAP server, for example, the user login name, home directory, certificate, or SSH keys. -
-
idoverridegroup
-
- Allows you to override attributes for groups stored in the IdM LDAP server, for example, the - name of the group, its GID, or description. -
-
idview
-
- Allows you to organize user and group ID overrides and apply them to specific IdM hosts. -
-
-
-

- In the future, you will be able to use these modules to enable AD users to use smart cards to log in - to IdM. -

-

- Jira:RHEL-16933 -

-
-

The delegation of DNS zone management enabled in ansible-freeipa

-

- You can now use the dnszone ansible-freeipa module to delegate DNS zone management. Use the permission or managedby variable of the - dnszone module to set a per-zone access delegation permission. -

-
-

- Jira:RHEL-19133 -

-
-

The ansible-freeipa ipauser and ipagroup modules now - support a new renamed state

-

- With this update, you can use the renamed state in ansible-freeipa ipauser module to change - the user name of an existing IdM user. You can also use this state in ansible-freeipa ipagroup module to - change the group name of an existing IdM group. -

-
-

- Jira:RHEL-4963 -

-
-

The runasuser_group parameter is now available - in ansible-freeipa ipasudorule

-

- With this update, you can set Groups of RunAs Users for a sudo rule - by using the ansible-freeipa ipasudorule module. The option is - already available in the Identity Management (IdM) command-line interface and the IdM Web UI. -

-
-

- Jira:RHEL-19129 -

-
-

389-ds-base rebased to version - 1.4.3.39

-

- The 389-ds-base package has been updated to version 1.4.3.39. -

-
-

- Jira:RHEL-19028 -

-
-

The HAProxy protocol is now supported for the 389-ds-base package

-

- Previously, Directory Server did not differentiate incoming connections between proxy and - non-proxy clients. With this update, you can use the new nsslapd-haproxy-trusted-ip multi-valued configuration attribute to - configure the list of trusted proxy servers. When nsslapd-haproxy-trusted-ip is configured under the cn=config entry, Directory Server uses the HAProxy protocol to - receive client IP addresses via an additional TCP header so that access control instructions - (ACIs) can be correctly evaluated and client traffic can be logged. -

-
-

- If an untrusted proxy server initiates a bind request, Directory Server rejects the request and - records the following message to the error log file: -

-
[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4
-

- Jira:RHEL-19240 -

-
-

samba rebased to version 4.19.4

-

- The samba packages have been upgraded to upstream version 4.19.4, - which provides bug fixes and enhancements over the previous version. The most notable changes - are: -

-
-
-
    -
  • - Command-line options in the smbget utility have been renamed - and removed for a consistent user experience. However, this can break existing scripts or - jobs that use the utility. See the smbget --help command and - smbget(1) man page for further details about the new options. -
  • -
  • -

    - If the winbind debug traceid option is enabled, the winbind service now logs, additionally, the following fields: -

    -
    -
      -
    • - traceid: Tracks the records belonging to the same - request. -
    • -
    • - depth: Tracks the request nesting level. -
    • -
    -
    -
  • -
  • - Samba no longer uses its own cryptography implementations and, instead, now fully uses - cryptographic functionality provided by the GnuTLS library. -
  • -
  • - The directory name cache size option was removed. -
  • -
-
-

- Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 - and will be removed in a future release. -

-

- Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba - automatically updates its tdb database files. Red Hat does not support - downgrading tdb database files. -

-

- After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file. -

-

- Jira:RHEL-16483[1] -

-
-
-
-
-
-

4.12. The web console

-
-
-
-
-

RHEL web console can now generate Ansible and shell scripts

-

- In the web console, you can now easily access and copy automation scripts on the kdump configuration page. You can then use the generated script to - implement a specific kdump configuration on multiple systems. -

-
-

- Jira:RHELDOCS-17060[1] -

-
-

Simplified managing storage and resizing partitions on Storage

-

- The Storage section of the web console is now redesigned. The new design improved visibility - across all views. The overview page now presents all storage objects in a comprehensive table, - which makes it easier to perform operations directly. You can click any row to view detailed - information and any supplementary actions. Additionally, you can now resize partitions from the - Storage section. -

-
-

- Jira:RHELDOCS-17056[1] -

-
-
-
-
-
-

4.13. Red Hat Enterprise Linux System Roles

-
-
-
-
-

The ad_integration RHEL system role now - supports configuring dynamic DNS update options

-

- With this update, the ad_integration RHEL system role supports - configuring options for dynamic DNS updates using SSSD when integrated with Active Directory - (AD). By default, SSSD will attempt to automatically refresh the DNS record: -

-
-
-
    -
  • - When the identity provider comes online (always). -
  • -
  • - At a specified interval (optional configuration); by default, the AD provider updates the - DNS record every 24 hours. -
  • -
-
-

- You can change these and other settings using the new variables in ad_integration. For example, you can set ad_dyndns_refresh_interval to 172800 to - change the DNS record refresh interval to 48 hours. For more details regarding the role variables, - see the resources in the /usr/share/doc/rhel-system-roles/ad_integration/ directory. -

-

- Jira:RHELDOCS-17372[1] -

-
-

The metrics RHEL System Role now supports - configuring PMIE webhooks

-

- With this update, you can automatically configure the global webhook_endpoint PMIE variable using the metrics_webhook_endpoint variable for the metrics RHEL System Role. This enables you to provide a custom URL - for your environment that receives messages about important performance events, and is typically - used with external tools such as Event-Driven Ansible. -

-
-

- Jira:RHEL-18170 -

-
-

The bootloader RHEL system role

-

- This update introduces the bootloader RHEL system role. You can use - this feature for stable and consistent configuration of bootloaders and kernels on your RHEL - systems. For more details regarding requirements, role variables, and example playbooks, see the - README resources in the /usr/share/doc/rhel-system-roles/bootloader/ directory. -

-
-

- Jira:RHEL-3241 -

-
-

The logging role supports general queue and - general action parameters in output modules

-

- Previously, it was not possible to configure general queue parameters and general action - parameters with the logging role. With this update, the logging RHEL System Role supports configuration of general queue - parameters and general action parameters in output modules. -

-
-

- Jira:RHEL-15440 -

-
-

Support for new ha_cluster System Role - features

-

- The ha_cluster System Role now supports the following features: -

-
-
-
    -
  • - Enablement of the repositories containing resilient storage packages, such as dlm or gfs2. A Resilient Storage - subscription is needed to access the repository. -
  • -
  • - Configuration of fencing levels, allowing a cluster to use multiple devices to fence nodes. -
  • -
  • - Configuration of node attributes. -
  • -
-
-

- For information about the parameters you configure to implement these features, see Configuring - a high-availability cluster by using the ha_cluster RHEL System Role. -

-

- Jira:RHEL-4624[1], Jira:RHEL-22108, Jira:RHEL-14090 -

-
-

New RHEL System Role for configuring fapolicyd

-

- With the new fapolicyd RHEL System Role, you can use Ansible - playbooks to manage and configure the fapolicyd framework. The - fapolicyd software framework controls the execution of applications - based on a user-defined policy. -

-
-

- Jira:RHEL-16542 -

-
-

The network RHEL System role now supports new - route types

-

- With this enhancement, you can now use the following route types with the network RHEL System Role: -

-
-
-
    -
  • - blackhole -
  • -
  • - prohibit -
  • -
  • - unreachable -
  • -
-
-

- Jira:RHEL-21491[1] -

-
-

New rhc_insights.display_name option in the - rhc role to set display names

-

- You can now configure or update the display name of the system registered to Red Hat Insights by - using the new rhc_insights.display_name parameter. The parameter - allows you to name the system based on your preference to easily manage systems in the Insights - Inventory. If your system is already connected with Red Hat Insights, use the parameter to - update the existing display name. If the display name is not set explicitly on registration, it - is set to the hostname by default. It is not possible to automatically revert the display name - to the hostname, but it can be set so manually. -

-
-

- Jira:RHEL-16965 -

-
-

The RHEL system roles now support LVM snapshot management

-

- With this enhancement, you can use the new snapshot RHEL system - roles to create, configure, and manage LVM snapshots. -

-
-

- Jira:RHEL-16553 -

-
-

The postgresql RHEL System Role now supports - PostgreSQL 16

-

- The postgresql RHEL System Role, which installs, configures, - manages, and starts the PostgreSQL server, now supports PostgreSQL 16. -

-
-

- For more information about this system role, see Installing - and configuring PostgreSQL by using the postgresql RHEL System Role. -

-

- Jira:RHEL-18963 -

-
-

New rhc_insights.ansible_host option in the - rhc role to set Ansible hostnames

-

- You can now configure or update the Ansible hostname for the systems registered to Red Hat - Insights by using the new rhc_insights.ansible_host parameter. When - set, the parameter changes the ansible_host configuration in the - /etc/insights-client/insights-client.conf file to your selected - Ansible hostname. If your system is already connected with Red Hat Insights, this parameter will - update the existing Ansible hostname. -

-
-

- Jira:RHEL-16975 -

-
-

ForwardToSyslog flag is now supported in the - journald system role

-

- In the journald RHEL System Role, the journald_forward_to_syslog variable controls whether the received - messages should be forwarded to the traditional syslog daemon or - not. The default value of this variable is false. With this - enhancement, you can now configure the ForwardToSyslog flag by - setting journald_forward_to_syslog to true in the inventory. As a result, when using remote logging systems - such as Splunk, the logs are available in the /var/log files. -

-
-

- Jira:RHEL-21123 -

-
-

ratelimit_burst variable is only used if ratelimit_interval is set in logging - system role

-

- Previously, in the logging RHEL System Role, when the ratelimit_interval variable was not set, the role would use the ratelimit_burst variable to set the rsyslog ratelimit.burst setting. But it had no effect because it is also - required to set ratelimit_interval. -

-
-

- With this enhancement, if ratelimit_interval is not set, the role does - not set ratelimit.burst. If you want to set ratelimit.burst, you must set both ratelimit_interval and ratelimit_burst - variables. -

-

- Jira:RHEL-19047 -

-
-

Use the logging_max_message_size parameter - instead of rsyslog_max_message_size in the logging system role

-

- Previously, even though the rsyslog_max_message_size parameter was - not supported, the logging RHEL System Role was using rsyslog_max_message_size instead of using the logging_max_message_size parameter. This enhancement ensures that - logging_max_message_size is used and not rsyslog_max_message_size to set the maximum size for the log - messages. -

-
-

- Jira:RHEL-15038 -

-
-

The ad_integration RHEL System Role now - supports custom SSSD settings

-

- Previously, when using the ad_integration RHEL System Role, it was - not possible to add custom settings to the [sssd] section in the - sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings. -

-
-

- Jira:RHEL-21134 -

-
-

The ad_integration RHEL System Role now - supports custom SSSD domain configuration settings

-

- Previously, when using the ad_integration RHEL System Role, it was - not possible to add custom settings to the domain configuration section in the sssd.conf file using the role. With this enhancement, the ad_integration role can now modify the sssd.conf file and, as a result, you can use custom SSSD settings. -

-
-

- Jira:RHEL-17667 -

-
-

New logging_preserve_fqdn variable for the - logging RHEL System Role

-

- Previously, it was not possible to configure a fully qualified domain name (FQDN) using the - logging system role. This update adds the optional logging_preserve_fqdn variable, which you can use to set the preserveFQDN configuration option in rsyslog to use the full FQDN instead of a short name in syslog - entries. -

-
-

- Jira:RHEL-15933 -

-
-

Support for creation of volumes without creating a file system

-

- With this enhancement, you can now create a new volume without creating a file system by - specifying the fs_type=unformatted option. -

-
-

- Similarly, existing file systems can be removed using the same approach by ensuring that the safe - mode is disabled. -

-

- Jira:RHEL-16213 -

-
-

The rhc system role now supports RHEL 7 - systems

-

- You can now manage RHEL 7 systems by using the rhc system role. - Register the RHEL 7 system to Red Hat Subscription Management (RHSM) and Insights and start - managing your system using the rhc system role. -

-
-

- Using the rhc_insights.remediation parameter has no impact on RHEL 7 - systems as the Insights Remediation feature is currently not available on RHEL 7. -

-

- Jira:RHEL-16977 -

-
-

New mssql_ha_prep_for_pacemaker - variable

-

- Previously, the microsoft.sql.server RHEL System Role did not have - a variable to control whether to configure SQL Server for Pacemaker. This update adds the mssql_ha_prep_for_pacemaker. Set the variable to false if you do not want to configure your system for Pacemaker and - you want to use another HA solution. -

-
-

- Jira:RHEL-19204 -

-
-

The sshd role now configures certificate-based - SSH authentications

-

- With the sshd RHEL System Role, you can now configure and manage - multiple SSH servers to authenticate by using SSH certificates. This makes SSH authentications - more secure because certificates are signed by a trusted CA and provide fine-grained access - control, expiration dates, and centralized management. -

-
-

- Jira:RHEL-5985 -

-
-

selinux role now supports configuring SELinux - in disabled mode

-

- With this update, the selinux RHEL System Role supports configuring - SELinux ports, file contexts, and boolean mappings on nodes that have SELinux set to disabled. - This is useful for configuration scenarios before you enable SELinux to permissive or enforcing - mode on a system. -

-
-

- Jira:RHEL-15871 -

-
-

selinux role now prints a message when - specifying a non-existent module

-

- With this release, the selinux RHEL System Role prints an error - message when you specify a non-existent module in the selinux_modules.path variable. -

-
-

- Jira:RHEL-19044 -

-
-
-
-
-
-

4.14. Virtualization

-
-
-
-
-

RHEL now supports Multi-FD migration of virtual machines

-

- With this update, multiple file descriptors (multi-FD) migration of virtual machines is now - supported. Multi-FD migration uses multiple parallel connections to migrate a virtual machine, - which can speed up the process by utilizing all the available network bandwidth. -

-
-

- It is recommended to use this feature on high-speed networks (20 Gbps and higher). -

-

- Jira:RHELDOCS-16970[1] -

-
-

Secure Execution VMs on IBM Z now support cryptographic - coprocessors

-

- With this update, you can now assign cryptographic coprocessors as mediated devices to a virtual - machine (VM) with IBM Secure Execution on IBM Z. -

-
-

- By assigning a cryptographic coprocessor as a mediated device to a Secure Execution VM, you can now - use hardware encryption without compromising the security of the VM. -

-

- Jira:RHEL-11597[1] -

-
-

You can now replace SPICE with VNC in the web console

-

- With this update, you can use the web console to replace the SPICE remote display protocol with - the VNC protocol in an existing virtual machine (VM). -

-
-

- Because the support for the SPICE protocol is deprecated in RHEL 8 and will be removed in RHEL 9, - VMs that use the SPICE protocol fail to migrate to RHEL 9. However, RHEL 8 VMs use SPICE by default, - so you must switch from SPICE to VNC for a successful migration. -

-

- Jira:RHELDOCS-18289[1] -

-
-

New virtualization features in the RHEL web console

-

- With this update, the RHEL web console includes new features in the Virtual Machines page. You - can now: -

-
-
-
    -
  • - Add an SSH public key during virtual machine (VM) creation. This public key will be stored - in the ~/.ssh/authorized_keys file of the designated non-root - user on the newly created VM, which provides you with an immediate SSH access to the - specified user account. -
  • -
  • - Select a pre-formatted block device type when creating a new - storage pool. This is a more robust alternative to a physical disk device type, as it prevents unintentional - reformatting of a raw disk device. -
  • -
-
-

- This update also changes some default behavior in the Virtual Machines page: -

-
-
    -
  • - In the Add disk dialog, the Always attach option is now set by default. -
  • -
-
-

- Jira:RHELDOCS-18323[1] -

-
-
-
-
-
-

4.15. RHEL in cloud environments

-
-
-
-
-

New cloud-init clean option for deleting generated configuration - files

-

- The cloud-init clean --configs option has been added for the cloud-init utility. You can use this option to delete unnecessary - configuration files generated by cloud-init on your instance. For - example, to delete cloud-init configuration files that define - network setup, use the following command: -

-
-
cloud-init clean --configs network
-

- Jira:RHEL-7312[1] -

-
-

RHEL instances on EC2 now support IPv6 IMDS connections

-

- With this update, RHEL 8 and 9 instances on Amazon Elastic Cloud Compute (EC2) can use the IPv6 - protocol to connect to Instance Metadata Service (IMDS). As a result, you can configure RHEL - instances with cloud-init on EC2 with a dual-stack IPv4 and IPv6 - connection. In addition, you can launch EC2 instances of RHEL with cloud-init in IPv6-only subnet. -

-
-

- Jira:RHEL-7278 -

-
-
-
-
-
-

4.16. Containers

-
-
-
-
-

The Container Tools packages have been updated

-

- The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc - tools, are now available. Notable bug fixes and enhancements over the previous version include: -

-
-

- Notable changes in Podman v4.9: -

-
-
    -
  • - You can now use Podman to load the modules on-demand by using the podman --module <your_module_name> command and to override - the system and user configuration files. -
  • -
  • - A new podman farm command with a set of the create, set, remove, and update subcommands has - been added. With these commands, you can farm out builds to machines running podman for - different architectures. -
  • -
  • - A new podman-compose command has been added, which runs Compose - workloads by using an external compose provider such as Docker compose. -
  • -
  • - The podman build command now supports the --layer-label and --cw options. -
  • -
  • - The podman generate systemd command is deprecated. Use Quadlet - to run containers and pods under systemd. -
  • -
  • - The podman build command now supports Containerfiles with the HereDoc syntax. -
  • -
  • - The podman machine init and podman machine set commands now support a new --usb option. Use this option to allow USB passthrough for the - QEMU provider. -
  • -
  • - The podman kube play command now supports a new --publish-all option. Use this option to expose all - containerPorts on the host. -
  • -
-
-

- For more information about notable changes, see upstream release - notes. -

-

- Jira:RHELPLAN-167794[1] -

-
-

Podman now supports containers.conf - modules

-

- You can use Podman modules to load a predetermined set of configurations. Podman modules are - containers.conf files in the Tom’s Obvious Minimal Language (TOML) - format. -

-
-

- These modules are located in the following directories, or their subdirectories: -

-
-
    -
  • - For rootless users: $HOME/.config/containers/containers.conf.modules -
  • -
  • - For root users: /etc/containers/containers.conf.modules, or - /usr/share/containers/containers.conf.modules -
  • -
-
-

- You can load the modules on-demand with the podman --module <your_module_name> command to override the system - and user configuration files. Working with modules involve the following facts: -

-
-
    -
  • - You can specify modules multiple times by using the --module - option. -
  • -
  • - If <your_module_name> is the absolute path, the - configuration file will be loaded directly. -
  • -
  • - The relative paths are resolved relative to the three module directories mentioned - previously. -
  • -
  • - Modules in $HOME override those in the /etc/ and /usr/share/ directories. -
  • -
-
-

- For more information, see the upstream - documentation. -

-

- Jira:RHELPLAN-167830[1] -

-
-

The Podman v4.9 RESTful API now displays data of progress

-

- With this enhancement, the Podman v4.9 RESTful API now displays data of progress when you pull - or push an image to the registry. -

-
-

- Jira:RHELPLAN-167822[1] -

-
-

SQLite is now fully supported as a default database backend for - Podman

-

- With Podman v4.9, the SQLite database backend for Podman, previously available as Technology - Preview, is now fully supported. The SQLite database provides better stability, performance, and - consistency when working with container metadata. The SQLite database backend is the default - backend for new installations of RHEL 8.10. If you upgrade from a previous RHEL version, the - default backend is BoltDB. -

-
-

- If you have explicitly configured the database backend by using the database_backend option in the containers.conf file, then Podman will continue to use the specified - backend. -

-

- Jira:RHELPLAN-168179[1] -

-
-

Administrators can set up isolation for firewall rules by using nftables

-

- You can use Netavark, a Podman container networking stack, on systems without iptables installed. Previously, when using the container networking - interface (CNI) networking, the predecessor to Netavark, there was no way to set up container - networking on systems without iptables installed. With this - enhancement, the Netavark network stack works on systems with only nftables installed and improves isolation of automatically generated - firewall rules. -

-
-

- Jira:RHELDOCS-16955[1] -

-
-

Containerfile now supports multi-line - instructions

-

- You can use the multi-line HereDoc instructions (Here Document notation) in the Containerfile file to simplify this file and reduce the number of - image layers caused by performing multiple RUN directives. -

-
-

- For example, the original Containerfile can contain the following RUN directives: -

-
RUN dnf update
-RUN dnf -y install golang
-RUN dnf -y install java
-

- Instead of multiple RUN directives, you can use the HereDoc notation: -

-
RUN <<EOF
-dnf update
-dnf -y install golang
-dnf -y install java
-EOF
-

- Jira:RHELPLAN-168184[1] -

-
-

Toolbx is now available

-

- With Toolbx, you can install the development and debugging tools, editors, and Software - Development Kits (SDKs) into the Toolbx fully mutable container without affecting the base - operating system. The Toolbx container is based on the registry.access.redhat.com/ubi8.10/toolbox:latest image. -

-
-

- Jira:RHELDOCS-16241[1] -

-
-
-
-
-
-
-

Chapter 5. Available BPF Features

-
-
-
-

- This chapter provides the complete list of Berkeley Packet Filter (BPF) features available in the kernel - of this minor version of Red Hat Enterprise Linux 8. The tables include the lists of: -

- -

- This chapter contains automatically generated output of the bpftool feature - command. -

-
-

Table 5.1. System configuration and other options

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionValue
-

- unprivileged_bpf_disabled -

-
-

- 1 (bpf() syscall restricted to privileged users, without recovery) -

-
-

- JIT compiler -

-
-

- 1 (enabled) -

-
-

- JIT compiler hardening -

-
-

- 1 (enabled for unprivileged users) -

-
-

- JIT compiler kallsyms exports -

-
-

- 1 (enabled for root) -

-
-

- Memory limit for JIT for unprivileged users -

-
-

- 528482304 -

-
-

- CONFIG_BPF -

-
-

- y -

-
-

- CONFIG_BPF_SYSCALL -

-
-

- y -

-
-

- CONFIG_HAVE_EBPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT_ALWAYS_ON -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF_MODULES -

-
-

- n -

-
-

- CONFIG_CGROUPS -

-
-

- y -

-
-

- CONFIG_CGROUP_BPF -

-
-

- y -

-
-

- CONFIG_CGROUP_NET_CLASSID -

-
-

- y -

-
-

- CONFIG_SOCK_CGROUP_DATA -

-
-

- y -

-
-

- CONFIG_BPF_EVENTS -

-
-

- y -

-
-

- CONFIG_KPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_UPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_TRACING -

-
-

- y -

-
-

- CONFIG_FTRACE_SYSCALLS -

-
-

- y -

-
-

- CONFIG_FUNCTION_ERROR_INJECTION -

-
-

- y -

-
-

- CONFIG_BPF_KPROBE_OVERRIDE -

-
-

- y -

-
-

- CONFIG_NET -

-
-

- y -

-
-

- CONFIG_XDP_SOCKETS -

-
-

- y -

-
-

- CONFIG_LWTUNNEL_BPF -

-
-

- y -

-
-

- CONFIG_NET_ACT_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_ACT -

-
-

- y -

-
-

- CONFIG_NET_SCH_INGRESS -

-
-

- m -

-
-

- CONFIG_XFRM -

-
-

- y -

-
-

- CONFIG_IP_ROUTE_CLASSID -

-
-

- y -

-
-

- CONFIG_IPV6_SEG6_BPF -

-
-

- n -

-
-

- CONFIG_BPF_LIRC_MODE2 -

-
-

- n -

-
-

- CONFIG_BPF_STREAM_PARSER -

-
-

- y -

-
-

- CONFIG_NETFILTER_XT_MATCH_BPF -

-
-

- m -

-
-

- CONFIG_BPFILTER -

-
-

- n -

-
-

- CONFIG_BPFILTER_UMH -

-
-

- n -

-
-

- CONFIG_TEST_BPF -

-
-

- m -

-
-

- CONFIG_HZ -

-
-

- 1000 -

-
-

- bpf() syscall -

-
-

- available -

-
-

- Large program size limit -

-
-

- available -

-
-
-
-
-

Table 5.2. Available program types and supported helpers

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Program typeAvailable helpers
-

- socket_filter -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- kprobe -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_override_return, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- sched_cls -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sched_act -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- xdp -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, bpf_redirect, - bpf_perf_event_output, bpf_csum_diff, bpf_get_current_task, - bpf_get_numa_node_id, bpf_xdp_adjust_head, bpf_redirect_map, - bpf_xdp_adjust_meta, bpf_xdp_adjust_tail, bpf_fib_lookup, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_tcp_gen_syncookie, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- perf_event -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_get_task_stack, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, - bpf_snprintf -

-
-

- cgroup_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_skb_cgroup_id, bpf_get_local_storage, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, - bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_sk_cgroup_id, - bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sock -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_current_cgroup_id, - bpf_get_local_storage, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_in -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_lwt_push_encap, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_out -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_xmit -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, - bpf_csum_diff, bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, bpf_set_hash_invalid, - bpf_get_numa_node_id, bpf_skb_change_head, bpf_lwt_push_encap, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sock_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_setsockopt, bpf_sock_map_update, bpf_getsockopt, - bpf_sock_ops_cb_flags_set, bpf_sock_hash_update, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_skc_to_tcp6_sock, - bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, - bpf_skc_to_udp6_sock, bpf_load_hdr_opt, bpf_store_hdr_opt, bpf_reserve_hdr_opt, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sk_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_tail_call, bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_adjust_room, bpf_sk_redirect_map, bpf_sk_redirect_hash, - bpf_sk_lookup_tcp, bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, - bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, - bpf_skc_lookup_tcp, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_device -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sk_msg -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_cgroup_classid, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_msg_redirect_hash, bpf_get_current_cgroup_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_msg_push_data, - bpf_msg_pop_data, bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- raw_tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sock_addr -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_setsockopt, bpf_getsockopt, - bpf_bind, bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_seg6local -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lirc_mode2 -

-
-

- not supported -

-
-

- sk_reuseport -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_skb_load_bytes_relative, bpf_sk_select_reuseport, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- flow_dissector -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sysctl -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_sysctl_get_name, bpf_sysctl_get_current_value, - bpf_sysctl_get_new_value, bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- raw_tracepoint_writable -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sockopt -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- tracing -

-
-

- not supported -

-
-

- struct_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, - bpf_skb_store_bytes, bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, - bpf_clone_redirect, bpf_get_current_pid_tgid, bpf_get_current_uid_gid, - bpf_get_current_comm, bpf_get_cgroup_classid, bpf_skb_vlan_push, - bpf_skb_vlan_pop, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_perf_event_read, bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_get_stackid, bpf_csum_diff, bpf_skb_get_tunnel_opt, - bpf_skb_set_tunnel_opt, bpf_skb_change_proto, bpf_skb_change_type, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_current_task_under_cgroup, bpf_skb_change_tail, bpf_skb_pull_data, - bpf_csum_update, bpf_set_hash_invalid, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_xdp_adjust_head, bpf_probe_read_str, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_setsockopt, - bpf_skb_adjust_room, bpf_redirect_map, bpf_sk_redirect_map, bpf_sock_map_update, - bpf_xdp_adjust_meta, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_getsockopt, bpf_override_return, bpf_sock_ops_cb_flags_set, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_bind, bpf_xdp_adjust_tail, bpf_skb_get_xfrm_state, - bpf_get_stack, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_sock_hash_update, bpf_msg_redirect_hash, bpf_sk_redirect_hash, - bpf_lwt_push_encap, bpf_lwt_seg6_store_bytes, bpf_lwt_seg6_adjust_srh, - bpf_lwt_seg6_action, bpf_rc_repeat, bpf_rc_keydown, bpf_skb_cgroup_id, - bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_select_reuseport, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_msg_push_data, bpf_msg_pop_data, bpf_rc_pointer_rel, bpf_spin_lock, - bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, 
bpf_skb_ecn_set_ce, - bpf_get_listener_sock, bpf_skc_lookup_tcp, bpf_tcp_check_syncookie, - bpf_sysctl_get_name, bpf_sysctl_get_current_value, bpf_sysctl_get_new_value, - bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_send_signal, bpf_tcp_gen_syncookie, bpf_skb_output, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_tcp_send_ack, bpf_send_signal_thread, - bpf_jiffies64, bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_xdp_output, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_seq_printf, bpf_seq_write, - bpf_sk_cgroup_id, bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_csum_level, bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, - bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, - bpf_get_task_stack, bpf_load_hdr_opt, bpf_store_hdr_opt, bpf_reserve_hdr_opt, - bpf_inode_storage_get, bpf_inode_storage_delete, bpf_d_path, bpf_copy_from_user, - bpf_snprintf_btf, bpf_seq_printf_btf, bpf_skb_cgroup_classid, - bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_redirect_peer, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_bprm_opts_set, bpf_ktime_get_coarse_ns, bpf_ima_inode_hash, - bpf_sock_from_file, bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, - bpf_sys_bpf, bpf_btf_find_by_name_kind, bpf_sys_close -

-
-

- ext -

-
-

- not supported -

-
-

- lsm -

-
-

- not supported -

-
-

- sk_lookup -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-
-
-
-

Table 5.3. Available map types

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Map typeAvailable
-

- hash -

-
-

- yes -

-
-

- array -

-
-

- yes -

-
-

- prog_array -

-
-

- yes -

-
-

- perf_event_array -

-
-

- yes -

-
-

- percpu_hash -

-
-

- yes -

-
-

- percpu_array -

-
-

- yes -

-
-

- stack_trace -

-
-

- yes -

-
-

- cgroup_array -

-
-

- yes -

-
-

- lru_hash -

-
-

- yes -

-
-

- lru_percpu_hash -

-
-

- yes -

-
-

- lpm_trie -

-
-

- yes -

-
-

- array_of_maps -

-
-

- yes -

-
-

- hash_of_maps -

-
-

- yes -

-
-

- devmap -

-
-

- yes -

-
-

- sockmap -

-
-

- yes -

-
-

- cpumap -

-
-

- yes -

-
-

- xskmap -

-
-

- yes -

-
-

- sockhash -

-
-

- yes -

-
-

- cgroup_storage -

-
-

- yes -

-
-

- reuseport_sockarray -

-
-

- yes -

-
-

- percpu_cgroup_storage -

-
-

- yes -

-
-

- queue -

-
-

- yes -

-
-

- stack -

-
-

- yes -

-
-

- sk_storage -

-
-

- yes -

-
-

- devmap_hash -

-
-

- yes -

-
-

- struct_ops -

-
-

- no -

-
-

- ringbuf -

-
-

- yes -

-
-

- inode_storage -

-
-

- yes -

-
-

- task_storage -

-
-

- no -

-
-
-
-
-
-
-
-
-

Chapter 6. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.10 that have a significant impact on users. -

-
-
-
-
-

6.1. Installer and image creation

-
-
-
-
-

Installer now accepts additional time zone definitions in Kickstart - files

-

- Anaconda switched to a different, more restrictive method of validating time zone selections. - This caused some time zone definitions, such as Japan, to be no longer valid despite being - accepted in previous versions. Legacy Kickstart files with these definitions had to be updated. - Otherwise, they would default to the Americas/New_York time zone. -

-
-

- The list of valid time zones was previously taken from pytz.common_timezones in the pytz Python - library. This update changes the validation settings for the timezone - Kickstart command to use pytz.all_timezones, which is a superset of the - common_timezones list, and allows significantly more time zones to be - specified. This change ensures that old Kickstart files made for Red Hat Enterprise Linux 6 still - specify valid time zones. -

-

- Note: This change only applies to the timezone Kickstart command. The - time zone selection in the graphical and text-based interactive interfaces remains unchanged. - Existing Kickstart files for Red Hat Enterprise Linux 8 that had valid time zone selections do not - require any updates. -

-

- Jira:RHEL-13151[1] -

-
-
-
-
-
-

6.2. Security

-
-
-
-
-

Rules for managing virtual routing with ip vrf - are added to the SELinux policy

-

- You can use the ip vrf command to manage virtual routing of other - network services. Previously, selinux-policy did not contain rules - to support this usage. With this update, SELinux policy rules allow explicit transitions from - the ip domain to the httpd, sshd, and named domains. These - transitions apply when the ip command uses the setexeccon library call. -

-
-

- Jira:RHEL-9981[1] -

-
-

SELinux policy allows staff_r confined users - to run sudo crontab

-

- Previously, the SELinux policy did not contain rules to allow confined users to run the sudo crontab command. As a consequence, confined users in the staff_r role could not use sudo crontab - to edit other users' crontab schedules. This update adds a rule to - the policy, and as a result, staff_r users can use sudo crontab to edit other users' crontab schedules. -

-
-

- Jira:RHEL-1388 -

-
-

SELinux policy contains rules for additional services and - applications

-

- This version of the selinux-policy package contains additional - rules. Most notably, users in the sysadm_r role can execute the - following commands: -

-
-
-
    -
  • - sudo traceroute -
  • -
  • - sudo tcpdump -
  • -
  • - sudo dnf -
  • -
-
-

- Jira:RHEL-15398, Jira:RHEL-1679, Jira:RHEL-9947 -

-
-

SELinux policy denies SSH login for unconfined users when unconfined_login is set to off

-

- Previously, the SELinux policy was missing a rule to deny unconfined users to log in via SSH - when the unconfined_login boolean was set to off. As a consequence, with unconfined_login set to off, users still - could log in with SSHD as an unconfined domain. This update adds a rule to the SELinux policy, - and as a result, users cannot log in via sshd as unconfined when - unconfined_login is off. -

-
-

- Jira:RHEL-1628 -

-
-

SELinux policy allows rsyslogd to execute - confined commands

-

- Previously, the SELinux policy was missing a rule to allow the rsyslogd daemon to execute SELinux-confined commands, such as systemctl. As a consequence, commands executed as an argument of the - omprog directive failed. This update adds rules to the SELinux - policy so that executables in the /usr/libexec/rsyslog directory - that are run as an argument of omprog are in the syslogd_unconfined_script_t unconfined domain. As a result, commands - executed as an argument of omprog finish successfully. -

-
-

- Jira:RHEL-10087 -

-
-

Large SSHD configuration files no longer prevent login

-

- Previously, when the SSHD configuration file was larger than 256 KB, an error occurred when - logging into the system. As a consequence, remote systems were unreachable. This update removes - the file size limitation, and therefore users can log in to the system when the SSHD - configuration file is larger than 256 KB. -

-
-

- Jira:RHEL-5279 -

-
-
-
-
-
-

6.3. Software management

-
-
-
-
-

The yum needs-restarting --reboothint command - now recommends a reboot to update the CPU microcode

-

- To fully update the CPU microcode, you must reboot a system. Previously, when you installed the - microcode_ctl package, which contains the updated CPU microcode, - the yum needs-restarting --reboothint command did not recommend the - reboot. With this update, the issue has been fixed, and yum needs-restarting --reboothint now recommends a reboot to update - the CPU microcode. -

-
-

- Jira:RHEL-17356 -

-
-

systemd now correctly manages the /run/user/0 directory created by librepo

-

- Previously, if the librepo functions were called from an Insights - client before logging in root, the /run/user/0 directory could be - created with a wrong SELinux context type. This prevented systemd - from cleaning the directory after you logged out from root. -

-
-

- With this update, the librepo package now sets a default creation type - according to default file system labeling rules defined in a SELinux policy. As a result, systemd now correctly manages the /run/user/0 directory created by librepo. -

-

- Jira:RHEL-10720 -

-
-

systemd now correctly manages the /run/user/0 directory created by libdnf

-

- Previously, if the libdnf functions were called from an Insights - client before logging in root, the /run/user/0 directory could be - created with a wrong SELinux context type. This prevented systemd - from cleaning the directory after you logged out from root. -

-
-

- With this update, the libdnf package now sets a default creation type - according to default file system labeling rules defined in a SELinux policy. As a result, systemd now correctly manages the /run/user/0 directory created by libdnf. -

-

- Jira:RHEL-6421 -

-
-
-
-
-
-

6.4. Shells and command-line tools

-
-
-
-
-

ReaR now determines the presence of a BIOS bootloader when both BIOS and - UEFI bootloaders are installed

-

- Previously, in a hybrid bootloader setup (UEFI and BIOS), when UEFI was used to boot, - Relax-and-Recover (ReaR) restored only the UEFI bootloader and not the BIOS bootloader. This - would result in a system that had a GUID Partition Table (GPT), a - BIOS Boot Partition, but not a BIOS bootloader. In this situation, ReaR failed to create the - rescue image, the attempt to produce a backup or a rescue image by using the rear mkbackup or rear mkrescue command - would fail with the following error message: -

-
-
ERROR: Cannot autodetect what is used as bootloader, see default.conf about 'BOOTLOADER'.
-

- With this update, ReaR determines the presence of both UEFI and BIOS bootloaders, restores them, and - does not fail when it does not encounter the BIOS bootloader on the system with the BIOS Boot - Partition in GPT. As a result, systems with the hybrid UEFI and BIOS - bootloader setup can be backed up and recovered multiple times. -

-

- Jira:RHEL-24729[1] -

-
-

ReaR no longer uses the logbsize, sunit and swidth mount options - during recovery

-

- Previously, when restoring an XFS file system with the parameters - different from the original ones by using the MKFS_XFS_OPTIONS - configuration setting, Relax-and-Recover (ReaR) mounted this file system with mount options - applicable for the original file system, but not for the restored file system. As a consequence, - the disk layout recreation would fail with the following error message when ReaR ran the mount command : -

-
-
wrong fs type, bad option, bad superblock on and missing codepage or helper program, or other error.
-

- The kernel log displayed either of the following messages: -

-
 logbuf size must be greater than or equal to log stripe size
-
alignment check failed: sunit/swidth vs. agsize
-

- With this update, ReaR avoids using the logbsize, sunit and swidth mount options when mounting - recreated XFS file systems. As a result, when you use the MKFS_XFS_OPTIONS configuration setting, the disk layout recreation - succeeds. -

-

- Jira:RHEL-17354[1] -

-
-

ReaR recovery no longer fails on systems with a small thin pool metadata - size

-

- Previously, ReaR did not save the size of the pool metadata volume when saving a layout of an - LVM volume group with a thin pool. During recovery, ReaR recreated the pool with the default - size even if the system used a non-default pool metadata size. -

-
-

- As a consequence, when the original pool metadata size was smaller than the default size and no free - space was available in the volume group, the layout recreation during system recovery failed with a - message in the log similar to these examples: -

-
Insufficient free space: 230210 extents needed, but only 230026 available
-

- or -

-
Volume group "vg" has insufficient free space (16219 extents): 16226 required.
-

- With this update, the recovered system has a metadata volume with the same size as the original - system. As a result, the recovery of a system with a small thin pool metadata size and no extra free - space in the volume group finishes successfully. -

-

- Jira:RHEL-17353[1] -

-
-

The pkla-compact binary is executed when the - polkit is called on the logind-session-monitor event -

-

- Previously, re-verification of the authorizations for polkit actions was triggered by any logind-session-monitor event for all users. Each CheckAuthorization request executes the polkit-pkla-compat binary to check for legacy .pkla configuration files even if no such files are present on the - system, which causes CPU usage to increase by the polkit daemon. -

-
-

- Currently, only the logind-session changes that are relevant for the - polkit actions are observed. If the session’s state changes, the polkit objects assosiated with the - session trigger re-verification (CheckAuthorization). You must restart - (log out to login screen and re-login or reboot) the gnome-shell for a successful update. -

-

- The polkit-pkla-compat binary is now a soft dependency. As a result, - you can reduce the CPU intensity by uninstalling the polkit-pkla-compat - binary only if there are no .pkla files present in /etc/polkit-1/localauthority, /etc/polkit-1/localauthority.conf.d, /var/lib/polkit-1/localauthority and their respective sub directories. -

-

- Jira:RHEL-34022[1] -

-
-
-
-
-
-

6.5. Kernel

-
-
-
-
-

crash rebased to version 8.0.4

-

- The crash utility has been upgraded to version 8.0.4, which - provides multiple bug fixes. Notable fixes include: -

-
-
-
    -
  • - Fixed a segmentation fault when non-panicking CPUs failed to stop during a kernel panic. -
  • -
  • - Fixed a critical error incorrectly preventing the kernel from panicking when the panic_on_oops kernel parameter was disabled. -
  • -
  • - Fixed the crash utility resolving hashed freelist pointers for - the kernel compiled with the CONFIG_SLAB_FREELIST_HARDENED=y - configuration option. -
  • -
  • -

    - A change in the kernel module memory layout terminology replaced module_layout with module_memory - to better indicate memory-related aspects of the crash - utility. Prior to this change, the crash utility could not - start a session and returned an error message like this: -

    -
     crash: invalid structure member offset: module_core_size
    -             FILE: kernel.c LINE: 3787 FUNCTION: module_init()
    -
  • -
-
-

- Jira:RHEL-9010 -

-
-

tuna launches GUI when needed

-

- Previously, if you ran the tuna utility without any subcommand, it - would launch the GUI. This behavior was desirable if you had a display. In the opposite case, - tuna on a machine without a display would not exit gracefully. With - this update, tuna detects whether you have a display, and the GUI - is launched or not launched accordingly. -

-
-

- Jira:RHEL-19179[1] -

-
-
-
-
-
-

6.6. File systems and storage

-
-
-
-
-

Multipathd now checks if a device is incorrectly queuing I/O

-

- Previously, a multipath device restarted queuing I/O, even though it was configured to fail, - under the following conditions: -

-
-
-
    -
  • - The multipath device was configured with the queue_if_no_paths - parameter set to a number of retries. -
  • -
  • - A path device was removed from the multipath device that had no working paths and was no - longer queuing I/O. -
  • -
-
-

- With this update, the issue has been fixed. As a result, multipath devices no longer restarts - queuing I/O if the queuing is disabled and a path is removed while there are no usable paths. -

-

- Jira:RHEL-16563[1] -

-
-

The no_read_workqueue, no_write_workqueue, and try_verify_in_taskle options of the dm-crypt and dm-verity devices are - temporarily disabled

-

- Previously, the dm-crypt devices created by using either the no_read_workqueue or no_write_workqueue - option and dm-verity devices created by using the try_verify_in_tasklet option caused memory corruption. Consequently, - random kernel memory was corrupted, which caused various system problems. With this update, - these options are temporarily disabled. Note that this fix can cause dm-verity and dm-crypt to perform slower - on some workloads. -

-
-

- Jira:RHEL-22232[1] -

-
-
-
-
-
-

6.7. High availability and clusters

-
-
-
-
-

Issues with moving and banning clone and bundle resources now - corrected

-

- This bug fix addresses two limitations of moving bundled and clone resources: -

-
-
-
    -
  • - When a user tried to move a bundled resource out of its bundle or ban it from running in its - bundle, pcs created a constraint but the constraint had no - effect. This caused the move to fail with an error message. With this fix, pcs disallows moving and banning bundled resources from their - bundles and prints an error message noting that bundled resources cannot be moved out of - their bundles. -
  • -
  • - When a user tried to move a bundle or clone resource, pcs - exited with an error message noting that bundle or clone resources cannot be moved. This fix - relaxes validation of move commands. It is now possible to move clone and bundle resources. - When moving clone resources, you must specify a destination node if more than one instance - of a clone is running. Only one-replica bundles can be moved. -
  • -
-
-

- Jira:RHEL-7584 -

-
-

Output of pcs status command no longer shows - warning for expired constraints

-

- Previously, when moving a cluster resource created a temporary location constraint, the pcs status command displayed a warning even after the constraint - expired. With this fix, the pcs status command filters out expired - constraints and they no longer generate a warning message in the command output. -

-
-

- Jira:RHEL-7668 -

-
-

Disabling the auto_tie_breaker quorum option - no longer allowed when SBD fencing requires it

-

- Previously, pcs allowed a user to disable the auto_tie_breaker quorum option even when a cluster configuration - required this option for SBD fencing to work correctly. With this fix, pcs generates an error message when a user attempts to disable auto_tie_breaker on a system where SBD fencing requires that the - auto_tie_breaker option be enabled. -

-
-

- Jira:RHEL-7731 -

-
-

Configuring the tls and keep_active_partition_tie_breaker quorum device options without - specifying --force

-

- Previously, when configuring a quorum device, a user could not configure the tls and keep_active_partition_tie_breaker options for a quorum device model - net without specifying the --force - option. With this update, configuring these options no longer requires you to specify --force. -

-
-

- Jira:RHEL-7745 -

-
-
-
-
-
-

6.8. Compilers and development tools

-
-
-
-
-

ldconfig no longer crashes after an - interrupted system upgrade

-

- Previously, the ldconfig utility terminated unexpectedly with a - segmentation fault when processing incomplete shared objects left in the /usr/lib64 directory after an interrupted system upgrade. With this - update, ldconfig ignores temporary files written during system - upgrades. As a result, ldconfig no longer crashes after an - interrupted system upgrade. -

-
-

- Jira:RHEL-13720 -

-
-

Improved glibc compatibility with applications - using dlclose on shared objects involved in a dependency - cycle

-

- Previously, when unloading a shared object in a dependency cycle using the dlclose function in glibc, that object’s - ELF destructor might not have been called before all other objects were unloaded. As a - consequence of this late ELF destructor execution, applications experienced crashes and other - errors due to the initial shared object’s dependencies already being deinitialized. -

-
-

- With this update, glibc has been fixed to first call the ELF destructor - of the immediate object being unloaded before any other ELF destructors are executed. As a result, - compatibility with applications using dlclose on shared objects - involved in a dependency cycle is improved and crashes no longer occur. -

-

- Jira:RHEL-10481[1] -

-
-

Improved glibc wide-character write - performance

-

- Previously, the wide stdio stream implementation in glibc did not treat the default buffer size as large enough for - wide-character write operations and used a 16-byte fallback buffer instead, negatively impacting - performance. With this update, buffer management is fixed and the entire write buffer is used. - As a result, glibc wide-character write performance is improved. -

-
-

- Jira:RHEL-19824[1] -

-
-

glibc dynamic linker prevents reentrant malloc calls made by applications using TLS access from custom - malloc implementations

-

- Some applications provide a custom malloc dynamic memory allocation - implementation that uses global-dynamic thread-local storage (TLS) instead of initial-exec TLS. - Previously, applications with bundled malloc calls that use - global-dynamic TLS could experience reentrant calls into the application’s malloc subsystem. As a consequence, the application malloc call crashed due to stack exhaustion or unexpected state of - internal data structures. -

-
-

- With the release of the RHBA-2024:5834 advisory, the glibc dynamic linker detects TLS access from custom malloc implementations. If a TLS access during a malloc call is detected, further calls during TLS processing are skipped, - and reentrant malloc calls are prevented. -

-

- Jira:RHEL-39994 -

-
-
-
-
-
-

6.9. Identity Management

-
-
-
-
-

Automembership plug-in no longer cleans up groups by default

-

- Previously, the automember rebuild task first removed all the memberships values and then - rebuilt the memberships from scratch. As a result, the rebuild task was expensive, especially if - other be_txn plugins were enabled. -

-
-

- With this update, the Automembership plug-in has the following improvements: -

-
-
    -
  • - Only one rebuilt task is allowed at a time. -
  • -
  • -

    - The Automembership plug-in no longer cleans up previous members by default. Use the new - --cleanup CLI option to intentionally clean up memberships - before rebuilding from scratch: -

    -
    # dsconf slapd-instance_name plugins automember fixup -f objectclass=posixaccount -s sub --cleanup "ou=people,dc=example,dc=com"
    -
  • -
  • - Improved logging to display fixup progress. -
  • -
-
-

- Jira:RHEL-5390[1] -

-
-

Allocated memory now released when an operation is completed

-

- Previously, memory allocated by the KCM for each operation was not being released until the - connection was closed. As a result, for client applications that opened a connection and ran - many operations on the same connection, it led to a noticeable memory increase because the - allocated memory was not released until the connection closed. With this update, the memory - allocated for an operation is now released as soon as the operation is completed. -

-
-

- Jira:SSSD-7015 -

-
-

IdM clients correctly retrieve information for trusted AD users when their - names contain mixed case characters

-

- Previously, if you attempted a user lookup or authentication of a user, and that trusted Active - Directory (AD) user contained mixed case characters in their names and they were configured with - overrides in IdM, an error was returned preventing users from accessing IdM resources. -

-
-

- With this update, a case-sensitive comparison is replaced with a case-insensitive comparison that - ignores the case of a character. As a result, IdM clients can now lookup users of an AD trusted - domain, even if their usernames contain mixed case characters and they are configured with overrides - in IdM. -

-

- Jira:SSSD-6096 -

-
-

SSSD correctly returns an error if no grace logins remain while changing a - password

-

- Previously, if a user’s LDAP password had expired, SSSD tried to change the password even after - the initial bind of the user failed as there were no more grace logins left. However, the error - returned to the user did not indicate the reason for the failure. With this update, the request - to change the password is aborted if the bind fails and SSSD returns an error message indicating - there are no more grace logins and the password must be changed by another means. -

-
-

- Jira:SSSD-6184 -

-
-

Removing systems from a domain using the realm leave command

-

- Previously, if multiple names were set for the ad_server option in - the sssd.conf file, running the realm leave command resulted in parsing errors and the system was not - removed from the domain. With this update, the ad_server option is - properly evaluated and the correct domain controller name is used and the system is correctly - removed from the domain. -

-
-

- Jira:SSSD-6081 -

-
-

KCM logs to the correct sssd.kcm.log - file

-

- Previously, logrotate correctly rotated the Kerberos Credential - Manager (KCM) log files but KCM incorrectly wrote the logs to the old log file, sssd_kcm.log.1. If KCM was restarted, it used the correct log file. - With this update, after logrotate is invoked, log files are rotated - and KCM correctly logs to the sssd_kcm.log file. -

-
-

- Jira:SSSD-6652 -

-
-

The realm leave --remove command no longer - asks for credentials

-

- Previously, the realm utility did not correctly check if a valid - Kerberos ticket was available when running the realm leave - operation. As a result, users were asked to enter a password even though a valid Kerberos ticket - was available. With this update, realm now correctly verifies if - there is a valid Kerberos ticket and no longer requests the user to enter a password when - running the realm leave --remove command. -

-
-

- Jira:SSSD-6425 -

-
-

IdM Vault encryption and decryption no longer fails in FIPS mode -

-

- Previously, IdM Vault used OpenSSL RSA-PKCS1v15 as the default padding wrapping algorithm. - However, none of the FIPS certified modules in RHEL supported PKCS#1 v1.5 as a FIPS approved - algorithm, causing IdM Vault to fail in FIPS mode. With this update, IdM Vault supports the - RSA-OAEP padding wrapping algorithm as a fallback. As a result, IdM Vault encryption and - decryption now work correctly in FIPS mode. -

-
-

- Jira:RHEL-12153[1] -

-
-

Non-CA IdM replica installation no longer fails with server affinity - configured

-

- In some scenarios, installing an IdM replica without a certificate authority (CA) failed with - CA_REJECTED errors. The failure occurred due to the certmonger service attempting to retrieve certificates and resulted - in incomplete replication details when adding a new replica to a complex topology. -

-
-

- With this update, the IdM replica installation process happens against a specific IdM server that - provides the necessary services such as Kerberos authentication and IdM API and CA requests. This - ensures complete replication details when adding a new replica. -

-

- Jira:RHEL-4964 -

-
-

Kerberos Key Distribution Centers version 1.20 and later now process - tickets generated from KDCs running version 1.18.2 and earlier

-

- Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running - Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, - when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC - running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request - because it lacked support for the AD-SIGNTICKET attribute. -

-
-

- With this update, earlier versions of KDC now accept evidence tickets generated by KDCs running - Kerberos 1.20 and newer, as they no longer require AD-SIGNTICKET when a - Privileged Attribute Certificate (PAC) is present. -

-

- Jira:RHEL-10495 -

-
-

SELinux labeling for dirsrv files was moved to - DEBUG log level

-

- Previously, SELinux labeling for dirsrv files had the INFO log level. With this update, the DEBUG log level is used for the dirsrv - files the same way as it was in previous versions. -

-
-

- Jira:RHEL-5143 -

-
-

Directory Server no longer causes a segmentation fault when a backend is - configured without a related suffix

-

- Previously, if a backend was configured without a related suffix, Directory Server had a - segmentation fault during startup. With this update, Directory Server checks if the suffix is - associated with the backend before trying to access the suffix. As a result, the segmentation - fault no longer occurs. -

-
-

- Jira:RHEL-5107 -

-
-

Directory Server no longer fails after abandoning the paged result - search

-

- Previously, a race condition was a reason for heap corruption and Directory Server failure - during abandoning paged result search. With this update, the race condition was fixed, and - Directory Server failure no longer occurs. -

-
-

- Jira:RHEL-16338 -

-
-

Directory Server now starts correctly after an upgrade if you configured a - custom value for the connection table size

-

- Previously, if you set a custom value for the connection table size and the nsslapd-conntablesize attribute was present in the dse.ldif file, Directory Server did not start after an upgrade. With - this release, Directory Server starts correctly after the upgrade with nsslapd-conntablesize present in the dse.ldif file. -

-
-

- Jira:RHEL-14025 -

-
-

Directory Server no longer fails when Content Synchronization plug-in is - enabled dynamically

-

- Previously, if the Content Synchronization plug-in was enabled dynamically, the post-operation - plug-in callback caused a segmentation fault because the pre-operation сallback was not - registered. With this update, the post-operation plug-in callback verifies that the memory is - initialized and Directory Server no longer fails. -

-
-

- Jira:RHEL-5135 -

-
-
-
-
-
-

6.10. Red Hat Enterprise Linux system roles

-
-
-
-
-

Cluster start no longer times out when the SBD delay-start value is high

-

- Previously, when a user configured SBD fencing in a cluster by using the ha_cluster system role and set the delay-start option to a value close to or higher than 90 seconds, the - cluster start timed out. This is because the default systemd start - timeout is 90 seconds, which the system reached before the SBD start delay value. With this fix, - the ha_cluster system role overrides the sbd.service start timeout in systemd so - that it is higher than the value of delay-start. This allows the - system to start successfully even with high values of the delay-start option. -

-
-

- Jira:RHEL-4684[1] -

-
-

network role validates routing rules with - 0.0.0.0/0 or ::/0

-

- Previously, when the from: or to: - settings were set to the 0.0.0.0/0 or ::/0 addresses in the routing rule, the network RHEL system role failed to configure the routing rule and - rejected the settings as invalid. With this update, the network - role allows 0.0.0.0/0 and ::/0 for - from: and to: in routing rule - validation. As a result, the role successfully configures the routing rules without raising the - validation errors. -

-
-

- Jira:RHEL-16501 -

-
-

The ha_cluster system role now correctly - configures a firewall on a qnetd host

-

- Previously, when a user configured a qnetd host and set the ha_cluster_manage_firewall variable to true by using the ha_cluster system - role, the role did not enable high-availability services in the firewall. With this fix, the - ha_cluster system role now correctly configures a firewall on a - qnetd host. -

-
-

- Jira:RHEL-17874 -

-
-

keylime_server role correctly reports - registrar service status

-

- Previously, when the keylime_server role playbook provided - incorrect information, the role incorrectly reported the start as successful. With this update, - the role now correctly reports a failure when incorrect information is provided, and the timeout - when waiting for opened ports has been reduced from approximately 300 seconds to approximately - 30 seconds. -

-
-

- Jira:RHEL-21946 -

-
-

The postgresql RHEL system role now installs - the correct version of PostgreSQL

-

- Previously, if you tried to run the postgresql RHEL system role - with the postgresql_version: "15" variable defined on a RHEL - managed node, PostgreSQL version 13 was installed instead of version 15. This bug has been - fixed, and the postgresql role installs the version set in the - variable. -

-
-

- Jira:RHEL-21400 -

-
-

The podman RHEL system role now sets and - cancels linger properly for rootless containers

-

- Previously, the podman RHEL system role did not set and cancel - linger properly for rootless containers. Consequently, deploying secrets or containers for - rootless users produced errors in some cases, and failed to cancel linger when removing - resources in some cases. With this update, the podman RHEL system - role ensures that linger is enabled for rootless users before doing any secret or container - resource management, and ensures that linger is canceled for rootless users when there are no - more secrets or container resources to be managed. As a result, the role correctly manages - lingering for rootless users. -

-
-

- Jira:RHEL-22228 -

-
-

The podman RHEL system role now sets and - cancels linger properly for rootless containers

-

- Previously, the podman RHEL system role did not set and cancel - linger properly for rootless containers. Consequently, deploying secrets or containers for - rootless users produced errors in some cases, and failed to cancel linger when removing - resources in some cases. With this update, the podman RHEL system - role ensures that linger is enabled for rootless users before doing any secret or container - resource management, and ensures that linger is canceled for rootless users when there are no - more secrets or container resources to be managed. As a result, the role correctly manages - lingering for rootless users. -

-
-

- Jira:RHEL-22229 -

-
-

Running read-scale clusters and installing mssql-server-ha no longer requires certain variables

-

- Previously, if you used the mssql RHEL system role to configure a - read-scale cluster without certain variables (mssql_ha_virtual_ip, - mssql_ha_login, mssql_ha_login_password, and mssql_ha_cluster_run_role), the role failed with an error message - Variable not defined. However, these variables are not necessary to - run a read-scale cluster. The role also tried to install the mssql-server-ha, which is not required for a read-scale cluster. With - this fix, the requirement for these variables was removed. As a result, running a read-scale - cluster proceeds successfully without the error message. -

-
-

- Jira:RHEL-19202 -

-
-

The Kdump system role works correctly when the kexec_crash_size file is - busy

-

- The /sys/kernel/kexec_crash_size file provides the size of the - memory region allocated for crash kernel memory. -

-
-

- Previously, the Kdump system role failed when the /sys/kernel/kexec_crash_size file was busy. With this update, the system - role retries reading the file when it is available. As a result, the system role no longer fails - when the file is busy. -

-

- Jira:RHEL-3354 -

-
-

selinux role no longer uses the item loop variable

-

- Previously, the selinux RHEL system role used the  item loop variable. This might have resulted in the following warning - message when you called the selinux role from another role: -

-
-
[WARNING]: TASK: fedora.linux_system_roles.selinux : Restore SELinux labels on filesystem tree: The loop variable 'item' is already in use.
-You should set the `loop_var` value in the `loop_control` option for the task to something else to avoid variable collisions and unexpected behavior.
-

- With this release, the selinux role uses __selinux_item as a loop variable. As a result, the warning that the - item variable is already in use is no longer displayed even if you call - the selinux role from another role. -

-

- Jira:RHEL-19042 -

-
-

Secret data is no longer logged with verbose logging

-

- Previously, some tasks that handle secret data would log the contents. As a consequence, the - logs showed secret data if verbose logging was being used. This update adds the no_log: true directive to tasks that can log secret data. As a - result, secret data is not logged with verbose logging. -

-
-

- Jira:RHEL-19242 -

-
-

A volume quadlet service name no longer fails

-

- Previously, starting the volume service name produced an error similar to the following one: -

-
-
Could not find the requested service NAME.volume: host
-

- With this update, the volume quadlet service name is changed to basename-volume.service. As a result, the volume service starts with no - errors. -

-

- For more information, see Volume - unit man page. -

-

- Jira:RHEL-21402 -

-
-

nbde_server role now works with socket - overrides

-

- Previously, the nbde_server RHEL system role assumed that the only - file in the tangd socket override directory was the override.conf file for a custom port. Consequently, the role deleted - the directory if there was no port customization without checking other files, and the system - re-created the directory in subsequent runs. -

-
-

- With this release, the role has been fixed to prevent changing attributes of the port override file - and deleting the directory if there are other files. As a result, the role correctly works if tangd socket override files are managed also outside of the role. -

-

- Jira:RHEL-25509 -

-
-
-
-
-
-

6.11. Virtualization

-
-
-
-
-

A dump failure no longer blocks IBM Z VMs with Secure Execution from - running

-

- Previously, when a dump of an IBM Z virtual machine (VM) with Secure Execution failed, the VM - remained in a paused state and was blocked from running. For example, dumping a VM by using the - virsh dump command fails if there is not enough space on the disk. -

-
-

- The underlying code has been fixed and Secure Execution VMs resume operation successfully after a - dump failure. -

-

- Jira:RHEL-16696[1] -

-
-
-
-
-
-
-

Chapter 7. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.10. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

7.1. Infrastructure services

-
-
-
-
-

Socket API for TuneD available as a Technology Preview

-

- The socket API for controlling TuneD through a UNIX domain socket is now available as a - Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an - alternative communication method for cases where D-Bus is not available. By using the socket - API, you can control the TuneD daemon to optimize the performance, and change the values of - various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file. -

-
-

- Bugzilla:2113900 -

-
-
-
-
-
-

7.2. Networking

-
-
-
-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It - accompanies XDP and grants efficient redirection of - programmatically selected packets to user space applications for further processing. -

-
-

- Bugzilla:1633143[1] -

-
-

XDP features that are available as Technology Preview

-

- Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported - Technology Preview: -

-
-
-
    -
  • - Loading XDP programs on architectures other than AMD and Intel 64-bit. Note that the libxdp library is not available for architectures other than AMD - and Intel 64-bit. -
  • -
  • - The XDP hardware offloading. -
  • -
-
-

- Bugzilla:1889737 -

-
-

Multi-protocol Label Switching for TC available as a Technology - Preview

-

- The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route - traffic flow across enterprise networks. In an MPLS network, the router that receives packets - decides the further route of the packets based on the labels attached to the packet. With the - usage of labels, the MPLS network has the ability to handle packets with particular - characteristics. For example, you can add tc filters for managing - packets received from specific ports or carrying specific types of traffic, in a consistent way. -

-
-

- After packets enter the enterprise network, MPLS routers perform multiple operations on the packets, - such as push to add a label, swap to - update a label, and pop to remove a label. MPLS allows defining actions - locally based on one or multiple labels in RHEL. You can configure routers and set traffic control - (tc) filters to take appropriate actions on the packets based on the - MPLS label stack entry (lse) elements, such as label, traffic class, bottom of stack, and time to live. -

-

- For example, the following command adds a filter to the enp0s1 network interface to match incoming packets having the - first label 12323 and the second label 45832. On matching packets, the following actions are taken: -

-
-
    -
  • - the first MPLS TTL is decremented (packet is dropped if TTL reaches 0) -
  • -
  • - the first MPLS label is changed to 549386 -
  • -
  • -

    - the resulting packet is transmitted over enp0s2, - with destination MAC address 00:00:5E:00:53:01 - and source MAC address 00:00:5E:00:53:02 -

    -
    # tc filter add dev enp0s1 ingress protocol mpls_uc flower mpls lse depth 1 label 12323 lse depth 2 label 45832 \
    -action mpls dec_ttl pipe \
    -action mpls modify label 549386 pipe \
    -action pedit ex munge eth dst set 00:00:5E:00:53:01 pipe \
    -action pedit ex munge eth src set 00:00:5E:00:53:02 pipe \
    -action mirred egress redirect dev enp0s2
    -
  • -
-
-

- Bugzilla:1814836[1], Bugzilla:1856415 -

-
-

act_mpls module available as a Technology - Preview

-

- The act_mpls module is now available in the kernel-modules-extra rpm as a Technology Preview. The module allows - the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control (TC) - filters, for example, push and pop MPLS label stack entries with TC filters. The module also - allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set - independently. -

-
-

- Bugzilla:1839311[1] -

-
-

The systemd-resolved service is now available - as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, a Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- Bugzilla:1906489 -

-
-
-
-
-
-

7.3. Kernel

-
-
-
-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol that - implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which maintains - two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL - 8. -

-
-

- Bugzilla:1605216[1] -

-
-

eBPF available as a - Technology Preview

-

- Extended Berkeley Packet Filter (eBPF) is an - in-kernel virtual machine that allows code execution in the kernel space, in the restricted - sandbox environment with access to a limited set of functions. -

-
-

- The virtual machine includes a new system call bpf(), which enables - creating various types of maps, and also allows to load programs in a special assembly-like code. - The code is then loaded to the kernel and translated to the native machine code with just-in-time - compilation. Note that the bpf() syscall can be successfully used only - by a user with the CAP_SYS_ADMIN capability, such as the root user. See - the bpf(2) manual page for more information. -

-

- The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet - reception) to receive and process data. -

-

- There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a - different development phase. All components are available as a Technology Preview, unless a specific - component is indicated as supported. -

-

- The following notable eBPF components are - currently available as a Technology Preview: -

-
-
    -
  • - AF_XDP, a socket for connecting the eXpress Data Path (XDP) path to user space - for applications that prioritize packet processing performance. -
  • -
-
-

- Bugzilla:1559616[1] -

-
-

The kexec fast reboot feature is available as - a Technology Preview

-

- The kexec fast reboot feature continues to be available as a - Technology Preview. The kexec fast reboot significantly speeds the - boot process as you can boot directly into the second kernel without passing through the Basic - Input/Output System (BIOS) or firmware first. To use this feature: -

-
-
-
    -
  1. - Load the kexec kernel manually. -
  2. -
  3. - Reboot for changes to take effect. -
  4. -
-
-

- Note that the kexec fast reboot capability is available with a limited - scope of support on RHEL 9 and later releases. -

-

- Bugzilla:1769727 -

-
-

The accel-config package available as a - Technology Preview

-

- The accel-config package is now available on Intel EM64T and AMD64 architectures as a - Technology Preview. This package helps in controlling and configuring data-streaming accelerator - (DSA) sub-system in the Linux Kernel. Also, it configures devices through sysfs (pseudo-filesystem), saves and loads the configuration in the - json format. -

-
-

- Bugzilla:1843266[1] -

-
-
-
-
-
-

7.4. File systems and storage

-
-
-
-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8, the file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address space. To - use DAX, a system must have some form of persistent memory available, usually in the form of one - or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that provides the - capability of DAX must be created on the NVDIMM(s). Also, the file system must be mounted with - the dax mount option. Then, a mmap of - a file on the dax-mounted file system results in a direct mapping of storage into the - application’s address space. -

-
-

- Bugzilla:1627455[1] -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top of - another. Changes are recorded in the upper file system, while the lower file system remains - unmodified. This allows multiple users to share a file-system image, such as a container or a - DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings - when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other specialized - use cases, such as squashed kdump initramfs. Its use is - supported primarily for container COW content, not for persistent storage. You must place - any persistent storage on non-OverlayFS volumes. You can use only the default container - engine configuration: one level of overlay, one lowerdir, and both lower and upper levels - are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might change - in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped with - MAP_SHARED are inconsistent with subsequent - modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on RHEL - 8, but you can enable full POSIX compliance for them with a module option or - mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and index=on options to improve POSIX compliance. - These two options make the format of the upper layer incompatible with an - overlay without these options. That is, you might get unexpected results or - errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, use - the following command and see if the ftype=1 option is - enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel - documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- Bugzilla:1690207[1] -

-
-

Stratis is now available as a Technology Preview

-

- Stratis is a new local storage manager, which provides managed file systems on top of pools of - storage with additional features. It is provided as a Technology Preview. -

-
-

- With Stratis, you can perform the following storage tasks: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. For more - information, see the Setting - up Stratis file systems documentation. -

-

- RHEL 8.5 updated Stratis to version 2.4.2. For more information, see the Stratis 2.4.2 Release - Notes. -

-

- Jira:RHELPLAN-1212[1] -

-
-

NVMe/TCP host is available as a Technology Preview

-

- Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) - and its corresponding nvme_tcp.ko kernel module has been added as a - Technology Preview. The use of NVMe/TCP as a host is manageable with tools provided by the nvme-cli package. The NVMe/TCP host Technology Preview is included - only for testing purposes and is not currently planned for full support. -

-
-

- Bugzilla:1696451[1] -

-
-

Setting up a Samba server on an IdM domain member is provided as a - Technology Preview

-

- With this update, you can now set up a Samba server on an Identity Management (IdM) domain - member. The new ipa-client-samba utility provided by the same-named - package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For - example, the utility creates the /etc/samba/smb.conf with the ID - mapping configuration for the sss ID mapping back end. As a result, - administrators can now set up Samba on an IdM domain member. -

-
-

- Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts - cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support - resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) - protocols. As a consequence, AD users can only access the Samba shares and printers from IdM - clients. -

-

- For details, see Setting - up Samba on an IdM domain member. -

-

- Jira:RHELPLAN-13195[1] -

-
-
-
-
-
-

7.5. High availability and clusters

-
-
-
-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on Podman, with the container bundle feature being available - as a Technology Preview. There is one exception to this feature being Technology Preview: Red - Hat fully supports the use of Pacemaker bundles for Red Hat OpenStack. -

-
-

- Bugzilla:1619620[1] -

-
-

Heuristics in corosync-qdevice available as a - Technology Preview

-

- Heuristics are a set of commands executed locally on startup, cluster membership change, - successful connect to corosync-qnetd, and, optionally, on a - periodic basis. When all commands finish successfully on time (their return error code is zero), - heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which - partition should be quorate. -

-
-

- Bugzilla:1784200 -

-
-

New fence-agents-heuristics-ping fence - agent

-

- As a Technology Preview, Pacemaker now provides the fence_heuristics_ping agent. This agent aims to open a class of - experimental fence agents that do no actual fencing by themselves but instead exploit the - behavior of fencing levels in a new way. -

-
-

- If the heuristics agent is configured on the same fencing level as the fence agent that does the - actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the - agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to - succeed, causing Pacemaker fencing to skip the step of issuing the off - action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent - the agent that does the actual fencing from fencing a node under certain conditions. -

-

- A user might want to use this agent, especially in a two-node cluster, when it would not make sense - for a node to fence the peer if it can know beforehand that it would not be able to take over the - services properly. For example, it might not make sense for a node to take over services if it has - problems reaching the networking uplink, making the services unreachable to clients, a situation - which a ping to a router might detect in that case. -

-

- Bugzilla:1775847[1] -

-
-
-
-
-
-

7.6. Identity Management

-
-
-
-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- Bugzilla:1664719 -

-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

- -

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- Bugzilla:1664718 -

-
-

ACME available as a Technology Preview

-

- The Automated Certificate Management Environment (ACME) service is now available in Identity - Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation - and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and - avoiding manual processes from certificate lifecycle management. -

-
-

- In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS - ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM - deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity - period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire - IdM deployment. -

-
-
Important
-
-

- It is recommended to enable ACME only in an IdM deployment where all servers are running - RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause - problems in mixed-version deployments. For example, a CA server without ACME can cause - client connections to fail, because it uses a different DNS Subject Alternative Name (SAN). -

-
-
-
-
Warning
-
-

- Currently, RHCS does not remove expired certificates. Because ACME certificates expire after - 90 days, the expired certificates can accumulate and this can affect performance. -

-
-
-
-
    -
  • -

    - To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command: -

    -
    # ipa-acme-manage enable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command: -

    -
    # ipa-acme-manage disable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To check whether the ACME service is installed and if it is enabled or disabled, use the - ipa-acme-manage status command: -

    -
    # ipa-acme-manage status
    -ACME is enabled
    -The ipa-acme-manage command was successful
    -
  • -
-
-

- Bugzilla:1628987[1] -

-
-

sssd-idp sub-package available as a Technology Preview

-

- The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which - are client-side components that perform OAuth2 authentication against Identity Management (IdM) - servers. This feature is available only with IdM servers on RHEL 8.7 and later. -

-
-

- Bugzilla:2065692 -

-
-

SSSD internal krb5 idp plugin available as a Technology Preview -

-

- The SSSD krb5 idp plugin allows you to authenticate against an - external identity provider (IdP) using the OAuth2 protocol. This feature is available only with - IdM servers on RHEL 8.7 and later. -

-
-

- Bugzilla:2056483 -

-
-
-
-
-
-

7.7. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology - Preview. -

-
-

- You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can - manage the server using graphical applications. -

-

- A limited set of graphical applications is available on 64-bit ARM. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- Jira:RHELPLAN-27394[1], Bugzilla:1667516, Bugzilla:1724302, - Bugzilla:1667225 -

-
-

GNOME for the IBM Z architecture available as a Technology Preview -

-

- The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview. -

-
-

- You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage - the server using graphical applications. -

-

- A limited set of graphical applications is available on IBM Z. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- Jira:RHELPLAN-27737[1] -

-
-
-
-
-
-

7.8. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available - as a Technology Preview. Note that the rest of the graphics stack is currently unverified for - the 64-bit ARM architecture. -

-
-

- Bugzilla:1698565[1] -

-
-
-
-
-
-

7.9. Virtualization

-
-
-
-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines -

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a - Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel and AMD systems. In addition, nested - virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the following - Microsoft documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- Bugzilla:1519039[1] -

-
-

AMD SEV and SEV-ES for KVM virtual machines

-

- As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts the VM’s memory to protect the VM from access by the host. This increases the security - of the VM. -

-
-

- In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology - Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host - from modifying the VM’s CPU registers or reading any information from them. -

-

- Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. - Also note that RHEL 8 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security - attestation. -

-

- Bugzilla:1501618[1], Bugzilla:1501607, Jira:RHELPLAN-7677 -

-
-

Intel vGPU available as a Technology Preview

-

- As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. -

-

- In addition, it is possible to enable a VNC console operated by Intel vGPU. By enabling it, users - can connect to a VNC console of the VM and see the VM’s desktop hosted by Intel vGPU. However, this - currently only works for RHEL guest operating systems. -

-

- Note that this feature is deprecated and will be removed entirely in a future RHEL major release. -

-

- Bugzilla:1528684[1] -

-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on Intel, AMD64, IBM POWER, and IBM Z systems hosts with RHEL 8. With this feature, a - RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its - own VMs. -

-
-

- Jira:RHELPLAN-14047[1], Jira:RHELPLAN-24437 -

-
-

Technology Preview: Select Intel network adapters now provide SR-IOV in - RHEL guests on Hyper-V

-

- As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V - hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network - adapters that are supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions - are met: -

-
-
-
    -
  • - SR-IOV support is enabled for the network interface controller (NIC) -
  • -
  • - SR-IOV support is enabled for the virtual NIC -
  • -
  • - SR-IOV support is enabled for the virtual switch -
  • -
  • - The virtual function (VF) from the NIC is attached to the virtual machine -
  • -
-
-

- The feature is currently provided with Microsoft Windows Server 2016 and later. -

-

- Bugzilla:1348508[1] -

-
-

Intel TDX in RHEL guests

-

- As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL - 8.8 and later guest operating systems. If the host system supports TDX, you can deploy - hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that - TDX currently does not work with kdump, and enabling TDX will cause - kdump to fail on the VM. -

-
-

- Bugzilla:1836977[1] -

-
-

Sharing files between hosts and VMs using virtiofs

-

- As a Technology Preview, RHEL 8 now provides the virtio file system (virtiofs). Using virtiofs, you can - efficiently share files between your host system and its virtual machines (VM). -

-
-

- Bugzilla:1741615[1] -

-
-
-
-
-
-

7.10. RHEL in cloud environments

-
-
-
-
-

RHEL confidential VMs are now available on Azure as a Technology - Preview

-

- With the updated RHEL kernel, you can now create and run confidential virtual machines (VMs) on - Microsoft Azure as a Technology Preview. However, it is not yet possible to encrypt RHEL - confidential VM images during boot on Azure. -

-
-

- Jira:RHELPLAN-122316[1] -

-
-
-
-
-
-

7.11. Containers

-
-
-
-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- Jira:RHELDOCS-16861[1] -

-
-

Building multi-architecture images is available as a Technology - Preview

-

- The podman farm build command, which you can use to create - multi-architecture container images, is available as a Technology Preview. -

-
-

- A farm is a group of machines that have a unix podman socket running in them. The nodes in the farm - can have different machines of different architectures. The podman farm build command is faster than the podman build --arch --platform command. -

-

- You can use podman farm build to perform the following actions: -

-
-
    -
  • - Build an image on all nodes in a farm. -
  • -
  • - Bundle nodes up into a manifest list. -
  • -
  • - Execute the podman build command on all the farm nodes. -
  • -
  • - Push the images to the registry specified by using the --tag - option. -
  • -
  • - Locally create a manifest list. -
  • -
  • -

    - Push the manifest list to the registry. -

    -

    - The manifest list contains one image per native architecture type that is present in the - farm. -

    -
  • -
-
-

- Jira:RHELPLAN-154435[1] -

-
-
-
-
-
-
-

Chapter 8. Deprecated functionality

-
-
-
-

- This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8. -

-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

8.1. Installer and image creation

-
-
-
-
-

Several Kickstart commands and options have been deprecated

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in the - logs: -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still available - and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- Bugzilla:1642765[1] -

-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you modify - your Kickstart file to remove the option. -

-
-

- Bugzilla:1637872[1] -

-
-

The Kickstart autostep command has been - deprecated

-

- The autostep command has been deprecated. The related section about - this command has been removed from the RHEL - 8 documentation. -

-
-

- Bugzilla:1904251[1] -

-
-
-
-
-
-

8.2. Security

-
-
-
-
-

NSS SEED ciphers are deprecated

-

- The Mozilla Network Security Services (NSS) library will not - support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth - transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends - enabling support for other cipher suites. -

-
-

- Note that SEED ciphers are already disabled by default in RHEL. -

-

- Bugzilla:1817533 -

-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal - and the update-crypto-policies(8) man page. -

-

- Bugzilla:1660839 -

-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. - Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note - that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- Bugzilla:1646541[1] -

-
-

fapolicyd.rules is deprecated

-

- The /etc/fapolicyd/rules.d/ directory for files containing allow - and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility. -

-
-

- Bugzilla:2054741 -

-
-

SSL2 Client Hello - has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and earlier - allow to start a negotiation with a Client Hello message formatted - in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature - may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- Bugzilla:1645153[1] -

-
-

Runtime disabling SELinux using /etc/selinux/config is now deprecated

-

- Runtime disabling SELinux using the SELINUX=disabled option in the - /etc/selinux/config file has been deprecated. In RHEL 9, when you - disable SELinux only through /etc/selinux/config, the system starts - with SELinux enabled but with no policy loaded. -

-
-

- If your scenario really requires to completely disable SELinux, Red Hat recommends disabling SELinux - by adding the selinux=0 parameter to the kernel command line as - described in the Changing - SELinux modes at boot time section of the Using - SELinux title. -

-

- Bugzilla:1932222 -

-
-

The ipa SELinux module removed from selinux-policy

-

- The ipa SELinux module has been removed from the selinux-policy package because it is no longer maintained. The - functionality is now included in the ipa-selinux subpackage. -

-
-

- If your scenario requires the use of types or interfaces from the ipa - module in a local SELinux policy, install the ipa-selinux package. -

-

- Bugzilla:1461914[1] -

-
-

TPM 1.2 is deprecated

-

- The Trusted Platform Module (TPM) secure cryptoprocessor standard was updated to version 2.0 in - 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with - the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major - release. -

-
-

- Bugzilla:1657927[1] -

-
-

crypto-policies derived properties are now - deprecated

-

- With the introduction of scopes for crypto-policies directives in - custom policies, the following derived properties have been deprecated: tls_cipher, ssh_cipher, ssh_group, ike_protocol, and sha1_in_dnssec. Additionally, the use of the protocol property without specifying a scope is now deprecated as - well. See the crypto-policies(7) man page for recommended - replacements. -

-
-

- Bugzilla:2011208 -

-
-

RHEL 8 and 9 OpenSSL certificate and signing containers are now - deprecated

-

- The OpenSSL portable certificate and signing containers available in the ubi8/openssl and ubi9/openssl - repositories in the Red Hat Ecosystem Catalog are now deprecated due to low demand. -

-
-

- Jira:RHELDOCS-17974[1] -

-
-
-
-
-
-

8.3. Subscription management

-
-
-
-
-

The deprecated --token option of subscription-manager register will stop working at the end of - November 2024

-

- The deprecated --token=<TOKEN> option of the subscription-manager register command will no longer be a supported - authentication method from the end of November 2024. The default entitlement server, subscription.rhsm.redhat.com, will no longer be allowing token-based - authentication. As a consequence, if you use subscription-manager register --token=<TOKEN>, the registration - will fail with the following error message: -

-
-
Token authentication not supported by the entitlement server
-

- To register your system, use other supported authorization methods, such as including paired options - --username / --password OR --org / --activationkey with the subscription-manager register command. -

-

- Bugzilla:2170082 -

-
-
-
-
-
-

8.4. Software management

-
-
-
-
-

rpmbuild --sign is deprecated

-

- The rpmbuild --sign command is deprecated since RHEL 8.1. Using - this command in future releases of Red Hat Enterprise Linux can result in an error. It is - recommended that you use the rpmsign command instead. -

-
-

- Bugzilla:1688849 -

-
-
-
-
-
-

8.5. Shells and command-line tools

-
-
-
-
-

Setting the TMPDIR variable in the ReaR - configuration file is deprecated

-

- Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement - such as export TMPDIR=…​, is deprecated. -

-
-

- To specify a custom directory for ReaR temporary files, export the variable in the shell environment - before executing ReaR. For example, execute the export TMPDIR=…​ - statement and then execute the rear command in the same shell session - or script. -

-

- Jira:RHELDOCS-18049[1] -

-
-

The OpenEXR component has been - deprecated

-

- The OpenEXR component has been deprecated. Hence, the support for - the EXR image format has been dropped from the imagecodecs module. -

-
-

- Bugzilla:1886310 -

-
-

The dump utility from the dump package has been deprecated

-

- The dump utility used for backup of file systems has been - deprecated and will not be available in RHEL 9. -

-
-

- In RHEL 9, Red Hat recommends using the tar, dd, or bacula, backup utility, based on type - of usage, which provides full and safe backups on ext2, ext3, and ext4 file systems. -

-

- Note that the restore utility from the dump package remains available and supported in RHEL 9 and is available - as the restore package. -

-

- Bugzilla:1997366[1] -

-
-

The hidepid=n mount option is not supported in - RHEL 8 systemd

-

- The mount option hidepid=n, which controls who can access - information in /proc/[pid] directories, is not compatible with - systemd infrastructure provided in RHEL 8. -

-
-

- In addition, using this option might cause certain services started by systemd to produce SELinux AVC denial messages and prevent other - operations from completing. -

-

- For more information, see the related Knowledgebase solution Is mounting /proc with "hidepid=2" - recommended with RHEL7 and RHEL8?. -

-

- Bugzilla:2038929 -

-
-

The /usr/lib/udev/rename_device utility has - been deprecated

-

- The udev helper utility /usr/lib/udev/rename_device for renaming network interfaces has been - deprecated. -

-
-

- Bugzilla:1875485 -

-
-

The ABRT tool has been deprecated

-

- The Automatic Bug Reporting Tool (ABRT) for detecting and reporting application crashes has been - deprecated in RHEL 8. As a replacement, use the systemd-coredump - tool to log and store core dumps, which are automatically generated files after a program - crashes. -

-
-

- Bugzilla:2055826[1] -

-
-

The ReaR crontab has been deprecated

-

- The /etc/cron.d/rear crontab from the rear package has been deprecated in RHEL 8 and will not be available - in RHEL 9. The crontab checks every night whether the disk layout has changed, and runs rear mkrescue command if a change happened. -

-
-

- If you require this functionality, after an upgrade to RHEL 9, configure periodic runs of ReaR - manually. -

-

- Bugzilla:2083301 -

-
-

The SQLite database backend in Bacula has been deprecated

-

- The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. - The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. - As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the - SQLite backend in new deployments. -

-
-

- Jira:RHEL-6859 -

-
-

The raw command has been deprecated -

-

- The raw (/usr/bin/raw) command has - been deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in - an error. -

-
-

- Jira:RHELPLAN-133171[1] -

-
-
-
-
-
-

8.6. Infrastructure services

-
-
-
-
-

The geoipupdate package has been - deprecated

-

- The geoipupdate package requires a third-party subscription and it - also downloads proprietary content. Therefore, the geoipupdate - package has been deprecated, and will be removed in the next major RHEL version. -

-
-

- Bugzilla:1874892[1] -

-
-
-
-
-
-

8.7. Networking

-
-
-
-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by - default. The basic installation provides a new version of the ifup - and ifdown scripts which call the NetworkManager service through - the nmcli tool. In Red Hat Enterprise Linux - 8, to run the ifup and the ifdown - scripts, NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts - are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
# yum install network-scripts
-

- The ifup and ifdown scripts link to the - installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- Bugzilla:1647725[1] -

-
-

The dropwatch tool is deprecated

-

- The dropwatch tool has been deprecated. The tool will not be - supported in future releases, thus it is not recommended for new deployments. As a replacement - of this package, Red Hat recommends to use the perf - command line tool. -

-
-

- For more information on using the perf command line tool, - see the Getting - started with Perf section on the Red Hat customer portal or the perf man page. -

-

- Bugzilla:1929173 -

-
-

The xinetd service has been - deprecated

-

- The xinetd service has been deprecated and will be removed in RHEL - 9. As a replacement, use systemd. For further details, see How to convert xinetd - service to systemd. -

-
-

- Bugzilla:2009113[1] -

-
-

The cgdcbxd package is deprecated

-

- Control group data center bridging exchange daemon (cgdcbxd) is a - service to monitor data center bridging (DCB) netlink events and manage the net_prio control group subsystem. Starting with RHEL 8.5, the cgdcbxd package is deprecated and will be removed in the next major - RHEL release. -

-
-

- Bugzilla:2006665 -

-
-

The WEP Wi-Fi connection method is deprecated

-

- The insecure wired equivalent privacy (WEP) Wi-Fi connection method is deprecated in RHEL 8 and - will be removed in RHEL 9.0. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 - (WPA3) or WPA2 connection methods. -

-
-

- Bugzilla:2029338 -

-
-

The unsupported xt_u32 module is now - deprecated

-

- Using the unsupported xt_u32 module, users of iptables can match arbitrary 32 bits in the packet header or payload. - Since RHEL 8.6, the xt_u32 module is deprecated and will be removed - in RHEL 9. -

-
-

- If you use xt_u32, migrate to the nftables - packet filtering framework. For example, first change your firewall to use iptables with native matches to incrementally replace individual rules, - and later use the iptables-translate and accompanying utilities to - migrate to nftables. If no native match exists in nftables, use the raw payload matching feature of nftables. For details, see the raw payload expression section in the nft(8) - man page. -

-

- Bugzilla:2061288 -

-
-
-
-
-
-

8.8. Kernel

-
-
-
-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is - a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is - available as a Technology Preview. Furthermore, due to stability issues, this feature has been - deprecated and will be removed in RHEL 9. -

-
-

- Bugzilla:1878207[1] -

-
-

The Linux firewire sub-system and its - associated user-space components are deprecated in RHEL 8

-

- The firewire sub-system provides interfaces to use and maintain any - resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer - be supported in the kernel package. Note that firewire contains several user-space components provided by the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as - well. -

-
-

- Bugzilla:1871863[1] -

-
-

Installing RHEL for Real Time 8 using diskless boot is now - deprecated

-

- Diskless booting allows multiple systems to share a root file system through the network. While - convenient, diskless boot is prone to introducing network latency in real-time workloads. With - the 8.3 minor update of RHEL for Real Time 8, the diskless booting feature is no longer - supported. -

-
-

- Bugzilla:1748980 -

-
-

Kernel live patching now covers all RHEL minor releases

-

- Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of - RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important - Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently - covered kernels and use cases, the support window for each live patch has been decreased from 12 - to 6 months for every minor, major, and zStream version of the kernel. It means that on the day - a kernel live patch is released, it will cover every minor release and scheduled errata kernel - delivered in the past 6 months. -

-
-

- For more information about this feature, see Applying - patches with kernel live patching. -

-

- For details about available kernel live patches, see Kernel Live Patch life cycles. -

-

- Bugzilla:1958250 -

-
-

The crash-ptdump-command package is - deprecated

-

- The crash-ptdump-command package, which is a ptdump extension module for the crash utility, is deprecated and - might not be available in future RHEL releases. The ptdump command - fails to retrieve the log buffer when working in the Single Range Output mode and only works in - the Table of Physical Addresses (ToPA) mode. crash-ptdump-command - is currently not maintained upstream -

-
-

- Bugzilla:1838927[1] -

-
-
-
-
-
-

8.9. Boot loader

-
-
-
-
-

The kernelopts environment variable has been - deprecated

-

- In RHEL 8, the kernel command-line parameters for systems using the GRUB bootloader were defined - in the kernelopts environment variable. The variable was stored in - the /boot/grub2/grubenv file for each kernel boot entry. However, - storing the kernel command-line parameters using kernelopts was not - robust. Therefore, with a future major update of RHEL, kernelopts - will be removed and the kernel command-line parameters will be stored in the Boot Loader - Specification (BLS) snippet instead. -

-
-

- Bugzilla:2060759 -

-
-
-
-
-
-

8.10. File systems and storage

-
-
-
-
-

The elevator kernel command line parameter is - deprecated

-

- The elevator kernel command line parameter was used in earlier RHEL - releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is typically - the optimal setting. If you require a different scheduler, Red Hat recommends that you use udev rules or the TuneD service to configure it. Match the selected - devices and switch the scheduler only for those devices. -

-

- For more information, see Setting - the disk scheduler. -

-

- Bugzilla:1665295[1] -

-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. - This change affects only NFS version 3 because version 4 requires the Transmission Control - Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- Bugzilla:1592011[1] -

-
-

peripety is deprecated

-

- The peripety package is deprecated since RHEL 8.3. -

-
-

- The Peripety storage event notification daemon parses system storage logs into structured storage - events. It helps you investigate storage issues. -

-

- Bugzilla:1871953 -

-
-

VDO write modes other than async are - deprecated

-

- VDO supports several write modes in RHEL 8: -

-
-
-
    -
  • - sync -
  • -
  • - async -
  • -
  • - async-unsafe -
  • -
  • - auto -
  • -
-
-

- Starting with RHEL 8.4, the following write modes are deprecated: -

-
-
-
sync
-
- Devices above the VDO layer cannot recognize if VDO is synchronous, and consequently, the - devices cannot take advantage of the VDO sync mode. -
-
async-unsafe
-
- VDO added this write mode as a workaround for the reduced performance of async mode, which complies to Atomicity, Consistency, Isolation, - and Durability (ACID). Red Hat does not recommend async-unsafe - for most use cases and is not aware of any users who rely on it. -
-
auto
-
- This write mode only selects one of the other write modes. It is no longer necessary when - VDO supports only a single write mode. -
-
-
-

- These write modes will be removed in a future major RHEL release. -

-

- The recommended VDO write mode is now async. -

-

- For more information on VDO write modes, see Selecting - a VDO write mode. -

-

- Jira:RHELPLAN-70700[1] -

-
-

VDO manager has been deprecated

-

- The python-based VDO management software has been deprecated and will be removed from RHEL 9. In - RHEL 9, it will be replaced by the LVM-VDO integration. Therefore, it is recommended to create - VDO volumes using the lvcreate command. -

-
-

- The existing volumes created using the VDO management software can be converted using the /usr/sbin/lvm_import_vdo script, provided by the lvm2 package. For more information on the LVM-VDO implementation, see Deduplicating - and compressing logical volumes on RHEL. -

-

- Bugzilla:1949163 -

-
-

cramfs has been deprecated

-

- Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution. -

-
-

- Bugzilla:1794513[1] -

-
-
-
-
-
-

8.11. High availability and clusters

-
-
-
-
-

pcs commands that support the clufter tool have been deprecated

-

- The pcs commands that support the clufter tool for analyzing cluster configuration formats have been - deprecated. These commands now print a warning that the command has been deprecated and sections - related to these commands have been removed from the pcs help - display and the pcs(8) man page. -

-
-

- The following commands have been deprecated: -

-
-
    -
  • - pcs config import-cman for importing CMAN / RHEL6 HA cluster - configuration -
  • -
  • - pcs config export for exporting cluster configuration to a list - of pcs commands which recreate the same cluster -
  • -
-
-

- Bugzilla:1851335[1] -

-
-
-
-
-
-

8.12. Dynamic programming languages, web and database servers

-
-
-
-
-

The mod_php module provided with PHP for use - with the Apache HTTP Server has been deprecated

-

- The mod_php module provided with PHP for use with the Apache HTTP - Server in RHEL 8 is available but not enabled in the default configuration. The module is no - longer available in RHEL 9. -

-
-

- Since RHEL 8, PHP scripts are run using the FastCGI Process Manager (php-fpm) by default. For more information, see Using - PHP with the Apache HTTP Server. -

-

- Bugzilla:2225332 -

-
-
-
-
-
-

8.13. Compilers and development tools

-
-
-
-
-

The gdb.i686 packages are deprecated -

-

- In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another - package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions - of GDB, gdb.x86_64, are fully capable of debugging 32-bit - applications. -

-
-

- If you use gdb.i686, note the following important issues: -

-
-
    -
  • - The gdb.i686 packages will no longer be updated. Users must - install gdb.x86_64 instead. -
  • -
  • - If you have gdb.i686 installed, installing gdb.x86_64 will cause yum to report - package gdb-8.2-14.el8.x86_64 obsoletes gdb < 8.2-14.el8 provided by gdb-8.2-12.el8.i686. - This is expected. Either uninstall gdb.i686 or pass dnf the --allowerasing option to - remove gdb.i686 and install gdb.x8_64. -
  • -
  • - Users will no longer be able to install the gdb.i686 packages - on 64-bit systems, that is, those with the libc.so.6()(64-bit) - packages. -
  • -
-
-

- Bugzilla:1853140[1] -

-
-

libdwarf has been deprecated

-

- The libdwarf library has been deprecated in RHEL 8. The library - will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for - applications that wish to process ELF/DWARF files. -

-
-

- Alternatives for the libdwarf-tools dwarfdump program are the binutils readelf program or the elfutils eu-readelf program, both used by passing the --debug-dump flag. -

-

- Bugzilla:1920624 -

-
-
-
-
-
-

8.14. Identity Management

-
-
-
-
-

openssh-ldap has been deprecated

-

- The openssh-ldap subpackage has been deprecated in Red Hat - Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat - recommends using SSSD and the sss_ssh_authorizedkeys helper, which - integrate better with other IdM solutions and are more secure. -

-
-

- By default, the SSSD ldap and ipa - providers read the sshPublicKey LDAP attribute of the user object, if - available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from - Active Directory (AD), since AD does not have a default LDAP attribute to store a public key. -

-

- To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, - enable the ssh responder by adding ssh to - the services option in the sssd.conf file. - See the sssd.conf(5) man page for details. -

-

- To allow sshd to use sss_ssh_authorizedkeys, add the AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page. -

-

- Bugzilla:1871025 -

-
-

DES and 3DES encryption types have been removed

-

- Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and - disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) - and triple-DES (3DES) encryption types have been removed from RHEL 8. -

-
-

- If you have configured services or users to only use DES or 3DES encryption, you might experience - service interruptions such as: -

-
-
    -
  • - Kerberos authentication errors -
  • -
  • - unknown enctype encryption errors -
  • -
  • - Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (K/M) fail to start -
  • -
-
-

- Perform the following actions to prepare for the upgrade: -

-
-
    -
  1. - Check if your KDC uses DES or 3DES encryption with the krb5check open source Python scripts. See krb5check on GitHub. -
  2. -
  3. - If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a - supported encryption type, such as Advanced Encryption Standard (AES). For instructions on - re-keying, see Retiring - DES from MIT Kerberos Documentation. -
  4. -
  5. -

    - Test independence from DES and 3DES by temporarily setting the following Kerberos - options before upgrading: -

    -
    -
      -
    1. - In /var/kerberos/krb5kdc/kdc.conf on the KDC, set - supported_enctypes and do not include des or des3. -
    2. -
    3. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set allow_weak_crypto to false. It is false by default. -
    4. -
    5. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set permitted_enctypes, default_tgs_enctypes, and default_tkt_enctypes, and do not include des or des3. -
    6. -
    -
    -
  6. -
  7. - If you do not experience any service interruptions with the test Kerberos settings from the - previous step, remove them and upgrade. You do not need those settings after upgrading to - the latest Kerberos packages. -
  8. -
-
-

- Bugzilla:1877991 -

-
-

The SSSD version of libwbclient has been - removed

-

- The SSSD implementation of the libwbclient package was deprecated - in RHEL 8.4. As it cannot be used with recent versions of Samba, the SSSD implementation of - libwbclient has now been removed. -

-
-

- Bugzilla:1947671 -

-
-

Standalone use of the ctdb service has been - deprecated

-

- Since RHEL 8.4, customers are advised to use the ctdb clustered - Samba service only when both of the following conditions apply: -

-
-
-
    -
  • - The ctdb service is managed as a pacemaker resource with the resource-agent ctdb. -
  • -
  • - The ctdb service uses storage volumes that contain either a - GlusterFS file system provided by the Red Hat Gluster Storage product or a GFS2 file system. -
  • -
-
-

- The stand-alone use case of the ctdb service has been deprecated and - will not be included in a next major release of Red Hat Enterprise Linux. For further information on - support policies for Samba, see the Knowledgebase article Support Policies for RHEL Resilient Storage - - ctdb General Policies. -

-

- Bugzilla:1916296[1] -

-
-

Limited support for FreeRADIUS

-

- In RHEL 8, the following external authentication modules are deprecated as part of the - FreeRADIUS offering: -

-
-
-
    -
  • - The MySQL, PostgreSQL, SQlite, and unixODBC database connectors -
  • -
  • - The Perl language module -
  • -
  • - The REST API module -
  • -
-
-
-
Note
-
-

- The PAM authentication module and other authentication modules that are provided as part of - the base package are not affected. -

-
-
-

- You can find replacements for the deprecated modules in community-supported packages, for example in - the Fedora project. -

-

- In addition, the scope of support for the freeradius package will be - limited to the following use cases in future RHEL releases: -

-
-
    -
  • - Using FreeRADIUS as an authentication provider with Identity Management (IdM) as the backend - source of authentication. The authentication occurs through the krb5 and LDAP authentication packages or as PAM authentication in - the main FreeRADIUS package. -
  • -
  • - Using FreeRADIUS to provide a source-of-truth for authentication in IdM, through the Python - 3 authentication package. -
  • -
-
-

- In contrast to these deprecations, Red Hat will strengthen the support of the following external - authentication modules with FreeRADIUS: -

-
-
    -
  • - Authentication based on krb5 and LDAP -
  • -
  • - Python 3 authentication -
  • -
-
-

- The focus on these integration options is in close alignment with the strategic direction of Red Hat - IdM. -

-

- Jira:RHELDOCS-17573[1] -

-
-

Indirect AD integration with IdM via WinSync has been deprecated -

-

- WinSync is no longer actively developed in RHEL 8 due to several functional limitations: -

-
-
-
    -
  • - WinSync supports only one Active Directory (AD) domain. -
  • -
  • - Password synchronization requires installing additional software on AD Domain Controllers. -
  • -
-
-

- For a more robust solution with better resource and security separation, Red Hat recommends using a - cross-forest trust for indirect integration with - Active Directory. See the Indirect - integration documentation. -

-

- Jira:RHELPLAN-100400[1] -

-
-

Running Samba as a PDC or BDC is deprecated

-

- The classic domain controller mode that enabled administrators to run Samba as an NT4-like - primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and - settings to configure these modes will be removed in a future Samba release. -

-
-

- As long as the Samba version in RHEL 8 provides the PDC and BDC modes, Red Hat supports these modes - only in existing installations with Windows versions which support NT4 domains. Red Hat recommends - not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and - Windows Server 2008 R2 do not support NT4 domains. -

-

- If you use the PDC to authenticate only Linux users, Red Hat suggests migrating to Red Hat Identity Management - (IdM) that is included in RHEL subscriptions. However, you cannot join Windows systems to an - IdM domain. Note that Red Hat continues supporting the PDC functionality IdM uses in the background. -

-

- Red Hat does not support running Samba as an AD domain controller (DC). -

-

- Bugzilla:1926114 -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- Jira:RHELDOCS-16612[1] -

-
-
-
-
-
-

8.15. Desktop

-
-
-
-
-

The libgnome-keyring library has been - deprecated

-

- The libgnome-keyring library has been deprecated in favor of the - libsecret library, as libgnome-keyring - is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. - The new libsecret library is the replacement that follows the - necessary security standards. -

-
-

- Bugzilla:1607766[1] -

-
-

LibreOffice is deprecated

-

- The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL - release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, - and 9. -

-
-

- As a replacement for the RPM packages, Red Hat recommends that you install LibreOffice from either - of the following sources provided by The Document Foundation: -

-
- -
-

- Jira:RHELDOCS-16300[1] -

-
-

Several bitmap fonts have been deprecated

-

- The following bitmap font packages have been deprecated: -

-
-
-
    -
  • - bitmap-console-fonts -
  • -
  • - bitmap-fixed-fonts -
  • -
  • - bitmap-fonts-compat -
  • -
  • - bitmap-lucida-typewriter-fonts -
  • -
-
-

- Bitmap fonts have a limited pixel size. When you try to set a font size that is unavailable, the - text might display in a different size or a different font, possibly a scalable one. This also - decreases the rendering quality of bitmap fonts and disrupts the user experience. -

-

- Additionally, the fontconfig system ignores the Portable Compiled - Format (PCF), one of the major bitmap font formats, because it contains no metadata to estimate the - language coverage. -

-

- Note that the bitmap-fangsongti-fonts bitmap font package continues to - be supported as a dependency of the Lorax tool. -

-

- Jira:RHELDOCS-17623[1] -

-
-
-
-
-
-

8.16. Graphics infrastructures

-
-
-
-
-

AGP graphics cards are no longer supported

-

- Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat - Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement. -

-
-

- Bugzilla:1569610[1] -

-
-

Motif has been deprecated

-

- The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif - community is inactive. -

-
-

- The following Motif packages have been deprecated, including their development and debugging - variants: -

-
-
    -
  • - motif -
  • -
  • - openmotif -
  • -
  • - openmotif21 -
  • -
  • - openmotif22 -
  • -
-
-

- Additionally, the motif-static package has been removed. -

-

- Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new - features compared to Motif. -

-

- Jira:RHELPLAN-98983[1] -

-
-
-
-
-
-

8.17. The web console

-
-
-
-
-

The web console no longer supports incomplete translations

-

- The RHEL web console no longer provides translations for languages that have translations - available for less than 50 % of the Console’s translatable strings. If the browser requests - translation to such a language, the user interface will be in English instead. -

-
-

- Bugzilla:1666722 -

-
-

The remotectl command is deprecated -

-

- The remotectl command has been deprecated and will not be available - in future releases of RHEL. You can use the cockpit-certificate-ensure command as a replacement. However, note - that cockpit-certificate-ensure does not have feature parity with - remotectl. It does not support bundled certificates and keychain - files and requires them to be split out. -

-
-

- Jira:RHELPLAN-147538[1] -

-
-
-
-
-
-

8.18. Red Hat Enterprise Linux System Roles

-
-
-
-
-

The network System Role displays a deprecation - warning when configuring teams on RHEL 9 nodes

-

- The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL System Role on an RHEL 8 control node to configure a - network team on RHEL 9 nodes, shows a warning about the deprecation. -

-
-

- Bugzilla:2021685 -

-
-

Ansible Engine has been deprecated

-

- Previous versions of RHEL 8 provided access to an Ansible Engine repository, with a limited - scope of support, to enable supported RHEL Automation use cases, such as RHEL System Roles and - Insights remedations. Ansible Engine has been deprecated, and Ansible Engine 2.9 will have no - support after September 29, 2023. For more details on the supported use cases, see Scope of support for the - Ansible Core package included in the RHEL 9 AppStream. -

-
-

- Users must manually migrate their systems from Ansible Engine to Ansible Core. For that, follow the - steps: -

-
-

Procedure

-
    -
  1. -

    - Check if the system is running RHEL 8.7 or a later release: -

    -
    # cat /etc/redhat-release
    -
  2. -
  3. -

    - Uninstall Ansible Engine 2.9: -

    -
    # yum remove ansible
    -
  4. -
  5. -

    - Disable the ansible-2-for-rhel-8-x86_64-rpms repository: -

    -
    # subscription-manager repos --disable
    -ansible-2-for-rhel-8-x86_64-rpms
    -
  6. -
  7. -

    - Install the Ansible Core package from the RHEL 8 AppStream repository: -

    -
    # yum install ansible-core
    -
  8. -
-
-

- For more details, see: Using - Ansible in RHEL 8.6 and later. -

-

- Bugzilla:2006081 -

-
-

The mssql_ha_cluster_run_role has been - deprecated

-

- The mssql_ha_cluster_run_role variable has been deprecated. - Instead, use the mssql_manage_ha_cluster variable. -

-
-

- Jira:RHEL-19203 -

-
-
-
-
-
-

8.19. Virtualization

-
-
-
-
-

virsh iface-* commands have become - deprecated

-

- The virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, are now deprecated, and will be removed in a - future major version of RHEL. In addition, these commands frequently fail due to configuration - dependencies. -

-
-

- Therefore, it is recommended not to use virsh iface-* commands for - configuring and managing host network connections. Instead, use the NetworkManager program and its - related management applications, such as nmcli. -

-

- Bugzilla:1664592[1] -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager might not be yet - available in the RHEL web console. -

-
-

- Jira:RHELPLAN-10304[1] -

-
-

Limited support for virtual machine snapshots

-

- Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the - UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, - which negatively impacts the hypervisor performance for certain workloads. -

-
-

- Also note that the current mechanism of creating VM snapshots has been deprecated, and Red Hat does - not recommend using VM snapshots in a production environment. -

-

- Bugzilla:1686057 -

-
-

The Cirrus VGA virtual - GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA. -

-
-

- Bugzilla:1651994[1] -

-
-

SPICE has been deprecated

-

- The SPICE remote display protocol has become deprecated. Note that SPICE will remain supported - in RHEL 8, but Red Hat recommends using alternate solutions for remote display streaming: -

-
-
-
    -
  • - For remote console access, use the VNC protocol. -
  • -
  • - For advanced remote display functions, use third party tools such as RDP, HP RGS, or - Mechdyne TGX. -
  • -
-
-

- Bugzilla:1849563[1] -

-
-

KVM on IBM POWER has been deprecated

-

- Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM - POWER is still supported in RHEL 8, but will become unsupported in a future major release of - RHEL. -

-
-

- Jira:RHELPLAN-71200[1] -

-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. Instead, Red Hat recommends using signatures based on the - SHA-2 algorithm, or later. -

-
-

- Bugzilla:1935497[1] -

-
-

Using SPICE to attach smart card readers to virtual machines has been - deprecated

-

- The SPICE remote display protocol has been deprecated in RHEL 8. Since the only recommended way - to attach smart card readers to virtual machines (VMs) depends on the SPICE protocol, the usage - of smart cards in VMs has also become deprecated in RHEL 8. -

-
-

- In a future major version of RHEL, the functionality of attaching smart card readers to VMs will - only be supported by third party remote visualization solutions. -

-

- Bugzilla:2059626 -

-
-

RDMA-based live migration is deprecated

-

- With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) - has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this - feature will become unsupported in a future major release of RHEL. -

-
-

- Jira:RHELPLAN-153267[1] -

-
-
-
-
-
-

8.20. Containers

-
-
-
-
-

The Podman varlink-based API v1.0 has been removed

-

- The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 - introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API - v1.0 has been completely removed. -

-
-

- Jira:RHELPLAN-45858[1] -

-
-

container-tools:1.0 has been - deprecated

-

- The container-tools:1.0 module has been deprecated and will no - longer receive security updates. It is recommended to use a newer supported stable module - stream, such as container-tools:2.0 or container-tools:3.0. -

-
-

- Jira:RHELPLAN-59825[1] -

-
-

The container-tools:2.0 module has been - deprecated

-

- The container-tools:2.0 module has been deprecated and will no longer receive security updates. - It is recommended to use a newer supported stable module stream, such as container-tools:3.0. -

-
-

- Jira:RHELPLAN-85066[1] -

-
-

Flatpak images except GIMP has been deprecated

-

- The rhel8/firefox-flatpak, rhel8/thunderbird-flatpak, rhel8/inkscape-flatpak, and rhel8/libreoffice-flatpak RHEL 8 Flatpak Applications have been - deprecated and replaced by the RHEL 9 versions. The rhel8/gimp-flatpak Flatpak Application is not deprecated because - there is no replacement yet in RHEL 9. -

-
-

- Bugzilla:2142499 -

-
-

The CNI network stack has been deprecated

-

- The Container Network Interface (CNI) network stack is deprecated and will be removed from - Podman in a future minor release of RHEL. Previously, containers connected to the single - Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark - network stack. You can use the Netavark network stack with Podman and other Open Container - Initiative (OCI) container management applications. The Netavark network stack for Podman is - also compatible with advanced Docker functionalities. Containers in multiple networks can access - containers on any of those networks. -

-
-

- For more information, see Switching - the network stack from CNI to Netavark. -

-

- Jira:RHELDOCS-16755[1] -

-
-

container-tools:3.0 has been - deprecated

-

- The container-tools:3.0 module has been deprecated and will no - longer receive security updates. To continue to build and run Linux Containers on RHEL, use a - newer, stable, and supported module stream, such as container-tools:4.0. -

-
-

- For instructions on switching to a later stream, see Switching - to a later stream. -

-

- Jira:RHELPLAN-146398[1] -

-
-

The rhel8/openssl has been deprecated -

-

- The rhel8/openssl container image has been deprecated. -

-
-

- Jira:RHELDOCS-18107[1] -

-
-

The Inkscape and LibreOffice Flatpak images are deprecated

-

- The rhel9/inkscape-flatpak and rhel9/libreoffice-flatpak Flatpak images, which are available as - Technology Previews, have been deprecated. -

-
-

- Red Hat recommends the following alternatives to these images: -

-
- -
-

- Jira:RHELDOCS-17102[1] -

-
-

pasta as a network name has been - deprecated

-

- The support for pasta as a network name value is deprecated and - will not be accepted in the next major release of Podman, version 5.0. You can use the pasta network name value to create a unique network mode within - Podman by employing the podman run --network and podman create --network commands. -

-
-

- Jira:RHELDOCS-17038[1] -

-
-

The BoltDB database backend has been deprecated

-

- The BoltDB database backend is deprecated as of RHEL 8.10. In a future version of RHEL, the - BoltDB database backend will be removed and will no longer be available to Podman. For Podman, - use the SQLite database backend, which is now the default as of RHEL 8.10. -

-
-

- Jira:RHELDOCS-17461[1] -

-
-

The CNI network stack has been deprecated

-

- The Container Network Interface (CNI) network stack is deprecated and will be removed in a - future release. Use the Netavark network stack instead. For more information, see Switching - the network stack from CNI to Netavark. -

-
-

- Jira:RHELDOCS-17518[1] -

-
-

container-tools:4.0 has been - deprecated

-

- The container-tools:4.0 module has been deprecated and will no - longer receive security updates. To continue to build and run Linux Containers on RHEL, use the - newer, stable, and supported module stream container-tools:rhel8. -

-
-

- For instructions on switching to a later stream, see Switching - to a later stream. -

-

- Jira:RHELPLAN-168223[1] -

-
-
-
-
-
-

8.21. Deprecated packages

-
-
-
-

- This section lists packages that have been deprecated and will probably not be included in a future - major release of Red Hat Enterprise Linux. -

-

- For changes to packages between RHEL 7 and RHEL 8, see Changes - to packages in the Considerations in adopting RHEL 8 - document. -

-
-
Important
-
-

- The support status of deprecated packages remains unchanged within RHEL 8. For more - information about the length of support, see Red Hat Enterprise Linux - Life Cycle and Red - Hat Enterprise Linux Application Streams Life Cycle. -

-
-
-

- The following packages have been deprecated in RHEL 8: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - abrt -
  • -
  • - abrt-addon-ccpp -
  • -
  • - abrt-addon-kerneloops -
  • -
  • - abrt-addon-pstoreoops -
  • -
  • - abrt-addon-vmcore -
  • -
  • - abrt-addon-xorg -
  • -
  • - abrt-cli -
  • -
  • - abrt-console-notification -
  • -
  • - abrt-dbus -
  • -
  • - abrt-desktop -
  • -
  • - abrt-gui -
  • -
  • - abrt-gui-libs -
  • -
  • - abrt-libs -
  • -
  • - abrt-tui -
  • -
  • - adobe-source-sans-pro-fonts -
  • -
  • - adwaita-qt -
  • -
  • - alsa-plugins-pulseaudio -
  • -
  • - amanda -
  • -
  • - amanda-client -
  • -
  • - amanda-libs -
  • -
  • - amanda-server -
  • -
  • - ant-contrib -
  • -
  • - antlr3 -
  • -
  • - antlr32 -
  • -
  • - aopalliance -
  • -
  • - apache-commons-collections -
  • -
  • - apache-commons-compress -
  • -
  • - apache-commons-exec -
  • -
  • - apache-commons-jxpath -
  • -
  • - apache-commons-parent -
  • -
  • - apache-ivy -
  • -
  • - apache-parent -
  • -
  • - apache-resource-bundles -
  • -
  • - apache-sshd -
  • -
  • - apiguardian -
  • -
  • - arpwatch -
  • -
  • - aspnetcore-runtime-3.0 -
  • -
  • - aspnetcore-runtime-3.1 -
  • -
  • - aspnetcore-runtime-5.0 -
  • -
  • - aspnetcore-targeting-pack-3.0 -
  • -
  • - aspnetcore-targeting-pack-3.1 -
  • -
  • - aspnetcore-targeting-pack-5.0 -
  • -
  • - assertj-core -
  • -
  • - authd -
  • -
  • - auto -
  • -
  • - autoconf213 -
  • -
  • - autogen -
  • -
  • - autogen-libopts -
  • -
  • - awscli -
  • -
  • - base64coder -
  • -
  • - bash-doc -
  • -
  • - batik -
  • -
  • - batik-css -
  • -
  • - batik-util -
  • -
  • - bea-stax -
  • -
  • - bea-stax-api -
  • -
  • - bind-export-devel -
  • -
  • - bind-export-libs -
  • -
  • - bind-libs-lite -
  • -
  • - bind-pkcs11 -
  • -
  • - bind-pkcs11-devel -
  • -
  • - bind-pkcs11-libs -
  • -
  • - bind-pkcs11-utils -
  • -
  • - bind-sdb -
  • -
  • - bind-sdb -
  • -
  • - bind-sdb-chroot -
  • -
  • - bitmap-console-fonts -
  • -
  • - bitmap-fixed-fonts -
  • -
  • - bitmap-fonts-compat -
  • -
  • - bitmap-lucida-typewriter-fonts -
  • -
  • - bluez-hid2hci -
  • -
  • - boost-jam -
  • -
  • - boost-signals -
  • -
  • - bouncycastle -
  • -
  • - bpg-algeti-fonts -
  • -
  • - bpg-chveulebrivi-fonts -
  • -
  • - bpg-classic-fonts -
  • -
  • - bpg-courier-fonts -
  • -
  • - bpg-courier-s-fonts -
  • -
  • - bpg-dedaena-block-fonts -
  • -
  • - bpg-dejavu-sans-fonts -
  • -
  • - bpg-elite-fonts -
  • -
  • - bpg-excelsior-caps-fonts -
  • -
  • - bpg-excelsior-condenced-fonts -
  • -
  • - bpg-excelsior-fonts -
  • -
  • - bpg-fonts-common -
  • -
  • - bpg-glaho-fonts -
  • -
  • - bpg-gorda-fonts -
  • -
  • - bpg-ingiri-fonts -
  • -
  • - bpg-irubaqidze-fonts -
  • -
  • - bpg-mikhail-stephan-fonts -
  • -
  • - bpg-mrgvlovani-caps-fonts -
  • -
  • - bpg-mrgvlovani-fonts -
  • -
  • - bpg-nateli-caps-fonts -
  • -
  • - bpg-nateli-condenced-fonts -
  • -
  • - bpg-nateli-fonts -
  • -
  • - bpg-nino-medium-cond-fonts -
  • -
  • - bpg-nino-medium-fonts -
  • -
  • - bpg-sans-fonts -
  • -
  • - bpg-sans-medium-fonts -
  • -
  • - bpg-sans-modern-fonts -
  • -
  • - bpg-sans-regular-fonts -
  • -
  • - bpg-serif-fonts -
  • -
  • - bpg-serif-modern-fonts -
  • -
  • - bpg-ucnobi-fonts -
  • -
  • - brlapi-java -
  • -
  • - bsh -
  • -
  • - buildnumber-maven-plugin -
  • -
  • - byaccj -
  • -
  • - cal10n -
  • -
  • - cbi-plugins -
  • -
  • - cdparanoia -
  • -
  • - cdparanoia-devel -
  • -
  • - cdparanoia-libs -
  • -
  • - cdrdao -
  • -
  • - cmirror -
  • -
  • - codehaus-parent -
  • -
  • - codemodel -
  • -
  • - compat-exiv2-026 -
  • -
  • - compat-guile18 -
  • -
  • - compat-hwloc1 -
  • -
  • - compat-libpthread-nonshared -
  • -
  • - compat-libtiff3 -
  • -
  • - compat-openssl10 -
  • -
  • - compat-sap-c++-11 -
  • -
  • - compat-sap-c++-10 -
  • -
  • - compat-sap-c++-9 -
  • -
  • - createrepo_c-devel -
  • -
  • - ctags -
  • -
  • - ctags-etags -
  • -
  • - culmus-keteryg-fonts -
  • -
  • - culmus-shofar-fonts -
  • -
  • - custodia -
  • -
  • - cyrus-imapd-vzic -
  • -
  • - dbus-c++ -
  • -
  • - dbus-c++-devel -
  • -
  • - dbus-c++-glib -
  • -
  • - dbxtool -
  • -
  • - dejavu-fonts-common -
  • -
  • - dhcp-libs -
  • -
  • - directory-maven-plugin -
  • -
  • - directory-maven-plugin-javadoc -
  • -
  • - dirsplit -
  • -
  • - dleyna-connector-dbus -
  • -
  • - dleyna-core -
  • -
  • - dleyna-renderer -
  • -
  • - dleyna-server -
  • -
  • - dnssec-trigger -
  • -
  • - dnssec-trigger-panel -
  • -
  • - dotnet -
  • -
  • - dotnet-apphost-pack-3.0 -
  • -
  • - dotnet-apphost-pack-3.1 -
  • -
  • - dotnet-apphost-pack-5.0 -
  • -
  • - dotnet-host-fxr-2.1 -
  • -
  • - dotnet-host-fxr-2.1 -
  • -
  • - dotnet-hostfxr-3.0 -
  • -
  • - dotnet-hostfxr-3.1 -
  • -
  • - dotnet-hostfxr-5.0 -
  • -
  • - dotnet-runtime-2.1 -
  • -
  • - dotnet-runtime-3.0 -
  • -
  • - dotnet-runtime-3.1 -
  • -
  • - dotnet-runtime-5.0 -
  • -
  • - dotnet-sdk-2.1 -
  • -
  • - dotnet-sdk-2.1.5xx -
  • -
  • - dotnet-sdk-3.0 -
  • -
  • - dotnet-sdk-3.1 -
  • -
  • - dotnet-sdk-5.0 -
  • -
  • - dotnet-targeting-pack-3.0 -
  • -
  • - dotnet-targeting-pack-3.1 -
  • -
  • - dotnet-targeting-pack-5.0 -
  • -
  • - dotnet-templates-3.0 -
  • -
  • - dotnet-templates-3.1 -
  • -
  • - dotnet-templates-5.0 -
  • -
  • - dotnet5.0-build-reference-packages -
  • -
  • - dptfxtract -
  • -
  • - drpm -
  • -
  • - drpm-devel -
  • -
  • - dump -
  • -
  • - dvd+rw-tools -
  • -
  • - dyninst-static -
  • -
  • - eclipse-ecf -
  • -
  • - eclipse-ecf-core -
  • -
  • - eclipse-ecf-runtime -
  • -
  • - eclipse-emf -
  • -
  • - eclipse-emf-core -
  • -
  • - eclipse-emf-runtime -
  • -
  • - eclipse-emf-xsd -
  • -
  • - eclipse-equinox-osgi -
  • -
  • - eclipse-jdt -
  • -
  • - eclipse-license -
  • -
  • - eclipse-p2-discovery -
  • -
  • - eclipse-pde -
  • -
  • - eclipse-platform -
  • -
  • - eclipse-swt -
  • -
  • - ed25519-java -
  • -
  • - ee4j-parent -
  • -
  • - elfutils-devel-static -
  • -
  • - elfutils-libelf-devel-static -
  • -
  • - emacs-terminal -
  • -
  • - emoji-picker -
  • -
  • - enca -
  • -
  • - enca-devel -
  • -
  • - environment-modules-compat -
  • -
  • - evince-browser-plugin -
  • -
  • - exec-maven-plugin -
  • -
  • - farstream02 -
  • -
  • - felix-gogo-command -
  • -
  • - felix-gogo-runtime -
  • -
  • - felix-gogo-shell -
  • -
  • - felix-scr -
  • -
  • - felix-osgi-compendium -
  • -
  • - felix-osgi-core -
  • -
  • - felix-osgi-foundation -
  • -
  • - felix-parent -
  • -
  • - file-roller -
  • -
  • - fipscheck -
  • -
  • - fipscheck-devel -
  • -
  • - fipscheck-lib -
  • -
  • - firewire -
  • -
  • - fonts-tweak-tool -
  • -
  • - forge-parent -
  • -
  • - freeradius-mysql -
  • -
  • - freeradius-perl -
  • -
  • - freeradius-postgresql -
  • -
  • - freeradius-rest -
  • -
  • - freeradius-sqlite -
  • -
  • - freeradius-unixODBC -
  • -
  • - fuse-sshfs -
  • -
  • - fusesource-pom -
  • -
  • - future -
  • -
  • - gamin -
  • -
  • - gamin-devel -
  • -
  • - gavl -
  • -
  • - gcc-toolset-9 -
  • -
  • - gcc-toolset-9-annobin -
  • -
  • - gcc-toolset-9-build -
  • -
  • - gcc-toolset-9-perftools -
  • -
  • - gcc-toolset-9-runtime -
  • -
  • - gcc-toolset-9-toolchain -
  • -
  • - gcc-toolset-10 -
  • -
  • - gcc-toolset-10-annobin -
  • -
  • - gcc-toolset-10-binutils -
  • -
  • - gcc-toolset-10-binutils-devel -
  • -
  • - gcc-toolset-10-build -
  • -
  • - gcc-toolset-10-dwz -
  • -
  • - gcc-toolset-10-dyninst -
  • -
  • - gcc-toolset-10-dyninst-devel -
  • -
  • - gcc-toolset-10-elfutils -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client-devel -
  • -
  • - gcc-toolset-10-elfutils-devel -
  • -
  • - gcc-toolset-10-elfutils-libelf -
  • -
  • - gcc-toolset-10-elfutils-libelf-devel -
  • -
  • - gcc-toolset-10-elfutils-libs -
  • -
  • - gcc-toolset-10-gcc -
  • -
  • - gcc-toolset-10-gcc-c++ -
  • -
  • - gcc-toolset-10-gcc-gdb-plugin -
  • -
  • - gcc-toolset-10-gcc-gfortran -
  • -
  • - gcc-toolset-10-gdb -
  • -
  • - gcc-toolset-10-gdb-doc -
  • -
  • - gcc-toolset-10-gdb-gdbserver -
  • -
  • - gcc-toolset-10-libasan-devel -
  • -
  • - gcc-toolset-10-libatomic-devel -
  • -
  • - gcc-toolset-10-libitm-devel -
  • -
  • - gcc-toolset-10-liblsan-devel -
  • -
  • - gcc-toolset-10-libquadmath-devel -
  • -
  • - gcc-toolset-10-libstdc++-devel -
  • -
  • - gcc-toolset-10-libstdc++-docs -
  • -
  • - gcc-toolset-10-libtsan-devel -
  • -
  • - gcc-toolset-10-libubsan-devel -
  • -
  • - gcc-toolset-10-ltrace -
  • -
  • - gcc-toolset-10-make -
  • -
  • - gcc-toolset-10-make-devel -
  • -
  • - gcc-toolset-10-perftools -
  • -
  • - gcc-toolset-10-runtime -
  • -
  • - gcc-toolset-10-strace -
  • -
  • - gcc-toolset-10-systemtap -
  • -
  • - gcc-toolset-10-systemtap-client -
  • -
  • - gcc-toolset-10-systemtap-devel -
  • -
  • - gcc-toolset-10-systemtap-initscript -
  • -
  • - gcc-toolset-10-systemtap-runtime -
  • -
  • - gcc-toolset-10-systemtap-sdt-devel -
  • -
  • - gcc-toolset-10-systemtap-server -
  • -
  • - gcc-toolset-10-toolchain -
  • -
  • - gcc-toolset-10-valgrind -
  • -
  • - gcc-toolset-10-valgrind-devel -
  • -
  • - gcc-toolset-11-make-devel -
  • -
  • - gcc-toolset-12-annobin-annocheck -
  • -
  • - gcc-toolset-12-annobin-docs -
  • -
  • - gcc-toolset-12-annobin-plugin-gcc -
  • -
  • - gcc-toolset-12-binutils -
  • -
  • - gcc-toolset-12-binutils-devel -
  • -
  • - gcc-toolset-12-binutils-gold -
  • -
  • - GConf2 -
  • -
  • - GConf2-devel -
  • -
  • - gegl -
  • -
  • - genisoimage -
  • -
  • - genwqe-tools -
  • -
  • - genwqe-vpd -
  • -
  • - genwqe-zlib -
  • -
  • - genwqe-zlib-devel -
  • -
  • - geoipupdate -
  • -
  • - geronimo-annotation -
  • -
  • - geronimo-jms -
  • -
  • - geronimo-jpa -
  • -
  • - geronimo-parent-poms -
  • -
  • - gfbgraph -
  • -
  • - gflags -
  • -
  • - gflags-devel -
  • -
  • - glassfish-annotation-api -
  • -
  • - glassfish-el -
  • -
  • - glassfish-fastinfoset -
  • -
  • - glassfish-jaxb-core -
  • -
  • - glassfish-jaxb-txw2 -
  • -
  • - glassfish-jsp -
  • -
  • - glassfish-jsp-api -
  • -
  • - glassfish-legal -
  • -
  • - glassfish-master-pom -
  • -
  • - glassfish-servlet-api -
  • -
  • - glew-devel -
  • -
  • - glib2-fam -
  • -
  • - glog -
  • -
  • - glog-devel -
  • -
  • - gmock -
  • -
  • - gmock-devel -
  • -
  • - gnome-abrt -
  • -
  • - gnome-boxes -
  • -
  • - gnome-menus-devel -
  • -
  • - gnome-online-miners -
  • -
  • - gnome-shell-extension-disable-screenshield -
  • -
  • - gnome-shell-extension-horizontal-workspaces -
  • -
  • - gnome-shell-extension-no-hot-corner -
  • -
  • - gnome-shell-extension-window-grouper -
  • -
  • - gnome-themes-standard -
  • -
  • - gnu-free-fonts-common -
  • -
  • - gnu-free-mono-fonts -
  • -
  • - gnu-free-sans-fonts -
  • -
  • - gnu-free-serif-fonts -
  • -
  • - gnupg2-smime -
  • -
  • - gnuplot -
  • -
  • - gnuplot-common -
  • -
  • - gobject-introspection-devel -
  • -
  • - google-droid-kufi-fonts -
  • -
  • - google-gson -
  • -
  • - google-noto-kufi-arabic-fonts -
  • -
  • - google-noto-naskh-arabic-fonts -
  • -
  • - google-noto-naskh-arabic-ui-fonts -
  • -
  • - google-noto-nastaliq-urdu-fonts -
  • -
  • - google-noto-sans-balinese-fonts -
  • -
  • - google-noto-sans-bamum-fonts -
  • -
  • - google-noto-sans-batak-fonts -
  • -
  • - google-noto-sans-buginese-fonts -
  • -
  • - google-noto-sans-buhid-fonts -
  • -
  • - google-noto-sans-canadian-aboriginal-fonts -
  • -
  • - google-noto-sans-cham-fonts -
  • -
  • - google-noto-sans-cuneiform-fonts -
  • -
  • - google-noto-sans-cypriot-fonts -
  • -
  • - google-noto-sans-gothic-fonts -
  • -
  • - google-noto-sans-gurmukhi-ui-fonts -
  • -
  • - google-noto-sans-hanunoo-fonts -
  • -
  • - google-noto-sans-inscriptional-pahlavi-fonts -
  • -
  • - google-noto-sans-inscriptional-parthian-fonts -
  • -
  • - google-noto-sans-javanese-fonts -
  • -
  • - google-noto-sans-lepcha-fonts -
  • -
  • - google-noto-sans-limbu-fonts -
  • -
  • - google-noto-sans-linear-b-fonts -
  • -
  • - google-noto-sans-lisu-fonts -
  • -
  • - google-noto-sans-mandaic-fonts -
  • -
  • - google-noto-sans-meetei-mayek-fonts -
  • -
  • - google-noto-sans-mongolian-fonts -
  • -
  • - google-noto-sans-myanmar-fonts -
  • -
  • - google-noto-sans-myanmar-ui-fonts -
  • -
  • - google-noto-sans-new-tai-lue-fonts -
  • -
  • - google-noto-sans-ogham-fonts -
  • -
  • - google-noto-sans-ol-chiki-fonts -
  • -
  • - google-noto-sans-old-italic-fonts -
  • -
  • - google-noto-sans-old-persian-fonts -
  • -
  • - google-noto-sans-oriya-fonts -
  • -
  • - google-noto-sans-oriya-ui-fonts -
  • -
  • - google-noto-sans-phags-pa-fonts -
  • -
  • - google-noto-sans-rejang-fonts -
  • -
  • - google-noto-sans-runic-fonts -
  • -
  • - google-noto-sans-samaritan-fonts -
  • -
  • - google-noto-sans-saurashtra-fonts -
  • -
  • - google-noto-sans-sundanese-fonts -
  • -
  • - google-noto-sans-syloti-nagri-fonts -
  • -
  • - google-noto-sans-syriac-eastern-fonts -
  • -
  • - google-noto-sans-syriac-estrangela-fonts -
  • -
  • - google-noto-sans-syriac-western-fonts -
  • -
  • - google-noto-sans-tagalog-fonts -
  • -
  • - google-noto-sans-tagbanwa-fonts -
  • -
  • - google-noto-sans-tai-le-fonts -
  • -
  • - google-noto-sans-tai-tham-fonts -
  • -
  • - google-noto-sans-tai-viet-fonts -
  • -
  • - google-noto-sans-tibetan-fonts -
  • -
  • - google-noto-sans-tifinagh-fonts -
  • -
  • - google-noto-sans-ui-fonts -
  • -
  • - google-noto-sans-yi-fonts -
  • -
  • - google-noto-serif-bengali-fonts -
  • -
  • - google-noto-serif-devanagari-fonts -
  • -
  • - google-noto-serif-gujarati-fonts -
  • -
  • - google-noto-serif-kannada-fonts -
  • -
  • - google-noto-serif-malayalam-fonts -
  • -
  • - google-noto-serif-tamil-fonts -
  • -
  • - google-noto-serif-telugu-fonts -
  • -
  • - gphoto2 -
  • -
  • - graphviz-ruby -
  • -
  • - gsl-devel -
  • -
  • - gssntlmssp -
  • -
  • - gtest -
  • -
  • - gtest-devel -
  • -
  • - gtkmm24 -
  • -
  • - gtkmm24-devel -
  • -
  • - gtkmm24-docs -
  • -
  • - gtksourceview3 -
  • -
  • - gtksourceview3-devel -
  • -
  • - gtkspell -
  • -
  • - gtkspell-devel -
  • -
  • - gtkspell3 -
  • -
  • - guile -
  • -
  • - gutenprint-gimp -
  • -
  • - gutenprint-libs-ui -
  • -
  • - gvfs-afc -
  • -
  • - gvfs-afp -
  • -
  • - gvfs-archive -
  • -
  • - hamcrest-core -
  • -
  • - hawtjni -
  • -
  • - hawtjni -
  • -
  • - hawtjni-runtime -
  • -
  • - HdrHistogram -
  • -
  • - HdrHistogram-javadoc -
  • -
  • - highlight-gui -
  • -
  • - hivex-devel -
  • -
  • - hostname -
  • -
  • - hplip-gui -
  • -
  • - hspell -
  • -
  • - httpcomponents-project -
  • -
  • - hwloc-plugins -
  • -
  • - hyphen-fo -
  • -
  • - hyphen-grc -
  • -
  • - hyphen-hsb -
  • -
  • - hyphen-ia -
  • -
  • - hyphen-is -
  • -
  • - hyphen-ku -
  • -
  • - hyphen-mi -
  • -
  • - hyphen-mn -
  • -
  • - hyphen-sa -
  • -
  • - hyphen-tk -
  • -
  • - ibus-sayura -
  • -
  • - icedax -
  • -
  • - icu4j -
  • -
  • - idm-console-framework -
  • -
  • - inkscape -
  • -
  • - inkscape-docs -
  • -
  • - inkscape-view -
  • -
  • - iptables -
  • -
  • - ipython -
  • -
  • - isl -
  • -
  • - isl-devel -
  • -
  • - isorelax -
  • -
  • - istack-commons-runtime -
  • -
  • - istack-commons-tools -
  • -
  • - iwl3945-firmware -
  • -
  • - iwl4965-firmware -
  • -
  • - iwl6000-firmware -
  • -
  • - jacoco -
  • -
  • - jaf -
  • -
  • - jaf-javadoc -
  • -
  • - jakarta-oro -
  • -
  • - janino -
  • -
  • - jansi-native -
  • -
  • - jarjar -
  • -
  • - java-1.8.0-ibm -
  • -
  • - java-1.8.0-ibm-demo -
  • -
  • - java-1.8.0-ibm-devel -
  • -
  • - java-1.8.0-ibm-headless -
  • -
  • - java-1.8.0-ibm-jdbc -
  • -
  • - java-1.8.0-ibm-plugin -
  • -
  • - java-1.8.0-ibm-src -
  • -
  • - java-1.8.0-ibm-webstart -
  • -
  • - java-1.8.0-openjdk-accessibility -
  • -
  • - java-1.8.0-openjdk-accessibility-slowdebug -
  • -
  • - java_cup -
  • -
  • - java-atk-wrapper -
  • -
  • - javacc -
  • -
  • - javacc-maven-plugin -
  • -
  • - javaewah -
  • -
  • - javaparser -
  • -
  • - javapoet -
  • -
  • - javassist -
  • -
  • - javassist-javadoc -
  • -
  • - jaxen -
  • -
  • - jboss-annotations-1.2-api -
  • -
  • - jboss-interceptors-1.2-api -
  • -
  • - jboss-logmanager -
  • -
  • - jboss-parent -
  • -
  • - jctools -
  • -
  • - jdepend -
  • -
  • - jdependency -
  • -
  • - jdom -
  • -
  • - jdom2 -
  • -
  • - jetty -
  • -
  • - jetty-continuation -
  • -
  • - jetty-http -
  • -
  • - jetty-io -
  • -
  • - jetty-security -
  • -
  • - jetty-server -
  • -
  • - jetty-servlet -
  • -
  • - jetty-util -
  • -
  • - jffi -
  • -
  • - jflex -
  • -
  • - jgit -
  • -
  • - jline -
  • -
  • - jmc -
  • -
  • - jnr-netdb -
  • -
  • - jolokia-jvm-agent -
  • -
  • - js-uglify -
  • -
  • - jsch -
  • -
  • - json_simple -
  • -
  • - jss-javadoc -
  • -
  • - jtidy -
  • -
  • - junit5 -
  • -
  • - jvnet-parent -
  • -
  • - jzlib -
  • -
  • - kernel-cross-headers -
  • -
  • - khmeros-fonts-common -
  • -
  • - ksc -
  • -
  • - kurdit-unikurd-web-fonts -
  • -
  • - kyotocabinet-libs -
  • -
  • - langtable-data -
  • -
  • - ldapjdk-javadoc -
  • -
  • - lensfun -
  • -
  • - lensfun-devel -
  • -
  • - lftp-scripts -
  • -
  • - libaec -
  • -
  • - libaec-devel -
  • -
  • - libappindicator-gtk3 -
  • -
  • - libappindicator-gtk3-devel -
  • -
  • - libatomic-static -
  • -
  • - libavc1394 -
  • -
  • - libblocksruntime -
  • -
  • - libcacard -
  • -
  • - libcacard-devel -
  • -
  • - libcgroup -
  • -
  • - libcgroup-pam -
  • -
  • - libcgroup-tools -
  • -
  • - libchamplain -
  • -
  • - libchamplain-devel -
  • -
  • - libchamplain-gtk -
  • -
  • - libcroco -
  • -
  • - libcroco-devel -
  • -
  • - libcxl -
  • -
  • - libcxl-devel -
  • -
  • - libdap -
  • -
  • - libdap-devel -
  • -
  • - libdazzle-devel -
  • -
  • - libdbusmenu -
  • -
  • - libdbusmenu-devel -
  • -
  • - libdbusmenu-doc -
  • -
  • - libdbusmenu-gtk3 -
  • -
  • - libdbusmenu-gtk3-devel -
  • -
  • - libdc1394 -
  • -
  • - libdnet -
  • -
  • - libdnet-devel -
  • -
  • - libdv -
  • -
  • - libdwarf -
  • -
  • - libdwarf-devel -
  • -
  • - libdwarf-static -
  • -
  • - libdwarf-tools -
  • -
  • - libeasyfc -
  • -
  • - libeasyfc-gobject -
  • -
  • - libepubgen-devel -
  • -
  • - libertas-sd8686-firmware -
  • -
  • - libertas-usb8388-firmware -
  • -
  • - libertas-usb8388-olpc-firmware -
  • -
  • - libgdither -
  • -
  • - libGLEW -
  • -
  • - libgovirt -
  • -
  • - libguestfs-benchmarking -
  • -
  • - libguestfs-devel -
  • -
  • - libguestfs-gfs2 -
  • -
  • - libguestfs-gobject -
  • -
  • - libguestfs-gobject-devel -
  • -
  • - libguestfs-java -
  • -
  • - libguestfs-java-devel -
  • -
  • - libguestfs-javadoc -
  • -
  • - libguestfs-man-pages-ja -
  • -
  • - libguestfs-man-pages-uk -
  • -
  • - libguestfs-tools -
  • -
  • - libguestfs-tools-c -
  • -
  • - libhugetlbfs -
  • -
  • - libhugetlbfs-devel -
  • -
  • - libhugetlbfs-utils -
  • -
  • - libicu-doc -
  • -
  • - libIDL -
  • -
  • - libIDL-devel -
  • -
  • - libidn -
  • -
  • - libiec61883 -
  • -
  • - libindicator-gtk3 -
  • -
  • - libindicator-gtk3-devel -
  • -
  • - libiscsi-devel -
  • -
  • - libjose-devel -
  • -
  • - libkkc -
  • -
  • - libkkc-common -
  • -
  • - libkkc-data -
  • -
  • - libldb-devel -
  • -
  • - liblogging -
  • -
  • - libluksmeta-devel -
  • -
  • - libmalaga -
  • -
  • - libmcpp -
  • -
  • - libmemcached -
  • -
  • - libmemcached-libs -
  • -
  • - libmetalink -
  • -
  • - libmodulemd1 -
  • -
  • - libmongocrypt -
  • -
  • - libmtp-devel -
  • -
  • - libmusicbrainz5 -
  • -
  • - libmusicbrainz5-devel -
  • -
  • - libnbd-devel -
  • -
  • - libnice -
  • -
  • - libnice-gstreamer1 -
  • -
  • - liboauth -
  • -
  • - liboauth-devel -
  • -
  • - libpfm-static -
  • -
  • - libpng12 -
  • -
  • - libpsm2-compat -
  • -
  • - libpurple -
  • -
  • - libpurple-devel -
  • -
  • - libraw1394 -
  • -
  • - libreport-plugin-mailx -
  • -
  • - libreport-plugin-rhtsupport -
  • -
  • - libreport-plugin-ureport -
  • -
  • - libreport-rhel -
  • -
  • - libreport-rhel-bugzilla -
  • -
  • - librpmem -
  • -
  • - librpmem-debug -
  • -
  • - librpmem-devel -
  • -
  • - libsass -
  • -
  • - libsass-devel -
  • -
  • - libselinux-python -
  • -
  • - libsqlite3x -
  • -
  • - libtalloc-devel -
  • -
  • - libtar -
  • -
  • - libtdb-devel -
  • -
  • - libtevent-devel -
  • -
  • - libtpms-devel -
  • -
  • - libunwind -
  • -
  • - libusal -
  • -
  • - libvarlink -
  • -
  • - libverto-libevent -
  • -
  • - libvirt-admin -
  • -
  • - libvirt-bash-completion -
  • -
  • - libvirt-daemon-driver-storage-gluster -
  • -
  • - libvirt-daemon-driver-storage-iscsi-direct -
  • -
  • - libvirt-devel -
  • -
  • - libvirt-docs -
  • -
  • - libvirt-gconfig -
  • -
  • - libvirt-gobject -
  • -
  • - libvirt-lock-sanlock -
  • -
  • - libvirt-wireshark -
  • -
  • - libvmem -
  • -
  • - libvmem-debug -
  • -
  • - libvmem-devel -
  • -
  • - libvmmalloc -
  • -
  • - libvmmalloc-debug -
  • -
  • - libvmmalloc-devel -
  • -
  • - libvncserver -
  • -
  • - libwinpr-devel -
  • -
  • - libwmf -
  • -
  • - libwmf-devel -
  • -
  • - libwmf-lite -
  • -
  • - libXNVCtrl -
  • -
  • - libyami -
  • -
  • - log4j12 -
  • -
  • - log4j12-javadoc -
  • -
  • - lohit-malayalam-fonts -
  • -
  • - lohit-nepali-fonts -
  • -
  • - lorax-composer -
  • -
  • - lua-guestfs -
  • -
  • - lucene -
  • -
  • - lucene-analysis -
  • -
  • - lucene-analyzers-smartcn -
  • -
  • - lucene-queries -
  • -
  • - lucene-queryparser -
  • -
  • - lucene-sandbox -
  • -
  • - lz4-java -
  • -
  • - lz4-java-javadoc -
  • -
  • - mailman -
  • -
  • - mailx -
  • -
  • - make-devel -
  • -
  • - malaga -
  • -
  • - malaga-suomi-voikko -
  • -
  • - marisa -
  • -
  • - maven-antrun-plugin -
  • -
  • - maven-assembly-plugin -
  • -
  • - maven-clean-plugin -
  • -
  • - maven-dependency-analyzer -
  • -
  • - maven-dependency-plugin -
  • -
  • - maven-doxia -
  • -
  • - maven-doxia-sitetools -
  • -
  • - maven-install-plugin -
  • -
  • - maven-invoker -
  • -
  • - maven-invoker-plugin -
  • -
  • - maven-parent -
  • -
  • - maven-plugins-pom -
  • -
  • - maven-reporting-api -
  • -
  • - maven-reporting-impl -
  • -
  • - maven-resolver-api -
  • -
  • - maven-resolver-connector-basic -
  • -
  • - maven-resolver-impl -
  • -
  • - maven-resolver-spi -
  • -
  • - maven-resolver-transport-wagon -
  • -
  • - maven-resolver-util -
  • -
  • - maven-scm -
  • -
  • - maven-script-interpreter -
  • -
  • - maven-shade-plugin -
  • -
  • - maven-shared -
  • -
  • - maven-verifier -
  • -
  • - maven-wagon-file -
  • -
  • - maven-wagon-http -
  • -
  • - maven-wagon-http-shared -
  • -
  • - maven-wagon-provider-api -
  • -
  • - maven2 -
  • -
  • - meanwhile -
  • -
  • - mercurial -
  • -
  • - mercurial-hgk -
  • -
  • - metis -
  • -
  • - metis-devel -
  • -
  • - mingw32-bzip2 -
  • -
  • - mingw32-bzip2-static -
  • -
  • - mingw32-cairo -
  • -
  • - mingw32-expat -
  • -
  • - mingw32-fontconfig -
  • -
  • - mingw32-freetype -
  • -
  • - mingw32-freetype-static -
  • -
  • - mingw32-gstreamer1 -
  • -
  • - mingw32-harfbuzz -
  • -
  • - mingw32-harfbuzz-static -
  • -
  • - mingw32-icu -
  • -
  • - mingw32-libjpeg-turbo -
  • -
  • - mingw32-libjpeg-turbo-static -
  • -
  • - mingw32-libpng -
  • -
  • - mingw32-libpng-static -
  • -
  • - mingw32-libtiff -
  • -
  • - mingw32-libtiff-static -
  • -
  • - mingw32-openssl -
  • -
  • - mingw32-readline -
  • -
  • - mingw32-sqlite -
  • -
  • - mingw32-sqlite-static -
  • -
  • - mingw64-adwaita-icon-theme -
  • -
  • - mingw64-bzip2 -
  • -
  • - mingw64-bzip2-static -
  • -
  • - mingw64-cairo -
  • -
  • - mingw64-expat -
  • -
  • - mingw64-fontconfig -
  • -
  • - mingw64-freetype -
  • -
  • - mingw64-freetype-static -
  • -
  • - mingw64-gstreamer1 -
  • -
  • - mingw64-harfbuzz -
  • -
  • - mingw64-harfbuzz-static -
  • -
  • - mingw64-icu -
  • -
  • - mingw64-libjpeg-turbo -
  • -
  • - mingw64-libjpeg-turbo-static -
  • -
  • - mingw64-libpng -
  • -
  • - mingw64-libpng-static -
  • -
  • - mingw64-libtiff -
  • -
  • - mingw64-libtiff-static -
  • -
  • - mingw64-nettle -
  • -
  • - mingw64-openssl -
  • -
  • - mingw64-readline -
  • -
  • - mingw64-sqlite -
  • -
  • - mingw64-sqlite-static -
  • -
  • - modello -
  • -
  • - mojo-parent -
  • -
  • - mongo-c-driver -
  • -
  • - mousetweaks -
  • -
  • - mozjs52 -
  • -
  • - mozjs52-devel -
  • -
  • - mozjs60 -
  • -
  • - mozjs60-devel -
  • -
  • - mozvoikko -
  • -
  • - msv-javadoc -
  • -
  • - msv-manual -
  • -
  • - munge-maven-plugin -
  • -
  • - mythes-lb -
  • -
  • - mythes-mi -
  • -
  • - mythes-ne -
  • -
  • - nafees-web-naskh-fonts -
  • -
  • - nbd -
  • -
  • - nbdkit-devel -
  • -
  • - nbdkit-example-plugins -
  • -
  • - nbdkit-gzip-plugin -
  • -
  • - nbdkit-plugin-python-common -
  • -
  • - nbdkit-plugin-vddk -
  • -
  • - ncompress -
  • -
  • - ncurses-compat-libs -
  • -
  • - net-tools -
  • -
  • - netcf -
  • -
  • - netcf-devel -
  • -
  • - netcf-libs -
  • -
  • - network-scripts -
  • -
  • - network-scripts-ppp -
  • -
  • - nkf -
  • -
  • - nodejs-devel -
  • -
  • - nodejs-packaging -
  • -
  • - nss_nis -
  • -
  • - nss-pam-ldapd -
  • -
  • - objectweb-asm -
  • -
  • - objectweb-asm-javadoc -
  • -
  • - objectweb-pom -
  • -
  • - ocaml-bisect-ppx -
  • -
  • - ocaml-camlp4 -
  • -
  • - ocaml-camlp4-devel -
  • -
  • - ocaml-lwt -
  • -
  • - ocaml-mmap -
  • -
  • - ocaml-ocplib-endian -
  • -
  • - ocaml-ounit -
  • -
  • - ocaml-result -
  • -
  • - ocaml-seq -
  • -
  • - opencryptoki-tpmtok -
  • -
  • - opencv-contrib -
  • -
  • - opencv-core -
  • -
  • - opencv-devel -
  • -
  • - openhpi -
  • -
  • - openhpi-libs -
  • -
  • - OpenIPMI-perl -
  • -
  • - openssh-cavs -
  • -
  • - openssh-ldap -
  • -
  • - openssl-ibmpkcs11 -
  • -
  • - opentest4j -
  • -
  • - os-maven-plugin -
  • -
  • - overpass-mono-fonts -
  • -
  • - pakchois -
  • -
  • - pandoc -
  • -
  • - paps-libs -
  • -
  • - paranamer -
  • -
  • - paratype-pt-sans-caption-fonts -
  • -
  • - parfait -
  • -
  • - parfait-examples -
  • -
  • - parfait-javadoc -
  • -
  • - pcp-parfait-agent -
  • -
  • - pcp-pmda-rpm -
  • -
  • - pcp-pmda-vmware -
  • -
  • - pcsc-lite-doc -
  • -
  • - peripety -
  • -
  • - perl-B-Debug -
  • -
  • - perl-B-Lint -
  • -
  • - perl-Class-Factory-Util -
  • -
  • - perl-Class-ISA -
  • -
  • - perl-DateTime-Format-HTTP -
  • -
  • - perl-DateTime-Format-Mail -
  • -
  • - perl-File-CheckTree -
  • -
  • - perl-homedir -
  • -
  • - perl-libxml-perl -
  • -
  • - perl-Locale-Codes -
  • -
  • - perl-Mozilla-LDAP -
  • -
  • - perl-NKF -
  • -
  • - perl-Object-HashBase-tools -
  • -
  • - perl-Package-DeprecationManager -
  • -
  • - perl-Pod-LaTeX -
  • -
  • - perl-Pod-Plainer -
  • -
  • - perl-prefork -
  • -
  • - perl-String-CRC32 -
  • -
  • - perl-SUPER -
  • -
  • - perl-Sys-Virt -
  • -
  • - perl-tests -
  • -
  • - perl-YAML-Syck -
  • -
  • - phodav -
  • -
  • - php-recode -
  • -
  • - php-xmlrpc -
  • -
  • - pidgin -
  • -
  • - pidgin-devel -
  • -
  • - pidgin-sipe -
  • -
  • - pinentry-emacs -
  • -
  • - pinentry-gtk -
  • -
  • - pipewire0.2-devel -
  • -
  • - pipewire0.2-libs -
  • -
  • - platform-python-coverage -
  • -
  • - plexus-ant-factory -
  • -
  • - plexus-bsh-factory -
  • -
  • - plexus-cli -
  • -
  • - plexus-component-api -
  • -
  • - plexus-component-factories-pom -
  • -
  • - plexus-components-pom -
  • -
  • - plexus-i18n -
  • -
  • - plexus-interactivity -
  • -
  • - plexus-pom -
  • -
  • - plexus-velocity -
  • -
  • - plymouth-plugin-throbgress -
  • -
  • - pmreorder -
  • -
  • - postgresql-test-rpm-macros -
  • -
  • - powermock -
  • -
  • - prometheus-jmx-exporter -
  • -
  • - prometheus-jmx-exporter-openjdk11 -
  • -
  • - ptscotch-mpich -
  • -
  • - ptscotch-mpich-devel -
  • -
  • - ptscotch-mpich-devel-parmetis -
  • -
  • - ptscotch-openmpi -
  • -
  • - ptscotch-openmpi-devel -
  • -
  • - purple-sipe -
  • -
  • - pygobject2-doc -
  • -
  • - pygtk2 -
  • -
  • - pygtk2-codegen -
  • -
  • - pygtk2-devel -
  • -
  • - pygtk2-doc -
  • -
  • - python-nose-docs -
  • -
  • - python-nss-doc -
  • -
  • - python-podman-api -
  • -
  • - python-psycopg2-doc -
  • -
  • - python-pymongo-doc -
  • -
  • - python-redis -
  • -
  • - python-schedutils -
  • -
  • - python-slip -
  • -
  • - python-sqlalchemy-doc -
  • -
  • - python-varlink -
  • -
  • - python-virtualenv-doc -
  • -
  • - python2-backports -
  • -
  • - python2-backports-ssl_match_hostname -
  • -
  • - python2-bson -
  • -
  • - python2-coverage -
  • -
  • - python2-docs -
  • -
  • - python2-docs-info -
  • -
  • - python2-funcsigs -
  • -
  • - python2-ipaddress -
  • -
  • - python2-mock -
  • -
  • - python2-nose -
  • -
  • - python2-numpy-doc -
  • -
  • - python2-psycopg2-debug -
  • -
  • - python2-psycopg2-tests -
  • -
  • - python2-pymongo -
  • -
  • - python2-pymongo-gridfs -
  • -
  • - python2-pytest-mock -
  • -
  • - python2-sqlalchemy -
  • -
  • - python2-tools -
  • -
  • - python2-virtualenv -
  • -
  • - python3-bson -
  • -
  • - python3-click -
  • -
  • - python3-coverage -
  • -
  • - python3-cpio -
  • -
  • - python3-custodia -
  • -
  • - python3-docs -
  • -
  • - python3-flask -
  • -
  • - python3-gevent -
  • -
  • - python3-gobject-base -
  • -
  • - python3-hivex -
  • -
  • - python3-html5lib -
  • -
  • - python3-hypothesis -
  • -
  • - python3-ipatests -
  • -
  • - python3-itsdangerous -
  • -
  • - python3-jwt -
  • -
  • - python3-libguestfs -
  • -
  • - python3-mock -
  • -
  • - python3-networkx-core -
  • -
  • - python3-nose -
  • -
  • - python3-nss -
  • -
  • - python3-openipmi -
  • -
  • - python3-pillow -
  • -
  • - python3-ptyprocess -
  • -
  • - python3-pydbus -
  • -
  • - python3-pymongo -
  • -
  • - python3-pymongo-gridfs -
  • -
  • - python3-pyOpenSSL -
  • -
  • - python3-pytoml -
  • -
  • - python3-reportlab -
  • -
  • - python3-schedutils -
  • -
  • - python3-scons -
  • -
  • - python3-semantic_version -
  • -
  • - python3-slip -
  • -
  • - python3-slip-dbus -
  • -
  • - python3-sqlalchemy -
  • -
  • - python3-syspurpose -
  • -
  • - python3-virtualenv -
  • -
  • - python3-webencodings -
  • -
  • - python3-werkzeug -
  • -
  • - python38-asn1crypto -
  • -
  • - python38-numpy-doc -
  • -
  • - python38-psycopg2-doc -
  • -
  • - python38-psycopg2-tests -
  • -
  • - python39-numpy-doc -
  • -
  • - python39-psycopg2-doc -
  • -
  • - python39-psycopg2-tests -
  • -
  • - qemu-kvm-block-gluster -
  • -
  • - qemu-kvm-block-iscsi -
  • -
  • - qemu-kvm-block-ssh -
  • -
  • - qemu-kvm-hw-usbredir -
  • -
  • - qemu-kvm-device-display-virtio-gpu-gl -
  • -
  • - qemu-kvm-device-display-virtio-gpu-pci-gl -
  • -
  • - qemu-kvm-device-display-virtio-vga-gl -
  • -
  • - qemu-kvm-tests -
  • -
  • - qpdf -
  • -
  • - qpdf-doc -
  • -
  • - qperf -
  • -
  • - qpid-proton -
  • -
  • - qrencode -
  • -
  • - qrencode-devel -
  • -
  • - qrencode-libs -
  • -
  • - qt5-qtcanvas3d -
  • -
  • - qt5-qtcanvas3d-examples -
  • -
  • - rarian -
  • -
  • - rarian-compat -
  • -
  • - re2c -
  • -
  • - recode -
  • -
  • - redhat-lsb -
  • -
  • - redhat-lsb-core -
  • -
  • - redhat-lsb-cxx -
  • -
  • - redhat-lsb-desktop -
  • -
  • - redhat-lsb-languages -
  • -
  • - redhat-lsb-printing -
  • -
  • - redhat-lsb-submod-multimedia -
  • -
  • - redhat-lsb-submod-security -
  • -
  • - redhat-lsb-supplemental -
  • -
  • - redhat-lsb-trialuse -
  • -
  • - redhat-menus -
  • -
  • - redhat-support-lib-python -
  • -
  • - redhat-support-tool -
  • -
  • - reflections -
  • -
  • - regexp -
  • -
  • - relaxngDatatype -
  • -
  • - resteasy-javadoc -
  • -
  • - rhsm-gtk -
  • -
  • - rpm-plugin-prioreset -
  • -
  • - rpmemd -
  • -
  • - rsyslog-udpspoof -
  • -
  • - ruby-hivex -
  • -
  • - ruby-libguestfs -
  • -
  • - rubygem-abrt -
  • -
  • - rubygem-abrt-doc -
  • -
  • - rubygem-bson -
  • -
  • - rubygem-bson-doc -
  • -
  • - rubygem-bundler-doc -
  • -
  • - rubygem-mongo -
  • -
  • - rubygem-mongo-doc -
  • -
  • - rubygem-net-telnet -
  • -
  • - rubygem-xmlrpc -
  • -
  • - s390utils-cmsfs -
  • -
  • - samba-pidl -
  • -
  • - samba-test -
  • -
  • - samba-test-libs -
  • -
  • - samyak-devanagari-fonts -
  • -
  • - samyak-fonts-common -
  • -
  • - samyak-gujarati-fonts -
  • -
  • - samyak-malayalam-fonts -
  • -
  • - samyak-odia-fonts -
  • -
  • - samyak-tamil-fonts -
  • -
  • - sane-frontends -
  • -
  • - sanlk-reset -
  • -
  • - sat4j -
  • -
  • - scala -
  • -
  • - scotch -
  • -
  • - scotch-devel -
  • -
  • - SDL_sound -
  • -
  • - selinux-policy-minimum -
  • -
  • - sendmail -
  • -
  • - sgabios -
  • -
  • - sgabios-bin -
  • -
  • - shim-ia32 -
  • -
  • - shrinkwrap -
  • -
  • - sil-padauk-book-fonts -
  • -
  • - sisu-inject -
  • -
  • - sisu-mojos -
  • -
  • - sisu-plexus -
  • -
  • - skkdic -
  • -
  • - SLOF -
  • -
  • - smc-anjalioldlipi-fonts -
  • -
  • - smc-dyuthi-fonts -
  • -
  • - smc-fonts-common -
  • -
  • - smc-kalyani-fonts -
  • -
  • - smc-raghumalayalam-fonts -
  • -
  • - smc-suruma-fonts -
  • -
  • - softhsm-devel -
  • -
  • - sonatype-oss-parent -
  • -
  • - sonatype-plugins-parent -
  • -
  • - sos-collector -
  • -
  • - sparsehash-devel -
  • -
  • - spax -
  • -
  • - spec-version-maven-plugin -
  • -
  • - spice -
  • -
  • - spice-client-win-x64 -
  • -
  • - spice-client-win-x86 -
  • -
  • - spice-glib -
  • -
  • - spice-glib-devel -
  • -
  • - spice-gtk -
  • -
  • - spice-gtk-tools -
  • -
  • - spice-gtk3 -
  • -
  • - spice-gtk3-devel -
  • -
  • - spice-gtk3-vala -
  • -
  • - spice-parent -
  • -
  • - spice-protocol -
  • -
  • - spice-qxl-wddm-dod -
  • -
  • - spice-server -
  • -
  • - spice-server-devel -
  • -
  • - spice-qxl-xddm -
  • -
  • - spice-server -
  • -
  • - spice-streaming-agent -
  • -
  • - spice-vdagent-win-x64 -
  • -
  • - spice-vdagent-win-x86 -
  • -
  • - sssd-libwbclient -
  • -
  • - star -
  • -
  • - stax-ex -
  • -
  • - stax2-api -
  • -
  • - stringtemplate -
  • -
  • - stringtemplate4 -
  • -
  • - subscription-manager-initial-setup-addon -
  • -
  • - subscription-manager-migration -
  • -
  • - subscription-manager-migration-data -
  • -
  • - subversion-javahl -
  • -
  • - SuperLU -
  • -
  • - SuperLU-devel -
  • -
  • - supermin-devel -
  • -
  • - swig -
  • -
  • - swig-doc -
  • -
  • - swig-gdb -
  • -
  • - swtpm-devel -
  • -
  • - swtpm-tools-pkcs11 -
  • -
  • - system-storage-manager -
  • -
  • - systemd-tests -
  • -
  • - tcl-brlapi -
  • -
  • - testng -
  • -
  • - thai-scalable-laksaman-fonts -
  • -
  • - tibetan-machine-uni-fonts -
  • -
  • - timedatex -
  • -
  • - torque-libs -
  • -
  • - tpm-quote-tools -
  • -
  • - tpm-tools -
  • -
  • - tpm-tools-pkcs11 -
  • -
  • - treelayout -
  • -
  • - trousers -
  • -
  • - trousers-lib -
  • -
  • - tuned-profiles-compat -
  • -
  • - tuned-profiles-nfv-host-bin -
  • -
  • - tuned-utils-systemtap -
  • -
  • - tycho -
  • -
  • - uglify-js -
  • -
  • - unbound-devel -
  • -
  • - univocity-output-tester -
  • -
  • - univocity-parsers -
  • -
  • - usbguard-notifier -
  • -
  • - usbredir-devel -
  • -
  • - utf8cpp -
  • -
  • - uthash -
  • -
  • - velocity -
  • -
  • - vinagre -
  • -
  • - vino -
  • -
  • - virt-dib -
  • -
  • - virt-p2v-maker -
  • -
  • - vm-dump-metrics-devel -
  • -
  • - voikko-tools -
  • -
  • - vorbis-tools -
  • -
  • - weld-parent -
  • -
  • - wodim -
  • -
  • - woodstox-core -
  • -
  • - wqy-microhei-fonts -
  • -
  • - wqy-unibit-fonts -
  • -
  • - xdelta -
  • -
  • - xmlgraphics-commons -
  • -
  • - xmlstreambuffer -
  • -
  • - xinetd -
  • -
  • - xorg-x11-apps -
  • -
  • - xorg-x11-drv-qxl -
  • -
  • - xorg-x11-server-Xspice -
  • -
  • - xpp3 -
  • -
  • - xsane-gimp -
  • -
  • - xsom -
  • -
  • - xz-java -
  • -
  • - xz-java-javadoc -
  • -
  • - yajl-devel -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
  • - zsh-html -
  • -
-
-
-
-
-
-
-

8.22. Deprecated and unmaintained devices

-
-
-
-

- This section lists devices (drivers, adapters) that -

-
-
    -
  • - continue to be supported until the end of life of RHEL 8 but will likely not be supported in - future major releases of this product and are not recommended for new deployments. Support - for devices other than those listed remains unchanged. These are deprecated devices. -
  • -
  • - are available but are no longer being tested or updated on a routine basis in RHEL 8. Red - Hat may fix serious bugs, including security bugs, at its discretion. These devices should - no longer be used in production, and it is likely they will be disabled in the next major - release. These are unmaintained devices. -
  • -
-
-

- PCI device IDs are in the format of vendor:device:subvendor:subdevice. If no device ID is listed, - all devices associated with the corresponding driver have been deprecated. To check the PCI IDs of - the hardware on your system, run the lspci -nn command. -

-
-

Table 8.1. Deprecated devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- hns_roce -

-
 
  -

- ebtables -

-
 
  -

- arp_tables -

-
 
  -

- ip_tables -

-
 
  -

- ip6_tables -

-
 
  -

- ip6_set -

-
 
  -

- ip_set -

-
 
  -

- nft_compat -

-
 
  -

- usnic_verbs -

-
 
  -

- vmw_pvrdma -

-
 
  -

- hfi1 -

-
 
  -

- bnx2 -

-
-

- QLogic BCM5706/5708/5709/5716 Driver -

-
  -

- hpsa -

-
-

- Hewlett-Packard Company: Smart Array Controllers -

-
-

- 0x10df:0x0724 -

-
-

- lpfc -

-
-

- Emulex Corporation: OneConnect FCoE Initiator (Skyhawk) -

-
-

- 0x10df:0xe200 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe15000/LPe16000 Series 8Gb/16Gb Fibre Channel Adapter -

-
-

- 0x10df:0xf011 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf015 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf100 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe12000 Series 8Gb Fibre Channel Adapter -

-
-

- 0x10df:0xfc40 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn-X: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xe220 -

-
-

- be2net -

-
-

- Emulex Corporation: OneConnect NIC (Lancer) -

-
-

- 0x1000:0x005b -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2208 [Thunderbolt] -

-
-

- 0x1000:0x006E -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0080 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0081 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0082 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0083 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0084 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0085 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0086 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0087 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
  -

- myri10ge -

-
-

- Myricom 10G driver (10GbE) -

-
  -

- netxen_nic -

-
-

- QLogic/NetXen (1/10) GbE Intelligent Ethernet Driver -

-
-

- 0x1077:0x2031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP8324-based 16Gb Fibre Channel to PCI Express Adapter -

-
-

- 0x1077:0x2532 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP2532-based 8Gb Fibre Channel to PCI Express HBA -

-
-

- 0x1077:0x8031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: 8300 Series 10GbE Converged Network Adapter (FCoE) -

-
  -

- qla3xxx -

-
-

- QLogic ISP3XXX Network Driver v2.03.00-k5 -

-
-

- 0x1924:0x0803 -

-
-

- sfc -

-
-

- Solarflare Communications: SFC9020 10G Ethernet Controller -

-
-

- 0x1924:0x0813 -

-
-

- sfc -

-
-

- Solarflare Communications: SFL9021 10GBASE-T Ethernet Controller -

-
  -

- Soft-RoCE (rdma_rxe) -

-
 
  -

- HNS-RoCE -

-
-

- HNS GE/10GE/25GE/50GE/100GE RDMA Network Controller -

-
  -

- liquidio -

-
-

- Cavium LiquidIO Intelligent Server Adapter Driver -

-
  -

- liquidio_vf -

-
-

- Cavium LiquidIO Intelligent Server Adapter Virtual Function Driver -

-
-
-
-
-

Table 8.2. Unmaintained devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- dl2k -

-
 
  -

- dlci -

-
 
  -

- dnet -

-
 
  -

- hdlc_fr -

-
 
  -

- rdma_rxe -

-
 
  -

- nicvf -

-
 
  -

- nicpf -

-
 
  -

- siw -

-
 
  -

- e1000 -

-
-

- Intel® PRO/1000 Network Driver -

-
  -

- mptbase -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptsas -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptscsih -

-
-

- Fusion MPT SCSI Host driver -

-
  -

- mptspi -

-
-

- Fusion MPT SAS Host driver -

-
-

- 0x1000:0x0071 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MR SAS HBA 2004 -

-
-

- 0x1000:0x0073 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2008 [Falcon] -

-
-

- 0x1000:0x0079 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2108 [Liberator] -

-
  -

- nvmet_tcp -

-
-

- NVMe/TCP target driver -

-
  -

- nvmet-fc -

-
-

- NVMe/Fabrics FC target driver -

-
-
-
[a] - Disabled in RHEL 8.0, re-enabled in RHEL 8.4 due to customer requests. -
-
-
-
-
-
-
-
-
-
-
-

Chapter 9. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8.10. -

-
-
-
-
-

9.1. Installer and image creation

-
-
-
-
-

During RHEL installation on IBM Z, udev does - not assign predictable interface names to RoCE cards enumerated by FID

-

- If you start a RHEL 8.7 or later installation with the net.naming-scheme=rhel-8.7 kernel command-line option, the udev device manager on the RHEL installation media ignores this - setting for RoCE cards enumerated by the function identifier (FID). As a consequence, udev assigns unpredictable interface names to these devices. There is - no workaround during the installation, but you can configure the feature after the installation. - For further details, see Determining - a predictable RoCE device name on the IBM Z platform. -

-
-

- (JIRA:RHEL-11397) -

-
-

Installation fails on IBM Power 10 systems with LPAR and secure boot - enabled

-

- RHEL installer is not integrated with static key secure boot on IBM Power 10 systems. - Consequently, when logical partition (LPAR) is enabled with the secure boot option, the - installation fails with the error, Unable to proceed with RHEL-x.x Installation. -

-
-

- To work around this problem, install RHEL without enabling secure boot. After booting the system: -

-
-
    -
  1. - Copy the signed Kernel into the PReP partition using the dd - command. -
  2. -
  3. - Restart the system and enable secure boot. -
  4. -
-
-

- Once the firmware verifies the bootloader and the kernel, the system boots up successfully. -

-

- For more information, see https://www.ibm.com/support/pages/node/6528884 -

-

- Bugzilla:2025814[1] -

-
-

Unexpected SELinux policies on systems where Anaconda is running as an - application

-

- When Anaconda is running as an application on an already installed system (for example to - perform another installation to an image file using the –image - anaconda option), the system is not prohibited to modify the SELinux types and attributes during - installation. As a consequence, certain elements of SELinux policy might change on the system - where Anaconda is running. -

-
-

- To work around this problem, do not run Anaconda on the production system. Instead, run Anaconda in - a temporary virtual machine to keep the SELinux policy unchanged on a production system. Running - anaconda as part of the system installation process such as installing from boot.iso or dvd.iso is not affected by this - issue. -

-

- Bugzilla:2050140 -

-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installation program or use the authselect Kickstart command during - installation. -

-

- Bugzilla:1640697[1] -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- Bugzilla:1697896[1] -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- Jira:RHEL-4707 -

-
-

Network access is not enabled by default in the installation - program

-

- Several installation features require network access, for example, registration of a system - using the Content Delivery Network (CDN), NTP server support, and network installation sources. - However, network access is not enabled by default, and as a result, these features cannot be - used until network access is enabled. -

-
-

- To work around this problem, add ip=dhcp to boot options to enable - network access when the installation starts. Optionally, passing a Kickstart file or a repository - located on the network using boot options also resolves the problem. As a result, the network-based - installation features can be used. -

-

- Bugzilla:1757877[1] -

-
-

Hard drive partitioned installations with iso9660 filesystem fails -

-

- You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that - is set to ignore any hard disk containing a iso9660 file system - partition. This happens even when RHEL is installed without using a DVD. -

-
-

- To workaround this problem, add the following script in the Kickstart file to format the disc before - the installation starts. -

-

- Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk. -

-
%pre
-wipefs -a /dev/sda
-%end
-

- As a result, installations work as expected without any errors. -

-

- Jira:RHEL-4711 -

-
-

IBM Power systems with HASH MMU mode fail to - boot with memory allocation failures

-

- IBM Power Systems with HASH memory allocation unit (MMU) mode - support kdump up to a maximum of 192 cores. Consequently, the - system fails to boot with memory allocation failures if kdump is - enabled on more than 192 cores. This limitation is due to RMA memory allocations during early - boot in HASH MMU mode. To work around this problem, use the Radix MMU mode with fadump enabled - instead of using kdump. -

-
-

- Bugzilla:2028361[1] -

-
-

RHEL for Edge installer image fails to create mount points when installing - an rpm-ostree payload

-

- When deploying rpm-ostree payloads, used for example in a RHEL for - Edge installer image, the installer does not properly create some mount points for custom - partitions. As a consequence, the installation is aborted with the following error: -

-
-
The command 'mount --bind /mnt/sysimage/data /mnt/sysroot/data' exited with the code 32.
-

- To work around this issue: -

-
-
    -
  • - Use an automatic partitioning scheme and do not add any mount points manually. -
  • -
  • - Manually assign mount points only inside /var directory. For - example, /var/my-mount-point), and - the following standard directories: /, /boot, /var. -
  • -
-
-

- As a result, the installation process finishes successfully. -

-

- Jira:RHEL-4744 -

-
-

Images built with the stig profile remediation - fails to boot with FIPS error

-

- FIPS mode is not supported by RHEL image builder. When using RHEL image builder customized with - the xccdf_org.ssgproject.content_profile_stig profile remediation, - the system fails to boot with the following error: -

-
-
Warning: /boot//.vmlinuz-<kernel version>.x86_64.hmac does not exist
-FATAL: FIPS integrity test failed
-Refusing to continue
-

- Enabling the FIPS policy manually after the system image installation with the fips-mode-setup --enable command does not work, because the /boot directory is on a different partition. System boots successfully if - FIPS is disabled. Currently, there is no workaround available. -

-
-
Note
-
-

- You can manually enable FIPS after installing the image by using the fips-mode-setup --enable command. -

-
-
-

- Jira:RHEL-4649 -

-
-
-
-
-
-

9.2. Security

-
-
-
-
-

OpenSC might not detect CardOS V5.3 card objects correctly

-

- The OpenSC toolkit does not correctly read cache from different PKCS #15 file offsets used in - some CardOS V5.3 cards. Consequently, OpenSC might not be able to list card objects and prevent - using them from different applications. -

-
-

- To work around the problem, turn off file caching by setting the use_file_caching = false option in the /etc/opensc.conf file. -

-

- Jira:RHEL-4077 -

-
-

sshd -T provides inaccurate information about - Ciphers, MACs and KeX algorithms

-

- The output of the sshd -T command does not contain the system-wide - crypto policy configuration or other options that could come from an environment file in /etc/sysconfig/sshd and that are applied as arguments on the sshd command. This occurs because the upstream OpenSSH project did - not support the Include directive to support Red-Hat-provided cryptographic defaults in RHEL 8. - Crypto policies are applied as command-line arguments to the sshd - executable in the sshd.service unit during the service’s start by - using an EnvironmentFile. To work around the problem, use the source command with the environment file and pass the crypto policy - as an argument to the sshd command, as in sshd -T $CRYPTO_POLICY. For additional information, see Ciphers, MACs or KeX - algorithms differ from sshd -T to what is provided by current - crypto policy level. As a result, the output from sshd -T - matches the currently configured crypto policy. -

-
-

- Bugzilla:2044354[1] -

-
-

RHV hypervisor may not work correctly when hardening the system during - installation

-

- When installing Red Hat Virtualization Hypervisor (RHV-H) and applying the Red Hat Enterprise - Linux 8 STIG profile, OSCAP Anaconda Add-on may harden the system as RHEL instead of RVH-H and - remove essential packages for RHV-H. Consequently, the RHV hypervisor may not work. To work - around the problem, install the RHV-H system without applying any profile hardening, and after - the installation is complete, apply the profile by using OpenSCAP. As a result, the RHV - hypervisor works correctly. -

-
-

- Jira:RHEL-1826 -

-
-

CVE OVAL feeds are now only in the compressed format, and data streams are - not in the SCAP 1.3 standard

-

- Red Hat provides CVE OVAL feeds in the bzip2-compressed format and are no longer available in - the XML file format. Because referencing compressed content is not standardized in the Security - Content Automation Protocol (SCAP) 1.3 specification, third-party SCAP scanners can have - problems scanning rules that use the feed. -

-
-

- Bugzilla:2028428 -

-
-

Certain Rsyslog priority strings do not work correctly

-

- Support for the GnuTLS priority string for imtcp that allows - fine-grained control over encryption is not complete. Consequently, the following priority - strings do not work properly in the Rsyslog remote logging application: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- Bugzilla:1679512 -

-
-

Server with GUI and Workstation installations are not possible with CIS Server - profiles

-

- The CIS Server Level 1 and Level 2 security profiles are not compatible with the Server with GUI and Workstation software - selections. As a consequence, a RHEL 8 installation with the Server with GUI software selection and CIS Server profiles is not - possible. An attempted installation using the CIS Server Level 1 or Level 2 profiles and either - of these software selections will generate the error message: -

-
-
package xorg-x11-server-common has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the installation.
-

- If you need to align systems with the Server with GUI or Workstation software selections according to CIS benchmarks, use the CIS - Workstation Level 1 or Level 2 profiles instead. -

-

- Bugzilla:1843932 -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service - enable or disable state remediation is - not needed. Consequently, OpenSCAP might set the services on the installed system to a - non-compliant state. As a workaround, you can scan and remediate the system after the kickstart - installation. This will fix the service-related issues. -

-
-

- Bugzilla:1834716 -

-
-

Kickstart uses org_fedora_oscap instead of - com_redhat_oscap in RHEL 8

-

- The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on - as org_fedora_oscap instead of com_redhat_oscap, which might cause confusion. This is necessary to - keep compatibility with Red Hat Enterprise Linux 7. -

-
-

- Bugzilla:1665082[1] -

-
-

libvirt overrides xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding -

-

- The libvirt virtualization framework enables IPv4 forwarding - whenever a virtual network with a forward mode of route or nat is started. This overrides the configuration by the xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding - rule, and subsequent compliance scans report the fail result when - assessing this rule. -

-
-

- Apply one of these scenarios to work around the problem: -

-
-
    -
  • - Uninstall the libvirt packages if your scenario does not - require them. -
  • -
  • - Change the forwarding mode of virtual networks created by libvirt. -
  • -
  • - Remove the xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding - rule by tailoring your profile. -
  • -
-
-

- Bugzilla:2118758 -

-
-

The fapolicyd utility incorrectly allows - executing changed files

-

- Correctly, the IMA hash of a file should update after any change to the file, and fapolicyd should prevent execution of the changed file. However, this - does not happen due to differences in IMA policy setup and in file hashing by the evctml utility. As a result, the IMA hash is not updated in the - extended attribute of a changed file. Consequently, fapolicyd - incorrectly allows the execution of the changed file. -

-
-

- Jira:RHEL-520[1] -

-
-

The semanage fcontext command reorders local - modifications

-

- The semanage fcontext -l -C command lists local file context - modifications stored in the file_contexts.local file. The restorecon utility processes the entries in the file_contexts.local from the most recent entry to the oldest. - However, semanage fcontext -l -C lists the entries in a different - order. This mismatch between processing order and listing order might cause problems when - managing SELinux rules. -

-
-

- Jira:RHEL-24461[1] -

-
-

OpenSSL in FIPS mode accepts only specific D-H parameters

-

- In FIPS mode, TLS clients that use OpenSSL return a bad dh value - error and abort TLS connections to servers that use manually generated parameters. This is - because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with - Diffie-Hellman parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, - and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL - ignore all other parameters and instead select known parameters of similar size. To work around - this problem, use only the compliant groups. -

-
-

- Bugzilla:1810911[1] -

-
-

crypto-policies incorrectly allow Camellia - ciphers

-

- The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy - levels, as stated in the product documentation. However, the Kerberos protocol enables the - ciphers by default. -

-
-

- To work around the problem, apply the NO-CAMELLIA subpolicy: -

-
# update-crypto-policies --set DEFAULT:NO-CAMELLIA
-

- In the previous command, replace DEFAULT with the cryptographic level - name if you have switched from DEFAULT previously. -

-

- As a result, Camellia ciphers are correctly disallowed across all applications that use system-wide - crypto policies only when you disable them through the workaround. -

-

- Bugzilla:1919155 -

-
-

Smart-card provisioning process through OpenSC pkcs15-init does not work properly

-

- The file_caching option is enabled in the default OpenSC - configuration, and the file caching functionality does not handle some commands from the pkcs15-init tool properly. Consequently, the smart-card provisioning - process through OpenSC fails. -

-
-

- To work around the problem, add the following snippet to the /etc/opensc.conf file: -

-
app pkcs15-init {
-        framework pkcs15 {
-                use_file_caching = false;
-        }
-}
-

- The smart-card provisioning through pkcs15-init only works if you apply - the previously described workaround. -

-

- Bugzilla:1947025 -

-
-

Connections to servers with SHA-1 signatures do not work with - GnuTLS

-

- SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as - insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS - connection to peers that offer such certificates. This behavior is inconsistent with other - system cryptographic libraries. -

-
-

- To work around this problem, upgrade the server to use certificates signed with SHA-256 or stronger - hash, or switch to the LEGACY policy. -

-

- Bugzilla:1628553[1] -

-
-

libselinux-python is available only through - its module

-

- The libselinux-python package contains only Python 2 bindings for - developing SELinux applications and it is used for backward compatibility. For this reason, - libselinux-python is no longer available in the default RHEL 8 - repositories through the yum install libselinux-python command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# yum module enable libselinux-python
-# yum install libselinux-python
-

- Alternatively, install libselinux-python using its install profile with - a single command: -

-
# yum module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- Bugzilla:1666328[1] -

-
-

udica processes UBI 8 containers only when - started with --env container=podman

-

- The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. - This prevents the udica tool from analyzing a container JavaScript - Object Notation (JSON) file. -

-
-

- To work around this problem, start a UBI 8 container using a podman - command with the --env container=podman parameter. As a result, udica can generate an SELinux policy for a UBI 8 container only when you - use the described workaround. -

-

- Bugzilla:1763210 -

-
-

Negative effects of the default logging setup on performance

-

- The default logging environment setup might consume 4 GB of memory or even more and adjustments - of rate-limit values are complex when systemd-journald is running - with rsyslog. -

-
-

- See the Negative effects of the - RHEL default logging setup on performance and their mitigations Knowledgebase article for - more information. -

-

- Jira:RHELPLAN-10431[1] -

-
-

SELINUX=disabled in /etc/selinux/config does not work properly

-

- Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots - with SELinux enabled and switches to disabled mode later in the boot process. This might cause - memory leaks. -

-
-

- To work around this problem, disable SELinux by adding the selinux=0 - parameter to the kernel command line as described in the Changing - SELinux modes at boot time section of the Using - SELinux title if your scenario really requires to completely disable SELinux. -

-

- Jira:RHELPLAN-34199[1] -

-
-

IKE over TCP connections do not work on custom TCP ports

-

- The tcp-remoteport Libreswan configuration option does not work - properly. Consequently, an IKE over TCP connection cannot be established when a scenario - requires specifying a non-default TCP port. -

-
-

- Bugzilla:1989050 -

-
-

scap-security-guide cannot configure - termination of idle sessions

-

- Even though the sshd_set_idle_timeout rule still exists in the data - stream, the former method for idle session timeout of configuring sshd is no longer available. Therefore, the rule is marked as not applicable and cannot harden anything. Other methods for - configuring idle session termination, such as systemd (Logind), are - also not available. As a consequence, scap-security-guide cannot - configure the system to reliably disconnect idle sessions after a certain amount of time. -

-
-

- You can work around this problem in one of the following ways, which might fulfill the security - requirement: -

-
-
    -
  • - Configuring the accounts_tmout rule. However, this variable - could be overridden by using the exec command. -
  • -
  • - Configuring the configure_tmux_lock_after_time and configure_bashrc_exec_tmux rules. This requires installing the - tmux package. -
  • -
  • - Upgrading to RHEL 8.7 or later where the systemd feature is - already implemented together with the proper SCAP rule. -
  • -
-
-

- Jira:RHEL-1804 -

-
-

The OSCAP Anaconda add-on does not fetch tailored profiles in the graphical - installation

-

- The OSCAP Anaconda add-on does not provide an option to select or deselect tailoring of security - profiles in the RHEL graphical installation. Starting from RHEL 8.8, the add-on does not take - tailoring into account by default when installing from archives or RPM packages. Consequently, - the installation displays the following error message instead of fetching an OSCAP tailored - profile: -

-
-
There was an unexpected problem with the supplied content.
-

- To work around this problem, you must specify paths in the %addon org_fedora_oscap section of your Kickstart file, for example: -

-
xccdf-path = /usr/share/xml/scap/sc_tailoring/ds-combined.xml
-tailoring-path = /usr/share/xml/scap/sc_tailoring/tailoring-xccdf.xml
-

- As a result, you can use the graphical installation for OSCAP tailored profiles only with the - corresponding Kickstart specifications. -

-

- Jira:RHEL-1810 -

-
-

OpenSCAP memory-consumption problems

-

- On systems with limited memory, the OpenSCAP scanner might stop prematurely or it might not - generate the results files. To work around this problem, you can customize the scanning profile - to deselect rules that involve recursion over the entire / file - system: -

-
-
-
    -
  • - rpm_verify_hashes -
  • -
  • - rpm_verify_permissions -
  • -
  • - rpm_verify_ownership -
  • -
  • - file_permissions_unauthorized_world_writable -
  • -
  • - no_files_unowned_by_user -
  • -
  • - dir_perms_world_writable_system_owned -
  • -
  • - file_permissions_unauthorized_suid -
  • -
  • - file_permissions_unauthorized_sgid -
  • -
  • - file_permissions_ungroupowned -
  • -
  • - dir_perms_world_writable_sticky_bits -
  • -
-
-

- For more details and more workarounds, see the related Knowledgebase article. -

-

- Bugzilla:2161499 -

-
-

Rebuilding the rpm database assigns incorrect - SELinux labeling

-

- Rebuilding the rpm database with the rpmdb --rebuilddb command assigns incorrect SELinux labels to the - rpm database files. As a consequence, some services that use the - rpm database might not work correctly. To work around this problem - after rebuilding the database, relabel the database by using the restorecon -Rv /var/lib/rpm command. -

-
-

- Bugzilla:2166153 -

-
-

ANSSI BP28 HP SCAP rules for Audit are incorrectly used on the 64-bit ARM - architecture

-

- The ANSSI BP28 High profile in the SCAP Security Guide (SSG) contains the following security - content automation protocol (SCAP) rules that configure the Linux Audit subsystem but are - invalid on the 64-bit ARM architecture: -

-
-
-
    -
  • - audit_rules_unsuccessful_file_modification_creat -
  • -
  • - audit_rules_unsuccessful_file_modification_open -
  • -
  • - audit_rules_file_deletion_events_rename -
  • -
  • - audit_rules_file_deletion_events_rmdir -
  • -
  • - audit_rules_file_deletion_events_unlink -
  • -
  • - audit_rules_dac_modification_chmod -
  • -
  • - audit_rules_dac_modification_chown -
  • -
  • - audit_rules_dac_modification_lchown -
  • -
-
-

- If you configure your RHEL system running on a 64-bit ARM machine by using this profile, the Audit - daemon does not start due to the use of invalid system calls. -

-

- To work around the problem, either use profile tailoring to remove the previously mentioned rules - from the data stream or remove the -S <syscall> snippets by - editing files in the /etc/audit/rules.d directory. The files must not - contain the following system calls: -

-
-
    -
  • - creat -
  • -
  • - open -
  • -
  • - rename -
  • -
  • - rmdir -
  • -
  • - unlink -
  • -
  • - chmod -
  • -
  • - chown -
  • -
  • - lchown -
  • -
-
-

- As a result of any of the two described workarounds, the Audit daemon can start even after you use - the ANSSI BP28 High profile on a 64-bit ARM system. -

-

- Jira:RHEL-1897 -

-
-
-
-
-
-

9.3. RHEL for Edge

-
-
-
-
-

composer-cli fails to build RHEL for Edge - images when nodejs or npm is - included

-

- Currently, while using RHEL image builder, you cannot customize your RHEL 8 Edge images with the - nodejs and npm packages, because it is - not possible to build a RHEL for Edge image with the nodejs - package. The NPM package manager expects its configuration in the {prefix}/etc/npmrc directory and the npm RPM packages a symlink at - the /usr/etc/npmrc directory pointing to /etc/npmrc. To work around this problem, install the nodejs and npm packages after building - your RHEL for Edge system. -

-
-

- Jira:RHELDOCS-17126[1] -

-
-
-
-
-
-

9.4. Subscription management

-
-
-
-
-

syspurpose addons have no effect on the subscription-manager attach --auto output

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose - command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect - the output of running the subscription-manager attach --auto - command. Users who attempt to set values to the addons argument - will not observe any effect on the subscriptions that are auto-attached. -

-
-

- Bugzilla:1687900 -

-
-
-
-
-
-

9.5. Software management

-
-
-
-
-

YUM functionalities or - plug-ins might log messages even if a logging service is not available

-

- Certain YUM functionalities or plug-ins - might log messages to standard output or standard error when a logging service is not available. - The level of the log message indicates where the message is logged: -

-
-
-
    -
  • - Information messages are logged to standard output. -
  • -
  • - Error and debugging messages are logged to standard error. -
  • -
-
-

- As a consequence, when scripting YUM options, - unwanted log messages on standard output or standard error can affect the functionality of the - script. -

-

- To work around this issue, suppress the log messages from standard output and standard error by - using the yum -q command. This suppresses log messages but not command - results that are expected on standard output. -

-

- Jira:RHELPLAN-50409[1] -

-
-

cr_compress_file_with_stat() can cause a - memory leak

-

- The createrepo_c C library has the API cr_compress_file_with_stat() function. This function is declared with - char **dst as a second parameter. Depending on its other - parameters, cr_compress_file_with_stat() either uses dst as an input parameter, or uses it to return an allocated string. - This unpredictable behavior can cause a memory leak, because it does not inform the user when to - free dst contents. -

-
-

- To work around this problem, a new API cr_compress_file_with_stat_v2 - function has been added, which uses the dst parameter only as an input. - It is declared as char *dst. This prevents memory leak. -

-

- Note that the cr_compress_file_with_stat_v2 function is temporary and - will be present only in RHEL 8. Later, cr_compress_file_with_stat() - will be fixed instead. -

-

- Bugzilla:1973588[1] -

-
-

YUM transactions reported as successful when a scriptlet fails

-

- Since RPM version 4.6, post-install scriptlets are allowed to fail without being fatal to the - transaction. This behavior propagates up to YUM as well. This results in scriptlets which might - occasionally fail while the overall package transaction reports as successful. -

-
-

- There is no workaround available at the moment. -

-

- Note that this is expected behavior that remains consistent between RPM and YUM. Any issues in - scriptlets should be addressed at the package level. -

-

- Bugzilla:1986657 -

-
-
-
-
-
-

9.6. Shells and command-line tools

-
-
-
-
-

ipmitool is incompatible with certain server - platforms

-

- The ipmitool utility serves for monitoring, configuring, and - managing devices that support the Intelligent Platform Management Interface (IPMI). The current - version of ipmitool uses Cipher Suite 17 by default instead of the - previous Cipher Suite 3. Consequently, ipmitool fails to - communicate with certain bare metal nodes that announced support for Cipher Suite 17 during - negotiation, but do not actually support this cipher suite. As a result, ipmitool aborts with the no matching cipher suite error message. -

-
-

- For more details, see the related Knowledgebase article. -

-

- To solve this problem, update your baseboard management controller (BMC) firmware to use the Cipher - Suite 17. -

-

- Optionally, if the BMC firmware update is not available, you can work around this problem by forcing - ipmitool to use a certain cipher suite. When invoking a managing task - with ipmitool, add the -C option to the - ipmitool command together with the number of the cipher suite you want to use. See the following - example: -

-
# ipmitool -I lanplus -H myserver.example.com -P mypass -C 3 chassis power status
-

- Jira:RHEL-6846 -

-
-

ReaR fails to recreate a volume group when you do not use clean disks for - restoring

-

- ReaR fails to perform recovery when you want to restore to disks that contain existing data. -

-
-

- To work around this problem, wipe the disks manually before restoring to them if they have been - previously used. To wipe the disks in the rescue environment, use one of the following commands - before running the rear recover command: -

-
-
    -
  • - The dd command to overwrite the disks. -
  • -
  • - The wipefs command with the -a - flag to erase all available metadata. -
  • -
-
-

- See the following example of wiping metadata from the /dev/sda disk: -

-
# wipefs -a /dev/sda[1-9] /dev/sda
-

- This command wipes the metadata from the partitions on /dev/sda first, - and then the partition table itself. -

-

- Bugzilla:1925531 -

-
-

The ReaR rescue image on UEFI systems with - Secure Boot enabled fails to boot with the default settings

-

- ReaR image creation by using the rear mkrescue or rear mkbackup command fails with the following message: -

-
-
grub2-mkstandalone may fail to make a bootable EFI image of GRUB2 (no /usr/*/grub*/x86_64-efi/moddep.lst file)
-(...)
-grub2-mkstandalone: error: /usr/lib/grub/x86_64-efi/modinfo.sh doesn't exist. Please specify --target or --directory.
-

- The missing files are part of the grub2-efi-x64-modules package. If you - install this package, the rescue image is created successfully without any errors. When the UEFI Secure Boot is enabled, the rescue image is not bootable because it - uses a boot loader that is not signed. -

-

- To work around this problem, add the following variables to the /etc/rear/local.conf or /etc/rear/site.conf - ReaR configuration file): -

-
UEFI_BOOTLOADER=/boot/efi/EFI/redhat/grubx64.efi
-SECURE_BOOT_BOOTLOADER=/boot/efi/EFI/redhat/shimx64.efi
-

- With the suggested workaround, the image can be produced successfully even on systems without the - grub2-efi-x64-modules package, and it is bootable on systems with - Secure Boot enabled. In addition, during the system recovery, the bootloader of the recovered system - is set to the EFI shim bootloader. -

-

- For more information about UEFI, Secure Boot, and shim bootloader, see the UEFI: what happens when booting - the system Knowledge Base article. -

-

- Jira:RHELDOCS-18064[1] -

-
-

coreutils might report misleading EPERM error - codes

-

- GNU Core Utilities (coreutils) started using the statx() system call. If a seccomp filter - returns an EPERM error code for unknown system calls, coreutils - might consequently report misleading EPERM error codes because EPERM can not be distinguished - from the actual Operation not permitted error returned by - a working statx() syscall. -

-
-

- To work around this problem, update the seccomp filter to either permit - the statx() syscall, or to return an ENOSYS error code for syscalls it - does not know. -

-

- Bugzilla:2030661 -

-
-

The %vmeff metric from the sysstat package displays incorrect values

-

- The sysstat package provides the %vmeff metric to measure the page reclaim efficiency. The values of - the %vmeff column returned by the sar -B command are incorrect because sysstat does not parse all relevant /proc/vmstat values provided by later kernel versions. To work around - this problem, you can calculate the %vmeff value manually from the - /proc/vmstat file. For details, see Why the sar(1) tool reports %vmeff values - beyond 100 % in RHEL 8 and RHEL 9? -

-
-

- Jira:RHEL-12008 -

-
-

The %util and svctm columns produced by sar and - iostat utilities are invalid

-

- When you collect system usage statistics by using the sar or iostat utilities on a system with kernel version 4.18.0-55.el8 or later, the %util and - svctm columns produced by sar or iostat might contain invalid data. -

-
-

- Jira:RHEL-23074[1] -

-
-
-
-
-
-

9.7. Infrastructure services

-
-
-
-
-

Postfix TLS fingerprint algorithm in the FIPS mode needs to be changed to - SHA-256

-

- By default in RHEL 8, postfix uses MD5 fingerprints with the TLS - for backward compatibility. But in the FIPS mode, the MD5 hashing function is not available, - which may cause TLS to incorrectly function in the default postfix configuration. To work around - this problem, the hashing function needs to be changed to SHA-256 in the postfix configuration - file. -

-
-

- For more details, see the related Knowledgebase article Fix postfix TLS in the FIPS mode by switching - to SHA-256 instead of MD5. -

-

- Bugzilla:1711885 -

-
-

The brltty package is not multilib - compatible

-

- It is not possible to have both 32-bit and 64-bit versions of the brltty package installed. You can either install the 32-bit (brltty.i686) or the 64-bit (brltty.x86_64) version of the package. The 64-bit version is - recommended. -

-
-

- Bugzilla:2008197 -

-
-
-
-
-
-

9.8. Networking

-
-
-
-
-

Outdated third-party modules which use the negative_advice() function can crash the kernel

-

- The core networking operation negative_advice() calls the inline - dst_negative_advice() and __dst_negative_advice() functions. The kernel in RHEL 8.10 patched a - security issue (CVE-2024-36971) in these inline functions. If a third-party module was compiled - before the fix, this module may call negative_advice() incorrectly. - Consequently, the third-party module can crash the kernel. To solve this problem, use an updated - module that correctly calls the negative_advice() function. -

-
-

- Jira:RHELDOCS-18748 -

-
-

RoCE interfaces lose their IP settings due to an unexpected change of the - network interface name

-

- The RDMA over Converged Ethernet (RoCE) interfaces lose their IP settings due to an unexpected - change of the network interface name if both conditions are met: -

-
-
-
    -
  • - User upgrades from a RHEL 8.6 system or earlier. -
  • -
  • - The RoCE card is enumerated by UID. -
  • -
-
-

- To work around this problem: -

-
-
    -
  1. -

    - Create the /etc/systemd/network/98-rhel87-s390x.link file - with the following content: -

    -
    [Match]
    -Architecture=s390x
    -KernelCommandLine=!net.naming-scheme=rhel-8.7
    -
    -[Link]
    -NamePolicy=kernel database slot path
    -AlternativeNamesPolicy=database slot path
    -MACAddressPolicy=persistent
    -
  2. -
  3. - Reboot the system for the changes to take effect. -
  4. -
  5. - Upgrade to RHEL 8.7 or newer. -
  6. -
-
-

- Note that RoCE interfaces that are enumerated by function ID (FID) and are non-unique, will still - use unpredictable interface names unless you set the net.naming-scheme=rhel-8.7 kernel parameter. In this case, the RoCE - interfaces will switch to predictable names with the ens prefix. -

-

- Jira:RHEL-11398[1] -

-
-

Systems with the IPv6_rpfilter option enabled - experience low network throughput

-

- Systems with the IPv6_rpfilter option enabled in the firewalld.conf file currently experience suboptimal performance and - low network throughput in high traffic scenarios, such as 100 Gbps links. To work around the - problem, disable the IPv6_rpfilter option. To do so, add the - following line in the /etc/firewalld/firewalld.conf file. -

-
-
IPv6_rpfilter=no
-

- As a result, the system performs better, but also has reduced security. -

-

- Bugzilla:1871860[1] -

-
-
-
-
-
-

9.9. Kernel

-
-
-
-
-

The kernel ACPI driver reports it has no access to a PCIe ECAM memory - region

-

- The Advanced Configuration and Power Interface (ACPI) table provided by firmware does not define - a memory region on the PCI bus in the Current Resource Settings (_CRS) method for the PCI bus - device. Consequently, the following warning message occurs during the system boot: -

-
-
[    2.817152] acpi PNP0A08:00: [Firmware Bug]: ECAM area [mem 0x30000000-0x31ffffff] not reserved in ACPI namespace
-[    2.827911] acpi PNP0A08:00: ECAM at [mem 0x30000000-0x31ffffff] for [bus 00-1f]
-

- However, the kernel is still able to access the 0x30000000-0x31ffffff - memory region, and can assign that memory region to the PCI Enhanced Configuration Access Mechanism - (ECAM) properly. You can verify that PCI ECAM works correctly by accessing the PCIe configuration - space over the 256 byte offset with the following output: -

-
03:00.0 Non-Volatile memory controller: Sandisk Corp WD Black 2018/PC SN720 NVMe SSD (prog-if 02 [NVM Express])
- ...
-        Capabilities: [900 v1] L1 PM Substates
-                L1SubCap: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2+ ASPM_L1.1- L1_PM_Substates+
-                          PortCommonModeRestoreTime=255us PortTPowerOnTime=10us
-                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
-                           T_CommonMode=0us LTR1.2_Threshold=0ns
-                L1SubCtl2: T_PwrOn=10us
-

- As a result, you can ignore the warning message. -

-

- For more information about the problem, see the "Firmware Bug: ECAM area mem 0x30000000-0x31ffffff not reserved in ACPI namespace" appears - during system boot solution. -

-

- Bugzilla:1868526[1] -

-
-

The tuned-adm profile powersave command causes - the system to become unresponsive

-

- Executing the tuned-adm profile powersave command leads to an - unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx - (CN88xx) processors. Consequently, reboot the system to resume working. To work around this - problem, avoid using the powersave profile if your system matches - the mentioned specifications. -

-
-

- Bugzilla:1609288[1] -

-
-

The HP NMI watchdog does not always generate a crash dump

-

- In certain cases, the hpwdt driver for the HP NMI watchdog is not - able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI - was instead consumed by the perfmon driver. -

-
-

- The missing NMI is initiated by one of two conditions: -

-
-
    -
  1. - The Generate NMI button on the - Integrated Lights-Out (iLO) server management software. This button is triggered by a user. -
  2. -
  3. - The hpwdt watchdog. The expiration by default sends an NMI to - the server. -
  4. -
-
-

- Both sequences typically occur when the system is unresponsive. Under normal circumstances, the NMI - handler for both these situations calls the kernel panic() function and - if configured, the kdump service generates a vmcore file. -

-

- Because of the missing NMI, however, kernel panic() is not called and - vmcore is not collected. -

-

- In the first case (1.), if the system was unresponsive, it remains so. To work around this scenario, - use the virtual Power button to reset or power - cycle the server. -

-

- In the second case (2.), the missing NMI is followed 9 seconds later by a reset from the Automated - System Recovery (ASR). -

-

- The HPE Gen9 Server line experiences this problem in single-digit percentages. The Gen10 at an even - smaller frequency. -

-

- Bugzilla:1602962[1] -

-
-

Reloading an identical crash extension may cause segmentation - faults

-

- When you load a copy of an already loaded crash extension file, it might trigger a segmentation - fault. Currently, the crash utility detects if an original file has been loaded. Consequently, - due to two identical files co-existing in the crash utility, a namespace collision occurs, which - triggers the crash utility to cause a segmentation fault. -

-
-

- You can work around the problem by loading the crash extension file only once. As a result, - segmentation faults no longer occur in the described scenario. -

-

- Bugzilla:1906482 -

-
-

Connections fail when attaching a virtual function to virtual - machine

-

- Pensando network cards that use the ionic device driver silently - accept VLAN tag configuration requests and attempt configuring network connections while - attaching network virtual functions (VF) to a virtual machine - (VM). Such network connections fail as this feature is not yet - supported by the card’s firmware. -

-
-

- Bugzilla:1930576[1] -

-
-

The OPEN MPI library may trigger run-time failures with default - PML

-

- In OPEN Message Passing Interface (OPEN MPI) implementation 4.0.x series, Unified Communication - X (UCX) is the default point-to-point communicator (PML). The later versions of OPEN MPI 4.0.x - series deprecated openib Byte Transfer Layer (BTL). -

-
-

- However, OPEN MPI, when run over a homogeneous - cluster (same hardware and software configuration), UCX still uses openib BTL for MPI one-sided operations. As a consequence, this may - trigger execution errors. To work around this problem: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca btl openib -mca pml ucx -x UCX_NET_DEVICES=mlx5_ib0
-

- where, -

-
-
    -
  • - The -mca btl openib parameter disables openib BTL -
  • -
  • - The -mca pml ucx parameter configures OPEN MPI to use ucx PML. -
  • -
  • - The x UCX_NET_DEVICES= parameter restricts UCX to use the - specified devices -
  • -
-
-

- The OPEN MPI, when run over a heterogeneous - cluster (different hardware and software configuration), it uses UCX as the default PML. As a - consequence, this may cause the OPEN MPI jobs to run with erratic performance, unresponsive - behavior, or crash failures. To work around this problem, set the UCX priority as: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca pml_ucx_priority 5
-

- As a result, the OPEN MPI library is able to choose an alternative available transport layer over - UCX. -

-

- Bugzilla:1866402[1] -

-
-

vmcore capture fails after memory hot-plug or unplug operation

-

- After performing the memory hot-plug or hot-unplug operation, the event comes after updating the - device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical address. - The problem appears if all of the following conditions meet: -

-
-
-
    -
  • - A little-endian variant of IBM Power System runs RHEL 8. -
  • -
  • - The kdump or fadump service is - enabled on the system. -
  • -
-
-

- Consequently, the capture kernel fails to save vmcore if a kernel crash - is triggered after the memory hot-plug or hot-unplug operation. -

-

- To work around this problem, restart the kdump service after hot-plug - or hot-unplug: -

-
# systemctl restart kdump.service
-

- As a result, vmcore is successfully saved in the described scenario. -

-

- Bugzilla:1793389[1] -

-
-

Using irqpoll causes vmcore generation failure

-

- Due to an existing problem with the nvme driver on the 64-bit ARM - architecture that run on the Amazon Web Services Graviton 1 processor, causes vmcore generation to fail when you provide the irqpoll kernel command line parameter to the first kernel. - Consequently, no vmcore file is dumped in the /var/crash/ directory upon a kernel crash. To work around this - problem: -

-
-
-
    -
  1. -

    - Append irqpoll to KDUMP_COMMANDLINE_REMOVE variable in the /etc/sysconfig/kdump file. -

    -
    # KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug quiet log_buf_len swiotlb"
    -
  2. -
  3. -

    - Remove irqpoll from KDUMP_COMMANDLINE_APPEND variable in the /etc/sysconfig/kdump file. -

    -
    # KDUMP_COMMANDLINE_APPEND="irqpoll nr_cpus=1 reset_devices cgroup_disable=memory udev.children-max=2 panic=10 swiotlb=noforce novmcoredd"
    -
  4. -
  5. -

    - Restart the kdump service: -

    -
    # systemctl restart kdump
    -
  6. -
-
-

- As a result, the first kernel boots correctly and the vmcore file is - expected to be captured upon the kernel crash. -

-

- Note that the Amazon Web Services Graviton 2 and Amazon Web Services Graviton 3 processors do not - require you to manually remove the irqpoll parameter in the /etc/sysconfig/kdump file. -

-

- The kdump service can use a significant amount of crash kernel memory - to dump the vmcore file. Ensure that the capture kernel has sufficient - memory available for the kdump service. -

-

- For related information on this Known Issue, see The irqpoll kernel command line parameter - might cause vmcore generation failure article. -

-

- Bugzilla:1654962[1] -

-
-

Hardware certification of the real-time kernel on systems with large - core-counts might require passing the skew-tick=1 boot - parameter

-

- Large or moderate sized systems with numerous sockets and large core-counts can experience - latency spikes due to lock contentions on xtime_lock, which is used - in the timekeeping system. As a consequence, latency spikes and delays in hardware - certifications might occur on multiprocessing systems. As a workaround, you can offset the timer - tick per CPU to start at a different time by adding the skew_tick=1 - boot parameter. -

-
-

- To avoid lock conflicts, enable skew_tick=1: -

-
-
    -
  1. -

    - Enable the skew_tick=1 parameter with grubby. -

    -
    # grubby --update-kernel=ALL --args="skew_tick=1"
    -
  2. -
  3. - Reboot for changes to take effect. -
  4. -
  5. -

    - Verify the new settings by displaying the kernel parameters you pass during boot. -

    -
    cat /proc/cmdline
    -
  6. -
-
-

- Note that enabling skew_tick=1 causes a significant increase in power - consumption and, therefore, it must be enabled only if you are running latency sensitive real-time - workloads. -

-

- Jira:RHEL-9318[1] -

-
-

Debug kernel fails to boot in crash capture environment on RHEL 8 -

-

- Due to the memory-intensive nature of the debug kernel, a problem occurs when the debug kernel - is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to - boot as the capture kernel and a stack trace is generated instead. To work around this problem, - increase the crash kernel memory as required. As a result, the debug kernel boots successfully - in the crash capture environment. -

-
-

- Bugzilla:1659609[1] -

-
-

Allocating crash kernel memory fails at boot time

-

- On some Ampere Altra systems, allocating the crash kernel memory during boot fails when the - 32-bit region is disabled in BIOS settings. Consequently, the kdump - service fails to start. This is caused by memory fragmentation in the region below 4 GB with no - fragment being large enough to contain the crash kernel memory. -

-
-

- To work around this problem, enable the 32-bit memory region in BIOS as follows: -

-
-
    -
  1. - Open the BIOS settings on your system. -
  2. -
  3. - Open the Chipset menu. -
  4. -
  5. - Under Memory Configuration, enable the - Slave 32-bit option. -
  6. -
-
-

- As a result, crash kernel memory allocation within the 32-bit region succeeds and the kdump service works as expected. -

-

- Bugzilla:1940674[1] -

-
-

The QAT manager leaves no spare device for LKCF

-

- The Intel® QuickAssist Technology (QAT) manager (qatmgr) is a user - space process, which by default uses all QAT devices in the system. As a consequence, there are - no QAT devices left for the Linux Kernel Cryptographic Framework (LKCF). There is no need to - work around this situation, as this behavior is expected and a majority of users will use - acceleration from the user space. -

-
-

- Bugzilla:1920086[1] -

-
-

The Solarflare fails to create maximum number of virtual functions - (VFs)

-

- The Solarflare NICs fail to create a maximum number of VFs due to insufficient resources. You - can check the maximum number of VFs that a PCIe device can create in the /sys/bus/pci/devices/PCI_ID/sriov_totalvfs file. To workaround this - problem, you can either adjust the number of VFs or the VF MSI interrupt value to a lower value, - either from Solarflare Boot Manager on startup, or using Solarflare - sfboot utility. The default VF MSI interrupt value is 8. -

-
-
-
    -
  • - To adjust the VF MSI interrupt value using sfboot: -
  • -
-
-
# sfboot vf-msix-limit=2
-
-
Note
-
-

- Adjusting VF MSI interrupt value affects the VF performance. -

-
-
-

- For more information about parameters to be adjusted accordingly, see the Solarflare Server Adapter user guide. -

-

- Bugzilla:1971506[1] -

-
-

Using page_poison=1 can cause a kernel - crash

-

- When using page_poison=1 as the kernel parameter on firmware with - faulty EFI implementation, the operating system can cause the kernel to crash. By default, this - option is disabled and it is not recommended to enable it, especially in production systems. -

-
-

- Bugzilla:2050411[1] -

-
-

The iwl7260-firmware breaks Wi-Fi on Intel - Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1 Gen 4

-

- After updating the iwl7260-firmware or iwl7260-wifi driver to the version provided by RHEL 8.7 and later, - the hardware gets into an incorrect internal state. reports its state incorrectly. Consequently, - Intel Wifi 6 cards may not work and display the error message: -

-
-
kernel: iwlwifi 0000:09:00.0: Failed to start RT ucode: -110
-kernel: iwlwifi 0000:09:00.0: WRT: Collecting data: ini trigger 13 fired (delay=0ms)
-kernel: iwlwifi 0000:09:00.0: Failed to run INIT ucode: -110
-

- An unconfirmed work around is to power off the system and back on again. Do not reboot. -

-

- Bugzilla:2106341[1] -

-
-

Secure boot on IBM Power Systems does not support migration

-

- Currently, on IBM Power Systems, logical partition (LPAR) does not boot after successful - physical volume (PV) migration. As a result, any type of automated migration with secure boot - enabled on a partition fails. -

-
-

- Bugzilla:2126777[1] -

-
-

weak-modules from kmod fails to work with module inter-dependencies

-

- The weak-modules script provided by the kmod package determines which modules are kABI-compatible with - installed kernels. However, while checking modules' kernel compatibility, weak-modules processes modules symbol dependencies from higher to - lower release of the kernel for which they were built. As a consequence, modules with - inter-dependencies built against different kernel releases might be interpreted as - non-compatible, and therefore the weak-modules script fails to work - in this scenario. -

-
-

- To work around the problem, build or put the extra modules against the latest stock kernel before - you install the new kernel. -

-

- Bugzilla:2103605[1] -

-
-

kdump in Ampere Altra servers enters the OOM - state

-

- The firmware in Ampere Altra and Altra Max servers currently causes the kernel to allocate too - many event, interrupt and command queues, which consumes too much memory. As a consequence, the - kdump kernel enters the Out of memory (OOM) state. -

-
-

- To work around this problem, reserve extra memory for kdump by - increasing the value of the crashkernel= kernel option to 640M. -

-

- Bugzilla:2111855[1] -

-
-
-
-
-
-

9.10. File systems and storage

-
-
-
-
-

LVM mirror devices that store a LUKS volume - sometimes become unresponsive

-

- Mirrored LVM devices with a segment type of mirror that store a - LUKS volume might become unresponsive under certain conditions. The unresponsive devices reject - all I/O operations. -

-
-

- To work around the issue, Red Hat recommends that you use LVM RAID 1 devices with a segment type of - raid1 instead of mirror if you need to - stack LUKS volumes on top of resilient software-defined storage. -

-

- The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 device. -

-

- Bugzilla:1730502[1] -

-
-

The /boot file system cannot be placed on - LVM

-

- You cannot place the /boot file system on an LVM logical volume. - This limitation exists for the following reasons: -

-
-
-
    -
  • - On EFI systems, the EFI System Partition - conventionally serves as the /boot file system. The uEFI - standard requires a specific GPT partition type and a specific file system type for this - partition. -
  • -
  • - RHEL 8 uses the Boot Loader Specification (BLS) for - system boot entries. This specification requires that the /boot - file system is readable by the platform firmware. On EFI systems, the platform firmware can - read only the /boot configuration defined by the uEFI standard. -
  • -
  • - The support for LVM logical volumes in the GRUB 2 boot loader is incomplete. Red Hat does - not plan to improve the support because the number of use cases for the feature is - decreasing due to standards such as uEFI and BLS. -
  • -
-
-

- Red Hat does not plan to support /boot on LVM. Instead, Red Hat - provides tools for managing system snapshots and rollback that do not need the /boot file system to be placed on an LVM logical volume. -

-

- Bugzilla:1496229[1] -

-
-

LVM no longer allows creating volume groups with mixed block sizes -

-

- LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where the - physical volumes (PVs) have different logical block sizes. LVM has adopted this change because - file systems fail to mount if you extend the underlying logical volume (LV) with a PV of a - different block size. -

-
-

- To re-enable creating VGs with mixed block sizes, set the allow_mixed_block_sizes=1 option in the lvm.conf file. -

-

- Bugzilla:1768536 -

-
-

Limitations of LVM writecache

-

- The writecache LVM caching method has the following limitations, - which are not present in the cache method: -

-
-
-
    -
  • - You cannot name a writecache logical volume when using pvmove commands. -
  • -
  • - You cannot use logical volumes with writecache in combination - with thin pools or VDO. -
  • -
-
-

- The following limitation also applies to the cache method: -

-
-
    -
  • - You cannot resize a logical volume while cache or writecache is attached to it. -
  • -
-
-

- Jira:RHELPLAN-27987[1], Bugzilla:1798631, - Bugzilla:1808012 -

-
-

System panics after enabling the IOMMU

-

- Enabling the Input-Output Memory Management Unit (IOMMU) on the kernel command line by setting - the intel_iommu parameter to on - results in system panic with general protection fault for the 0x6b6b6b6b6b6b6b6b: 0000 non-canonical address. -

-
-

- To work around this problem, ensure that intel_iommu is set to off. -

-

- Jira:RHEL-1765[1] -

-
-

Device-mapper multipath is not supported when using NVMe/TCP - driver.

-

- The use of device-mapper multipath on top of NVMe/TCP devices can cause reduced performance and - error handling. To avoid this problem, use native NVMe multipath instead of DM multipath tools. - For RHEL 8, you can add the option nvme_core.multipath=Y to the - kernel command line. -

-
-

- Bugzilla:2022359[1] -

-
-

The blk-availability systemd service - deactivates complex device stacks

-

- In systemd, the default block deactivation code does not always - handle complex stacks of virtual block devices correctly. In some configurations, virtual - devices might not be removed during the shutdown, which causes error messages to be logged. To - work around this problem, deactivate complex block device stacks by executing the following - command: -

-
-
# systemctl enable --now blk-availability.service
-

- As a result, complex virtual device stacks are correctly deactivated during shutdown and do not - produce error messages. -

-

- Bugzilla:2011699[1] -

-
-

XFS quota warnings are triggered too often

-

- Using the quota timer results in quota warnings triggering too often, which causes soft quotas - to be enforced faster than they should. To work around this problem, do not use soft quotas, - which will prevent triggering warnings. As a result, the amount of warning messages will not - enforce soft quota limit anymore, respecting the configured timeout. -

-
-

- Bugzilla:2059262[1] -

-
-
-
-
-
-

9.11. Dynamic programming languages, web and database servers

-
-
-
-
-

Git fails to clone or fetch from repositories - with potentially unsafe ownership

-

- To prevent remote code execution and mitigate CVE-2024-32004, stricter - ownership checks have been introduced in Git for cloning local - repositories. Since the update introduced in the RHSA-2024:4084 advisory, Git treats local repositories with potentially unsafe ownership as - dubious. -

-
-

- As a consequence, if you attempt to clone from a repository locally hosted through git-daemon and you are not the owner of the repository, Git returns a security alert about dubious ownership and fails to clone - or fetch from the repository. -

-

- To work around this problem, explicitly mark the repository as safe by executing the following - command: -

-
git config --global --add safe.directory /path/to/repository
-

- Jira:RHELDOCS-18435[1] -

-
-

Creating virtual Python 3.11 environments fails when using the virtualenv utility

-

- The virtualenv utility in RHEL 8, provided by the python3-virtualenv package, is not compatible with Python 3.11. An - attempt to create a virtual environment by using virtualenv will - fail with the following error message: -

-
-
$ virtualenv -p python3.11 venv3.11
-Running virtualenv with interpreter /usr/bin/python3.11
-ERROR: Virtual environments created by virtualenv < 20 are not compatible with Python 3.11.
-ERROR: Use `python3.11 -m venv` instead.
-

- To create Python 3.11 virtual environments, use the python3.11 -m venv - command instead, which uses the venv module from the standard library. -

-

- Bugzilla:2165702 -

-
-

python3.11-lxml does not provide the lxml.isoschematron submodule

-

- The python3.11-lxml package is distributed without the lxml.isoschematron submodule because it is not under an open source - license. The submodule implements ISO Schematron support. As an alternative, pre-ISO-Schematron - validation is available in the lxml.etree.Schematron class. The - remaining content of the python3.11-lxml package is unaffected. -

-
-

- Bugzilla:2157673 -

-
-

PAM plug-in version 1.0 does not work in MariaDB

-

- MariaDB 10.3 provides the Pluggable Authentication Modules (PAM) - plug-in version 1.0. MariaDB 10.5 provides the plug-in versions 1.0 - and 2.0, version 2.0 is the default. -

-
-

- The MariaDB PAM plug-in version 1.0 does not work in RHEL 8. To work - around this problem, use the PAM plug-in version 2.0 provided by the mariadb:10.5 module stream. -

-

- Bugzilla:1942330 -

-
-

Symbol conflicts between OpenLDAP libraries might cause crashes in httpd

-

- When both the libldap and libldap_r - libraries provided by OpenLDAP are loaded and used within a single process, symbol conflicts - between these libraries might occur. Consequently, Apache httpd - child processes using the PHP ldap extension might terminate - unexpectedly if the mod_security or mod_auth_openidc modules are also loaded by the httpd configuration. -

-
-

- Since the RHEL 8.3 update to the Apache Portable Runtime (APR) library, you can work around the - problem by setting the APR_DEEPBIND environment variable, which enables - the use of the RTLD_DEEPBIND dynamic linker option when loading httpd modules. When the APR_DEEPBIND - environment variable is enabled, crashes no longer occur in httpd - configurations that load conflicting libraries. -

-

- Bugzilla:1819607[1] -

-
-

getpwnam() might fail when called by a 32-bit - application

-

- When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, - manually install the missing package by using the yum install nss_nis.i686 command. -

-
-

- Bugzilla:1803161 -

-
-
-
-
-
-

9.12. Identity Management

-
-
-
-
-

Actions required when running Samba as a print server and updating from - RHEL 8.4 and earlier

-

- With this update, the samba package no longer creates the /var/spool/samba/ directory. If you use Samba as a print server and - use /var/spool/samba/ in the [printers] share to spool print jobs, SELinux prevents Samba users - from creating files in this directory. Consequently, print jobs fail and the auditd service logs a denied message in - /var/log/audit/audit.log. To avoid this problem after updating your - system from 8.4 and earlier: -

-
-
-
    -
  1. - Search the [printers] share in the /etc/samba/smb.conf file. -
  2. -
  3. - If the share definition contains path = /var/spool/samba/, - update the setting and set the path parameter to /var/tmp/. -
  4. -
  5. -

    - Restart the smbd service: -

    -
    # systemctl restart smbd
    -
  6. -
-
-

- If you newly installed Samba on RHEL 8.5 or later, no action is required. The default /etc/samba/smb.conf file provided by the samba-common package in this case already uses the /var/tmp/ directory to spool print jobs. -

-

- Bugzilla:2009213[1] -

-
-

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System -

-

- Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of - Certificate System. As a consequence, Certificate System might become unstable and manual steps - are required to recover the system. -

-
-

- Bugzilla:1729215 -

-
-

FIPS mode does not support using a shared secret to establish a - cross-forest trust

-

- Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP - authentication is not FIPS-compliant. To work around this problem, authenticate with an Active - Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS - mode enabled and an AD domain. -

-
-

- Jira:RHEL-4847 -

-
-

Downgrading authselect after the rebase to - version 1.2.2 breaks system authentication

-

- The authselect package has been rebased to the latest upstream - version 1.2.2. Downgrading authselect - is not supported and breaks system authentication for all users, including root. -

-
-

- If you downgraded the authselect package to 1.2.1 or earlier, perform the following steps to work around this - problem: -

-
-
    -
  1. - At the GRUB boot screen, select Red Hat Enterprise Linux with - the version of the kernel that you want to boot and press e to - edit the entry. -
  2. -
  3. - Type single as a separate word at the end of the line that - starts with linux and press Ctrl+X - to start the boot process. -
  4. -
  5. - Upon booting in single-user mode, enter the root password. -
  6. -
  7. -

    - Restore authselect configuration using the following command: -

    -
    # authselect select sssd --force
    -
  8. -
-
-

- Bugzilla:1892761 -

-
-

IdM to AD cross-realm TGS requests fail

-

- The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with - AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). -

-
-

- Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with - the following error: -

-
Generic error (see e-text) while getting credentials for <service principal>
-

- Jira:RHEL-4910 -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- Jira:RHELPLAN-155168[1] -

-
-

pki-core-debuginfo update from RHEL 8.6 to - RHEL 8.7 or later fails

-

- Updating the pki-core-debuginfo package from RHEL 8.6 to RHEL 8.7 - or later fails. To work around this problem, run the following commands: -

-
-
-
    -
  1. - yum remove pki-core-debuginfo -
  2. -
  3. - yum update -y -
  4. -
  5. - yum install pki-core-debuginfo -
  6. -
  7. - yum install idm-pki-symkey-debuginfo idm-pki-tools-debuginfo -
  8. -
-
-

- Jira:RHEL-13125[1] -

-
-

Migrated IdM users might be unable to log in due to mismatching domain - SIDs

-

- If you have used the ipa migrate-ds script to migrate users from - one IdM deployment to another, those users might have problems using IdM services because their - previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM - environment. For example, those users can retrieve a Kerberos ticket with the kinit utility, but they cannot log in. To work around this problem, - see the following Knowledgebase article: Migrated IdM users unable to log in due - to mismatching domain SIDs. -

-
-

- Jira:RHELPLAN-109613[1] -

-
-

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a - two-way cross-forest trust

-

- Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management - (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support - Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the - RC4 NTLM hash that the AD domain controller uses when attempting to authenticate. -

-
-

- Jira:RHEL-4898 -

-
-

Incorrect warning when setting expiration dates for a Kerberos - principal

-

- If you set a password expiration date for a Kerberos principal, the current timestamp is - compared to the expiration timestamp using a 32-bit signed integer variable. If the expiration - date is more than 68 years in the future, it causes an integer variable overflow resulting in - the following warning message being displayed: -

-
-
Warning: Your password will expire in less than one hour on [expiration date]
-

- You can ignore this message, the password will expire correctly at the configured date and time. -

-

- Bugzilla:2125318 -

-
-

Slow enumeration of a large number of entries in the NIS maps on RHEL - 8

-

- When you install the nis_nss package on RHEL 8, the /etc/default/NSS configuration file is missing because the file is no - longer provided by the glibc-common package. As a consequence, - enumeration of a large number of entries in the NIS maps on RHEL 8 takes significantly longer - than on RHEL 7 because every request is processed individually by default and not in batches. -

-
-

- To work around this problem, create the /etc/default/nss file with the - following content and make sure to set the SETENT_BATCH_READ variable - to TRUE: -

-
# /etc/default/nss
-# This file can theoretically contain a bunch of customization variables
-# for Name Service Switch in the GNU C library. For now there are only
-# four variables:
-#
-# NETID_AUTHORITATIVE
-# If set to TRUE, the initgroups() function will accept the information
-# from the netid.byname NIS map as authoritative. This can speed up the
-# function significantly if the group.byname map is large. The content
-# of the netid.byname map is used AS IS. The system administrator has
-# to make sure it is correctly generated.
-#NETID_AUTHORITATIVE=TRUE
-#
-# SERVICES_AUTHORITATIVE
-# If set to TRUE, the getservbyname{,_r}() function will assume
-# services.byservicename NIS map exists and is authoritative, particularly
-# that it contains both keys with /proto and without /proto for both
-# primary service names and service aliases. The system administrator
-# has to make sure it is correctly generated.
-#SERVICES_AUTHORITATIVE=TRUE
-#
-# SETENT_BATCH_READ
-# If set to TRUE, various setXXent() functions will read the entire
-# database at once and then hand out the requests one by one from
-# memory with every getXXent() call. Otherwise each getXXent() call
-# might result into a network communication with the server to get
-# the next entry.
-SETENT_BATCH_READ=TRUE
-#
-# ADJUNCT_AS_SHADOW
-# If set to TRUE, the passwd routines in the NIS NSS module will not
-# use the passwd.adjunct.byname tables to fill in the password data
-# in the passwd structure. This is a security problem if the NIS
-# server cannot be trusted to send the passwd.adjuct table only to
-# privileged clients. Instead the passwd.adjunct.byname table is
-# used to synthesize the shadow.byname table if it does not exist.
-#ADJUNCT_AS_SHADOW=TRUE
-

- Jira:RHEL-34075[1] -

-
-
-
-
-
-

9.13. Desktop

-
-
-
-
-

Disabling flatpak repositories from Software - Repositories is not possible

-

- Currently, it is not possible to disable or remove flatpak - repositories in the Software Repositories tool in the GNOME Software utility. -

-
-

- Bugzilla:1668760 -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft - Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. - In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, use - Hyper-V Server 2019 or later as the host. -

-

- Bugzilla:1583445[1] -

-
-

Drag-and-drop does not work between desktop and applications

-

- Due to a bug in the gnome-shell-extensions package, the - drag-and-drop functionality does not currently work between desktop and applications. Support - for this feature will be added back in a future release. -

-
-

- Bugzilla:1717947 -

-
-

WebKitGTK fails to display web pages on IBM Z

-

- The WebKitGTK web browser engine fails when trying to display web pages on the IBM Z - architecture. The web page remains blank and the WebKitGTK process terminates unexpectedly. -

-
-

- As a consequence, you cannot use certain features of applications that use WebKitGTK to display web - pages, such as the following: -

-
-
    -
  • - The Evolution mail client -
  • -
  • - The GNOME Online Accounts settings -
  • -
  • - The GNOME Help application -
  • -
-
-

- Jira:RHEL-4158 -

-
-
-
-
-
-

9.14. Graphics infrastructures

-
-
-
-
-

The radeon driver fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in the - kexec context correctly. Instead, radeon falls over, which causes the rest of the kdump service to fail. -

-
-

- To work around this problem, disable radeon in kdump by adding the following line to the /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the system and kdump. After starting kdump, the force_rebuild 1 line might be - removed from the configuration file. -

-

- Note that in this scenario, no graphics is available during the dump process, but kdump works correctly. -

-

- Bugzilla:1694705[1] -

-
-

Multiple HDR displays on a single MST topology may not power on -

-

- On systems using NVIDIA Turing GPUs with the nouveau driver, using - a DisplayPort hub (such as a laptop dock) with multiple monitors - which support HDR plugged into it may result in failure to turn on. This is due to the system - erroneously thinking there is not enough bandwidth on the hub to support all of the displays. -

-
-

- Bugzilla:1812577[1] -

-
-

GUI in ESXi might crash due to low video memory

-

- The graphical user interface (GUI) on RHEL virtual machines (VMs) in the VMware ESXi 7.0.1 - hypervisor with vCenter Server 7.0.1 requires a certain amount of video memory. If you connect - multiple consoles or high-resolution monitors to the VM, the GUI requires at least 16 MB of - video memory. If you start the GUI with less video memory, the GUI might terminate unexpectedly. -

-
-

- To work around the problem, configure the hypervisor to assign at least 16 MB of video memory to the - VM. As a result, the GUI on the VM no longer crashes. -

-

- If you encounter this issue, Red Hat recommends that you report it to VMware. -

-

- See also the following VMware article: VMs with high resolution VM console may experience - a crash on ESXi 7.0.1 (83194). -

-

- Bugzilla:1910358[1] -

-
-

VNC Viewer displays wrong colors with the 16-bit color depth on IBM - Z

-

- The VNC Viewer application displays wrong colors when you connect to a VNC session on an IBM Z - server with the 16-bit color depth. -

-
-

- To work around the problem, set the 24-bit color depth on the VNC server. With the Xvnc server, replace the -depth 16 option - with -depth 24 in the Xvnc configuration. -

-

- As a result, VNC clients display the correct colors but use more network bandwidth with the server. -

-

- Bugzilla:1886147 -

-
-

Unable to run graphical applications using sudo command

-

- When trying to run graphical applications as a user with elevated privileges, the application - fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority - file to use regular user credentials for authentication. -

-
-

- To work around this problem, use the sudo -E command to run graphical - applications as a root user. -

-

- Bugzilla:1673073 -

-
-

Hardware acceleration is not supported on ARM

-

- Built-in graphics drivers do not support hardware acceleration or the Vulkan API on the 64-bit - ARM architecture. -

-
-

- To enable hardware acceleration or Vulkan on ARM, install the proprietary Nvidia driver. -

-

- Jira:RHELPLAN-57914[1] -

-
-
-
-
-
-

9.15. Red Hat Enterprise Linux system roles

-
-
-
-
-

Using the RHEL system role with Ansible 2.9 can display a warning about - using dnf with the command - module

-

- Since RHEL 8.8, the RHEL system roles no longer use the warn - parameter in with the dnf module because this parameter was removed - in Ansible Core 2.14. However, if you use the latest rhel-system-roles package still with Ansible 2.9 and a role installs - a package, one of the following warnings can be displayed: -

-
-
[WARNING]: Consider using the dnf module rather than running 'dnf'. If you need to use command because dnf is insufficient you can add 'warn: false' to
-this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
-
[WARNING]: Consider using the yum, dnf or zypper module rather than running 'rpm'. If you need to use command because yum, dnf or zypper is insufficient
-you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
-

- If you want to hide these warnings, add the command_warnings = False - setting to the [Defaults] section of the ansible.cfg file. However, note that this setting disables all warnings - in Ansible. -

-

- Jira:RHELDOCS-17954 -

-
-

Unable to manage localhost by using the localhost hostname in the playbook or inventory

-

- With the inclusion of the ansible-core 2.13 package in RHEL, if you - are running Ansible on the same host you manage your nodes, you cannot do it by using the localhost hostname in your playbook or inventory. This happens - because ansible-core 2.13 uses the python38 module, and many of the libraries are missing, for example, - blivet for the storage role, gobject for the network role. To - workaround this problem, if you are already using the localhost - hostname in your playbook or inventory, you can add a connection, by using ansible_connection=local, or by creating an inventory file that lists - localhost with the ansible_connection=local option. With that, you are able to manage - resources on localhost. For more details, see the article RHEL system roles playbooks - fail when run on localhost. -

-
-

- Bugzilla:2041997 -

-
-

The rhc system role fails on already - registered systems when rhc_auth contains activation - keys

-

- Executing playbook files on already registered systems fails if activation keys are specified - for the rhc_auth parameter. To workaround this issue, do not - specify activation keys when executing the playbook file on the already registered system. -

-
-

- Bugzilla:2186908 -

-
-

Configuring the imuxsock input - basics type causes a problem

-

- Configuring the "imuxsock" input basics type through the logging - RHEL system role and the use_imuxsock option cause a problem in the - resulting configuration on the managed nodes. This role sets the name parameter, however, the "imuxsock" input type does not support - the name parameter. As a result, the rsyslog logging utility prints the parameter 'name' not known – typo in config file? error. -

-
-

- Jira:RHELDOCS-18326 -

-
-

For RHEL 9 UEFI managed nodes the bootloader_password variable of the bootloader RHEL system role does not work

-

- Previously, the bootloader_password variable incorrectly placed the - password information in the /boot/efi/EFI/redhat/user.cfg file. The - proper location was the /boot/grub2/user.cfg file. Consequently, - when you rebooted the managed node to modify any boot loader entry, GRUB2 did not prompt you for - a password. To work around this problem, you can manually move the user.cfg file from the incorrect /boot/efi/EFI/redhat/ directory to the correct /boot/grub2/ directory to achieve the expected behavior. -

-
-

- Jira:RHEL-45711 -

-
-
-
-
-
-

9.16. Virtualization

-
-
-
-
-

Using a large number of queues might cause Windows virtual machines to - fail

-

- Windows virtual machines (VMs) might fail when the virtual Trusted Platform Module (vTPM) device - is enabled and the multi-queue virtio-net feature is - configured to use more than 250 queues. -

-
-

- This problem is caused by a limitation in the vTPM device. The vTPM device has a hardcoded limit on - the maximum number of opened file descriptors. Since multiple file descriptors are opened for every - new queue, the internal vTPM limit can be exceeded, causing the VM to fail. -

-

- To work around this problem, choose one of the following two options: -

-
-
    -
  • - Keep the vTPM device enabled, but use less than 250 queues. -
  • -
  • - Disable the vTPM device to use more than 250 queues. -
  • -
-
-

- Jira:RHEL-13336[1] -

-
-

The Milan VM CPU type is sometimes not - available on AMD Milan systems

-

- On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and - Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS - by default. Consequently, the Milan CPU type might not be available - on these systems. In addition, VM live migration between Milan hosts with different feature flag - settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your host. -

-
-

- Bugzilla:2077770[1] -

-
-

SMT CPU topology is not detected by VMs when using host passthrough mode on - AMD EPYC

-

- When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the - TOPOEXT CPU feature flag is not present. Consequently, the VM is - not able to detect a virtual CPU topology with multiple threads per core. To work around this - problem, boot the VM with the EPYC CPU model instead of host passthrough. -

-
-

- Bugzilla:1740002 -

-
-

Attaching LUN devices to virtual machines using virtio-blk does not - work

-

- The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore - lacks support for features that were deprecated in virtio 1.0. In particular, it is not possible - on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, attaching a - physical disk as a LUN device to a virtual machine fails when using the virtio-blk controller. -

-
-

- Note that physical disks can still be passed through to the guest operating system, but they should - be configured with the device='disk' option rather than device='lun'. -

-

- Bugzilla:1777138[1] -

-
-

Virtual machines sometimes fail to start when using many virtio-blk - disks

-

- Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of - interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to boot, - and displays a dracut-initqueue[392]: Warning: Could not boot - error. -

-
-

- Bugzilla:1719687 -

-
-

Virtual machines with iommu_platform=on fail - to start on IBM POWER

-

- RHEL 8 currently does not support the iommu_platform=on parameter - for virtual machines (VMs) on IBM POWER system. As a consequence, starting a VM with this - parameter on IBM POWER hardware results in the VM becoming unresponsive during the boot process. -

-
-

- Bugzilla:1910848 -

-
-

IBM POWER hosts now work correctly when using the ibmvfc driver

-

- When running RHEL 8 on a PowerVM logical partition (LPAR), a variety of errors could previously - occur due to problems with the ibmvfc driver. As a consequence, a - kernel panic triggered on the host under certain circumstances, such as: -

-
-
-
    -
  • - Using the Live Partition Mobility (LPM) feature -
  • -
  • - Resetting a host adapter -
  • -
  • - Using SCSI error handling (SCSI EH) functions -
  • -
-
-

- With this update, the handling of ibmvfc has been fixed, and the - described kernel panics no longer occur. -

-

- Bugzilla:1961722[1] -

-
-

Using perf kvm record on IBM POWER Systems can - cause the VM to crash

-

- When using a RHEL 8 host on the little-endian variant of IBM POWER hardware, using the perf kvm record command to collect trace event samples for a KVM - virtual machine (VM) in some cases results in the VM becoming unresponsive. This situation - occurs when: -

-
-
-
    -
  • - The perf utility is used by an unprivileged user, and the -p option is used to identify the VM - for example perf kvm record -e trace_cycles -p 12345. -
  • -
  • - The VM was started using the virsh shell. -
  • -
-
-

- To work around this problem, use the perf kvm utility with the -i option to monitor VMs that were created using the virsh shell. For example: -

-
# perf kvm record -e trace_imc/trace_cycles/  -p <guest pid> -i
-

- Note that when using the -i option, child tasks do not inherit - counters, and threads will therefore not be monitored. -

-

- Bugzilla:1924016[1] -

-
-

Windows Server 2016 virtual machines with Hyper-V enabled fail to boot when - using certain CPU models

-

- Currently, it is not possible to boot a virtual machine (VM) that uses Windows Server 2016 as - the guest operating system, has the Hyper-V role enabled, and uses one of the following CPU - models: -

-
-
-
    -
  • - EPYC-IBPB -
  • -
  • - EPYC -
  • -
-
-

- To work around this problem, use the EPYC-v3 CPU - model, or manually enable the xsaves CPU flag - for the VM. -

-

- Bugzilla:1942888[1] -

-
-

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails -

-

- Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes - unresponsive with a Migration status: active status. -

-
-

- To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which - enables the migration to complete successfully. -

-

- Bugzilla:1741436[1] -

-
-

Using virt-customize sometimes causes guestfs-firstboot to fail

-

- After modifying a virtual machine (VM) disk image using the virt-customize utility, the guestfs-firstboot service in some cases fails due to incorrect - SELinux permissions. This causes a variety of problems during VM startup, such as failing user - creation or system registration. -

-
-

- To avoid this problem, use the virt-customize command with the --selinux-relabel option. -

-

- Bugzilla:1554735 -

-
-

Deleting a forward interface from a macvtap virtual network resets all - connection counts of this network

-

- Currently, deleting a forward interface from a macvtap virtual - network with multiple forward interfaces also resets the connection status of the other forward - interfaces of the network. As a consequence, the connection information in the live network XML - is incorrect. Note, however, that this does not affect the functionality of the virtual network. - To work around the issue, restart the libvirtd service on your - host. -

-
-

- Bugzilla:1332758 -

-
-

Virtual machines with SLOF fail to boot in netcat interfaces

-

- When using a netcat (nc) interface to access the console of a - virtual machine (VM) that is currently waiting at the Slimline Open Firmware (SLOF) prompt, the - user input is ignored and VM stays unresponsive. To work around this problem, use the nc -C option when connecting to the VM, or use a telnet interface - instead. -

-
-

- Bugzilla:1974622[1] -

-
-

Attaching mediated devices to virtual machines in virt-manager in some cases fails

-

- The virt-manager application is currently able to detect mediated - devices, but cannot recognize whether the device is active. As a consequence, attempting to - attach an inactive mediated device to a running virtual machine (VM) using virt-manager fails. Similarly, attempting to create a new VM that - uses an inactive mediated device fails with a device not found - error. -

-
-

- To work around this issue, use the virsh nodedev-start or mdevctl start commands to activate the mediated device before using it in - virt-manager. -

-

- Bugzilla:2026985 -

-
-

RHEL 9 virtual machines fail to boot in POWER8 compatibility mode -

-

- Currently, booting a virtual machine (VM) that runs RHEL 9 as its guest operating system fails - if the VM also uses CPU configuration similar to the following: -

-
-
  <cpu mode="host-model">
-    <model>power8</model>
-  </cpu>
-

- To work around this problem, do not use POWER8 compatibility mode in RHEL 9 VMs. -

-

- In addition, note that running RHEL 9 VMs is not possible on POWER8 hosts. -

-

- Bugzilla:2035158 -

-
-

SUID and SGID are not cleared automatically on virtiofs

-

- When you run the virtiofsd service with the killpriv_v2 feature, your system may not automatically clear the SUID - and SGID permissions after performing some file-system operations. Consequently, not clearing - the permissions might cause a potential security threat. To work around this issue, disable the - killpriv_v2 feature by entering the following command: -

-
-
# virtiofsd -o no_killpriv_v2
-

- Bugzilla:1966475[1] -

-
-

Restarting the OVS service on a host might block network connectivity on - its running VMs

-

- When the Open vSwitch (OVS) service restarts or crashes on a host, virtual machines (VMs) that - are running on this host cannot recover the state of the networking device. As a consequence, - VMs might be completely unable to receive packets. -

-
-

- This problem only affects systems that use the packed virtqueue format in their virtio networking stack. -

-

- To work around this problem, use the packed=off parameter in the virtio networking device definition to disable packed virtqueue. With - packed virtqueue disabled, the state of the networking device can, in some situations, be recovered - from RAM. -

-

- Bugzilla:1792683 -

-
-

nodedev-dumpxml does not list attributes - correctly for certain mediated devices

-

- Currently, the nodedev-dumpxml does not list attributes correctly - for mediated devices that were created using the nodedev-create - command. To work around this problem, use the nodedev-define and - nodedev-start commands instead. -

-
-

- Bugzilla:2143160 -

-
-

Starting a VM with an NVIDIA A16 GPU sometimes causes the host GPU to stop - working

-

- Currently, if you start a VM that uses an NVIDIA A16 GPU passthrough device, the NVIDIA A16 GPU - physical device on the host system in some cases stops working. -

-
-

- To work around the problem, reboot the hypervisor and set the reset_method for the GPU device to bus: -

-
# echo bus > /sys/bus/pci/devices/<DEVICE-PCI-ADDRESS>/reset_method
-# cat /sys/bus/pci/devices/<DEVICE-PCI-ADDRESS>/reset_method
-bus
-

- For details, see the Red Hat - Knowledgebase. -

-

- Jira:RHEL-2451[1] -

-
-
-
-
-
-

9.17. RHEL in cloud environments

-
-
-
-
-

Setting static IP in a RHEL virtual machine on a VMware host does not - work

-

- Currently, when using RHEL as a guest operating system of a virtual machine (VM) on a VMware - host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then - reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- To work around this issue, see the VMware Knowledge Base. -

-

- Jira:RHEL-12122 -

-
-

kdump sometimes does not start on Azure and Hyper-V

-

- On RHEL 8 guest operating systems hosted on the Microsoft Azure or Hyper-V hypervisors, starting - the kdump kernel in some cases fails when post-exec notifiers are - enabled. -

-
-

- To work around this problem, disable crash kexec post notifiers: -

-
# echo N > /sys/module/kernel/parameters/crash_kexec_post_notifiers
-

- Bugzilla:1865745[1] -

-
-

The SCSI host address sometimes changes when booting a Hyper-V VM with - multiple guest disks

-

- Currently, when booting a RHEL 8 virtual machine (VM) on the Hyper-V hypervisor, the host - portion of the Host, Bus, Target, Lun (HBTL) SCSI address - in some cases changes. As a consequence, automated tasks set up with the HBTL SCSI - identification or device node in the VM do not work consistently. This occurs if the VM has more - than one disk or if the disks have different sizes. -

-
-

- To work around the problem, modify your kickstart files, using one of the following methods: -

-

- Method 1: Use persistent identifiers for SCSI - devices. -

-

- You can use for example the following powershell script to determine the specific device - identifiers: -

-
# Output what the /dev/disk/by-id/<value> for the specified hyper-v virtual disk.
-# Takes a single parameter which is the virtual disk file.
-# Note: kickstart syntax works with and without the /dev/ prefix.
-param (
-    [Parameter(Mandatory=$true)][string]$virtualdisk
-)
-
-$what = Get-VHD -Path $virtualdisk
-$part = $what.DiskIdentifier.ToLower().split('-')
-
-$p = $part[0]
-$s0 = $p[6] + $p[7] + $p[4] + $p[5] + $p[2] + $p[3] + $p[0] + $p[1]
-
-$p = $part[1]
-$s1 =  $p[2] + $p[3] + $p[0] + $p[1]
-
-[string]::format("/dev/disk/by-id/wwn-0x60022480{0}{1}{2}", $s0, $s1, $part[4])
-

- You can use this script on the hyper-v host, for example as follows: -

-
PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_8.vhdx
-/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_9.vhdx
-/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-

- Afterwards, the disk values can be used in the kickstart file, for example as follows: -

-
part / --fstype=xfs --grow --asprimary --size=8192 --ondisk=/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-part /home --fstype="xfs" --grow --ondisk=/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-

- As these values are specific for each virtual disk, the configuration needs to be done for each VM - instance. It may, therefore, be useful to use the %include syntax to - place the disk information into a separate file. -

-

- Method 2: Set up device selection by size. -

-

- A kickstart file that configures disk selection based on size must include lines similar to the - following: -

-
...
-
-# Disk partitioning information is supplied in a file to kick start
-%include /tmp/disks
-
-...
-
-# Partition information is created during install using the %pre section
-%pre --interpreter /bin/bash --log /tmp/ks_pre.log
-
-	# Dump whole SCSI/IDE disks out sorted from smallest to largest ouputting
-	# just the name
-	disks=(`lsblk -n -o NAME -l -b -x SIZE -d -I 8,3`) || exit 1
-
-	# We are assuming we have 3 disks which will be used
-	# and we will create some variables to represent
-	d0=${disks[0]}
-	d1=${disks[1]}
-	d2=${disks[2]}
-
-	echo "part /home --fstype="xfs" --ondisk=$d2 --grow" >> /tmp/disks
-	echo "part swap --fstype="swap" --ondisk=$d0 --size=4096" >> /tmp/disks
-	echo "part / --fstype="xfs" --ondisk=$d1 --grow" >> /tmp/disks
-	echo "part /boot --fstype="xfs" --ondisk=$d1 --size=1024" >> /tmp/disks
-
-%end
-

- Bugzilla:1906870[1] -

-
-

RHEL instances on Azure fail to boot if provisioned by cloud-init and configured with an NFSv3 mount entry

-

- Currently, booting a RHEL virtual machine (VM) on the Microsoft Azure cloud platform fails if - the VM was provisioned by the cloud-init tool and the guest - operating system of the VM has an NFSv3 mount entry in the /etc/fstab file. -

-
-

- Bugzilla:2081114[1] -

-
-
-
-
-
-

9.18. Supportability

-
-
-
-
-

The getattachment command fails to download - multiple attachments at once

-

- The redhat-support-tool command offers the getattachment subcommand for downloading attachments. However, getattachment is currently only able to download a single attachment - and fails to download multiple attachments. -

-
-

- As a workaround, you can download multiple attachments one by one by passing the case number and - UUID for each attachment in the getattachment subcommand. -

-

- Bugzilla:2064575 -

-
-

redhat-support-tool does not work with the - FUTURE crypto policy

-

- Because a cryptographic key used by a certificate on the Customer Portal API does not meet the - requirements by the FUTURE system-wide cryptographic policy, the - redhat-support-tool utility does not work with this policy level at - the moment. -

-
-

- To work around this problem, use the DEFAULT crypto policy while - connecting to the Customer Portal API. -

-

- Jira:RHEL-2345 -

-
-

Timeout when running sos report on IBM Power - Systems, Little Endian

-

- When running the sos report command on IBM Power Systems, Little - Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of - 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the - plugin’s timeout accordingly: -

-
-
-
    -
  • - For one-time setting, run: -
  • -
-
-
# sos report -k processor.timeout=1800
-
-
    -
  • - For a permanent change, edit the [plugin_options] section of - the /etc/sos/sos.conf file: -
  • -
-
-
[plugin_options]
-# Specify any plugin options and their values here. These options take the form
-# plugin_name.option_name = value
-#rpm.rpmva = off
-processor.timeout = 1800
-

- The example value is set to 1800. The particular timeout value highly depends on a specific system. - To set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one - plugin with no timeout by running the following command: -

-
# time sos report -o processor -k processor.timeout=0 --batch --build
-

- Bugzilla:2011413[1] -

-
-
-
-
-
-

9.19. Containers

-
-
-
-
-

Running systemd within an older container image does not work

-

- Running systemd within an older container image, for example, centos:7, does not work: -

-
-
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd
- Storing signatures
- Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
- [!!!!!!] Failed to mount API filesystems, freezing.
-

- To work around this problem, use the following commands: -

-
# mkdir /sys/fs/cgroup/systemd
-# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
-# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
-

- Jira:RHELPLAN-96940[1] -

-
-
-
-
-
-
-

Chapter 10. Internationalization

-
-
-
-
-
-
-
-

10.1. Red Hat Enterprise Linux 8 international languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangul -

-
-
-
-
-
-
-
-

10.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • - Internationalization is distributed in multiple packages, which allows for smaller footprint - installations. For more information, see Using - langpacks. -
  • -
  • - A number of glibc locales have been synchronized with Unicode - Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA tickets are listed in this document for reference. The links lead to the release notes - in this document that describe the tickets. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- Jira:RHEL-19028, Jira:RHEL-19240, - Jira:RHEL-5390, - Jira:RHEL-5143, - Jira:RHEL-5107, - Jira:RHEL-16338, - Jira:RHEL-14025, - Jira:RHEL-5135 -

-
-

- Release Notes -

-
-

- Jira:RHELDOCS-17954, - Jira:RHELDOCS-18326, - Jira:RHELDOCS-16861, Jira:RHELDOCS-16755, Jira:RHELDOCS-16612, Jira:RHELDOCS-17102, - Jira:RHELDOCS-17518 -

-
-

- SLOF -

-
-

- Bugzilla:1910848 -

-
-

- accel-config -

-
-

- Bugzilla:1843266 -

-
-

- anaconda -

-
-

- Jira:RHEL-13151, - Bugzilla:2050140, - Jira:RHEL-4707, - Jira:RHEL-4711, - Jira:RHEL-4744 -

-
-

- ansible-collection-microsoft-sql -

-
-

- Jira:RHEL-19204, Jira:RHEL-19202, - Jira:RHEL-19203 -

-
-

- ansible-freeipa -

-
-

- Jira:RHEL-16938, - Jira:RHEL-16933, - Jira:RHEL-19133, - Jira:RHEL-4963, - Jira:RHEL-19129 -

-
-

- ant -

-
-

- Jira:RHEL-5365 -

-
-

- apr -

-
-

- Bugzilla:1819607 -

-
-

- audit -

-
-

- Jira:RHEL-15001 -

-
-

- authselect -

-
-

- Bugzilla:1892761 -

-
-

- bacula -

-
-

- Jira:RHEL-6859 -

-
-

- brltty -

-
-

- Bugzilla:2008197 -

-
-

- chrony -

-
-

- Jira:RHEL-21069 -

-
-

- clang -

-
-

- Jira:RHEL-9299 -

-
-

- cloud-init -

-
-

- Jira:RHEL-7312, - Jira:RHEL-7278, - Jira:RHEL-12122 -

-
-

- cmake -

-
-

- Jira:RHEL-7396 -

-
-

- cockpit -

-
-

- Bugzilla:1666722 -

-
-

- coreutils -

-
-

- Bugzilla:2030661 -

-
-

- corosync-qdevice -

-
-

- Bugzilla:1784200 -

-
-

- crash -

-
-

- Jira:RHEL-9010, Bugzilla:1906482 -

-
-

- crash-ptdump-command -

-
-

- Bugzilla:1838927 -

-
-

- createrepo_c -

-
-

- Bugzilla:1973588 -

-
-

- crypto-policies -

-
-

- Jira:RHEL-2345, - Bugzilla:1919155, - Bugzilla:1660839 -

-
-

- device-mapper-multipath -

-
-

- Jira:RHEL-6677, - Jira:RHEL-16563, - Bugzilla:2022359, - Bugzilla:2011699 -

-
-

- distribution -

-
-

- Jira:RHEL-17090, Bugzilla:1657927 -

-
-

- dnf -

-
-

- Bugzilla:1986657 -

-
-

- dnf-plugins-core -

-
-

- Jira:RHEL-17356, - Jira:RHELPLAN-50409 -

-
-

- edk2 -

-
-

- Bugzilla:1741615, - Bugzilla:1935497 -

-
-

- elfutils -

-
-

- Jira:RHEL-15924 -

-
-

- fapolicyd -

-
-

- Jira:RHEL-520, - Bugzilla:2054741 -

-
-

- fence-agents -

-
-

- Bugzilla:1775847 -

-
-

- firewalld -

-
-

- Bugzilla:1871860 -

-
-

- gcc-toolset-13-binutils -

-
-

- Jira:RHEL-25405 -

-
-

- gdb -

-
-

- Bugzilla:1853140 -

-
-

- git -

-
-

- Jira:RHEL-17103 -

-
-

- git-lfs -

-
-

- Jira:RHEL-17102 -

-
-

- glibc -

-
-

- Jira:RHEL-13720, - Jira:RHEL-10481, - Jira:RHEL-19824 -

-
-

- gnome-shell-extensions -

-
-

- Bugzilla:1717947 -

-
-

- gnome-software -

-
-

- Bugzilla:1668760 -

-
-

- gnutls -

-
-

- Bugzilla:1628553 -

-
-

- golang -

-
-

- Jira:RHEL-11872 -

-
-

- grafana -

-
-

- Jira:RHEL-7503 -

-
-

- grub2 -

-
-

- Jira:RHEL-15856, Jira:RHEL-15583, Bugzilla:1583445 -

-
-

- initscripts -

-
-

- Bugzilla:1875485 -

-
-

- ipa -

-
-

- Jira:RHEL-16936, Jira:RHEL-12153, - Jira:RHEL-4964, - Jira:RHEL-10495, - Jira:RHEL-4847, - Jira:RHEL-4898, - Bugzilla:1664719, - Bugzilla:1664718 -

-
-

- ipmitool -

-
-

- Jira:RHEL-6846 -

-
-

- kernel -

-
-

- Bugzilla:2041881, Jira:RHEL-11597, - Bugzilla:1868526, - Bugzilla:1694705, - Bugzilla:1730502, - Bugzilla:1609288, - Bugzilla:1602962, - Bugzilla:1865745, - Bugzilla:1906870, - Bugzilla:1924016, - Bugzilla:1942888, - Bugzilla:1812577, - Bugzilla:1910358, Bugzilla:1930576, - Bugzilla:1793389, - Bugzilla:1654962, Bugzilla:1940674, - Bugzilla:1920086, Bugzilla:1971506, - Bugzilla:2059262, Bugzilla:2050411, Bugzilla:2106341, - Bugzilla:1605216, Bugzilla:1519039, - Bugzilla:1627455, - Bugzilla:1501618, Bugzilla:1633143, Bugzilla:1814836, - Bugzilla:1839311, - Bugzilla:1696451, - Bugzilla:1348508, - Bugzilla:1836977, Bugzilla:1878207, Bugzilla:1665295, - Bugzilla:1871863, - Bugzilla:1569610, Bugzilla:1794513 -

-
-

- kernel / DMA Engine -

-
-

- Jira:RHEL-10097 -

-
-

- kernel / Networking / NIC Drivers -

-
-

- Jira:RHEL-11398 -

-
-

- kernel / Networking / Protocol / tcp -

-
-

- Jira:RHEL-6113 -

-
-

- kernel / Storage / Device Mapper / Crypt -

-
-

- Jira:RHEL-22232 -

-
-

- kernel / Storage / Storage Drivers -

-
-

- Jira:RHEL-1765 -

-
-

- kernel / Virtualization / KVM -

-
-

- Jira:RHEL-2451 -

-
-

- kernel-rt / Other -

-
-

- Jira:RHEL-9318 -

-
-

- kexec-tools -

-
-

- Bugzilla:2111855 -

-
-

- kmod -

-
-

- Bugzilla:2103605 -

-
-

- krb5 -

-
-

- Jira:RHEL-4910, Bugzilla:2125318, - Bugzilla:1877991 -

-
-

- libdnf -

-
-

- Jira:RHEL-6421 -

-
-

- libgnome-keyring -

-
-

- Bugzilla:1607766 -

-
-

- libguestfs -

-
-

- Bugzilla:1554735 -

-
-

- libkcapi -

-
-

- Jira:RHEL-5366, Jira:RHEL-15300 -

-
-

- librdkafka -

-
-

- Jira:RHEL-12892 -

-
-

- librepo -

-
-

- Jira:RHEL-10720 -

-
-

- libreswan -

-
-

- Bugzilla:1989050 -

-
-

- libselinux-python-2.8-module -

-
-

- Bugzilla:1666328 -

-
-

- libvirt -

-
-

- Bugzilla:1664592, Bugzilla:1332758, - Bugzilla:2143160, - Bugzilla:1528684 -

-
-

- linuxptp -

-
-

- Jira:RHEL-21326 -

-
-

- llvm-toolset -

-
-

- Jira:RHEL-9028 -

-
-

- lvm2 -

-
-

- Bugzilla:1496229, Bugzilla:1768536 -

-
-

- mariadb -

-
-

- Jira:RHEL-3637, Bugzilla:1942330 -

-
-

- maven -

-
-

- Jira:RHEL-17126 -

-
-

- mesa -

-
-

- Bugzilla:1886147 -

-
-

- nfs-utils -

-
-

- Bugzilla:2081114, - Bugzilla:1592011 -

-
-

- nginx -

-
-

- Jira:RHEL-14714 -

-
-

- nispor -

-
-

- Bugzilla:2153166 -

-
-

- nss -

-
-

- Bugzilla:1817533, Bugzilla:1645153 -

-
-

- nss_nis -

-
-

- Bugzilla:1803161 -

-
-

- opencryptoki -

-
-

- Jira:RHEL-11413 -

-
-

- opencv -

-
-

- Bugzilla:1886310 -

-
-

- openmpi -

-
-

- Bugzilla:1866402 -

-
-

- opensc -

-
-

- Jira:RHEL-4077, - Bugzilla:1947025 -

-
-

- openscap -

-
-

- Bugzilla:2161499 -

-
-

- openssh -

-
-

- Jira:RHEL-1684, - Jira:RHEL-5279, - Bugzilla:2044354 -

-
-

- openssl -

-
-

- Jira:RHEL-17689, - Bugzilla:1810911 -

-
-

- osbuild-composer -

-
-

- Jira:RHEL-4649 -

-
-

- oscap-anaconda-addon -

-
-

- Jira:RHEL-1826, - Bugzilla:1843932, - Bugzilla:1834716, - Bugzilla:1665082, - Jira:RHEL-1810 -

-
-

- papi -

-
-

- Jira:RHEL-9336 -

-
-

- pcs -

-
-

- Jira:RHEL-7584, - Jira:RHEL-7668, - Jira:RHEL-7731, - Jira:RHEL-7745, - Bugzilla:1619620, - Bugzilla:1851335 -

-
-

- perl-DateTime-TimeZone -

-
-

- Jira:RHEL-35685 -

-
-

- php -

-
-

- Jira:RHEL-14705 -

-
-

- pki-core -

-
-

- Bugzilla:1729215, - Jira:RHEL-13125, - Bugzilla:1628987 -

-
-

- podman -

-
-

- Jira:RHELPLAN-167794, - Jira:RHELPLAN-167830, Jira:RHELPLAN-167822, - Jira:RHELPLAN-168179, - Jira:RHELPLAN-168184, - Jira:RHELPLAN-154435, - Jira:RHELPLAN-168223 -

-
-

- policycoreutils -

-
-

- Jira:RHEL-24461 -

-
-

- polkit -

-
-

- Jira:RHEL-34022 -

-
-

- postfix -

-
-

- Bugzilla:1711885 -

-
-

- postgresql -

-
-

- Jira:RHEL-3636 -

-
-

- pykickstart -

-
-

- Bugzilla:1637872 -

-
-

- python3.11-lxml -

-
-

- Bugzilla:2157673 -

-
-

- python36-3.6-module -

-
-

- Bugzilla:2165702 -

-
-

- qemu-kvm -

-
-

- Jira:RHEL-11597, - Jira:RHEL-16696, - Jira:RHEL-13336, - Bugzilla:1740002, - Bugzilla:1719687, - Bugzilla:1966475, - Bugzilla:1792683, - Bugzilla:1651994 -

-
-

- rear -

-
-

- Jira:RHEL-24729, - Jira:RHEL-17354, - Jira:RHEL-17353, - Bugzilla:1925531, - Bugzilla:2083301 -

-
-

- redhat-support-tool -

-
-

- Bugzilla:2064575 -

-
-

- restore -

-
-

- Bugzilla:1997366 -

-
-

- rhel-system-roles -

-
-

- Jira:RHEL-18170, - Jira:RHEL-3241, Jira:RHEL-15440, - Jira:RHEL-4624, Jira:RHEL-16542, Jira:RHEL-21491, - Jira:RHEL-16965, - Jira:RHEL-16553, - Jira:RHEL-18963, - Jira:RHEL-16975, - Jira:RHEL-21123, - Jira:RHEL-19047, - Jira:RHEL-15038, - Jira:RHEL-21134, - Jira:RHEL-14022, - Jira:RHEL-17667, - Jira:RHEL-15933, - Jira:RHEL-16213, - Jira:RHEL-16977, Jira:RHEL-5985, - Jira:RHEL-4684, - Jira:RHEL-16501, - Jira:RHEL-17874, - Jira:RHEL-21946, - Jira:RHEL-21400, - Jira:RHEL-15871, - Jira:RHEL-22228, - Jira:RHEL-22229, - Jira:RHEL-3354, - Jira:RHEL-19042, - Jira:RHEL-19044, - Jira:RHEL-19242, - Jira:RHEL-21402, Jira:RHEL-25509, Bugzilla:2186908, - Bugzilla:2021685, - Bugzilla:2006081 -

-
-

- rpm -

-
-

- Bugzilla:1688849 -

-
-

- rsyslog -

-
-

- Bugzilla:1679512, - Jira:RHELPLAN-10431 -

-
-

- rteval -

-
-

- Jira:RHEL-8967, Jira:RHEL-21926 -

-
-

- rtla -

-
-

- Jira:RHEL-10081 -

-
-

- rust-toolset -

-
-

- Jira:RHEL-12964 -

-
-

- samba -

-
-

- Jira:RHEL-16483, Bugzilla:2009213, - Jira:RHELPLAN-13195 -

-
-

- scap-security-guide -

-
-

- Jira:RHEL-25250, Bugzilla:2028428, - Bugzilla:2118758, - Jira:RHEL-1804, - Jira:RHEL-1897 -

-
-

- selinux-policy -

-
-

- Jira:RHEL-9981, - Jira:RHEL-1388, - Jira:RHEL-15398, - Jira:RHEL-1628, - Jira:RHEL-10087, - Bugzilla:2166153, - Bugzilla:1461914 -

-
-

- sos -

-
-

- Bugzilla:2011413 -

-
-

- spice -

-
-

- Bugzilla:1849563 -

-
-

- sssd -

-
-

- Jira:SSSD-7015, - Bugzilla:2065692, - Bugzilla:2056483, - Bugzilla:1947671 -

-
-

- sssd_kcm -

-
-

- Jira:SSSD-7015 -

-
-

- stunnel -

-
-

- Jira:RHEL-2340 -

-
-

- subscription-manager -

-
-

- Bugzilla:2170082 -

-
-

- sysstat -

-
-

- Jira:RHEL-12008, - Jira:RHEL-23074 -

-
-

- tuna -

-
-

- Jira:RHEL-19179 -

-
-

- tuned -

-
-

- Bugzilla:2113900 -

-
-

- udica -

-
-

- Bugzilla:1763210 -

-
-

- valgrind -

-
-

- Jira:RHEL-15926 -

-
-

- vdo -

-
-

- Bugzilla:1949163 -

-
-

- virt-manager -

-
-

- Bugzilla:2026985 -

-
-

- wayland -

-
-

- Bugzilla:1673073 -

-
-

- webkit2gtk3 -

-
-

- Jira:RHEL-4158 -

-
-

- xorg-x11-server -

-
-

- Bugzilla:1698565 -

-
-

- other -

-
-

- Jira:RHELDOCS-17369, - Jira:RHELDOCS-17372, - Jira:RHELDOCS-16955, - Jira:RHELDOCS-16241, Jira:RHELDOCS-16970, - Jira:RHELDOCS-17060, - Jira:RHELDOCS-17056, - Jira:RHELDOCS-16337, - Jira:RHELDOCS-17261, - Jira:RHELPLAN-123140, - Jira:RHELDOCS-18289, - Jira:RHELDOCS-18323, - Jira:SSSD-6184, - Bugzilla:2025814, - Bugzilla:2077770, - Bugzilla:1777138, - Bugzilla:1640697, - Bugzilla:1697896, - Bugzilla:1961722, - Jira:RHELDOCS-18064, - Jira:RHELDOCS-18049, - Bugzilla:1659609, - Bugzilla:1687900, - Bugzilla:1757877, - Bugzilla:1741436, - Jira:RHELPLAN-27987, Jira:RHELPLAN-34199, - Jira:RHELPLAN-57914, - Jira:RHELPLAN-96940, - Bugzilla:1974622, - Bugzilla:2028361, - Bugzilla:2041997, - Bugzilla:2035158, - Jira:RHELPLAN-109613, - Bugzilla:2126777, - Jira:RHELDOCS-17126, - Bugzilla:1690207, Bugzilla:1559616, Bugzilla:1889737, - Bugzilla:1906489, - Bugzilla:1769727, - Jira:RHELPLAN-27394, - Jira:RHELPLAN-27737, - Jira:RHELDOCS-16861, Bugzilla:1642765, - Bugzilla:1646541, Bugzilla:1647725, Bugzilla:1932222, - Bugzilla:1686057, Bugzilla:1748980, - Jira:RHELPLAN-71200, Jira:RHELPLAN-45858, - Bugzilla:1871025, Bugzilla:1871953, Bugzilla:1874892, Bugzilla:1916296, - Jira:RHELDOCS-17573, Jira:RHELPLAN-100400, - Bugzilla:1926114, Bugzilla:1904251, - Bugzilla:2011208, - Jira:RHELPLAN-59825, Bugzilla:1920624, Jira:RHELPLAN-70700, - Bugzilla:1929173, Jira:RHELPLAN-85066, - Jira:RHELPLAN-98983, Bugzilla:2009113, Bugzilla:1958250, - Bugzilla:2038929, - Bugzilla:2006665, Bugzilla:2029338, Bugzilla:2061288, Bugzilla:2060759, - Bugzilla:2055826, Bugzilla:2059626, - Jira:RHELPLAN-133171, Bugzilla:2142499, Jira:RHELDOCS-16755, Jira:RHELPLAN-146398, Jira:RHELDOCS-18107, Jira:RHELPLAN-153267, Bugzilla:2225332, - Jira:RHELPLAN-147538, Jira:RHELDOCS-16612, Jira:RHELDOCS-17102, - Jira:RHELDOCS-16300, Jira:RHELDOCS-17038, Jira:RHELDOCS-17461, - Jira:RHELDOCS-17518, Jira:RHELDOCS-17623 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.0-13
-
-

- Tue Sep 24 2024, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added an Enhancement RHEL-49614 (Dynamic - programming languages, web and database servers) -
  • -
-
-
-
0.0-12
-
-

- Tue Aug 27 2024, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a Bug Fix RHEL-39994 - (Compilers and development tools) -
  • -
-
-
-
0.0-11
-
-

- Wed Aug 14 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.0-10
-
-

- Wed Aug 14 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Added an Enhancement RHEL-47595 - (Networking) -
  • -
-
-
-
0.0-9
-
-

- Fri Aug 09 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Added a Known Issue RHEL-11397 - (Installer and image creation) -
  • -
-
-
-
0.0-8
-
-

- Thu Jul 18 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0-7
-
-

- Thu Jul 11 2024, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a Known Issue RHEL-45711 - (System Roles) -
  • -
-
-
-
0.0-6
-
-

- Mon Jul 08 2024, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Fixed formatting and reference in RHEL-25405 (Compilers and development tools) -
  • -
-
-
-
0.0-5
-
-

- Wed Jul 03 2024, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a Known Issue RHEL-34075 - (Identity Management) -
  • -
-
-
-
0.0-4
-
-

- Tue Jun 25 2024, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a Known Issue RHELDOCS-18435 - (Dynamic programming languages, web and database servers) -
  • -
-
-
-
0.0-3
-
-

- Wed June 12 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.0-2
-
-

- Fri June 7 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Updated a Known Issue in Jira:RHELDOCS-18326 - (Red Hat Enterprise Linux System Roles) -
  • -
-
-
-
0.0-1
-
-

- Thu May 23 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.10 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Wed March 27 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.10 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
- 
diff --git a/app/data/8.2.html b/app/data/8.2.html
deleted file mode 100644
index 2e4aafc..0000000
--- a/app/data/8.2.html
+++ /dev/null
@@ -1,14002 +0,0 @@ - -
-
-
-
Red Hat Enterprise Linux 8.2
-
-

Release Notes for Red Hat Enterprise Linux 8.2

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.2 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your input on our documentation. Please let us know how we could make it better. To do so: -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-

Installer and image creation

-

- In RHEL 8.2, you can register your system, attach RHEL subscriptions, and install from the Red Hat - Content Delivery Network (CDN) before package installation. You can also register your system to Red Hat - Insights during installation. Interactive GUI installations, as well as automated Kickstart - installations, support these new features. -

-

- For more information, see Section 5.1.1, “Installer and image creation”. -

-

Infrastructure services

-

- The Tuned system tuning tool has been - rebased to version 2.13, which adds support for architecture-dependent tuning and multiple include - directives. -

-

- For more information, see Section 5.1.4, “Infrastructure services”. -

-

Security

-

- System-wide cryptographic policies now support customization. The administrator can now define a - complete policy or modify only certain values. -

-

- RHEL 8.2 includes the setools-gui and setools-console-analyses packages that provide tools for SELinux-policy - analysis and data-flow inspections. -

-

- SCAP Security Guide now provides a profile compliant with the Australian Cyber Security Centre (ACSC) - Essential Eight Maturity Model. -

-

- See Section 5.1.5, “Security” - for more information. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following components are now available as new module streams: -

-
-
    -
  • - Python 3.8 -
  • -
  • - Maven 3.6 -
  • -
-
-

- See Section 5.1.10, “Dynamic - programming languages, web and database servers” for details. -

-

Compiler toolsets

-

- The following compiler toolsets have been updated in RHEL 8.2: -

-
-
    -
  • - GCC Toolset 9 -
  • -
  • - Clang and LLVM Toolset 9.0.1 -
  • -
  • - Rust Toolset 1.41 -
  • -
  • - Go Toolset 1.13 -
  • -
-
-

- See Section 5.1.11, “Compilers and development - tools” for more information. -

-

Identity Management

-

- Identity Management introduces a new command-line tool: Healthcheck. Healthcheck helps users find problems that might - impact the fitness of their IdM environments. -

-

- Identity Management now supports Ansible roles and modules for installation and management. This update - makes installation and configuration of IdM-based solutions easier. -

-

- See Section 5.1.12, “Identity Management” for more information. -

-

The web console

-

- The web console has been redesigned to use the PatternFly 4 user interface system design. -

-

- A session timeout has been added to the web console to improve security. -

-

- See Section 5.1.15, - “The web console” for more information. -

-

Desktop

-

- Workspace switcher in the GNOME Classic environment has been modified. The switcher is now located in - the right part of the bottom bar, and it is designed as a horizontal strip of thumbnails. Switching - between workspaces is possible by clicking on the required thumbnail. -

-

- The Direct Rendering Manager (DRM) kernel graphics - subsystem has been rebased to upstream Linux kernel version 5.3. This version provides a number of - enhancements over the previous version, including support for new GPUs and APUs, and various driver - updates. -

-

In-place upgrade

-

- In-place upgrade from RHEL 7 to RHEL 8 -

-

- The supported in-place upgrade path is: -

-
-
    -
  • - From RHEL 7.9 to RHEL 8.2 on the 64-bit Intel, IBM POWER 8 (little endian), and IBM Z - architectures -
  • -
  • - From RHEL 7.6 to RHEL 8.2 on architectures that require kernel version 4.14: 64-bit ARM, IBM - POWER 9 (little endian), and IBM Z (Structure A). Note that these architectures remain fully - supported in RHEL 7 but no longer receive minor release updates since RHEL 7.7. -
  • -
-
-

- For more information, see Supported - in-place upgrade paths for Red Hat Enterprise Linux. For instructions on performing an in-place - upgrade, see Upgrading - from RHEL 7 to RHEL 8. -

-

- Notable enhancements include: -

-
-
    -
  • - You can now use additional custom repositories for an in-place upgrade from RHEL 7 to RHEL 8. It - is also possible to upgrade without Red Hat Subscription Manager. -
  • -
  • - You can create your own actors to migrate your custom or third-party applications using the - Leapp utility. -
  • -
-
-

- For details, see Customizing your Red - Hat Enterprise Linux in-place upgrade. -

-

- If you are using CentOS Linux 7 or Oracle Linux 7, you can convert your operating system to RHEL 7 using - the supported convert2rhel utility prior to upgrading to RHEL - 8. For instructions, see Converting - from an RPM-based Linux distribution to RHEL. -

-

- In-place upgrade from RHEL 6 to RHEL 8 -

-

- To upgrade from RHEL 6.10 to RHEL 8.2, follow instructions in Upgrading - from RHEL 6 to RHEL 8. -

-

- If you are using CentOS Linux 6 or Oracle Linux 6, you can convert your operating system to RHEL 6 using - the unsupported convert2rhel utility prior to upgrading to RHEL - 8. For instructions, see How to - convert from CentOS Linux or Oracle Linux to RHEL. -

-

Additional resources

-
- -
-

Red Hat Customer Portal Labs

-

- Red Hat Customer Portal Labs is a set of tools in a - section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.2 is distributed with the kernel version 4.18.0-193, which provides support - for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Binary DVD ISO image is larger than 4.7 GB, and as a result, it might not - fit on a single-layer DVD. A dual-layer DVD or USB key is recommended when using - the Binary DVD ISO image to create bootable installation media. You can also use - the Image Builder tool to create customized RHEL images. For more information - about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 8 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of user - space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 4. RHEL 8.2.1 release

-
-
-
-

- Red Hat makes Red Hat Enterprise Linux 8 content available quarterly, in between minor releases (8.Y). - The quarterly releases are numbered using the third digit (8.Y.1). The new features in the RHEL 8.2.1 - release are described below. -

-
-
-
-
-

4.1. New features

-
-
-
-
-

JDK Mission Control rebased to version 7.1.1

-

- The JDK Mission Control (JMC) profiler for HotSpot JVMs, provided by the jmc:rhel8 module stream, has been upgraded to version 7.1.1 with the - RHEL 8.2.1 release. -

-
-

- This update includes numerous bug fixes and enhancements, including: -

-
-
    -
  • - Multiple rule optimizations -
  • -
  • - A new JOverflow view based on Standard Widget Toolkit (SWT) -
  • -
  • - A new flame graph view -
  • -
  • - A new way of latency visualization using the High Dynamic Range (HDR) Histogram -
  • -
-
-

- The jmc:rhel8 module stream has two profiles: -

-
-
    -
  • - The common profile, which installs the entire JMC application -
  • -
  • - The core profile, which installs only the core Java libraries - (jmc-core) -
  • -
-
-

- To install the common profile of the jmc:rhel8 module stream, use: -

-
# yum module install jmc:rhel8/common
-

- Change the profile name to core to install only the jmc-core package. -

-

- (BZ#1792519) -

-
-

Rust Toolset rebased to version 1.43

-

- Rust Toolset has been updated to version 1.43. Notable changes include: -

-
-
-
    -
  • - Useful line numbers are now included in Option and Result panic messages where they were invoked. -
  • -
  • - Expanded support for matching on subslice patterns. -
  • -
  • - The matches! macro provides pattern matching that returns a - boolean value. -
  • -
  • - item fragments can be interpolated into traits, impls, and - extern blocks. -
  • -
  • - Improved type inference around primitives. -
  • -
  • - Associated constants for floats and integers. -
  • -
-
-

- To install the Rust Toolset module, run the following command as root: -

-
# yum module install rust-toolset
-

- For usage information, see the Using Rust - Toolset documentation. -

-

- (BZ#1811997) -

-
-

Containers registries now support the skopeo sync command

-

- With this enhancement, users can use skopeo sync command to - synchronize container registries and local registries. The skopeo sync command is useful to synchronize a local container - registry mirror, and to populate registries running inside of air-gapped environments. -

-
-

- The skopeo sync command requires both source (--src) and destination (--dst) transports to - be specified separately. Available source and destination transports are docker (repository hosted on a container registry) and dir ( directory in a local directory path). The source transports also - include yaml (local YAML file path). For information on the usage of - skopeo sync, see the skopeo-sync man page. -

-

- (BZ#1811779) -

-
-

Configuration file container.conf is now - available

-

- With this enhancement, users and administrators can specify default configuration options and - command-line flags for container engines. Container engines read the /usr/share/containers/containers.conf and /etc/containers/containers.conf files if they exist. In the rootless - mode, container engines read the $HOME/.config/containers/containers.conf files. -

-
-

- Fields specified in the containers.conf file override the default - options, as well as options in previously read containers.conf files. - The container.conf file is shared between Podman and Buildah and - replaces the libpod.conf file. -

-

- (BZ#11826486) -

-
-

You can now log into and out from a registry server

-

- With this enhancement, you can log into and logout from a specified registry server using the - skopeo login and skopeo logout - commands. The skopeo login command reads in the username and - password from standard input. The username and password can also be set using the --username (or -u) and --password (or -p) options. -

-
-

- You can specify the path of the authentication file by setting the --authfile flag. The default path is ${XDG_RUNTIME_DIR}/containers/auth.json. For information on the usage of - skopeo login and skopeo logout, see the - skopeo-login and skopeo-logout man pages, - respectively. -

-

- (JIRA:RHELPLAN-47311) -

-
-

You can now reset the podman storage

-

- With this enhancement, users can use the podman system reset - command to reset podman storage back to initial state. The podman system reset command removes all pods, containers, images and - volumes. For more information, see the podman-system-reset man - page. -

-
-

- (JIRA:RHELPLAN-48941) -

-
-
-
-
-
-
-

Chapter 5. RHEL 8.2.0 release

-
-
-
-
-
-
-
-

5.1. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.2. -

-
-
-
-
-

5.1.1. Installer and image creation

-
-
-
-
-

Ability to register your system, attach RHEL subscriptions, and install - from the Red Hat CDN

-

- In RHEL 8.2, you can register your system, attach RHEL subscriptions, and install from the - Red Hat Content Delivery Network (CDN) before package installation. Interactive GUI - installations, as well as automated Kickstart installations, support this feature. Benefits - include: -

-
-
-
    -
  • - The use of the smaller Boot ISO image file removes the need to download the larger - Binary DVD ISO image file. -
  • -
  • - The CDN uses the latest packages that result in a fully subscribed and up-to-date system - immediately after installation. There is no requirement to install package updates after - installation. -
  • -
  • - Registration is performed before package installation, resulting in a shorter and more - streamlined installation process. -
  • -
  • - Integrated support for Red Hat Insights is available. -
  • -
-
-

- (BZ#1748281) -

-
-

Ability to register your system to Red Hat Insights during - installation

-

- In RHEL 8.2, you can register your system to Red Hat Insights during installation. - Interactive GUI installations, as well as automated Kickstart installations, support this - feature. -

-
-

- Benefits include: -

-
-
    -
  • - Easier to identify, prioritize, and resolve issues before business operations are - affected. -
  • -
  • - Proactively identify and remediate threats to security, performance, availability, and - stability with predictive analytics. -
  • -
  • - Avoid problems and unplanned downtime in your environment. -
  • -
-
-

- (BZ#1746391) -

-
-

Image Builder now offers cloud-init support for creating Azure - images

-

- With this enhancement, cloud-init support is available for Azure images created by Image - Builder. As a result, the creation of on-premise images with fast-provisioning and the - ability to add custom data is available to customers. -

-
-

- (BZ#1754711) -

-
-

Added new kickstart commands: rhsm and - zipl

-

- With this release, the following kickstart commands are added: -

-
-
-
    -
  • - rhsm: Use the rhsm command to - register system with Red Hat during installation. -
  • -
  • - zipl: Use the zipl command to - specify zipl configuration on IBM Z systems. -
  • -
-
-

- (BZ#1972214) -

-
-
-
-
-
-

5.1.2. Software management

-
-
-
-
-

User-Agent header string now includes - information read from the /etc/os-release file

-

- With this enhancement, the User-Agent header string, which is - normally included with the HTTP requests made by DNF, has been extended with information - read from the /etc/os-release file. -

-
-

- To obtain more information, see user_agent in the dnf.conf(5) man page. -

-

- (BZ#1676891) -

-
-

All dnf-automatic.timer timer units now - use the real-time clock by default

-

- Previously, the dnf-automatic.timer timer units used the - monotonic clock, which resulted in unpredictable activation time after the system boot. With - this update, the timer units run between 6 a.m. and 7 a.m. If the system is off during that - time, the timer units are activated within one hour after the system boot. -

-
-

- (BZ#1754609) -

-
-

The createrepo_c utility now skips - packages whose metadata contains the disallowed control characters

-

- To ensure a valid XML, the package metadata must not contain any control characters, with - the exception of: -

-
-
-
    -
  • - the horizontal tab -
  • -
  • - the newline character -
  • -
  • - the carriage return character -
  • -
-
-

- With this update, the createrepo_c utility does not include - packages with metadata containing disallowed control characters in a newly created repository, - and returns the following error message: -

-
C_CREATEREPOLIB: Critical: Cannot dump XML for PACKAGE_NAME (PACKAGE_SUM): Forbidden control chars found (ASCII values <32 except 9, 10 and 13)
-

- (BZ#1743186) -

-
-
-
-
-
-

5.1.3. Shells and command-line tools

-
-
-
-
-

opencv rebased to version 3.4.6 -

-

- The opencv packages have been upgraded to upstream version - 3.4.6. Notable changes include: -

-
-
-
    -
  • - Support for new Open CL parameters, such as OPENCV_OPENCL_BUILD_EXTRA_OPTIONS and OPENCV_OPENCL_DEVICE_MAX_WORK_GROUP_SIZE. -
  • -
  • - The objdetect module now supports QR code detection - algorithm. -
  • -
  • - Multiple new methods, such as MatSize::dims or VideoCapture::getBackendName. -
  • -
  • - Multiple new functions, such as drawFrameAxes or getVersionMajor. -
  • -
  • - Various performance improvements, including improvements of the GaussianBlur function, - v_load_deinterleave and v_store_interleave intrinsics when using SSSE3 instructions. -
  • -
-
-

- (BZ#1694647) -

-
-
-
-
-
-

5.1.4. Infrastructure services

-
-
-
-
-

graphviz-python3 is now distributed in the - CRB repository

-

- This update adds the graphviz-python3 package to RHEL 8. The - package provides bindings required for usage of the Graphviz graph visualization software - from Python. -

-
-

- Note that the graphviz-python3 package is distributed in the - unsupported CodeReady Linux - Builder repository (CRB). -

-

- (BZ#1704875) -

-
-

tuned rebased to version 2.13.0 -

-

- The tuned packages have been upgraded to upstream version - 2.13.0. Notable enhancements include: -

-
-
-
    -
  • - Architecture-dependant tuning framework has been added. -
  • -
  • - Support for multiple include directives has been added. -
  • -
  • - Tuning in the sap-hana, latency-performance, and realtime profiles has been updated. -
  • -
-
-

- (BZ#1738250) -

-
-

powertop rebased to version 2.11 -

-

- The powertop package has been upgraded to version 2.11, which - provides a following notable change: -

-
-
-
    -
  • - Support for the EHL, TGL, ICL/ICX platforms -
  • -
-
-

- (BZ#1716721) -

-
-

BIND now supports .GeoIP2 instead of GeoLite Legacy GeoIP

-

- The GeoLite Legacy GeoIP library is no longer supported in BIND. With this update, GeoLite - Legacy GeoP has been replaced with GeoIP2, which is provided in the libmaxminddb data format. -

-
-

- Note that the new format may require some configuration changes, and the format also does not - support following legacy GeoIP access control list (ACL) settings: -

-
-
    -
  • - geoip netspeed -
  • -
  • - geoip org -
  • -
  • - ISO 3166 Alpha-3 country codes -
  • -
-
-

- (BZ#1564443) -

-
-

stale-answer now provides old cached - records in case of DDoS attack

-

- Previously, the Distributed Denial of Service (DDoS) attack caused the authoritative servers - to fail with the SERVFAIL error. With this update, the stale-answer functionality provides the expired records until a - fresh response is obtained. -

-
-

- To enable or disable the serve-stale feature, use either of these: -

-
-
    -
  • - Configuration file -
  • -
  • - Remote control channel (rndc) -
  • -
-
-

- (BZ#1664863) -

-
-

BIND rebased to version 9.11.13

-

- The bind packages have been upgraded to version 9.11.13. - Notable changes include: -

-
-
-
    -
  • - The tcp-highwater statistics variable has been added. This - variable shows maximum concurrent TCP clients recorded during a run. -
  • -
  • - The SipHash-2-4-based DNS Cookies (RFC 7873) algorithm has - been added. -
  • -
  • - Glue addresses for rooting priming queries are returned regardless of how the minimal-responses configuration option is set. -
  • -
  • - The named-checkconf command now ensures the validity of the - DNS64 network prefixes. -
  • -
  • - Automatic rollover per RFC 5011 no longer fails when the trusted-keys and managed-keys - statements are both configured for the same name. Instead, a warning message is logged. -
  • -
  • - Internationalized Domain Name (IDN) processing in the dig - and nslookup utilities is now disabled by default when they - are not run on terminal (for example, in a script). IDN processing in dig can be switched on by using the +idnin and +idnout options. -
  • -
-
-

- (BZ#1704328) -

-
-
-
-
-
-

5.1.5. Security

-
-
-
-
-

RHEL 8 now contains the DISA STIG profile

-

- Security Technical Implementation Guides (STIG) are a set of baseline recommendations - published by the Defense Information Systems Agency (DISA) to harden the security of - information systems and software that might otherwise be vulnerable. This release includes - the profile and Kickstart file for this security policy. With this enhancement, users can - check systems for compliance, remediate systems to be compliant, and install systems - compliant with DISA STIG for Red Hat Enterprise Linux 8. -

-
-

- (BZ#1755447) -

-
-

crypto-policies can now be - customized

-

- With this update, you can adjust certain algorithms or protocols of any policy level or set - a new complete policy file as the current system-wide cryptographic policy. This enables - administrators to customize the system-wide cryptographic policy as required by different - scenarios. -

-
-

- RPM packages should store policies provided by them in the /usr/share/crypto-policies/policies directory. The /etc/crypto-policies/policies directory contains local custom - policies. -

-

- For more information, see the Custom Policies section in the update-crypto-policies(8) man page and the Crypto Policy Definition Format section in the update-crypto-policies(8) man page. -

-

- (BZ#1690565) -

-
-

SCAP Security Guide now supports ACSC Essential Eight

-

- The scap-security-guide packages now provide the Australian - Cyber Security Centre (ACSC) Essential Eight compliance profile and a corresponding - Kickstart file. With this enhancement, users can install a system that conforms with this - security baseline. Furthermore, you can use the OpenSCAP suite for checking security - compliance and remediation using this specification of minimum security controls defined by - ACSC. -

-
-

- (BZ#1755194) -

-
-

oscap-podman for security and compliance - scanning of containers is now available

-

- This update of the openscap packages introduces a new utility - for security and compliance scanning of containers. The oscap-podman tool provides an equivalent of the oscap-docker utility that serves for scanning container and - container images in RHEL 7. -

-
-

- (BZ#1642373) -

-
-

setroubleshoot can now analyze and react - to execmem access denials

-

- This update introduces a new setroubleshoot plugin. The plugin - can analyze execmem access denials (AVCs) and provide relevant - advice. As a result, setroubleshoot can now suggest a - possibility to switch a boolean if it allows access, or report the issue when no boolean can - allow access. -

-
-

- (BZ#1649842) -

-
-

New packages: setools-gui and setools-console-analyses

-

- The setools-gui package, which has been part of RHEL 7, is now - being introduced to RHEL 8. Graphical tools help inspect relations and data flows especially - in multi-level systems with highly specialized SELinux policies. With the apol graphical tool from the setools-gui package, you can inspect and analyze aspects of an - SELinux policy. Tools from the setools-console-analyses package - enable you to analyze domain transitions and SELinux policy information flows. -

-
-

- (BZ#1731519) -

-
-

Confined users in SELinux can now manage user session services -

-

- Previously, confined users were not able to manage user session services. As a result, they - could not execute systemctl --user or busctl --user commands or work in the RHEL web console. With this - update, confined users can manage user sessions. -

-
-

- (BZ#1727887) -

-
-

The lvmdbusd service is now confined by - SELinux

-

- The lvmdbusd service provides a D-Bus API to the logical volume - manager (LVM). Previously, the lvmdbusd daemon could not - transition to the lvm_t context even though the SELinux policy - for lvm_t was defined. As a consequence, the lvmdbusd daemon was executed in the unconfined_service_t domain and SELinux labeled lvmdbusd as unconfined. With this update, the lvmdbusd executable file has the lvm_exec_t context defined and lvmdbusd can now be used correctly with SELinux in enforcing - mode. -

-
-

- (BZ#1726166) -

-
-

semanage now supports listing and - modifying SCTP and DCCP ports.

-

- Previously, semanage port allowed listing and modifying of only - TCP and UDP ports. This update adds SCTP and DCCP protocol support to semanage port. As a result, administrators can now check if two - machines can communicate via SCTP and fully enable SCTP features to successfully deploy - SCTP-based applications. -

-
-

- (BZ#1563742) -

-
-

semanage export now shows customizations - related to permissive domains

-

- With this update, the semanage utility, which is part of the - policycoreutils package for SELinux, is able to display - customizations related to permissive domains. System administrators can now transfer - permissive local modifications between machines using the semanage export command. -

-
-

- (BZ#1417455) -

-
-

udica can add new allow rules generated - from SELinux denials to existing container policy

-

- When a container that is running under a policy generated by the udica utility triggers an SELinux denial, udica is now able to update the policy. The new parameter -a or --append-rules can be used to - append rules from an AVC file. -

-
-

- (BZ#1732704) -

-
-

New SELinux types enable services to run confined

-

- This update introduces new SELinux types that enable the following services to run as - confined services in SELinux enforcing mode instead of running in the unconfined_service_t domain: -

-
-
-
    -
  • - lldpd now runs as lldpad_t -
  • -
  • - rrdcached now runs as rrdcached_t -
  • -
  • - stratisd now runs as stratisd_t -
  • -
  • - timedatex now runs as timedatex_t -
  • -
-
-

- (BZ#1726246, BZ#1726255, BZ#1726259, BZ#1730204) -

-
-

Clevis is able to list policies in place for a given LUKS - device

-

- With this update, the clevis luks list command lists PBD - policies in place for a given LUKS device. This makes it easier to find information on - Clevis pins in use and pin configuration, for example, Tang server addresses, details on - tpm2 policies, and SSS thresholds. -

-
-

- (BZ#1766526) -

-
-

Clevis provides new commands for reporting key status and rebinding - expired keys

-

- The clevis luks report command now provides a simple way to - report whether keys for a particular binding require rotation. Regular key rotations in a - Tang server improve the security of Network-Bound Disk Encryption (NBDE) deployments, and - therefore the client should provide detection of expired keys. If the key is expired, Clevis - suggests using the clevis luks regen command which rebinds the - expired key slot with a current key. This significantly simplifies the process of key - rotation. -

-
-

- (BZ#1564559, BZ#1564566) -

-
-

Clevis can now extract the passphrase used for binding a particular - slot in a LUKS device

-

- With this update to the Clevis policy-based decryption framework, you can now extract the - passphrase used for binding a particular slot in a LUKS device. Previously, if the LUKS - installation passphrase was erased, Clevis could not perform LUKS administrative tasks, such - as re-encryption, enabling a new key slot with a user passphrase, and re-binding Clevis when - the administrator needs to change the sss threshold. This - update introduces the clevis luks pass command that shows the - passphrase used for binding a particular slot. -

-
-

- (BZ#1436780) -

-
-

Clevis now provides improved support for decrypting multiple LUKS - devices on boot

-

- The clevis packages have been updated to provide better support - for decrypting multiple LUKS-encrypted devices on boot. Prior to this improvement, the - administrator had to perform complicated changes to the system configuration to enable the - proper decryption of multiple devices by Clevis on boot. With this release, you can set up - the decryption by using the clevis luks bind command and - updating the initramfs through the dracut -fv --regenerate-all - command. -

-
-

- For more details, see the Configuring - automated unlocking of encrypted volumes using policy-based decryption section. -

-

- (BZ#1784524) -

-
-

openssl-pkcs11 rebased to 0.4.10 -

-

- The openssl-pkcs11 package has been upgraded to upstream - version 0.4.10, which provides many bug fixes and enhancements over the previous version. - The openssl-pkcs11 package provides access to PKCS #11 modules - through the engine interface. The major changes introduced by the new version are: -

-
-
-
    -
  • - If a public key object corresponding to the private key is not available when loading an - ECDSA private key, the engine loads the public key from a matching certificate, if - present. -
  • -
  • - You can use generic PKCS #11 URI (for example pkcs11:type=public) because the openssl-pkcs11 engine searches all tokens that match a given - PKCS #11 URI. -
  • -
  • - The system attempts to log in with a PIN only if a single device matches the URI search. - This prevents authentication failures due to providing the PIN to all matching tokens. -
  • -
  • - When accessing a device, the openssl-pkcs11 engine now - marks the RSA methods structure with the RSA_FLAG_FIPS_METHOD flag. In FIPS mode, OpenSSL requires the - flag to be set in the RSA methods structure. Note that the engine cannot detect whether - a device is FIPS-certified. -
  • -
-
-

- (BZ#1745082) -

-
-

rsyslog rebased to 8.1911.0

-

- The rsyslog utility has been upgraded to upstream version - 8.1911.0, which provides a number of bug fixes and enhancements over the previous version. - The following list includes notable enhancements: -

-
-
-
    -
  • - New omhttp module allows you to send messages over the HTTP - REST interface. -
  • -
  • - The file input module is enhanced to improve stability, error reporting, and truncation - detection. -
  • -
  • - New action.resumeIntervalMax parameter that can be used - with any action allows capping retry interval growth at a specified value. -
  • -
  • - New StreamDriver.PermitExpiredCerts option for TLS permits - connections even if a certificate has expired. -
  • -
  • - You can now suspend and resume output based on configured external file content. This is - useful in cases where the other end always accepts messages and silently drops them when - it is not able to process them all. -
  • -
  • - Error reporting for the file output module is improved and now contains real file names - and more information on causes of errors. -
  • -
  • - Disk queues now run multi-threaded, which improves performance. -
  • -
  • - You can set stricter TLS operation modes: checking of the extendedKeyUsage certificate field and stricter checking of - the CN/SAN certificate fields. -
  • -
-
-

- (BZ#1740683) -

-
-

rsyslog now provides the omhttp plugin for communication through an HTTP REST - interface

-

- With this update of the rsyslog packages, you can use the new - omhttp plugin for producing an output compatible with services - using a Representational State Transfer (REST) API, such as the Ceph storage platform, - Amazon Simple Storage Service (Amazon S3), and Grafana Loki. This new HTTP output module - provides a configurable REST path and message format, support for several batching formats, - compression, and TLS encryption. -

-
-

- For more details, see the /usr/share/doc/rsyslog/html/configuration/modules/omhttp.html file - installed on your system with the rsyslog-doc package. -

-

- (BZ#1676559) -

-
-

omelasticsearch in rsyslog now supports rebindinterval

-

- This update of the rsyslog packages introduces support for - setting the time of periodical reconnection in the omelasticsearch module. You can improve performance when sending - records to a cluster of Elasticsearch nodes by setting this parameter according to your - scenario. The value of the rebindinterval parameter indicates - the number of operations submitted to a node after which rsyslog closes the connection and establishes a new one. The - default value -1 means that rsyslog does not re-establish the connection. -

-
-

- (BZ#1692073) -

-
-

rsyslog mmkubernetes now provides metadata cache expiration -

-

- With this update of the rsyslog packages, you can use two new - parameters for the mmkubernetes module for setting metadata - cache expiration. This ensures that deleted Kubernetes objects are removed from the mmkubernetes static cache. The value of the cacheentryttl parameter indicates the maximum age of cache - entries in seconds. The cacheexpireinterval parameter has the - following values: -

-
-
-
    -
  • - -1 for disabling cache-expiration checks -
  • -
  • - 0 for enabling cache-expiration checks -
  • -
  • - greater than 0 for regular cache-expiration checks in seconds -
  • -
-
-

- (BZ#1692072) -

-
-

audit rebased to version 3.0-0.14 -

-

- The audit packages have been upgraded to upstream version - 3.0-0.14, which provides many bug fixes and enhancements over the previous version, most - notably: -

-
-
-
    -
  • - Added an option to interpret fields in the syslog plugin -
  • -
  • - Divided the 30-ospp-v42.rules file into more granular files -
  • -
  • - Moved example rules to the /usr/share/audit/sample-rules/ - directory -
  • -
  • - Fixed Audit KRB5 transport mode for remote logging -
  • -
-
-

- (BZ#1757986) -

-
-

Audit now contains many improvements from the kernel v5.5-rc1 -

-

- This addition to the Linux kernel contains the majority of enhancements, bug fixes, and - cleanups related to the Audit subsystem and introduced between the version 4.18 and 5.5-rc1. - The following list highlights important changes: -

-
-
-
    -
  • - Wider use of the exe field for filtering -
  • -
  • - Support for v3 namespaced capabilities -
  • -
  • - Improvements for filtering on remote file systems -
  • -
  • - Fix of the gid filter rule -
  • -
  • - Fixes of a use-after-free memory corruption and memory leaks -
  • -
  • - Improvements of event-record association -
  • -
  • - Cleanups of the fanoticy interface, Audit configuration - options, and the syscall interface -
  • -
  • - Fix of the Extended Verification Module (EVM) return value -
  • -
  • - Fixes and cleanups of several record formats -
  • -
  • - Simplifications and fixes of Virtual File System (VFS) auditing -
  • -
-
-

- (BZ#1716002) -

-
-

fapolicyd rebased to 0.9.1-2

-

- The fapolicyd packages that provide RHEL application - whitelisting have been upgraded to upstream version 0.9.1-2. Notable bug fixes and - enhancements include: -

-
-
-
    -
  • - Process identification is fixed. -
  • -
  • - The subject part and the object part are now positioned strictly in the rule. Both parts - are separated by a colon, and they contain the required permission (execute, open, any). -
  • -
  • - The subject and object attributes are consolidated. -
  • -
  • -

    - The new rule format is the following: -

    -
    DECISION PERMISSION SUBJECT : OBJECT
    -

    - For example: -

    -
    allow perm=open exe=/usr/bin/rpm : all
    -
  • -
-
-

- (BZ#1759895) -

-
-

sudo rebased to 1.8.29-3.el8

-

- sudo packages have been upgraded to upstream version 1.8.29-3, - which provides a number of bug fixes and enhancements over the previous version. The major - changes introduced by the new version are: -

-
-
-
    -
  • - sudo now writes Pluggable Authentication Module (PAM) - messages to the user’s terminal, if available, instead of the standard output or - standard error output. This prevents possible confusion of PAM output and command output - sent to files and pipes. -
  • -
  • - The notBefore and notAfter - options from LDAP and SSSD now work and display correctly with the sudo -l command. -
  • -
  • - The cvtsudoers command now rejects non-LDAP Data - Interchange Format (LDIF) input when converting from LDIF to sudoers and JSON formats. -
  • -
  • - With the new log_allowed and log_denied settings for sudoers, - you can disable logging and auditing of allowed and denied commands. -
  • -
  • - You can now use sudo with the -g option to specify a group that matches any of the target - user’s groups even if no groups are present in the runas_spec specification. Previously, you could only do so if - the group matched the target user’s primary group. -
  • -
  • - Fixed a bug that prevented sudo from matching the host name - to the value of ipa_hostname from sssd.conf, if specified. -
  • -
  • - A vulnerability that allowed a sudo user to run a command - as root when the Runas specification disallowed root access with the ALL keyword - is now fixed (CVE-2019-14287). -
  • -
  • - The use of unknown user and group IDs for permissive sudoers entries, for example using the ALL keyword, is now - disabled. You can enable it with the runas_allow_unknown_id - setting (CVE-2019-19232). -
  • -
-
-

- (BZ#1733961) -

-
-

The pam_namespace module now allows - specifying additional mount options for tmpfs

-

- The nosuid, noexec, and nodev mount options can now be used in the /etc/security/namespace.conf configuration file to respectively - disable setuid bit effect, disable running executables, and to prevent files from being - interpreted as character or block devices on the mounted tmpfs - filesystem. -

-
-

- Additional mount options are specified in the tmpfs(5) man page. -

-

- (BZ#1252859) -

-
-

pam_faillock can now read settings from - faillock.conf configuration file

-

- The pam_faillock module, a part of pluggable authentication - modules (PAM), can now read settings from the configuration file located at /etc/security/faillock.conf. This makes it easier to set up an - account lockout on authentication failures, provide user profiles for this functionality, - and handle different PAM configurations by simply editing the faillock.conf file. -

-
-

- (BZ#1537242) -

-
-
-
-
-
-

5.1.6. Networking

-
-
-
-
-

User-space applications can now retrieve the netns id selected by the kernel

-

- User-space applications can request the kernel to select a new netns ID and assign it to a network name space. With this - enhancement, users can specify the NLM_F_ECHO flag when sending - an RTM_NETNSID netlink message to - the kernel. The kernel then sends the netlink message back to - the user. This message includes the netns ID set to the value - the kernel selected. As a result, user-space applications now have a reliable option to - identify the netlink ID the kernel selected. -

-
-

- (BZ#1763661) -

-
-

firewalld rebased to version 0.8 -

-

- The firewalld packages have been updated to version 0.8. - Notable changes include: -

-
-
-
    -
  • - This version of firewalld includes all bug fixes since - version 0.7.0. -
  • -
  • - firewalld now uses the libnftables JSON interface to the nftables subsystem. This improves performance and reliability - of rule application. -
  • -
  • - In service definitions, the new helper element replaces - module. -
  • -
  • - This version allows custom helpers to use standard helper modules. -
  • -
-
-

- (BZ#1740670) -

-
-

ndptool can now specify a destination address in IPv6 header -

-

- With this update, the ndptool utility can send a Neighbor - Solicitation (NS) or a Neighbor Advertisement (NA) message to a specific destination by - specifying the address in the IPv6 header. As a result, a message can be sent to addresses - other than just the link-local address. -

-
-

- (BZ#1697595) -

-
-

nftables now supports multi-dimensional IP - set types

-

- With this enhancement, the nftables packet-filtering framework - supports set types with concatenations and intervals. As a result, administrators no longer - require workarounds to create multi-dimensional IP set types. -

-
-

- (BZ#1593711) -

-
-

nftables rebased to version - 0.9.3

-

- The nftables packages have been upgraded to upstream - version 0.9.3, which provides a number of bug fixes and enhancements over the previous - version: -

-
-
-
    -
  • - A JSON API has been added to the libnftables library. This - library provides a high-level interface to manage nftables rule sets from third-party applications. - To use the new API in Python, install the python3-nftables - package. -
  • -
  • - Statements support IP prefixes and ranges, such as 192.0.2.0/24 and 192.0.2.0-192.0.2.30. -
  • -
  • - Support for operating system fingerprints has been added to mark packets based on the - guessed operating system. For further details, see the osf expression section in the nft(8) man page. -
  • -
  • - Transparent proxy support has been added to redirect packets to a local socket without - changing the packet header in any way. For details, see the tproxy statement section in the nft(8) man page. -
  • -
  • - By default, nft displays textual names of the priority set - while creating the nft chains. To view standard priority numerical values, use the -y option. -
  • -
  • - The security mark support has been added. -
  • -
  • - The support for dynamic sets updates has been improved to set updates from the packet - path. -
  • -
  • - The support for transport header port matching has been added. -
  • -
-
-

- For further information about notable changes, read the upstream release notes before updating: -

- -

- (BZ#1643192) -

-
-

Rules for the firewalld service can now - use connection tracking helpers for services running on a non-standard port

-

- User-defined helpers in the firewalld service can now use - standard kernel helper modules. This enables administrators to create firewalld rules to use connection tracking helpers for services - running on a non-standard port. -

-
-

- (BZ#1733066) -

-
-

The whois package is now - available

-

- With this enhancement, the whois package is now available in - RHEL 8.2.0. As a result, retrieving information about a specific domain name or IP address - is now possible. -

-
-

- (BZ#1734183) -

-
-

eBPF for tc is now - fully supported

-

- The Traffic Control (tc) kernel subsystem and the tc tool can attach extended Berkeley - Packet Filtering (eBPF) programs as packet classifiers and actions for both ingress and - egress queueing disciplines. This enables programmable packet processing inside the kernel - network data path. eBPF for tc, - previously available as a technology preview, is now fully supported in RHEL 8.2. -

-
-

- (BZ#1755347) -

-
-
-
-
-
-

5.1.7. Kernel

-
-
-
-
-

Kernel version in RHEL 8.2

-

- Red Hat Enterprise Linux 8.2 is distributed with the kernel version 4.18.0-193. -

-
-

- See also Important Changes to External - Kernel Parameters and Device Drivers. -

-

- (BZ#1797671) -

-
-

Extended Berkeley Packet Filter for RHEL 8.2

-

- The Extended Berkeley Packet Filter - (eBPF) is an in-kernel virtual machine that allows code execution in - the kernel space, in the restricted sandbox environment with access to a limited set of - functions. The virtual machine executes a special assembly-like code. The eBPF bytecode first loads to the kernel, - followed by its verification, code translation to the native machine code with just-in-time - compilation, and then the virtual machine executes the code. -

-
-

- Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a - different development phase, and thus not all components are currently fully supported. In RHEL - 8.2, the following eBPF components are - supported: -

-
-
    -
  • - The BPF Compiler Collection (BCC) - tools package, which is a userspace collection of dynamic kernel tracing utilities that - use the eBPF virtual machine for - creating efficient kernel tracing and manipulation programs. The BCC provides tools for I/O analysis, - networking, and monitoring of Linux operating systems using eBPF. -
  • -
  • - The BCC library which allows the - development of tools similar to those provided in the BCC tools package. -
  • -
  • - The eBPF for Traffic Control (tc) - feature, which enables programmable packet processing inside the kernel network data - path. -
  • -
-
-

- All other eBPF components are available as - Technology Preview, unless a specific component is indicated as supported. -

-

- The following notable eBPF components are - currently available as Technology Preview: -

-
-
    -
  • - The bpftrace tracing language -
  • -
  • - The eXpress Data Path (XDP) feature -
  • -
-
-

- For more information regarding the Technology Preview components, see Technology Previews. -

-

- (BZ#1780124) -

-
-

Intel ® Omni-Path Architecture (OPA) Host Software

-

- Intel Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise - Linux 8.2. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and - setup for high performance data transfers (high bandwidth, high message rate, low latency) - between compute and I/O nodes in a clustered environment. -

-
-

- (BZ#1833541) -

-
-

Control Group v2 is - now fully supported in RHEL 8

-

- Control Group v2 mechanism is a unified - hierarchy control group. Control Group - v2 organizes processes hierarchically and distributes system - resources along the hierarchy in a controlled and configurable manner. -

-
-

- Unlike the previous version, Control Group - v2 has only a single hierarchy. This single hierarchy enables the Linux - kernel to: -

-
-
    -
  • - Categorize processes based on the role of their owner. -
  • -
  • - Eliminate issues with conflicting policies of multiple hierarchies. -
  • -
-
-

- Control Group v2 supports numerous - controllers. Some of the examples are: -

-
-
    -
  • -

    - CPU controller regulates the distribution of CPU cycles. This controller implements: -

    -
    -
      -
    • - Weight and absolute bandwidth limit models for normal scheduling policy. -
    • -
    • - Absolute bandwidth allocation model for real-time scheduling policy. -
    • -
    -
    -
  • -
  • - Cpuset controller confines processor and/or memory placement of processes to only those - of the mentioned resources that are specified in the cpuset - interface files. -
  • -
  • -

    - Memory controller regulates the memory distribution. Currently, the following types - of memory usages are tracked: -

    -
    -
      -
    • - Userland memory - page cache and anonymous memory. -
    • -
    • - Kernel data structures such as dentries and inodes. -
    • -
    • - TCP socket buffers. -
    • -
    -
    -
  • -
  • - I/O controller regulates the distribution of I/O resources. -
  • -
  • - Writeback controller interacts with both Memory and I/O controllers and is Control Group v2 specific. -
  • -
-
-

- The information above was based on Control Group - v2 upstream documentation. You can refer to the same link to obtain more information - about particular Control Group v2 - controllers. -

-

- Be warned that not all features mentioned in the upstream document are implemented yet in RHEL - 8. -

-

- (BZ#1401552) -

-
-

Randomizing free lists: Improved performance and utilization of - direct-mapped memory-side-cache

-

- With this enhancement, you can enable page allocator to randomize free lists and improve the - average utilization of a direct-mapped memory-side-cache. The kernel command-line option - page_alloc.shuffle, enables the page allocator to randomize the - free lists and sets the boolean flag to True. The sysfs file, which is located at /sys/module/page_alloc/parameters/shuffle reads the flag status, - shuffles the free lists, such that the Dynamic Random Access Memory (DRAM) is cached, and - the latency band between the DRAM and persistent memory is reduced. As a result, persistent - memory with a higher capacity and lower bandwidth is available on general purpose server - platforms. -

-
-

- (BZ#1620349) -

-
-

The TPM userspace tool has been updated to the last version -

-

- The tpm2-tools userspace tool has been updated to version - 3.2.1. This update provides several bug fixes, in particular relating to Platform - Configuration Register code and manual page clean ups. -

-
-

- (BZ#1725714) -

-
-

The C620-series PCH chipset now supports the Intel Trace Hub - feature

-

- This update adds hardware support for Intel Trace Hub (TH) in C620-series Platform - Controller Hub (PCH), also known as Lewisburg PCH. Users with C620-series PCH can now use - Intel TH. -

-
-

- (BZ#1714486) -

-
-

The perf tool now supports per die events - aggregation for CLX-AP and CPX processors

-

- With this update, the perf tool now provides support for - per-die event counts aggregation for some Intel CPUs with multiple dies. To enable this - mode, add the --per-die option in addition to the -a option for Xeon Cascade Lake-AP (CLX-AP) and Cooper Lake (CPX) - system processors. As a result, this update detects any imbalance between the dies. The - perf stat command captures the event counts and displays the - output as: -

-
-
# perf stat -e cycles --per-die -a -- sleep 1
- Performance counter stats for 'system wide':
-S0-D0           8         21,029,877      cycles
-S0-D1           8         19,192,372      cycles
-

- (BZ#1660368) -

-
-

The threshold of crashkernel=auto is - decreased on IBM Z

-

- The lower threshold of the crashkernel=auto kernel command-line - parameter is now decreased from 4G to 1G on IBM Z systems. This implementation allows the - IBM Z to align with the threshold of the AMD64 and Intel 64 systems to share the same - reservation policy on the lower threshold of crashkernel=auto. - As a result, the crash kernel is able to automatically reserve memory for kdump on systems with less than 4GB RAM. -

-
-

- (BZ#1780432) -

-
-

The numactl manual entry clarifies the - memory usage output

-

- With this release of RHEL 8, the manual page for numactl - explicitly mentions that the memory usage information reflects only the resident pages on - the system. The reason for this addition is to eliminate potential confusion for users - whether the memory usage information relates to resident pages or virtual memory. -

-
-

- (BZ#1730738) -

-
-

The kexec-tools document is now updated to - include Kdump FCoE target support

-

- In this release, the /usr/share/doc/kexec-tools/supported-kdump-targets.txt file has - been updated to include Kdump Fibre Channel over Ethernet (FCoE) target support. As a - result, users can now have better understanding of the status and details of the kdump crash dumping mechanism on a FCoE target support. -

-
-

- (BZ#1690729) -

-
-

Firmware-assisted dump now supports PowerNV

-

- Firmware-assisted dump (fadump) mechanism is now supported on - the PowerNV platform. The feature is supported with the IBM POWER9 FW941 firmware version - and later. At the time of system failure, fadump, along with - the vmcore file, also exports the opalcore file. The opalcore file - contains information about the state of OpenPOWER Abstraction Layer (OPAL) memory at the - time of breakdown. The opalcore file is helpful in debugging - crashes of OPAL-based systems. -

-
-

- (BZ#1524687) -

-
-

kernel-rt source tree now matches the - latest RHEL 8 tree

-

- The kernel-rt sources have been updated to use the latest RHEL - kernel source tree. The realtime patch set has also been updated to the latest upstream - v5.2.21-rt13 version. Both of these updates provide a number of bug fixes and enhancements. -

-
-

- (BZ#1680161) -

-
-

rngd is now able to run with non-root - privileges

-

- The random number generator daemon (rngd) checks whether data - supplied by the source of randomness is sufficiently random and then stores the data in the - kernel’s random-number entropy pool. With this update, rngd is - able to run with non-root user privileges to enhance system security. -

-
-

- (BZ#1692435) -

-
-

Virtual Persistent Memory now supported for RHEL 8.2 and later on POWER - 9

-

- When running a RHEL 8.2 or later host with a PowerVM hypervisor on IBM POWER9 hardware, the - host can now use the Virtual Persistent Memory (vPMEM) feature. With vPMEM, data persists - across application and partition restarts until the physical server is turned off. As a - result, restarting workloads that use vPMEM is significantly faster. -

-
-

- The following requirements must be met for your system to be able to use vPMEM: -

-
-
    -
  • - Hardware Management Console (HMC) V9R1 M940 or later -
  • -
  • - Firmware level FW940 or later -
  • -
  • - E980 system firmware FW940 or later -
  • -
  • - L922 system firmware FW940 or later -
  • -
  • - PowerVM level V3.1.1 -
  • -
-
-

- Note that several known issues currently occur in RHEL 8 with vPMEM. For details, see the - following Knowledgebase articles: -

- -

- (BZ#1859262) -

-
-
-
-
-
-

5.1.8. File systems and storage

-
-
-
-
-

LVM now supports the dm-writecache caching - method

-

- LVM cache volumes now provide the dm-writecache caching method - in addition to the existing dm-cache method. -

-
-
-
-
dm-cache
-
- This method speeds up access to frequently used data by caching it on the faster volume. - The method caches both read and write operations. -
-
dm-writecache
-
- This method caches only write operations. The faster volume, usually an SSD or a - persistent memory (PMEM) disk, stores the write operations first and then migrates them - to the slower disk in the background. -
-
-
-

- To configure the caching method, use the --type cache or --type writecache option with the lvconvert utility. -

-

- For more information, see Enabling - caching to improve logical volume performance. -

-

- (BZ#1600174) -

-
-

VDO async policy is now ACID - compliant

-

- With this release, the VDO async write mode is now compliant - with Atomicity, Consistency, Isolation, Durability (ACID). If the system unexpectedly halts - while VDO is writing data in async mode, the recovered data is - now always consistent. -

-
-

- Due to the ACID compliance, the performance of async is now lower - compared to the previous release. To restore the original performance, you can change the write - mode on your VDO volume to async-unsafe mode, which is not ACID - compliant. -

-

- For more information, see Selecting - a VDO write mode. -

-

- (BZ#1657301) -

-
-

You can now import VDO volumes

-

- The vdo utility now enables you to import existing VDO volumes - that are currently not registered on your system. To import a VDO volume, use the vdo import command. -

-
-

- Additionally, you can modify the Universally Unique Identifier (UUID) of a VDO volume using the - vdo import command. -

-

- (BZ#1713749) -

-
-

New per-op error counter is now available - in the output of the mountstats and nfsiostat

-

- A minor supportability feature is available for the NFS client systems: the output of the - mountstats and nfsiostat commands - in nfs-utils have a per-op error - count. This enhancement allows these tools to display per-op - error counts and percentages that can assist in narrowing down problems on specific NFS - mount points on an NFS client machine. Note that these new statistics depend on kernel - changes that are inside the Red Hat Enterprise Linux 8.2 kernel. -

-
-

- (BZ#1719983) -

-
-

Writeback IOs with cgroup awareness is now - available in XFS

-

- With this release, XFS supports writeback IOs with cgroup - awareness. In general, cgroup writeback requires explicit - support from the underlying file system. Until now, writeback IOs on XFS was the attribute - for the root cgroup only. -

-
-

- (BZ#1274406) -

-
-

The FUSE file systems now implement copy_file_range()

-

- The copy_file_range() system call provides a way for file - systems to implement efficient data copy mechanism. With this update, GlusterFS, which is - using the Filesystem in Userspace (FUSE) framework takes advantage of this mechanism. Since - read/write functionality of FUSE file systems involves multiple copies of data, using copy_file_range() can significantly improve performance. -

-
-

- (BZ#1650518) -

-
-

Support for per-op statistics is now - available for the mountstats and nfsiostat commands

-

- A support feature is now available for the NFS client systems: the /proc/self/mountstats file has the per-op error counter. With this update, under each per-op statistics row, the ninth number indicates the number of - the operations that have been completed with a status value less then zero. This status - value indicates an error. For more information, see the updates to the mountstats and nfsiostat programs in - the nfs-utils that displays these new error counts. -

-
-

- (BZ#1636572) -

-
-

New mount stats lease_time and lease_expired are available in /proc/self/mountstats file

-

- A support feature is available for NFSv4.x client systems. The /proc/self/mountstats file has the lease_time and the lease_expired - fields at the end of the line starting with nfsv4:. The lease_time field indicates the number of seconds in the NFSv4 - lease time. The lease_expired field indicates the number of - seconds since the lease has expired, or 0 if the lease has not expired. -

-
-

- (BZ#1727369) -

-
-

Surprise removal of NVMe devices

-

- With this enhancement, you can surprise remove NVMe devices from the Linux operating system - without notifying the operating system beforehand. This will enhance the serviceability of - NVMe devices because no additional steps are required to prepare the devices for orderly - removal, which ensures the availability of servers by eliminating server downtime. -

-
-

- Note the following: -

-
-
    -
  • - Surprise removal of NVMe devices requires kernel-4.18.0-193.13.2.el8_2.x86_64 version or later. -
  • -
  • - Additional requirements from the hardware platform or the software running on the - platform might be necessary for successful surprise removal of NVMe devices. -
  • -
  • - Surprise removing an NVMe device that is critical to the system operation is not - supported. For example, you cannot remove an NVMe device that contains the operating - system or a swap partition. -
  • -
-
-

- (BZ#1634655) -

-
-
-
-
-
-

5.1.9. High availability and clusters

-
-
-
-
-

New command options to disable a resource only if this would not affect - other resources

-

- It is sometimes necessary to disable resources only if this would not have an effect on - other resources. Ensuring that this would be the case can be impossible to do by hand when - complex resource relations are set up. To address this need, the pcs resource disable command now supports the following options: -

-
-
-
    -
  • - pcs resource disable --simulate: show effects of disabling - specified resource(s) while not changing the cluster configuration -
  • -
  • - pcs resource disable --safe: disable specified resource(s) - only if no other resources would be affected in any way, such as being migrated from one - node to another -
  • -
  • - pcs resource disable --safe --no-strict: disable specified - resource(s) only if no other resources would be stopped or demoted -
  • -
-
-

- In addition, the pcs resource safe-disable command has been - introduced as an alias for pcs resource disable --safe. -

-

- (BZ#1631519) -

-
-

New command to show relations between resources

-

- The new pcs resource relations command allows you to display - the relations between cluster resources in a tree structure. -

-
-

- (BZ#1631514) -

-
-

New command to display the status of both a primary site and recovery - site cluster

-

- If you have configured a cluster to use as a recovery site, you can now configure that - cluster as a recovery site cluster with the pcs dr command. You - can then use the pcs dr command to display the status of both - your primary site cluster and your recovery site cluster from a single node. -

-
-

- (BZ#1676431) -

-
-

Expired resource constraints are now hidden by default when listing - constraints

-

- Listing resource constraints no longer by default displays expired constraints. To include - expired constaints, use the --all option of the pcs constraint command. This will list expired constraints, - noting the constraints and their associated rules as (expired) - in the display. -

-
-

- (BZ#1442116) -

-
-

Pacemaker support for configuring resources to remain stopped on clean - node shutdown

-

- When a cluster node shuts down, Pacemaker’s default response is to stop all resources - running on that node and recover them elsewhere. Some users prefer to have high availability - only for failures, and to treat clean shutdowns as scheduled outages. To address this, - Pacemaker now supports the shutdown-lock and shutdown-lock-limit cluster properties to specify that resources - active on a node when it shuts down should remain stopped until the node next rejoins. Users - can now use clean shutdowns as scheduled outages without any manual intervention. For - information on configuring resources to remain stopped on a clean node shutdown, see link: - Configuring - resources to remain stopped on clean node shutdown. -

-
-

- (BZ#1712584) -

-
-

Support for running the cluster environment in a single node -

-

- A cluster with only one member configured is now able to start and run resources in a - cluster environment. This allows a user to configure a separate disaster recovery site for a - multi-node cluster that uses a single node for backup. Note that a cluster with only one - node is not in itself fault tolerant. -

-
-

- (BZ#1700104) -

-
-
-
-
-
-

5.1.10. Dynamic programming languages, web and database servers

-
-
-
-
-

A new module: python38

-

- RHEL 8.2 introduces Python 3.8, provided by the new module python38 and the ubi8/python-38 - container image. -

-
-

- Notable enhancements compared to Python 3.6 include: -

-
-
    -
  • - New Python modules, for example, contextvars, dataclasses, or importlib.resources -
  • -
  • - New language features, such as assignment expressions (the so-called walrus operator, - :=) or positional-only parameters -
  • -
  • - Improved developer experience with the breakpoint() - built-in function, the = format string specification, and - compatibility between debug and non-debug builds of Python and extension modules -
  • -
  • - Performance improvements -
  • -
  • - Improved support for optional static type hints -
  • -
  • - An addition of the = specifier to formatted string literals - (f-strings) for easier debugging -
  • -
  • - Updated versions of packages, such as pip, requests, or Cython -
  • -
-
-

- Python 3.8 and packages built for it can be installed in parallel with Python 3.6 on the same - system. -

-

- Note that the python38 module does not include the same binary - bindings to system tools (RPM, DNF, SELinux, and others) that are provided for the python36 module. -

-

- To install packages from the python38 module, use, for example: -

-
# yum install python38
-# yum install python38-Cython
-

- The python38:3.8 module stream will be enabled automatically. -

-

- To run the interpreter, use, for example: -

-
$ python3.8
-$ python3.8 -m cython --help
-

- See Installing - and using Python for more information. -

-

- Note that Red Hat will continue to provide support for Python 3.6 until the end of life of RHEL - 8. Python 3.8 will have a shorter life cycle, see RHEL 8 - Application Streams Life Cycle. -

-

- (BZ#1747329) -

-
-

Changes in mod_wsgi installation -

-

- Previously, when the user tried to install the mod_wsgi module - using the yum install mod_wsgi command, the python3-mod_wsgi package was always installed. RHEL 8.2 - introduces Python 3.8 as an addition to Python 3.6. With this update, you need to specify - which version of mod_wsgi you want to install, otherwise an - error message is returned. -

-
-

- To install the Python 3.6 version of mod_wsgi: -

-
# yum install python3-mod_wsgi
-

- To install the Python 3.8 version of mod_wsgi: -

-
# yum install python38-mod_wsgi
-

- Note that the python3-mod_wsgi and python38-mod_wsgi packages conflict with each other, and only one - mod_wsgi module can be installed on a system due to a limitation of - the Apache HTTP Server. -

-

- This change introduced a dependency known issue described in BZ#1829692. -

-

- (BZ#1779705) -

-
-

Support for hardware-accelerated deflate in zlib on IBM Z

-

- This update adds support for a hardware-accelerated deflate algorithm to the zlib library in the IBM Z mainframes. As a result, performance of - compression and decompression on IBM Z vector machines has been improved. -

-
-

- (BZ#1659433) -

-
-

Performance improved when decompressing gzip on IBM Power Systems, little endian

-

- This update adds optimization for the 32-bit Cyclic Redundancy Check (CRC32) to the zlib library on IBM Power Systems, little endian. As a result, - performance of decompressing gzip files has been improved. -

-
-

- (BZ#1666798) -

-
-

A new module stream: maven:3.6 -

-

- RHEL 8.2 introduces a new module stream, maven:3.6. This - version of the Maven software project management and comprehension tool provides numerous - bug fixes and various enhancements over the maven:3.5 stream - distributed with RHEL 8.0. -

-
-

- To install the maven:3.6 stream, use: -

-
# yum module install maven:3.6
-

- If you want to upgrade from the maven:3.5 stream, see Switching - to a later stream. -

-

- (BZ#1783926) -

-
-

mod_md now supports the ACMEv2 - protocol

-

- The mod_md module has been updated to version 2.0.8. This - update adds a number of features, notably support for version 2 of the Automatic Certificate - Management Environment (ACME) certificate issuance and management protocol, which is the - Internet Engineering Task Force (IETF) standard (RFC 8555). The original ACMEv1 protocol - remains supported but is deprecated by popular service providers. -

-
-

- (BZ#1747923) -

-
-

New extensions for PHP 7.3

-

- The php:7.3 module stream has been updated to provide two new - PHP extensions: rrd and Xdebug. -

-
-

- The rrd extension provides bindings to the RRDtool C library. RRDtool is a high - performance data logging and graphing system for time series data. -

-

- The Xdebug extension is included to assist you with debugging and - development. Note that the extension is provided only for development purposes and should not be - used in production environments. -

-

- For information about installing and using PHP in RHEL 8, see Using - the PHP scripting language. -

-

- (BZ#1769857, BZ#1764738) -

-
-

New packages: perl-LDAP and perl-Convert-ASN1

-

- This update adds the perl-LDAP and Perl-Convert-ASN1 packages to RHEL 8. The perl-LDAP package provides an LDAP client for the Perl language. - perl-LDAP requires the perl-Convert-ASN1 package, which encodes and decodes Abstract - Syntax Notation One (ASN.1) data structures using Basic Encoding Rules (BER) and - Distinguished Encoding Rules (DER). -

-
-

- (BZ#1663063, BZ#1746898) -

-
-

sscg now supports generating private key - files protected by a password

-

- The sscg utility is now able to generate private key files - protected by a password. This adds another level of protection for private keys, and it is - required by some services, such as FreeRADIUS. -

-
-

- (BZ#1717880) -

-
-
-
-
-
-

5.1.11. Compilers and development tools

-
-
-
-
-

grafana rebased to version 6.3.6 -

-

- The grafana package has been upgraded to version 6.3.6, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Database: Rewrites system statistics query for better performance. -
  • -
  • -

    - Explore: -

    -
    -
      -
    • - Fixes query field layout in split view for the Safari browsers. -
    • -
    • - Adds Live option for the supported data sources, adds the orgId to URL for sharing purposes. -
    • -
    • - Adds support for the new loki start and end - parameters for labels endpoint. -
    • -
    • - Adds support for toggling raw query mode in the Explore, allow switching - between metrics and logs. -
    • -
    • - Displays log lines context, does not parse log levels if provided by field - or label. -
    • -
    • - Supports new LogQL filtering syntax. -
    • -
    • - Uses new TimePicker from Grafana/UI. -
    • -
    • - Handles newlines in the LogRow Highlighter. -
    • -
    • - Fixes browsing back to the dashboard panel. -
    • -
    • - Fixes filter by series level in logs graph. -
    • -
    • - Fix issues when loading and graph/table are collapsed. -
    • -
    • - Fixes the selection/copy of log lines. -
    • -
    -
    -
  • -
  • - Dashboard: Fixes dashboards init failed loading error for - dashboards with panel links that had missing properties, and fixes timezone dashboard - setting while exporting to the comma-separated values (CSV) Data links. -
  • -
  • - Editor: Fixes issue where only entire lines were being copied. -
  • -
  • - LDAP: Integration of the multi ldap and ldap authentication components. -
  • -
  • - Profile/UserAdmin: Fixes user agent parser crashing the grafana-server on 32-bit builds. -
  • -
  • -

    - Prometheus: -

    -
    -
      -
    • - Prevents panel editor crash while switching to the Prometheus data source, changes brace-insertion behaviour to be less annoying. -
    • -
    • - Fixes queries with the label_replace and - removes the $1 match when loading the query editor. -
    • -
    • - Consistently allows multi-line queries in the editor, taking timezone into - account for the step alignment. -
    • -
    • - Uses the overridden panel range for $__range - instead of the dashboard range. -
    • -
    • - Adds time range filter to series labels query, escapes | literals in the interpolated PromQL variables. -
    • -
    • - Fixes while adding labels for metrics which contain colons in the Explore. -
    • -
    -
    -
  • -
  • - Auth: Allows expiration of the API keys, returns device, os and browser while listing - user auth tokens in HTTP API, supports list and revoke of user auth tokens in UI. -
  • -
  • - DataLinks: Correctly applies scoped variables to the data links, follows timezone while - displaying datapoint timestamp in the graph context menu, uses datapoint timestamp - correctly when interpolating the variables, fixes the incorrect interpolation of the - ${__series_name}. -
  • -
  • - Graph: Fixes legend issue clicking on series line icon and issue with horizontal - scrollbar being visible on windows, adds new fill gradient option. -
  • -
  • - Graphite: Avoids the glob of single-value array variables, fixes issues with alias - function being moved last, fixes issue with the seriesByTag - & function with variable parameter, uses POST for /metrics/find requests. -
  • -
  • - TimeSeries: Assumes values are all numbers. -
  • -
  • - Gauge/BarGauge: Fixes issue with lost thresholds and an issue loading Gauge with the - avg stat. -
  • -
  • - PanelLinks: Fixes crash issue with Gauge & Bar Gauge panels with panel links (drill - down links), fixes render issue while there is no panel description. -
  • -
  • - OAuth: Fixes the missing saved state OAuth login failure - due to SameSite cookie policy, fixes for wrong user token updated on the OAuth refresh in DS proxy. -
  • -
  • - Auth Proxy: Includes additional headers as a part of the cache key. -
  • -
  • - cli: Fix for recognizing when in dev mode, fixes the issue - of encrypt-datasource-passwords failing with the sql error. -
  • -
  • - Permissions: Show plugins in the navigation for non admin users but hides plugin - configuration. -
  • -
  • - TimePicker: Increases max height of quick range dropdown and fixes style issue for - custom range popover. -
  • -
  • - Loki: Displays live tailed logs in correct order in the Explore. -
  • -
  • - Timerange: Fixes a bug where custom time ranges were not following the Universal Time - Coordinated (UTC). -
  • -
  • - remote_cache: Fixes the redis connstr parsing. -
  • -
  • - Alerting: Add tags to alert rules, attempts to send email notifications to all the given - email addresses, improves alert rule testing, support for configuring the content field - for the Discord alert notifier. -
  • -
  • - Alertmanager: Replaces illegal characters with underscore in the label names. -
  • -
  • - AzureMonitor: Changes clashing built-in Grafana variables or macro names for the Azure - Logs. -
  • -
  • - CloudWatch: Made region visible for Amazon Web Services (AWS) Cloudwatch Expressions, - adds the AWS DocDB metrics. -
  • -
  • - GraphPanel: Do not sort series when legend table and sort column is not visible. -
  • -
  • - InfluxDB: Supports visualizing logs in the Explore. -
  • -
  • - MySQL/Postgres/MSSQL: Adds parsing for day, weeks, and year intervals in macros, adds - support for periodically reloading client certs. -
  • -
  • - Plugins: Replaces the dataFormats list with the skipDataQuery flag in the plugin.json file. -
  • -
  • - Refresh picker: Handles empty intervals. -
  • -
  • - Singlestat: Add y min/max configuration to the singlestat - sparklines. -
  • -
  • - Templating: Correctly displays the __text in the - multi-value variable after page reloads, supports selecting all the filtered values of a - multi-value variable. -
  • -
  • - Frontend: Fixes Json tree component not working issue. -
  • -
  • - InfluxDB: Fixes issues with single quotes not escaped in the label value filters. -
  • -
  • - Config: Fixes the connectionstring option for the remote_cache in the defaults.ini - file. -
  • -
  • - Elasticsearch: Fixes the empty query (via template variable) should be sent as wildcard, - fixes the default max concurrent shard requests, supports visualizing logs in the - Explore. -
  • -
  • - TablePanel: Fixes the annotations display. -
  • -
  • - Grafana-CLI: Fixes receiving flags via command line, wrapper for the grafana-cli within the RPM/DEB - packages and config/homepath are now global flags. -
  • -
  • - HTTPServer: Fixes the X-XSS-Protection header formatting, - options for returning new headers X-Content-Type-Options, - X-XSS-Protection and Strict-Transport-Security, fixes the Strict-Transport-Security header, serves Grafana with a - custom URL path prefix. -
  • -
-
-

- (BZ#1725278) -

-
-

pcp rebased to version 5.0.2

-

- The pcp package has been upgraded to version 5.0.2, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - The pcp-webapp-* packages are now replaced by the grafana-pcp package and pmproxy. -
  • -
  • - The pcp-collectl tool is now replaced by the pmrep configurations. -
  • -
  • -

    - New and improved performance metric domain agents (PMDAs): -

    -
    -
      -
    • - pmdamssql: New PMDA for Microsoft SQL Server - implementation. -
    • -
    • - pmdanetcheck: New PMDA to perform network - checks. -
    • -
    • - pmdaopenmetrics: Renames prometheus agent to openmetrics. -
    • -
    • - pmdanfsclient: Adds the per-op and per-mount - rpc error metrics. -
    • -
    • - pmdalmsensors: Improvements in the name parsing - and error handling. -
    • -
    • - pmdaperfevent: Supports hv_24x7 nest events on the multi-node system. -
    • -
    • -

      - pmdalinux: -

      -
      -
        -
      • - Correctly handles sparse or discontinuous numa nodes. -
      • -
      • - Uses cpu instname and not the instid for per-cpu numa stats. -
      • -
      • - Adds an active and total slabs to slabinfo v2 parsing -
      • -
      • - Fixes several unix socket, icmp6 - metrics, hugepage metric value. calculations, segfault in interrupts code with - large CPU counts -
      • -
      • - Fetches more network metrics in the --container namespace. -
      • -
      -
      -
    • -
    • - pmdabcc: Fixes the tracepoints module for the - bcc 0.10.0 and higher versions -
    • -
    • - pmdabpftrace: New PMDA for metrics from the - bpftrace scripts -
    • -
    • -

      - pmdaproc: -

      -
      -
        -
      • - Fixes memory leak in the pidlist - refresh. -
      • -
      • - Avoids excessive stat calls in cgroups_scan. -
      • -
      • - Retains cgroup paths and only - un-escape instance names. -
      • -
      -
      -
    • -
    • - pmdaroot: Improves handling of cached or - inactive the cgroup behaviour and refreshes the - container indom on cgroup fs change as well. -
    • -
    -
    -
  • -
  • -

    - Fixes to collector (server) tools: -

    -
    -
      -
    • - pmproxy: Openmetrics support via the /metrics endpoint, consolidates the pmseries/grafana REST API, and adds new async - PMWEBAPI(3) REST API implementation. -
    • -
    • - selinux: Numerous pcp policy updates. -
    • -
    • - python pmdas: Enables authentication support, - new set_comm_flags method to set the - communication flags. -
    • -
    • - python api: Exports the pmdaGetContext() and adds debugging wrapper. -
    • -
    • - perl api: Ensures context set up for PMDA store - as with python wrapper. -
    • -
    • - systemd: Adds 120s timeout in all the services - and fixes failure to start the pmlogger - service. -
    • -
    -
    -
  • -
  • -

    - Fixes to analysis (client) tools: -

    -
    -
      -
    • - pmchart: Fixes chart auto-scaling under fetch - error conditions. -
    • -
    • - pmrep: Fixes the wait.formula for collectl-dm-sD and collectl-sD. -
    • -
    • - pmseries: Provides support for the delta - keyword and better timestamps. -
    • -
    • - pcp-atop: Fixes the write mode (-w) to handle the proc vs hotproc - metrics. -
    • -
    • - pcp-atopsar: Fixes the mishandling of a few - command line arguments. -
    • -
    • - pcp-dstat: Fixes misaligned headers in CSV - output and handling of the --bits command line - option. -
    • -
    • - libpcp: Fixes the cockpit-pcp segv - with local context and multi-archive replay error handling for the corrupted - archive(s). -
    • -
    -
    -
  • -
-
-

- (BZ#1723598) -

-
-

grafana-pcp is now available in RHEL - 8.2

-

- The grafana-pcp package provides new grafana data sources and application plugins connecting PCP with grafana. With the grafana-pcp package, you can analyze historical PCP metrics and real-time PCP - metrics using the pmseries query language and pmwebapi live services respectively. For more information, see Performance Co-Pilot - Grafana Plugin. -

-
-

- (BZ#1685315) -

-
-

Updated GCC Toolset 9

-

- GCC Toolset 9 is a compiler toolset that provides recent versions of development tools. It - is available as an Application Stream in the form of a Software Collection in the AppStream repository. -

-
-

- Notable changes introduced with RHEL 8.2 include: -

-
-
    -
  • - The GCC compiler has been updated to version 9.2.1, which provides many bug fixes and - enhancements that are available in upstream GCC. -
  • -
  • -

    - The GCC Toolset 9 components are now available in the two container images: -

    -
    -
      -
    • - rhel8/gcc-toolset-9-toolchain, which includes - the GCC compiler, the GDB debugger, and the make automation tool. -
    • -
    • -

      - rhel8/gcc-toolset-9-perftools, which - includes the performance monitoring tools, such as SystemTap and - Valgrind. -

      -

      - To pull a container image, run the following command as root: -

      -
      # podman pull registry.redhat.io/<image_name>
      -
    • -
    -
    -
  • -
-
-

- The following tools and versions are provided by GCC Toolset 9: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 9.2.1 -

-
-

- GDB -

-
-

- 8.3 -

-
-

- Valgrind -

-
-

- 3.15.0 -

-
-

- SystemTap -

-
-

- 4.1 -

-
-

- Dyninst -

-
-

- 10.1.0 -

-
-

- binutils -

-
-

- 2.32 -

-
-

- elfutils -

-
-

- 0.176 -

-
-

- dwz -

-
-

- 0.12 -

-
-

- make -

-
-

- 4.2.1 -

-
-

- strace -

-
-

- 5.1 -

-
-

- ltrace -

-
-

- 0.7.91 -

-
-

- annobin -

-
-

- 9.08 -

-
-
-

- To install GCC Toolset 9, run the following command as root: -

-
# yum install gcc-toolset-9
-

- To run a tool from GCC Toolset 9: -

-
$ scl enable gcc-toolset-9 tool
-

- To run a shell session where tool versions from GCC Toolset 9 take precedence over system - versions of these tools: -

-
$ scl enable gcc-toolset-9 bash
-

- For more information, see Using - GCC Toolset. -

-

- (BZ#1789401) -

-
-

GCC Toolset 9 now supports NVIDIA PTX target offloading

-

- The GCC compiler in GCC Toolset 9 now supports OpenMP target offloading for NVIDIA PTX. -

-
-

- (BZ#1698607) -

-
-

The updated GCC compiler is now available for RHEL 8.2

-

- The system GCC compiler, version 8.3.1, has been updated to include numerous bug fixes and - enhancements available in the upstream GCC. -

-
-

- The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, - and Fortran programming languages. -

-

- For usage information, see Developing - C and C++ applications in RHEL 8. -

-

- (BZ#1747157) -

-
-

A new tunable for changing the maximum fastbin size in glibc

-

- The malloc function uses a series of fastbins that hold - reusable memory chunks up to a specific size. The default maximum chunk size is 80 bytes on - 32-bit systems and 160 bytes on 64-bit systems. This enhancement introduces a new glibc.malloc.mxfast tunable to glibc - that enables you to change the maximum fastbin size. -

-
-

- (BZ#1764218) -

-
-

Vectorized math library is now enabled for GNU Fortran in GCC Toolset - 9

-

- With this enhancement, GNU Fortran from GCC Toolset can now use routines from the vectorized - math library libmvec. Previously, the Fortran compiler in GCC - Toolset needed a Fortran header file before it could use routines from libmvec provided by the GNU C Library glibc. -

-
-

- (BZ#1764238) -

-
-

The glibc.malloc.tcache tunable has been - enhanced

-

- The glibc.malloc.tcache_count tunable allows to set the maximum - number of memory chunks of each size that can be stored in the per-thread cache (tcache). - With this update, the upper limit of the glibc.malloc.tcache_count tunable has been increased from 127 to - 65535. -

-
-

- (BZ#1746933) -

-
-

The glibc dynamic loader is enhanced to - provide a non-inheriting library preloading mechanism

-

- With this enhancement, the loader can now be invoked to load a user program with a --preload option followed by a colon-separated list of libraries - to preload. This feature allows users to invoke their programs directly through the loader - with a non-inheriting library preload list. -

-
-

- Previously, users had to use the LD_PRELOAD environment variable which was inherited by all - child processes through their environment. -

-

- (BZ#1747453) -

-
-

GDB now supports the ARCH(13) extension on the IBM Z - architecture

-

- With this enhancement, the GNU Debugger (GDB) now supports the new instructions implemented - by the ARCH(13) extension on the IBM Z architecture. -

-
-

- (BZ#1768593) -

-
-

elfutils rebased to version 0.178 -

-

- The elfutils package has been upgraded to version 0.178, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - elfclassify: a new tool to analyze ELF objects. -
  • -
  • - debuginfod: a new server, client tool, and library to index - and automatically fetch ELF, DWARF, and source from files and RPM archives through HTTP. -
  • -
  • - libebl is now directly compiled into libdw.so. -
  • -
  • - eu-readelf has multiple new flags for notes, section - numbering, and symbol tables. -
  • -
  • - libdw has improved multithreading support. -
  • -
  • - libdw supports additional GNU DWARF extensions. -
  • -
-
-

- (BZ#1744992) -

-
-

SystemTap rebased to version 4.2

-

- The SystemTap instrumentation tool has been updated to version 4.2. Notable enhancements - include: -

-
-
-
    -
  • - Backtraces can now include source file names and line numbers. -
  • -
  • - Numerous Berkeley Packet Filter (BPF) back-end extensions are now available, for - example, for looping, timing, and other processes. -
  • -
  • - A new service for managing SystemTap scripts is available. This service sends metrics to - a Prometheus-compatible monitoring system. -
  • -
  • - SystemTap has inherited functionality of a new HTTP file server for elfutils called debuginfod. This - server automatically sends debugging resources to SystemTap. -
  • -
-
-

- (BZ#1744989) -

-
-

Enhancements to IBM Z series performance counters

-

- IBM Z series type 0x8561, 0x8562, and 0x3907 (z14 ZR1) machines are now recognized by libpfm. Performance events for monitoring elliptic-curve - cryptography (ECC) operations on IBM Z series are now available. This allows monitoring of - additional subsystems on IBM Z series machines. -

-
-

- (BZ#1731019) -

-
-

Rust Toolset rebased to version 1.41

-

- Rust Toolset has been updated to version 1.41. Notable changes include: -

-
-
-
    -
  • - Implementing new traits is now easier because the orphan rule is less strict. -
  • -
  • - You can now attach the #[non_exhaustive] attribute to a - struct, an enum, or enum variants. -
  • -
  • - Using Box<T> in the Foreign Function Interface (FFI) - has more guarantees now. Box<T> will have the same - Application Binary Interface (ABI) as a T* pointer in the - FFI. -
  • -
  • - Rust is supposed to detect memory-safety bugs at compile time, but the previous borrow - checker had limitations and allowed undefined behaviour and memory unsafety. The new - non-lexical lifetimes (NLL) borrow checker can report memory unsafety problems as hard - errors. It now applies to the Rust 2015 and Rust 2018 editions. Previously, in Rust 2015 - the NLL borrow checker only raised warnings about such problems. -
  • -
-
-

- To install the rust-toolset module, run the following command as - root: -

-
# yum module install rust-toolset
-

- For usage information, see Using Rust - Toolset. -

-

- (BZ#1776847) -

-
-

LLVM Toolset rebased to version 9.0.1

-

- LLVM Toolset has been upgraded to version 9.0.1. With this update, the asm goto statements are now supported. This change allows to - compile the Linux kernel on the AMD64 and Intel 64 architectures. -

-
-

- To install the llvm-toolset module, run the following command as - root: -

-
# yum module install llvm-toolset
-

- For more information, see Using LLVM - Toolset. -

-

- (BZ#1747139) -

-
-

Go Toolset rebased to version 1.13

-

- Go Toolset has been upgraded to version 1.13. Notable enhancements include: -

-
-
-
    -
  • - Go can now use a FIPS-certified cryptographic module when the RHEL system is booted in - the FIPS mode. Users can enable this mode manually using the GOLANG_FIPS=1 environment variable. -
  • -
  • - The Delve debugger, version 1.3.2, is now available for Go. It is a source-level - debugger for the Go (golang) programming language. -
  • -
-
-

- To install the go-toolset module, run the following command as - root: -

-
# yum module install go-toolset
-

- To install the Delve debugger, run the following command as root: -

-
# yum install delve
-

- To debug a helloworld.go program using Delve, run the following - command: -

-
$ dlv debug helloworld.go
-

- For more information on Go Toolset, see Using Go - Toolset. -

-

- For more information on Delve, see the upstream Delve documentation. -

-

- (BZ#1747150) -

-
-

OpenJDK now supports also secp256k1

-

- Previously, Open Java Development Kit (OpenJDK) could use only curves from the NSS library. - Consequently, OpenJDK provided only the secp256r1, secp384r1, and secp521r1 curves for - elliptic curve cryptography (ECC). With this update, OpenJDK uses the internal ECC - implementation and supports also the secp256k1 curve. -

-
-

- (BZ#1746875, BZ#1746879) -

-
-
-
-
-
-

5.1.12. Identity Management

-
-
-
-
-

IdM now supports new Ansible management modules

-

- This update introduces several ansible-freeipa modules for - automating common Identity Management (IdM) tasks using Ansible playbooks: -

-
-
-
    -
  • - The ipauser module automates adding and removing users. -
  • -
  • - The ipagroup module automates adding and removing users and - user groups to and from user groups. -
  • -
  • - The ipahost module automates adding and removing hosts. -
  • -
  • - The ipahostgroup module automates adding and removing hosts - and host groups to and from host groups. -
  • -
  • - The ipasudorule module automates the management of sudo command and sudo rule. -
  • -
  • - The ipapwpolicy module automates the configuration of - password policies in IdM. -
  • -
  • - The ipahbacrule module automates the management of - host-based access control in IdM. -
  • -
-
-

- Note that you can combine two or more ipauser calls into one with - the users variable or, alternatively, use a JSON file containing - the users. Similarly, you can combine two or more ipahost calls - into one with the hosts variable or, alternatively, use a JSON file - containing the hosts. The ipahost module can also ensure the - presence or absence of several IPv4 and IPv6 addresses for a host. -

-

- (JIRA:RHELPLAN-37713) -

-
-

IdM Healthcheck now supports screening DNS - records

-

- This update introduces a standalone manual test of DNS records on an Identity Management - (IdM) server. -

-
-

- The test uses the Healthcheck tool and performs a DNS query using - the local resolver in the etc/resolv.conf file. The test ensures - that the expected DNS records required for autodiscovery are resolvable. -

-

- (JIRA:RHELPLAN-37777) -

-
-

Direct integration of RHEL into AD using SSSD now supports - FIPS

-

- With this enhancement, the System Services Security Daemon (SSSD) now integrates with Active - Directory (AD) deployments whose authentication mechanisms use encryption types that were - approved by the Federal Information Processing Standard (FIPS). The enhancement enables you - to directly integrate RHEL systems into AD in environments that must meet the FIPS criteria. -

-
-

- (BZ#1841170) -

-
-

The SMB1 protocol has been disabled in the Samba server and client - utilities by default

-

- In Samba 4.11, the default values of the server min protocol - and client min protocol parameters have been changed from NT1 to SMB2_02 because the server - message block version 1 (SMB1) protocol is deprecated. If you have not set these parameters - in the /etc/samba/smb.conf file: -

-
-
-
    -
  • - Clients that only support SMB1 are no longer able to connect to the Samba server. -
  • -
  • - Samba client utilities, such as smbclient, and the libsmbclient library fail to connect to servers that only - support SMB1. -
  • -
-
-

- Red Hat recommends to not use the SMB1 protocol. However, if your environment requires SMB1, you - can manually re-enable the protocol. -

-

- To re-enable SMB1 on a Samba server: -

-
-
    -
  • - Add the following setting to the /etc/samba/smb.conf file: -
  • -
-
-
server min protocol = NT1
-
-
    -
  • - Restart the smb service: -
  • -
-
-
# systemctl restart smb
-

- To re-enable SMB1 for Samba client utilities and the libsmbclient - library: -

-
-
    -
  • - Add the following setting to the /etc/samba/smb.conf file: -
  • -
-
-
client min protocol = NT1
-
-
    -
  • - Restart the smb service: -
  • -
-
-
# systemctl restart smb
-

- Note that the SMB1 protocol will be removed in a future Samba release. -

-

- (BZ#1785248) -

-
-

samba rebased to version - 4.11.2

-

- The samba packages have been upgraded to upstream - version 4.11.2, which provides a number of bug fixes and enhancements over the previous - version. Notable changes include: -

-
-
-
    -
  • - By default, the server message block version 1 (SMB1) protocol is now disabled in the - Samba server, client utilities, and the libsmbclient - library. However, you can still set the server min protocol - and client min protocol parameters manually to NT1 to re-enable SMB1. Red Hat does not recommend to - re-enabling the SMB1 protocol. -
  • -
  • - The lanman auth and encrypt passwords parameters are deprecated. These parameters - enable insecure authentication and are only available in the deprecated SMB1 protocol. -
  • -
  • - The -o parameter has been removed from the onode clustered trivial database (CTDB) utility. -
  • -
  • - Samba now uses the GnuTLS library for encryption. As a result, if the FIPS mode in RHEL - is enabled, Samba is compliant with the FIPS standard. -
  • -
  • - The ctdbd service now logs when it uses more than 90% of a - CPU thread. -
  • -
  • - The deprecated Python 2 support has been removed. -
  • -
-
-

- Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting - Samba. Note that Red Hat does not support downgrading tdb database - files. -

-

- For further information about notable changes, read the upstream release notes before updating: - https://www.samba.org/samba/history/samba-4.11.0.html -

-

- (BZ#1754409) -

-
-

Directory Server rebased to version 1.4.2.4

-

- The 389-ds-base packages have been upgraded to - upstream version 1.4.2.4, which provides a number of bug fixes and enhancements over the - previous version. For a complete list of notable changes, read the archived upstream release - notes before updating: -

-
-

- 389 Directory - Server Release Notes archive includes release notes for the following releases: * 389 - Directory Server 1.4.2.4 * 389 Directory Server 1.4.2.3 * 389 Directory Server 1.4.2.2 * 389 - Directory Server 1.4.2.1 -

-

- (BZ#1748994) -

-
-

Certain legacy scripts have been replaced in Directory Server -

-

- This enhancement provides replacements for the unsupported dbverify, validate-syntax.pl, cl-dump.pl, fixup-memberuid.pl, and - repl-monitor.pl legacy scripts in Directory Server. These - scripts have been replaced with the following commands: -

-
-
-
    -
  • - dbverify: dsctl instance_name dbverify -
  • -
  • - validate-syntax.pl: dsconf schema validate-syntax -
  • -
  • - cl-dump.pl: dsconf replication dump-changelog -
  • -
  • - fixup-memberuid.pl: dsconf plugin posix-winsync fixup -
  • -
  • - repl-monitor.pl: dsconf replication monitor -
  • -
-
-

- For a list of all legacy scripts and their replacements, see Command-line - utilities replaced in Red Hat Directory Server 11. -

-

- (BZ#1739718) -

-
-

Setting up IdM as a hidden replica is now fully supported

-

- Identity Management (IdM) in RHEL 8.2 fully supports setting up IdM servers as hidden - replicas. A hidden replica is an IdM server that has all services running and available. - However, it is not advertised to other clients or masters because no SRV records exist for the services in DNS, and LDAP server roles - are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas. -

-
-

- Hidden replicas are primarily designed for dedicated services that can otherwise disrupt - clients. For example, a full backup of IdM requires to shut down all IdM services on the master - or replica. Since no clients use a hidden replica, administrators can temporarily shut down the - services on this host without affecting any clients. Other use cases include high-load - operations on the IdM API or the LDAP server, such as a mass import or extensive queries. -

-

- To install a new hidden replica, use the ipa-replica-install --hidden-replica command. To change the state of - an existing replica, use the ipa server-state command. -

-

- For further details, see Installing - an IdM hidden replica. -

-

- (BZ#1719767) -

-
-

Kerberos ticket policy now supports authentication indicators -

-

- Authentication indicators are attached to Kerberos tickets based on which pre-authentication - mechanism has been used to acquire the ticket: -

-
-
-
    -
  • - otp for two-factor authentication (password + OTP) -
  • -
  • - radius for RADIUS authentication -
  • -
  • - pkinit for PKINIT, smart card or certificate authentication -
  • -
  • - hardened for hardened passwords (SPAKE or FAST) -
  • -
-
-

- The Kerberos Distribution Center (KDC) can enforce policies such as service access control, - maximum ticket lifetime, and maximum renewable age, on the service ticket requests which are - based on the authentication indicators. -

-

- With this enhancement, administrators can achieve finer control over service ticket issuance by - requiring specific authentication indicators from a user’s tickets. -

-

- (BZ#1777564) -

-
-

The krb5 package is now - FIPS-compliant

-

- With this enhancement, non-compliant cryptography is prohibited. As a result, administrators - can use Kerberos in FIPS-regulated environments. -

-
-

- (BZ#1754690) -

-
-

Directory Server sets the sslVersionMin - parameter based on the system-wide crypto policy

-

- By default, Directory Server now sets the value of the sslVersionMin parameter based on the system-wide crypto policy. - If you set the crypto policy profile in the /etc/crypto-policies/config file to: -

-
-
-
    -
  • - DEFAULT, FUTURE, or FIPS, Directory Server sets sslVersionMin to TLS1.2 -
  • -
  • - LEGACY, Directory Server sets sslVersionMin to TLS1.0 -
  • -
-
-

- Alternatively, you can manually set sslVersionMin to higher value - than the one defined in the crypto policy: -

-
# dsconf -D "cn=Directory Manager" __ldap://server.example.com__ security set --tls-protocol-min TLS1.3
-

- (BZ#1828727) -

-
-

SSSD now enforces AD GPOs by default

-

- The default setting for the SSSD option ad_gpo_access_control - is now enforcing. In RHEL 8, SSSD enforces access control rules - based on Active Directory Group Policy Objects (GPOs) by default. -

-
-

- Red Hat recommends ensuring GPOs are configured correctly in Active Directory before upgrading - from RHEL 7 to RHEL 8. If you would not like to enforce GPOs, change the value of the ad_gpo_access_control option in the /etc/sssd/sssd.conf file to permissive. -

-

- (JIRA:RHELPLAN-51289) -

-
-
-
-
-
-

5.1.13. Desktop

-
-
-
-
-

Wayland is now enabled on dual-GPU systems

-

- Previously, the GNOME environment defaulted to the X11 session on laptops and other systems - that have two graphical processing units (GPUs). With this release, GNOME now defaults to - the Wayland session on dual-GPU systems, - which is the same behavior as on single-GPU systems. -

-
-

- (BZ#1749960) -

-
-
-
-
-
-

5.1.14. Graphics infrastructures

-
-
-
-
-

Support for new graphics cards

-

- The following graphics cards are now supported: -

-
-
-
    -
  • - Intel HD Graphics 610, 620, and 630, which are found with the Intel Comet Lake H and U - processors -
  • -
  • -

    - Intel Ice Lake UHD Graphics 910 and Iris Plus Graphics 930, 940, and 950. -

    -

    - You no longer need to set the alpha_support kernel - option to enable support for Intel Ice Lake graphics. -

    -
  • -
  • -

    - The AMD Navi 10 family, which includes the following models: -

    -
    -
      -
    • - Radeon RX 5600 -
    • -
    • - Radeon RX 5600 XT -
    • -
    • - Radeon RX 5700 -
    • -
    • - Radeon RX 5700 XT -
    • -
    • - Radeon Pro W5700 -
    • -
    -
    -
  • -
  • -

    - The Nvidia Turing TU116 family, which includes the following models. -

    -

    - Note that the nouveau graphics driver does not yet - support 3D acceleration with the Nvidia Turing TU116 family. -

    -
    -
      -
    • - GeForce GTX 1650 Super -
    • -
    • - GeForce GTX 1660 -
    • -
    • - GeForce GTX 1660 Super -
    • -
    • - GeForce GTX 1660 Ti -
    • -
    • - GeForce GTX 1660 Ti Max-Q -
    • -
    -
    -
  • -
-
-

- Additionally, the following graphics drivers have been updated: -

-
-
    -
  • - The Matrox mgag2000 driver -
  • -
  • - The Aspeed ast driver -
  • -
  • - The Intel i915 driver -
  • -
-
-

- (JIRA:RHELPLAN-41384) -

-
-
-
-
-
-

5.1.15. The web console

-
-
-
-
-

Administrators can now use client certificates to authenticate to the - RHEL 8 web console

-

- With this web console enhancement, a system administrator can use client certificates to - access a RHEL 8 system locally or remotely using a browser with certificate authentication - built in. No additional client software is required. These certificates are commonly - provided by a smart card or Yubikey, or can be imported into the browser. -

-
-

- When logging in with a certificate, the user cannot currently perform administrative actions in - the web console. But the user can perform them on the Terminal page with the sudo command after authenticating with a password. -

-

- (JIRA:RHELPLAN-2507) -

-
-

Option to log in to the web console with a TLS client - certificate

-

- With this update, it is possible to configure the web console to log in with a TLS client - certificate that is provided by a browser or a device such as a smart card or a YubiKey. -

-
-

- (BZ#1678465) -

-
-

Changes to web console login

-

- RHEL web console has been updated with the following changes: -

-
-
-
    -
  • - The web console will automatically log you out of your current session after 15 minutes - of inactivity. You can configure the timeout in minutes in the /etc/cockpit/cockpit.conf file. -
  • -
  • - Similarly to SSH, the web console can now optionally show the content of banner files on - the login screen. Users need to configure the functionality in the /etc/cockpit/cockpit.conf file. -
  • -
-
-

- See the cockpit.conf(5) manual page for more information. -

-

- (BZ#1754163) -

-
-

The RHEL web console has been redesigned to use the PatternFly 4 user - interface design system

-

- The new design provides better accessibility and matches the design of OpenShift 4. Updates - include: -

-
-
-
    -
  • - The Overview page has been completely redesigned. For example, information is grouped - into easier-to-understand panels, health information is more prominent, resource graphs - have been moved to their own page, and the hardware information page is now easier to - find. -
  • -
  • - Users can use the new Search field in the Navigation menu to easily find specific pages - that are based on keywords. -
  • -
-
-

- For more information about PatternFly, see the PatternFly project page. -

-

- (BZ#1784455) -

-
-

Virtual Machines page updates

-

- The web console’s Virtual Machines page got several storage - improvements: -

-
-
-
    -
  • - Storage volume creation now works for all libvirt-supported types. -
  • -
  • - Storage pools can be created on LVM or iSCSI. -
  • -
-
-

- Additionally, the Virtual Machines page now supports the creation - and removal of virtual network interfaces. -

-

- (BZ#1676506, BZ#1672753) -

-
-

Web console Storage page updates -

-

- Usability testing showed that the default mount point - concept on the RHEL web console Storage page was hard to grasp, - and led to a lot of confusion. With this update, the web console no longer offers a Default choice when mounting a file system. Creating a - new file system now always requires a specified mount point. -

-
-

- Additionally, the web console now hides the distinction between the configuration (/etc/fstab) and the run-time state (/proc/mounts). Changes made in the web console always apply to both - the configuration and the run-time state. When the configuration and the run-time state differ - from each other, the web console shows a warning, and enable users to easily bring them back in - sync. -

-

- (BZ#1784456) -

-
-
-
-
-
-

5.1.16. Virtualization

-
-
-
-
-

Attempting to create a RHEL virtual machine from an install tree now - returns a more helpful error message.

-

- RHEL 7 and RHEL 8 virtual machines created using the virt-install utility with the --location option in some cases fail to boot. This update adds a - virt-install error message that provides instructions on how to work around this problem. -

-
-

- (BZ#1677019) -

-
-

Intel Xeon Platinum 9200 series processors supported on KVM - guests

-

- Support for Intel Xeon Platinum 9200 series processors (previously known as Cascade Lake) has now been added to the KVM hypervisor and kernel - code, and to the libvirt API. This enables KVM virtual machines to use Intel Xeon Platinum - 9200 series processors. -

-
-

- (JIRA:RHELPLAN-13995) -

-
-

EDK2 rebased to version - stable201908

-

- The EDK2 package has been upgraded to version stable201908, which provides multiple - enhancements. Notably: -

-
-
-
    -
  • - EDK2 now includes support for OpenSSL-1.1.1. -
  • -
  • - To comply with the upstream project’s licensing requirements, the EDK2 package license has been changed from BSD and OpenSSL and MIT to BSD-2-Clause-Patent and OpenSSL and MIT. -
  • -
-
-

- (BZ#1748180) -

-
-

Creating nested virtual machines

-

- With this update, nested virtualization is fully supported for KVM virtual machines (VMs) - running on an Intel 64 host with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs - on a physical RHEL 8 host can act as a hypervisor, and host its own VMs. -

-
-

- Note that on AMD64 systems, nested KVM virtualization remains a Technology Preview. -

-

- (JIRA:RHELPLAN-14047, JIRA:RHELPLAN-24437) -

-
-
-
-
-
-

5.1.17. Containers

-
-
-
-
-

The default registries search list in /etc/containers/registries.conf has been updated

-

- The default registries.search list in /etc/containers/registries.conf has been updated to only include - trusted registries that provide container images curated, patched, and maintained by Red Hat - and its partners. -

-
-

- Red Hat recommends always using fully qualified image names including: -

-
-
    -
  • - The registry server (full DNS name) -
  • -
  • - Namespace -
  • -
  • - Image name -
  • -
  • - Tag (for example registry.redhat.io/ubi8/ubu:latest) -
  • -
-
-

- When using short names, there is always an inherent risk of spoofing For example, a user wants - to pull an image named foobar from a registry and expects it to - come from myregistry.com. If myregistry.com is not first in the search list, an attacker could - place a different foobar image at a registry earlier in the search - list. The user would accidentally pull and run the attacker image and code rather than the - intended content. Red Hat recommends only adding registries which are trusted, that is - registries which do not allow unknown or anonymous users to create accounts with arbitrary - names. This prevents an image from being spoofed, squatted or otherwise made insecure. -

-

- (BZ#1810053) -

-
-

Podman no longer depends on oci-systemd-hook

-

- Podman does not need or depend on the oci-systemd-hook package - which has been removed from the container-tools:rhel8 and container-tools:2.0 module streams. -

-
-

- (BZ#1645280) -

-
-
-
-
-
-
-

5.2. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel - distributed with Red Hat Enterprise Linux 8.2. These changes include added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or - any noticeable behavior changes. -

-
-
-
-
-

5.2.1. New kernel parameters

-
-
-
-
-
-
cpuidle.governor = [CPU_IDLE]
-
- Name of the cpuidle governor to use. -
-
deferred_probe_timeout = [KNL]
-
-

- This is a debugging parameter for setting a timeout in seconds for the deferred - probe to give up waiting on dependencies to probe. -

-

- Only specific dependencies (subsystems or drivers) that have opted in will be - ignored. A timeout of 0 will timeout at the end of initcalls. This parameter will also dump out devices - still on the deferred probe list after retrying. -

-
-
kvm.nx_huge_pages = [KVM]
-
-

- This parameter controls the software workaround for the X86_BUG_ITLB_MULTIHIT bug. -

-

- The options are: -

-
-
    -
  • - force - Always deploy workaround. -
  • -
  • - off - Never deploy workaround. -
  • -
  • - auto (default) - Deploy workaround based on the - presence of X86_BUG_ITLB_MULTIHIT. -
  • -
-
-
-
-
-

- If the software workaround is enabled for the host, guests do not need to enable it for nested - guests. -

-
-
-
kvm.nx_huge_pages_recovery_ratio = [KVM]
-
- This parameter controls how many 4KiB pages are periodically zapped back to huge pages. - 0 disables the recovery, otherwise if the value is N, Kernel-based Virtual Machine (KVM) - will zap 1/Nth of the 4KiB pages every minute. The default is 60. -
-
page_alloc.shuffle = [KNL]
-
-

- Boolean flag to control whether the page allocator should randomize its free lists. -

-

- The randomization may be automatically enabled if the kernel detects it is running - on a platform with a direct-mapped memory-side cache. This parameter can be used to - override/disable that behavior. -

-

- The state of the flag can be read from the sysfs pseudo - filesystem from the /sys/module/page_alloc/parameters/shuffle file. -

-
-
panic_print =
-
-

- Bitmask for printing system info when panic happens. -

-

- The user can chose combination of the following bits: -

-
-
    -
  • - bit 0: print all tasks info -
  • -
  • - bit 1: print system memory info -
  • -
  • - bit 2: print timer info -
  • -
  • - bit 3: print locks info if the CONFIG_LOCKDEP - kernel configuration is on -
  • -
  • - bit 4: print the ftrace buffer -
  • -
  • - bit 5: print all printk messages in buffer -
  • -
-
-
-
rcutree.sysrq_rcu = [KNL]
-
- Commandeer a sysrq key to dump out Tree RCU’s rcu_node tree with an eye towards determining why a new grace - period has not yet started. -
-
rcutorture.fwd_progress = [KNL]
-
- Enable Read-copy update (RCU) grace-period forward-progress testing for the types of RCU - supporting this notion. -
-
rcutorture.fwd_progress_div = [KNL]
-
- Specify the fraction of a CPU-stall-warning period to do tight-loop forward-progress - testing. -
-
rcutorture.fwd_progress_holdoff = [KNL]
-
- Number of seconds to wait between successive forward-progress tests. -
-
rcutorture.fwd_progress_need_resched = [KNL]
-
- Enclose cond_resched() calls within checks for need_resched() during tight-loop forward-progress testing. -
-
tsx = [X86]
-
-

- This parameter controls the Transactional Synchronization Extensions (TSX) feature - in Intel processors that support TSX control. -

-

- The options are: -

-
-
    -
  • - on - Enable TSX on the system. Although there - are mitigations for all known security vulnerabilities, TSX accelerated - several previous speculation-related CVEs. As a result, there may be unknown - security risks associated with leaving it enabled. -
  • -
  • - off - Disable TSX on the system. This option - takes effect only on newer CPUs which are not vulnerable to - Microarchitectural Data Sampling (MDS). In other words they have MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1 and get the - new IA32_TSX_CTRL Model-specific register (MSR) - through a microcode update. This new MSR allows for a reliable deactivation - of the TSX functionality. -
  • -
  • - auto - Disable TSX if X86_BUG_TAA is present, otherwise enable TSX on - the system. -
  • -
-
-
-
-
-

- Not specifying this parameter is equivalent to tsx=off. -

-

- For details see the upstream kernel - documentation. -

-
-
-
tsx_async_abort = [X86,INTEL]
-
-

- This parameter controls mitigation for the TSX Async Abort (TAA) vulnerability. -

-

- Similar to Micro-architectural Data Sampling (MDS), certain CPUs that support - Transactional Synchronization Extensions (TSX) are vulnerable to an exploit against - CPU internal buffers. The exploit is able to forward information to a disclosure - gadget under certain conditions. -

-

- In vulnerable processors, the speculatively forwarded data can be used in a cache - side channel attack, to access data to which the attacker does not have direct - access. -

-

- The options are: -

-
-
    -
  • - full - Enable TAA mitigation on vulnerable CPUs - if TSX is enabled. -
  • -
  • - full,nosmt - Enable TAA mitigation and disable - Simultaneous Multi Threading (SMT) on vulnerable CPUs. If TSX is disabled, - SMT is not disabled because CPU is not vulnerable to cross-thread TAA - attacks. -
  • -
  • -

    - off - Unconditionally disable TAA - mitigation. -

    -

    - On MDS-affected machines, the tsx_async_abort=off parameter can be - prevented by an active MDS mitigation as both vulnerabilities are - mitigated with the same mechanism. Therefore, to disable this - mitigation, you need to specify the mds=off - parameter as well. -

    -

    - Not specifying this option is equivalent to tsx_async_abort=full. On CPUs which are MDS - affected and deploy MDS mitigation, TAA mitigation is not required and - does not provide any additional mitigation. -

    -
  • -
-
-
-
-
-

- For details see the upstream kernel - documentation. -

-
-
-
-
-
-

5.2.2. Updated kernel parameters

-
-
-
-
-
-
intel_iommu = [DMAR]
-
-

- Intel IOMMU driver Direct Memory Access Remapping (DMAR). -

-

- The options are: -

-
-
    -
  • - sm_on [Default Off] - By default, scalable mode - will be disabled even if the hardware advertises that it has support for the - scalable mode translation. With this option set, scalable mode will be used - on hardware which claims to support it. -
  • -
-
-
-
isolcpus = [KNL,SMP,ISOL]
-
-

- This parameter isolates a given set of CPUs from disturbance. -

-
-
    -
  • -

    - managed_irq - A sub-parameter, which - prevents the isolated CPUs from being targeted by managed interrupts, - which have an interrupt mask containing isolated CPUs. The affinity of - managed interrupts is handled by the kernel and cannot be changed via - the /proc/irq/* interfaces. -

    -

    - This isolation is the best effort and is only effective if the - automatically assigned interrupt mask of a device queue contains - isolated and housekeeping CPUs. If the housekeeping CPUs are online then - such interrupts are directed to the housekeeping CPU so that I/O - submitted on the housekeeping CPU cannot disturb the isolated CPU. -

    -

    - If the queue’s affinity mask contains only isolated CPUs then this - parameter has no effect on the interrupt routing decision. However the - interrupts are only delivered when the tasks running on those isolated - CPUs submit I/O. I/O submitted on the housekeeping CPUs has no influence - on those queues. -

    -
  • -
-
-
-
mds = [X86,INTEL]
-
-

- The changes to options: -

-
-
    -
  • - off - On TSX Async Abort (TAA)-affected - machines, mds=off can be prevented by an active - TAA mitigation as both vulnerabilities are mitigated with the same - mechanism. So in order to disable this mitigation, you need to specify the - tsx_async_abort=off kernel parameter too. -
  • -
-
-
-
-
-

- Not specifying this parameter is equivalent to mds=full. -

-

- For details see the upstream kernel - documentation. -

-
-
-
mem_encrypt = [X86-64]
-
-

- AMD Secure Memory Encryption (SME) control -

-

- … -

-

- For details on when the memory encryption can be activated, see the upstream kernel - documentation. -

-
-
mitigations =
-
-

- The changes to options: -

-
-
    -
  • -

    - off - Disable all optional CPU mitigations. - This improves system performance, but it may also expose users to - several CPU vulnerabilities. -

    -

    - Equivalent to: -

    -
    -
      -
    • - nopti [X86,PPC] -
    • -
    • - kpti=0 [ARM64] -
    • -
    • - nospectre_v1 [X86,PPC] -
    • -
    • - nobp=0 [S390] -
    • -
    • - nospectre_v2 [X86,PPC,S390,ARM64] -
    • -
    • - spectre_v2_user=off [X86] -
    • -
    • - spec_store_bypass_disable=off [X86,PPC] -
    • -
    • - ssbd=force-off [ARM64] -
    • -
    • - l1tf=off [X86] -
    • -
    • - mds=off [X86] -
    • -
    • - tsx_async_abort=off [X86] -
    • -
    • -

      - kvm.nx_huge_pages=off [X86] -

      -

      - Exceptions: -

      -

      - This does not have any effect on kvm.nx_huge_pages when kvm.nx_huge_pages=force. -

      -
    • -
    -
    -
  • -
  • -

    - auto,nosmt - Mitigate all CPU - vulnerabilities, disabling Simultaneous Multi Threading (SMT) if needed. - This option is for users who always want to be fully mitigated, even if - it means losing SMT. -

    -

    - Equivalent to: -

    -
    -
      -
    • - l1tf=flush,nosmt [X86] -
    • -
    • - mds=full,nosmt [X86] -
    • -
    • - tsx_async_abort=full,nosmt [X86] -
    • -
    -
    -
  • -
-
-
-
rcutree.jiffies_till_sched_qs = [KNL]
-
-

- This parameter sets the required age in jiffies for a given grace period before - Read-copy update (RCU) starts soliciting quiescent-state help from the rcu_note_context_switch() and cond_resched() functions. If not specified, the kernel - will calculate a value based on the most recent settings of the rcutree.jiffies_till_first_fqs and rcutree.jiffies_till_next_fqs kernel parameters. -

-

- This calculated value may be viewed in the rcutree.jiffies_to_sched_qs kernel parameter. Any attempt - to set rcutree.jiffies_to_sched_qs will be overwritten. -

-
-
tsc =
-
-

- This parameter disables clocksource stability checks for Time Stamp Counter (TSC). -

-

- Format: <string> -

-

- The options are: -

-
-
    -
  • - reliable [x86] - Marks the TSC clocksource as - reliable. This option disables the clocksource verification at runtime, as - well as the stability checks done at bootup. The option also enables the - high-resolution timer mode on older hardware, and in virtualized - environment. -
  • -
  • - noirqtime [x86] - Do not use TSC to do - Interrupt Request (IRQ) accounting. Used to run time disable IRQ_TIME_ACCOUNTING on any platforms where Read - Time-Stamp Counter (RDTSC) is slow and this accounting can add overhead. -
  • -
  • - unstable [x86] - Marks the TSC clocksource as - unstable. This option marks the TSC unconditionally unstable at bootup and - avoids any further wobbles once the TSC watchdog notices. -
  • -
  • - nowatchdog [x86] - Disables the clocksource - watchdog. The option is used in situations with strict latency requirements - where interruptions from the clocksource watchdog are not acceptable. -
  • -
-
-
-
-
-
-
-
-
-
-

5.2.3. New /proc/sys/kernel parameters

-
-
-
-
-
-
panic_print
-
-

- Bitmask for printing the system info when panic occurs. -

-

- The user can chose the combination of the following bits: -

-
-
    -
  • - bit 0: print all tasks info -
  • -
  • - bit 1: print system memory info -
  • -
  • - bit 2: print timer info -
  • -
  • - bit 3: print locks info if the CONFIG_LOCKDEP - kernel configuration item is on -
  • -
  • -

    - bit 4: print ftrace buffer -

    -

    - For example, to print tasks and memory info on panic, execute: -

    -
    # echo 3 > /proc/sys/kernel/panic_print
    -
  • -
-
-
-
-
-
-
-
-
-
-

5.2.4. Updated /proc/sys/kernel parameters

-
-
-
-
-
-
threads-max
-
-

- This parameter controls the maximum number of threads the fork() function can create. -

-

- During initialization, the kernel sets this value in such a way that even if the - maximum number of threads is created, the thread structures occupy only a part - (1/8th) of the available RAM pages. -

-

- The minimum value that can be written to threads-max is - 1. The maximum value is given by the constant FUTEX_TID_MASK (0x3fffffff). -

-

- If a value outside of this range is written to threads-max, an error EINVAL - occurs. -

-
-
-
-
-
-
-
-
-

5.2.5. Updated /proc/sys/net parameters

-
-
-
-
-
-
bpf_jit_enable
-
-

- This parameter enables the Berkeley Packet - Filter Just-in-Time (BPF JIT) compiler. -

-

- BPF is a flexible and efficient - infrastructure allowing to execute bytecode at various hook points. It is used in a - number of Linux kernel subsystems such as networking (for example XDP, tc), tracing (for - example kprobes, uprobes, - tracepoints) and security (for example seccomp). -

-

- LLVM has a BPF back-end that can compile - restricted C into a sequence of BPF instructions. After program - load through the bpf() system call and passing a - verifier in the kernel, JIT will - then translate these BPF - proglets into native CPU instructions. -

-

- There are two flavors of JIT, - the newer eBPF JIT is currently - supported on the following CPU architectures: -

-
-
    -
  • - x86_64 -
  • -
  • - arm64 -
  • -
  • - ppc64 (both little and big endians) -
  • -
  • - s390x -
  • -
-
-
-
-
-
-
-
-
-
-
-

5.3. Device Drivers

-
-
-
-

- This chapter provides a comprehensive listing of all device drivers that are new or have been - updated in Red Hat Enterprise Linux 8.2. -

-
-
-
-
-

5.3.1. New drivers

-
-
-
-
Network drivers
-
-
    -
  • - gVNIC Driver (gve.ko.xz) -
  • -
  • - Broadcom UniMAC MDIO bus controller (mdio-bcm-unimac.ko.xz) -
  • -
  • - Software iWARP Driver (siw.ko.xz) -
  • -
-
-
Graphics drivers and miscellaneous drivers
-
-
    -
  • - DRM VRAM memory-management helpers (drm_vram_helper.ko.xz) -
  • -
  • - cpuidle driver for haltpoll governor (cpuidle-haltpoll.ko.xz) -
  • -
  • - stm_ftrace driver (stm_ftrace.ko.xz) -
  • -
  • - stm_console driver (stm_console.ko.xz) -
  • -
  • - System Trace Module device class (stm_core.ko.xz) -
  • -
  • - dummy_stm device (dummy_stm.ko.xz) -
  • -
  • - stm_heartbeat driver (stm_heartbeat.ko.xz) -
  • -
  • - Intel® Trace Hub Global Trace Hub driver (intel_th_gth.ko.xz) -
  • -
  • - Intel® Trace Hub PTI/LPP output driver (intel_th_pti.ko.xz) -
  • -
  • - Intel® Trace Hub controller driver (intel_th.ko.xz) -
  • -
  • - Intel® Trace Hub Memory Storage Unit driver (intel_th_msu.ko.xz) -
  • -
  • - Intel® Trace Hub Software Trace Hub driver (intel_th_sth.ko.xz) -
  • -
  • - Intel® Trace Hub Memory Storage Unit software sink (intel_th_msu_sink.ko.xz) -
  • -
  • - Intel® Trace Hub PCI controller driver (intel_th_pci.ko.xz) -
  • -
  • - Intel® Trace Hub ACPI controller driver (intel_th_acpi.ko.xz) -
  • -
  • - MC Driver for Intel 10nm server processors (i10nm_edac.ko.xz) -
  • -
  • - Device DAX: direct access mapping device (dax_pmem_core.ko.xz) -
  • -
  • - PMEM DAX: direct access to persistent memory (dax_pmem.ko.xz) -
  • -
  • - PMEM DAX: support the deprecated /sys/class/dax interface (dax_pmem_compat.ko.xz) -
  • -
  • - Intel PMC Core platform init (intel_pmc_core_pltdrv.ko.xz) -
  • -
  • - Intel RAPL (Running Average Power Limit) control via MSR interface - (intel_rapl_msr.ko.xz) -
  • -
  • - Intel Runtime Average Power Limit (RAPL) common code (intel_rapl_common.ko.xz) -
  • -
-
-
Storage drivers
-
-
    -
  • - Clustering support for MD (md-cluster.ko.xz) -
  • -
-
-
-
-
-
-
-

5.3.2. Updated drivers

-
-
-
-
Network driver updates
-
-
    -
  • - VMware vmxnet3 virtual NIC driver (vmxnet3.ko.xz) has been updated to version - 1.4.17.0-k. -
  • -
  • - Intel® 10 Gigabit Virtual Function Network Driver (ixgbevf.ko.xz) has been updated to - version 4.1.0-k-rh8.2.0. -
  • -
  • - Intel® 10 Gigabit PCI Express Network Driver (ixgbe.ko.xz) has been updated to version - 5.1.0-k-rh8.2.0. -
  • -
  • - Intel® Ethernet Connection E800 Series Linux Driver (ice.ko.xz) has been updated to - version 0.8.1-k. -
  • -
  • - The Netronome Flow Processor (NFP) driver (nfp.ko.xz) has been updated to version - 4.18.0-185.el8.x86_64. -
  • -
  • - Elastic Network Adapter (ENA) (ena.ko.xz) has been updated to version 2.1.0K. -
  • -
-
-
Graphics and miscellaneous driver updates
-
-
    -
  • - HPE watchdog driver (hpwdt.ko.xz) has been updated to version 2.0.3. -
  • -
  • - Intel I/OAT DMA Linux driver (ioatdma.ko.xz) has been updated to version 5.00. -
  • -
-
-
Storage driver updates
-
-
    -
  • - Driver for HPE Smart Array Controller (hpsa.ko.xz) has been updated to version - 3.4.20-170-RH4. -
  • -
  • - LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas.ko.xz) has been updated to version - 32.100.00.00. -
  • -
  • - QLogic FCoE Driver (bnx2fc.ko.xz) has been updated to version 2.12.10. -
  • -
  • - Emulex LightPulse Fibre Channel SCSI driver (lpfc.ko.xz) has been updated to version - 0:12.6.0.2. -
  • -
  • - QLogic FastLinQ 4xxxx FCoE Module (qedf.ko.xz) has been updated to version 8.42.3.0. -
  • -
  • - QLogic Fibre Channel HBA Driver (qla2xxx.ko.xz) has been updated to version - 10.01.00.21.08.2-k. -
  • -
  • - Driver for Microsemi Smart Family Controller version (smartpqi.ko.xz) has been updated - to version 1.2.10-025. -
  • -
  • - QLogic FastLinQ 4xxxx iSCSI Module (qedi.ko.xz) has been updated to version 8.37.0.20. -
  • -
  • - Broadcom MegaRAID SAS Driver (megaraid_sas.ko.xz) has been updated to version - 07.710.50.00-rc1. -
  • -
-
-
-
-
-
-
-
-

5.4. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.2 that have a significant impact on - users. -

-
-
-
-
-

5.4.1. Installer and image creation

-
-
-
-
-

Using the version or inst.version kernel boot parameters no longer stops the - installation program

-

- Previously, booting the installation program from the kernel command line using the version or inst.version boot - parameters printed the version, for example anaconda 30.25.6, - and stopped the installation program. -

-
-

- With this update, the version and inst.version parameters are ignored when the installation program is - booted from the kernel command line, and as a result, the installation program is not stopped. -

-

- (BZ#1637472) -

-
-

Support secure boot for s390x in the installer

-

- Previously, RHEL 8.1 provided support for preparing boot disks for use in IBM Z environments - that enforced the use of secure boot. The capabilities of the server and hypervisor used - during installation determined if the resulting on-disk format contained secure boot - support. There was no way to influence the on-disk format during installation. Consequently, - if you installed RHEL 8.1 in an environment that supported secure boot, the system was - unable to boot when moved to an environment that lacked secure boot support, as is done in - some failover scenarios. -

-
-

- With this update, you can now configure the secure boot option of the zipl tool. To do so, you can use either: -

-
-
    -
  • - The Kickstart zipl command and one of its options, for - example: --secure-boot, --no-secure-boot, and --force-secure-boot. -
  • -
  • - From the Installation Summary window - in the GUI, you can select the System > - Installation Destination > Full disk summary and boot loader - link and set the boot device. As a result, the installation can now be booted in - environments that lack secure boot support. -
  • -
-
-

- (BZ#1659400) -

-
-

The secure boot feature is now available

-

- Previously, the default value for the secure= boot option was - not set to auto, and as a result, the - secure boot feature was not available. With this update, unless previously configured, the - default value is set to auto, and the - secure boot feature is now available. -

-
-

- (BZ#1750326) -

-
-

The /etc/sysconfig/kernel file no longer - references the new-kernel-pkg script

-

- Previously, the /etc/sysconfig/kernel file referenced the new-kernel-pkg script. However, the new-kernel-pkg script is not included in a RHEL 8 system. With - this update, the reference to the new-kernel-pkg script has - been removed from the /etc/sysconfig/kernel file. -

-
-

- (BZ#1747382) -

-
-

The installation does not set more than the maximum number of allowed - devices in the boot-device NVRAM variable

-

- Previously, the RHEL 8 installation program set more than the maximum number of allowed - devices in the boot-device NVRAM variable. As a result, the - installation failed on systems that had more than the maximum number of devices. With this - update, the RHEL 8 installation program now checks the maximum device setting and only adds - the permitted number of devices. -

-
-

- (BZ#1748756) -

-
-

Installations work for an image location that uses a URL command in a - Kickstart file located in a non-network location

-

- Previously, the installation failed early in the process when network activation triggered - by the image remote location was specified by a URL command in a Kickstart file located in a - non-network location. This update fixes the issue, and installations that provide the image - location by using a URL command in a Kickstart file that is located in a non-network - location, for example, a CD-ROM or local block device, now work as expected. -

-
-

- (BZ#1649359) -

-
-

The RHEL 8 installation program only checks ECKD DASD for unformatted - devices

-

- Previously, when checking for unformatted devices, the installation program checked all DASD - devices. However, the installation program should only have checked ECKD DASD devices. As a - consequence, the installation failed with a traceback when an FBA DASD device with SWAPGEN - was used. With this update, the installation program does not check FBA DASD devices, and - the installation completes successfully. -

-
-

- (BZ#1715303) -

-
-
-
-
-
-

5.4.2. Software management

-
-
-
-
-

yum repolist no longer ends on first - unavailable repository

-

- Previously, the repository configuration option skip_if_unavailable was by default set as follows: -

-
-
skip_if_unavailable=false
-

- This setting forced the yum repolist command to end on first - unavailable repository with an error and exit status 1. Consequently, yum repolist did not continue listing available repositories. -

-

- With this update, yum repolist has been fixed to no longer require - any downloads. As a result, yum repolist does not provide any - output requiring metadata, and the command now continues listing available repositories as - expected. -

-

- Note that the number of available packages is only returned by yum repolist --verbose or yum repoinfo - that still require available metadata. Therefore these commands will end on the first - unavailable repository. -

-

- (BZ#1697472) -

-
-
-
-
-
-

5.4.3. Shells and command-line tools

-
-
-
-
-

ReaR updates

-

- RHEL 8.2 introduces a number of updates to the Relax-and-Recover (ReaR) utility. -

-
-

- The build directory handling has been changed. Previously, the build directory was kept in a - temporary location in case ReaR encountered a failure. With this - update, the build directory is deleted by default in non-interactive runs to prevent consuming - disk space. -

-

- The semantics of the KEEP_BUILD_DIR configuration variable has been - enhanced to include a new errors value. You can set the KEEP_BUILD_DIR variable to the following values: -

-
-
    -
  • - errors to preserve the build directory on errors for - debugging (the previous behavior) -
  • -
  • - y (true) to always preserve - the build directory -
  • -
  • - n (false) to never preserve - the build directory -
  • -
-
-

- The default value is an empty string with the meaning of errors - when ReaR is being executed interactively (in a terminal) and false if ReaR is being executed - non-interactively. Note that KEEP_BUILD_DIR is automatically set to - true in debug mode (-d) and in - debugscript mode (-D); this behavior has not been changed. -

-

- Notable bug fixes include: -

-
-
    -
  • - Support for NetBackup 8.0 has been fixed. -
  • -
  • - ReaR no longer aborts with a bash error similar to xrealloc: cannot allocate on systems with a large number of - users, groups, and users per group. -
  • -
  • - The bconsole command now shows its prompt, which enables - you to perform a restore operation when using the Bacula integration. -
  • -
  • - ReaR now correctly backs up files also in situations when - the docker service is running but no docker root directory has been defined, or when it is - impossible to determine the status of the docker service. -
  • -
  • - Recovery no longer fails when using thin pools or recovering a system in Migration Mode. -
  • -
  • - Extremely slow rebuild of initramfs during the recovery - process with LVM has been fixed. -
  • -
  • - ReaR now creates a working bootable ISO image on the AMD - and Intel 64-bit architectures when using the UEFI bootloader. Booting a rescue image in - this setup no longer aborts in Grub with the error message Unknown command 'configfile' (…​) Entering rescue mode…​. - Support for GRUB_RESCUE in this setup, which previously could fail due to missing XFS - filesystem support, has also been fixed. -
  • -
-
-

- (BZ#1729501) -

-
-

mlocate-updatedb.timer is now enabled - during the mlocate package installation

-

- Previously, reindexing of the file database was not performed automatically, because the - mlocate-updatedb.timer timer was disabled after the mlocate package installation. With this update, the mlocate-updatedb.timer timer is now a part of the 90-default.preset file and is enabled by default after the mlocate package installation. As a result, the file database is - updated automatically. -

-
-

- (BZ#1817591) -

-
-
-
-
-
-

5.4.4. Infrastructure services

-
-
-
-
-

dnsmasq now correctly handles the - non-recursive DNS queries

-

- Previously, dnsmasq forwarded all the non-recursive queries to - an upstream server, which led to different responses. With this update, the non-recursive - queries to local known names, such as DHCP host lease names or hosts read from the /etc/hosts file, are handled by dnsmasq and are not forwarded to an upstream server. As a result, - the same response as to recursive queries to known names is returned. -

-
-

- (BZ#1700916) -

-
-

dhclient no longer fails to renew the IP - address after system time changes

-

- Previously, if the system time changed, the system could lose the IP address assigned due to - the removal by the kernel. With this update, dhclient uses - monotonic timer to detect backward time jumps and issues the DHCPREQUEST message for lease extension in case of discontinuous - jump in the system time. As a result, the system no longer loses the IP address in the - described scenario. -

-
-

- (BZ#1729211) -

-
-

ipcalc now returns the correct broadcast - address for the /31 networks

-

- This update fixes the ipcalc utility to follow the RFC 3021 - standard properly. As a result, ipcalc returns the correct - broadcast address when the /31 prefix is used on an interface. -

-
-

- (BZ#1638834) -

-
-

/etc/services now contains proper NRPE - port definition

-

- This update adds the proper Nagios Remote Plug-in Executor (NRPE) service port definition to - the /etc/services file. -

-
-

- (BZ#1730396) -

-
-

The postfix DNS resolver code now uses - res_search instead of res_query

-

- Following its previous update in postfix, the DNS resolver code - used the res_query function instead of the res_search function. As a consequence, the DNS resolver did not - search host names in the current and parent domains with the following postfix configuration: -

-
-
# postconf -e "smtp_host_lookup = dns"
-# postconf -e "smtp_dns_resolver_options = res_defnames, res_dnsrch"
-

- For example, for: -

-
# postconf -e "relayhost = [smtp]"
-

- and the domain name in the example.com format, the DNS - resolver did not use the smtp.example.com SMTP server for - relaying. -

-

- With this update, the DNS resolver code has been changed to use res_search instead of res_query, and it - now searches the host names in the current and parent domains correctly. -

-

- (BZ#1723950) -

-
-

PCRE, CDB, and SQLite can now be used with Postfix

-

- In RHEL 8, the postfix package has been split into multiple - subpackages, each subpackage providing a plug-in for a specific database. Previously, RPM - packages containing the postfix-pcre, postfix-cdb, and postfix-sqlite - plug-ins were not distributed. Consequently, databases with these plug-ins could not be used - with Postfix. This update adds RPM packages containing the PCRE, CDB, and SQLite plug-ins to - the AppStream repository. As a result, these plug-ins can be used after the appropriate RPM - package is installed. -

-
-

- (BZ#1745321) -

-
-
-
-
-
-

5.4.5. Security

-
-
-
-
-

fapolicyd no longer prevents RHEL - updates

-

- When an update replaces the binary of a running application, the kernel modifies the - application binary path in memory by appending the " (deleted)" suffix. Previously, the - fapolicyd file access policy daemon treated such applications - as untrusted, and prevented them from opening and executing any other files. As a - consequence, the system was sometimes unable to boot after applying updates. -

-
-

- With the release of the RHBA-2020:5243 advisory, fapolicyd ignores the suffix in the binary path so the binary can - match the trust database. As a result, fapolicyd enforces the rules - correctly and the update process can finish. -

-

- (BZ#1897091) -

-
-

openssl-pkcs11 no longer locks devices by - attempting to log in to multiple devices

-

- Previously, the openssl-pkcs11 engine attempted to log in to - the first result of a search using the provided PKCS #11 URI and used the provided PIN even - if the first result was not the intended device and the PIN matched another device. These - failed authentication attempts locked the device. -

-
-

- openssl-pkcs11 now attempts to log in to a device only if the - provided PKCS #11 URI matches only a single device. The engine now intentionally fails in case - the PKCS #11 search finds more than one device. For this reason, you must provide a PKCS #11 URI - that matches only a single device when using openssl-pkcs11 to log - in to the device. -

-

- (BZ#1705505) -

-
-

OpenSCAP offline - scans using rpmverifyfile now work properly

-

- Prior to this update, the OpenSCAP - scanner did not correctly change the current working directory in offline mode, and the - fchdir function was not called with the correct arguments in - the OpenSCAP rpmverifyfile probe. The OpenSCAP scanner has been fixed to - correctly change the current working directory in offline mode, and the fchdir function has been fixed to use correct arguments in rpmverifyfile. As a result, SCAP content that contains OVAL rpmverifyfile can be used by OpenSCAP to scan arbitrary file - systems. -

-
-

- (BZ#1636431) -

-
-

httpd now starts correctly if using an - ECDSA private key without matching public key stored in a PKCS #11 device

-

- Unlike RSA keys, ECDSA private keys do not necessarily contain public-key information. In - this case, you cannot obtain the public key from an ECDSA private key. For this reason, a - PKCS #11 device stores public-key information in a separate object whether it is a - public-key object or a certificate object. OpenSSL expected the EVP_PKEY structure provided by an engine for a private key to - contain the public-key information. When filling the EVP_PKEY - structure to be provided to OpenSSL, the engine in the openssl-pkcs11 package tried to fetch the public-key information - only from matching public-key objects and ignored the present certificate objects. -

-
-

- When OpenSSL requested an ECDSA private key from the engine, the provided EVP_PKEY structure did not contain the public-key information if the - public key was not present in the PKCS #11 device, even when a matching certificate that - contained the public key was available. As a consequence, since the Apache httpd web server called the X509_check_private_key() function, which requires the public key, in - its start-up process, httpd failed to start in this scenario. This - problem has been solved by loading the EC public key from the certificate if the public-key - object is not available. As a result, httpd now starts correctly - when ECDSA keys are stored in a PKCS #11 device. -

-

- (BZ#1664807) -

-
-

scap-security-guide PCI-DSS remediations - of Audit rules now work properly

-

- Previously, the scap-security-guide package contained a - combination of remediation and a check that could result in one of the following scenarios: -

-
-
-
    -
  • - incorrect remediation of Audit rules -
  • -
  • - scan evaluation containing false positives where passed rules were marked as failed -
  • -
-
-

- Consequently, during the RHEL installation process, scanning of the installed system reported - some Audit rules as either failed or errored. -

-

- With this update, the remediations have been fixed, and scanning of the system installed with - the PCI-DSS security policy no longer reports false positives for Audit rules. -

-

- (BZ#1754919) -

-
-

OpenSCAP now - provides offline scanning of virtual machines and containers

-

- Previously, refactoring of the OpenSCAP - codebase caused certain RPM probes to fail to scan VM and containers file systems in offline - mode. Consequently, the following tools could not be included in the openscap-utils package: oscap-vm and - oscap-chroot. Furthermore, the openscap-containers package was completely removed from RHEL 8. - With this update, the problems in the probes have been fixed. -

-
-

- As a result, RHEL 8 now contains the oscap-podman, oscap-vm, and oscap-chroot tools in the - openscap-utils package. -

-

- (BZ#1618489) -

-
-

OpenSCAP rpmverifypackage now works correctly

-

- Previously, the chdir and chroot - system calls were called twice by the rpmverifypackage probe. - Consequently, an error occurred when the probe was utilized during an OpenSCAP scan with custom Open - Vulnerability and Assessment Language (OVAL) content. The rpmverifypackage probe has been fixed to properly utilize the - chdir and chroot system calls. As - a result, rpmverifypackage now works correctly. -

-
-

- (BZ#1646197) -

-
-
-
-
-
-

5.4.6. Networking

-
-
-
-
-

Locking in the qdisc_run function now does - not cause kernel crash

-

- Previously, a race condition when the pfifo_fast queue - discipline resets while dequeuing traffic was leading to packet transmission after they were - freed. As a consequence, sometimes kernel was getting terminated unexpectedly. With this - update, locking in the qdisc_run function has been improved. As - a result, kernel no longer crashes in the described scenario. -

-
-

- (BZ#1744397) -

-
-

The DBus APIs in org.fedoraproject.FirewallD1.config.service work as - expected

-

- Previously, the DBus API getIncludes, setIncludes, and queryIncludes - functions in org.fedoraproject.FirewallD1 returned an error - message: org.fedoraproject.FirewallD1.Exception: list index out of range - due to bad indexing. With this update, the DBus API getIncludes, setIncludes, and queryIncludes functions work as expected. -

-
-

- (BZ#1737045) -

-
-

RHEL no longer logs a kernel warning when unloading the ipvs module

-

- Previously, the IP virtual server (ipvs) module used an - incorrect reference counting, which caused a race condition when unloading the module. - Consequently, RHEL logged a kernel warning. This update fixes the race condition. As a - result, the kernel no longer logs the warning when you unload the ipvs module. -

-
-

- (BZ#1687094) -

-
-

The nft utility no longer interprets - arguments as command-line options after the first non-option argument

-

- Previously, the nft utility accepted options anywhere in an - nft command. For example, admins could use options between or - after non-option arguments. As a consequence, due to the leading dash, nft interpreted negative priority values as options, and the - command failed. The nft utility’s command-line parser has been - updated to not interpret arguments that are starting with a dash after the first non-option - argument has been read. As a result, admins no longer require workarounds to pass negative - priority values to nft. -

-
-

- Note that due to this change, you must now pass all command-options to nft before the first non-option argument. Before you update, verify - your nftables scripts to match this new criteria to ensure that the script works as expected - after you installed this update. -

-

- (BZ#1778883) -

-
-

The /etc/hosts.allow and /etc/hosts.deny files no longer contain outdated references - to removed tcp_wrappers

-

- Previously, the /etc/hosts.allow and /etc/hosts.deny files contained outdated information about the - tcp_wrappers package. The files are removed in RHEL 8 as they - are no longer needed for tcp_wrappers which is removed. -

-
-

- (BZ#1663556) -

-
-

A configuration parameter has been added to firewalld to disable zone drifting

-

- Previously, the firewalld service contained an undocumented - behavior known as "zone drifting". RHEL 8.0 removed this behavior because it could have a - negative security impact. As a consequence, on hosts that used this behavior to configure a - catch-all or fallback zone, firewalld denied connections that - were previously allowed. This update re-adds the zone drifting behavior, but as a - configurable feature. As a result, users can now decide to use zone drifting or disable the - behavior for a more secure firewall setup. -

-
-

- By default, in RHEL 8.2, the new AllowZoneDrifting parameter in the - /etc/firewalld/firewalld.conf file is set to yes. Note that, if the parameter is enabled, firewalld logs: -

-
WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
-

- (BZ#1772208) -

-
-
-
-
-
-

5.4.7. Kernel

-
-
-
-
-

Subsection memory hotplug is now fully supported

-

- Previously, some platforms aligned physical memory regions such as Dual In-Line Modules - (DIMMs) and interleave sets to 64MiB memory boundary. However, as the Linux hotplug - subsystem uses a memory size of 128MiB, hot-plugging new devices caused multiple memory - regions to overlap in a single hotplug memory window. Consequently, this caused failure in - listing the available persistent memory namespaces with the following or a similar call - trace: -

-
-
WARNING: CPU: 38 PID: 928 at arch/x86/mm/init_64.c:850
-add_pages+0x5c/0x60
-    [..]
-    RIP: 0010:add_pages+0x5c/0x60
-    [..]
-    Call Trace:
-     devm_memremap_pages+0x460/0x6e0
-     pmem_attach_disk+0x29e/0x680 [nd_pmem]
-     ? nd_dax_probe+0xfc/0x120 [libnvdimm]
-     nvdimm_bus_probe+0x66/0x160 [libnvdimm]
-

- This update fixes the problem and supports Linux hotplug subsystem to enable multiple memory - regions to share a single hotplug memory window. -

-

- (BZ#1724969) -

-
-

Data corruption now triggers a BUG instead of a WARN message -

-

- With this enhancement, the list corruptions at lib/list_debug.c - now triggers a BUG, which generates a report with a vmcore. - Previously, when encountering a data corruption, a simple WARN was generated, which was - likely to go unnoticed. With set CONFIG_BUG_ON_DATA_CORRUPTION, - the kernel now creates a crash and triggers a BUG in response to data corruption. This - prevents further damage and reduces the security risk. The kdump now generates a vmcore, which - improves the data corruption bug reporting. -

-
-

- (BZ#1714330) -

-
-

Support for Intel Carlsville card is - available but not verified in RHEL 8.2

-

- The Intel Carlsville card support is available but not tested - on Red Hat Enterprise Linux 8.2. -

-
-

- (BZ#1720227) -

-
-

RPS and XPS no longer place jobs on isolated CPUs

-

- Previously, the Receive Packet Steering (RPS) software-queue mechanism and the Transmit - Packet Steering (XPS) transmit queue selection mechanism allocated jobs on all CPU sets, - including isolated CPUs. Consequently, this could cause an unexpected latency spike in a - real-time environment when a latency-sensitive workload was using the same CPU where RPS or - XPS jobs were running. With this update, the store_rps_map() - function does not include any isolated CPUs for the purpose of RPS configuration. Similarly, - the kernel drivers used for XPS configuration are respecting CPU isolation. As a result, RPS - and XPS no longer place jobs on isolated CPUs in the described scenario. If you configure an - isolated CPU in the /sys/devices/pci*/net/dev/queues/rx-*/rps_cpus file, the - following error appears: -

-
-
Error: "-bash: echo:write error: Invalid argument"
-

- However, manually configuring an isolated CPU in the /sys/devices/pci*/net/dev/queues/tx-*/xps_cpus file successfully - allocates XPS jobs on the isolated CPU. -

-

- Note that a networking workload in an environment with isolated CPUs is likely to experience - some performance variation. -

-

- (BZ#1867174) -

-
-
-
-
-
-

5.4.8. File systems and storage

-
-
-
-
-

SCSI drivers no longer use an excessive amount of memory

-

- Previously, certain SCSI drivers used a larger amount of memory than in RHEL 7. In certain - cases, such as vPort creation on a Fibre Channel host bus adapter (HBA), the memory usage - was excessive, depending upon the system configuration. -

-
-

- The increased memory usage was caused by memory preallocation in the block layer. Both the - multiqueue block device scheduling (BLK-MQ) and the multiqueue SCSI stack (SCSI-MQ) preallocated - memory for each I/O request, leading to the increased memory usage. -

-

- With this update, the block layer limits the amount of memory preallocation, and as a result, - the SCSI drivers no longer use an excessive amount of memory. -

-

- (BZ#1698297) -

-
-

VDO can now suspend before UDS has finished rebuilding

-

- Previously, the dmsetup suspend command became unresponsive if - you attempted to suspend a VDO volume while the UDS index was rebuilding. The command - finished only after the rebuild. -

-
-

- With this update, the problem has been fixed. The dmsetup suspend - command can finish before the UDS rebuild is done without becoming unresponsive. -

-

- (BZ#1737639) -

-
-
-
-
-
-

5.4.9. Dynamic programming languages, web and database servers

-
-
-
-
-

Problems in mod_cgid logging have been - fixed

-

- Prior to this update, if the mod_cgid Apache httpd module was used under a threaded multi-processing module - (MPM), the following logging problems occurred: -

-
-
-
    -
  • - The stderr output of the CGI script was not prefixed with - standard timestamp information. -
  • -
  • - The stderr output of the CGI script was not correctly - redirected to a log file specific to the VirtualHost, if - configured. -
  • -
-
-

- This update fixes the problems, and mod_cgid logging now works as - expected. -

-

- (BZ#1633224) -

-
-
-
-
-
-

5.4.10. Compilers and development tools

-
-
-
-
-

Unrelocated and uninitialized shared objects no longer result in - failures if dlopen fails

-

- Previously, if the dlopen call failed, the glibc dynamic linker did not remove shared objects with the NODELETE mark before reporting the error. Consequently, the - unrelocated and uninitialized shared objects remained in the process image, eventually - resulting in assertion failures or crashes. With this update, the dynamic loader uses a - pending NODELETE state to remove shared objects upon dlopen failure, before marking them as NODELETE permanently. As a result, the process does not leave any - unrelocated objects behind. Also, lazy binding failures while ELF constructors and - destructors run now terminate the process. -

-
-

- (BZ#1410154) -

-
-

Advanced SIMD functions on the 64-bit ARM architecture no longer - miscompile when lazily resolved

-

- Previously, the new vector Procedure Call Standard (PCS) for Advanced SIMD did not properly - save and restore certain callee-saved registers when lazily resolving Advanced SIMD - functions. As a consequence, binaries could misbehave at runtime. With this update, the - Advanced SIMD and SVE vector functions in the symbol table are marked with .variant_pcs and, as a result, the dynamic linker will bind such - functions early. -

-
-

- (BZ#1726641) -

-
-

The sudo wrapper script now parses - options

-

- Previously, the /opt/redhat/devtoolset*/root/usr/bin/sudo - wrapper script did not correctly parse sudo options. As a - consequence, some sudo options (for example, sudo -i) could not be executed. With this update, more sudo options are correctly parsed and, as a result, the sudo wrapper script works more like /usr/bin/sudo. -

-
-

- (BZ#1774118) -

-
-

Alignment of TLS variables in glibc has - been fixed

-

- Previously, aligned thread-local storage (TLS) data could, under certain conditions, become - instantiated without the expected alignment. With this update, the POSIX Thread Library - libpthread has been enhanced to ensure correct alignment under - any conditions. As a result, aligned TLS data is now correctly instantiated for all threads - with the correct alignment. -

-
-

- (BZ#1764214) -

-
-

Repeated pututxline calls following EINTR or EAGAIN error no longer - corrupt the utmp file

-

- When the pututxline function tries to acquire a lock and does - not succeed in time, the function returns with EINTR or EAGAIN error code. Previously in this situation, if pututxline was called immediately again and managed to obtain the - lock, it did not use an already-allocated matching slot in the utmp file, but added another entry instead. As a consequence, - these unused entries increased the size of the utmp file - substantially. This update fixes the issue, and the entries are added to the utmp file correctly now. -

-
-

- (BZ#1749439) -

-
-

mtrace no longer hangs when internal - failures occur

-

- Previously, a defect in the mtrace tool implementation could - cause memory tracing to hang. To fix this issue, the mtrace - memory tracing implementation has been made more robust to avoid the hang even in the face - of internal failures. As a result, users can now call mtrace - and it no longer hangs, completing in bounded time. -

-
-

- (BZ#1764235) -

-
-

The fork function avoids certain deadlocks - related to use of pthread_atfork

-

- Previously, if a program registered an atfork handler and - invoked fork from an asynchronous-signal handler, a defect in - the internal implementation-dependent lock could cause the program to freeze. With this - update, the implementation of fork and its atfork handlers is adjusted to avoid the deadlock in - single-threaded programs. -

-
-

- (BZ#1746928) -

-
-

strstr no longer returns incorrect matches - for a truncated pattern

-

- On certain IBM Z platforms (z15, previously known as arch13), the strstr function did not correctly update a CPU register when - handling search patterns that cross a page boundary. As a consequence, strstr returned incorrect matches. This update fixes the problem, - and as a result, strstr works as expected in the mentioned - scenario. -

-
-

- (BZ#1777241) -

-
-

C.UTF-8 locale source ellipsis expressions in glibc are fixed

-

- Previously, a defect in the C.UTF-8 source locale resulted in all Unicode code points above - U+10000 lacking collation weights. As a consequence, all code points above U+10000 did not - collate as expected. The C.UTF-8 source locale has been corrected, and the newly compiled - binary locale now has collation weights for all Unicode code points. The compiled C.UTF-8 - locale is 5.3MiB larger as a result of this fix. -

-
-

- (BZ#1361965) -

-
-

glibc no longer fails when getpwent() is called without calling setpwent()

-

- If your /etc/nsswitch.conf file pointed to the Berkeley DB - (db) password provider, you could request data using the getpwent() function without first calling setpwent() only once. When you called the endpwent() function, further calls to getpwent() without first calling setpwent() caused glibc to fail - because endpwent() could not reset the internals to allow a new - query. This update fixes the problem. As a result, after you end one query with endpwent(), further calls to getpwent() will start a new query even if you do not call setpwent(). -

-
-

- (BZ#1747502) -

-
-

ltrace can now trace system calls in - hardened binaries

-

- Previously, ltrace did not produce any results on certain - hardened binaries, such as system binaries, on the AMD and Intel 64-bit architectures. With - this update, ltrace can now trace system calls in hardened - binaries. -

-
-

- (BZ#1655368) -

-
-

Intel’s JCC flaw no longer causes significant performance loss in the - GCC compiler

-

- Certain Intel CPUs are affected by the Jump Conditional Code (JCC) bug causing machine - instructions to be executed incorrectly. Consequently, the affected CPUs might not execute - programs properly. The full fix involves updating the microcode of vulnerable CPUs, which - can cause a performance degradation. This update enables a workaround in the assembler that - helps to reduce the performance loss. The workaround is not enabled by default. -

-
-

- To apply the workaround, recompile a program using GCC with the -Wa,-mbranches-within-32B-boundaries command-line option. A program - recompiled with this command-line option will not be affected by the JCC flaw, but the microcode - update is still necessary to fully protect a system. -

-

- Note that applying the workaround will increase the size of the program and can still cause a - slight performance decrease, although it should be less than it would have been without the - recompilation. -

-

- (BZ#1777002) -

-
-

make no longer slows down when using - parallel builds

-

- Previously, while running parallel builds, make sub-processes - could become temporarily unresponsive when waiting for their turn to run. As a consequence, - builds with high -j values slowed down or ran at lower - effective -j values. With this update, the job control logic of - make is now non-blocking. As a result, builds with high -j values run at full -j speed. -

-
-

- (BZ#1774790) -

-
-

The ltrace tool now reports function calls - correctly

-

- Because of improvements to binary hardening applied to all RHEL components, the ltrace tool previously could not detect function calls in binary - files coming from RHEL components. As a consequence, ltrace - output was empty because it did not report any detected calls when used on such binary - files. This update fixes the way ltrace handles function calls, - which prevents the described problem from occurring. -

-
-

- (BZ#1618748) -

-
-
-
-
-
-

5.4.11. Identity Management

-
-
-
-
-

The dsctl utility no longer fails to - manage instances with a hyphen in their name

-

- Previously, the dsctl utility did not correctly parse hyphens - in the Directory Server instance names. As a consequence, administrators could not use dsctl to manage instances with a hyphen in their name. This - update fixes the problem, and dsctl now works as expected in - the mentioned scenario. -

-
-

- (BZ#1715406) -

-
-

Directory Server instance names can now have up to 103 - characters

-

- When an LDAP client establishes a connection to Directory Server, the server stores - information related to the client address in a local buffer. Previously, the size of this - buffer was too small to store an LDAPI path name longer than 46 characters. For example, - this is the case if name of the Directory Server instance is too long. As a consequence, the - server terminated unexpectedly due to an buffer overflow. This update increases the buffer - size to the maximum size the Netscape Portable Runtime (NSPR) library supports for the path - name. As a result, Directory Server no longer crashes in the mentioned scenario. -

-
-

- Note that due to the limitation in the NSPR library, an instance name can be maximum 103 - characters. -

-

- (BZ#1748016) -

-
-

The pkidestroy utility now picks the - correct instance

-

- Previously, the pkidestroy --force command executed on a - half-removed instance picked the pki-tomcat instance by - default, regardless of the instance name specified with the -i instance option. -

-
-

- As a consequence, this removed the pki-tomcat instance instead of - the intended instance, and the --remove-logs option did not remove - the intended instance’s logs. pkidestroy now applies the right - instance name, removing only the intended instance’s leftovers. -

-

- (BZ#1698084) -

-
-

The ldap_user_authorized_service - description has been updated in the sssd-ldap man - page

-

- The Pluggable authentication modules (PAM) stack has been changed in RHEL 8. For example, - the systemd user session now starts a PAM conversation using - the systemd-user PAM service. This service now recursively - includes the system-auth PAM service, which may include the - pam_sss.so interface. This means that the SSSD access control - is always called. -

-
-

- You should be aware of this change when designing access control rules for RHEL 8 systems. For - example, you can add the systemd-user service to the allowed - services list. -

-

- Please note for some access control mechanisms, such as IPA HBAC or AD GPOs, the systemd-user service has been added to the allowed services list by - default and you do not need to take any action. -

-

- The sssd-ldap man page has been updated to include this - information. -

-

- (BZ#1669407) -

-
-

Information about required DNS records is now displayed when enabling - support for AD trust in IdM

-

- Previously, when enabling support for Active Directory (AD) trust in Red Hat Enterprise - Linux Identity Management (IdM) installation with external DNS management, no information - about required DNS records was displayed. Entering the ipa dns-update-system-records --dry-run command manually was - necesary to obtain a list of all DNS records required by IdM. -

-
-

- With this update, the ipa-adtrust-install command correctly lists - the DNS service records for manual addition to the DNS zone. -

-

- (BZ#1665051) -

-
-

Recursive DNS queries are now disabled by default in IdM servers with - integrated DNS

-

- Previously, recursive queries were enabled by default when using an Identity Management - (IdM) server with integrated DNS. As a consequence, it was possible to use the server for a - DNS Amplification Attack. With this update, recursive DNS queries are now disabled by - default, and it is no longer possible to use the server for a DNS Amplification Attack. -

-
-

- You can manually allow recursive queries for specific clients by modifying the integrated DNS - configuration on the IdM server. For example, to allow anyone to query the server for - authoritative data, but only allow trusted clients to access your cache and recursion, list the - clients in a trusted access control list (ACL): -

-
-
    -
  1. -

    - Create a trusted ACL in the /etc/named/ipa-ext.conf file: -

    -
    acl "trusted" {
    -     192.168.0.0/16;
    -     10.153.154.0/24;
    -     localhost;
    -     localnets;
    - };
    -
  2. -
  3. -

    - Add the trusted ACL to the /etc/named/ipa-options-ext.conf file: -

    -
         allow-query { any; };
    -     allow-recursion { trusted; };
    -     allow-query-cache { trusted; };
    -
  4. -
-
-

- (BZ#2151696) -

-
-
-
-
-
-

5.4.12. Desktop

-
-
-
-
-

GNOME Shell on Wayland no longer performs slowly when using a software - renderer

-

- Previously, the Wayland back end of GNOME Shell did not use a cacheable framebuffer when - using a software renderer. As a consequence, software-rendered GNOME Shell on Wayland was - slow compared to software-rendered GNOME Shell on the X.org back end. -

-
-

- With this update, an intermediate shadow framebuffer has been added in GNOME Shell on Wayland. - As a result, software-rendered GNOME Shell on Wayland now performs as well as GNOME Shell on - X.org. -

-

- (BZ#1737553) -

-
-
-
-
-
-

5.4.13. Virtualization

-
-
-
-
-

Starting a VM on a 10th generation Intel Core processor no longer - fails

-

- Previously, starting a virtual machine (VM) failed on a host model that used a 10th - generation Intel Core processor, also known as Icelake-Server. With this update, libvirt no longer attempts to disable the pconfig CPU feature which is not supported by QEMU. As a result, - starting a VM on a host model running a 10th generation Intel processor no longer fails. -

-
-

- (BZ#1749672) -

-
-

Using cloud-init to provision virtual - machines on Microsoft Azure now works correctly

-

- Previously, it was not possible to use the cloud-init utility - to provision a RHEL 8 virtual machine (VM) on the Microsoft Azure platform. This update - fixes the cloud-init handling of the Azure endpoints, and - provisioning RHEL 8 VMs on Azure now proceeds as expected. -

-
-

- (BZ#1641190) -

-
-

RHEL 8 virtual machines on RHEL 7 hosts can be reliably viewed in - higher resolution than 1920x1200

-

- Previously, when using a RHEL 8 virtual machine (VM) running on a RHEL 7 host system, - certain methods of displaying the the graphical output of the VM, such as running the - application in kiosk mode, could not use greater resolution than 1920x1200. As a - consequence, displaying VMs using those methods only worked in resolutions up to 1920x1200 - even if the host hardware supported higher resolutions. This update adjusts DRM and QXL - drivers in a way to prevent the described problem from occurring. -

-
-

- (BZ#1635295) -

-
-

Customizing an ESXi VM using cloud-init - and rebooting the VM now works correctly

-

- Previously, if the cloud-init service was used to modify a - virtual machine (VM) running on the VMware ESXi hypervisor to use static IP and the VM was - then cloned, the new cloned VM in some cases took a very long time to reboot. This update - modifies cloud-init not to rewrite the VM’s static IP to DHCP, - which prevents the described problem from occurring. -

-
-

- (BZ#1666961, BZ#1706482) -

-
-
-
-
-
-

5.4.14. Containers

-
-
-
-
-

Pulling images from the quay.io registry no longer leads to unintended - images

-

- Previously, having the quay.io container image registry listed in the default registries - search list provided in /etc/containers/registries.conf could - allow a user to pull a spoofed image when using a short name. To fix this issue, the quay.io - container image registry has been removed from the default registries search list in /etc/containers/registries.conf. As a result, pulling images from - the quay.io registry now requires users to specify the full - repository name, such as quay.io/myorg/myimage. The quay.io - registry can be added back to the default registries search list in /etc/containers/registries.conf to reenable pulling container - images using short names, however, this is not recommended as it could create a security - risk. -

-
-

- (BZ#1784267) -

-
-
-
-
-
-
-

5.5. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.2. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features - Support Scope. -

-
-
-
-
-

5.5.1. Networking

-
-
-
-
-

nmstate available as a Technology - Preview

-

- Nmstate is a network API for hosts. The nmstate packages, - available as a Technology Preview, provide a library and the nmstatectl command-line utility to manage host network settings - in a declarative manner. The networking state is described by a pre-defined schema. - Reporting of the current state and changes to the desired state both conform to the schema. -

-
-

- For further details, see the /usr/share/doc/nmstate/README.md file - and the examples in the /usr/share/doc/nmstate/examples directory. -

-

- (BZ#1674456) -

-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet - processing. It accompanies XDP and grants efficient redirection - of programmatically selected packets to user space applications for further processing. -

-
-

- (BZ#1633143) -

-
-

XDP available as a - Technology Preview

-

- The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a - means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet - processing at an early point in the kernel ingress data path, allowing efficient - programmable packet analysis, filtering, and manipulation. -

-
-

- (BZ#1503672) -

-
-

KTLS available as a Technology Preview

-

- In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a - Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption - algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for - offloading TLS record encryption to Network Interface Controllers (NICs) that support this - functionality. -

-
-

- (BZ#1570255) -

-
-

The dracut utility now supports creating - initrd images with NetworkManager support as a technology - preview

-

- By default, the dracut utility uses a shell script to manage - networking in the initial RAM disk (initrd). In certain cases, - this could cause problems when the system switches from the RAM disk to the operating system - that uses NetworkManager to configure the network. For example, NetworkManager could send - another DHCP request, even if the script in the RAM disk already requested an IP address. - This request from the RAM disk could result in a time out. -

-
-

- To solve these kind of problems, dracut in RHEL 8.2 can now use - NetworkManager in the RAM disk. Use the following commands to enable the feature and recreate - the RAM disk images: -

-
echo 'add_dracutmodules+=" network-manager "' > /etc/dracut.conf.d/enable-nm.conf
-dracut -vf --regenerate-all
-

- Note that Red Hat does not support technology preview features. However, to provide feedback - about this feature, please contact the Red Hat support. -

-

- (BZ#1626348) -

-
-

The mlx5_core driver supports Mellanox - ConnectX-6 Dx network adapter as a Technology Preview

-

- This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the - mlx5_core driver automatically. Note that Red Hat provides this - feature as an unsupported Technology Preview. -

-
-

- (BZ#1687434) -

-
-

The systemd-resolved service is now - available as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, an - Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- (BZ#1906489) -

-
-
-
-
-
-

5.5.2. Kernel

-
-
-
-
-

kexec fast reboot as a Technology - Preview

-

- The kexec fast reboot feature, continues to be available as a - Technology Preview. Rebooting is now significantly faster thanks to kexec fast reboot. To use this feature, load the kexec kernel - manually, and then reboot the operating system. -

-
-

- (BZ#1769727) -

-
-

eBPF available as a - Technology Preview

-

- Extended Berkeley Packet Filter (eBPF) - is an in-kernel virtual machine that allows code execution in the kernel space, in the - restricted sandbox environment with access to a limited set of functions. -

-
-

- The virtual machine includes a new system call bpf(), which - supports creating various types of maps, and also allows to load programs in a special - assembly-like code. The code is then loaded to the kernel and translated to the native machine - code with just-in-time compilation. Note that the bpf() syscall can - be successfully used only by a user with the CAP_SYS_ADMIN - capability, such as the root user. See the bpf(2) man page for more - information. -

-

- The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet - reception) to receive and process data. -

-

- There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a - different development phase, and thus not all components are currently fully supported. All - components are available as a Technology Preview, unless a specific component is indicated as - supported. -

-

- The following notable eBPF components are - currently available as a Technology Preview: -

-
-
    -
  • - bpftrace, a high-level tracing language that utilizes the - eBPF virtual machine. -
  • -
  • - The eXpress Data Path (XDP) feature, a networking technology that enables fast packet - processing in the kernel using the eBPF virtual machine. -
  • -
-
-

- (BZ#1559616) -

-
-

libbpf is available as a Technology Preview

-

- The libbpf package is currently available as a Technology - Preview. The libbpf package is crucial for bpf related - applications like bpftrace and bpf/xdp development. -

-
-

- It is a mirror of bpf-next linux tree bpf-next/tools/lib/bpf - directory plus its supporting header files. The version of the package reflects the version of - the Application Binary Interface (ABI). -

-

- (BZ#1759154) -

-
-

The igc driver available as a Technology - Preview for RHEL 8

-

- The igc Intel 2.5G Ethernet Linux wired LAN driver is now - available on all architectures for RHEL 8 as a Technology Preview. The ethtool utility also supports igc - wired LANs. -

-
-

- (BZ#1495358) -

-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol - which implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which - supports two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in - RHEL 8. -

-
-

- (BZ#1605216) -

-
-
-
-
-
-

5.5.3. File systems and storage

-
-
-
-
-

NVMe/TCP is available as a Technology Preview

-

- Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks - (NVMe/TCP) and its corresponding nvme-tcp.ko and nvmet-tcp.ko kernel modules have been added as a Technology - Preview. -

-
-

- The use of NVMe/TCP as either a storage client or a target is manageable with tools provided by - the nvme-cli and nvmetcli packages. -

-

- The NVMe/TCP target Technology Preview is included only for testing purposes and is not - currently planned for full support. -

-

- (BZ#1696451) -

-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8.2, file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address - space. To use DAX, a system must have some form of persistent memory available, usually in - the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file - system that supports DAX must be created on the NVDIMM(s). Also, the file system must be - mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct - mapping of storage into the application’s address space. -

-
-

- (BZ#1627455) -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top - of another. Changes are recorded in the upper file system, while the lower file system - remains unmodified. This allows multiple users to share a file-system image, such as a - container or a DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs - warnings when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other - specialized use cases, such as squashed kdump initramfs. - Its use is supported primarily for container COW content, not for persistent storage. - You must place any persistent storage on non-OverlayFS volumes. You can use only the - default container engine configuration: one level of overlay, one lowerdir, and both - lower and upper levels are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might - change in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped - with MAP_SHARED are inconsistent with - subsequent modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on - RHEL 8, but you can enable full POSIX compliance for them with a module - option or mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and - index=on options to improve POSIX - compliance. These two options make the format of the upper layer - incompatible with an overlay without these options. That is, you might - get unexpected results or errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, - use the following command and see if the ftype=1 option - is enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see - Non-standard behavior in the Linux - kernel documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- (BZ#1690207) -

-
-

Stratis is now available as a Technology Preview

-

- Stratis is a new local storage manager. It provides managed file systems on top of pools of - storage with additional features to the user. -

-
-

- Stratis enables you to more easily perform storage tasks such as: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- RHEL 8.2 updates Stratis to version 2.0.0. This version improves reliability and the Stratis - DBus API. -

-

- (JIRA:RHELPLAN-1212) -

-
-

IdM now supports setting up a Samba server on an IdM domain member as a - Technology Preview

-

- With this update, you can now set up a Samba server on an Identity Management (IdM) domain - member. The new ipa-client-samba utility provided by the - same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the - IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the - sss ID mapping back end. As a result, administrators can now - set up Samba on an IdM domain member. -

-
-

- Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows - hosts cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not - support resolving IdM groups using the Distributed Computing Environment / Remote Procedure - Calls (DCE/RPC) protocols. As a consequence, AD users can only access the Samba shares and - printers from IdM clients. -

-

- For details, see Setting - up Samba on an IdM domain member. -

-

- (JIRA:RHELPLAN-13195) -

-
-
-
-
-
-

5.5.4. High availability and clusters

-
-
-
-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on the podman container - platform, with the container bundle feature being available as a Technology Preview. There - is one exception to this feature being Technology Preview: Red Hat fully supports the use of - Pacemaker bundles for Red Hat Openstack. -

-
-

- (BZ#1619620) -

-
-

Heuristics in corosync-qdevice available - as a Technology Preview

-

- Heuristics are a set of commands executed locally on startup, cluster membership change, - successful connect to corosync-qnetd, and, optionally, on a - periodic basis. When all commands finish successfully on time (their return error code is - zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to - corosync-qnetd where it is used in calculations to determine - which partition should be quorate. -

-
-

- (BZ#1784200) -

-
-

New fence-agents-heuristics-ping fence - agent

-

- As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of - experimental fence agents that do no actual fencing by themselves but instead exploit the - behavior of fencing levels in a new way. -

-
-

- If the heuristics agent is configured on the same fencing level as the fence agent that does the - actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the - agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to - succeed, causing Pacemaker fencing to skip the step of issuing the off action on the agent that does the fencing. A heuristics agent can - exploit this behavior to prevent the agent that does the actual fencing from fencing a node - under certain conditions. -

-

- A user might want to use this agent, especially in a two-node cluster, when it would not make - sense for a node to fence the peer if it can know beforehand that it would not be able to take - over the services properly. For example, it might not make sense for a node to take over - services if it has problems reaching the networking uplink, making the services unreachable to - clients, a situation which a ping to a router might detect in that case. -

-

- (BZ#1775847) -

-
-
-
-
-
-

5.5.5. Identity Management

-
-
-
-
-

Identity Management JSON-RPC API available as Technology - Preview

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as Technology Preview. -

-
-

- In Red Hat Enterprise Linux 7.3, the IdM API was enhanced to enable multiple versions of API - commands. Previously, enhancements could change the behavior of a command in an incompatible - way. Users are now able to continue using existing tools and scripts even if the IdM API - changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the - managing client. -
  • -
  • - Developers to use a specific version of an IdM call, even if the IdM version changes on - the server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- (BZ#1664719) -

-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones - hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

-
- -
-

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other - DNS servers. This might affect the availability of DNS zones that are not configured in - accordance with recommended naming practices. -

-

- (BZ#1664718) -

-
-

Checking the overall health of your public key infrastructure is now - available as a Technology Preview

-

- With this update, the public key infrastructure (PKI) Healthcheck tool reports the health of - the PKI subsystem to the Identity Management (IdM) Healthcheck tool, which was introduced in - RHEL 8.1. Executing the IdM Healthcheck invokes the PKI Healthcheck, which collects and - returns the health report of the PKI subsystem. -

-
-

- The pki-healthcheck tool is available on any deployed RHEL IdM - server or replica. All the checks provided by pki-healthcheck are - also integrated into the ipa-healthcheck tool. ipa-healthcheck can be installed separately from the idm:DL1 module stream. -

-

- Note that pki-healthcheck can also work in a standalone Red Hat - Certificate System (RHCS) infrastructure. -

-

- (BZ#1303254) -

-
-
-
-
-
-

5.5.6. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is now available for the 64-bit ARM architecture as a - Technology Preview. This enables administrators to configure and manage servers from a - graphical user interface (GUI) remotely, using the VNC session. -

-
-

- As a consequence, new administration applications are available on the 64-bit ARM architecture. - For example: Disk Usage Analyzer (baobab), Firewall - Configuration (firewall-config), Red Hat Subscription Manager (subscription-manager), or the Firefox web browser. Using Firefox, administrators can connect to the - local Cockpit daemon remotely. -

-

- (JIRA:RHELPLAN-27394, BZ#1667516, BZ#1667225, BZ#1724302) -

-
-
-
-
-
-

5.5.7. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is - available as a Technology Preview. Note that the rest of the graphics stack is currently - unverified for the 64-bit ARM architecture. -

-
-

- (BZ#1698565) -

-
-
-
-
-
-

5.5.8. Red Hat Enterprise Linux system roles

-
-
-
-
-

The postfix role of RHEL system roles - available as a Technology Preview

-

- Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat - Enterprise Linux subsystems, which makes system configuration easier through the inclusion - of Ansible Roles. This interface enables managing system configurations across multiple - versions of Red Hat Enterprise Linux, as well as adopting new major releases. -

-
-

- The rhel-system-roles packages are distributed through the - AppStream repository. -

-

- The postfix role is available as a Technology Preview. -

-

- The following roles are fully supported: -

-
-
    -
  • - kdump -
  • -
  • - network -
  • -
  • - selinux -
  • -
  • - storage -
  • -
  • - timesync -
  • -
-
-

- For more information, see the Knowledgebase article about RHEL system roles. -

-

- (BZ#1812552) -

-
-

rhel-system-roles-sap available as a - Technology Preview

-

- The rhel-system-roles-sap package provides Red Hat Enterprise - Linux (RHEL) system roles for SAP, which can be used to automate the configuration of a RHEL - system to run SAP workloads. These roles greatly reduce the time to configure a system to - run SAP workloads by automatically applying the optimal settings that are based on best - practices outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions - offerings. Please contact Red Hat Customer Support if you need assistance with your - subscription. -

-
-

- The following new roles in the rhel-system-roles-sap package are - available as a Technology Preview: -

-
-
    -
  • - sap-preconfigure -
  • -
  • - sap-netweaver-preconfigure -
  • -
  • - sap-hana-preconfigure -
  • -
-
-

- For more information, see Red - Hat Enterprise Linux system roles for SAP. -

-

- Note: RHEL 8.2 for SAP Solutions is scheduled to be validated for use with SAP HANA on Intel 64 - architecture and IBM POWER9. Support for other SAP applications and database products, for - example, SAP NetWeaver and SAP ASE, are tied to GA releases, and customers can use RHEL 8.2 - features upon GA. Please consult SAP Notes 2369910 and 2235581 for the latest information about - validated releases and SAP support. -

-

- (BZ#1660832) -

-
-
-
-
-
-

5.5.9. Virtualization

-
-
-
-
-

Select Intel network adapters now support SR-IOV in RHEL guests on - Hyper-V

-

- As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a - Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel - network adapters supported by the ixgbevf and i40evf drivers. This feature is enabled when the following - conditions are met: -

-
-
-
    -
  • - SR-IOV support is enabled for the network interface controller (NIC) -
  • -
  • - SR-IOV support is enabled for the virtual NIC -
  • -
  • - SR-IOV support is enabled for the virtual switch -
  • -
  • - The virtual function (VF) from the NIC is attached to the virtual machine. -
  • -
-
-

- The feature is currently supported with Microsoft Windows Server 2019 and 2016. -

-

- (BZ#1348508) -

-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual - machines

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on - a Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel systems. In addition, nested - virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the - following Microsoft documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- (BZ#1519039) -

-
-

AMD SEV for KVM virtual machines

-

- As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature - for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine - (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases - the security of the VM if the host is successfully infected by malware. -

-
-

- Note that the number of VMs that can use this feature at a time on a single host is determined - by the host hardware. Current AMD EPYC processors support up to 509 running VMs using SEV. -

-

- Also note that for VMs with SEV configured to be able to boot, you must also configure the VM - with a hard memory limit. To do so, add the following to the VM’s XML configuration: -

-
<memtune>
-<hard_limit unit='KiB'>N</hard_limit>
-</memtune>
-

- The recommended value for N is equal to or greater then the guest RAM + 256 MiB. For example, if - the guest is assigned 2 GiB RAM, N should be 2359296 or greater. -

-

- (BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677) -

-
-

Intel vGPU

-

- As a Technology Preview, it is now possible to divide a physical Intel GPU device into - multiple virtual devices referred to as mediated devices. These - mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As - a result, these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. In addition, assigning - a physical GPU to VMs makes it impossible for the host to use the GPU, and may prevent graphical - display output on the host from working. -

-

- (BZ#1528684) -

-
-
-
-
-
-

5.5.10. Containers

-
-
-
-
-

skopeo container image is available as a - Technology Preview

-

- The registry.redhat.io/rhel8/skopeo container image is a - containerized implementation of the skopeo package. The skopeo is a command-line tool utility that performs various - operations on container images and image repositories. This container image allows you to - inspect and copy container images from one unauthenticated container registry to another. -

-
-

- (BZ#1627900) -

-
-

buildah container image is available as a - Technology Preview

-

- The registry.redhat.io/rhel8/buildah container image is a - containerized implementation of the buildah package. The buildah is a tool that facilitates building OCI container images. - This container image allows you to build container images without the need to install the - buildah package on your system. The use-case does not cover - running this image in rootless mode as a non-root user. -

-
-

- (BZ#1627898) -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- (JIRA:RHELDOCS-16861) -

-
-
-
-
-
-
-

5.6. Deprecated functionality

-
-
-
-

- This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8.2. -

-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will - likely not be supported in the next major version release, and are not recommended for new - deployments on the current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the - latest version of release documentation. For information about the length of support, see Red Hat Enterprise - Linux Life Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a - package can be removed from the product. Product documentation then identifies more recent packages - that offer functionality similar, identical, or more advanced to the one deprecated, and provides - further recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, - see Considerations - in adopting RHEL 9. -

-
-
-
-
-

5.6.1. Installer and image creation

-
-
-
-
-

Several Kickstart commands and options have been deprecated -

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in - the logs. -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still - available and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- (BZ#1642765) -

-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you - modify your Kickstart file to remove the option. -

-
-

- (BZ#1637872) -

-
-
-
-
-
-

5.6.2. Software management

-
-
-
-
-

rpmbuild --sign is deprecated

-

- With this update, the rpmbuild --sign command has become - deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in - an error. It is recommended that you use the rpmsign command - instead. -

-
-

- (BZ#1688849) -

-
-
-
-
-
-

5.6.3. Shells and command-line tools

-
-
-
-
-

Metalink support for curl has been disabled

-

- A flaw was found in curl functionality in the way it handles credentials and file hash - mismatch for content downloaded using the Metalink. This flaw allows malicious actors - controlling a hosting server to: -

-
-
-
    -
  • - Trick users into downloading malicious content -
  • -
  • - Gain unauthorized access to provided credentials without the user’s knowledge -
  • -
-
-

- The highest threat from this vulnerability is confidentiality and integrity. To avoid this, the - Metalink support for curl has been disabled from Red Hat Enterprise Linux 8.2.0.z. -

-

- As a workaround, execute the following command, after the Metalink file is downloaded: -

-
wget --trust-server-names --input-metalink`
-

- For example: -

-
wget --trust-server-names --input-metalink <(curl -s $URL)
-

- (BZ#1999620) -

-
-
-
-
-
-

5.6.4. Security

-
-
-
-
-

NSS SEED ciphers are deprecated -

-

- The Mozilla Network Security Services (NSS) library will not - support TLS cipher suites that use a SEED cipher in a future release. For deployments that - rely on SEED ciphers, Red Hat recommends enabling support for other cipher suites. This way, - you ensure smooth transitions when NSS will remove support for them. -

-
-

- Note that the SEED ciphers are already disabled by default in RHEL. -

-

- (BZ#1817533) -

-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer - Portal and the update-crypto-policies(8) man page. -

-

- (BZ#1660839) -

-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux - 8. Authentication mechanisms that depend on DSA keys do not work in the default - configuration. Note that OpenSSH clients do not accept DSA host - keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- (BZ#1646541) -

-
-

SSL2 Client Hello has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and - earlier allow to start a negotiation with a Client Hello - message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this - feature may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- (BZ#1645153) -

-
-

TPM 1.2 is deprecated

-

- The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to - version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward - compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be - removed in the next major release. -

-
-

- (BZ#1657927) -

-
-
-
-
-
-

5.6.5. Networking

-
-
-
-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided - by default. The basic installation provides a new version of the ifup and ifdown scripts which call - the NetworkManager service through the - nmcli tool. In Red Hat Enterprise Linux - 8, to run the ifup and the ifdown - scripts, NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local - scripts are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
~]# yum install network-scripts
-

- The ifup and ifdown scripts link to - the installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- (BZ#1647725) -

-
-
-
-
-
-

5.6.6. Kernel

-
-
-
-
-

Installing RHEL for Real Time 8 using diskless boot is now - deprecated

-

- Diskless booting allows multiple systems to share a root file system via the network. While - convenient, diskless boot is prone to introducing network latency in realtime workloads. - With a future minor update of RHEL for Real Time 8, the diskless booting feature will no - longer be supported. -

-
-

- (BZ#1748980) -

-
-

The qla3xxx driver is deprecated -

-

- The qla3xxx driver has been deprecated in RHEL 8. The driver - will likely not be supported in future major releases of this product, and thus it is not - recommended for new deployments. -

-
-

- (BZ#1658840) -

-
-

The dl2k, dnet, ethoc, and dlci drivers are deprecated

-

- The dl2k, dnet, ethoc, and dlci drivers have been - deprecated in RHEL 8. The drivers will likely not be supported in future major releases of - this product, and thus they are not recommended for new deployments. -

-
-

- (BZ#1660627) -

-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, - is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE - feature is available as an unsupported Technology Preview. However, due to stability issues, - this feature has been deprecated and will be removed in RHEL 9. -

-
-

- (BZ#1878207) -

-
-
-
-
-
-

5.6.7. File systems and storage

-
-
-
-
-

The elevator kernel command line parameter - is deprecated

-

- The elevator kernel command line parameter was used in earlier - RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is - deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is - typically the optimal setting. If you require a different scheduler, Red Hat recommends that you - use udev rules or the Tuned service to configure it. Match the - selected devices and switch the scheduler only for those devices. -

-

- For more information, see Setting - the disk scheduler. -

-

- (BZ#1665295) -

-
-

LVM mirror is deprecated

-

- The LVM mirror segment type is now deprecated. Support for - mirror will be removed in a future major release of RHEL. -

-
-

- Red Hat recommends that you use LVM RAID 1 devices with a segment type of raid1 instead of mirror. The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, - see Converting - a mirrored LVM device to a RAID1 logical volume. -

-

- LVM mirror has several known issues. For details, see known issues in file systems and storage. -

-

- (BZ#1827628) -

-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by - default. This change affects only NFS version 3 because version 4 requires the Transmission - Control Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- (BZ#1592011) -

-
-
-
-
-
-

5.6.8. Identity Management

-
-
-
-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- (JIRA:RHELDOCS-16612) -

-
-
-
-
-
-

5.6.9. Desktop

-
-
-
-
-

The libgnome-keyring library has been - deprecated

-

- The libgnome-keyring library has been deprecated in favor of - the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow - the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary - security standards. -

-
-

- (BZ#1607766) -

-
-
-
-
-
-

5.6.10. Graphics infrastructures

-
-
-
-
-

AGP graphics cards are no longer supported

-

- Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat - Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended - replacement. -

-
-

- (BZ#1569610) -

-
-
-
-
-
-

5.6.11. The web console

-
-
-
-
-

The web console no longer supports incomplete translations

-

- The RHEL web console no longer provides translations for languages that have translations - available for less than 50 % of the Console’s translatable strings. If the browser requests - translation to such a language, the user interface will be in English instead. -

-
-

- (BZ#1666722) -

-
-
-
-
-
-

5.6.12. Virtualization

-
-
-
-
-

virt-manager has - been deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The - RHEL 8 web console, also known as Cockpit, is intended to become its - replacement in a subsequent release. It is, therefore, recommended that you use the web - console for managing virtualization in a GUI. Note, however, that some features available in - virt-manager may not be yet available - the RHEL 8 web console. -

-
-

- (JIRA:RHELPLAN-10304) -

-
-

Virtual machine snapshots are not properly supported in RHEL 8 -

-

- The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it - is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL - 8. -

-
-

- Note that a new VM snapshot mechanism is under development and will be fully implemented in a - future minor release of RHEL 8. -

-

- (BZ#1686057) -

-
-

The Cirrus VGA - virtual GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga, virtio-vga, or qxl devices instead of Cirrus VGA. -

-
-

- (BZ#1651994) -

-
-

The cpu64-rhel6 CPU model has been - deprecated and removed

-

- The cpu64-rhel6 QEMU virtual CPU model has been deprecated in - RHEL 8.1, and has been removed from RHEL 8.2. It is recommended that you use the other CPU - models provided by QEMU and libvirt, according to the CPU present on the host machine. -

-
-

- (BZ#1741346) -

-
-
-
-
-
-

5.6.13. Deprecated packages

-
-
-
-

- The following packages have been deprecated and will probably not be included in a future major - release of Red Hat Enterprise Linux: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - authd -
  • -
  • - custodia -
  • -
  • - hostname -
  • -
  • - libidn -
  • -
  • - net-tools -
  • -
  • - network-scripts -
  • -
  • - nss-pam-ldapd -
  • -
  • - sendmail -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
-
-
-
-
-
-
-
-

5.7. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8.2. -

-
-
-
-
-

5.7.1. Installer and image creation

-
-
-
-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart - commands during installation. Without this package, the installation fails if auth or authconfig are used. - However, by design, the authselect-compat package is only - available in the AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to - the installer or use the authselect Kickstart command during - installation. -

-

- (BZ#1640697) -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec - Kickstart command or the inst.kexec kernel boot parameters do - not provide the same predictable system state as a full reboot. As a consequence, switching - to the installed system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- (BZ#1697896) -

-
-

Anaconda installation includes low limits of minimal resources setting - requirements

-

- Anaconda initiates the installation on systems with minimal resource settings required - available and do not provide previous message warning about the required resources for - performing the installation successfully. As a result, the installation can fail and the - output errors do not provide clear messages for possible debug and recovery. To work around - this problem, make sure that the system has the minimal resources settings required for - installation: 2GB memory on PPC64(LE) and 1GB on x86_64. As a result, it should be possible - to perform a successful installation. -

-
-

- (BZ#1696609) -

-
-

Installation fails when using the reboot --kexec command

-

- The RHEL 8 installation fails when using a Kickstart file that contains the reboot --kexec command. To avoid the problem, use the reboot command instead of reboot --kexec in your Kickstart file. -

-
-

- (BZ#1672405) -

-
-

RHEL 8 initial setup cannot be performed via SSH

-

- Currently, the RHEL 8 initial setup interface does not display when logged in to the system - using SSH. As a consequence, it is impossible to perform the initial setup on a RHEL 8 - machine managed via SSH. To work around this problem, perform the initial setup in the main - system console (ttyS0) and, afterwards, log in using SSH. -

-
-

- (BZ#1676439) -

-
-

Network access is not enabled by default in the installation - program

-

- Several installation features require network access, for example, registration of a system - using the Content Delivery Network (CDN), NTP server support, and network installation - sources. However, network access is not enabled by default, and as a result, these features - cannot be used until network access is enabled. -

-
-

- To work around this problem, add ip=dhcp to boot options to enable - network access when the installation starts. Optionally, passing a Kickstart file or a - repository located on the network using boot options also resolves the problem. As a result, the - network-based installation features can be used. -

-

- (BZ#1757877) -

-
-

Registration fails for user accounts that belong to multiple - organizations

-

- Currently, when you attempt to register a system with a user account that belongs to - multiple organizations, the registration process fails with the error message You must specify an organization for new - units. -

-
-

- To work around this problem, you can either: -

-
-
    -
  • - Use a different user account that does not belong to multiple organizations. -
  • -
  • - Use the Activation Key - authentication method available in the Connect to Red Hat feature for GUI and Kickstart - installations. -
  • -
  • - Skip the registration step in Connect to Red Hat and use Subscription Manager to - register your system post-installation. -
  • -
-
-

- (BZ#1822880) -

-
-

A GUI installation using the Binary DVD ISO image can sometimes not - proceed without CDN registration

-

- When performing a GUI installation using the Binary DVD ISO image file, a race condition in - the installer can sometimes prevent the installation from proceeding until you register the - system using the Connect to Red Hat feature. To work around this problem, complete the - following steps: -

-
-
-
    -
  1. - Select Installation Source from the - Installation Summary window of the - GUI installation. -
  2. -
  3. - Verify that Auto-detected installation - media is selected. -
  4. -
  5. - Click Done to confirm the selection - and return to the Installation - Summary window. -
  6. -
  7. - Verify that Local Media is displayed - as the Installation Source status in - the Installation Summary window. -
  8. -
-
-

- As a result, you can proceed with the installation without registering the system using the - Connect to Red Hat feature. -

-

- (BZ#1823578) -

-
-

Copying the content of the Binary DVD.iso - file to a partition omits the .treeinfo and .discinfo files

-

- During local installation, while copying the content of the RHEL 8 Binary DVD.iso image file - to a partition, the * in the cp <path>/\* <mounted partition>/dir command fails to - copy the .treeinfo and .discinfo - files. These files are required for a successful installation. As a result, the BaseOS and - AppStream repositories are not loaded, and a debug-related log message in the anaconda.log file is the only record of the problem. -

-
-

- To work around the problem, copy the missing .treeinfo and .discinfo files to the partition. -

-

- (BZ#1687747) -

-
-

Self-signed HTTPS server cannot be used in Kickstart - installation

-

- Currently, the installer fails to install from a self-signed https server when the - installation source is specified in the kickstart file and the --noverifyssl option is used: -

-
-
url --url=https://SERVER/PATH --noverifyssl
-

- To work around this problem, append the inst.noverifyssl parameter - to the kernel command line when starting the kickstart installation. -

-

- For example: -

-
inst.ks=<URL> inst.noverifyssl
-

- (BZ#1745064) -

-
-

GUI installation might fail if an attempt to unregister using the CDN - is made before the repository refresh is completed

-

- In RHEL 8.2, when registering your system and attaching subscriptions using the Content - Delivery Network (CDN), a refresh of the repository metadata is started by the GUI - installation program. The refresh process is not part of the registration and subscription - process, and as a consequence, the Unregister button is enabled in the Connect to Red Hat window. Depending on - the network connection, the refresh process might take more than a minute to complete. If - you click the Unregister button before - the refresh process is completed, the GUI installation might fail as the unregister process - removes the CDN repository files and the certificates required by the installation program - to communicate with the CDN. -

-
-

- To work around this problem, complete the following steps in the GUI installation after you have - clicked the Register button in the Connect to Red Hat window: -

-
-
    -
  1. - From the Connect to Red Hat window, - click Done to return to the Installation Summary window. -
  2. -
  3. - From the Installation Summary - window, verify that the Installation - Source and Software - Selection status messages in italics are not displaying any - processing information. -
  4. -
  5. - When the Installation Source and Software Selection categories are ready, click Connect to Red Hat. -
  6. -
  7. - Click the Unregister button. -
  8. -
-
-

- After performing these steps, you can safely unregister the system during the GUI installation. -

-

- (BZ#1821192) -

-
-
-
-
-
-

5.7.2. Subscription management

-
-
-
-
-

syspurpose addons have no effect on the - subscription-manager attach --auto output.

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role,usage, service_level_agreement and addons. - Currently, only role, usage and - service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to - set values to the addons argument will not observe any effect - on the subscriptions that are auto-attached. -

-
-

- (BZ#1687900) -

-
-

Data from multi-path storage devices is lost when installing RHEL using - a Kickstart file

-

- Data from the multi-path storage devices that are attached to a host is lost when installing - RHEL using a Kickstart file. This issue occurs because the installer fails to ignore the - multi-path storage devices that you specify using ignoredisk --drives command. As a result, data on the devices is - lost. -

-
-

- To work around this problem, detach the devices before installation, or use ignoredisk --only-use command to specify the devices for - installation. -

-

- (BZ#1862131) -

-
-
-
-
-
-

5.7.3. Shells and command-line tools

-
-
-
-
-

Applications using Wayland protocol cannot - be forwarded to remote display servers

-

- In Red Hat Enterprise Linux 8, most applications use the Wayland protocol by default instead - of the X11 protocol. As a consequence, the ssh server cannot forward the applications that - use the Wayland protocol but is able to forward the applications that use the X11 protocol - to a remote display server. -

-
-

- To work around this problem, set the environment variable GDK_BACKEND=x11 before starting the applications. As a result, the - application can be forwarded to remote display servers. -

-

- (BZ#1686892) -

-
-

systemd-resolved.service fails to start on - boot

-

- The systemd-resolved service occasionally fails to start on - boot. If this happens, restart the service manually after the boot finishes by using the - following command: -

-
-
# systemctl start systemd-resolved
-

- However, the failure of systemd-resolved on boot does not impact - any other services. -

-

- (BZ#1640802) -

-
-
-
-
-
-

5.7.4. Security

-
-
-
-
-

Audit executable watches on symlinks do not work

-

- File monitoring provided by the -w option cannot directly track - a path. It has to resolve the path to a device and an inode to make a comparison with the - executed program. A watch monitoring an executable symlink monitors the device and an inode - of the symlink itself instead of the program executed in memory, which is found from the - resolution of the symlink. Even if the watch resolves the symlink to get the resulting - executable program, the rule triggers on any multi-call binary called from a different - symlink. This results in flooding logs with false positives. Consequently, Audit executable - watches on symlinks do not work. -

-
-

- To work around the problem, set up a watch for the resolved path of the program executable, and - filter the resulting log messages using the last component listed in the comm= or proctitle= fields. -

-

- (BZ#1846345) -

-
-

SELINUX=disabled in /etc/selinux/config does not work properly

-

- Disabling SELinux using the SELINUX=disabled option in the - /etc/selinux/config results in a process in which the kernel - boots with SELinux enabled and switches to disabled mode later in the boot process. This - might cause memory leaks. -

-
-

- To work around this problem, disable SELinux by adding the selinux=0 parameter to the kernel command line as described in the Changing - SELinux modes at boot time section of the Using - SELinux title if your scenario really requires to completely disable SELinux. -

-

- (JIRA:RHELPLAN-34199) -

-
-

libselinux-python is available only - through its module

-

- The libselinux-python package contains only Python 2 bindings - for developing SELinux applications and it is used for backward compatibility. For this - reason, libselinux-python is no longer available in the default - RHEL 8 repositories through the dnf install libselinux-python - command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# dnf module enable libselinux-python
-# dnf install libselinux-python
-

- Alternatively, install libselinux-python using its install profile - with a single command: -

-
# dnf module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- (BZ#1666328) -

-
-

udica processes UBI 8 containers only when - started with --env container=podman

-

- The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman - value. This prevents the udica tool from analyzing a container - JavaScript Object Notation (JSON) file. -

-
-

- To work around this problem, start a UBI 8 container using a podman - command with the --env container=podman parameter. As a result, - udica can generate an SELinux policy for a UBI 8 container only - when you use the described workaround. -

-

- (BZ#1763210) -

-
-

Removing the rpm-plugin-selinux package - leads to removing all selinux-policy packages from the - system

-

- Removing the rpm-plugin-selinux package disables SELinux on the - machine. It also removes all selinux-policy packages from the - system. Repeated installation of the rpm-plugin-selinux package - then installs the selinux-policy-minimum SELinux policy, even - if the selinux-policy-targeted policy was previously present on - the system. However, the repeated installation does not update the SELinux configuration - file to account for the change in policy. As a consequence, SELinux is disabled even upon - reinstallation of the rpm-plugin-selinux package. -

-
-

- To work around this problem: -

-
-
    -
  1. - Enter the umount /sys/fs/selinux/ command. -
  2. -
  3. - Manually install the missing selinux-policy-targeted - package. -
  4. -
  5. - Edit the /etc/selinux/config file so that the policy is - equal to SELINUX=enforcing. -
  6. -
  7. - Enter the command load_policy -i. -
  8. -
-
-

- As a result, SELinux is enabled and running the same policy as before. -

-

- (BZ#1641631) -

-
-

SELinux prevents systemd-journal-gatewayd - to call newfstatat() on shared memory files created by - corosync

-

- SELinux policy does not contain a rule that allows the systemd-journal-gatewayd daemon to access files created by the - corosync service. As a consequence, SELinux denies systemd-journal-gatewayd to call the newfstatat() function on shared memory files created by corosync. -

-
-

- To work around this problem, create a local policy module with an allow rule which enables the - described scenario. See the audit2allow(1) man page for more - information on generating SELinux policy allow and dontaudit rules. As a result of the previous workaround, - systemd-journal-gatewayd can call the function on shared memory - files created by corosync with SELinux in enforcing mode. -

-

- (BZ#1746398) -

-
-

SELinux prevents auditd to halt or power - off the system

-

- The SELinux policy does not contain a rule that allows the Audit daemon to start a power_unit_file_t systemd unit. - Consequently, auditd cannot halt or power off the system even - when configured to do so in cases such as no space left on a logging disk partition. -

-
-

- To work around this problem, create a custom SELinux policy module. As a result, auditd can properly halt or power off the system only if you apply - the workaround. -

-

- (BZ#1826788) -

-
-

users can run sudo commands as locked - users

-

- In systems where sudoers permissions are defined with the ALL keyword, sudo users with - permissions can run sudo commands as users whose accounts are - locked. Consequently, locked and expired accounts can still be used to execute commands. -

-
-

- To work around this problem, enable the newly implemented runas_check_shell option together with proper settings of valid - shells in /etc/shells. This prevents attackers from running - commands under system accounts such as bin. -

-

- (BZ#1786990) -

-
-

Negative effects of the default logging setup on performance -

-

- The default logging environment setup might consume 4 GB of memory or even more and - adjustments of rate-limit values are complex when systemd-journald is running with rsyslog. -

-
-

- See the Negative effects of - the RHEL default logging setup on performance and their mitigations Knowledgebase - article for more information. -

-

- (JIRA:RHELPLAN-10431) -

-
-

Parameter not known errors in the rsyslog output with config.enabled

-

- In the rsyslog output, an unexpected bug occurs in - configuration processing errors using the config.enabled - directive. As a consequence, parameter not known errors are - displayed while using the config.enabled directive except for - the include() statements. -

-
-

- To work around this problem, set config.enabled=on or use include() statements. -

-

- (BZ#1659383) -

-
-

Certain rsyslog priority strings do not - work correctly

-

- Support for the GnuTLS priority string - for imtcp that allows fine-grained control over encryption is - not complete. Consequently, the following priority strings do not work properly in rsyslog: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- (BZ#1679512) -

-
-

Connections to servers with SHA-1 signatures do not work with - GnuTLS

-

- SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as - insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS - connection to peers that offer such certificates. This behavior is inconsistent with other - system cryptographic libraries. To work around this problem, upgrade the server to use - certificates signed with SHA-256 or stronger hash, or switch to the LEGACY policy. -

-
-

- (BZ#1628553) -

-
-

TLS 1.3 does not work in NSS in FIPS mode

-

- TLS 1.3 is not supported on systems working in FIPS mode. As a result, connections that - require TLS 1.3 for interoperability do not function on a system working in FIPS mode. -

-
-

- To enable the connections, disable the system’s FIPS mode or enable support for TLS 1.2 in the - peer. -

-

- (BZ#1724250) -

-
-

OpenSSL incorrectly handles PKCS #11 - tokens that does not support raw RSA or RSA-PSS signatures

-

- The OpenSSL library does not detect key-related capabilities of - PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is - created with a token that does not support raw RSA or RSA-PSS signatures. -

-
-

- To work around the problem, add the following lines after the .include line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file: -

-
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
-MaxProtocol = TLSv1.2
-

- As a result, a TLS connection can be established in the described scenario. -

-

- (BZ#1685470) -

-
-

OpenSSL generates a malformed status_request extension in the CertificateRequest message in TLS 1.3

-

- OpenSSL servers send a malformed status_request extension in - the CertificateRequest message if support for the status_request extension and client certificate-based - authentication are enabled. In such case, OpenSSL does not interoperate with implementations - compliant with the RFC 8446 protocol. As a result, clients that - properly verify extensions in the CertificateRequest message - abort connections with the OpenSSL server. To work around this problem, disable support for - the TLS 1.3 protocol on either side of the connection or disable support for status_request on the OpenSSL server. This will prevent the - server from sending malformed messages. -

-
-

- (BZ#1749068) -

-
-

ssh-keyscan cannot retrieve RSA keys of - servers in FIPS mode

-

- The SHA-1 algorithm is disabled for RSA signatures in FIPS - mode, which prevents the ssh-keyscan utility from retrieving - RSA keys of servers operating in that mode. -

-
-

- To work around this problem, use ECDSA keys instead, or retrieve the keys locally from the /etc/ssh/ssh_host_rsa_key.pub file on the server. -

-

- (BZ#1744108) -

-
-

Libreswan does not work properly with - seccomp=enabled on all configurations

-

- The set of allowed syscalls in the Libreswan SECCOMP support - implementation is currently not complete. Consequently, when SECCOMP is enabled in the ipsec.conf file, the syscall filtering rejects even syscalls - needed for the proper functioning of the pluto daemon; the - daemon is killed, and the ipsec service is restarted. -

-
-

- To work around this problem, set the seccomp= option back to the - disabled state. SECCOMP support must remain disabled to run ipsec properly. -

-

- (BZ#1777474) -

-
-

Certain sets of interdependent rules in SSG can fail

-

- Remediation of SCAP Security Guide (SSG) rules in a benchmark - can fail due to undefined ordering of rules and their dependencies. If two or more rules - need to be executed in a particular order, for example, when one rule installs a component - and another rule configures the same component, they can run in the wrong order and - remediation reports an error. To work around this problem, run the remediation twice, and - the second run fixes the dependent rules. -

-
-

- (BZ#1750755) -

-
-

SCAP Workbench - fails to generate results-based remediations from tailored profiles

-

- The following error occurs when trying to generate results-based remediation roles from a - customized profile using the SCAP - Workbench tool: -

-
-
Error generating remediation role .../remediation.sh: Exit code of oscap was 1: [output truncated]
-

- To work around this problem, use the oscap command with the --tailoring-file option. -

-

- (BZ#1640715) -

-
-

Kickstart uses org_fedora_oscap instead of - com_redhat_oscap in RHEL 8

-

- The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda - add-on as org_fedora_oscap instead of com_redhat_oscap which might cause confusion. That is done to - preserve backward compatibility with Red Hat Enterprise Linux 7. -

-
-

- (BZ#1665082) -

-
-

OSCAP Anaconda Addon does not install all - packages in text mode

-

- The OSCAP Anaconda Addon plugin cannot modify the list of - packages selected for installation by the system installer if the installation is running in - text mode. Consequently, when a security policy profile is specified using Kickstart and the - installation is running in text mode, any additional packages required by the security - policy are not installed during installation. -

-
-

- To work around this problem, either run the installation in graphical mode or specify all - packages that are required by the security policy profile in the security policy in the %packages section in your Kickstart file. -

-

- As a result, packages that are required by the security policy profile are not installed during - RHEL installation without one of the described workarounds, and the installed system is not - compliant with the given security policy profile. -

-

- (BZ#1674001) -

-
-

OSCAP Anaconda Addon does not correctly - handle customized profiles

-

- The OSCAP Anaconda Addon plugin does not properly handle - security profiles with customizations in separate files. Consequently, the customized - profile is not available in the RHEL graphical installation even when you properly specify - it in the corresponding Kickstart section. -

-
-

- To work around this problem, follow the instructions in the Creating a single SCAP data stream from an - original DS and a tailoring file Knowledgebase article. As a result of this workaround, - you can use a customized SCAP profile in the RHEL graphical installation. -

-

- (BZ#1691305) -

-
-

GnuTLS fails to resume current session with the NSS server

-

- When resuming a TLS (Transport Layer Security) 1.3 session, the GnuTLS client waits 60 milliseconds plus an estimated round trip - time for the server to send session resumption data. If the server does not send the - resumption data within this time, the client creates a new session instead of resuming the - current session. This incurs no serious adverse effects except for a minor performance - impact on a regular session negotiation. -

-
-

- (BZ#1677754) -

-
-

The oscap-ssh utility fails when scanning a remote system with - --sudo

-

- When performing a Security Content Automation Protocol (SCAP) scan of a remote system using - the oscap-ssh tool with the --sudo - option, the oscap tool on the remote system saves scan result - files and report files into a temporary directory as the root - user. If the umask settings on the remote machine have been - changed, oscap-ssh might not have access to these files. To - work around this problem, modify the oscap-ssh tool as - described in this solution "oscap-ssh --sudo" fails to retrieve - the result files with "scp: …​: Permission denied" error. As a result, oscap saves the files as the target user, and oscap-ssh accesses the files normally. -

-
-

- (BZ#1803116) -

-
-

OpenSCAP produces false positives caused by removing blank lines from - YAML multi-line strings

-

- When OpenSCAP generates Ansible remediations from a datastream, it removes blank lines from - YAML multi-line strings. Because some Ansible remediations contain literal configuration - file content, removing blank lines affects the corresponding remediations. This causes the - openscap utility to fail the corresponding Open Vulnerability - and Assessment Language (OVAL) checks, even though the blank lines do not have any effect. - To work around this problem, check the rule descriptions and skip scan results that failed - because of missing blank lines. Alternatively, use Bash remediations instead of Ansible - remediations, because Bash remediations do not produce these false positive results. -

-
-

- (BZ#1795563) -

-
-

OSPP-based profiles are incompatible with GUI package groups. -

-

- GNOME packages installed by the Server with GUI package group require the nfs-utils package that is not compliant with the Operating System - Protection Profile (OSPP). As a consequence, selecting the Server - with GUI package group during the installation of a system with OSPP or - OSPP-based profiles, for example, Security Technical Implementation Guide (STIG), aborts the - installation. If the OSPP-based profile is applied after the installation, the system is not - bootable. To work around this problem, do not install the Server - with GUI package group or any other groups that install GUI when using - the OSPP profile and OSPP-based profiles. When you use the Server or Minimal - Install package groups instead, the system installs without issues and - works correctly. -

-
-

- (BZ#1787156) -

-
-

RHEL8 system with the Server with - GUI package group cannot be remediated using the e8 profile -

-

- Using the OpenSCAP Anaconda Add-on to harden the system on the Server With GUI package group with profiles that select - rules from the Verify Integrity with RPM group - requires an extreme amount of RAM on the system. This problem is caused by the OpenSCAP - scanner; for more details see Scanning large numbers of - files with OpenSCAP causes systems to run out of memory. As a consequence, the - hardening of the system using the RHEL8 Essential Eight (e8) profile is not successful. To - work around this problem, choose a smaller package group, for example, Server, and install - additional packages that you require after the installation. As a result, the system will - have a smaller number of packages, the scanning will require less memory, and therefore the - system can be hardened automatically. -

-
-

- (BZ#1816199) -

-
-

Scanning large numbers of files with OpenSCAP causes systems to run out - of memory

-

- The OpenSCAP scanner stores all the collected results in the memory until the scan finishes. - As a consequence, the system might run out of memory on systems with low RAM when scanning - large numbers of files, for example from the large package groups Server with GUI and Workstation. To work around this problem, use smaller - package groups, for example, Server and Minimal Install on systems with limited RAM. If you - need to use large package groups, you can test whether your system has sufficient memory in - a virtual or staging environment. Alternatively, you can tailor the scanning profile to - deselect rules that involve recursion over the entire / - filesystem: -

-
-
-
    -
  • - rpm_verify_hashes -
  • -
  • - rpm_verify_permissions -
  • -
  • - rpm_verify_ownership -
  • -
  • - file_permissions_unauthorized_world_writable -
  • -
  • - no_files_unowned_by_user -
  • -
  • - dir_perms_world_writable_system_owned -
  • -
  • - file_permissions_unauthorized_suid -
  • -
  • - file_permissions_unauthorized_sgid -
  • -
  • - file_permissions_ungroupowned -
  • -
  • - dir_perms_world_writable_sticky_bits -
  • -
-
-

- This will prevent OpenSCAP scan from causing the system to run out of memory. -

-

- (BZ#1824152) -

-
-
-
-
-
-

5.7.5. Networking

-
-
-
-
-

IPsec network traffic fails during IPsec offloading when GRO is - disabled

-

- IPsec offloading is not expected to work when Generic Receive Offload (GRO) is disabled on - the device. If IPsec offloading is configured on a network interface and GRO is disabled on - that device, IPsec network traffic fails. -

-
-

- To work around this problem, keep GRO enabled on the device. -

-

- (BZ#1649647) -

-
-

iptables does not request module loading - for commands that update a chain if the specified chain type is not known

-

- Note: This problem causes spurious errors with no functional implication when stopping the - iptables systemd service if you are using the - services default configuration. -

-
-

- When setting a chain’s policy with iptables-nft, the resulting - update chain command sent to the kernel will fail if the associated kernel module is not loaded - already. To work around the problem, use the following commands to cause the modules to load: -

-

- + -

-
# iptables -t nat -n -L
-# iptables -t mangle -n -L
-

- (BZ#1812666) -

-
-

Automatic loading of address family-specific LOG back end modules by the nft_compat module can hang

-

- When the nft_compat module loads address family-specific LOG target back ends while an operation on network namespaces - (netns) happens in parallel, a lock collision can occur. As a - consequence, loading the address family-specific LOG target - back ends can hang. To work around the problem, manually load the relevant LOG target back ends, such as nf_log_ipv4.ko and nf_log_ipv6.ko, - before executing the iptables-restore utility. As a result, - loading the LOG target back ends does not hang. However, if the - problem appears during the system boots, no workaround is available. -

-
-

- Note that other services, such as libvirtd, also execute iptables commands, which can cause the problem to occur. -

-

- (BZ#1757933) -

-
-
-
-
-
-

5.7.6. Kernel

-
-
-
-
-

Accidental patch removal causes huge_page_setup_helper.py to show error

-

- A patch that updates the huge_page_setup_helper.py script, was - accidentally removed. Consequently, after executing the huge_page_setup_helper.py script, the following error message - appears: -

-
-
SyntaxError: Missing parentheses in call to 'print'
-

- To work around this problem, copy the huge_page_setup_helper.py - script from RHEL 8.1 and install it to the /usr/bin/ directory: -

-
-
    -
  1. - Download the libhugetlbfs-utils-2.21-3.el8.x86_64.rpm - package from the RHEL-8.1.0 Installation Media or from the Red Hat Customer Portal. -
  2. -
  3. -

    - Execute the rpm2cpio command: -

    -
    # rpm2cpio libhugetlbfs-utils-2.21-3.el8.x86_64.rpm | cpio -D / -iduv '*/huge_page_setup_helper.py'
    -

    - The command extracts the huge_page_setup_helper.py - script from the RHEL 8.1 RPM and saves it to the /usr/bin/ directory. -

    -
  4. -
-
-

- As a result, the huge_page_setup_helper.py script works correctly. -

-

- (BZ#1823398) -

-
-

Systems with a large amount of persistent memory experience delays - during the boot process

-

- Systems with a large amount of persistent memory take a long time to boot because the - initialization of the memory is serialized. Consequently, if there are persistent memory - file systems listed in the /etc/fstab file, the system might - timeout while waiting for devices to become available. To work around this problem, - configure the DefaultTimeoutStartSec option in the /etc/systemd/system.conf file to a sufficiently large value. -

-
-

- (BZ#1666538) -

-
-

KSM sometimes ignores NUMA memory policies

-

- When the kernel shared memory (KSM) feature is enabled with the merge_across_nodes=1 parameter, KSM ignores memory policies set - by the mbind() function, and may merge pages from some memory areas to Non-Uniform Memory - Access (NUMA) nodes that do not match the policies. -

-
-

- To work around this problem, disable KSM or set the merge_across_nodes parameter to 0 if - using NUMA memory binding with QEMU. As a result, NUMA memory policies configured for the KVM VM - will work as expected. -

-

- (BZ#1153521) -

-
-

Debug kernel fails to boot in crash capture environment in RHEL - 8

-

- Due to memory-demanding nature of the debug kernel, a problem occurs when the debug kernel - is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to - boot as the capture kernel, and a stack trace is generated instead. To work around this - problem, increase the crash kernel memory accordingly. As a result, the debug kernel - successfully boots in the crash capture environment. -

-
-

- (BZ#1659609) -

-
-

zlib may slow down a vmcore capture in some compression functions

-

- The kdump configuration file uses the lzo compression format (makedumpfile -l) by default. When you modify the configuration - file using the zlib compression format, (makedumpfile -c) it is likely to bring a better compression - factor at the expense of slowing down the vmcore capture - process. As a consequence, it takes the kdump upto four times - longer to capture a vmcore with zlib, as compared to lzo. -

-
-

- As a result, Red Hat recommends using the default lzo for cases - where speed is the main driving factor. However, if the target machine is low on available - space, zlib is a better option. -

-

- (BZ#1790635) -

-
-

A vmcore capture fails after memory - hot-plug or unplug operation

-

- After performing the memory hot-plug or hot-unplug operation, the event comes after updating - the device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical - address. The problem appears if all of the following conditions meet: -

-
-
-
    -
  • - A little-endian variant of IBM Power System runs RHEL 8. -
  • -
  • - The kdump or fadump service is - enabled on the system. -
  • -
-
-

- Consequently, the capture kernel fails to save vmcore if a kernel - crash is triggered after the memory hot-plug or hot-unplug operation. -

-

- To work around this problem, restart the kdump service after - hot-plug or hot-unplug: -

-
# systemctl restart kdump.service
-

- As a result, vmcore is successfully saved in the described - scenario. -

-

- (BZ#1793389) -

-
-

The fadump dumping mechanism renames the - network interface to kdump-<interface-name> -

-

- When using firmware-assisted dump (fadump) to capture a vmcore and store it to a remote machine using SSH or NFS - protocol, renames the network interface to kdump-<interface-name>. The renaming happens when the <interface-name> is generic, for example, *eth#, or net# - and so on. This problem occurs because the vmcore capture - scripts in the initial RAM disk (initrd) add the kdump- prefix - to the network interface name to secure persistent naming. Since the same initrd is also used for a regular boot, the interface name is - changed for the production kernel too. -

-
-

- (BZ#1745507) -

-
-

The system enters the emergency mode at boot-time when fadump is enabled

-

- The system enters the emergency mode when fadump (kdump) or dracut squash module is - enabled in the initramfs scheme because systemd manager fails to fetch the mount information and - configure the LV partition to mount. To work around this problem, add the following kernel - command line parameter rd.lvm.lv=<VG>/<LV> to - discover and mount the failed LV partition appropriately. As a result, the system will boot - successfully in the described scenario. -

-
-

- (BZ#1750278) -

-
-

Using irqpoll causes vmcore generation failure

-

- Due to an existing problem with the nvme driver on the 64-bit - ARM architectures that run on the Amazon Web Services (AWS) cloud platforms, the vmcore generation fails when you provide the irqpoll kernel command line parameter to the first kernel. - Consequently, no vmcore file is dumped in the /var/crash/ directory after a kernel crash. To work around this - problem: -

-
-
-
    -
  1. - Add irqpoll to the KDUMP_COMMANDLINE_REMOVE key in the /etc/sysconfig/kdump file. -
  2. -
  3. - Restart the kdump service by running the systemctl restart kdump command. -
  4. -
-
-

- As a result, the first kernel boots correctly and the vmcore file - is expected to be captured upon the kernel crash. -

-

- Note that the kdump service can use a significant amount of crash - kernel memory to dump the vmcore file. Ensure that the capture - kernel has sufficient memory available for the kdump service. -

-

- (BZ#1654962) -

-
-

Using vPMEM memory as dump target delays the kernel crash capture - process

-

- When you use Virtual Persistent Memory (vPEM) namespaces as kdump or fadump target, the papr_scm module is forced to unmap and remap the memory backed by - vPMEM and re-add the memory to its linear map. Consequently, this behavior triggers - Hypervisor Calls (HCalls) to the POWER Hypervisor, and the total time taken, slows the - capture kernel boot considerably. Therefore, it is recommended not to use vPMEM namespaces - as a dump target for kdump or fadump. -

-
-

- If you must use vPMEM, to work around this problem execute the following commands: -

-
-
    -
  1. -

    - Create the /etc/dracut.conf.d/99-pmem-workaround.conf - file and add: -

    -
    add_drivers+="nd_pmem nd_btt libnvdimm papr_scm"
    -
  2. -
  3. -

    - Rebuild the initial RAM disk (initrd) file system: -

    -
    # touch /etc/kdump.conf
    -# systemctl restart kdump.service
    -
  4. -
-
-

- (BZ#1792125) -

-
-

The HP NMI watchdog does not always generate a crash dump

-

- In certain cases, the hpwdt driver for the HP NMI watchdog is - not able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because - the NMI was instead consumed by the perfmon driver. -

-
-

- The missing NMI is initiated by one of two conditions: -

-
-
    -
  1. - The Generate NMI button on the - Integrated Lights-Out (iLO) server management software. This button is triggered by a - user. -
  2. -
  3. - The hpwdt watchdog. The expiration by default sends an NMI - to the server. -
  4. -
-
-

- Both sequences typically occur when the system is unresponsive. Under normal circumstances, the - NMI handler for both these situations calls the kernel panic() - function and if configured, the kdump service generates a vmcore file. -

-

- Because of the missing NMI, however, kernel panic() is not called - and vmcore is not collected. -

-

- In the first case (1.), if the system was unresponsive, it remains so. To work around this - scenario, use the virtual Power button to - reset or power cycle the server. -

-

- In the second case (2.), the missing NMI is followed 9 seconds later by a reset from the - Automated System Recovery (ASR). -

-

- The HPE Gen9 Server line experiences this problem in single-digit percentages. The Gen10 at an - even smaller frequency. -

-

- (BZ#1602962) -

-
-

The tuned-adm profile powersave command - causes the system to become unresponsive

-

- Executing the tuned-adm profile powersave command leads to an - unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx - (CN88xx) processors. Consequently, reboot the system to resume working. To work around this - problem, avoid using the powersave profile if your system - matches the mentioned specifications. -

-
-

- (BZ#1609288) -

-
-

The cxgb4 driver causes crash in the kdump - kernel

-

- The kdump kernel crashes while trying to save information in - the vmcore file. Consequently, the cxgb4 driver prevents the kdump - kernel from saving a core for later analysis. To work around this problem, add the novmcoredd parameter to the kdump kernel command line to allow - saving core files. -

-
-

- (BZ#1708456) -

-
-

Attempting to add ICE driver NIC port to a - mode 5 (balance-tlb) bonding master interface might lead to - failure

-

- Attempting to add ICE driver NIC port to a mode 5 (balance-tlb) - bonding master interface might lead to a failure with an error Master 'bond0', Slave 'ens1f0': Error: Enslave failed. - Consequently, you experience an intermittent failure to add the NIC port to the bonding - master interface. To workaround this problem, attempt to retry adding the interface. -

-
-

- (BZ#1791664) -

-
-

Attaching the Virtual Function to virtual machine with interface type='hostdev' might fails at times

-

- Attaching a Virtual Function (VF) to a virtual machine using an .XML file, following the - Assignment with <interface type='hostdev'> method, might - fail at times. This occurs because using the Assignment with <interface type='hostdev'> method prevents - the VM from attaching to the VF NIC presented to this virtual machine. To workaround this - problem, attach the VF to the VM using the .XML file using the Assignment with <hostdev> method. As a result, the virsh attach-device command succeeds without error. For more - details about the difference between Assignment with <hostdev> and Assignment with <interface type='hostdev'> (SRIOV devices - only), see PCI - Passthrough of host network devices. -

-
-

- (BZ#1792691) -

-
-
-
-
-
-

5.7.7. File systems and storage

-
-
-
-
-

The /boot file system cannot be placed on - LVM

-

- You cannot place the /boot file system on an LVM logical - volume. This limitation exists for the following reasons: -

-
-
-
    -
  • - On EFI systems, the EFI System Partition - conventionally serves as the /boot file system. The uEFI - standard requires a specific GPT partition type and a specific file system type for this - partition. -
  • -
  • - RHEL 8 uses the Boot Loader Specification (BLS) - for system boot entries. This specification requires that the /boot file system is readable by the platform firmware. On - EFI systems, the platform firmware can read only the /boot - configuration defined by the uEFI standard. -
  • -
  • - The support for LVM logical volumes in the GRUB 2 boot loader is incomplete. Red Hat - does not plan to improve the support because the number of use cases for the feature is - decreasing due to standards such as uEFI and BLS. -
  • -
-
-

- Red Hat does not plan to support /boot on LVM. Instead, Red Hat - provides tools for managing system snapshots and rollback that do not need the /boot file system to be placed on an LVM logical volume. -

-

- (BZ#1496229) -

-
-

LVM no longer allows creating volume groups with mixed block - sizes

-

- LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where - the physical volumes (PVs) have different logical block sizes. LVM has adopted this change - because file systems fail to mount if you extend the underlying logical volume (LV) with a - PV of a different block size. -

-
-

- To re-enable creating VGs with mixed block sizes, set the allow_mixed_block_sizes=1 option in the lvm.conf file. -

-

- (BZ#1768536) -

-
-

DM Multipath might fail to start when too many LUNs are - connected

-

- The multipathd service might time out and fail to start if too - many logical units (LUNs) are connected to the system. The exact number of LUNs that causes - the problem depends on several factors, including the number of devices, the response time - of the storage array, the memory and CPU configuration, and system load. -

-
-

- To work around the problem, increase the timeout value in the multipathd unit file: -

-
-
    -
  1. -

    - Open the multipathd unit in the unit editor: -

    -
    # systemctl edit multipathd
    -
  2. -
  3. -

    - Enter the following configuration to override the timeout value: -

    -
    [Service]
    -TimeoutSec=300
    -

    - Red Hat recommends increasing the value to 300 from the default 90, but you can also - test other values above 90. -

    -
  4. -
  5. - Save the file in the editor. -
  6. -
  7. -

    - Reload systemd units to apply the change: -

    -
    # systemctl daemon-reload
    -
  8. -
-
-

- As a result, multipathd can now successfully start with a larger - number of LUNs. -

-

- (BZ#1797660) -

-
-

Limitations of LVM writecache

-

- The writecache LVM caching method has the following - limitations, which are not present in the cache method: -

-
-
-
    -
  • - You cannot take a snapshot of a logical volume while the logical volume is using writecache. -
  • -
  • - You cannot attach or detach writecache while a logical - volume is active. -
  • -
  • -

    - When attaching writecache to an inactive logical - volume, you must use a writecache block size that - matches the existing file system block size. -

    -

    - For details, see the lvmcache(7) man page. -

    -
  • -
  • - You cannot resize a logical volume while writecache is - attached to it. -
  • -
  • - You cannot use pvmove commands on devices that are used - with writecache. -
  • -
  • - You cannot use logical volumes with writecache in - combination with thin pools or VDO. -
  • -
-
-

- (JIRA:RHELPLAN-27987, BZ#1798631, BZ#1808012) -

-
-

LVM mirror devices that store a LUKS - volume sometimes become unresponsive

-

- Mirrored LVM devices with a segment type of mirror that store a - LUKS volume might become unresponsive under certain conditions. The unresponsive devices - reject all I/O operations. -

-
-

- To work around the issue, Red Hat recommends that you use LVM RAID 1 devices with a segment type - of raid1 instead of mirror if you need - to stack LUKS volumes on top of resilient software-defined storage. -

-

- The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, - see Converting - a mirrored LVM device to a RAID1 device. -

-

- (BZ#1730502) -

-
-

An NFS 4.0 patch can result in reduced performance under an open-heavy - workload

-

- Previously, a bug was fixed that, in some cases, could cause an NFS open operation to - overlook the fact that a file had been removed or renamed on the server. However, the fix - may cause slower performance with workloads that require many open operations. To work - around this problem, it might help to use NFS version 4.1 or higher, which have been - improved to grant delegations to clients in more cases, allowing clients to perform open - operations locally, quickly, and safely. -

-
-

- (BZ#1748451) -

-
-
-
-
-
-

5.7.8. Dynamic programming languages, web and database servers

-
-
-
-
-

getpwnam() might fail when called by a - 32-bit application

-

- When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, - manually install the missing package by using the yum install nss_nis.i686 command. -

-
-

- (BZ#1803161) -

-
-

nginx cannot load server certificates from - hardware security tokens

-

- The nginx web server supports loading TLS private keys from - hardware security tokens directly from PKCS#11 modules. However, it is currently impossible - to load server certificates from hardware security tokens through the PKCS#11 URI. To work - around this problem, store server certificates on the file system -

-
-

- (BZ#1668717) -

-
-

php-fpm causes SELinux AVC denials when - php-opcache is installed with PHP 7.2

-

- When the php-opcache package is installed, the FastCGI Process - Manager (php-fpm) causes SELinux AVC denials. To work around - this problem, change the default configuration in the /etc/php.d/10-opcache.ini file to the following: -

-
-
opcache.huge_code_pages=0
-

- Note that this problem affects only the php:7.2 stream, not the - php:7.3 one. -

-

- (BZ#1670386) -

-
-

The mod_wsgi package name is missing when - being installed as a dependency

-

- With a change in mod_wsgi installation, described in BZ#1779705, - the python3-mod_wsgi package no longer provides the name mod_wsgi. When installing the mod_wsgi module, you must specify the full package name. This - change causes problems with dependencies of third-party packages. -

-
-

- If you try to install a third-party package that requires a dependency named mod_wsgi, an error similar to the following is returned: -

-
Error:
- Problem: conflicting requests
-  - nothing provides mod_wsgi needed by package-requires-mod_wsgi.el8.noarch
-

- To work around this problem, choose one of the following: -

-
-
    -
  1. - Rebuild the package (or ask the third-party vendor for a new build) to require the full - package name python3-mod_wsgi. -
  2. -
  3. -

    - Create a meta package with the missing package name: -

    -
    -
      -
    1. - Build your own empty meta package that provides the name mod_wsgi. -
    2. -
    3. - Add the module_hotfixes=True line to the .repo configuration file of the repository that - includes the meta package. -
    4. -
    5. - Manually install python3-mod_wsgi. -
    6. -
    -
    -
  4. -
-
-

- (BZ#1829692) -

-
-
-
-
-
-

5.7.9. Compilers and development tools

-
-
-
-
-

Synthetic functions generated by GCC confuse SystemTap

-

- GCC optimization can generate synthetic functions for partially inlined copies of other - functions. Tools such as SystemTap and GDB cannot distinguish these synthetic functions from - real functions. As a consequence, SystemTap places probes on both synthetic and real - function entry points and, thus, registers multiple probe hits for a single real function - call. -

-
-

- To work around this problem, modify SystemTap scripts to detect recursion and prevent placing of - probes related to inlined partial functions. -

-

- This example script -

-
probe kernel.function("can_nice").call { }
-

- can be modified this way: -

-
global in_can_nice%
-
-probe kernel.function("can_nice").call {
-  in_can_nice[tid()] ++;
-  if (in_can_nice[tid()] > 1) { next }
-  /* code for real probe handler */
-}
-
-probe kernel.function("can_nice").return {
-  in_can_nice[tid()] --;
-}
-

- Note that this example script does not consider all possible scenarios, such as missed kprobes - or kretprobes, or genuine intended recursion. -

-

- (BZ#1169184) -

-
-
-
-
-
-

5.7.10. Identity Management

-
-
-
-
-

Changing /etc/nsswitch.conf requires a - manual system reboot

-

- Any change to the /etc/nsswitch.conf file, for example running - the authselect select profile_id command, requires a system - reboot so that all relevant processes use the updated version of the /etc/nsswitch.conf file. If a system reboot is not possible, - restart the service that joins your system to Active Directory, which is the System Security Services Daemon (SSSD) or winbind. -

-
-

- (BZ#1657295) -

-
-

SSSD returns incorrect LDAP group membership for local users when the - files domain is enabled

-

- If the System Security Services Daemon (SSSD) serves users from the local files and the - ldap_rfc2307_fallback_to_local_users attribute in the - [domain/LDAP] section of the sssd.conf file is set to True, - then the files provider does not include group memberships from other domains. As a - consequence, if a local user is a member of an LDAP group, the id local_user command does not return the user’s LDAP group - membership. To work around this problem, disable the implicit files domain by adding -

-
-
enable_files_domain=False
-

- to the [sssd] section in the /etc/sssd/sssd.conf file. -

-

- As a result, id local_user returns correct LDAP group membership - for local users. -

-

- (BZ#1652562) -

-
-

SSSD does not correctly handle multiple certificate matching rules with - the same priority

-

- If a given certificate matches multiple certificate matching rules with the same priority, - the System Security Services Daemon (SSSD) uses only one of the rules. As a workaround, use - a single certificate matching rule whose LDAP filter consists of the filters of the - individual rules concatenated with the | (or) operator. For - examples of certificate matching rules, see the sss-certamp(5) man page. -

-
-

- (BZ#1447945) -

-
-

Private groups fail to be created with auto_private_group = hybrid when - multiple domains are defined

-

- Private groups fail to be created with the option auto_private_group = hybrid when multiple - domains are defined and the hybrid option is used by any domain other than the first one. If - an implicit files domain is defined along with an AD or LDAP domain in the sssd.conf file and is not marked as MPG_HYBRID, then SSSD fails to create a private group for a user - who has uid=gid and the group with this gid does not exist in AD or LDAP. -

-
-

- The sssd_nss responder checks for the value of the auto_private_groups option in the first domain only. As a - consequence, in setups where multiple domains are configured, which includes the default setup - on RHEL 8, the option auto_private_group has no effect. -

-

- To work around this problem, set enable_files_domain = false in the - sssd section of of sssd.conf. As a result, If the enable_files_domain option is set to false, then sssd does not add a - domain with id_provider=files at the start of the list of active - domains, and therefore this bug does not occur. -

-

- (BZ#1754871) -

-
-

python-ply is not FIPS compatible -

-

- The YACC module of the python-ply package uses the MD5 hashing - algorithm to generate the fingerprint of a YACC signature. However, FIPS mode blocks the use - of MD5, which is only allowed in non-security contexts. As a consequence, python-ply is not - FIPS compatible. On a system in FIPS mode, all calls to ply.yacc.yacc() fail with the error message: -

-
-
UnboundLocalError: local variable 'sig' referenced before assignment
-

- The problem affects python-pycparser and some use cases of python-cffi. To work around this problem, modify the line 2966 of the - file /usr/lib/python3.6/site-packages/ply/yacc.py, replacing sig = md5() with sig = md5(usedforsecurity=False). As a result, python-ply can be used in FIPS mode. -

-

- (BZ#1747490) -

-
-

FreeRADIUS silently truncates Tunnel-Passwords longer than 249 - characters

-

- If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently - truncates it. This may lead to unexpected password incompatibilities with other systems. -

-
-

- To work around the problem, choose a password that is 249 characters or fewer. -

-

- (BZ#1723362) -

-
-

Installing KRA fails if all KRA members are hidden replicas -

-

- The ipa-kra-install utility fails on a cluster where the Key - Recovery Authority (KRA) is already present if the first KRA instance is installed on a - hidden replica. Consequently, you cannot add further KRA instances to the cluster. -

-
-

- To work around this problem, unhide the hidden replica that has the KRA role before you add new - KRA instances. You can hide it again when ipa-kra-install completes - successfully. -

-

- (BZ#1816784) -

-
-

Directory Server warns about missing attributes in the schema if those - attributes are used in a search filter

-

- If you set the nsslapd-verify-filter-schema parameter to warn-invalid, Directory Server processes search operations with - attributes that are not defined in the schema and logs a warning. With this setting, - Directory Server returns requested attributes in search results, regardless whether the - attributes is defined in the schema or not. -

-
-

- A future version of Directory Server will change the default setting of nsslapd-verify-filter-schema to enforce stricter checks. The new - default will warn about attributes that are missing in the schema, and reject requests or return - only partial results. -

-

- (BZ#1790259) -

-
-

ipa-healthcheck-0.4 does not obsolete - older versions of ipa-healthcheck

-

- The Healthcheck tool has been split into two sub-packages: - ipa-healthcheck and ipa-healthcheck-core. However, only the ipa-healthcheck-core sub-package is correctly set to obsolete - older versions of ipa-healthcheck. As a result, updating Healthcheck only installs ipa-healthcheck-core and the ipa-healthcheck command does not work after the update. -

-
-

- To work around this problem, install the ipa-healthcheck-0.4 - sub-package manually using yum install ipa-healthcheck-0.4. -

-

- (BZ#1852244) -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can - pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could - allow an attacker to impersonate a user by altering, for example, the UID or GID of an - object returned in an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and - decide if it is safe to use unencrypted communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa - are not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in - the /etc/sssd/sssd.conf file. The default behavior is planned to be - changed in a future release of RHEL. -

-

- (JIRA:RHELPLAN-155168) -

-
-
-
-
-
-

5.7.11. Desktop

-
-
-
-
-

Limitations of the Wayland session

-

- With Red Hat Enterprise Linux 8, the GNOME environment and the GNOME Display Manager (GDM) - use Wayland as the default session type - instead of the X11 session, which was - used with the previous major version of RHEL. -

-
-

- The following features are currently unavailable or do not work as expected under Wayland: -

-
-
    -
  • - X11 configuration utilities, such as - xrandr, do not work under Wayland due to its different approach - to handling, resolutions, rotations, and layout. You can configure the display features - using GNOME settings. -
  • -
  • - Screen recording and remote desktop require applications to support the portal API on - Wayland. Certain legacy applications - do not support the portal API. -
  • -
  • - Pointer accessibility is not available on Wayland. -
  • -
  • - No clipboard manager is available. -
  • -
  • -

    - GNOME Shell on Wayland ignores - keyboard grabs issued by most legacy X11 applications. You can enable - an X11 application to issue - keyboard grabs using the /org/gnome/mutter/wayland/xwayland-grab-access-rules - GSettings key. By default, GNOME Shell on Wayland enables the following - applications to issue keyboard grabs: -

    -
    -
      -
    • - GNOME Boxes -
    • -
    • - Vinagre -
    • -
    • - Xephyr -
    • -
    • - virt-manager, virt-viewer, and remote-viewer -
    • -
    • - vncviewer -
    • -
    -
    -
  • -
  • - Wayland inside guest virtual - machines (VMs) has stability and performance problems. RHEL automatically falls back to - the X11 session when running in a - VM. -
  • -
-
-

- If you upgrade to RHEL 8 from a RHEL 7 system where you used the X11 GNOME session, your system continues to - use X11. The system also automatically falls - back to X11 when the following graphics - drivers are in use: -

-
-
    -
  • - The proprietary NVIDIA driver -
  • -
  • - The cirrus driver -
  • -
  • - The mga driver -
  • -
  • - The aspeed driver -
  • -
-
-

- You can disable the use of Wayland manually: -

-
-
    -
  • - To disable Wayland in GDM, set the - WaylandEnable=false option in the /etc/gdm/custom.conf file. -
  • -
  • - To disable Wayland in the GNOME - session, select the legacy X11 - option by using the cogwheel menu on the login screen after entering your login name. -
  • -
-
-

- For more details on Wayland, see https://wayland.freedesktop.org/. -

-

- (BZ#1797409) -

-
-

Drag-and-drop does not work between desktop and applications -

-

- Due to a bug in the gnome-shell-extensions package, the - drag-and-drop functionality does not currently work between desktop and applications. - Support for this feature will be added back in a future release. -

-
-

- (BZ#1717947) -

-
-

Disabling flatpak repositories from - Software Repositories is not possible

-

- Currently, it is not possible to disable or remove flatpak - repositories in the Software Repositories tool in the GNOME Software utility. -

-
-

- (BZ#1668760) -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a - Microsoft Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the - GRUB boot menu. In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, - use Hyper-V Server 2019 as the host. -

-

- (BZ#1583445) -

-
-

System crash may result in fadump configuration loss

-

- This issue is observed on systems where firmware-assisted dump (fadump) is enabled, and the - boot partition is located on a journaling file system such as XFS. A system crash might - cause the boot loader to load an older initrd that does not - have the dump capturing support enabled. Consequently, after recovery, the system does not - capture the vmcore file, which results in fadump configuration - loss. -

-
-

- To work around this problem: -

-
-
    -
  • -

    - If /boot is a separate partition, perform the - following: -

    -
    -
      -
    1. - Restart the kdump service -
    2. -
    3. -

      - Run the following commands as the root user, or using a user account - with CAP_SYS_ADMIN rights: -

      -
      # fsfreeze -f
      -# fsfreeze -u
      -
    4. -
    -
    -
  • -
  • - If /boot is not a separate partition, reboot the system. -
  • -
-
-

- (BZ#1723501) -

-
-
-
-
-
-

5.7.12. Graphics infrastructures

-
-
-
-
-

Unable to run graphical applications using sudo command

-

- When trying to run graphical applications as a user with elevated privileges, the - application fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority file to use regular user credentials for - authentication. -

-
-

- To work around this problem, use the sudo -E command to run - graphical applications as a root user. -

-

- (BZ#1673073) -

-
-

radeon fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in - the kexec context correctly. Instead, radeon falls over, which - causes the rest of the kdump service to - fail. -

-
-

- To work around this problem, blacklist radeon in kdump by adding the following line to the - /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the machine and kdump. After - starting kdump, the force_rebuild 1 line may be removed from the configuration file. -

-

- Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully. -

-

- (BZ#1694705) -

-
-

Multiple HDR displays on a single MST topology may not power - on

-

- On systems using NVIDIA Turing GPUs with the nouveau driver, - using a DisplayPort hub (such as a laptop dock) with multiple - monitors which support HDR plugged into it may result in failure to turn on all displays - despite having done so on previous RHEL releases. This is due to the system erroneously - thinking there is not enough bandwidth on the hub to support all of the displays. -

-
-

- (BZ#1812577) -

-
-
-
-
-
-

5.7.13. The web console

-
-
-
-
-

Unprivileged users can access the Subscriptions page

-

- If a non-administrator navigates to the Subscriptions page of the web console, the - web console displays a generic error message Cockpit had an unexpected internal error. -

-
-

- To work around this problem, sign in to the web console with a privileged user and make sure to - check the Reuse my password for privileged - tasks checkbox. -

-

- (BZ#1674337) -

-
-
-
-
-
-

5.7.14. Virtualization

-
-
-
-
-

Low GUI display performance in RHEL 8 virtual machines on a Windows - Server 2019 host

-

- When using RHEL 8 as a guest operating system in graphical mode on a Windows Server 2019 - host, the GUI display performance is low, and connecting to a console output of the guest - currently takes significantly longer than expected. -

-
-

- This is a known issue on Windows 2019 hosts and is pending a fix by Microsoft. To work around - this problem, connect to the guest using SSH or use Windows Server 2016 as the host. -

-

- (BZ#1706541) -

-
-

Displaying multiple monitors of virtual machines that use Wayland is - not possible with QXL

-

- Using the remote-viewer utility to display more than one - monitor of a virtual machine (VM) that is using the Wayland display server causes the VM to - become unresponsive and the Waiting for display - status message to be displayed indefinitely. -

-
-

- To work around this problem, use virtio-gpu instead of qxl as the GPU device for VMs that use Wayland. -

-

- (BZ#1642887) -

-
-

virsh iface-\* commands do not work - consistently

-

- Currently, virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, frequently fail due to configuration - dependencies. Therefore, it is recommended not to use virsh iface-\* commands for configuring and managing host network - connections. Instead, use the NetworkManager program and its related management - applications. -

-
-

- (BZ#1664592) -

-
-

RHEL 8 virtual machines sometimes cannot boot on Witherspoon - hosts

-

- RHEL 8 virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm machine type in some cases fail to boot on - Power9 S922LC for HPC hosts (also known as - Witherspoon) that use the DD2.2 or DD2.3 CPU. -

-
-

- Attempting to boot such a VM instead generates the following error message: -

-
qemu-kvm: Requested safe indirect branch capability level not supported by kvm
-

- To work around this problem, configure the virtual machine’s XML configuration as follows: -

-
<domain type='qemu' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
-  <qemu:commandline>
-    <qemu:arg value='-machine'/>
-    <qemu:arg value='cap-ibs=workaround'/>
-  </qemu:commandline>
-

- (BZ#1732726, BZ#1751054) -

-
-

IBM POWER virtual machines do not work correctly with empty NUMA - nodes

-

- Currently, when an IBM POWER virtual machine (VM) running on a RHEL 8 host is configured - with a NUMA node that uses zero memory (memory='0') and zero - CPUs, the VM cannot start. Therefore, Red Hat strongly recommends not using IBM POWER VMs - with such empty NUMA nodes on RHEL 8. -

-
-

- (BZ#1651474) -

-
-

SMT CPU topology is not detected by VMs when using host passthrough - mode on AMD EPYC

-

- When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, - the TOPOEXT CPU feature flag is not present. Consequently, the - VM is not able to detect a virtual CPU topology with multiple threads per core. To work - around this problem, boot the VM with the EPYC CPU model instead of host passthrough. -

-
-

- (BZ#1740002) -

-
-

Disk identifiers in RHEL 8.2 VMs may change on VM reboot.

-

- When using a virtual machine (VM) with RHEL 8.2 as the guest operating system on a Hyper-V - hypervisor, the device identifiers for the VM’s virtual disks in some cases change when the - VM reboots. For example, a disk originally identified as /dev/sda may become /dev/sdb. As a - consequence, the VM might fail to boot, and scripts that reference disks of the VM might - stop working. -

-
-

- To avoid this issue, Red Hat strongly recommends to set persistent names for the disks in the - VM. For detailed information, see the Microsoft Azure documentation: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-device-names-problems. -

-

- (BZ#1777283) -

-
-

Virtual machines sometimes fail to start when using many virtio-blk - disks

-

- Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number - of interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to - boot, and displays a dracut-initqueue[392]: Warning: Could not boot error. -

-
-

- (BZ#1719687) -

-
-

Attaching LUN devices to virtual machines using virtio-blk does not - work

-

- The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore - lacks support for features that were deprecated in virtio 1.0. In particular, it is not - possible on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, - attaching a physical disk as a LUN device to a virtual machine fails when using the - virtio-blk controller. -

-
-

- Note that physical disks can still be passed through to the guest operating system, but they - should be configured with the device='disk' option rather than - device='lun'. -

-

- (BZ#1777138) -

-
-

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 - fails

-

- Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 - becomes unresponsive with a "Migration status: active" status. -

-
-

- To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which - enables the migration to complete successfully. -

-

- (BZ#1741436) -

-
-
-
-
-
-

5.7.15. Supportability

-
-
-
-
-

redhat-support-tool does not work with the - FUTURE crypto policy

-

- Because a cryptographic key used by a certificate on the Customer Portal API does not meet - the requirements by the FUTURE system-wide cryptographic - policy, the redhat-support-tool utility does not work with this - policy level at the moment. -

-
-

- To work around this problem, use the DEFAULT crypto policy while - connecting to the Customer Portal API. -

-

- (BZ#1802026) -

-
-
-
-
-
-

5.7.16. Containers

-
-
-
-
-

UDICA is not expected to work with 1.0 stable stream

-

- UDICA, the tool to generate SELinux policies for containers, is not expected to work with - containers that are run via podman 1.0.x in the container-tools:1.0 module stream. -

-
-

- (JIRA:RHELPLAN-25571) -

-
-

Notes on FIPS support with Podman

-

- The Federal Information Processing Standard (FIPS) requires certified modules to be used. - Previously, Podman correctly installed certified modules in containers by enabling the - proper flags at startup. However, in this release, Podman does not properly set up the - additional application helpers normally provided by the system in the form of the FIPS - system-wide crypto-policy. Although setting the system-wide crypto-policy is not required by - the certified modules it does improve the ability of applications to use crypto modules in - compliant ways. To work around this problem, change your container to run the update-crypto-policies --set FIPS command before any other - application code is executed. -

-
-

- (BZ#1804193) -

-
-
-
-
-
-
-
-

Chapter 6. Internationalization

-
-
-
-
-
-
-
-

6.1. Red Hat Enterprise Linux 8 international languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangu -

-
-
-
-
-
-
-
-

6.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • - Internationalization is distributed in multiple packages, which allows for smaller footprint - installations. For more information, see Using - langpacks. -
  • -
  • - The glibc package updates for multiple locales are now - synchronized with the Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA IDs are listed in this document for reference. Bugzilla bugs that are publicly - accessible include a link to the ticket. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- BZ#1715406, BZ#1748016, BZ#1790259, BZ#1748994, BZ#1739718 -

-
-

- NetworkManager -

-
-

- BZ#1626348 -

-
-

- anaconda -

-
-

- BZ#1747382, - BZ#1637472, BZ#1748756, BZ#1649359, BZ#1715303, BZ#1696609, BZ#1672405, - BZ#1687747, BZ#1745064, BZ#1659400, BZ#1821192, BZ#1822880, - BZ#1823578, BZ#1748281, BZ#1746391 -

-
-

- audit -

-
-

- BZ#1757986 -

-
-

- authselect -

-
-

- BZ#1657295 -

-
-

- bind -

-
-

- BZ#1564443, BZ#1664863, BZ#1704328 -

-
-

- binutils -

-
-

- BZ#1777002, - BZ#1618748 -

-
-

- buildah-container -

-
-

- BZ#1627898 -

-
-

- clevis -

-
-

- BZ#1766526, - BZ#1564559, BZ#1436780, BZ#1784524 -

-
-

- cloud-init -

-
-

- BZ#1641190, BZ#1666961 -

-
-

- cockpit-appstream -

-
-

- BZ#1676506 -

-
-

- cockpit -

-
-

- BZ#1678465, BZ#1754163, BZ#1666722 -

-
-

- container-tools-rhel8-module -

-
-

- BZ#1784267 -

-
-

- corosync-qdevice -

-
-

- BZ#1784200 -

-
-

- createrepo_c -

-
-

- BZ#1743186 -

-
-

- crypto-policies -

-
-

- BZ#1690565, BZ#1660839 -

-
-

- device-mapper-multipath -

-
-

- BZ#1797660 -

-
-

- dhcp -

-
-

- BZ#1729211 -

-
-

- distribution -

-
-

- BZ#1657927 -

-
-

- dnf -

-
-

- BZ#1676891, BZ#1754609 -

-
-

- dnsmasq -

-
-

- BZ#1700916 -

-
-

- edk2 -

-
-

- BZ#1748180 -

-
-

- elfutils -

-
-

- BZ#1744992 -

-
-

- fapolicyd -

-
-

- BZ#1759895 -

-
-

- fence-agents -

-
-

- BZ#1775847 -

-
-

- firewalld -

-
-

- BZ#1737045, BZ#1740670, BZ#1733066 -

-
-

- freeradius -

-
-

- BZ#1723362 -

-
-

- gcc-toolset-9 -

-
-

- BZ#1774118 -

-
-

- gcc -

-
-

- BZ#1726641, - BZ#1698607, BZ#1747157 -

-
-

- gdb -

-
-

- BZ#1768593 -

-
-

- gdm -

-
-

- BZ#1749960 -

-
-

- glibc -

-
-

- BZ#1410154, BZ#1764214, BZ#1749439, BZ#1764235, BZ#1746928, BZ#1777241, BZ#1361965, BZ#1747502, BZ#1764218, BZ#1764238, BZ#1746933, BZ#1747453 -

-
-

- gnome-shell-extensions -

-
-

- BZ#1717947 -

-
-

- gnome-shell -

-
-

- BZ#1724302 -

-
-

- gnome-software -

-
-

- BZ#1668760 -

-
-

- gnutls -

-
-

- BZ#1628553, BZ#1677754 -

-
-

- go-toolset -

-
-

- BZ#1747150 -

-
-

- grafana-pcp -

-
-

- BZ#1685315 -

-
-

- grafana -

-
-

- BZ#1725278 -

-
-

- graphviz -

-
-

- BZ#1704875 -

-
-

- grub2 -

-
-

- BZ#1583445, BZ#1723501 -

-
-

- httpd-2.4-module -

-
-

- BZ#1747923 -

-
-

- httpd -

-
-

- BZ#1633224 -

-
-

- initial-setup -

-
-

- BZ#1676439 -

-
-

- ipa -

-
-

- BZ#1665051, BZ#1816784, BZ#1719767, BZ#1777564, BZ#1664719, BZ#1664718 -

-
-

- ipcalc -

-
-

- BZ#1638834 -

-
-

- java-11-openjdk -

-
-

- BZ#1746875 -

-
-

- kernel-rt -

-
-

- BZ#1680161 -

-
-

- kernel -

-
-

- BZ#1744397, BZ#1698297, BZ#1687094, BZ#1720227, BZ#1846345, BZ#1635295, BZ#1793389, - BZ#1706541, BZ#1666538, BZ#1602962, BZ#1649647, BZ#1153521, BZ#1694705, BZ#1348508, - BZ#1748451, BZ#1708456, BZ#1654962, BZ#1609288, BZ#1777283, BZ#1791664, BZ#1792125, - BZ#1792691, BZ#1812666, BZ#1812577, BZ#1757933, BZ#1763661, BZ#1780432, BZ#1401552, - BZ#1716002, BZ#1593711, BZ#1620349, BZ#1724969, BZ#1714330, BZ#1714486, BZ#1660368, - BZ#1524687, BZ#1274406, BZ#1650518, BZ#1636572, BZ#1727369, BZ#1519039, BZ#1627455, - BZ#1501618, BZ#1495358, BZ#1633143, BZ#1503672, BZ#1570255, BZ#1696451, BZ#1665295, - BZ#1658840, BZ#1660627, BZ#1569610, BZ#1730502 -

-
-

- kexec-tools -

-
-

- BZ#1750278, BZ#1690729 -

-
-

- kmod-kvdo -

-
-

- BZ#1737639, - BZ#1657301 -

-
-

- krb5 -

-
-

- BZ#1754690 -

-
-

- libbpf -

-
-

- BZ#1759154 -

-
-

- libdnf -

-
-

- BZ#1697472 -

-
-

- libgnome-keyring -

-
-

- BZ#1607766 -

-
-

- libndp -

-
-

- BZ#1697595 -

-
-

- libpfm -

-
-

- BZ#1731019 -

-
-

- libreswan -

-
-

- BZ#1777474 -

-
-

- libselinux-python-2.8-module -

-
-

- BZ#1666328 -

-
-

- libvirt -

-
-

- BZ#1749672, - BZ#1664592, BZ#1528684 -

-
-

- llvm-toolset -

-
-

- BZ#1747139 -

-
-

- lorax -

-
-

- BZ#1754711 -

-
-

- ltrace -

-
-

- BZ#1655368 -

-
-

- lvm2 -

-
-

- BZ#1600174, BZ#1496229, BZ#1768536 -

-
-

- make -

-
-

- BZ#1774790 -

-
-

- maven -

-
-

- BZ#1783926 -

-
-

- mod_wsgi -

-
-

- BZ#1829692, - BZ#1779705 -

-
-

- mutter -

-
-

- BZ#1737553 -

-
-

- nfs-utils -

-
-

- BZ#1719983, - BZ#1592011 -

-
-

- nftables -

-
-

- BZ#1778883, - BZ#1643192 -

-
-

- nginx -

-
-

- BZ#1668717 -

-
-

- nmstate -

-
-

- BZ#1674456 -

-
-

- nss_nis -

-
-

- BZ#1803161 -

-
-

- nss -

-
-

- BZ#1724250, BZ#1817533, - BZ#1645153 -

-
-

- numactl -

-
-

- BZ#1730738 -

-
-

- opencv -

-
-

- BZ#1694647 -

-
-

- openscap -

-
-

- BZ#1636431, BZ#1618489, BZ#1646197, BZ#1803116, BZ#1795563, BZ#1824152, - BZ#1642373 -

-
-

- openssh -

-
-

- BZ#1744108 -

-
-

- openssl-pkcs11 -

-
-

- BZ#1705505, BZ#1664807, - BZ#1745082 -

-
-

- openssl -

-
-

- BZ#1685470, BZ#1749068 -

-
-

- oscap-anaconda-addon -

-
-

- BZ#1665082, BZ#1674001, - BZ#1691305, BZ#1787156, - BZ#1816199 -

-
-

- pacemaker -

-
-

- BZ#1712584, - BZ#1700104 -

-
-

- pam -

-
-

- BZ#1252859, BZ#1537242 -

-
-

- pcp -

-
-

- BZ#1723598 -

-
-

- pcs -

-
-

- BZ#1631519, - BZ#1631514, BZ#1676431, BZ#1442116, - BZ#1619620 -

-
-

- perl-LDAP -

-
-

- BZ#1663063 -

-
-

- php-7.2-module -

-
-

- BZ#1670386 -

-
-

- php-pecl-xdebug -

-
-

- BZ#1769857 -

-
-

- pki-core -

-
-

- BZ#1698084, - BZ#1303254 -

-
-

- podman -

-
-

- BZ#1804193, - BZ#1645280 -

-
-

- policycoreutils -

-
-

- BZ#1563742, BZ#1417455 -

-
-

- postfix -

-
-

- BZ#1723950, BZ#1745321 -

-
-

- powertop -

-
-

- BZ#1716721 -

-
-

- pykickstart -

-
-

- BZ#1637872 -

-
-

- python-ply -

-
-

- BZ#1747490 -

-
-

- python38-3.8-module -

-
-

- BZ#1747329 -

-
-

- qemu-kvm -

-
-

- BZ#1651474, BZ#1740002, BZ#1719687, - BZ#1651994, BZ#1741346 -

-
-

- rear -

-
-

- BZ#1729501 -

-
-

- redhat-release -

-
-

- BZ#1817591 -

-
-

- redhat-support-tool -

-
-

- BZ#1802026 -

-
-

- rhel-system-roles-sap -

-
-

- BZ#1660832 -

-
-

- rng-tools -

-
-

- BZ#1692435 -

-
-

- rpm -

-
-

- BZ#1688849 -

-
-

- rsyslog -

-
-

- JIRA:RHELPLAN-10431, BZ#1659383, BZ#1679512, - BZ#1740683, BZ#1676559, BZ#1692073, BZ#1692072 -

-
-

- rust-toolset -

-
-

- BZ#1776847 -

-
-

- s390utils -

-
-

- BZ#1750326 -

-
-

- samba -

-
-

- BZ#1754409, - JIRA:RHELPLAN-13195 -

-
-

- scap-security-guide -

-
-

- BZ#1755447, BZ#1754919, BZ#1750755, BZ#1755194 -

-
-

- scap-workbench -

-
-

- BZ#1640715 -

-
-

- selinux-policy -

-
-

- BZ#1641631, BZ#1746398, BZ#1826788, BZ#1727887, BZ#1726166, BZ#1726246 -

-
-

- setools -

-
-

- BZ#1731519 -

-
-

- setroubleshoot-plugins -

-
-

- BZ#1649842 -

-
-

- setup -

-
-

- BZ#1730396, BZ#1663556 -

-
-

- skopeo-container -

-
-

- BZ#1627900 -

-
-

- skopeo -

-
-

- BZ#1810053 -

-
-

- sscg -

-
-

- BZ#1717880 -

-
-

- sssd -

-
-

- BZ#1669407, BZ#1652562, - BZ#1447945, BZ#1754871 -

-
-

- subscription-manager -

-
-

- BZ#1674337 -

-
-

- sudo -

-
-

- BZ#1786990, BZ#1733961 -

-
-

- systemd -

-
-

- BZ#1686892, - BZ#1640802 -

-
-

- systemtap -

-
-

- BZ#1744989 -

-
-

- tpm2-tools -

-
-

- BZ#1725714 -

-
-

- tuned -

-
-

- BZ#1738250 -

-
-

- udica -

-
-

- BZ#1763210, BZ#1732704 -

-
-

- vdo -

-
-

- BZ#1713749 -

-
-

- virt-manager -

-
-

- BZ#1677019 -

-
-

- wayland -

-
-

- BZ#1673073 -

-
-

- whois -

-
-

- BZ#1734183 -

-
-

- xorg-x11-drv-qxl -

-
-

- BZ#1642887 -

-
-

- xorg-x11-server -

-
-

- BZ#1698565 -

-
-

- zlib -

-
-

- BZ#1659433, BZ#1666798 -

-
-

- other -

-
-

- BZ#1640697, BZ#1659609, BZ#1687900, - BZ#1697896, BZ#1797409, - BZ#1790635, BZ#1823398, BZ#1745507, BZ#1732726, - BZ#1757877, JIRA:RHELPLAN-25571, BZ#1777138, JIRA:RHELPLAN-27987, BZ#1797671, BZ#1780124, - JIRA:RHELPLAN-2507, JIRA:RHELPLAN-37713, JIRA:RHELPLAN-37777, BZ#1841170, - JIRA:RHELPLAN-13995, BZ#1785248, BZ#1755347, BZ#1784455, BZ#1784456, BZ#1789401, - JIRA:RHELPLAN-41384, BZ#1690207, JIRA:RHELPLAN-1212, BZ#1559616, BZ#1812552, - JIRA:RHELPLAN-14047, BZ#1769727, - JIRA:RHELPLAN-27394, BZ#1642765, JIRA:RHELPLAN-10304, BZ#1646541, BZ#1647725, BZ#1686057, BZ#1748980, - BZ#1827628 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.3-7
-
-

- Thu May 9 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.3-6
-
-

- Thu May 9 2024, Gabriela Fialova (gfialova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#1730502 - (Storage). -
  • -
-
-
-
0.3-5
-
-

- Thu Dec 7 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.3-4
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.3-3
-
-

- Tue Nov 7 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Fix broken links. -
  • -
-
-
-
0.3-2
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.3-1
-
-

- Thu Apr 27 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.3-0
-
-

- Thu Apr 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated BZ#1811997 with a link to the - Rust Toolset splash page. -
  • -
-
-
-
0.2-9
-
-

- Wed Mar 1 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a bug fix BZ#2151696 - (Identity Management). -
  • -
-
-
-
0.2-8
-
-

- Fri Apr 29 2022, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.2-7
-
-

- Thu Dec 23 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about the Soft-RoCE driver, rdma_rxe, - to Technology Previews BZ#1605216 and - Deprecated Functionality BZ#1878207 (Kernel). -
  • -
-
-
-
0.2-6
-
-

- Tue Oct 05 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added deprecated functionality BZ#1999620 (Shells and - command-line tools). -
  • -
-
-
-
0.2-5
-
-

- Thu Aug 19 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
- -
-
-
0.2-4
-
-

- Fri Jul 9 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
- -
-
-
0.2-3
-
-

- Wed Jun 23 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the New features section (Installer). -
  • -
-
-
-
0.2-2
-
-

- Fri May 21 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated information about OS conversion in Overview. -
  • -
-
-
-
0.2-1
-
-

- Tue Apr 06 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Improved the list of supported architectures. -
  • -
-
-
-
0.2-0
-
-

- Thu Mar 11 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the New features section (File systems and storage). -
  • -
-
-
-
0.1-9
-
-

- Thu Feb 25 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Fixed CentOS Linux name. -
  • -
-
-
-
0.1-8
-
-

- Wed Feb 10 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a known issue (Virtualization). -
  • -
-
-
-
0.1-7
-
-

- Thu Jan 28 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the Technology Previews chapter. -
  • -
-
-
-
0.1-6
-
-

- Thu Dec 10 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about handling AD GPOs in SSSD to New features (Identity - Management). -
  • -
-
-
-
0.1-5
-
-

- Tue Dec 01 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a bug fix for issue with fapolicyd (Security). -
  • -
  • - Added a known issue (Installer). -
  • -
-
-
-
0.1-4
-
-

- Tue Nov 24 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the New features section (Networking). -
  • -
-
-
-
0.1-3
-
-

- Fri Oct 30 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated Application Streams description in the Repositories section. -
  • -
-
-
-
0.1-2
-
-

- Mon Oct 05 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a bug fix (Networking). -
  • -
-
-
-
0.1-1
-
-

- Tue Sep 29 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated the in-place upgrade path with the release of RHEL 7.9. -
  • -
-
-
-
0.1-0
-
-

- Thu Aug 27 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a bug fix (Kernel). -
  • -
-
-
-
0.0-9
-
-

- Mon Aug 10 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a known issue (Identity Management). -
  • -
-
-
-
0.0-8
-
-

- Tue Jul 21 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.2.1 Release Notes. -
  • -
-
-
-
0.0-7
-
-

- Thu Jul 16 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a Technology Preview (Networking). -
  • -
  • - Updated the New features section. -
  • -
-
-
-
0.0-6
-
-

- Thu Jun 25 2020, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Granulated the kernel parameters chapter. -
  • -
  • - Added various improvements to the device drivers chapter. -
  • -
-
-
-
0.0-5
-
-

- Fri Jun 19 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added new known issues. -
  • -
  • - Several updates to other release notes. -
  • -
-
-
-
0.0-4
-
-

- Thu Jun 04 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the New features section. -
  • -
  • - Added a known issue (Containers). -
  • -
-
-
-
0.0-3
-
-

- Wed May 20 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a known issue (Dynamic programming languages, web and database servers). -
  • -
  • - Added a bug fix (Compilers and development tools). -
  • -
  • - Several updates to other release notes. -
  • -
-
-
-
0.0-2
-
-

- Tue Apr 28 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.2 Release Notes. -
  • -
-
-
-
0.0-1
-
-

- Mon Mar 09 2020, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Provided Important Changes to External Kernel Parameters and New Drivers chapters. -
  • -
-
-
-
0.0-0
-
-

- Tue Jan 21 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.2 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
- diff --git a/app/data/8.3.html b/app/data/8.3.html deleted file mode 100644 index 6f02fc8..0000000 --- a/app/data/8.3.html +++ /dev/null @@ -1,16212 +0,0 @@ - -
-
-
-
Red Hat Enterprise Linux 8.3
-
-

Release Notes for Red Hat Enterprise Linux 8.3

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.3 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your input on our documentation. Please let us know how we could make it better. To do so: -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-

Installer and image creation

-

- In RHEL 8.3, you can configure a root password and create a user account before you begin the - installation. Previously, you configured a root password and created a user account after you began the - installation process. You can also create customized images based on a much more reliable backend and - also push images to clouds through the RHEL web console. -

-

RHEL for Edge

-

- RHEL 8.3 introduces RHEL for Edge for remotely - installing RHEL on Edge servers. RHEL for Edge is an rpm-ostree image that you can compose using Image - Builder. You can install the image using a Kickstart file and then manage the image to include image - updates and to roll back an image to a previous functional state. -

-

- Following are RHEL for Edge key highlights: -

-
-
    -
  • - Atomic upgrades, where the state of each update is known and no changes are seen until you - reboot the device. -
  • -
  • - Custom health checks and intelligent rollbacks to ensure resiliency. -
  • -
  • - Container-focused workflows, where you can separate core OS updates from the application - updates, and test and deploy different versions of applications. -
  • -
  • - Optimized OTA payloads for low-bandwidth environments. -
  • -
-
-

- For more information, see Section 5.1.2, “RHEL for Edge”. -

-

Infrastructure services

-

- The Tuned system tuning tool has been - rebased to version 2.13, which adds support for architecture-dependent tuning and multiple include - directives. -

-

Security

-

- RHEL 8.3 provides Ansible roles for automated deployments of Policy-Based Decryption (PBD) solutions - using Clevis and Tang, and this version of the rhel-system-roles package also contains an Ansible role for RHEL logging - through Rsyslog. -

-

- The scap-security-guide packages have been rebased to version 0.1.50, and - OpenSCAP has been rebased to version 1.3.3. These - updates provide substantial improvements, including a profile aligned with the CIS RHEL 7 Benchmark - v2.2.0 and a profile aligned with the Health Insurance Portability and Accountability Act (HIPAA) that - is required by North-American healthcare organizations. -

-

- With this update, you can now generate result-based remediation roles from tailored profiles using the - SCAP Workbench tool. -

-

- The USBGuard framework now provides its own SELinux - policy, it notifies desktop users in GUI, and the version 0.7.8 contains many other improvements and bug - fixes. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following components are now available as new module streams: -

-
-
    -
  • - nginx 1.18 -
  • -
  • - Node.js 14 -
  • -
  • - Perl 5.30 -
  • -
  • - PHP 7.4 -
  • -
  • - Ruby 2.7 -
  • -
-
-

- The following components have been updated in RHEL 8.3: -

-
-
    -
  • - Git to version 2.27 -
  • -
  • - Squid to version 4.11 -
  • -
-
-

- See Section 5.1.11, “Dynamic - programming languages, web and database servers” for more information. -

-

Compiler toolsets

-

- The following compiler toolsets have been updated in RHEL 8.3: -

-
-
    -
  • - GCC Toolset 10 -
  • -
  • - LLVM Toolset 10.0.1 -
  • -
  • - Rust Toolset 1.45.2 -
  • -
  • - Go Toolset 1.14.7 -
  • -
-
-

- See Section 5.1.12, “Compilers and development - tools” for more information. -

-

Identity Management

-

- The Rivest Cipher 4 (RC4) cipher suite, the default encryption type for users, services, and trusts - between Active Directory (AD) domains in an AD forest, has been deprecated in RHEL 8. For compatibility - reasons, this update introduces a new cryptographic subpolicy AD-SUPPORT to - enable support for the deprecated RC4 encryption type. The new subpolicy allows you to use RC4 with RHEL - Identity Management (IdM) and SSSD Active Directory integration solutions. -

-

- See Section 5.1.13, “Identity Management” for more information. -

-

The web console

-

- The web console provides an option to switch between administrative access and limited access from - inside of a user session. -

-

Virtualization

-

- Virtual machines (VMs) hosted on IBM Z hardware can now use the IBM Secure Execution feature. This makes - the VMs resistant to attacks if the host is compromised, and also prevents untrusted hosts from - obtaining information from the VM. In addition, DASD devices can now be assigned to VMs on IBM Z. -

-

Desktop and graphics

-

- You can now use the GNOME desktop on IBM Z systems. -

-

- The Direct Rendering Manager (DRM) kernel graphics - subsystem has been rebased to upstream Linux kernel version 5.6. This version provides a number of - enhancements over the previous version, including support for new GPUs and APUs, and various driver - updates. -

-

- See Section 5.1.14, “Desktop” - and Section 5.1.15, “Graphics infrastructures” for further - details. -

-

In-place upgrade and OS conversion

-

- In-place upgrade from RHEL 7 to RHEL 8 -

-

- The supported in-place upgrade paths currently are: -

-
-
    -
  • - From RHEL 7.8 to RHEL 8.2 on the 64-bit Intel, IBM POWER 8 (little endian), and IBM Z - architectures -
  • -
  • - From RHEL 7.6 to RHEL 8.2 on architectures that require kernel version 4.14: IBM POWER 9 (little - endian) and IBM Z (Structure A) -
  • -
  • - From RHEL 7.7 to RHEL 8.2 on systems with SAP HANA. -
  • -
-
-

- To ensure your system remains supported after upgrading to RHEL 8.2, either update to the latest RHEL - 8.3 version or enable the RHEL 8.2 Extended Update Support (EUS) repositories. On systems with SAP HANA, - enable the RHEL 8.2 Update Services for SAP Solutions (E4S) repositories. -

-

- For more information, see Supported - in-place upgrade paths for Red Hat Enterprise Linux. For instructions on performing an in-place - upgrade, see Upgrading - from RHEL 7 to RHEL 8. -

-

- Notable enhancements include: -

-
-
    -
  • - Leapp now supports user input by generating true/false - questions to determine how to proceed with the upgrade. -
  • -
  • - You can now upgrade multiple hosts simultaneously using the Satellite web UI. -
  • -
  • - The in-place upgrade is now supported for on-demand instances on AWS and Microsoft Azure, using - Red Hat Update Infrastructure (RHUI). -
  • -
  • - With the release of the RHBA-2021:0569 advisory, you can - create custom scripts for the Leapp pre-upgrade report. - See Automating your Red Hat - Enterprise Linux pre-upgrade report workflow for details. -
  • -
-
-

- In-place upgrade from RHEL 6 to RHEL 8 -

-

- To upgrade from RHEL 6.10 to RHEL 8.2, follow instructions in Upgrading - from RHEL 6 to RHEL 8. -

-

- Conversion from a different Linux distribution to - RHEL -

-

- If you are using CentOS Linux 8 or Oracle Linux 8, you can convert your operating system to RHEL 8 using - the Red Hat-supported Convert2RHEL utility. For more - information, see Converting - from an RPM-based Linux distribution to RHEL. -

-

- If you are using an earlier version of CentOS Linux or Oracle Linux, namely versions 6 or 7, you can - convert your operating system to RHEL and then perform an in-place upgrade to RHEL 8. Note that CentOS - Linux 6 and Oracle Linux 6 conversions use the unsupported Convert2RHEL - utility. For more information on unsupported conversions, see How to convert from CentOS Linux 6 or Oracle Linux - 6 to RHEL 6. -

-

- For information regarding how Red Hat supports conversions from other Linux distributions to RHEL, see - the Convert2RHEL - Support Policy document. -

-

OpenJDK 11 is now available

-

- New version of Open Java Development Kit (OpenJDK) is now available. For more information about the - features introduced in this release and changes in the existing functionality, see OpenJDK 11 documentation. -

-

Additional resources

-
- -
-

Red Hat Customer Portal Labs

-

- Red Hat Customer Portal Labs is a set of tools in a - section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.3 is distributed with the kernel version 4.18.0-240, which provides support - for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Binary DVD ISO image is larger than 4.7 GB, and as a result, it might not - fit on a single-layer DVD. A dual-layer DVD or USB key is recommended when using - the Binary DVD ISO image to create bootable installation media. You can also use - the Image Builder tool to create customized RHEL images. For more information - about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 8 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of user - space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 4. RHEL 8.3.1 release

-
-
-
-

- Red Hat makes Red Hat Enterprise Linux 8 content available quarterly, in between minor releases (8.Y). - The quarterly releases are numbered using the third digit (8.Y.1). The new features in the RHEL 8.3.1 - release are described below. -

-
-
-
-
-

4.1. New features

-
-
-
-
-

Flatpak packages for several desktop applications

-

- Flatpak is a system for running graphical applications as containers. Using Flatpak, you can - install and update an application independently of the host operating system. -

-
-

- This update provides Flatpak container images of the following applications in the Red Hat Container - Catalog: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Application nameFlatpak container ID -
-

- Firefox -

-
-

- org.mozilla.firefox -

-
-

- GIMP -

-
-

- org.gimp.GIMP -

-
-

- Inkscape -

-
-

- org.inkscape.Inkscape -

-
-

- Thunderbird -

-
-

- org.mozilla.Thunderbird -

-
-
-

- To install Flatpak containers available in the Red Hat Container Catalog, use the following - procedure: -

-
-
    -
  1. -

    - Make sure that the latest version of the Flatpak client is installed on your system: -

    -
    # yum update flatpak
    -
  2. -
  3. -

    - Enable the RHEL Flatpak repository: -

    -
    # flatpak remote-add rhel https://flatpaks.redhat.io/rhel.flatpakrepo
    -
  4. -
  5. -

    - Provide the credentials for your RHEL account: -

    -
    # podman login registry.redhat.io
    -

    - By default, Podman saves the credentials only until the user logs out. -

    -
  6. -
  7. -

    - Optional: Save your credentials permanently: -

    -
    $ cp $XDG_RUNTIME_DIR/containers/auth.json \
    -     $HOME/.config/flatpak/oci-auth.json
    -
  8. -
  9. -

    - Install the Flatpak container image: -

    -
    $ flatpak install rhel container-id
    -
  10. -
-
-

- (JIRA:RHELPLAN-30958, BZ#1920689, BZ#1921179, BZ#1921802, BZ#1916412, BZ#1921812, BZ#1920604) -

-
-

Rust Toolset rebased to version 1.47.0

-

- Rust Toolset has been updated to version 1.47.0. Notable changes include: -

-
-
-
    -
  • - The compile-time evaluated functions const fn have been - improved and can now use control flow features, for example if, - while, and match. -
  • -
  • - The new #[track_caller] annotation can now be put on functions. - Panics from annotated functions report the caller as the source. -
  • -
  • - The Rust Standard Library now generically implements traits for arrays of any length. - Previously, many of the trait implementations for arrays were only filled for lengths - between 0 and 32. -
  • -
-
-

- For detailed instructions regarding usage, see Using Rust - Toolset. -

-

- (BZ#1883839) -

-
-

The Logging System Role now supports property-based filter on its - outputs

-

- With this update, property-based filters have been added to the files output, the forwards - output, and the remote_files output of the Logging System Role. The feature is provided by - underlying the rsyslog sub-role, and is configurable via the - Logging RHEL System Role. As a result, users can benefit from the ability of filtering log - messages by the properties, such as hostname, tag, and the message itself is useful to manage - logs. -

-
-

- (BZ#1889492) -

-
-

The Logging RHEL System Role now supports rsyslog behavior

-

- With this enhancement, rsyslog receives the message from Red Hat - Virtualization and forwards the message to the elasticsearch. -

-
-

- (BZ#1889893) -

-
-

The ubi8/pause container image is now - available

-

- Podman now uses the ubi8/pause instead of the k8s.gcr.io/pause container image to hold the network namespace - information of the pod. -

-
-

- (BZ#1690785) -

-
-

Podman rebased to version 2.1

-

- The Podman utility has been updated to version 2.1. Notable enhancements include: -

-
-
-
    -
  • -

    - Changes: -

    -
    -
      -
    • - Updated Podman to 2.2.1 (from 2.0.5), Buildah to 1.19 (from 1.15.1), Skopeo to - 1.2.1 (from 1.1.1), Udica to 0.2.3 (from 0.2.2), and CRIU to 3.15 (0.3.4) -
    • -
    • - Docker-compatible volume API endpoints (Create, Inspect, List, Remove, Prune) - are now available -
    • -
    • - Added an API endpoint for generating systemd unit files for containers -
    • -
    • - The podman play kube command now features support - for setting CPU and Memory limits for containers -
    • -
    • - The podman play kube command now supports - persistent volumes claims using Podman named volumes -
    • -
    • - The podman play kube command now supports - Kubernetes configmaps via the --configmap option -
    • -
    • - Experimental support for shortname aliasing has been added. This is not enabled - by default, but can be turned on by setting the environment variable CONTAINERS_SHORT_NAME_ALIASING to on. For more - information see Container - image short names in Podman. -
    • -
    • - The new podman image command has been added. This - allows for an image to be mounted, read-only, to inspect its contents without - creating a container from it. -
    • -
    • - The podman save and podman load commands can now create and load archives - containing multiple images. -
    • -
    • - Podman will now retry pulling an image at most 3 times if a pull fails due to - network errors. -
    • -
    -
    -
  • -
  • -

    - Bug Fixes: -

    -
    -
      -
    • - Fixed a bug where running systemd in a container on a cgroups v1 system would - fail. -
    • -
    -
    -
  • -
-
-

- The Buildah tool has been updated to version 1.19. Notable enhancements include: -

-
-
    -
  • -

    - Changes: -

    -
    -
      -
    • - The buildah inspect command supports inspecting - manifests -
    • -
    • - The buildah push command supports pushing manifests - lists and digests -
    • -
    • - Added support for --manifest flags -
    • -
    • - The --arch and --os - and --variant options has beed added to select - architecture and OS -
    • -
    • - Allow users to specify stdin into containers -
    • -
    • - Allow FROM to be overridden with --from option -
    • -
    • - Added --ignorefile flag to use alternate .dockerignore flags -
    • -
    • - short-names aliasing -
    • -
    • - Added --policy option to buildah pull command -
    • -
    • - Fix buildah mount command to display container - names not IDs -
    • -
    • - Improved buildah completions -
    • -
    • - Use --timestamp rather then --omit-timestamp flag -
    • -
    • - Use pipes for copying -
    • -
    • - Added --omit-timestamp flag to buildah bud command -
    • -
    • - Add VFS additional image store to container -
    • -
    • - Allow "readonly" as alias to "ro" in mount options -
    • -
    • - buildah, bud: support --jobs=N option for parallel - execution -
    • -
    -
    -
  • -
-
-

- The Skopeo tool has been updated to version 1.2.1. Notable enhancements include: -

-
-
    -
  • -

    - Changes: -

    -
    -
      -
    • - Add multi-arch builds for upstream and stable skopeo image via Travis -
    • -
    • - Added support for digests in sync -
    • -
    • - Added --all sync flag to emulate copy --all -
    • -
    • - Added --format option to skopeo inspect command -
    • -
    -
    -
  • -
-
-

- The Udica tool has been updated to version 0.2.3. Notable enhancements include: -

-
-
    -
  • -

    - Changes: -

    -
    -
      -
    • - Enable container port, not the host port -
    • -
    • - Add --version option -
    • -
    -
    -
  • -
-
-

- The CRIU tool has been updated to version 3.15. Notable enhancements include: -

-
-
    -
  • -

    - Changes: -

    -
    -
      -
    • - Initial cgroup2 support -
    • -
    • - Legalized swrk API and add the ability for inheriting fds via it -
    • -
    • - External bind mounts and tasks-to-cgroups bindings -
    • -
    • - ibcriu.so (RPC wrapper) and plugins -
    • -
    -
    -
  • -
-
-

- (JIRA:RHELPLAN-55998) -

-
-
-
-
-
-
-

Chapter 5. RHEL 8.3.0 release

-
-
-
-
-
-
-
-

5.1. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.3. -

-
-
-
-
-

5.1.1. Installer and image creation

-
-
-
-
-

Anaconda rebased to version 33.16

-

- With this release, Anaconda has been rebased to version 33.16. This version provides the - following notable enhancements over the previous version. -

-
-
-
    -
  • - The Installation Program now displays static IPv6 addresses on multiple lines and no - longer resizes the windows. -
  • -
  • - The Installation Program now displays supported NVDIMM device sector sizes. -
  • -
  • - Host name is now configured correctly on an installed system having IPv6 static - configuration. -
  • -
  • - You can now use non-ASCII characters in disk encryption passphrase. -
  • -
  • - The Installation Program displays a proper recommendation to create a new file system on - /boot, /tmp, and all /var and /usr mount points except /usr/local and /var/www. -
  • -
  • - The Installation Program now correctly checks the keyboard layout and does not change - the status of the Keyboard Layout screen when the keyboard keys (ALT+SHIFT) are used to - switch between different layouts and languages. -
  • -
  • - Rescue mode no longer fails on systems with existing RAID1 partitions. -
  • -
  • - Changing of the LUKS version of the container is now available in the Manual Partitioning screen. -
  • -
  • - The Installation Program successfully finishes the installation without the btrfs-progs package. -
  • -
  • - The Installation Program now uses the default LUKS2 version for an encrypted container. -
  • -
  • - The Installation Program no longer crashes when a Kickstart file places physical volumes - (PVs) of a Logical volume group (VG) on an ignoredisk list. -
  • -
  • - Introduces a new mount path /mnt/sysroot for system root. - This path is used to mount / of the target system. Usually, - the physical root and the system root are the same, so /mnt/sysroot is attached to the same file system as /mnt/sysimage. The only exceptions are rpm-ostree systems, - where the system root changes based on the deployment. Then, /mnt/sysroot is attached to a subdirectory of /mnt/sysimage. It is recommended to use /mnt/sysroot for chroot. -
  • -
-
-

- (BZ#1691319, BZ#1679893, - BZ#1684045, BZ#1688478, BZ#1700450, - BZ#1720145, BZ#1723888, BZ#1754977, BZ#1755996, BZ#1784360, BZ#1796310, - BZ#1871680) -

-
-

GUI changes in RHEL Installation Program

-

- The RHEL Installation Program now includes the following user settings on the Installation - Summary window: -

-
-
-
    -
  • - Root password -
  • -
  • - User creation -
  • -
-
-

- With this change, you can now configure a root password and create a user account before you - begin the installation. Previously, you configured a root password and created a user account - after you began the installation process. -

-

- A root password is used to log in to the administrator (also known as superuser or root) account - which is used for system administration tasks. The user name is used to log in from a command - line; if you install a graphical environment, then your graphical login manager uses the full - name. For more details, see Performing a standard RHEL installation document. -

-

- (JIRA:RHELPLAN-40469) -

-
-

Image Builder backend osbuild-composer - replaces lorax-composer

-

- The osbuild-composer backend replaces lorax-composer. The new service provides REST APIs for image - building. As a result, users can benefit from a more reliable backend and more predictable - output images. -

-
-

- (BZ#1836211) -

-
-

Image Builder osbuild-composer supports a set of image types

-

- With the osbuild-composer backend replacement, the following - set of image types supported in osbuild-composer this time: -

-
-
-
    -
  • - TAR Archive (.tar) -
  • -
  • - QEMU QCOW2 (.qcow2) -
  • -
  • - VMware Virtual Machine Disk (.vmdk) -
  • -
  • - Amazon Machine Image (.ami) -
  • -
  • - Azure Disk Image (.vhd) -
  • -
  • - OpenStack Image (.qcow2) -
  • -
-
-

- The following outputs are not supported this time: -

-
-
    -
  • - ext4-filesystem -
  • -
  • - partitioned-disk -
  • -
  • - Alibaba Cloud -
  • -
  • - Google GCE -
  • -
-
-

- (JIRA:RHELPLAN-42617) -

-
-

Image Builder now - supports push to clouds through GUI

-

- With this enhancement, when creating images, users can choose the option of pushing to Azure and AWS service clouds - through GUI Image Builder. As a result, - users can benefit from easier uploads and instantiation. -

-
-

- (JIRA:RHELPLAN-30878) -

-
-
-
-
-
-

5.1.2. RHEL for Edge

-
-
-
-
-

Introducing RHEL for Edge images

-

- With this release, you can now create customized RHEL images for Edge servers. -

-
-

- You can use Image Builder to create RHEL for Edge images, and then use RHEL installer to deploy - them on AMD and Intel 64-bit systems. Image Builder generates a RHEL for Edge image as rhel-edge-commit in a .tar file. -

-

- A RHEL for Edge image is an rpm-ostree image that includes system - packages for remotely installing RHEL on Edge servers. -

-

- The system packages include: -

-
-
    -
  • - Base OS package -
  • -
  • - Podman as the container engine -
  • -
-
-

- You can customize the image to configure the OS content as per your requirements, and can deploy - them on physical and virtual machines. -

-

- With a RHEL for Edge image, you can achieve the following: -

-
-
    -
  • - Atomic upgrades, where the state of each update is known and no changes are seen until - you reboot the device. -
  • -
  • - Custom health checks using Greenboot and intelligent rollbacks for resiliency in case of - failed upgrades. -
  • -
  • - Container-focused workflows, where you can separate core OS updates from the application - updates, and test and deploy different versions of applications. -
  • -
  • - Optimized OTA payloads for low-bandwidth environments. -
  • -
  • - Custom health checks using Greenboot to ensure resiliency. -
  • -
-
-

- For more information about composing, installing, and managing RHEL for Edge images, see Composing, - Installing, and Managing RHEL for Edge images. -

-

- (JIRA:RHELPLAN-56676) -

-
-
-
-
-
-

5.1.3. Software management

-
-
-
-
-

The default value for the best dnf - configuration option has been changed from True to False

-

- With this update, the value for the best dnf configuration - option has been set to True in the default configuration file - to retain the original dnf behavior. As a result, for users that use the default - configuration file the behavior remains unchanged. -

-
-

- If you provide your own configuration files, make sure that the best=True option is present to retain the original behavior. -

-

- (BZ#1832869) -

-
-

New --norepopath option for the dnf reposync command is now available

-

- Previously, the reposync command created a subdirectory under - the --download-path directory for each downloaded repository by - default. With this update, the --norepopath option has been - introduced, and reposync does not create the subdirectory. As a - result, the repository is downloaded directly into the directory specified by --download-path. This option is also present in the YUM v3. -

-
-

- (BZ#1842285) -

-
-

Ability to enable and disable the libdnf - plugins

-

- Previously, subscription checking was hardcoded into the RHEL version of the libdnf plug-ins. With this update, the microdnf utility can enable and disable the libdnf plug-ins, and subscription checking can now be disabled - the same way as in DNF. To disable subscription checking, use the --disableplugin=subscription-manager command. To disable all - plug-ins, use the --noplugins command. -

-
-

- (BZ#1781126) -

-
-
-
-
-
-

5.1.4. Shells and command-line tools

-
-
-
-
-

ReaR updates

-

- RHEL 8.3 introduces a number of updates to the Relax-and-Recover (ReaR) utility. Notable changes include: -

-
-
-
    -
  • - Support for the third-party Rubrik Cloud Data Management (CDM) as external backup - software has been added. To use it, set the BACKUP option - in the configuration file to CDM. -
  • -
  • - Creation of a rescue image with a file larger than 4 GB on the IBM POWER, little endian - architecture has been enabled. -
  • -
  • - Disk layout created by ReaR no longer includes entries for - Rancher 2 Longhorn iSCSI devices and file systems. -
  • -
-
-

- (BZ#1743303) -

-
-

smartmontools rebased to version - 7.1

-

- The smartmontools package has been upgraded to version 7.1, - which provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - HDD, SSD and USB additions to the drive database. -
  • -
  • - New options -j and --json to - enable JSON output mode. -
  • -
  • - Workaround for the incomplete Log subpages response from - some SAS SSDs. -
  • -
  • - Improved handling of READ CAPACITY command. -
  • -
  • - Various improvements for the decoding of the log pages. -
  • -
-
-

- (BZ#1671154) -

-
-

opencryptoki rebased to version - 3.14.0

-

- The opencryptoki packages have been upgraded to version 3.14.0, - which provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • -

    - EP11 cryptographic service enhancements: -

    -
    -
      -
    • - Dilithium support -
    • -
    • - Edwards-curve digital signature algorithm (EdDSA) support -
    • -
    • - Support of Rivest–Shamir–Adleman optimal asymmetric encryption padding - (RSA-OAEP) with non-SHA1 hash and mask generation function (MGF) -
    • -
    -
    -
  • -
  • - Enhanced process and thread locking -
  • -
  • - Enhanced btree and object locking -
  • -
  • - Support for new IBM Z hardware z15 -
  • -
  • - Support of multiple token instances for trusted platform module (TPM), IBM cryptographic - architecture (ICA) and integrated cryptographic service facility (ICSF) -
  • -
  • - Added a new tool p11sak, which lists the token keys in an - openCryptoki token repository -
  • -
  • - Added a utility to migrate a token repository to FIPS compliant encryption -
  • -
  • - Fixed pkcsep11_migrate tool -
  • -
  • - Minor fixes of the ICSF software -
  • -
-
-

- (BZ#1780293) -

-
-

gpgme rebased to version 1.13.1. -

-

- The gpgme packages have been upgraded to upstream version - 1.13.1. Notable changes include: -

-
-
-
    -
  • - New context flags no-symkey-cache (has an effect when used - with GnuPG 2.2.7 or later), request-origin (has an effect - when used with GnuPG 2.2.6 or later), auto-key-locate, and - trust-model have been introduced. -
  • -
  • - New tool gpgme-json as native messaging server for web - browsers has been added. As of now, the public key encryption and decryption is - supported. -
  • -
  • - New encryption API to support direct key specification including hidden recipients - option and taking keys from a file has been introduced. This also allows the use of a - subkey. -
  • -
-
-

- (BZ#1829822) -

-
-
-
-
-
-

5.1.5. Infrastructure services

-
-
-
-
-

powertop rebased to version 2.12 -

-

- The powertop packages have been upgraded to version 2.12. - Notable changes over the previously available version 2.11 include: -

-
-
-
    -
  • - Use of Device Interface Power Management (DIPM) for SATA link PM. -
  • -
  • - Support for Intel Comet Lake mobile and desktop systems, the Skylake server, and the - Atom-based Tremont architecture (Jasper Lake). -
  • -
-
-

- (BZ#1783110) -

-
-

tuned rebased to version 2.14.0 -

-

- The tuned packages have been upgraded to upstream version - 2.14.0. Notable enhancements include: -

-
-
-
    -
  • - The optimize-serial-console profile has been introduced. -
  • -
  • - Support for a post loaded profile has been added. -
  • -
  • - The irqbalance plugin for handling irqbalance settings has been added. -
  • -
  • - Architecture specific tuning for Marvell ThunderX and AMD based platforms has been - added. -
  • -
  • - Scheduler plugin has been extended to support cgroups-v1 - for CPU affinity setting. -
  • -
-
-

- (BZ#1792264) -

-
-

tcpdump rebased to version 4.9.3 -

-

- The tcpdump utility has been updated to version 4.9.3 to fix - Common Vulnerabilities and Exposures (CVE). -

-
-

- (BZ#1804063) -

-
-

libpcap rebased to version 1.9.1 -

-

- The libpcap packages have been updated to version 1.9.1 to fix - Common Vulnerabilities and Exposures (CVE). -

-
-

- (BZ#1806422) -

-
-

iperf3 now supports sctp option on the client side

-

- With this enhancement, the user can use Stream Control Transmission Protocol (SCTP) instead - of Transmission Control Protocol (TCP) on the client side of testing network throughput. -

-
-

- The following options for iperf3 are now available on the client - side of testing: -

-
-
    -
  • - --sctp -
  • -
  • - --xbind -
  • -
  • - --nstreams -
  • -
-
-

- To obtain more information, see Client Specific Options in the - iperf3 man page. -

-

- (BZ#1665142) -

-
-

iperf3 now supports SSL

-

- With this enhancement, the user can use RSA authentication between the client and the server - to restrict the connections to the server only to legitimate clients. -

-
-

- The following options for iperf3 are now available on the server - side: -

-
-
    -
  • - --rsa-private-key-path -
  • -
  • - --authorized-users-path -
  • -
-
-

- The following options for iperf3 are now available on the client - side of communication: -

-
-
    -
  • - --username -
  • -
  • - --rsa-public-key-path -
  • -
-
-

- (BZ#1700497) -

-
-

bind rebased to 9.11.20

-

- The bind package has been upgraded to version 9.11.20, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Increased reliability on systems with many CPU cores by fixing several race conditions. -
  • -
  • - Detailed error reporting: dig and other tools can now print - the Extended DNS Error (EDE) option, if it is present. -
  • -
  • - Message IDs in inbound DNS Zone Transfer Protocol (AXFR) transfers are checked and - logged, when they are inconsistent. -
  • -
-
-

- (BZ#1818785) -

-
-

A new optimize-serial-console TuneD - profile to reduce I/O to serial consoles by lowering the printk value

-

- With this update, a new optimize-serial-console TuneD profile - is available. In some scenarios, kernel drivers can send large amounts of I/O operations to - the serial console. Such behavior can cause temporary unresponsiveness while the I/O is - written to the serial console. The optimize-serial-console - profile reduces this I/O by lowering the printk value from the - default of 7 4 1 7 to 4 4 1 7. Users with a serial console who - wish to make this change on their system can instrument their system as follows: -

-
-
# tuned-adm profile throughput-performance optimize-serial-console
-

- As a result, users will have a lower printk value that persists - across a reboot, which reduces the likelihood of system hangs. -

-

- This TuneD profile reduces the amount of I/O written to the serial console by removing debugging - information. If you need to collect this debugging information, you should ensure this profile - is not enabled and that your printk value is set to 7 4 1 7. To check the value of printk run: -

-
# cat /proc/sys/kernel/printk
-

- (BZ#1840689) -

-
-

New TuneD profiles added for the AMD-based platforms

-

- In RHEL 8.3, the throughput-performance TuneD profile was - updated to include tuning for the AMD-based platforms. There is no need to change any - parameter manually and the tuning is automatically applied on the AMD system. The AMD Epyc Naples and - Rome systems alters the following parameters in the default - throughput-performance profile: -

-
-

- sched_migration_cost_ns=5000000 and kernel.numa_balancing=0 -

-

- With this enhancement, the system performance is improved by ~5%. -

-

- (BZ#1746957) -

-
-

memcached rebased to version - 1.5.22

-

- The memcached packages have been upgraded to version 1.5.22. - Notable changes over the previous version include: -

-
-
-
    -
  • - TLS has been enabled. -
  • -
  • - The -o inline_ascii_response option has been removed. -
  • -
  • - The -Y [authfile] option has been added along with - authentication mode for the ASCII protocol. -
  • -
  • - memcached can now recover its cache between restarts. -
  • -
  • - New experimental meta commands have been added. -
  • -
  • - Various performance improvements. -
  • -
-
-

- (BZ#1809536) -

-
-
-
-
-
-

5.1.6. Security

-
-
-
-
-

Cyrus SASL now supports channel bindings with the SASL/GSSAPI and SASL/GSS-SPNEGO - plug-ins

-

- This update adds support for channel bindings with the SASL/GSSAPI and SASL/GSS-SPNEGO - plug-ins. As a result, when used in the openldap libraries, - this feature enables Cyrus SASL to maintain compatibility with and access to Microsoft - Active Directory and Microsoft Windows systems which are introducing mandatory channel - binding for LDAP connections. -

-
-

- (BZ#1817054) -

-
-

Libreswan rebased to 3.32

-

- With this update, Libreswan has been rebased to upstream version 3.32, which includes - several new features and bug fixes. Notable features include: -

-
-
-
    -
  • - Libreswan no longer requires separate FIPS 140-2 certification. -
  • -
  • - Libreswan now implements the cryptographic recommendations of RFC 8247, and changes the - preference from SHA-1 and RSA-PKCS v1.5 to SHA-2 and RSA-PSS. -
  • -
  • - Libreswan supports XFRMi virtual ipsecXX interfaces that simplify writing firewall - rules. -
  • -
  • - Recovery of crashed and rebooted nodes in a full-mesh encryption network is improved. -
  • -
-
-

- (BZ#1820206) -

-
-

The libssh library has been rebased to - version 0.9.4

-

- The libssh library, which implements the SSH protocol, has been - upgraded to version 0.9.4. -

-
-

- This update includes bug fixes and enhancements, including: -

-
-
    -
  • - Added support for Ed25519 keys in PEM files. -
  • -
  • - Added support for diffie-hellman-group14-sha256 key - exchange algorithm. -
  • -
  • - Added support for localuser in Match keyword in the libssh - client configuration file. -
  • -
  • - Match criteria keyword arguments are now case-sensitive - (note that keywords are case-insensitive, but keyword arguments are case-sensitive) -
  • -
  • - Fixed CVE-2019-14889 and CVE-2020-1730. -
  • -
  • - Added support for recursively creating missing directories found in the path string - provided for the known hosts file. -
  • -
  • - Added support for OpenSSH keys in PEM files with comments - and leading white spaces. -
  • -
  • - Removed the OpenSSH server configuration inclusion from the - libssh server configuration. -
  • -
-
-

- (BZ#1804797) -

-
-

gnutls rebased to 3.6.14

-

- The gnutls packages have been rebased to upstream version - 3.6.14. This version provides many bug fixes and enhancements, most notably: -

-
-
-
    -
  • - gnutls now rejects certificates with Time fields that contain invalid characters or formatting. -
  • -
  • - gnutls now checks trusted CA certificates for minimum key - sizes. -
  • -
  • - When displaying an encrypted private key, the certtool - utility no longer includes its plain text description. -
  • -
  • - Servers using gnutls now advertise OCSP-stapling support. -
  • -
  • - Clients using gnutls now send OCSP staples only on request. -
  • -
-
-

- (BZ#1789392) -

-
-

gnutls FIPS DH checks now conform with - NIST SP 800-56A rev. 3

-

- This update of the gnutls packages provides checks required by - NIST Special Publication 800-56A Revision 3, sections 5.7.1.1 and 5.7.1.2, step 2. The - change is necessary for future FIPS 140-2 certifications. As a result, gnutls now accept only 2048-bit or larger parameters from RFC - 7919 and RFC 3526 during the Diffie-Hellman key exchange when operating in FIPS mode. -

-
-

- (BZ#1849079) -

-
-

gnutls now performs validations according - to NIST SP 800-56A rev 3

-

- This update of the gnutls packages adds checks required by NIST - Special Publication 800-56A Revision 3, sections 5.6.2.2.2 and 5.6.2.1.3, step 2. The - addition prepares gnutls for future FIPS 140-2 certifications. - As a result, gnutls perform additional validation steps for - generated and received public keys during the Diffie-Hellman key exchange when operating in - FIPS mode. -

-
-

- (BZ#1855803) -

-
-

update-crypto-policies and fips-mode-setup moved into crypto-policies-scripts

-

- The update-crypto-policies and fips-mode-setup scripts, which were previously included in the - crypto-policies package, are now moved into a separate RPM - subpackage crypto-policies-scripts. The package is - automatically installed through the Recommends dependency on regular installations. This - enables the ubi8/ubi-minimal image to avoid the inclusion of - the Python language interpreter and thus reduces the image size. -

-
-

- (BZ#1832743) -

-
-

OpenSC rebased to version 0.20.0

-

- The opensc package has been rebased to version 0.20.0 which - addresses multiple bugs and security issues. Notable changes include: -

-
-
-
    -
  • - With this update, CVE-2019-6502, - CVE-2019-15946, CVE-2019-15945, CVE-2019-19480, CVE-2019-19481 and CVE-2019-19479 security issues are - fixed. -
  • -
  • - The OpenSC module now supports the C_WrapKey and C_UnwrapKey functions. -
  • -
  • - You can now use the facility to detect insertion and removal of card readers as - expected. -
  • -
  • - The pkcs11-tool utility now supports the CKA_ALLOWED_MECHANISMS attribute. -
  • -
  • - This update allows default detection of the OsEID cards. -
  • -
  • - The OpenPGP Card v3 now supports Elliptic Curve - Cryptography (ECC). -
  • -
  • - The PKCS#11 URI now truncates the reader name with ellipsis. -
  • -
-
-

- (BZ#1810660) -

-
-

stunnel rebased to version 5.56 -

-

- With this update, the stunnel encryption wrapper has been - rebased to upstream version 5.56, which includes several new features and bug fixes. Notable - features include: -

-
-
-
    -
  • - New ticketKeySecret and ticketMacSecret options that control confidentiality and - integrity protection of the issued session tickets. These options enable you to resume - sessions on other nodes in a cluster. -
  • -
  • - New curves option to control the list of elliptic curves in - OpenSSL 1.1.0 and later. -
  • -
  • - New ciphersuites option to control the list of permitted - TLS 1.3 ciphersuites. -
  • -
  • - Added sslVersion, sslVersionMin and sslVersionMax - for OpenSSL 1.1.0 and later. -
  • -
-
-

- (BZ#1808365) -

-
-

libkcapi rebased to version 1.2.0 -

-

- The libkcapi package has been rebased to upstream version - 1.2.0, which includes minor changes. -

-
-

- (BZ#1683123) -

-
-

setools rebased to 4.3.0

-

- The setools package, which is a collection of tools designed to - facilitate SELinux policy analysis, has been upgraded to version 4.3.0. -

-
-

- This update includes bug fixes and enhancements, including: -

-
-
    -
  • - Revised sediff method for Type Enforcement (TE) rules, - which significantly reduces memory and runtime issues. -
  • -
  • - Added infiniband context support to seinfo, sediff, and apol. -
  • -
  • - Added apol configuration for the location of the Qt - assistant tool used to display online documentation. -
  • -
  • -

    - Fixed sediff issues with: -

    -
    -
      -
    • - Properties header displaying when not requested. -
    • -
    • - Name comparison of type_transition files. -
    • -
    -
    -
  • -
  • - Fixed permission of map socket sendto information flow - direction. -
  • -
  • - Added methods to the TypeAttribute class to make it a - complete Python collection. -
  • -
  • - Genfscon now looks up classes, rather than using fixed - values which were dropped from libsepol. -
  • -
-
-

- The setools package requires the following packages: -

-
-
    -
  • - setools-console -
  • -
  • - setools-console-analyses -
  • -
  • - setools-gui -
  • -
-
-

- (BZ#1820079) -

-
-

Individual CephFS files and directories can now have SELinux - labels

-

- The Ceph File System (CephFS) has recently enabled storing SELinux labels in the extended - attributes of files. Previously, all files in a CephFS volume were labeled with a single - common label system_u:object_r:cephfs_t:s0. With this - enhancement, you can change the labels for individual files, and SELinux defines the labels - of newly created files based on transition rules. Note that previously unlabeled files still - have the system_u:object_r:cephfs_t:s0 label until explicitly - changed. -

-
-

- (BZ#1823764) -

-
-

OpenSCAP rebased to - version 1.3.3

-

- The openscap packages have been upgraded to upstream version - 1.3.3, which provides many bug fixes and enhancements over the previous version, most - notably: -

-
-
-
    -
  • - Added the autotailor script that enables you to generate - tailoring files using a command-line interface (CLI). -
  • -
  • - Added the timezone part to the Extensible Configuration Checklist Description Format - (XCCDF) TestResult start and end time stamps -
  • -
  • - Added the yamlfilecontent independent probe as a draft - implementation. -
  • -
  • - Introduced the urn:xccdf:fix:script:kubernetes fix type in - XCCDF. -
  • -
  • - Added ability to generate the machineconfig fix. -
  • -
  • - The oscap-podman tool can now detect ambiguous scan - targets. -
  • -
  • - The rpmverifyfile probe can now verify files from the /bin directory. -
  • -
  • - Fixed crashes when complicated regexes are executed in the textfilecontent58 probe. -
  • -
  • - Evaluation characteristics of the XCCDF report are now consistent with OVAL entities - from the system_info probe. -
  • -
  • - Fixed file-path pattern matching in offline mode in the textfilecontent58 probe. -
  • -
  • - Fixed infinite recursion in the systemdunitdependency - probe. -
  • -
-
-

- (BZ#1829761) -

-
-

SCAP Security Guide now provides a profile aligned with the CIS RHEL 8 - Benchmark v1.0.0

-

- With this update, the scap-security-guide packages provide a - profile aligned with the CIS Red Hat Enterprise Linux 8 Benchmark v1.0.0. The profile - enables you to harden the configuration of the system using the guidelines by the Center for - Internet Security (CIS). As a result, you can configure and automate compliance of your RHEL - 8 systems with CIS by using the CIS Ansible Playbook and the CIS SCAP profile. -

-
-

- Note that the rpm_verify_permissions rule in the CIS profile does - not work correctly. -

-

- (BZ#1760734) -

-
-

scap-security-guide now provides a profile - that implements HIPAA

-

- This update of the scap-security-guide packages adds the Health - Insurance Portability and Accountability Act (HIPAA) profile to the RHEL 8 security - compliance content. This profile implements recommendations outlined on the The HIPAA Privacy - Rule website. -

-
-

- The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic - personal health information that is created, received, used, or maintained by a covered entity. - The Security Rule requires appropriate administrative, physical, and technical safeguards to - ensure the confidentiality, integrity, and security of electronically protected health - information. -

-

- (BZ#1832760) -

-
-

scap-security-guide rebased to - 0.1.50

-

- The scap-security-guide packages, which contain the latest set - of security policies for Linux systems, have been upgraded to version 0.1.50. -

-
-

- This update includes bug fixes and enhancements, most notably: -

-
-
    -
  • - Ansible content has been improved: numerous rules contain Ansible remediations for the - first time and other rules have been updated to address bug fixes. -
  • -
  • -

    - Fixes and improvements to the scap-security-guide - content for scanning RHEL7 systems, including: -

    -
    -
      -
    • - The scap-security-guide packages now provide a - profile aligned with the CIS RHEL 7 Benchmark v2.2.0. Note that the rpm_verify_permissions rule in the CIS profile - does not work correctly; see the rpm_verify_permissions fails in the CIS - profile known issue. -
    • -
    • - The SCAP Security Guide profiles now correctly disable and mask services - that should not be started. -
    • -
    • - The audit_rules_privileged_commands rule in the - scap-security-guide packages now works - correctly for privileged commands. -
    • -
    • - Remediation of the dconf_gnome_login_banner_text rule in the scap-security-guide packages no longer - incorrectly fails. -
    • -
    -
    -
  • -
-
-

- (BZ#1815007) -

-
-

SCAP Workbench can now generate - results-based remediations from tailored profiles

-

- With this update, you can now generate result-based remediation roles from tailored profiles - using the SCAP Workbench tool. -

-
-

- (BZ#1640715) -

-
-

New Ansible role provides automated deployments of Clevis - clients

-

- This update of the rhel-system-roles package introduces the - nbde_client RHEL system role. This Ansible role enables you to - deploy multiple Clevis clients in an automated way. -

-
-

- (BZ#1716040) -

-
-

New Ansible role can now set up a Tang server

-

- With this enhancement, you can deploy and manage a Tang server as part of an automated disk - encryption solution with the new nbde_server system role. The - nbde_server Ansible role, which is included in the rhel-system-roles package, supports the following features: -

-
-
-
    -
  • - Rotating Tang keys -
  • -
  • - Deploying and backing up Tang keys -
  • -
-
-

- For more information, see Rotating - Tang server keys. -

-

- (BZ#1716039) -

-
-

clevis rebased to version 13

-

- The clevis packages have been rebased to version 13, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - clevis luks unlock can be used in the device with a key - file in the non-interactive mode. -
  • -
  • - clevis encrypt tpm2 parses the pcr_ids field if the input is given as a JSON array. -
  • -
  • - The clevis-luks-unbind(1) man page no longer refers only to - LUKS v1. -
  • -
  • - clevis luks bind does not write to an inactive slot - anymore, if the password given is incorrect. -
  • -
  • - clevis luks bind now works while the system uses the - non-English locale. -
  • -
  • - Added support for tpm2-tools 4.x. -
  • -
-
-

- (BZ#1818780) -

-
-

clevis luks edit enables you to edit a - specific pin configuration

-

- This update of the clevis packages introduces the new clevis luks edit subcommand that enables you to edit a specific - pin configuration. For example, you can now change the URL address of a Tang server and the - pcr_ids parameter in a TPM2 configuration. You can also add and - remove new sss pins and change the threshold of an sss pin. -

-
-

- (BZ#1436735) -

-
-

clevis luks bind -y now allows automated - binding

-

- With this enhancement, Clevis supports automated binding with the -y parameter. You can now use the -y - option with the clevis luks bind command, which automatically - answers subsequent prompts with yes. For example, - when using a Tang pin, you are no longer required to manually trust Tang keys. -

-
-

- (BZ#1819767) -

-
-

fapolicyd rebased to version 1.0 -

-

- The fapolicyd packages have been rebased to version 1.0, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - The multiple thread synchronization problem has been resolved. -
  • -
  • - Enhanced performance with reduced database size and loading time. -
  • -
  • - A new trust option for the fapolicyd package in the fapolicyd.conf file has been added to customize trust back - end. You can add all trusted files, binaries, and scripts to the new /etc/fapolicyd/fapolicyd.trust file. -
  • -
  • - You can manage the fapolicyd.trust file using the CLI. -
  • -
  • - You can clean or dump the database using the CLI. -
  • -
  • - The fapolicyd package overrides the magic database for - better decoding of scripts. The CLI prints MIME type of the file similar to the file - command according to the override. -
  • -
  • - The /etc/fapolicyd/fapolicyd.rules file supports a group of - values as attribute values. -
  • -
  • - The fapolicyd daemon has a syslog_format option for setting the format of the audit/sylog events. -
  • -
-
-

- (BZ#1817413) -

-
-

fapolicyd now provides its own SELinux - policy in fapolicyd-selinux

-

- With this enhancement, the fapolicyd framework now provides its - own SELinux security policy. The daemon is confined under the fapolicyd_t domain and the policy is installed through the fapolicyd-selinux subpackage. -

-
-

- (BZ#1714529) -

-
-

USBGuard rebased to version 0.7.8 -

-

- The usbguard packages have been rebased to version 0.7.8 which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - The HidePII=true|false parameter in the /etc/usbguard/usbguard-daemon.conf file can now hide - personally identifiable information from audit entries. -
  • -
  • - The AuthorizedDefault=keep|none|all|internal parameter in - the /etc/usbguard/usbguard-daemon.conf file can predefine - authorization state of controller devices. -
  • -
  • - With the new with-connect-type rule attribute, users can - now distinguish the connection type of the device. -
  • -
  • - Users can now append temporary rules with the -t option. - Temporary rules remain in memory only until the daemon restarts. -
  • -
  • - usbguard list-rules can now filter rules according to - certain properties. -
  • -
  • - usbguard generate-policy can now generate a policy for - specific devices. -
  • -
  • - The usbguard allow|block|reject command can now handle rule - strings, and a target is applied on each device that matches the specified rule string. -
  • -
  • - New subpackages usbguard-notifier and usbguard-selinux are included. -
  • -
-
-

- (BZ#1738590) -

-
-

USBGuard provides many improvements for - corporate desktop users

-

- This addition to the USBGuard project contains enhancements and bug fixes to improve the - usability for corporate desktop users. Important changes include: -

-
-
-
    -
  • - For keeping the /etc/usbguard/rules.conf rule file clean, - users can define multiple configuration files inside the RuleFolder=/etc/usbguard/rules.d/ directory. By default, the - RuleFolder is specified in the /etc/usbguard-daemon.conf file. -
  • -
  • - The usbguard-notifier tool now provides GUI notifications. - The tool notifies the user whenever a device is plugged in or plugged out and whether - the device is allowed, blocked, or rejected by any user. -
  • -
  • - You can now include comments in the configuration files, because the usbguard-daemon no longer parses lines starting with #. -
  • -
-
-

- (BZ#1667395) -

-
-

USBGuard now provides its own SELinux policy in usbguard-selinux

-

- With this enhancement, the USBGuard - framework now provides its own SELinux security policy. The daemon is confined under the - usbguard_t domain and the policy is installed through the usbguard-selinux subpackage. -

-
-

- (BZ#1683567) -

-
-

libcap now supports ambient - capabilities

-

- With this update, users are able to grant ambient capabilities at login and prevent the need - to have root access for the appropriately configured processes. -

-
-

- (BZ#1487388) -

-
-

The libseccomp library has been rebased to - version 2.4.3

-

- The libseccomp library, which provides an interface to the - seccomp system call filtering mechanism, has been upgraded to - version 2.4.3. -

-
-

- This update provides numerous bug fixes and enhancements. Notable changes include: -

-
-
    -
  • - Updated the syscall table for Linux v5.4-rc4. -
  • -
  • - No longer defining __NR_x values for system calls that do - not exist. -
  • -
  • - __SNR_x is now used internally. -
  • -
  • - Added define for __SNR_ppoll. -
  • -
  • - Fixed a multiplexing issue with s390/s390x shm* system calls. -
  • -
  • - Removed the static flag from the libseccomp tools compilation. -
  • -
  • - Added support for io-uring related system calls. -
  • -
  • - Fixed the Python module naming issue introduced in the v2.4.0 release; the module is - named seccomp as it was previously. -
  • -
  • - Fixed a potential memory leak identified by clang in the - scmp_bpf_sim tool. -
  • -
-
-

- (BZ#1770693) -

-
-

omamqp1 module is now supported -

-

- With this update, the AMQP 1.0 protocol supports sending - messages to a destination on the bus. Previously, Openstack used the AMQP1 protocol as a communication standard, and this protocol can - now log messages in AMQP messages. This update introduces the rsyslog-omamqp1 sub-package to deliver the omamqp1 output mode, which logs messages and sends them to the - destination on the bus. -

-
-

- (BZ#1713427) -

-
-

OpenSCAP compresses remote content

-

- With this update, OpenSCAP uses gzip compression for - transferring remote content. The most common type of remote content is text-based CVE feeds, - which increase in size over time and typically have to be downloaded for every scan. The - gzip compression reduces the bandwidth to 10% of bandwidth - needed for uncompressed content. As a result, this reduces bandwidth requirements across the - entire chain between the scanned system and the server that hosts the remote content. -

-
-

- (BZ#1855708) -

-
-

SCAP Security Guide now provides a profile aligned with - NIST-800-171

-

- With this update, the scap-security-guide packages provide a - profile aligned with the NIST-800-171 standard. The profile enables you to harden the system - configuration in accordance with security requirements for protection of Controlled - Unclassified Information (CUI) in non-federal information systems. As a result, you can more - easily configure systems to be aligned with the NIST-800-171 standard. -

-
-

- (BZ#1762962) -

-
-
-
-
-
-

5.1.7. Networking

-
-
-
-
-

The IPv4 and IPv6 connection tracking modules have been merged into the - nf_conntrack module

-

- This enhancement merges the nf_conntrack_ipv4 and nf_conntrack_ipv6 Netfilter connection tracking modules into the - nf_conntrack kernel module. Due to this change, blacklisting - the address family-specific modules no longer work in RHEL 8.3, and you can blacklist only - the nf_conntrack module to disable connection tracking support - for both the IPv4 and IPv6 protocols. -

-
-

- (BZ#1822085) -

-
-

firewalld rebased to version 0.8.2

-

- The firewalld packages have been upgraded to upstream version - 0.8.2, which provides a number of bug fixes over the previous version. For details, see the - firewalld 0.8.2 - Release Notes. -

-
-

- (BZ#1809636) -

-
-

NetworkManager rebased to version 1.26.0

-

- The NetworkManager packages have been upgraded to upstream - version 1.26.0, which provides a number of enhancements and bug fixes over the previous - version: -

-
-
-
    -
  • - NetworkManager resets the auto-negotiation, speed, and duplex setting to their original - value when deactivating a device. -
  • -
  • - Wi-Fi profiles connect now automatically if all previous activation attempts failed. - This means that an initial failure to auto-connect to the network no longer blocks the - automatism. A side effect is that existing Wi-Fi profiles that were previously blocked - now connect automatically. -
  • -
  • - The nm-settings-nmcli(5) and nm-settings-dbus(5) man pages have been added. -
  • -
  • - Support for a number of bridge parameters has been added. -
  • -
  • - Support for virtual routing and forwarding (VRF) interfaces has been added. For further - details, see Permanently - reusing the same IP address on different interfaces. -
  • -
  • - Support for Opportunistic Wireless Encryption mode (OWE) for Wi-Fi networks has been - added. -
  • -
  • - NetworkManager now supports 31-bit prefixes on IPv4 point-to-point links according to RFC 3021. -
  • -
  • - The nmcli utility now supports removing settings using the - nmcli connection modify <connection_name> remove <setting> - command. -
  • -
  • - NetworkManager no longer creates and activates slave devices if a master device is - missing. -
  • -
-
-

- For further information about notable changes, read the upstream release notes: -

- -

- (BZ#1814746) -

-
-

XDP is conditionally supported

-

- Red Hat supports the eXpress Data Path (XDP) feature only if all of the following conditions - apply: -

-
-
-
    -
  • - You load the XDP program on an AMD or Intel 64-bit architecture -
  • -
  • - You use the libxdp library to load the program into the - kernel -
  • -
  • - The XDP program uses one of the following return codes: XDP_ABORTED, XDP_DROP, or XDP_PASS -
  • -
  • - The XDP program does not use the XDP hardware offloading -
  • -
-
-

- For details about unsupported XDP features, see Overview of XDP features that - are available as Technology Preview -

-

- (BZ#1889736) -

-
-

xdp-tools is partially supported -

-

- The xdp-tools package, which contains user space support - utilities for the kernel eXpress Data Path (XDP) feature, is now supported on the AMD and - Intel 64-bit architectures. This includes the libxdp library, - the xdp-loader utility for loading XDP programs, and the xdp-filter example program for packet filtering. Note that the - xdpdump utility for capturing packets from a network interface - with XDP enabled is still a Technology Preview. (BZ#1820670) -

-
-
-

The dracut utility by default now uses - NetworkManager in initial RAM disk

-

- Previously, the dracut utility was using a shell script to - manage networking in the initial RAM disk, initrd. In certain - cases, this could cause problems. For example, the NetworkManager sends another DHCP - request, even if the script in the RAM disk has already requested an IP address, which could - result in a timeout. -

-
-

- With this update, the dracut by default now uses the NetworkManager - in the initial RAM disk and prevents the system from running into issues. In case you want to - switch back to the previous implementation, and recreate the RAM disk images, use the following - commands: -

-
# echo 'add_dracutmodules+=" network-legacy "' > /etc/dracut.conf.d/enable-network-legacy.conf
-
-# dracut -vf --regenerate-all
-

- (BZ#1626348) -

-
-

Network configuration in the kernel command line has been consolidated - under the ip parameter

-

- The ipv6, netmask, gateway, and hostname parameters to - set the network configuration in the kernel command line have been consolidated under the - ip parameter. The ip parameter - accepts different formats, such as the following: -

-
-
ip=__IP_address__:__peer__:__gateway_IP_address__:__net_mask__:__host_name__:__interface_name__:__configuration_method__
-

- For further details about the individual fields and other formats this parameter accepts, see - the description of the ip parameter in the dracut.cmdline(7) man page. -

-

- The ipv6, netmask, gateway, and hostname parameters are no - longer available in RHEL 8. -

-

- (BZ#1905138) -

-
-
-
-
-
-

5.1.8. Kernel

-
-
-
-
-

Kernel version in RHEL 8.3

-

- Red Hat Enterprise Linux 8.3 is distributed with the kernel version 4.18.0-240. -

-
-

- (BZ#1839151) -

-
-

Extended Berkeley Packet Filter for RHEL 8.3

-

- The Extended Berkeley Packet Filter - (eBPF) is an in-kernel virtual machine that allows code execution in - the kernel space, in the restricted sandbox environment with access to a limited set of - functions. The virtual machine executes a special assembly-like code. -

-
-

- The eBPF bytecode first loads to the kernel, - followed by its verification, code translation to the native machine code with just-in-time - compilation, and then the virtual machine executes the code. -

-

- Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a - different development phase, and thus not all components are currently fully supported. In RHEL - 8.3, the following eBPF components are - supported: -

-
-
    -
  • - The BPF Compiler Collection (BCC) - tools package, which provides tools for I/O analysis, networking, and monitoring of - Linux operating systems using eBPF -
  • -
  • - The BCC library which allows the - development of tools similar to those provided in the BCC tools package. -
  • -
  • - The eBPF for Traffic Control (tc) - feature, which enables programmable packet processing inside the kernel network data - path. -
  • -
  • - The eXpress Data Path (XDP) feature, - which provides access to received packets before the kernel networking stack processes - them, is supported under specific conditions. For more details, refer to the Networking - section of Relase Notes. -
  • -
  • - The libbpf package, which is crucial for bpf related - applications like bpftrace and bpf/xdp development. For more details, refer to the dedicated - release note libbpf - fully supported. -
  • -
  • - The xdp-tools package, which contains userspace support - utilities for the XDP feature, is - now supported on the AMD and Intel 64-bit architectures.This includes the libxdp library, the xdp-loader - utility for loading XDP programs, and the xdp-filter - example program for packet filtering. Note that the xdpdump - utility for capturing packets from a network interface with XDP enabled is still an - unsupported Technology Preview. For more details, refer to the Networking - section of Release Notes. -
  • -
-
-

- Note that all other eBPF components are - available as Technology Preview, unless a specific component is indicated as supported. -

-

- The following notable eBPF components are - currently available as Technology Preview: -

-
-
    -
  • - The bpftrace tracing language -
  • -
  • - The AF_XDP socket for connecting the eXpress Data Path (XDP) path to user - space -
  • -
-
-

- For more information regarding the Technology Preview components, see Technology - Previews. -

-

- (BZ#1780124) -

-
-

Cornelis Networks Omni-Path Architecture (OPA) Host Software -

-

- Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux - 8.3. OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for - high performance data transfers (high bandwidth, high message rate, low latency) between - compute and I/O nodes in a clustered environment. -

-
-

- (BZ#1893174) -

-
-

TSX is now disabled - by default

-

- Starting with RHEL 8.3, the kernel now has the Intel® - Transactional Synchronization Extensions (TSX) technology disabled - by default to improve the OS security. The change applies to those CPUs that support - disabling TSX, including the 2nd - Generation Intel® Xeon® Scalable Processors (formerly known as Cascade Lake with Intel® C620 - Series Chipsets). -

-
-

- For users whose applications do not use TSX, - the change removes the default performance penalty of the TSX Asynchronous Abort (TAA) mitigations on - the 2nd Generation Intel® Xeon® Scalable Processors. -

-

- The change also aligns the RHEL kernel behavior with upstream, where TSX has been disabled by default since Linux - 5.4. -

-

- To enable TSX, add the tsx=on parameter to the kernel command line. -

-

- (BZ#1828642) -

-
-

RHEL 8.3 now supports the page owner tracking feature

-

- With this update, you can use the page owner tracking feature to observe the kernel memory - utilization at the page allocation level. -

-
-

- To enable the page tracker, execute the following steps : -

-
# grubby --args="page_owner=on" --update-kernel=0
-# reboot
-

- As a result, the page owner tracker will track the kernel memory consumption, which helps to - debug kernel memory leaks and detect the drivers that use a lot of memory. -

-

- (BZ#1825414) -

-
-

EDAC for AMD EPYC™ 7003 Series Processors is now supported

-

- This enhancement provides Error Detection And Correction (EDAC) device support for AMD EPYC™ - 7003 Series Processors. Previously, corrected (CEs) and uncorrected (UEs) memory errors were - not reported on systems based on AMD EPYC™ 7003 Series Processors. With this update, such - errors will now be reported using EDAC. -

-
-

- (BZ#1735611) -

-
-

Flamegraph is now supported with perf - tool

-

- With this update, the perf command line tool supports - flamegraphs to create a graphical representation of the system’s performance. The perf data is grouped together into samples with similar stack - backtraces. As a result, this data is converted into a visual representation to allow easier - identification of computationally intensive areas of code. To generate a flamegraph using - the perf tool, execute the following commands: -

-
-
$ perf script record flamegraph -F 99 -g -- stress --cpu 1 --vm-bytes 128M --timeout 10s
-stress: info: [4461] dispatching hogs: 1 cpu, 0 io, 0 vm, 0 hdd
-stress: info: [4461] successful run completed in 10s
-[ perf record: Woken up 1 times to write data ]
-[ perf record: Captured and wrote 0.060 MB perf.data (970 samples) ]
-$ perf script report flamegraph
-dumping data to flamegraph.html
-

- Note : To generate flamegraphs, install the js-d3-flame-graph rpm. -

-

- (BZ#1281843) -

-
-

/dev/random and /dev/urandom are now conditionally powered by the Kernel - Crypto API DRBG

-

- In FIPS mode, the /dev/random and /dev/urandom pseudorandom number generators are powered by the - Kernel Crypto API Deterministic Random Bit Generator (DRBG). Applications in FIPS mode use - the mentioned devices as a FIPS-compliant noise source, therefore the devices have to employ - FIPS-approved algorithms. To achieve this goal, necessary hooks have been added to the /dev/random driver. As a result, the hooks are enabled in the - FIPS mode and cause /dev/random and /dev/urandom to connect to the Kernel Crypto API DRBG. -

-
-

- (BZ#1785660) -

-
-

libbpf fully supported

-

- The libbpf package, crucial for bpf related applications like - bpftrace and bpf/xdp development, - is now fully supported. -

-
-

- It is a mirror of bpf-next linux tree bpf-next/tools/lib/bpf - directory plus its supporting header files. The version of the package reflects the version of - the Application Binary Interface (ABI). -

-

- (BZ#1759154) -

-
-

lshw utility now provides additional CPU - information

-

- With this enhancement, the List Hardware utility (lshw) displays more CPU information. The CPU version field now provides the family, model and stepping details - of the system processors in numeric format as version: <family>.<model>.<stepping>. -

-
-

- (BZ#1794049) -

-
-

kernel-rt source tree has been updated to - the RHEL 8.3 tree

-

- The kernel-rt sources have been updated to use the latest Red - Hat Enterprise Linux kernel source tree. The real-time patch set has also been updated to - the latest upstream version, v5.6.14-rt7. Both of these updates provide a number of bug - fixes and enhancements. -

-
-

- (BZ#1818138, BZ#1818142) -

-
-

tpm2-tools rebased to version - 4.1.1

-

- The tpm2-tools package has been upgraded to version 4.1.1, - which provides a number of command additions, updates, and removals. For more details, see - the Updates to tpm2-tools - package in RHEL8.3 solution. -

-
-

- (BZ#1789682) -

-
-

The Mellanox ConnectX-6 Dx network adapter is now fully - supported

-

- This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the - mlx5_core driver automatically. This feature, previously - available as a technology preview, is now fully supported in RHEL 8.3. -

-
-

- (BZ#1782831) -

-
-

mlxsw driver rebased to version - 5.7

-

- The mlxsw driver is upgraded to upstream version 5.7 and - include following new features: -

-
-
-
    -
  • - The shared buffer occupancy feature, which provides buffer occupancy data. -
  • -
  • - The packet drop feature, which enables monitoring the layer 2, layer 3, tunnels and access control list - drops. -
  • -
  • - Packet trap policers support. -
  • -
  • - Default port priority configuration support using Link Layer Discovery Protocol (LLDP) - agent. -
  • -
  • - Enhanced Transmission Selection (ETS) and Token Bucket Filter (TBF) queuing discipline - offloading support. -
  • -
  • - RED queuing discipline nodrop mode is enabled to prevent - early packet drops. -
  • -
  • - Traffic class SKB editing action skbedit priority feature - enables changing packets metadata and it complements with pedit Traffic Class Offloading (TOS). -
  • -
-
-

- (BZ#1821646) -

-
-

The crash kernel now expands memory reserve for kdump

-

- With this enhancement, the crashkernel=auto argument now - reserves more memory on machines with 4GB to 64GB memory capacity. Previously, due to - limited memory reserve, the crash kernel failed to capture the crash dump as the kernel - space and user space memory expanded. As a consequence, the crash kernel experienced an - out-of-memory (OOM) error. This update helps to reduce the OOM error occurrences in the - described scenario and expands the memory capacity for kdump - accordingly. -

-
-

- (BZ#1746644) -

-
-
-
-
-
-

5.1.9. File systems and storage

-
-
-
-
-

LVM can now manage VDO volumes

-

- LVM now supports the Virtual Data Optimizer (VDO) segment type. As a result, you can now use - LVM utilities to create and manage VDO volumes as native LVM logical volumes. -

-
-

- VDO provides inline block-level deduplication, compression, and thin provisioning features. -

-

- For more information, see Deduplicating - and compressing logical volumes on RHEL. -

-

- (BZ#1598199) -

-
-

The SCSI stack now works better with high-performance adapters -

-

- The performance of the SCSI stack has been improved. As a result, next-generation, high - performance host bus adapters (HBAs) are now capable of higher IOPS (I/Os per second) on - RHEL. -

-
-

- (BZ#1761928) -

-
-

The megaraid_sas driver has been updated - to the latest version

-

- The megaraid_sas driver has been updated to version - 07.713.01.00-rc1. This update provides several bug fixes and enhancements relating to - improving performance, better stability of supported MegaRAID adapters, and a richer feature - set. -

-
-

- (BZ#1791041) -

-
-

Stratis now lists the pool name on error

-

- When you attempt to create a Stratis pool on a block device that is already in use by an - existing Stratis pool, the stratis utility now reports the name - of the existing pool. Previously, the utility listed only the UUID label of the pool. -

-
-

- (BZ#1734496) -

-
-

FPIN ELS frame notification support

-

- The lpfc Fibre Channel (FC) driver now supports Fabric - Performance Impact Notifications (FPINs) regarding link integrity, which help identify link - level issues and allows the switch to choose a more reliable path. -

-
-

- (BZ#1796565) -

-
-

New commands to debug LVM on-disk metadata

-

- The pvck utility, which is available from the lvm2 package, now provides low-level commands to debug or rescue - LVM on-disk metadata on physical volumes: -

-
-
-
    -
  • - To extract metadata, use the pvck --dump command. -
  • -
  • - To repair metadata, use the pvck --repair command. -
  • -
-
-

- For more information, see the pvck(8) man page. -

-

- (BZ#1541165) -

-
-

LVM RAID supports DM integrity to prevent data loss due to corrupted - data on a device

-

- It is now possible to add Device Mapper (DM) integrity to an LVM RAID configuration to - prevent data loss. The integrity layer detects data corruption on a device and alerts the - RAID layer to fix the corrupted data across the LVM RAID. -

-
-

- While RAID prevents data loss due to device failure, adding integrity to an LVM RAID array - prevents data loss due to corrupted data on a device. You can add the integrity layer when you - create a new LVM RAID, or you can add it to an LVM RAID that already exists. -

-

- (JIRA:RHELPLAN-39320) -

-
-

Resilient Storage (GFS2) supported on AWS, Azure, and Aliyun public - clouds

-

- Resilient Storage (GFS2) is now supported on three major public clouds, Amazon (AWS), - Microsoft (Azure) and Alibaba (Aliyun) with the introduction of shared block device support - on those platforms. As a result GFS2 is now a true hybrid cloud cluster filesystem with - options to use both on premises and in the public cloud. For information on configuring - shared block storage on Microsoft Azure and on AWS, see Deploying - RHEL 8 on Microsoft Azure and Deploying - RHEL 8 on Amazon Web Services. For information on configuring shared block storage - on Alibaba Cloud, see Configuring Shared Block Storage for a - Red Hat High Availability Cluster on Alibaba Cloud. -

-
-

- (BZ#1900019) -

-
-

Userspace now supports the latest nfsdcld - daemon

-

- Userspace now supports the lastest nfsdcld daemon, which is the - only namespace-aware client tracking method. This enhancement ensures client open or lock - recovery from the containerized knfsd daemon without any data - corruption. -

-
-

- (BZ#1817756) -

-
-

nconnect now supports multiple concurrent - connections

-

- With this enhancement, you can use the nconnect functionality - to create multiple concurrent connections to an NFS server, allowing for a different load - balancing ability. Enable the nconnect functionality with the - nconnect=X NFS mount option, where X is the number of concurrent connections to use. The - current limit is 16. -

-
-

- (BZ#1683394, BZ#1761352) -

-
-

nfsdcld daemon for client information - tracking is now supported

-

- With this enhancement, the nfsdcld daemon is now the default - method in tracking per-client information on a stable storage. As a result, the NFS v4 - running in containers allows the clients to reclaim the opens or locks after a server - restart. -

-
-

- (BZ#1817752) -

-
-
-
-
-
-

5.1.10. High availability and clusters

-
-
-
-
-

pacemaker rebased to version - 2.0.4

-

- The Pacemaker cluster resource manager has been upgraded to upstream version 2.0.4, which - provides a number of bug fixes. -

-
-

- (BZ#1828488) -

-
-

New priority-fencing-delay cluster - property

-

- Pacemaker now supports the new priority-fencing-delay cluster - property, which allows you to configure a two-node cluster so that in a split-brain - situation the node with the fewest resources running is the node that gets fenced. -

-
-

- The priority-fencing-delay property can be set to a time duration. - The default value for this property is 0 (disabled). If this property is set to a non-zero - value, and the priority meta-attribute is configured for at least - one resource, then in a split-brain situation the node with the highest combined priority of all - resources running on it will be more likely to survive. -

-

- For example, if you set pcs resource defaults priority=1 and pcs property set priority-fencing-delay=15s and no other priorities - are set, then the node running the most resources will be more likely to survive because the - other node will wait 15 seconds before initiating fencing. If a particular resource is more - important than the rest, you can give it a higher priority. -

-

- The node running the master role of a promotable clone will get an extra 1 point if a priority - has been configured for that clone. -

-

- Any delay set with priority-fencing-delay will be added to any - delay from the pcmk_delay_base and pcmk_delay_max fence device properties. This behavior allows some - delay when both nodes have equal priority, or both nodes need to be fenced for some reason other - than node loss (for example, on-fail=fencing is set for a resource - monitor operation). If used in combination, it is recommended that you set the priority-fencing-delay property to a value that is significantly - greater than the maximum delay from pcmk_delay_base and pcmk_delay_max, to be sure the prioritized node is preferred (twice - the value would be completely safe). -

-

- (BZ#1784601) -

-
-

New commands for managing multiple sets of resource and operation - defaults

-

- It is now possible to create, list, change and delete multiple sets of resource and - operation defaults. When you create a set of default values, you can specify a rule that - contains resource and op - expressions. This allows you, for example, to configure a default resource value for all - resources of a particular type. Commands that list existing default values now include - multiple sets of defaults in their output. -

-
-
-
    -
  • - The pcs resource [op] defaults set create command creates a - new set of default values. When specifying rules with this command, only resource and op expressions, - including and, or and - parentheses, are allowed. -
  • -
  • - The pcs resource [op] defaults set delete | remove command - removes sets of default values. -
  • -
  • - The pcs resource [op] defaults set update command changes - the default values in a set. -
  • -
-
-

- (BZ#1817547) -

-
-

Support for tagging cluster resources

-

- It is now possible to tag cluster resources in a Pacemaker cluster with the pcs tag command. This feature allows you to administer a - specified set of resources with a single command. You can also use the pcs tag command to remove or modify a resource tag, and to - display the tag configuration. -

-
-

- The pcs resource enable, pcs resource disable, pcs resource manage, and pcs resource unmanage commands accept tag IDs as arguments. -

-

- (BZ#1684676) -

-
-

Pacemaker now supports recovery by demoting a promoted resource rather - than fully stopping it

-

- It is now possible to configure a promotable resource in a Pacemaker cluster so that when a - promote or monitor action fails for that resource, or the partition in which the resource is - running loses quorum, the resource will be demoted but will not be fully stopped. -

-
-

- This feature can be useful when you would prefer that the resource continue to be available in - the unpromoted mode. For example, if a database master’s partition loses quorum, you might - prefer that the database resource lose the Master role, but stay - alive in read-only mode so applications that only need to read can continue to work despite the - lost quorum. This feature can also be useful when a successful demote is both sufficient for - recovery and much faster than a full restart. -

-

- To support this feature: -

-
-
    -
  • -

    - The on-fail operation meta-attribute now accepts a - demote value when used with promote actions, as in the following example: -

    -
    pcs resource op add my-rsc promote on-fail="demote"
    -
  • -
  • -

    - The on-fail operation meta-attribute now accepts a - demote value when used with monitor actions with both interval set to a nonzero value and role set to Master, as in - the following example: -

    -
    pcs resource op add my-rsc monitor interval="10s" on-fail="demote" role="Master"
    -
  • -
  • - The no-quorum-policy cluster property now accepts a demote value. When set, if a cluster partition loses quorum, - any promoted resources will be demoted but left running and all other resources will be - stopped. -
  • -
-
-

- Specifying a demote meta-attribute for an operation does not affect - how promotion of a resource is determined. If the affected node still has the highest promotion - score, it will be selected to be promoted again. -

-

- (BZ#1837747, BZ#1843079) -

-
-

New SBD_SYNC_RESOURCE_STARTUP SBD - configuration parameter to improve synchronization with Pacemaker

-

- To better control synchronization between SBD and Pacemaker, the /etc/sysconfig/sbd file now supports the SBD_SYNC_RESOURCE_STARTUP parameter. When Pacemaker and SBD - packages from RHEL 8.3 or later are installed and SBD is configured with SBD_SYNC_RESOURCE_STARTUP=true, SBD contacts the Pacemaker daemon - for information about the daemon’s state. -

-
-

- In this configuration, the Pacemaker daemon will wait until it has been contacted by SBD, both - before starting its subdaemons and before final exit. As a result, Pacemaker will not run - resources if SBD cannot actively communicate with it, and Pacemaker will not exit until it has - reported a graceful shutdown to SBD. This prevents the unlikely situation that might occur - during a graceful shutdown when SBD fails to detect the brief moment when no resources are - running before Pacemaker finally disconnects, which would trigger an unneeded reboot. Detecting - a graceful shutdown using a defined handshake works in maintenance mode as well. The previous - method of detecting a graceful shutdown on the basis of no running resources left had to be - disabled in maintenance mode since running resources would not be touched on shutdown. -

-

- In addition, enabling this feature avoids the risk of a split-brain situation in a cluster when - SBD and Pacemaker both start successfully but SBD is unable to contact pacemaker. This could - happen, for example, due to SELinux policies. In this situation, Pacemaker would assume that SBD - is functioning when it is not. With this new feature enabled, Pacemaker will not complete - startup until SBD has contacted it. Another advantage of this new feature is that when it is - enabled SBD will contact Pacemaker repeatedly, using a heartbeat, and it is able to panic the - node if Pacemaker stops responding at any time. -

-
-
Note
-
-

- If you have edited your /etc/sysconfig/sbd file or configured SBD through PCS, then an - RPM upgrade will not pull in the new SBD_SYNC_RESOURCE_STARTUP parameter. In these cases, to - implement this feature you must manually add it from the /etc/sysconfig/sbd.rpmnew file or follow the procedure - described in the Configuration via environment section of - the sbd(8) man page. -

-
-
-

- (BZ#1718324, BZ#1743726) -

-
-
-
-
-
-

5.1.11. Dynamic programming languages, web and database servers

-
-
-
-
-

A new module stream: ruby:2.7

-

- RHEL 8.3 introduces Ruby 2.7.1 in a new ruby:2.7 module stream. - This version provides a number of performance improvements, bug and security fixes, and new - features over Ruby 2.6 distributed with RHEL 8.1. -

-
-

- Notable enhancements include: -

-
-
    -
  • - A new Compaction Garbage Collector (GC) has been introduced. This GC can defragment a - fragmented memory space. -
  • -
  • - Ruby yet Another Compiler-Compiler (Racc) now provides a command-line interface for the - one-token Look-Ahead Left-to-Right – LALR(1) – parser generator. -
  • -
  • - Interactive Ruby Shell (irb), the bundled Read–Eval–Print - Loop (REPL) environment, now supports multi-line editing. -
  • -
  • - Pattern matching, frequently used in functional programming languages, has been - introduced as an experimental feature. -
  • -
  • - Numbered parameter as the default block parameter has been introduced as an experimental - feature. -
  • -
-
-

- The following performance improvements have been implemented: -

-
-
    -
  • - Fiber cache strategy has been changed to accelerate fiber creation. -
  • -
  • - Performance of the CGI.escapeHTML method has been improved. -
  • -
  • - Performance of the Monitor class and MonitorMixin module has been improved. -
  • -
-
-

- In addition, automatic conversion of keyword arguments and positional arguments has been - deprecated. In Ruby 3.0, positional arguments and keyword arguments will be separated. For more - information, see the upstream - documentation. -

-

- To suppress warnings against experimental features, use the -W:no-experimental command-line option. To disable a deprecation - warning, use the -W:no-deprecated command-line option or add Warning[:deprecated] = false to your code. -

-

- To install the ruby:2.7 module stream, use: -

-
# yum module install ruby:2.7
-

- If you want to upgrade from the ruby:2.6 stream, see Switching - to a later stream. -

-

- (BZ#1817135) -

-
-

A new module stream: nodejs:14 -

-

- A new module stream, nodejs:14, is now available. Node.js 14, included in RHEL 8.3, provides numerous new features - and bug and security fixes over Node.js 12 distributed in RHEL - 8.1. -

-
-

- Notable changes include: -

-
-
    -
  • - The V8 engine has been upgraded to version 8.3. -
  • -
  • - A new experimental WebAssembly System Interface (WASI) has been implemented. -
  • -
  • - A new experimental Async Local Storage API has been introduced. -
  • -
  • - The diagnostic report feature is now stable. -
  • -
  • - The streams APIs have been hardened. -
  • -
  • - Experimental modules warnings have been removed. -
  • -
-
-

- With the release of the RHEA-2020:5101 advisory, RHEL 8 - provides Node.js 14.15.0, which is the most recent Long Term - Support (LTS) version with improved stability. -

-

- To install the nodejs:14 module stream, use: -

-
# yum module install nodejs:14
-

- If you want to upgrade from the nodejs:12 stream, see Switching - to a later stream. -

-

- (BZ#1815402, BZ#1891809) -

-
-

git rebased to version 2.27

-

- The git packages have been upgraded to upstream version 2.27. - Notable changes over the previously available version 2.18 include: -

-
-
-
    -
  • -

    - The git checkout command has been split into two - separate commands: -

    -
    -
      -
    • - git switch for managing branches -
    • -
    • - git restore for managing changes within the - directory tree -
    • -
    -
    -
  • -
  • - The behavior of the git rebase command is now based on the - merge workflow by default rather than the previous patch+apply workflow. To preserve the previous behavior, set - the rebase.backend configuration variable to apply. -
  • -
  • - The git difftool command can now be used also outside a - repository. -
  • -
  • - Four new configuration variables, {author,committer}.{name,email}, have been introduced to - override user.{name,email} in more specific cases. -
  • -
  • - Several new options have been added that enable users to configure SSL for communication - with proxies. -
  • -
  • - Handling of commits with log messages in non-UTF-8 character encoding has been improved - in the git fast-export and git fast-import utilities. -
  • -
  • - The lfs extension has been added as a new git-lfs package. Git Large File Storage (LFS) replaces large - files with text pointers inside Git and stores the file - contents on a remote server. -
  • -
-
-

- (BZ#1825114, - BZ#1783391) -

-
-

Changes in Python

-

- RHEL 8.3 introduces the following changes to the python38:3.8 - module stream: -

-
-
-
    -
  • - The Python interpreter has been updated to version 3.8.3, - which provides several bug fixes. -
  • -
  • - The python38-pip package has been updated to version - 19.3.1, and pip now supports installing manylinux2014 wheels. -
  • -
-
-

- Performance of the Python 3.6 interpreter, provided by the python3 packages, has been significantly improved. -

-

- The ubi8/python-27, ubi8/python-36, - and ubi8/python-38 container images now support installing the - pipenv utility from a custom package index or a PyPI mirror if - provided by the customer. Previously, pipenv could only be - downloaded from the upstream PyPI repository, and if the upstream repository was unavailable, - the installation failed. -

-

- (BZ#1847416, BZ#1724996, - BZ#1827623, BZ#1841001) -

-
-

A new module stream: php:7.4

-

- RHEL 8.3 introduces PHP 7.4, which provides a number of bug - fixes and enhancements over version 7.3. -

-
-

- This release introduces a new experimental extension, Foreign Function Interface (FFI), which - enables you to call native functions, access native variables, and create and access data - structures defined in C libraries. The FFI extension is available in the php-ffi package. -

-

- The following extensions have been removed: -

-
-
    -
  • - The wddx extension, removed from php-xml package -
  • -
  • - The recode extension, removed from the php-recode package. -
  • -
-
-

- To install the php:7.4 module stream, use: -

-
# yum module install php:7.4
-

- If you want to upgrade from the php:7.3 stream, see Switching - to a later stream. -

-

- For details regarding PHP usage on RHEL 8, see Using - the PHP scripting language. -

-

- (BZ#1797661) -

-
-

A new module stream: nginx:1.18 -

-

- The nginx 1.18 web and proxy server, which provides a number of - bug fixes, security fixes, new features and enhancements over version 1.16, is now - available. Notable changes include: -

-
-
-
    -
  • - Enhancements to HTTP request rate and connection limiting have been implemented. For - example, the limit_rate and limit_rate_after directives now support variables, including - new $limit_req_status and $limit_conn_status variables. In addition, dry-run mode has - been added for the limit_conn_dry_run and limit_req_dry_run directives. -
  • -
  • - A new auth_delay directive has been added, which enables - delayed processing of unauthorized requests. -
  • -
  • - The following directives now support variables: grpc_pass, - proxy_upload_rate, and proxy_download_rate. -
  • -
  • - Additional PROXY protocol variables have been added, namely $proxy_protocol_server_addr and $proxy_protocol_server_port. -
  • -
-
-

- To install the nginx:1.18 stream, use: -

-
# yum module install nginx:1.18
-

- If you want to upgrade from the nginx:1.16 stream, see Switching - to a later stream. -

-

- (BZ#1826632) -

-
-

A new module stream: perl:5.30 -

-

- RHEL 8.3 introduces Perl 5.30, which provides a number of bug - fixes and enhancements over the previously released Perl 5.26. - The new version also deprecates or removes certain language features. Notable changes with - significant impact include: -

-
-
-
    -
  • - The Math::BigInt::CalcEmu, arybase, and B::Debug modules - have been removed -
  • -
  • - File descriptors are now opened with a close-on-exec flag -
  • -
  • - Opening the same symbol as a file and as a directory handle is no longer allowed -
  • -
  • - Subroutine attributes now must precede subroutine signatures -
  • -
  • - The :locked and :uniq - attributes have been removed -
  • -
  • - Comma-less variable lists in formats are no longer allowed -
  • -
  • - A bare << here-document operator is no longer allowed -
  • -
  • - Certain formerly deprecated uses of an unescaped left brace ({) character in regular expression patterns are no longer - permitted -
  • -
  • - The AUTOLOAD() subroutine can no longer be inherited to - non-method functions -
  • -
  • - The sort pragma no longer allows specifying a sort algorithm -
  • -
  • - The B::OP::terse() subroutine has been replaced by the - B::Concise::b_terse() subroutine -
  • -
  • - The File::Glob::glob() function has been replaced by the - File::Glob::bsd_glob() function -
  • -
  • - The dump() function now must be invoked fully qualified as - CORE::dump() -
  • -
  • - The yada-yada operator (…​) is a statement now, it cannot - be used as an expression -
  • -
  • - Assigning a non-zero value to the $[ variable now returns a - fatal error -
  • -
  • - The $* and $# variables are no - longer allowed -
  • -
  • - Declaring variables using the my() function in a false - condition branch is no longer allowed -
  • -
  • - Using the sysread() and syswrite() functions on the :utf8 handles now returns a fatal error -
  • -
  • - The pack() function no longer returns malformed UTF-8 - format -
  • -
  • - Unicode code points with a value greater than IV_MAX are no - longer allowed -
  • -
  • - Unicode 12.1 is now supported -
  • -
-
-

- To upgrade from an earlier perl module stream, see Switching - to a later stream. -

-

- Perl 5.30 is also available as an s2i-enabled ubi8/perl-530 container image. -

-

- (BZ#1713592, BZ#1732828) -

-
-

A new module stream: perl-libwww-perl:6.34

-

- RHEL 8.3 introduces a new perl-libwww-perl:6.34 module stream, - which provides the perl-libwww-perl package for all versions of - Perl available in RHEL 8. The non-modular perl-libwww-perl package, available since RHEL 8.0, which cannot - be used with other Perl streams than 5.26, has been obsoleted - by the new default perl-libwww-perl:6.34 stream. -

-
-

- (BZ#1781177) -

-
-

A new module stream: perl-IO-Socket-SSL:2.066

-

- A new perl-IO-Socket-SSL:2.066 module stream is now available. - This module provides the perl-IO-Socket-SSL and perl-Net-SSLeay packages and it is compatible with all Perl streams available in RHEL 8. -

-
-

- (BZ#1824222) -

-
-

The squid:4 module stream rebased to - version 4.11

-

- The Squid proxy server, provided by the squid:4 module stream, has been upgraded from version 4.4 to - version 4.11. This release provides multiple bug and security fixes, and various - enhancements, such as new configuration options. -

-
-

- (BZ#1829467) -

-
-

Changes in the httpd:2.4 module - stream

-

- RHEL 8.3 introduces the following notable changes to the Apache HTTP Server, available - through the httpd:2.4 module stream: -

-
-
-
    -
  • - The mod_http2 module rebased to version 1.15.7 -
  • -
  • - Configuration changes in the H2Upgrade and H2Push directives -
  • -
  • - A new H2Padding configuration directive to control padding - of the HTTP/2 payload frames -
  • -
  • - Numerous bug fixes. -
  • -
-
-

- (BZ#1814236) -

-
-

Support for logging to journald from the - CustomLog directive in httpd

-

- It is now possible to output access (transfer) logs to journald - from the Apache HTTP Server by using a new option for the CustomLog directive. -

-
-

- The supported syntax is as follows: -

-
CustomLog journald:priority format|nickname
-

- where priority is any priority string up to debug as used in the LogLevel directive. -

-

- For example, to log to journald using the the combined log format, use: -

-
CustomLog journald:info combined
-

- Note that when using this option, the server performance might be lower than when logging - directly to flat files. -

-

- (BZ#1209162) -

-
-
-
-
-
-

5.1.12. Compilers and development tools

-
-
-
-
-

.NET 5 is now available on RHEL

-

- .NET 5 is available on Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, and OpenShift - Container Platform. .NET 5 includes new language versions: C# 9 and F# 5.0. Significant - performance improvements were made in the base libraries, GC and JIT. .NET 5 has single file - applications, which allows you to distribute .NET applications as a single executable, with - all dependencies included. UBI8 images for .NET 5 are available from Red Hat container - registry and can be used with OpenShift. -

-
-

- To use .NET 5, install the dotnet-sdk-5.0 package: -

-
$ sudo dnf install -y dotnet-sdk-5.0
-

- For more information, see the .NET 5 documentation. -

-

- (BZ#1944677) -

-
-

New GCC Toolset 10

-

- GCC Toolset 10 is a compiler toolset that provides recent versions of development tools. It - is available as an Application Stream in the form of a Software Collection in the AppStream repository. -

-
-

- The GCC compiler has been updated to version 10.2.1, which provides many bug fixes and - enhancements that are available in upstream GCC. -

-

- The following tools and versions are provided by GCC Toolset 10: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 10.2.1 -

-
-

- GDB -

-
-

- 9.2 -

-
-

- Valgrind -

-
-

- 3.16.0 -

-
-

- SystemTap -

-
-

- 4.3 -

-
-

- Dyninst -

-
-

- 10.1.0 -

-
-

- binutils -

-
-

- 2.35 -

-
-

- elfutils -

-
-

- 0.180 -

-
-

- dwz -

-
-

- 0.12 -

-
-

- make -

-
-

- 4.2.1 -

-
-

- strace -

-
-

- 5.7 -

-
-

- ltrace -

-
-

- 0.7.91 -

-
-

- annobin -

-
-

- 9.29 -

-
-
-

- To install GCC Toolset 10, run the following command as root: -

-
# yum install gcc-toolset-10
-

- To run a tool from GCC Toolset 10: -

-
$ scl enable gcc-toolset-10 tool
-

- To run a shell session where tool versions from GCC Toolset 10 override system versions of these - tools: -

-
$ scl enable gcc-toolset-10 bash
-

- For more information, see Using - GCC Toolset. -

-

- The GCC Toolset 10 components are available in the two container images: -

-
-
    -
  • - rhel8/gcc-toolset-10-toolchain, which includes the GCC - compiler, the GDB debugger, and the make automation tool. -
  • -
  • -

    - rhel8/gcc-toolset-10-perftools, which includes the - performance monitoring tools, such as SystemTap and Valgrind. -

    -

    - To pull a container image, run the following command as root: -

    -
    # podman pull registry.redhat.io/<image_name>
    -

    - Note that only the GCC Toolset 10 container images are now supported. Container - images of earlier GCC Toolset versions are deprecated. -

    -
  • -
-
-

- For details regarding the container images, see Using - the GCC Toolset container images. -

-

- (BZ#1842656) -

-
-

Rust Toolset rebased to version 1.45.2

-

- Rust Toolset has been updated to version 1.45.2. Notable changes include: -

-
-
-
    -
  • - The subcommand cargo tree for viewing dependencies is now - included in cargo. -
  • -
  • - Casting from floating point values to integers now produces a clamped cast. Previously, - when a truncated floating point value was out of range for the target integer type the - result was undefined behaviour of the compiler. Non-finite floating point values led to - undefined behaviour as well. With this enhancement, finite values are clamped either to - the minimum or the maximum range of the integer. Positive and negative infinity values - are by default clamped to the maximum and minimum integer respectively, - Not-a-Number(NaN) values to zero. -
  • -
  • - Function-like procedural macros in expressions, patterns, and statements are now - extended and stabilized. -
  • -
-
-

- For detailed instructions regarding usage, see Using Rust - Toolset. -

-

- (BZ#1820593) -

-
-

LLVM Toolset rebased to version 10.0.1

-

- LLVM Toolset has been upgraded to version 10.0.1. With this update, the clang-libs packages no longer include individual component - libraries. As a result, it is no longer possible to link applications against them. To link - applications against the clang libraries, use the libclang-cpp.so package. -

-
-

- For more information, see Using LLVM - Toolset. -

-

- (BZ#1820587) -

-
-

Go Toolset rebased to version 1.14.7

-

- Go Toolset has been upgraded to version 1.14.7 Notable changes include: -

-
-
-
    -
  • - The Go module system is now fully supported. -
  • -
  • - SSL version 3.0 (SSLv3) is no longer supported. Notable Delve debugger enhancements - include: -
  • -
  • - The new command examinemem (or x) for examining raw memory -
  • -
  • - The new command display for printing values of an - expression during each stop of the program -
  • -
  • - The new --tty flag for supplying a Teletypewriter (TTY) for - the debugged program -
  • -
  • - The new coredump support for Arm64 -
  • -
  • - The new ability to print goroutine labels -
  • -
  • - The release of the Debug Adapter Protocol (DAP) server -
  • -
  • - The improved output from dlv trace and trace REPL (read-eval-print-loop) commands -
  • -
-
-

- For more information on Go Toolset, see Using Go - Toolset. -

-

- For more information on Delve, see the upstream Delve documentation. -

-

- (BZ#1820596) -

-
-

SystemTap rebased to version 4.3

-

- The SystemTap instrumentation tool has been updated to version 4.3, which provides multiple - bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Userspace probes can be targeted by hexadecimal buildid - from readelf -n. This alternative to a path name enables - matching binaries to be probed under any name, and thus allows a single script to target - a range of different versions. This feature works well in conjunction with the elfutils - debuginfod server. -
  • -
  • - Script functions can use probe $context variables to access - variables in the probed location, which allows the SystemTap scripts to use common logic - to work with a variety of probes. -
  • -
  • - The stapbpf program improvements, including try-catch - statements, and error probes, have been made to enable proper error tolerance in scripts - running on the BPF backend. -
  • -
-
-

- For further information about notable changes, read the upstream release - notes before updating. -

-

- (BZ#1804319) -

-
-

Valgrind rebased to version 3.16.0

-

- The Valgrind executable code analysis tool has been updated to version 3.16.0, which - provides a number of bug fixes and enhancements over the previous version: -

-
-
-
    -
  • - It is now possible to dynamically change the value of many command-line options while - your program is running under Valgrind: through vgdb, - through a gdb connected to the Valgrind gdbserver, or - through program client requests. To get a list of dynamically changeable options, run - the valgrind --help-dyn-options command. -
  • -
  • - For the Cachegrind (cg_annotate) and Callgrind (callgrind_annotate) tools the --auto and --show-percs options - now default to yes. -
  • -
  • - The Memcheck tool produces fewer false positive errors on optimized code. In particular, - Memcheck now better handles the case when the compiler transformed an A && B check into B && A, where B could be - undefined and A was false. Memcheck also better handles - integer equality checks and non-equality checks on partially defined values. -
  • -
  • - The experimental Stack and Global Array Checking tool (exp-sgcheck) has been removed. An alternative for detecting - stack and global array overruns is using the AddressSanitizer (ASAN) facility of GCC, - which requires you to rebuild your code with the -fsanitize=address option. -
  • -
-
-

- (BZ#1804324) -

-
-

elfutils rebased to version 0.180 -

-

- The elfutils package has been updated to version 0.180, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Better support for debug info for code built with GCC LTO (link time optimization). The - eu-readelf and libdw utilities - now can read and handle .gnu.debuglto_ sections, and - correctly resolve file names for functions that are defined across CUs (compile units). -
  • -
  • - The eu-nm utility now explicitly identifies weak objects as - V and common symbols as C. -
  • -
  • - The debuginfod server can now index .deb archives and has a generic extension to add other - package archive formats using the -Z EXT[=CMD] option. For - example -Z '.tar.zst=zstdcat' indicates that archives - ending with the .tar.zst extension should be unpacked using - the zstdcat utility. -
  • -
  • - The debuginfo-client tool has several new helper functions, - such as debuginfod_set_user_data, debuginfod_get_user_data, debuginfod_get_url and debuginfod_add_http_header. It also supports file:// URLs now. -
  • -
-
-

- (BZ#1804321) -

-
-

GDB now supports process record and replay on IBM z15

-

- With this enhancement, the GNU Debugger (GDB) now supports process record and replay with - most of the new instructions of the IBM z15 processor (previously known as arch13). Note - that the following instructions are currently not supported: SORTL (sort lists), DFLTCC - (deflate conversion call), KDSA (compute digital signature authentication). -

-
-

- (BZ#1659535) -

-
-

Marvell ThunderX2 performance monitoring events have been updated in - papi

-

- With this enhancement, a number of performance events specific to ThunderX2, including - uncore events, have been updated. As a result, developers can better investigate system - performance on Marvell ThunderX2 systems. -

-
-

- (BZ#1726070) -

-
-

The glibc math library is now optimized - for IBM Z

-

- With this enhancement, the libm math functions were optimized - to improve performance on IBM Z machines. Notable changes include: -

-
-
-
    -
  • - improved rounding mode handling to avoid superfluous floating point control register - sets and extracts -
  • -
  • - exploitation of conversion between z196 integer and float -
  • -
-
-

- (BZ#1780204) -

-
-

An additional libffi-specific temporary directory is available - now

-

- Previously on hardened systems, the system-wide temporary directories may not have had - permissions suitable for use with the libffi library. -

-
-

- With this enhancement, system administrators can now set the LIBFFI_TMPDIR environment variable to point to a libffi-specific - temporary directory with both write and exec mount or selinux permissions. -

-

- (BZ#1723951) -

-
-

Improved performance of strstr() and strcasestr()

-

- With this update, the performance of the strstr() and strcasestr() functions has been improved across several supported - architectures. As a result, users now benefit from significantly better performance of all - applications using string and memory manipulation routines. -

-
-

- (BZ#1821531) -

-
-

glibc now handles loading of a truncated - locale archive correctly

-

- If the archive of system locales has been previously truncated, either due to a power outage - during upgrade or a disk failure, a process could terminate unexpectedly when loading the - archive. This enhancement adds additional consistency checks to the loading of the locale - archive. As a result, processes are now able to detect archive truncation and fall back to - either non-archive installed locales or the default POSIX locale. -

-
-

- (BZ#1784525) -

-
-

GDB now supports debuginfod

-

- With this enhancement, the GNU Debugger (GDB) can now download debug information packages - from centralized servers on demand using the elfutils debuginfod client library. -

-
-

- (BZ#1838777) -

-
-

pcp rebased to version 5.1.1-3 -

-

- The pcp package has been upgraded to version 5.1.1-3. Notable - changes include: -

-
-
-
    -
  • - Updated service units and improved systemd integration and - reliability for all the PCP services. Improved archive log rotation and more timely - compression. Archived discovery bug fixes in the pmproxy - protocol. -
  • -
  • - Improved pcp-atop, pcp-dstat, - pmrep, and related monitor tools along with metric labels - reporting in the pmrep and export tools. -
  • -
  • - Improved bpftrace, OpenMetrics, MMV, the Linux kernel agent, and other - collection agents. New metric collectors for the Open vSwitch and RabbitMQ - servers. -
  • -
  • - New host discovery pmfind systemd service, which replaces - the standalone pmmgr daemon. -
  • -
-
-

- (BZ#1792971) -

-
-

grafana rebased to version 6.7.3 -

-

- The grafana package has been upgraded to version 6.7.3. Notable - changes include: -

-
-
-
    -
  • - Generic OAuth role mapping support -
  • -
  • - A new logs panel -
  • -
  • - Multi-line text display in the table panel -
  • -
  • - A new currency and energy units -
  • -
-
-

- (BZ#1807323) -

-
-

grafana-pcp rebased to version - 2.0.2

-

- The grafana-pcp package has been upgraded to version 2.0.2. - Notable changes include: -

-
-
-
    -
  • - Supports the multidimensional eBPF maps to be graphed in - the flamegraph. -
  • -
  • - Removes an auto-completion cache in the query editor, so that the PCP metrics can appear - dynamically. -
  • -
-
-

- (BZ#1807099) -

-
-

A new rhel8/pcp container image -

-

- The rhel8/pcp container image is now available in the Red Hat - Container Registry. The image contains the Performance Co-Pilot (PCP) toolkit, which - includes preinstalled pcp-zeroconf package and the OpenMetrics PMDA. -

-
-

- (BZ#1497296) -

-
-

A new rhel8/grafana container - image

-

- The rhel8/grafana container image is now available in the Red - Hat Container Registry. Grafana is an open source utility with metrics dashboard, and graph - editor for the Graphite, Elasticsearch, OpenTSDB, Prometheus, InfluxDB, and PCP monitoring tool. -

-
-

- (BZ#1823834) -

-
-
-
-
-
-

5.1.13. Identity Management

-
-
-
-
-

IdM backup utility now checks for required replica roles

-

- The ipa-backup utility now checks if all of the services used - in the IdM cluster, such as a Certificate Authority (CA), Domain Name System (DNS), and Key - Recovery Agent (KRA) are installed on the replica where you are running the backup. If the - replica does not have all these services installed, the ipa-backup utility exits with a warning, because backups taken on - that host would not be sufficient for a full cluster restoration. -

-
-

- For example, if your IdM deployment uses an integrated Certificate Authority (CA), a backup run - on a non-CA replica will not capture CA data. Red Hat recommends verifying that the replica - where you perform an ipa-backup has all of the IdM services used in - the cluster installed. -

-

- For more information, see Preparing - for data loss with IdM backups. -

-

- (BZ#1810154) -

-
-

New password expiration notification tool

-

- Expiring Password Notification (EPN), provided by the ipa-client-epn package, is a standalone tool you can use to build - a list of Identity Management (IdM) users whose passwords are expiring soon. -

-
-

- IdM administrators can use EPN to: -

-
-
    -
  • - Display a list of affected users in JSON format, which is calculated at runtime -
  • -
  • - Calculate how many emails will be sent for a given day or date range -
  • -
  • - Send password expiration email notifications to users -
  • -
-
-

- Red Hat recommends launching EPN once a day from an IdM client or replica with the included - ipa-epn.timer systemd timer. -

-

- (BZ#913799) -

-
-

JSS now provides a FIPS-compliant SSLContext

-

- Previously, Tomcat used the SSLEngine directive from the Java Cryptography Architecture - (JCA) SSLContext class. The default SunJSSE implementation is not compliant with the Federal - Information Processing Standard (FIPS), therefore PKI now provides a FIPS-compliant - implementation via JSS. -

-
-

- (BZ#1821851) -

-
-

Checking the overall health of your public key infrastructure is now - available

-

- With this update, the public key infrastructure (PKI) Healthcheck tool reports the health of - the PKI subsystem to the Identity Management (IdM) Healthcheck tool, which was introduced in - RHEL 8.1. Executing the IdM Healthcheck invokes the PKI Healthcheck, which collects and - returns the health report of the PKI subsystem. -

-
-

- The pki-healthcheck tool is available on any deployed RHEL IdM - server or replica. All the checks provided by pki-healthcheck are - also integrated into the ipa-healthcheck tool. ipa-healthcheck can be installed separately from the idm:DL1 module stream. -

-

- Note that pki-healthcheck can also work in a standalone Red Hat - Certificate System (RHCS) infrastructure. -

-

- (BZ#1770322) -

-
-

Support for RSA PSS

-

- With this enhancement, PKI now supports the RSA PSS (Probabilistic Signature Scheme) signing - algorithm. -

-
-

- To enable this feature, set the following line in the pkispawn - script file for a given subsystem: pki_use_pss_rsa_signing_algorithm=True -

-

- As a result, all existing default signing algorithms for this subsystem (specified in its CS.cfg configuration file) will use the corresponding PSS version. - For example, SHA256withRSA becomes SHA256withRSA/PSS -

-

- (BZ#1824948) -

-
-

Directory Server exports the private key and certificate to a private - name space when the service starts

-

- Directory Server uses OpenLDAP libraries for outgoing connections, such as replication - agreements. Because these libraries cannot access the network security services (NSS) - database directly, Directory Server extracts the private key and certificates from the NSS - database on instances with TLS encryption support to enable the OpenLDAP libraries to - establish encrypted connections. Previously, Directory Server extracted the private key and - certificates to the directory set in the nsslapd-certdir - parameter in the cn=config entry (default: /etc/dirsrv/slapd-<instance_name>/). As a consequence, - Directory Server stored the Server-Cert-Key.pem and Server-Cert.pem in this directory. With this enhancement, - Directory Server extracts the private key and certificate to a private name space that systemd mounts to the /tmp/ - directory. As a result, the security has been increased. -

-
-

- (BZ#1638875) -

-
-

Directory Server can now turn an instance to read-only mode if the disk - monitoring threshold is reached

-

- This update adds the nsslapd-disk-monitoring-readonly-on-threshold parameter to the - cn=config entry. If you enable this setting, Directory Server - switches all databases to read-only if disk monitoring is enabled and the free disk space is - lower than the value you configured in nsslapd-disk-monitoring-threshold. With nsslapd-disk-monitoring-readonly-on-threshold set to on, the databases cannot be modified until Directory Server - successfully shuts down the instance. This can prevent data corruption. -

-
-

- (BZ#1728943) -

-
-

samba rebased to version - 4.12.3

-

- The samba packages have been upgraded to upstream - version 4.12.3, which provides a number of bug fixes and enhancements over the previous - version: -

-
-
-
    -
  • - Built-in cryptography functions have been replaced with GnuTLS functions. This improves - the server message block version 3 (SMB3) performance and copy speed significantly. -
  • -
  • - The minimum runtime support is now Python 3.5. -
  • -
  • - The write cache size parameter has been removed because the - previous write cache concept could reduce the performance on memory-constrained systems. -
  • -
  • - Support for authenticating connections using Kerberos tickets with DES encryption types - has been removed. -
  • -
  • - The vfs_netatalk virtual file system (VFS) module has been - removed. -
  • -
  • - The ldap ssl ads parameter is marked as deprecated and will - be removed in a future Samba version. For information about how to alternatively encrypt - LDAP traffic and further details, see the samba: removal of "ldap ssl ads" - smb.conf option solution. -
  • -
  • - By default, Samba on RHEL 8.3 no longer supports the deprecated RC4 cipher suite. If you - run Samba as a domain member in an AD that still requires RC4 for Kerberos - authentication, use the update-crypto-policies --set DEFAULT:AD-SUPPORT command to - enable support for the RC4 encryption type. -
  • -
-
-

- Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting - Samba. Note that Red Hat does not support downgrading tdb database - files. -

-

- For further information about notable changes, read the upstream release notes - before updating. -

-

- (BZ#1817557) -

-
-

cockpit-session-recording rebased to version 4

-

- The cockpit-session-recording module has been rebased to - version 4. This version provides following notable changes over the previous version: -

-
-
-
    -
  • - Updated parent id in the metainfo file. -
  • -
  • - Updated package manifest. -
  • -
  • - Fixed rpmmacro to resolve correct path on CentOS7. -
  • -
  • - Handled byte-array encoded journal data. -
  • -
  • - Moved code out of deprecated React lifecycle functions. -
  • -
-
-

- (BZ#1826516) -

-
-

krb5 rebased to version 1.18.2 -

-

- The krb5 packages have been upgraded to upstream version - 1.18.2. Notable fixes and enhancements include: -

-
-
-
    -
  • - Single- and triple-DES encryption types have been removed. -
  • -
  • - Draft 9 PKINIT has been removed as it is not needed for any of the supported versions of - Active Directory. -
  • -
  • - NegoEx mechanism plug-ins are now supported. -
  • -
  • - Hostname canonicalization fallback is now supported (dns_canonicalize_hostname = fallback). -
  • -
-
-

- (BZ#1802334) -

-
-

IdM now supports new Ansible management modules

-

- This update introduces several ansible-freeipa modules for - automating common Identity Management (IdM) tasks using Ansible playbooks: -

-
-
-
    -
  • - The config module allows setting global configuration - parameters within IdM. -
  • -
  • - The dnsconfig module allows modifying global DNS - configuration. -
  • -
  • - The dnsforwardzone module allows adding and removing DNS - forwarders from IdM. -
  • -
  • - The dnsrecord allows the management of DNS records. In - contrast to the upstream ipa_dnsrecord, it allows multiple - record management in one execution, and it supports more record types. -
  • -
  • - The dnszone module allows configuring zones in the DNS - server. -
  • -
  • - The service module allows ensuring the presence and absence - of services. -
  • -
  • - The vault module allows ensuring the presence and absence - of vaults and of the members of vaults. -
  • -
-
-

- Note that the ipagroup and ipahostgroup modules have been extended to include user and host - group membership managers, respectively. A group membership manager is a user or a group that - can add members to a group or remove members from a group. For more information, see the Variables sections of the respective /usr/share/doc/ansible-freeipa/README-* files. -

-

- (JIRA:RHELPLAN-49954) -

-
-

IdM now supports a new Ansible system role for certificate - management

-

- Identity Management (IdM) supports a new Ansible system role for automating certificate - management tasks. The new role includes the following benefits: -

-
-
-
    -
  • - The role helps automate the issuance and renewal of certificates. -
  • -
  • - The role can be configured to have the ipa certificate - authority issue your certificates. In this way, you can use your existing IdM - infrastructure to manage the certificate trust chain. -
  • -
  • - The role allows you to specify the commands to be executed before and after a - certificate is issued, for example the stopping and starting of services. -
  • -
-
-

- (JIRA:RHELPLAN-50002) -

-
-

Identity Management now supports FIPS

-

- With this enhancement, you can now use encryption types that are approved by the Federal - Information Processing Standard (FIPS) with the authentication mechanisms in Identity - Management (IdM). Note that a cross-forest trust between IdM and Active Directory is not - FIPS compliant. -

-
-

- Customers who require FIPS but do not require an AD trust can now install IdM in FIPS mode. -

-

- (JIRA:RHELPLAN-43531) -

-
-

OpenDNSSEC in idm:DL1 rebased to version - 2.1

-

- The OpenDNSSEC component of the idm:DL1 module stream has been - upgraded to the 2.1 version series, which is the current long term upstream support version. - OpenDNSSEC is an open source project driving the adoption of Domain Name System Security - Extensions (DNSSEC) to further enhance Internet security. OpenDNSSEC 2.1 provides a number - of bug fixes and enhancements over the previous version. For more information, read the - upstream release notes: https://www.opendnssec.org/archive/releases/ -

-
-

- (JIRA:RHELPLAN-48838) -

-
-

IdM now supports the deprecated RC4 cipher suite with a new system-wide - cryptographic subpolicy

-

- This update introduces the new AD-SUPPORT cryptographic - subpolicy that enables the Rivest Cipher 4 (RC4) cipher suite in Identity Management (IdM). -

-
-

- As an administrator in the context of IdM-Active Directory (AD) cross-forest trusts, you can - activate the new AD-SUPPORT subpolicy when AD is not configured to - use Advanced Encryption Standard (AES). More specifically, Red Hat recommends enabling the new - subpolicy if one of the following conditions applies: -

-
-
    -
  • - The user or service accounts in AD have RC4 encryption keys and lack AES encryption - keys. -
  • -
  • - The trust links between individual Active Directory domains have RC4 encryption keys and - lack AES encryption keys. -
  • -
-
-

- To enable the AD-SUPPORT subpolicy in addition to the DEFAULT cryptographic policy, enter: -

-
 # update-crypto-policies --set DEFAULT:AD-SUPPORT
-

- Alternatively, to upgrade trusts between AD domains in an AD forest so that they support strong - AES encryption types, see the following Microsoft article: AD - DS: Security: Kerberos "Unsupported etype" error when accessing a resource in a trusted - domain. -

-

- (BZ#1851139) -

-
-

Adjusting to new Microsoft LDAP channel binding and LDAP signing - requirements

-

- With recent Microsoft updates, Active Directory (AD) flags the clients that do not use the - default Windows settings for LDAP channel binding and LDAP signing. As a consequence, RHEL - systems that use the System Security Services Daemon (SSSD) for direct or indirect - integration with AD might trigger error Event IDs in AD upon successful Simple - Authentication and Security Layer (SASL) operations that use the Generic Security Services - Application Program Interface (GSSAPI). -

-
-

- To prevent these notifications, configure client applications to use the Simple and Protected - GSSAPI Negotiation Mechanism (GSS-SPNEGO) SASL mechanism instead of GSSAPI. To configure SSSD, - set the ldap_sasl_mech option to GSS-SPNEGO. -

-

- Additionally, if channel binding is enforced on the AD side, configure any systems that use SASL - with SSL/TLS in the following way: -

-
-
    -
  1. - Install the latest versions of the cyrus-sasl, openldap and krb5-libs packages - that are shipped with RHEL 8.3 and later. -
  2. -
  3. - In the /etc/openldap/ldap.conf file, specify the correct - channel binding type by setting the SASL_CBINDING option to - tls-endpoint. -
  4. -
-
-

- For more information, see Impact of Microsoft Security Advisory - ADV190023 | LDAP Channel Binding and LDAP Signing on RHEL and AD integration. -

-

- (BZ#1873567) -

-
-

SSSD, adcli, and realmd now support the deprecated RC4 cipher suite - with a new system-wide cryptographic subpolicy

-

- This update introduces the new AD-SUPPORT cryptographic - subpolicy that enables the Rivest Cipher 4 (RC4) cipher suite for the following utilities: -

-
-
-
    -
  • - the System Security Services Daemon (SSSD) -
  • -
  • - adcli -
  • -
  • - realmd -
  • -
-
-

- As an administrator, you can activate the new AD-SUPPORT subpolicy - when Active Directory (AD) is not configured to use Advanced Encryption Standard (AES) in the - following scenarios: -

-
-
    -
  • - SSSD is used on a RHEL system connected directly to AD. -
  • -
  • - adcli is used to join an AD domain or to update host - attributes, for example the host key. -
  • -
  • - realmd is used to join an AD domain. -
  • -
-
-

- Red Hat recommends enabling the new subpolicy if one of the following conditions applies: -

-
-
    -
  • - The user or service accounts in AD have RC4 encryption keys and lack AES encryption - keys. -
  • -
  • - The trust links between individual Active Directory domains have RC4 encryption keys and - lack AES encryption keys. -
  • -
-
-

- To enable the AD-SUPPORT subpolicy in addition to the DEFAULT cryptographic policy, enter: -

-
 # update-crypto-policies --set DEFAULT:AD-SUPPORT
-

- (BZ#1866695) -

-
-

authselect has a new minimal profile

-

- The authselect utility has a new minimal profile. You can use this profile to serve only local - users and groups directly from system files instead of using other authentication providers. - Therefore, you can safely remove the SSSD, winbind, and fprintd packages and - can use this profile on systems that require minimal installation to save disk and memory - space. -

-
-

- (BZ#1654018) -

-
-

SSSD now updates Samba’s secrets.tdb file - when rotating a password

-

- A new ad_update_samba_machine_account_password option in the - sssd.conf file is now available in RHEL. You can use it to set - SSSD to automatically update the Samba secrets.tdb file when - rotating a machine’s domain password while using Samba. -

-
-

- However, if SELinux is in enforcing mode, SSSD fails to update the secrets.tdb file. Consequently, Samba does not have access to the new - password. To work around this problem, set SELinux to permissive mode. -

-

- (BZ#1793727) -

-
-

SSSD now enforces AD GPOs by default

-

- The default setting for the SSSD option ad_gpo_access_control - is now enforcing. In RHEL 8, SSSD enforces access control rules - based on Active Directory Group Policy Objects (GPOs) by default. -

-
-

- Red Hat recommends ensuring GPOs are configured correctly in Active Directory before upgrading - from RHEL 7 to RHEL 8. If you would not like to enforce GPOs, change the value of the ad_gpo_access_control option in the /etc/sssd/sssd.conf file to permissive. -

-

- (JIRA:RHELPLAN-51289) -

-
-

Directory Server now supports the pwdReset - operation attribute

-

- This enhancement adds support for the pwdReset operation - attribute to Directory Server. When an administrator changes the password of a user, - Directory Server sets pwdReset in the user’s entry to true. As a result, applications can use this attribute to - identify if a password of a user has been reset by an administrator. -

-
-

- Note that pwdReset is an operational attribute and, therefore, - users cannot edit it. -

-

- (BZ#1775285) -

-
-

Directory Server now logs the work and operation time in RESULT entries

-

- With this update, Directory Server now logs two additional time values in RESULT`entries in the `/var/log/dirsrv/slapd-<instance_name>/access - file: -

-
-
-
    -
  • - The wtime value indicates how long it took for an operation - to move from the work queue to a worker thread. -
  • -
  • - The optime value shows the time the actual operation took - to be completed once a worker thread started the operation. -
  • -
-
-

- The new values provide additional information about how the Directory Server handles load and - processes operations. -

-

- For further details, see the Access - Log Reference section in the Red Hat Directory Server Configuration, Command, and File - Reference. -

-

- (BZ#1850275) -

-
-
-
-
-
-

5.1.14. Desktop

-
-
-
-
-

Single-application session is now available

-

- You can now start GNOME in a single-application session, also known as kiosk mode. In this - session, GNOME displays only a full-screen window of an application that you have - configured. -

-
-

- To enable the single-application session: -

-
-
    -
  1. -

    - Install the gnome-session-kiosk-session package: -

    -
    # yum install gnome-session-kiosk-session
    -
  2. -
  3. -

    - Create and edit the $HOME/.local/bin/redhat-kiosk file - of the user that will open the single-application session. -

    -

    - In the file, enter the executable name of the application that you want to launch. -

    -

    - For example, to launch the Text - Editor application: -

    -
    #!/bin/sh
    -
    -gedit &
    -
  4. -
  5. -

    - Make the file executable: -

    -
    $ chmod +x $HOME/.local/bin/redhat-kiosk
    -
  6. -
  7. - At the GNOME login screen, select the Kiosk session from the cogwheel button - menu and log in as the single-application user. -
  8. -
-
-

- (BZ#1739556) -

-
-

tigervnc has been rebased to version 1.10.1

-

- The tigervnc suite has been rebased to version 1.10.1. The - update contains number of fixes and improvements. Most notably: -

-
-
-
    -
  • - tigervnc now only supports starting of the virtual network computing (VNC) server using - the systemd service manager. -
  • -
  • - The clipboard now supports full Unicode in the native viewer, WinVNC and Xvnc/libvnc.so. -
  • -
  • - The native client will now respect the system trust store when verifying server - certificates. -
  • -
  • - The Java web server has been removed. -
  • -
  • - x0vncserver can now be configured to only allow local - connections. -
  • -
  • - x0vncserver has received fixes for when only part of the - display is shared. -
  • -
  • - Polling is now default in WinVNC. -
  • -
  • - Compatibility with VMware’s VNC server has been improved. -
  • -
  • - Compatibility with some input methods on macOS has been improved. -
  • -
  • - Automatic "repair" of JPEG artefacts has been improved. -
  • -
-
-

- (BZ#1806992) -

-
-
-
-
-
-

5.1.15. Graphics infrastructures

-
-
-
-
-

Support for new graphics cards

-

- The following graphics cards are now fully supported: -

-
-
-
    -
  • -

    - The AMD Navi 14 family, which includes the following models: -

    -
    -
      -
    • - Radeon RX 5300 -
    • -
    • - Radeon RX 5300 XT -
    • -
    • - Radeon RX 5500 -
    • -
    • - Radeon RX 5500 XT -
    • -
    -
    -
  • -
  • -

    - The AMD Renoir APU family, which includes the following models: -

    -
    -
      -
    • - Ryzen 3 4300U -
    • -
    • - Ryzen 5 4500U, 4600U, and 4600H -
    • -
    • - Ryzen 7 4700U, 4800U, and 4800H -
    • -
    -
    -
  • -
  • -

    - The AMD Dali APU family, which includes the following models: -

    -
    -
      -
    • - Athlon Silver 3050U -
    • -
    • - Athlon Gold 3150U -
    • -
    • - Ryzen 3 3250U -
    • -
    -
    -
  • -
-
-

- Additionally, the following graphics drivers have been updated: -

-
-
    -
  • - The Matrox mgag200 driver -
  • -
-
-

- (JIRA:RHELPLAN-55009) -

-
-

Hardware acceleration with Nvidia Volta and Turing

-

- The nouveau graphics driver now supports hardware acceleration - with the Nvidia Volta and Turing GPU families. As a result, the desktop and applications - that use 3D graphics now render efficiently on the GPU. Additionally, this frees the CPU for - other tasks and improves the overall system responsiveness. -

-
-

- (JIRA:RHELPLAN-57564) -

-
-

Reduced display tearing on XWayland

-

- The XWayland display back end now enables the XPresent extension. Using XPresent, - applications can efficiently update their window content, which reduces display tearing. -

-
-

- This feature significantly improves the user interface rendering of full-screen OpenGL - applications, such as 3D editors. -

-

- (JIRA:RHELPLAN-57567) -

-
-

Intel Tiger Lake GPUs are now supported

-

- This update adds support for the Intel Tiger Lake family of GPUs. This includes Intel UHD - Graphics and Intel Xe GPUs found with the following CPU models: https://ark.intel.com/content/www/us/en/ark/products/codename/88759/tiger-lake.html. -

-
-

- You no longer have to set the i915.alpha_support=1 or i915.force_probe=* kernel option to enable Tiger Lake GPU support. -

-

- This enhancement was released as part of the RHSA-2021:0558 asynchronous - advisory. -

-

- (BZ#1882620) -

-
-
-
-
-
-

5.1.16. The web console

-
-
-
-
-

Setting privileges from within the web console session

-

- With this update the web console provides an option to switch between administrative access - and limited access from inside of a user session. You can switch between the modes by - clicking the Administrative access or - Limited access indicator in your web - console session. -

-
-

- (JIRA:RHELPLAN-42395) -

-
-

Improvements to logs searching

-

- With this update, the web console introduces a search box that supports several new ways of - how the users can search among logs. The search box supports regular expression searching in - log messages, specifying service or searching for entries with specific log fields. -

-
-

- (BZ#1710731) -

-
-

Overview page shows more detailed Insights reports

-

- With this update, when a machine is connected to Red Hat Insights, the Health card in the Overview page in the web console shows - more detailed information about number of hits and their priority. -

-
-

- (JIRA:RHELPLAN-42396) -

-
-
-
-
-
-

5.1.17. Red Hat Enterprise Linux system roles

-
-
-
-
-

Terminal log role added to RHEL - system roles

-

- With this enhancement, a new Terminal log (TLOG) role - has been added to RHEL system roles shipped with the rhel-system-roles package. Users can now use the tlog role to setup and configure session recording using Ansible. -

-
-

- Currently, the tlog role supports the following tasks: -

-
-
    -
  • - Configure tlog to log recording data to the systemd journal -
  • -
  • - Enable session recording for explicit users and groups, via SSSD -
  • -
-
-

- (BZ#1822158) -

-
-

RHEL Logging system role is now available for Ansible

-

- With the Logging system role, you can deploy various logging configurations consistently on - local and remote hosts. You can configure a RHEL host as a server to collect logs from many - client systems. -

-
-

- (BZ#1677739) -

-
-

rhel-system-roles-sap fully - supported

-

- The rhel-system-roles-sap package, previously available as a - Technology Preview, is now fully supported. It provides Red Hat Enterprise Linux (RHEL) - system roles for SAP, which can be used to automate the configuration of a RHEL system to - run SAP workloads. These roles greatly reduce the time to configure a system to run SAP - workloads by automatically applying the optimal settings that are based on best practices - outlined in relevant SAP Notes. Access is limited to RHEL for SAP Solutions offerings. - Please contact Red Hat Customer Support if you need assistance with your subscription. -

-
-

- The following new roles in the rhel-system-roles-sap package are - fully supported: -

-
-
    -
  • - sap-preconfigure -
  • -
  • - sap-netweaver-preconfigure -
  • -
  • - sap-hana-preconfigure -
  • -
-
-

- For more information, see Red - Hat Enterprise Linux system roles for SAP. -

-

- (BZ#1660832) -

-
-

The metrics RHEL system role is now - available for Ansible.

-

- With the metrics RHEL system role, you can configure, for local - and remote hosts: -

-
-
-
    -
  • - performance analysis services via the pcp application -
  • -
  • - visualisation of this data using a grafana server -
  • -
  • - querying of this data using the redis data source without - having to manually configure these services separately. -
  • -
-
-

- (BZ#1890499) -

-
-

rhel-system-roles-sap - upgraded

-

- The rhel-system-roles-sap - packages have been upgraded to upstream version 2.0.0, which provides multiple bug fixes and - enhancements. Notable changes include: -

-
-
-
    -
  • - Improve hostname configuration and checking -
  • -
  • - Improve uuidd status detection and handling -
  • -
  • - Add support for the --check (-c) option -
  • -
  • - Increase nofile limits from 32800 to 65536 -
  • -
  • - Add the nfs-utils file to sap_preconfigure_packages* -
  • -
  • - Disable firewalld. With this change we disable firewalld only when it is installed. -
  • -
  • - Add minimum required versions of the setup package for RHEL - 8.0 and RHEL 8.1. -
  • -
  • - Improve the tmpfiles.d/sap.conf file handling -
  • -
  • - Support single step execution or checking of SAP notes -
  • -
  • - Add the required compat-sap-c++ packages -
  • -
  • - Improve minimum package installation handling -
  • -
  • - Detect if a reboot is required after applying the RHEL system roles -
  • -
  • - Support setting any SElinux state. Default state is "disabled" -
  • -
  • - No longer fail if there is more than one line with identical IP addresses -
  • -
  • - No longer modify /etc/hosts if there is more than one line - containing sap_ip -
  • -
  • - Support for HANA on RHEL 7.7 -
  • -
  • - Support for adding a repository for the IBM service and productivity tools for Power, - required for SAP HANA on the ppc64le platform -
  • -
-
-

- (BZ#1844190) -

-
-

The storage RHEL system role now supports - file system management

-

- With this enhancement, administrators can use the storage RHEL - system role to: -

-
-
-
    -
  • - resize an ext4 file -
  • -
  • - resize a LVM file -
  • -
  • - create a swap partition, if it does not exist, or to modify the swap partition, if it - already exists, on a block device using the default parameters. -
  • -
-
-

- (BZ#1959289) -

-
-
-
-
-
-

5.1.18. Virtualization

-
-
-
-
-

Migrating a virtual machine to a host with incompatible TSC setting now - fails faster

-

- Previously, migrating a virtual machine to a host with incompatible Time Stamp Counter (TSC) - setting failed late in the process. With this update, attempting such a migration generates - an error before the migration process starts. -

-
-

- (JIRA:RHELPLAN-45950) -

-
-

Virtualization support for 2nd generation AMD EPYC processors -

-

- With this update, virtualization on RHEL 8 adds support for the 2nd generation AMD EPYC - processors, also known as EPYC Rome. As a result, virtual machines hosted on RHEL 8 can now - use the EPYC-Rome CPU model and utilise new features that the - processors provide. -

-
-

- (JIRA:RHELPLAN-45959) -

-
-

New command: virsh iothreadset

-

- This update introduces the virsh iothreadset command, which can - be used to configure dynamic IOThread polling. This makes it possible to set up virtual - machines with lower latencies for I/O-intensive workloads at the expense of greater CPU - consumption for the IOThread. For specific options, see the virsh man page. -

-
-

- (JIRA:RHELPLAN-45958) -

-
-

UMIP is now supported by KVM on 10th generation Intel Core - processors

-

- With this update, the User-mode Instruction Prevention (UMIP) feature is now supported by - KVM for hosts running on 10th generation Intel Core processors, also known as Ice Lake - Servers. The UMIP feature issues a general protection exception if certain instructions, - such as sgdt, sidt, sldt, smsw, and str, are executed when the Current Privilege Level (CPL) is - greater than 0. As a result, UMIP ensures system security by preventing unauthorized - applications from accessing certain system-wide settings which can be used to initiate - privilege escalation attacks. -

-
-

- (JIRA:RHELPLAN-45957) -

-
-

The libvirt library now supports Memory - Bandwidth Allocation

-

- libvirt now supports Memory Bandwidth Allocation (MBA). With - MBA, you can allocate parts of host memory bandwidth in vCPU threads by using the <memorytune> element in the <cputune> section. -

-
-

- MBA is an extension of the existing Cache QoS Enforcement (CQE) feature found in the Intel Xeon - v4 processors, also known as Broadwell server. For tasks that are associated with the CPU - affinity, the mechanism used by MBA is the same as in CQE. -

-

- (JIRA:RHELPLAN-45956) -

-
-

RHEL 6 virtual machines now support the Q35 machine type

-

- Virtual machines (VMs) hosted on RHEL 8 that use RHEL 6 as their guest OS can now use Q35, a - more modern PCI Express-based machine type. This provides a variety of improvements in - features and performance of virtual devices, and ensures that a wider range of modern - devices are compatible with RHEL 6 VMs. -

-
-

- (JIRA:RHELPLAN-45952) -

-
-

All logged QEMU events now have a time stamp. As a result, users can - more easily troubleshoot their virtual machines using logs saved in the /var/log/libvirt/qemu/ directory.

-

- QEMU logs now include time stamps for spice-server events -

-
-

- This update adds time stamps to`spice-server` event logs. Therefore, all logged QEMU events now - have a time stamp. As a result, users can more easily troubleshoot their virtual machines using - logs saved in the /var/log/libvirt/qemu/ directory. -

-

- (JIRA:RHELPLAN-45945) -

-
-

The bochs-display device is now - supported

-

- RHEL 8.3 and later introduce the Bochs display device, which is more secure than the - currently used stdvga device. Note that all virtual machines - (VMs) compatible with bochs-display will use it by default. - This mainly includes VMs that use the UEFI interface. -

-
-

- (JIRA:RHELPLAN-45939) -

-
-

Optimized MDS protection for virtual machines

-

- With this update, a RHEL 8 host can inform its virtual machines (VMs) whether they are - vulnerable to Microarchitectural Data - Sampling (MDS). VMs that are not vulnerable do not use measures against MDS, which - improves their performance. -

-
-

- (JIRA:RHELPLAN-45937) -

-
-

Creating QCOW2 disk images on RBD now supported

-

- With this update, it is possible to create QCOW2 disk images on RADOS Block Device (RBD) - storage. As a result, virtual machines can use RBD servers for their storage back ends with - QCOW2 images. -

-
-

- Note, however, that the write performance of QCOW2 disk images on RBD storage is currently lower - than intended. -

-

- (JIRA:RHELPLAN-45936) -

-
-

Maximum supported VFIO devices increased to 64

-

- With this update, you can attach up to 64 PCI devices that use VFIO to a single virtual - machine on a RHEL 8 host. This is up from 32 in RHEL 8.2 and prior. -

-
-

- (JIRA:RHELPLAN-45930) -

-
-

discard and write-zeroes commands are now supported in QEMU/KVM -

-

- With this update, the discard and write-zeroes commands for virtio-blk - are now supported in QEMU/KVM. As a result, virtual machines can use the virtio-blk device to discard unused sectors of an SSD, fill - sectors with zeroes when they are emptied, or both. This can be used to increase SSD - performance or to ensure that a drive is securely erased. -

-
-

- (JIRA:RHELPLAN-45926) -

-
-

RHEL 8 now supports IBM POWER 9 XIVE

-

- This update introduces support for the External Interrupt Virtualization Engine (XIVE) - feature of IBM POWER9 to RHEL 8. As a result, virtual machines (VMs) running on a RHEL 8 - hypervisor on an IBM POWER 9 system can use XIVE, which improves the performance of - I/O-intensive VMs. -

-
-

- (JIRA:RHELPLAN-45922) -

-
-

Control Group v2 support for virtual machines

-

- With this update, the libvirt suite supports control groups v2. As a result, virtual - machines hosted on RHEL 8 can take advantage of resource control capabilities of control - group v2. -

-
-

- (JIRA:RHELPLAN-45920) -

-
-

Paravirtualized IPIs are now supported for Windows virtual - machines

-

- With this update, the hv_ipi flag has been added to the - supported hypervisor enlightenments for Windows virtual machines (VMs). This allows - inter-processor interrupts (IPIs) to be sent via a hypercall. As a result, IPIs can be - performed faster on VMs running a Windows OS. -

-
-

- (JIRA:RHELPLAN-45918) -

-
-

Migrating virtual machines with enabled disk cache is now - possible

-

- This update makes the RHEL 8 KVM hypervisor compatible with disk cache live migration. As a - result, it is now possible to live-migrate virtual machines with disk cache enabled. -

-
-

- (JIRA:RHELPLAN-45916) -

-
-

macvtap interfaces can now be used by virtual machines in - non-privileged sessions

-

- It is now possible for virtual machines (VMs) to use a macvtap interface previously created - by a privileged process. Notably, this enables VMs started by the non-privileged user session of libvirtd to use a - macvtap interface. -

-
-

- To do so, first create a macvtap interface in a privileged environment and set it to be owned by - the user who will be running libvirtd in a non-privileged session. - You can do this using a management application such as the web console, or using command-line - utilities as root, for example: -

-
# ip link add link en2 name mymacvtap0 address 52:54:00:11:11:11 type macvtap mode bridge
-# chown myuser /dev/tap$(cat /sys/class/net/mymacvtap0/ifindex)
-# ip link set mymacvtap0 up
-

- Afterwards, modify the <target> sub-element of the VM’s <interface> configuration to reference the newly created - macvtap interface: -

-
  <interface type='ethernet'>
-     <model type='virtio'/>
-     <mac address='52:54:00:11:11:11'/>
-     <target dev='mymacvtap0' managed='no'/>
-   </interface>
-

- With this configuration, if libvirtd is run as the user myuser, the VM will use the existing macvtap interface when started. -

-

- (JIRA:RHELPLAN-45915) -

-
-

Virtual machines can now use features of 10th generation Intel Core - processors

-

- The Icelake-Server and Icelake-Client CPU model names are now available for virtual - machines (VMs). On hosts with 10th generation Intel Core processors, using Icelake-Server or Icelake-Client as - the CPU type in the XML configuration of a VM makes new features of these CPUs exposed to - the VM. -

-
-

- (JIRA:RHELPLAN-45911) -

-
-

QEMU now supports LUKS encryption

-

- With this update, it is possible to create virtual disks using Linux Unified Key Setup - (LUKS) encryption. You can encrypt the disks when creating the storage volume by including - the <encryption> field in the virtual machine’s (VM) XML - configuration. You can also make the LUKS encrypted virtual - disk completely transparent to the VM by including the <encryption> field in the disk’s domain definition in the - XML configuration file. -

-
-

- (JIRA:RHELPLAN-45910) -

-
-

Improved logs for nbdkit

-

- The nbdkit service logging has been modified to be less - verbose. As a result, nbdkit logs only potentially important - messages, and the logs created during virt-v2v conversions are - shorter and easier to parse. -

-
-

- (JIRA:RHELPLAN-45909) -

-
-

Improved consistency for virtual machines SELinux security labels and - permissions

-

- With this update, the libvirt service can record SELinux - security labels and permissions associated with files, and restore the labels after - modifying the files. As a result, for example, using libguestfs - utilities to modify a virtual machine (VM) disk image owned by a specific user no longer - changes the image owner to root. -

-
-

- Note that this feature does not work on file systems that do not support extended file - attributes, such as NFS. -

-

- (JIRA:RHELPLAN-45908) -

-
-

QEMU now uses the gcrypt library for XTS - ciphers

-

- With this update, the QEMU emulator has been changed to use the XTS cipher mode - implementation provided by the gcrypt library. This improves - the I/O performance of virtual machines whose host storage uses QEMU’s native luks encryption driver. -

-
-

- (JIRA:RHELPLAN-45904) -

-
-

Windows Virtio drivers can now be updated using Windows - Updates

-

- With this update, a new standard SMBIOS string is initiated by - default when QEMU starts. The parameters provided in the SMBIOS - fields make it possible to generate IDs for the virtual hardware running on the virtual - machine(VM). As a result, Windows Update can identify the virtual hardware and the RHEL - hypervisor machine type, and update the Virtio drivers on VMs running Windows 10+, Windows - Server 2016, and Windows Server 2019+. -

-
-

- (JIRA:RHELPLAN-45901) -

-
-

New command: virsh guestinfo

-

- The virsh guestinfo command has been introduced to RHEL 8.3. - This makes it possible to report the following types of information about a virtual machine - (VM): -

-
-
-
    -
  • - Guest OS and file system information -
  • -
  • - Active users -
  • -
  • - The time zone used -
  • -
-
-

- Before running virsh guestinfo, ensure that the qemu-guest-agent package is installed. In addition, the - guest_agent channel must be enabled in the VM’s XML configuration, - for example as follows: -

-
<channel type='unix'>
-   <target type='virtio' name='org.qemu.guest_agent.0'/>
-</channel>
-

- (JIRA:RHELPLAN-45900) -

-
-

VNNI for BFLOAT16 inputs are now supported - by KVM

-

- With this update, Vector Neural Network Instructions (VNNI) supporting BFLOAT16 inputs, also known as AVX512_BF16 instructions, are now supported by KVM for hosts - running on the 3rd Gen Intel Xeon scalable processors, also known as Cooper Lake. As a - result, guest software can now use the AVX512_BF16 instructions - inside virtual machines, by enabling it in the virtual CPU configuration. -

-
-

- (JIRA:RHELPLAN-45899) -

-
-

New command: virsh pool-capabilities

-

- RHEL 8.3 introduces the virsh pool-capabilities command option. - This command displays information that can be used for creating storage pools, as well as - storage volumes within each pool, on your host. This includes: -

-
-
-
    -
  • - Storage pool types -
  • -
  • - Storage pool source formats -
  • -
  • - Target storage volume format types -
  • -
-
-

- (JIRA:RHELPLAN-45884) -

-
-

Support for CPUID.1F in virtual machines with Intel Xeon Platinum 9200 - series processors

-

- With this update, virtual machines hosted on RHEL 8 can be configured with a virtual CPU - topology of multiple dies, using the Extended Topology Enumeration leaf feature (CPUID.1F). - This feature is supported by Intel Xeon Platinum 9200 series processors, previously known as - Cascade Lake. As a result, it is now possible on hosts that use Intel Xeon Platinum 9200 - series processors to create a vCPU topology that mirrors the physical CPU topology of the - host. -

-
-

- (JIRA:RHELPLAN-37573, JIRA:RHELPLAN-45934) -

-
-

Virtual machines can now use features of 3rd Generation Intel Xeon - Scalable Processors

-

- The Cooperlake CPU model name is now available for virtual - machines (VMs). Using Cooperlake as the CPU type in the XML - configuration of a VM makes new features from the 3rd Generation Intel Xeon Scalable - Processors exposed to the VM, if the host uses this CPU. -

-
-

- (JIRA:RHELPLAN-37570) -

-
-

Intel Optane persistent memory now supported by KVM

-

- With this update, virtual machines hosted on RHEL 8 can benefit from the Intel Optane - persistent memory technology, previously known as Intel Crystal Ridge. Intel Optane - persistent memory storage devices provide data center-class persistent memory technology, - which can significantly increase transaction throughput. -

-
-

- (JIRA:RHELPLAN-14068) -

-
-

Virtual machines can now use Intel Processor Trace

-

- With this update, virtual machines (VMs) hosted on RHEL 8 are able to use the Intel - Processor Trace (PT) feature. When your host uses a CPU that supports Intel PT, you can use - specialized Intel software to collect a variety of metrics about the performance of your - VM’s CPU. Note that this also requires enabling the intel-pt - feature in the XML configuration of the VM. -

-
-

- (JIRA:RHELPLAN-7788) -

-
-

DASD devices can now be assigned to virtual machines on IBM Z -

-

- Direct-access storage devices (DASDs) provide a number of specific storage features. Using - the vfio-ccw feature, you can assign DASDs as mediated devices - to your virtual machines (VMs) on IBM Z hosts. This for example makes it possible for the VM - to access a z/OS dataset, or to share the assigned DASDs with a z/OS machine. -

-
-

- (JIRA:RHELPLAN-40234) -

-
-

IBM Secure Execution supported for IBM Z

-

- When using IBM Z hardware to run your RHEL 8 host, you can improve the security of your - virtual machines (VMs) by configuring IBM Secure Execution for the VMs. IBM Secure - Execution, also known as Protected Virtualization, prevents the host system from accessing a - VM’s state and memory contents. -

-
-

- As a result, even if the host is compromised, it cannot be used as a vector for attacking the - guest operating system. In addition, Secure Execution can be used to prevent untrusted hosts - from obtaining sensitive information from the VM. -

-

- (JIRA:RHELPLAN-14754) -

-
-
-
-
-
-

5.1.19. RHEL in cloud environments

-
-
-
-
-

cloud-utils-growpart rebased to - 0.31

-

- The cloud-utils-growpart package has been upgraded to version - 0.31, which provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - A bug that prevented GPT disks from being grown past 2TB has been fixed. -
  • -
  • - The growpart operation no longer fails when the start - sector and size are the same. -
  • -
  • - Resizing a partition using the sgdisk utility previously in - some cases failed. This problem has now been fixed. -
  • -
-
-

- (BZ#1846246) -

-
-
-
-
-
-

5.1.20. Containers

-
-
-
-
-

skopeo container image is now - available

-

- The registry.redhat.io/rhel8/skopeo container image is a - containerized implementation of the skopeo package. The skopeo tool is a command-line utility that performs various - operations on container images and image repositories. This container image allows you to - inspect container images in a registry, to remove a container image from a registry, and to - copy container images from one unauthenticated container registry to another. To pull the - registry.redhat.io/rhel8/skopeo container image, you need an - active Red Hat Enterprise Linux subscription. -

-
-

- (BZ#1627900) -

-
-

buildah container image is now - available

-

- The registry.redhat.io/rhel8/buildah container image is a - containerized implementation of the buildah package. The buildah tool facilitates building OCI container images. This - container image allows you to build container images without the need to install the buildah package on your system. The use-case does not cover - running this image in rootless mode as a non-root user. To pull the registry.redhat.io/rhel8/buildah container image, you need an - active Red Hat Enterprise Linux subscription. -

-
-

- (BZ#1627898) -

-
-

Podman v2.0 RESTful API is now available

-

- The new REST based Podman 2.0 API replaces the old remote API based on the varlink library. - The new API works in both a rootful and a rootless environment and provides a docker - compatibility layer. -

-
-

- (JIRA:RHELPLAN-37517) -

-
-

Installing Podman does not require container-selinux

-

- With this enhancement, the installation of the container-selinux package is now optional during the container - build. As a result, Podman has fewer dependencies on other packages. -

-
-

- (BZ#1806044) -

-
-
-
-
-
-
-

5.2. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel - shipped with Red Hat Enterprise Linux 8.3. These changes could include for example added or updated - proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or - any noticeable behavior changes. -

-
New kernel parameters
-
-
-
acpi_no_watchdog = [HW,ACPI,WDT]
-
- This parameter enables to ignore the Advanced Configuration and Power Interface (ACPI) based - watchdog interface (WDAT) and let the native driver control the watchdog device instead. -
-
dfltcc = [HW,S390]
-
-

- This parameter configures the zlib hardware support for IBM - Z architectures. -

-

- Format: { on | off | def_only | inf_only | always } -

-

- The options are: -

-
-
    -
  • - on (default) - IBM Z zlib hardware support for compression on level 1 and - decompression -
  • -
  • - off - No IBM Z zlib - hardware support -
  • -
  • - def_only - IBM Z zlib - hardware support for the deflate algorithm only - (compression on level 1) -
  • -
  • - inf_only - IBM Z zlib - hardware support for the inflate algorithm only - (decompression) -
  • -
  • - always - Similar as on, but ignores the selected compression level and - always uses hardware support (used for debugging) -
  • -
-
-
-
irqchip.gicv3_pseudo_nmi = [ARM64]
-
-

- This parameter enables support for pseudo non-maskable interrupts (NMIs) in the kernel. -

-

- To use this parameter you need to build the kernel with the CONFIG_ARM64_PSEUDO_NMI configuration item. -

-
-
panic_on_taint =
-
-

- Bitmask for conditionally calling panic() in add_taint() -

-

- Format: <hex>[,nousertaint] -

-

- A hexadecimal bitmask which represents a set of TAINT flags - that will cause the kernel to panic when the add_taint() - system call is invoked with any of the flags in this set. The optional nousertaint switch prevents userspace-forced crashes by - writing to the /proc/sys/kernel/tainted file any flagset - that matches the bitmask in panic_on_taint. -

-

- For for more information see the upstream - documentation. -

-
-
prot_virt = [S390]
-
-

- Format: <bool> -

-

- This parameter enables hosting of protected virtual machines which are isolated from the - hypervisor if the hardware support is present. -

-
-
rcutree.use_softirq = [KNL]
-
-

- This parameter enables elimination of Tree-RCU softirq - processing. -

-

- If you set this parameter to zero, it moves all RCU_SOFTIRQ - processing to per-CPU rcuc kthreads. If you set rcutree.use_softirq to a non-zero value (default), RCU_SOFTIRQ is used by default. Specify rcutree.use_softirq=0 to use rcuc kthreads. -

-
-
split_lock_detect = [X86]
-
-

- This parameter enables the split lock detection. When enabled, and if hardware support - is present, atomic instructions that access data across cache line boundaries will - result in an alignment check exception. -

-

- The options are: -

-
-
    -
  • - off - not enabled -
  • -
  • - warn - the kernel will emit rate limited warnings - about applications that trigger the Alignment Check Exception (#AC). This mode - is the default on CPUs that supports split lock detection. -
  • -
  • -

    - fatal - the kernel will send Buss error - (SIGBUS) signal to applications that trigger the #AC exception. -

    -

    - If the #AC exception is hit while not executing in the user mode, the kernel - will issue an oops error in either the warn or - fatal mode. -

    -
  • -
-
-
-
srbds = [X86,INTEL]
-
-

- This parameter controls the Special Register Buffer Data Sampling (SRBDS) mitigation. -

-

- Certain CPUs are vulnerable to a Microarchitectural Data Sampling (MDS)-like exploit - which can leak bits from the random number generator. -

-

- By default, microcode mitigates this issue. However, the microcode fix can cause the - RDRAND and RDSEED instructions - to become much slower. Among other effects, this will result in reduced throughput from - the urandom kernel random number source device. -

-

- To disable the microcode mitigation, set the following option: -

-
-
    -
  • - off - Disable mitigation and remove performance - impact to RDRAND and RDSEED -
  • -
-
-
-
svm = [PPC]
-
-

- Format: { on | off | y | n | 1 | 0 } -

-

- This parameter controls the use of the Protected Execution Facility on pSeries systems. -

-
-
nopv = [X86,XEN,KVM,HYPER_V,VMWARE]
-
-

- This parameter disables the PV optimizations which forces the guest to run as generic - guest with no PV drivers. -

-

- Currently supported are XEN HVM, KVM, HYPER_V and VMWARE guests. -

-
-
-
-
Updated kernel parameters
-
-
-
hugepagesz = [HW]
-
-

- This parameter specifies a huge page size. Use this parameter in conjunction with the - hugepages parameter to pre-allocate a number of huge pages - of the specified size. -

-

- Specify the hugepagesz and hugepages parameters in pairs such as: -

-
hugepagesz=2M hugepages=512
-

- The hugepagesz parameter can only be specified once on the - command line for a specific huge page size. Valid huge page sizes are architecture - dependent. -

-
-
hugepages = [HW]
-
-

- This parameter specifies the number of huge pages to pre-allocate. This parameter - typically follows the valid hugepagesz or default_hugepagesz parameter. -

-

- However, if hugepages is the first or the only HugeTLB - command-line parameter, it implicitly specifies the number of huge pages of the default - size to allocate. If the number of huge pages of the default size is implicitly - specified, it can not be overwritten by the hugepagesz + - hugepages parameter pair for the default size. -

-

- For example, on an architecture with 2M default huge page size: -

-
hugepages=256 hugepagesz=2M hugepages=512
-

- Settings from the example above results in allocation of 256 2M huge pages and a warning - message that the hugepages=512 parameter was ignored. If - hugepages is preceded by invalid hugepagesz, hugepages will be - ignored. -

-
-
default_hugepagesz = [HW]
-
-

- This parameter specifies the default huge page size. You can specify default_hugepagesz only once on the command-line. Optionally, - you can follow default_hugepagesz with the hugepages parameter to pre-allocate a specific number of huge - pages of the default size. Also, you can implicitly specify the number of default-sized - huge pages to pre-allocate. -

-

- For example, on an architecture with 2M default huge page size: -

-
hugepages=256
-default_hugepagesz=2M hugepages=256
-hugepages=256 default_hugepagesz=2M
-

- Settings from the example above all results in allocation of 256 2M huge pages. Valid - default huge page size is architecture dependent. -

-
-
efi = [EFI]
-
-

- Format: { "old_map", "nochunk", "noruntime", "debug", "nosoftreserve" } -

-

- The options are: -

-
-
    -
  • - old_map [X86-64] - Switch to the old ioremap-based - EFI runtime services mapping. 32-bit still uses this one by default -
  • -
  • - nochunk - Disable reading files in "chunks" in the - EFI boot stub, as chunking can cause problems with some firmware implementations -
  • -
  • - noruntime - Disable EFI runtime services support -
  • -
  • - debug - Enable miscellaneous debug output -
  • -
  • - nosoftreserve - The EFI_MEMORY_SP (Specific Purpose) attribute sometimes - causes the kernel to reserve the memory range for a memory mapping driver to - claim. Specify efi=nosoftreserve to disable this - reservation and treat the memory by its base type (for example EFI_CONVENTIONAL_MEMORY / "System RAM"). -
  • -
-
-
-
intel_iommu = [DMAR]
-
-

- Intel IOMMU driver Direct Memory Access Remapping (DMAR). -

-

- The added options are: -

-
-
    -
  • - nobounce (Default off) - Disable bounce buffer for - untrusted devices such as the Thunderbolt devices. This will treat the untrusted - devices as the trusted ones. Hence this setting might expose security risks of - direct memory access (DMA) attacks. -
  • -
-
-
-
mem = nn[KMG] [KNL,BOOT]
-
-

- This parameter forces the usage of a specific amount of memory. -

-

- The amount of memory to be used in cases as follows: -

-
-
    -
  1. - For test. -
  2. -
  3. - When the kernel is not able to see the whole system memory. -
  4. -
  5. -

    - Memory that lies after the mem boundary is - excluded from the hypervisor, then assigned to KVM guests. -

    -

    - [X86] Work as limiting max address. Use together with the memmap parameter to avoid physical address space - collisions. Without memmap, Peripheral - Component Interconnect (PCI) devices could be placed at addresses belonging - to unused RAM. -

    -

    - Note that this setting only takes effect during the boot time since in the - case 3 above, the memory may need to be hot added after the boot if the - system memory of hypervisor is not sufficient. -

    -
  6. -
-
-
-
pci = [PCI]
-
-

- Various Peripheral Component Interconnect (PCI) subsystem options. -

-

- Some options herein operate on a specific device or a set of devices (<pci_dev>). These are specified in one of the following - formats: -

-
[<domain>:]<bus>:<dev>.<func>[/<dev>.<func>]*
-pci:<vendor>:<device>[:<subvendor>:<subdevice>]
-

- Note that the first format specifies a PCI bus/device/function address which may change - if new hardware is inserted, if motherboard firmware changes, or due to changes caused - by other kernel parameters. If the domain is left unspecified, it is taken to be zero. - Optionally, a path to a device through multiple device/function addresses can be - specified after the base address (this is more robust against renumbering issues). The - second format selects devices using IDs from the configuration space which may match - multiple devices in the system. -

-

- The options are: -

-
-
    -
  • - hpmmiosize - The fixed amount of bus space which is - reserved for hotplug bridge’s Memory-mapped I/O (MMIO) window. The default size - is 2 megabytes. -
  • -
  • - hpmmioprefsize - The fixed amount of bus space - which is reserved for hotplug bridge’s MMIO_PREF window. The default size is 2 - megabytes. -
  • -
-
-
-
pcie_ports = [PCIE]
-
-

- Peripheral Component Interconnect Express (PCIe) port services handling. -

-

- The options are: -

-
-
    -
  • - native - Use native PCIe services (PME, AER, DPC, - PCIe hotplug) even if the platform does not give the OS permission to use them. - This setting may cause conflicts if the platform also tries to use these - services. -
  • -
  • - dpc-native - Use native PCIe service for DPC only. - This setting may cause conflicts if firmware uses AER or DPC. -
  • -
  • - compat - Disable native PCIe services (PME, AER, - DPC, PCIe hotplug). -
  • -
-
-
-
rcu_nocbs = [KNL]
-
- The argument is a CPU list. The string "all" can be used to specify every CPU on the system. -
-
usbcore.authorized_default = [USB]
-
-

- The default USB device authorization. -

-

- The options are: -

-
-
    -
  • - -1 (Default) - Authorized except for wireless USB -
  • -
  • - 0 - Not authorized -
  • -
  • - 1 - Authorized -
  • -
  • - 2 - Authorized if the device is connected to the - internal port -
  • -
-
-
-
usbcore.old_scheme_first = [USB]
-
- This parameter enables to start with the old device initialization scheme. This setting - applies only to low and full-speed devices (default 0 = off). -
-
usbcore.quirks = [USB]
-
-

- A list of quirk entries to augment the built-in USB core quirk list. The list entries - are separated by commas. Each entry has the form VendorID:ProductID:Flags, for example - quirks=0781:5580:bk,0a5c:5834:gij. The IDs are 4-digit hex numbers and Flags is a set of letters. Each letter - will change the built-in quirk; setting it if it is clear and clearing it if it is set. -

-

- The added flags: -

-
-
    -
  • - o - USB_QUIRK_HUB_SLOW_RESET, hub needs extra delay after - resetting its port -
  • -
-
-
-
-
-
New /proc/sys/fs parameters
-
-
-
protected_fifos
-
-

- This parameter is based on the restrictions in the Openwall software and provides - protection by allowing to avoid unintentional writes to an attacker-controlled FIFO - where a program intended to create a regular file. -

-

- The options are: -

-
-
    -
  • - 0 - Writing to FIFOs is unrestricted. -
  • -
  • - 1 - Does not allow the O_CREAT flag open on FIFOs that we do not own in - world writable sticky directories unless they are owned by the owner of the - directory. -
  • -
  • - 2 - Applies to group writable sticky directories. -
  • -
-
-
-
protected_regular
-
-

- This parameter is similar to the protected_fifos parameter, - however it avoids writes to an attacker-controlled regular file where a program intended - to create one. -

-

- The options are: -

-
-
    -
  • - 0 - Writing to regular files is unrestricted. -
  • -
  • - 1 - Does not allow the O_CREAT flag open on regular files that we do not own - in world writable sticky directories unless they are owned by the owner of the - directory. -
  • -
  • - 2 - Applies to group writable sticky directories. -
  • -
-
-
-
-
-
-
-
-
-
-

5.3. Device Drivers

-
-
-
-
-
-
-
-

5.3.1. New drivers

-
-
-
-
Network drivers
-
-
    -
  • - CAN driver for Kvaser CAN/USB devices (kvaser_usb.ko.xz) -
  • -
  • - Driver for Theobroma Systems UCAN devices (ucan.ko.xz) -
  • -
  • - Pensando Ethernet NIC Driver (ionic.ko.xz) -
  • -
-
-
Graphics drivers and miscellaneous drivers
-
-
    -
  • - Generic Remote Processor Framework (remoteproc.ko.xz) -
  • -
  • - Package Level C-state Idle Injection for Intel® CPUs (intel_powerclamp.ko.xz) -
  • -
  • - X86 PKG TEMP Thermal Driver (x86_pkg_temp_thermal.ko.xz) -
  • -
  • - INT3402 Thermal driver (int3402_thermal.ko.xz) -
  • -
  • - ACPI INT3403 thermal driver (int3403_thermal.ko.xz) -
  • -
  • - Intel® acpi thermal rel misc dev driver (acpi_thermal_rel.ko.xz) -
  • -
  • - INT3400 Thermal driver (int3400_thermal.ko.xz) -
  • -
  • - Intel® INT340x common thermal zone handler (int340x_thermal_zone.ko.xz) -
  • -
  • - Processor Thermal Reporting Device Driver (processor_thermal_device.ko.xz) -
  • -
  • - Intel® PCH Thermal driver (intel_pch_thermal.ko.xz) -
  • -
  • - DRM gem ttm helpers (drm_ttm_helper.ko.xz) -
  • -
  • - Device node registration for cec drivers (cec.ko.xz) -
  • -
  • - Fairchild FUSB302 Type-C Chip Driver (fusb302.ko.xz) -
  • -
  • - VHOST IOTLB (vhost_iotlb.ko.xz) -
  • -
  • - vDPA-based vhost backend for virtio (vhost_vdpa.ko.xz) -
  • -
  • - VMware virtual PTP clock driver (ptp_vmw.ko.xz) -
  • -
  • - Intel® LPSS PCI driver (intel-lpss-pci.ko.xz) -
  • -
  • - Intel® LPSS core driver (intel-lpss.ko.xz) -
  • -
  • - Intel® LPSS ACPI driver (intel-lpss-acpi.ko.xz) -
  • -
  • - Mellanox watchdog driver (mlx_wdt.ko.xz) -
  • -
  • - Mellanox FAN driver (mlxreg-fan.ko.xz) -
  • -
  • - Mellanox regmap I/O access driver (mlxreg-io.ko.xz) -
  • -
  • - Intel® speed select interface pci mailbox driver (isst_if_mbox_pci.ko.xz) -
  • -
  • - Intel® speed select interface mailbox driver (isst_if_mbox_msr.ko.xz) -
  • -
  • - Intel® speed select interface mmio driver (isst_if_mmio.ko.xz) -
  • -
  • - Mellanox LED regmap driver (leds-mlxreg.ko.xz) -
  • -
  • - vDPA Device Simulator (vdpa_sim.ko.xz) -
  • -
  • - Intel® Tiger Lake PCH pinctrl/GPIO driver (pinctrl-tigerlake.ko.xz) -
  • -
  • - PXA2xx SSP SPI Controller (spi-pxa2xx-platform.ko.xz) -
  • -
  • - CE4100/LPSS PCI-SPI glue code for PXA’s driver (spi-pxa2xx-pci.ko.xz) -
  • -
  • - Hyper-V PCI Interface (pci-hyperv-intf.ko.xz) -
  • -
  • - vDPA bus driver for virtio devices (virtio_vdpa.ko.xz) -
  • -
-
-
-
-
-
-
-

5.3.2. Updated drivers

-
-
-
-
Network driver updates
-
-
    -
  • - VMware vmxnet3 virtual NIC driver (vmxnet3.ko.xz) has been updated to version 1.5.0.0-k. -
  • -
  • - Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (r8152.ko.xz) has been updated to - version 1.09.10. -
  • -
  • - Broadcom BCM573xx network driver (bnxt_en.ko.xz) has been updated to version 1.10.1. -
  • -
  • - The Netronome Flow Processor (NFP) driver (nfp.ko.xz) has been updated to version - 4.18.0-240.el8.x86_64. -
  • -
  • - Intel® Ethernet Switch Host Interface Driver (fm10k.ko.xz) has been updated to version - 0.27.1-k. -
  • -
  • - Intel® Ethernet Connection E800 Series Linux Driver (ice.ko.xz) has been updated to - version 0.8.2-k. -
  • -
-
-
Storage driver updates
-
-
    -
  • - Emulex LightPulse Fibre Channel SCSI driver (lpfc.ko.xz) has been updated to version - 0:12.8.0.1. -
  • -
  • - QLogic FCoE Driver (bnx2fc.ko.xz) has been updated to version 2.12.13. -
  • -
  • - LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas.ko.xz) has been updated to version - 34.100.00.00. -
  • -
  • - Driver for HP Smart Array Controller version (hpsa.ko.xz) has been updated to version - 3.4.20-170-RH5. -
  • -
  • - QLogic Fibre Channel HBA Driver (qla2xxx.ko.xz) has been updated to version - 10.01.00.25.08.3-k. -
  • -
  • - Broadcom MegaRAID SAS Driver (megaraid_sas.ko.xz) has been updated to version - 07.714.04.00-rh1. -
  • -
-
-
Graphics and miscellaneous driver updates
-
-
    -
  • - Standalone drm driver for the VMware SVGA device (vmwgfx.ko.xz) has been updated to - version 2.17.0.0. -
  • -
  • - Crypto Co-processor for Chelsio Terminator cards. (chcr.ko.xz) has been updated to - version 1.0.0.0-ko. -
  • -
-
-
-
-
-
-
-
-

5.4. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.3 that have a significant impact on - users. -

-
-
-
-
-

5.4.1. Installer and image creation

-
-
-
-
-

RHEL 8 initial setup now works properly via SSH

-

- Previously, the RHEL 8 initial setup interface did not display when logged in to the system - using SSH. As a consequence, it was impossible to perform the initial setup on a RHEL 8 - machine managed via SSH. This problem has been fixed, and RHEL 8 initial setup now works - correctly when performed via SSH. -

-
-

- (BZ#1676439) -

-
-

Installation failed when using the reboot --kexec command

-

- Previously, the RHEL 8 installation failed when a Kickstart file that contained the reboot --kexec command was used. -

-
-

- With this update, the installation with reboot --kexec now works as - expected. -

-

- (BZ#1672405) -

-
-

America/New York time zone can - now be set correctly

-

- Previously, the interactive Anaconda installation process did not allow users to set the - America/New York time zone when using a kickstart - file. With this update, users can now set America/New - York as the preferred time zone in the interactive installer if a time - zone is not specified in the kickstart file. -

-
-

- (BZ#1665428) -

-
-

SELinux contexts are now set correctly

-

- Previously, when SELinux was in enforcing mode, incorrect SELinux contexts on some folders - and files resulted in unexpected AVC denials when attempting to access these files after - installation. -

-
-

- With this update, Anaconda sets the correct SELinux contexts. As a result, you can now access - the folders and files without manually relabeling the filesystem. -

-

- (BZ#1775975) -

-
-

Automatic partitioning now creates a valid /boot partition

-

- Previously, when installing RHEL on a system using automatic partitioning or using a - kickstart file with preconfigured partitions, the installer created a partitioning scheme - that could contain an invalid /boot partition. Consequently, - the automatic installation process ended prematurely because the verification of the - partitioning scheme failed. With this update, Anaconda creates a partitioning scheme that - contains a valid /boot partition. As a result, the automatic - installation completes as expected. -

-
-

- (BZ#1630299) -

-
-

A GUI installation using the Binary DVD ISO image now completes - successfully without CDN registration

-

- Previously, when performing a GUI installation using the Binary DVD ISO image file, a race - condition in the installer prevented the installation from proceeding until you registered - the system using the Connect to Red Hat feature. -

-
-

- With this update, you can now proceed with the installation without registering the system using - the Connect to Red Hat feature. -

-

- (BZ#1823578) -

-
-

iSCSI or FCoE devices created in Kickstart and used in ignoredisk --only-use command no longer stop the installation - process

-

- Previously, when the iSCSI or FCoE devices created in Kickstart were used in the ignoredisk --only-use command, the installation program failed - with an error similar to Disk "disk/by-id/scsi-360a9800042566643352b476d674a774a" given in ignoredisk command does not exist. - This stopped the installation process. -

-
-

- With this update, the problem has been fixed. The installation program continues working. -

-

- (BZ#1644662) -

-
-

System registration using CDN failed with the error message Name or service not known

-

- When you attempted to register a system using the Content Delivery Network (CDN), the - registration process failed with the error message Name - or service not known. -

-
-

- This issue occurred because the empty Custom server - URL and Custom Base - URL values overwrote the default values for system registration. -

-

- With this update, the empty values now do not overwrite the default values, and the system - registration completes successfully. -

-

- (BZ#1862116) -

-
-
-
-
-
-

5.4.2. Software management

-
-
-
-
-

dnf-automatic now updates only packages - with correct GPG signatures

-

- Previously, the dnf-automatic configuration file did not check - GPG signatures of downloaded packages before performing an update. As a consequence, - unsigned updates or updates signed by key which was not imported could be installed by dnf-automatic even though repository configuration requires GPG - signature check (gpgcheck=1). With this update, the problem has - been fixed, and dnf-automatic checks GPG signatures of - downloaded packages before performing the update. As a result, only updates with correct GPG - signatures are installed from repositories that require GPG signature check. -

-
-

- (BZ#1793298) -

-
-

Trailing comma no longer causes entries removal in an append type option

-

- Previously, adding a trailing comma (an empty entry at the end of the list) to an append type option (for example, exclude, excludepkgs, includepkgs) caused all entries in the option to be removed. - Also, adding two commas (an empty entry) caused that only entries after the commas were - used. -

-
-

- With this update, empty entries other than leading commas (an empty entry at the beginning of - the list) are ignored. As a result, only the leading comma now removes existing entries from the - append type option, and the user can use it to overwrite these - entries. -

-

- (BZ#1788154) -

-
-
-
-
-
-

5.4.3. Shells and command-line tools

-
-
-
-
-

The ReaR disk layout no longer includes - entries for Rancher 2 Longhorn iSCSI devices and file systems

-

- This update removes entries for Rancher 2 Longhorn iSCSI devices and file systems from the - disk layout created by ReaR. -

-
-

- (BZ#1843809) -

-
-

Rescue image creation with a file larger than 4 GB is now enabled on - IBM POWER, little endian

-

- Previously, the ReaR utility could not create rescue images - containing files larger than 4GB on IBM POWER, little endian architecture. With this update, - the problem has been fixed, and it is now possible to create a rescue image with a file - larger than 4 GB on IBM POWER, little endian. -

-
-

- (BZ#1729502) -

-
-
-
-
-
-

5.4.4. Security

-
-
-
-
-

SELinux no longer prevents systemd-journal-gatewayd to call newfstatat() on /dev/shm/ files - used by corosync

-

- Previously, SELinux policy did not contain a rule that allows the systemd-journal-gatewayd daemon to access files created by the - corosync service. As a consequence, SELinux denied systemd-journal-gatewayd to call the newfstatat() function on shared memory files created by corosync. With this update, SELinux no longer prevents systemd-journal-gatewayd to call newfstatat() on shared memory files created by corosync. -

-
-

- (BZ#1746398) -

-
-

Libreswan now works with seccomp=enabled on all configurations

-

- Prior to this update, the set of allowed syscalls in the Libreswan SECCOMP support implementation did not match new usage - of RHEL libraries. Consequently, when SECCOMP was enabled in the ipsec.conf file, the syscall filtering rejected even syscalls - required for the proper functioning of the pluto daemon; the - daemon was killed, and the ipsec service was restarted. With - this update, all newly required syscalls have been allowed, and Libreswan now works with the seccomp=enabled option correctly. -

-
-

- (BZ#1544463) -

-
-

SELinux no longer prevents auditd to halt - or power off the system

-

- Previously, the SELinux policy did not contain a rule that allows the Audit daemon to start - a power_unit_file_t systemd unit. - Consequently, auditd could not halt or power off the system - even when configured to do so in cases such as no space left on a logging disk partition. -

-
-

- This update of the selinux-policy packages adds the missing rule, - and auditd can now properly halt and power off the system only with - SELinux in enforcing mode. -

-

- (BZ#1826788) -

-
-

IPTABLES_SAVE_ON_STOP now works - correctly

-

- Previously, the IPTABLES_SAVE_ON_STOP feature of the iptables service did not work because files with saved IP tables - content received incorrect SELinux context. This prevented the iptables script from changing permissions, and the script - subsequently failed to save the changes. This update defines a proper context for the iptables.save and ip6tables.save - files, and creates a filename transition rule. As a consequence, the IPTABLES_SAVE_ON_STOP feature of the iptables service works correctly. -

-
-

- (BZ#1776873) -

-
-

NSCD databases can now use different modes

-

- Domains in the nsswitch_domain attribute are allowed access to - Name Service Cache Daemon (NSCD) services. Each NSCD database is configured in the nscd.conf file, and the shared - property determines whether the database uses Shared memory or Socket mode. Previously, all - NSCD databases had to use the same access mode, depending on the nscd_use_shm boolean value. Now, using Unix stream socket is - always allowed, and therefore different NSCD databases can use different modes. -

-
-

- (BZ#1772852) -

-
-

The oscap-ssh utility now works correctly - when scanning a remote system with --sudo

-

- When performing a Security Content Automation Protocol (SCAP) scan of a remote system using - the oscap-ssh tool with the --sudo - option, the oscap tool on the remote system saves scan result - files and report files into a temporary directory as the root - user. Previously, if the umask settings on the remote machine - were changed, oscap-ssh might have been prevented access to - these files. This update fixes the issue, and as a result, oscap saves the files as the target user, and oscap-ssh accesses the files normally. -

-
-

- (BZ#1803116) -

-
-

OpenSCAP now handles remote file systems correctly

-

- Previously, OpenSCAP did not reliably detect remote file systems if their mount - specification did not start with two slashes. As a consequence, OpenSCAP handled some - network-based file systems as local. With this update, OpenSCAP identifies file systems - using the file-system type instead of the mount specification. As a result, OpenSCAP now - handles remote file systems correctly. -

-
-

- (BZ#1870087) -

-
-

OpenSCAP no longer removes blank lines from YAML multi-line - strings

-

- Previously, OpenSCAP removed blank lines from YAML multi-line strings within generated - Ansible remediations from a datastream. This affected Ansible remediations and caused the - openscap utility to fail the corresponding Open Vulnerability - and Assessment Language (OVAL) checks, producing false positive results. The issue is now - fixed and as a result, openscap no longer removes blank lines - from YAML multi-line strings. -

-
-

- (BZ#1795563) -

-
-

OpenSCAP can now scan systems with large numbers of files without - running out of memory

-

- Previously, when scanning systems with low RAM and large numbers of files, the OpenSCAP - scanner sometimes caused the system to run out of memory. With this update, OpenSCAP scanner - memory management has been improved. As a result, the scanner no longer runs out of memory - on systems with low RAM when scanning large numbers of files, for example package groups - Server with GUI and Workstation. -

-
-

- (BZ#1824152) -

-
-

config.enabled now controls statements - correctly

-

- Previously, the rsyslog incorrectly evaluated the config.enabled directive during the configuration processing of a - statement. As a consequence, the parameter not known errors - were displayed for each statement except for the include() one. - With this update, the configuration is processed for all statements equally. As a result, - config.enabled now correctly disables or enables statements - without displaying any error. -

-
-

- (BZ#1659383) -

-
-

fapolicyd no longer prevents RHEL - updates

-

- When an update replaces the binary of a running application, the kernel modifies the - application binary path in memory by appending the " (deleted)" suffix. Previously, the - fapolicyd file access policy daemon treated such applications - as untrusted, and prevented them from opening and executing any other files. As a - consequence, the system was sometimes unable to boot after applying updates. -

-
-

- With the release of the RHBA-2020:5242 advisory, fapolicyd ignores the suffix in the binary path so the binary can - match the trust database. As a result, fapolicyd enforces the rules - correctly and the update process can finish. -

-

- (BZ#1897090) -

-
-

The e8 profile can now be used to remediate RHEL 8 systems with Server with GUI

-

- Using the OpenSCAP Anaconda Add-on to harden the system on the Server With GUI package group with profiles that select rules - from the Verify Integrity with RPM group no longer requires an - extreme amount of RAM on the system. The cause of this problem was the OpenSCAP scanner. For - more details, see Scanning large numbers of - files with OpenSCAP causes systems to run out of memory. As a consequence, the - hardening of the system using the RHEL 8 Essential Eight (e8) profile now works also with - Server With GUI. -

-
-

- (BZ#1816199) -

-
-
-
-
-
-

5.4.5. Networking

-
-
-
-
-

Automatic loading of iptables extension - modules by the nft_compat module no longer hangs -

-

- Previously, when the nft_compat module loaded an extension - module while an operation on network name spaces (netns) - happened in parallel, a lock collision could occur if that extension registered a pernet subsystem during initialization. As a consequence, the - kernel-called modprobe command hang. This could also be caused - by other services, such as libvirtd, that also execute iptables commands. This problem has been fixed. As a result, - loading iptables extension modules by the nft_compat module no longer hangs. -

-
-

- (BZ#1757933) -

-
-

The firewalld service now removes ipsets when the service stops

-

- Previously, stopping the firewalld service did not remove ipsets. This update fixes the problem. As a result, ipsets are no longer left in the system after firewalld stops. -

-
-

- (BZ#1790948) -

-
-

firewalld no longer retains ipset entries after shutdown

-

- Previously, shutting down firewalld did not remove ipset entries. Consequently, ipset - entries remained active in the kernel even after stopping the firewalld service. With this fix, shutting down firewalld removes ipset entries as - expected. -

-
-

- (BZ#1682913) -

-
-

firewalld now restores ipset entries after reloading

-

- Previously, firewalld did not retain runtime ipset entries after reloading. Consequently, users had to - manually add the missing entries again. With this update, firewalld has been modified to restore ipset entries after reloading. -

-
-

- (BZ#1809225) -

-
-

nftables and firewalld services are now mutually exclusive

-

- Previously, it was possible to enable nftables and firewalld services at the same time. As a consequence, nftables was overriding firewalld - rulesets. With this update, nftables and firewalld services are now mutually exclusive so that these - cannot be enabled at the same time. -

-
-

- (BZ#1817205) -

-
-
-
-
-
-

5.4.6. Kernel

-
-
-
-
-

The huge_page_setup_helper.py script now - works correctly

-

- A patch that updated the huge_page_setup_helper.py script for - Python 3 was accidentally removed. Consequently, after executing huge_page_setup_helper.py, the following error message appeared: -

-
-
SyntaxError: Missing parentheses in call to 'print'
-

- With this update, the problem has been fixed by updating the libhugetlbfs.spec file. As a result, huge_page_setup_helper.py does not show any error in the described - scenario. -

-

- (BZ#1823398) -

-
-

Systems with a large amount of persistent memory boot more quickly and - without timeouts

-

- Systems with a large amount of persistent memory took a long time to boot because the - original source code allowed for just one initialization thread per node. For example, for a - 4-node system there were 4 memory initialization threads. Consequently, if there were - persistent memory file systems listed in the /etc/fstab file, - the system could time out while waiting for devices to become available. With this update, - the problem has been fixed because the source code now allows for multiple memory - initialization threads within a single node. As a result, the systems boot more quickly and - no timeouts appear in the described scenario. -

-
-

- (BZ#1666538) -

-
-

The bcc scripts now successfully compile a - BPF module

-

- During the script code compilation to create a Berkeley Packet Filter (BPF) module, the - bcc toolkit used kernel headers for data type definition. Some - kernel headers needed the KBUILD_MODNAME macro to be defined. - Consequently, those bcc scripts that did not add KBUILD_MODNAME, were likely to fail to compile a BPF module - across various CPU architectures. The following bcc scripts - were affected: -

-
-
-
    -
  • - bindsnoop -
  • -
  • - sofdsnoop -
  • -
  • - solisten -
  • -
  • - tcpaccept -
  • -
  • - tcpconnect -
  • -
  • - tcpconnlat -
  • -
  • - tcpdrop -
  • -
  • - tcpretrans -
  • -
  • - tcpsubnet -
  • -
  • - tcptop -
  • -
  • - tcptracer -
  • -
-
-

- With this update, the problem has been fixed by adding KBUILD_MODNAME to the default cflags - parameter for bcc. As a result, this problem no longer appears in - the described scenario. Also, customer scripts do not need to define KBUILD_MODNAME themselves either. -

-

- (BZ#1837906) -

-
-

bcc-tools and bpftrace work properly on IBM Z

-

- Previously, a feature backport introduced the ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE kernel option. However, - the bcc-tools package and bpftrace - tracing language package for IBM Z architectures did not have proper support for this - option. Consequently, the bpf() system call failed with the - Invalid argument exception and bpftrace failed with an error stating Error loading program when trying to load the BPF program. With - this update, the ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE option - is now removed. As a result, the problem no longer appears in the described scenario. -

-
-

- (BZ#1847837, BZ#1853964) -

-
-

Boot process no longer fails due to lack of entropy

-

- Previously, the boot process failed due to lack of entropy. A better mechanism is now used - to allow the kernel to gather entropy early in the boot process, which does not depend on - any hardware specific interrupts. This update fixes the problem by ensuring availability of - sufficient entropy to secure random generation in early boot. As a result, the fix prevents - kickstart timeout or slow boots and the boot process works as expected. -

-
-

- (BZ#1778762) -

-
-

Repeated reboots using kexec now work as - expected

-

- Previously, during the kernel reboot on the Amazon EC2 Nitro platform, the remove module - (rmmod) was not called during the shutdown() call of the kernel execution path. Consequently, - repeated kernel reboots using the kexec system call led to a - failure. With this update, the issue has been fixed by adding the PCI shutdown() handler that allows safe kernel execution. As a - result, repeated reboots using kexec on Amazon EC2 Nitro - platforms no longer fail. -

-
-

- (BZ#1758323) -

-
-

Repeated reboots using vPMEM memory as dump target now works as - expected

-

- Previously, using Virtual Persistent Memory (vPMEM) namespaces as dump target for kdump or fadump caused the papr_scm module to unmap and remap the memory backed by vPMEM and - re-add the memory to its linear map. -

-
-

- Consequently, this behavior triggered Hypervisor Calls (HCalls) to POWER Hypervisor. As a - result, this slows down the capture kernel boot considerably and takes a long time to save the - dump file. This update fixes the problem and the boot process now works as expected in the - described scenario -

-

- (BZ#1792125) -

-
-

Attempting to add ICE driver NIC port to a - mode 5 bonding master interface no longer fails

-

- Previously, attempting to add the ICE driver NIC port to a mode - 5 (balance-tlb) bonding master interface led to a failure with - an error Master 'bond0', Slave 'ens1f0': Error: Enslave failed. - Consequently, you experienced an intermittent failure to add the NIC port to the bonding - master interface. This update fixes the issue and adding the interface no longer fails. -

-
-

- (BZ#1791664) -

-
-

The cxgb4 driver no longer causes crash in - the kdump kernel

-

- Previously, the kdump kernel would crash while trying to save - information in the vmcore file. Consequently, the cxgb4 driver prevented the kdump - kernel from saving a core for later analysis. To work around this problem, add the novmcoredd parameter to the kdump - kernel command line to allow saving core files. -

-
-

- With the release of the RHSA-2020:1769 advisory, the - kdump kernel handles this situation properly and no longer crashes. -

-

- (BZ#1708456) -

-
-
-
-
-
-

5.4.7. High availability and clusters

-
-
-
-
-

When a GFS2 file system is used with the Filesystem agent the fast_stop option now defaults to no

-

- Previously, when a GFS2 file system was used with the Filesystem agent, the fast_stop option defaulted to yes. - This value could result in unnecessary fence events due to the length of time it can take a - GFS2 file system to unmount. With this update, this option defaults to no. For all other file systems it continues to default to yes. -

-
-

- (BZ#1814896) -

-
-

fence_compute and fence_evacuate agents now interpret insecure option in a more standard way

-

- Previously, the fence_compute and fence_evacuate agents worked as if --insecure was specified by default. With this update, customers - who do not use valid certificates for their compute or evacuate services must set insecure=true and use the --insecure - option when running manually from the CLI. This is consistent with the behavior of all other - agents. -

-
-

- (BZ#1830776) -

-
-
-
-
-
-

5.4.8. Dynamic programming languages, web and database servers

-
-
-
-
-

Optimized CPU consumption by libdb

-

- A previous update to the libdb database caused an excessive CPU - consumption in the trickle thread. With this update, the CPU usage has been optimized. -

-
-

- (BZ#1670768) -

-
-

The did_you_mean Ruby gem no longer - contains a file with a non-commercial license

-

- Previously, the did_you_mean gem available in the ruby:2.5 module stream contained a file with a non-commercial - license. This update removes the affected file. -

-
-

- (BZ#1846113) -

-
-

nginx can now load server certificates - from hardware security tokens through the PKCS#11 URI

-

- The ssl_certificate directive of the nginx web server supports loading TLS server certificates from - hardware security tokens directly from PKCS#11 modules. Previously, it was impossible to - load server certificates from hardware security tokens through the PKCS#11 URI. -

-
-

- (BZ#1668717) -

-
-
-
-
-
-

5.4.9. Compilers and development tools

-
-
-
-
-

The glibc dynamic loader no longer fails - while loading a shared library that uses DT_FILTER and has - a constructor

-

- Prior to this update, a defect in the dynamic loader implementation of shared objects as - filters caused the dynamic loader to fail while loading a shared library that uses a filter - and has a constructor. With this release, the dynamic loader implementation of filters - (DT_FILTER) has been fixed to correctly handle such shared - libraries. As a result, the dynamic loader now works as expected in the mentioned scenario. -

-
-

- (BZ#1812756) -

-
-

glibc can now remove pseudo-mounts from - the getmntent() list

-

- The kernel includes automount pseudo-entries in the tables - exposed to userspace. Consequently, programs that use the getmntent() API see both regular mounts and these pseudo-mounts - in the list. The pseudo-mounts do not correspond to real mounts, nor include valid - information. -

-
-

- With this update, if the mount entry has the ignore mount option - present in the automount(8) configuration the glibc library now removes these pseudo-mounts from the getmntent() list. Programs that expect the previous behavior have to - use a different API. -

-

- (BZ#1743445) -

-
-

The movv1qi pattern no longer causes - miscompilation in the auto-vectorized code on IBM Z

-

- Prior to this update, wrong load instructions were emitted for the movv1qi pattern. As a consequence, when auto-vectorization was in - effect, a miscompilation could occur on IBM Z systems. This update fixes the movv1qi pattern, and as a result, code compiles and runs - correctly now. -

-
-

- (BZ#1784758) -

-
-

PAPI_event_name_to_code() now works - correctly in multiple threads

-

- Prior to this update, the PAPI internal code did not handle thread coordination properly. As - a consequence, when multiple threads used the PAPI_event_name_to_code() operation, a race condition occurred - and the operation failed. This update enhances the handling of multiple threads in the PAPI - internal code. As a result, multithreaded code using the PAPI_event_name_to_code() operation now works correctly. -

-
-

- (BZ#1807346) -

-
-

Improved performance for the glibc math - functions on IBM Power Systems

-

- Previously, the glibc math functions performed unnecessary - floating point status updates and system calls on IBM Power Systems, which negatively - affected the performance. This update removes the unnecessary floating point status update, - and improves the implementations of: ceil(), ceilf(), fegetmode(), fesetmode(), fesetenv(), fegetexcept(), feenableexcept(), - fedisablexcept(), fegetround() and - fesetround(). As a result, the performance of the math library - is improved on IBM Power Systems. -

-
-

- (BZ#1783303) -

-
-

Memory protection keys are now supported on IBM Power

-

- On IBM Power Systems, the memory protection key interfaces pkey_set and pkey_get were - previously stub functions, and consequently always failed. This update implements the - interfaces, and as a result, the GNU C Library (glibc) now - supports memory protection keys on IBM Power Systems. -

-
-

- Note that memory protection keys currently require the hash-based memory management unit (MMU), - therefore you might have to boot certain systems with the disable_radix kernel parameter. -

-

- (BZ#1642150) -

-
-

papi-testsuite and papi-devel now install the required papi-libs package

-

- Previously, the papi-testsuite and papi-devel RPM packages did not declare a dependency on the - matching papi-libs package. Consequently, the tests failed to - run, and developers did not have the required version of the papi shared library available for their applications. -

-
-

- With this update, when the user installs either the papi-testsuite - or papi-devel packages, the papi-libs - package is also installed. As a result, the papi-testsuite now has - the correct library allowing the tests to run, and developers using papi-devel have their executables linked with the appropriate version - of the papi shared library. -

-

- (BZ#1664056) -

-
-

Installing the lldb packages for multiple - architectures no longer leads to file conflicts

-

- Previously, the lldb packages installed architecture-dependent - files in architecture-independent locations. As a consequence, installing both 32-bit and - 64-bit versions of the packages led to file conflicts. This update packages the files in - correct architecture-dependent locations. As a result, the installation of lldb in the described scenario completes successfully. -

-
-

- (BZ#1841073) -

-
-

getaddrinfo now correctly handles a memory - allocation failure

-

- Previously, after a memory allocation failure, the getaddrinfo - function of the GNU C Library glibc did not release the - internal resolver context. As a consequence, getaddrinfo was - not able to reload the /etc/resolv.conf file for the rest of - the lifetime of the calling thread, resulting in a possible memory leak. -

-
-

- This update modifies the error handling path with an additional release operation for the - resolver context. As a result, getaddrinfo reloads /etc/resolv.conf with new configuration values even after an - intermittent memory allocation failure. -

-

- (BZ#1810146) -

-
-

glibc avoids certain failures caused by - IFUNC resolver ordering

-

- Previously, the implementation of the librt and libpthread libraries of the GNU C Library glibc contained the indirect function (IFUNC) resolvers for the - following functions: clock_gettime, clock_getcpuclockid, clock_nanosleep, clock_settime, - vfork. In some cases, the IFUNC resolvers could execute before - the librt and libpthread libraries - were relocated. Consequently, applications would fail in the glibc dynamic loader during early program startup. -

-
-

- With this release, the implementations of these functions have been moved into the libc component of glibc, which prevents - the described problem from occurring. -

-

- (BZ#1748197) -

-
-

Assertion failures no longer occur during pthread_create

-

- Previously, the glibc dynamic loader did not roll back changes - to the internal Thread Local Storage (TLS) module ID counter. As a consequence, an assertion - failure in the pthread_create function could occur after the - dlopen function had failed in certain ways. With this fix, the - glibc dynamic loader updates the TLS module ID counter at a - later point in time, after certain failures can no longer happen. As a result, the assertion - failures no longer occur. -

-
-

- (BZ#1774115) -

-
-

glibc now installs correct dependencies - for 32-bit applications using nss_db

-

- Previously, the nss_db.x86_64 package did not declare - dependencies on the nss_db.i686 package. Therefore automated - installation did not install nss_db.i686 on the system, despite - having a 32-bit environment glibc.i686 installed. As a - consequence, 32-bit applications using nss_db failed to perform - accurate user database lookups, while 64-bit applications in the same setup worked - correctly. -

-
-

- With this update, the glibc packages now have weak dependencies - that trigger the installation of the nss_db.i686 package when both - glibc.i686 and nss_db are installed on - the system. As a result, 32-bit applications using nss_db now work - correctly, even if the system administrator has not explicitly installed the nss_db.i686 package. -

-

- (BZ#1807824) -

-
-

glibc locale information updated with Odia - language

-

- The name of Indian state previously known as Orissa has changed to Odisha, and the name of - its official language has changed from Oriya to Odia. With this update, the glibc locale information reflects the new name of the language. -

-
-

- (BZ#1757354) -

-
-

LLVM sub packages now install arch-dependent files in arch-dependent - locations

-

- Previously, LLVM sub packages installed arch-dependent files in arch-independent locations. - This resulted in conflicts when installing 32 and 64 bit versions of LLVM. With this update, - package files are now correctly installed in arch-dependent locations, avoiding version - conflicts. -

-
-

- (BZ#1820319) -

-
-

Password and group lookups no longer fail in glibc

-

- Previously, the nss_compat module of the glibc library overwrote the errno - status with incorrect error codes during processing of password and group entries. - Consequently, applications did not resize buffers as expected, causing password and group - lookups to fail. This update fixes the problem, and the lookups now complete as expected. -

-
-

- (BZ#1836867) -

-
-
-
-
-
-

5.4.10. Identity Management

-
-
-
-
-

SSSD no longer downloads every rule with a wildcard character by - default

-

- Previously, the ldap_sudo_include_regexp option was incorrectly - set to true by default. As a consequence, when SSSD started - running or after updating SSSD rules, SSSD downloaded every rule that contained a wildcard - character (*) in the sudoHost - attribute. This update fixes the bug, and the ldap_sudo_include_regexp option is now properly set to false by default. As a result, the described problem no longer - occurs. -

-
-

- (BZ#1827615) -

-
-

krb5 now only requests permitted - encryption types

-

- Previously, permitted encryption types specified in the permitted_enctypes variable in the /etc/krb5.conf file did not apply to the default encryption types - if the default_tgs_enctypes or default_tkt_enctypes attributes were not set. Consequently, - Kerberos clients were able to request deprecated cipher suites like RC4, which may cause - other processes to fail. With this update, encryption types specified in the permitted_enctypes variable apply to the default encryption types - as well, and only permitted encryption types are requested. -

-
-

- The RC4 cipher suite, which has been deprecated in RHEL 8, is the default encryption type for - users, services, and trusts between Active Directory (AD) domains in an AD forest. -

-
- -
-

- (BZ#1791062) -

-
-

KDCs now correctly enforce password lifetime policy from LDAP - backends

-

- Previously, non-IPA Kerberos Distribution Centers (KDCs) did not ensure maximum password - lifetimes because the Kerberos LDAP backend incorrectly enforced password policies. With - this update, the Kerberos LDAP backend has been fixed, and password lifetimes behave as - expected. -

-
-

- (BZ#1784655) -

-
-

Password expiration notifications sent to AD clients using - SSSD

-

- Previously, Active Directory clients (non-IdM) using SSSD were not sent password expiration - notices because of a recent change in the SSSD interface for acquiring Kerberos credentials. -

-
-

- The Kerberos interface has been updated and expiration notices are now sent correctly. -

-

- (BZ#1820311) -

-
-

Directory Server no longer leaks memory when using indirect COS - definitions

-

- Previously, after processing an indirect Class Of Service (COS) definition, Directory Server - leaked memory for each search operation that used an indirect COS definition. With this - update, Directory Server frees all internal COS structures associated with the database - entry after it has been processed. As a result, the server no longer leaks memory when using - indirect COS definitions. -

-
-

- (BZ#1816862) -

-
-

Adding ID overrides of AD users now works in IdM Web UI

-

- Previously, adding ID overrides of Active Directory (AD) users to Identity Management (IdM) - groups in the Default Trust View for the purpose of granting access to management roles - failed when using the IdM Web UI. This update fixes the bug. As a result, you can now use - both the Web UI as well as the IdM command-line interface (CLI) in this scenario. -

-
-

- (BZ#1651577) -

-
-

FreeRADIUS no longer generates certificates during package - installation

-

- Previously, FreeRADIUS generated certificates during package installation, resulting in the - following issues: -

-
-
-
    -
  • - If FreeRADIUS was installed using Kickstart, certificates might be generated at a time - when entropy on the system was insufficient, resulting in either a failed installation - or a less secure certificate. -
  • -
  • - The package was difficult to build as part of an image, such as a container, because the - package installation occurs on the builder machine instead of the target machine. All - instances that are spawned from the image had the same certificate information. -
  • -
  • - It was difficult for an end-user to generate a simple VM in their environment as the - certificates would have to be removed and regenerated manually. -
  • -
-
-

- With this update, the FreeRADIUS installation no longer generates default self-signed CA - certificates nor subordinate CA certificates. When FreeRADIUS is launched via systemd: -

-
-
    -
  • - If all of the required certificates are missing, a set of default certificates are - generated. -
  • -
  • - If one or more of the expected certificates are present, it does not generate new - certificates. -
  • -
-
-

- (BZ#1672285) -

-
-

FreeRADIUS now generates FIPS-compliant Diffie-Hellman - parameters

-

- Due to new FIPS requirements that do not allow openssl to - generate Diffie-Hellman (dh) parameters via dhparam, the dh - parameter generation has been removed from the FreeRADIUS bootstrap scripts and the file, - rfc3526-group-18-8192.dhparam, is included with the FreeRADIUS - packages for all systems, and thus enables FreeRADIUS to start in FIPS mode. -

-
-

- Note that you can customize /etc/raddb/certs/bootstrap and /etc/raddb/certs/Makefile to restore the DH parameter generation if - required. -

-

- (BZ#1859527) -

-
-

Updating Healthcheck now properly updates - both ipa-healthcheck-core and ipa-healthcheck

-

- Previously, entering yum update healthcheck did not update the - ipa-healthcheck package but replaced it with the ipa-healthcheck-core package. As a consequence, the ipa-healthcheck command did not work after the update. -

-
-

- This update fixes the bug, and updating ipa-healthcheck now - correctly updates both the ipa-healthcheck package and the ipa-healthcheck-core package. As a result, the Healthcheck tool works correctly after the update. -

-

- (BZ#1852244) -

-
-
-
-
-
-

5.4.11. Graphics infrastructures

-
-
-
-
-

Laptops with hybrid Nvidia GPUs can now successfully resume from - suspend

-

- Previously, the nouveau graphics driver sometimes could not - power on hybrid Nvidia GPUs on certain laptops from power-save mode. As a result, the - laptops failed to resume from suspend. -

-
-

- With this update, several problems in the Runtime Power Management (runpm) system have been fixed. As a result, the laptops with hybrid - graphics can now successfully resume from suspend. -

-

- (JIRA:RHELPLAN-57572) -

-
-
-
-
-
-

5.4.12. Virtualization

-
-
-
-
-

Migrating virtual machines with the default CPU model now works more - reliably

-

- Previously, if a virtual machine (VM) was created without a specific CPU model, QEMU used a - default model that was not visible to the libvirt service. As a - consequence, it was possible to migrate the VM to a host that did not support the default - CPU model of the VM, which sometimes caused crashes and incorrect behavior in the guest OS - after the migration. -

-
-

- With this update, libvirt explicitly uses the qemu64 model as default in the XML configuration of the VM. As a - result, if the user attempts migrating a VM with the default CPU model to a host that does not - support that model, libvirt correctly generates an error message. -

-

- Note, however, that Red Hat strongly recommends using a specific CPU model for your VMs. -

-

- (JIRA:RHELPLAN-45906) -

-
-
-
-
-
-

5.4.13. Containers

-
-
-
-
-

Notes on FIPS support with Podman

-

- The Federal Information Processing Standard (FIPS) requires certified modules to be used. - Previously, Podman correctly installed certified modules in containers by enabling the - proper flags at startup. However, in this release, Podman does not properly set up the - additional application helpers normally provided by the system in the form of the FIPS - system-wide crypto-policy. Although setting the system-wide crypto-policy is not required by - the certified modules it does improve the ability of applications to use crypto modules in - compliant ways. To work around this problem, change your container to run the update-crypto-policies --set FIPS command before any other - application code was executed. The update-crypto-policies --set FIPS command is no longer required - with this fix. -

-
-

- (BZ#1804193) -

-
-
-
-
-
-
-

5.5. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.3. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features - Support Scope. -

-
-
-
-
-

5.5.1. Networking

-
-
-
-
-

Enabled the xt_u32 Netfilter - module

-

- The xt_u32 Netfilter module is now available in the kernel-modules-extra rpm. This module helps in packet forwarding - based on the data that is inaccessible to other protocol-based packet filters and thus eases - manual migration to nftables. However, xt_u32 Netfilter module is not supported by Red Hat. -

-
-

- (BZ#1834769) -

-
-

nmstate available as a Technology - Preview

-

- Nmstate is a network API for hosts. The nmstate packages, - available as a Technology Preview, provide a library and the nmstatectl command-line utility to manage host network settings - in a declarative manner. The networking state is described by a pre-defined schema. - Reporting of the current state and changes to the desired state both conform to the schema. -

-
-

- For further details, see the /usr/share/doc/nmstate/README.md file - and the examples in the /usr/share/doc/nmstate/examples directory. -

-

- (BZ#1674456) -

-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet - processing. It accompanies XDP and grants efficient redirection - of programmatically selected packets to user space applications for further processing. -

-
-

- (BZ#1633143) -

-
-

XDP available as a - Technology Preview

-

- The eXpress Data Path (XDP) feature, which is available as a Technology Preview, provides a - means to attach extended Berkeley Packet Filter (eBPF) programs for high-performance packet - processing at an early point in the kernel ingress data path, allowing efficient - programmable packet analysis, filtering, and manipulation. -

-
-

- (BZ#1503672) -

-
-

KTLS available as a Technology Preview

-

- In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a - Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption - algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for - offloading TLS record encryption to Network Interface Controllers (NICs) that support this - functionality. -

-
-

- (BZ#1570255) -

-
-

XDP features that are available as Technology Preview

-

- Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported - Technology Preview: -

-
-
- -
-

- (BZ#1889737) -

-
-

act_mpls module available as a Technology - Preview

-

- The act_mpls module is now available in the kernel-modules-extra rpm as a Technology Preview. The module - allows the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control - (TC) filters, for example, push and pop MPLS label stack entries with TC filters. The module - also allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set - independently. -

-
-

- (BZ#1839311) -

-
-

Multipath TCP is now available as a Technology Preview

-

- Multipath TCP (MPTCP), an extension to TCP, is now available as a Technology Preview. MPTCP - improves resource usage within the network and resilience to network failure. For example, - with Multipath TCP on the RHEL server, smartphones with MPTCP v1 enabled can connect to an - application running on the server and switch between Wi-Fi and cellular networks without - interrupting the connection to the server. -

-
-

- Note that either the applications running on the server must natively support MPTCP or - administrators must load an eBPF program into the kernel to - dynamically change IPPROTO_TCP to IPPROTO_MPTCP. -

-

- For further details see, Getting - started with Multipath TCP. -

-

- (JIRA:RHELPLAN-41549) -

-
-

The systemd-resolved service is now - available as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, an - Link-Local Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- (BZ#1906489) -

-
-
-
-
-
-

5.5.2. Kernel

-
-
-
-
-

The kexec fast reboot feature is available - as Technology Preview

-

- The kexec fast reboot feature continues to be available as a - Technology Preview. kexec fast reboot significantly speeds the - boot process by allowing the kernel to boot directly into the second kernel without passing - through the Basic Input/Output System (BIOS) first. To use this feature: -

-
-
-
    -
  1. - Load the kexec kernel manually. -
  2. -
  3. - Reboot the operating system. -
  4. -
-
-

- (BZ#1769727) -

-
-

eBPF available as a - Technology Preview

-

- Extended Berkeley Packet Filter (eBPF) - is an in-kernel virtual machine that allows code execution in the kernel space, in the - restricted sandbox environment with access to a limited set of functions. -

-
-

- The virtual machine includes a new system call bpf(), which - supports creating various types of maps, and also allows to load programs in a special - assembly-like code. The code is then loaded to the kernel and translated to the native machine - code with just-in-time compilation. Note that the bpf() syscall can - be successfully used only by a user with the CAP_SYS_ADMIN - capability, such as the root user. See the bpf(2) man page for more - information. -

-

- The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet - reception) to receive and process data. -

-

- There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a - different development phase, and thus not all components are currently fully supported. All - components are available as a Technology Preview, unless a specific component is indicated as - supported. -

-

- The following notable eBPF components are - currently available as a Technology Preview: -

-
-
    -
  • - bpftrace, a high-level tracing language that utilizes the - eBPF virtual machine. -
  • -
  • - AF_XDP, a socket for connecting the eXpress Data Path (XDP) path to user - space for applications that prioritize packet processing performance. -
  • -
-
-

- (BZ#1559616) -

-
-

The igc driver available as a Technology - Preview for RHEL 8

-

- The igc Intel 2.5G Ethernet Linux wired LAN driver is now - available on all architectures for RHEL 8 as a Technology Preview. The ethtool utility also supports igc - wired LANs. -

-
-

- (BZ#1495358) -

-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol - which implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which - supports two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in - RHEL 8. -

-
-

- (BZ#1605216) -

-
-
-
-
-
-

5.5.3. File systems and storage

-
-
-
-
-

NVMe/TCP is available as a Technology Preview

-

- Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks - (NVMe/TCP) and its corresponding nvme-tcp.ko and nvmet-tcp.ko kernel modules have been added as a Technology - Preview. -

-
-

- The use of NVMe/TCP as either a storage client or a target is manageable with tools provided by - the nvme-cli and nvmetcli packages. -

-

- The NVMe/TCP target Technology Preview is included only for testing purposes and is not - currently planned for full support. -

-

- (BZ#1696451) -

-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8, file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address - space. To use DAX, a system must have some form of persistent memory available, usually in - the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file - system that supports DAX must be created on the NVDIMM(s). Also, the file system must be - mounted with the dax mount option. Then, an mmap of a file on the dax-mounted file system results in a direct - mapping of storage into the application’s address space. -

-
-

- (BZ#1627455) -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top - of another. Changes are recorded in the upper file system, while the lower file system - remains unmodified. This allows multiple users to share a file-system image, such as a - container or a DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs - warnings when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other - specialized use cases, such as squashed kdump initramfs. - Its use is supported primarily for container COW content, not for persistent storage. - You must place any persistent storage on non-OverlayFS volumes. You can use only the - default container engine configuration: one level of overlay, one lowerdir, and both - lower and upper levels are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might - change in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped - with MAP_SHARED are inconsistent with - subsequent modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on - RHEL 8, but you can enable full POSIX compliance for them with a module - option or mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and - index=on options to improve POSIX - compliance. These two options make the format of the upper layer - incompatible with an overlay without these options. That is, you might - get unexpected results or errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, - use the following command and see if the ftype=1 option - is enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see - Non-standard behavior in the Linux - kernel documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- (BZ#1690207) -

-
-

Stratis is now available as a Technology Preview

-

- Stratis is a new local storage manager. It provides managed file systems on top of pools of - storage with additional features to the user. -

-
-

- Stratis enables you to more easily perform storage tasks such as: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- RHEL 8.3 updates Stratis to version 2.1.0. For more information, see Stratis 2.1.0 Release - Notes. -

-

- (JIRA:RHELPLAN-1212) -

-
-

IdM now supports setting up a Samba server on an IdM domain member as a - Technology Preview

-

- With this update, you can now set up a Samba server on an Identity Management (IdM) domain - member. The new ipa-client-samba utility provided by the - same-named package adds a Samba-specific Kerberos service principal to IdM and prepares the - IdM client. For example, the utility creates the /etc/samba/smb.conf with the ID mapping configuration for the - sss ID mapping back end. As a result, administrators can now - set up Samba on an IdM domain member. -

-
-

- Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows - hosts cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not - support resolving IdM groups using the Distributed Computing Environment / Remote Procedure - Calls (DCE/RPC) protocols. As a consequence, AD users can only access the Samba shares and - printers from IdM clients. -

-

- For details, see Setting - up Samba on an IdM domain member. -

-

- (JIRA:RHELPLAN-13195) -

-
-
-
-
-
-

5.5.4. High availability and clusters

-
-
-
-
-

Local mode version of pcs cluster setup - command available as a technology preview

-

- By default, the pcs cluster setup command automatically - synchronizes all configuration files to the cluster nodes. In Red Hat Enterprise Linux 8.3, - the pcs cluster setup command provides the --corosync-conf option as a technology preview. Specifying this - option switches the command to local mode. In this mode, pcs creates a corosync.conf file and - saves it to a specified file on the local node only, without communicating with any other - node. This allows you to create a corosync.conf file in a - script and handle that file by means of the script. -

-
-

- (BZ#1839637) -

-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on the podman container - platform, with the container bundle feature being available as a Technology Preview. There - is one exception to this feature being Technology Preview: Red Hat fully supports the use of - Pacemaker bundles for Red Hat Openstack. -

-
-

- (BZ#1619620) -

-
-

Heuristics in corosync-qdevice available - as a Technology Preview

-

- Heuristics are a set of commands executed locally on startup, cluster membership change, - successful connect to corosync-qnetd, and, optionally, on a - periodic basis. When all commands finish successfully on time (their return error code is - zero), heuristics have passed; otherwise, they have failed. The heuristics result is sent to - corosync-qnetd where it is used in calculations to determine - which partition should be quorate. -

-
-

- (BZ#1784200) -

-
-

New fence-agents-heuristics-ping fence - agent

-

- As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of - experimental fence agents that do no actual fencing by themselves but instead exploit the - behavior of fencing levels in a new way. -

-
-

- If the heuristics agent is configured on the same fencing level as the fence agent that does the - actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the - agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to - succeed, causing Pacemaker fencing to skip the step of issuing the off action on the agent that does the fencing. A heuristics agent can - exploit this behavior to prevent the agent that does the actual fencing from fencing a node - under certain conditions. -

-

- A user might want to use this agent, especially in a two-node cluster, when it would not make - sense for a node to fence the peer if it can know beforehand that it would not be able to take - over the services properly. For example, it might not make sense for a node to take over - services if it has problems reaching the networking uplink, making the services unreachable to - clients, a situation which a ping to a router might detect in that case. -

-

- (BZ#1775847) -

-
-
-
-
-
-

5.5.5. Identity Management

-
-
-
-
-

Identity Management JSON-RPC API available as Technology - Preview

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as Technology Preview. -

-
-

- In Red Hat Enterprise Linux 7.3, the IdM API was enhanced to enable multiple versions of API - commands. Previously, enhancements could change the behavior of a command in an incompatible - way. Users are now able to continue using existing tools and scripts even if the IdM API - changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the - managing client. -
  • -
  • - Developers to use a specific version of an IdM call, even if the IdM version changes on - the server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- (BZ#1664719) -

-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones - hosted on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

-
- -
-

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other - DNS servers. This might affect the availability of DNS zones that are not configured in - accordance with recommended naming practices. -

-

- (BZ#1664718) -

-
-
-
-
-
-

5.5.6. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is now available for the 64-bit ARM architecture as a - Technology Preview. This enables administrators to configure and manage servers from a - graphical user interface (GUI) remotely, using the VNC session. -

-
-

- As a consequence, new administration applications are available on the 64-bit ARM architecture. - For example: Disk Usage Analyzer (baobab), Firewall - Configuration (firewall-config), Red Hat Subscription Manager (subscription-manager), or the Firefox web browser. Using Firefox, administrators can connect to the - local Cockpit daemon remotely. -

-

- (JIRA:RHELPLAN-27394, BZ#1667225, BZ#1667516, BZ#1724302) -

-
-

GNOME desktop on IBM Z is available as a Technology Preview -

-

- The GNOME desktop, including the Firefox web browser, is now available as a Technology - Preview on the IBM Z architecture. You can now connect to a remote graphical session running - GNOME using VNC to configure and manage your IBM Z servers. -

-
-

- (JIRA:RHELPLAN-27737) -

-
-
-
-
-
-

5.5.7. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is - available as a Technology Preview. Note that the rest of the graphics stack is currently - unverified for the 64-bit ARM architecture. -

-
-

- (BZ#1698565) -

-
-

Intel Tiger Lake graphics available as a Technology Preview -

-

- Intel Tiger Lake UP3 and UP4 Xe graphics are now available as a Technology Preview. -

-
-

- To enable hardware acceleration with Intel Tiger Lake graphics, add the following option on the - kernel command line: -

-
i915.force_probe=pci-id
-

- In this option, replace pci-id with one of the following: -

-
-
    -
  • - The PCI ID of your Intel GPU -
  • -
  • - The * character to enable the i915 driver with all alpha-quality hardware -
  • -
-
-

- (BZ#1783396) -

-
-
-
-
-
-

5.5.8. Red Hat Enterprise Linux system roles

-
-
-
-
-

The postfix role of RHEL system roles - available as a Technology Preview

-

- Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat - Enterprise Linux subsystems, which makes system configuration easier through the inclusion - of Ansible Roles. This interface enables managing system configurations across multiple - versions of Red Hat Enterprise Linux, as well as adopting new major releases. -

-
-

- The rhel-system-roles packages are distributed through the - AppStream repository. -

-

- The postfix role is available as a Technology Preview. -

-

- The following roles are fully supported: -

-
-
    -
  • - kdump -
  • -
  • - network -
  • -
  • - selinux -
  • -
  • - storage -
  • -
  • - timesync -
  • -
-
-

- For more information, see the Knowledgebase article about RHEL system roles. -

-

- (BZ#1812552) -

-
-
-
-
-
-

5.5.9. Virtualization

-
-
-
-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual - machines

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on - a Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel systems. In addition, nested - virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the - following Microsoft documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- (BZ#1519039) -

-
-

AMD SEV for KVM virtual machines

-

- As a Technology Preview, RHEL 8 introduces the Secure Encrypted Virtualization (SEV) feature - for AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine - (VM), SEV encrypts VM memory so that the host cannot access data on the VM. This increases - the security of the VM if the host is successfully infected by malware. -

-
-

- Note that the number of VMs that can use this feature at a time on a single host is determined - by the host hardware. Current AMD EPYC processors support up to 509 running VMs using SEV. -

-

- Also note that for VMs with SEV configured to be able to boot, you must also configure the VM - with a hard memory limit. To do so, add the following to the VM’s XML configuration: -

-
<memtune>
-<hard_limit unit='KiB'>N</hard_limit>
-</memtune>
-

- The recommended value for N is equal to or greater then the guest RAM + 256 MiB. For example, if - the guest is assigned 2 GiB RAM, N should be 2359296 or greater. -

-

- (BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677) -

-
-

Intel vGPU

-

- As a Technology Preview, it is now possible to divide a physical Intel GPU device into - multiple virtual devices referred to as mediated devices. These - mediated devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As - a result, these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. In addition, assigning - a physical GPU to VMs makes it impossible for the host to use the GPU, and may prevent graphical - display output on the host from working. -

-

- (BZ#1528684) -

-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on AMD64 and IBM Z systems hosts with RHEL 8. With this feature, a RHEL 7 or RHEL 8 - VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs. -

-
-

- Note that in RHEL 8.2 and later, nested virtualization is fully supported for VMs running on an - Intel 64 host. -

-

- (JIRA:RHELPLAN-14047, JIRA:RHELPLAN-24437) -

-
-

Select Intel network adapters now support SR-IOV in RHEL guests on - Hyper-V

-

- As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a - Hyper-V hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel - network adapters supported by the ixgbevf and iavf drivers. This feature is enabled when the following - conditions are met: -

-
-
-
    -
  • - SR-IOV support is enabled for the network interface controller (NIC) -
  • -
  • - SR-IOV support is enabled for the virtual NIC -
  • -
  • - SR-IOV support is enabled for the virtual switch -
  • -
  • - The virtual function (VF) from the NIC is attached to the virtual machine -
  • -
-
-

- The feature is currently supported with Microsoft Windows Server 2019 and 2016. -

-

- (BZ#1348508) -

-
-
-
-
-
-

5.5.10. Containers

-
-
-
-
-

podman container image is available as a - Technology Preview

-

- The registry.redhat.io/rhel8/podman container image is a - containerized implementation of the podman package. The podman tool is used for managing containers and images, volumes - mounted into those containers, and pods made from groups of containers. Podman is based on - the libpod library for container lifecycle management. The - libpod library provides APIs for managing containers, pods, - container images, and volumes. This container image allows create, modify and run container - images without the need to install the podman package on your - system. The use-case does not cover running this image in rootless mode as a non-root user. - To pull the registry.redhat.io/rhel8/podman container image, - you need an active Red Hat Enterprise Linux subscription. -

-
-

- (BZ#1627899) -

-
-

crun is available as a Technology - Preview

-

- The crun OCI runtime has been added to the container-rools:rhl8 module. The crun provides an access to run with cgoupsV2. The crun supports an annotation that allows the container to access - the rootless users additional groups. This is useful for volume mounting in a directory that - the user only have group access to, or the directory is setgid on it. -

-
-

- (BZ#1841438) -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- (JIRA:RHELDOCS-16861) -

-
-
-
-
-
-
-

5.6. Deprecated functionality

-
-
-
-

- This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8. -

-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will - likely not be supported in the next major version release, and are not recommended for new - deployments on the current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the - latest version of release documentation. For information about the length of support, see Red Hat Enterprise - Linux Life Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a - package can be removed from the product. Product documentation then identifies more recent packages - that offer functionality similar, identical, or more advanced to the one deprecated, and provides - further recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, - see Considerations - in adopting RHEL 9. -

-
-
-
-
-

5.6.1. Installer and image creation

-
-
-
-
-

Several Kickstart commands and options have been deprecated -

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in - the logs. -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still - available and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- (BZ#1642765) -

-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you - modify your Kickstart file to remove the option. -

-
-

- (BZ#1637872) -

-
-

lorax-composer back end for Image Builder - is deprecated in RHEL 8

-

- The previous back end lorax-composer for Image Builder is - considered deprecated. It will only receive select fixes for the rest of the Red Hat - Enterprise Linux 8 life cycle and will be omitted from future major releases.  Red Hat - recommends that you uninstall lorax-composer the and install - osbuild-composer back end instead. -

-
-

- See Composing - a customized RHEL system image for more details. -

-

- (BZ#1893767) -

-
-
-
-
-
-

5.6.2. Software management

-
-
-
-
-

rpmbuild --sign is deprecated

-

- With this update, the rpmbuild --sign command has become - deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in - an error. It is recommended that you use the rpmsign command - instead. -

-
-

- (BZ#1688849) -

-
-
-
-
-
-

5.6.3. Shells and command-line tools

-
-
-
-
-

Metalink support for curl has been disabled.

-

- A flaw was found in curl functionality in the way it handles credentials and file hash - mismatch for content downloaded using the Metalink. This flaw allows malicious actors - controlling a hosting server to: -

-
-
-
    -
  • - Trick users into downloading malicious content -
  • -
  • - Gain unauthorized access to provided credentials without the user’s knowledge -
  • -
-
-

- The highest threat from this vulnerability is confidentiality and integrity. To avoid this, the - Metalink support for curl has been disabled from Red Hat Enterprise Linux 8.2.0.z. -

-

- As a workaround, execute the following command, after the Metalink file is downloaded: -

-
wget --trust-server-names --input-metalink`
-

- For example: -

-
wget --trust-server-names --input-metalink <(curl -s $URL)
-

- (BZ#1999620) -

-
-
-
-
-
-

5.6.4. Infrastructure services

-
-
-
-
-

mailman is deprecated

-

- With this update, the mailman packages have been marked as - deprecated and will not be available in the future major releases of Red Hat Enterprise - Linux. -

-
-

- (BZ#1890976) -

-
-
-
-
-
-

5.6.5. Security

-
-
-
-
-

NSS SEED ciphers are deprecated -

-

- The Mozilla Network Security Services (NSS) library will not - support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth - transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat - recommends enabling support for other cipher suites. -

-
-

- Note that SEED ciphers are already disabled by default in RHEL. -

-

- (BZ#1817533) -

-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer - Portal and the update-crypto-policies(8) man page. -

-

- (BZ#1660839) -

-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux - 8. Authentication mechanisms that depend on DSA keys do not work in the default - configuration. Note that OpenSSH clients do not accept DSA host - keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- (BZ#1646541) -

-
-

SSL2 Client Hello has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and - earlier allow to start a negotiation with a Client Hello - message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this - feature may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- (BZ#1645153) -

-
-

TPM 1.2 is deprecated

-

- The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to - version 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward - compatible with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be - removed in the next major release. -

-
-

- (BZ#1657927) -

-
-
-
-
-
-

5.6.6. Networking

-
-
-
-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided - by default. The basic installation provides a new version of the ifup and ifdown scripts which call - the NetworkManager service through the - nmcli tool. In Red Hat Enterprise Linux - 8, to run the ifup and the ifdown - scripts, NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local - scripts are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
~]# yum install network-scripts
-

- The ifup and ifdown scripts link to - the installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- (BZ#1647725) -

-
-
-
-
-
-

5.6.7. Kernel

-
-
-
-
-

Installing RHEL for Real Time 8 using diskless boot is now - deprecated

-

- Diskless booting allows multiple systems to share a root file system via the network. While - convenient, diskless boot is prone to introducing network latency in realtime workloads. - With a future minor update of RHEL for Real Time 8, the diskless booting feature will no - longer be supported. -

-
-

- (BZ#1748980) -

-
-

The qla3xxx driver is deprecated -

-

- The qla3xxx driver has been deprecated in RHEL 8. The driver - will likely not be supported in future major releases of this product, and thus it is not - recommended for new deployments. -

-
-

- (BZ#1658840) -

-
-

The dl2k, dnet, ethoc, and dlci drivers are deprecated

-

- The dl2k, dnet, ethoc, and dlci drivers have been - deprecated in RHEL 8. The drivers will likely not be supported in future major releases of - this product, and thus they are not recommended for new deployments. -

-
-

- (BZ#1660627) -

-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, - is a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE - feature is available as an unsupported Technology Preview. However, due to stability issues, - this feature has been deprecated and will be removed in RHEL 9. -

-
-

- (BZ#1878207) -

-
-
-
-
-
-

5.6.8. File systems and storage

-
-
-
-
-

The elevator kernel command line parameter - is deprecated

-

- The elevator kernel command line parameter was used in earlier - RHEL releases to set the disk scheduler for all devices. In RHEL 8, the parameter is - deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is - typically the optimal setting. If you require a different scheduler, Red Hat recommends that you - use udev rules or the Tuned service to configure it. Match the - selected devices and switch the scheduler only for those devices. -

-

- For more information, see Setting - the disk scheduler. -

-

- (BZ#1665295) -

-
-

LVM mirror is deprecated

-

- The LVM mirror segment type is now deprecated. Support for - mirror will be removed in a future major release of RHEL. -

-
-

- Red Hat recommends that you use LVM RAID 1 devices with a segment type of raid1 instead of mirror. The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, - see Converting - a mirrored LVM device to a RAID1 logical volume. -

-

- LVM mirror has several known issues. For details, see known issues in file systems and storage. -

-

- (BZ#1827628) -

-
-

peripety is deprecated

-

- The peripety package is deprecated since RHEL 8.3. -

-
-

- The Peripety storage event notification daemon parses system storage logs into structured - storage events. It helps you investigate storage issues. -

-

- (BZ#1871953) -

-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by - default. This change affects only NFS version 3 because version 4 requires the Transmission - Control Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- (BZ#1592011) -

-
-

cramfs has been deprecated

-

- Due to lack of users, the cramfs kernel module is deprecated. - squashfs is recommended as an alternative solution. -

-
-

- (BZ#1794513) -

-
-
-
-
-
-

5.6.9. Identity Management

-
-
-
-
-

openssh-ldap has been deprecated -

-

- The openssh-ldap subpackage has been deprecated in Red Hat - Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat - recommends using SSSD and the sss_ssh_authorizedkeys helper, - which integrate better with other IdM solutions and are more secure. -

-
-

- By default, the SSSD ldap and ipa - providers read the sshPublicKey LDAP attribute of the user object, - if available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from - Active Directory (AD), since AD does not have a default LDAP attribute to store a public key. -

-

- To allow the sss_ssh_authorizedkeys helper to get the key from - SSSD, enable the ssh responder by adding ssh to the services option in the sssd.conf file. See the sssd.conf(5) man - page for details. -

-

- To allow sshd to use sss_ssh_authorizedkeys, add the AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page. -

-

- (BZ#1871025) -

-
-

DES and 3DES encryption types have been removed

-

- Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated - and disabled by default since RHEL 7. With the recent rebase of Kerberos packages, - single-DES (DES) and triple-DES (3DES) encryption types have been removed from RHEL 8. -

-
-

- If you have configured services or users to only use DES or 3DES encryption, you might - experience service interruptions such as: -

-
-
    -
  • - Kerberos authentication errors -
  • -
  • - unknown enctype encryption errors -
  • -
  • - Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (K/M) fail to start -
  • -
-
-

- Perform the following actions to prepare for the upgrade: -

-
-
    -
  1. - Check if your KDC uses DES or 3DES encryption with the krb5check open source Python scripts. See krb5check on GitHub. -
  2. -
  3. - If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a - supported encryption type, such as Advanced Encryption Standard (AES). For instructions - on re-keying, see Retiring - DES from MIT Kerberos Documentation. -
  4. -
  5. -

    - Test independence from DES and 3DES by temporarily setting the following Kerberos - options before upgrading: -

    -
    -
      -
    1. - In /var/kerberos/krb5kdc/kdc.conf on the KDC, - set supported_enctypes and do not include des or des3. -
    2. -
    3. - For every host, in /etc/krb5.conf and any files - in /etc/krb5.conf.d, set allow_weak_crypto to false. It is false by default. -
    4. -
    5. - For every host, in /etc/krb5.conf and any files - in /etc/krb5.conf.d, set permitted_enctypes, default_tgs_enctypes, and default_tkt_enctypes and do not include des or des3. -
    6. -
    -
    -
  6. -
  7. - If you do not experience any service interruptions with the test Kerberos settings from - the previous step, remove them and upgrade. You do not need those settings after - upgrading to the latest Kerberos packages. -
  8. -
-
-

- (BZ#1877991) -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- (JIRA:RHELDOCS-16612) -

-
-
-
-
-
-

5.6.10. Desktop

-
-
-
-
-

The libgnome-keyring library has been - deprecated

-

- The libgnome-keyring library has been deprecated in favor of - the libsecret library, as libgnome-keyring is not maintained upstream, and does not follow - the necessary cryptographic policies for RHEL. The new libsecret library is the replacement that follows the necessary - security standards. -

-
-

- (BZ#1607766) -

-
-

The AlternateTab extension has been removed

-

- The gnome-shell-extension-alternate-tab package, which provides - the AlternateTab GNOME Shell extension, - has been removed. -

-
-

- To configure the window-switching behavior, set a keyboard shortcut in keyboard settings. For - more information, see the following article: Using Alternate-Tab in Gnome 3.32 or - later. (BZ#1922488) -

-
-
-
-
-
-

5.6.11. Graphics infrastructures

-
-
-
-
-

AGP graphics cards are no longer supported

-

- Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat - Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended - replacement. -

-
-

- (BZ#1569610) -

-
-
-
-
-
-

5.6.12. The web console

-
-
-
-
-

The web console no longer supports incomplete translations

-

- The RHEL web console no longer provides translations for languages that have translations - available for less than 50 % of the Console’s translatable strings. If the browser requests - translation to such a language, the user interface will be in English instead. -

-
-

- (BZ#1666722) -

-
-
-
-
-
-

5.6.13. Red Hat Enterprise Linux System Roles

-
-
-
-
-

The geoipupdate package has been - deprecated

-

- The geoipupdate package requires a third-party subscription and - it also downloads proprietary content. Therefore, the geoipupdate package has been deprecated, and will be removed in - the next major RHEL version. -

-
-

- (BZ#1874892) -

-
-
-
-
-
-

5.6.14. Virtualization

-
-
-
-
-

SPICE has been deprecated

-

- The SPICE remote display protocol has become deprecated. As a result, SPICE will remain - supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display - streaming: -

-
-
-
    -
  • - For remote console access, use the VNC protocol. -
  • -
  • - For advanced remote display functions, use third party tools such as RDP, HP RGS, or - Mechdyne TGX. -
  • -
-
-

- Note that the QXL graphics device, which is - used by SPICE, has become deprecated as well. -

-

- (BZ#1849563) -

-
-

virt-manager has - been deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The - RHEL 8 web console, also known as Cockpit, is intended to become its - replacement in a subsequent release. It is, therefore, recommended that you use the web - console for managing virtualization in a GUI. Note, however, that some features available in - virt-manager may not be yet available - the RHEL 8 web console. -

-
-

- (JIRA:RHELPLAN-10304) -

-
-

Virtual machine snapshots are not properly supported in RHEL 8 -

-

- The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it - is not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL - 8. -

-
-

- Note that a new VM snapshot mechanism is under development and will be fully implemented in a - future minor release of RHEL 8. -

-

- (BZ#1686057) -

-
-

The Cirrus VGA - virtual GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA. -

-
-

- (BZ#1651994) -

-
-
-
-
-
-

5.6.15. Containers

-
-
-
-
-

Podman varlink-based REST API V1 has been deprecated

-

- The Podman varlink-based REST API V1 has been deprecated upstream in favor of the new Podman - REST API V2. This functionality will be removed in a later release of Red Hat Enterprise - Linux 8. -

-
-

- (JIRA:RHELPLAN-60226) -

-
-
-
-
-
-

5.6.16. Deprecated packages

-
-
-
-

- The following packages have been deprecated and will probably not be included in a future major - release of Red Hat Enterprise Linux: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - authd -
  • -
  • - custodia -
  • -
  • - hostname -
  • -
  • - libidn -
  • -
  • - lorax-composer -
  • -
  • - mercurial -
  • -
  • - net-tools -
  • -
  • - network-scripts -
  • -
  • - nss-pam-ldapd -
  • -
  • - sendmail -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
-
-
-
-
-
-
-
-

5.7. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8.3. -

-
-
-
-
-

5.7.1. Installer and image creation

-
-
-
-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart - commands during installation. Without this package, the installation fails if auth or authconfig are used. - However, by design, the authselect-compat package is only - available in the AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to - the installer or use the authselect Kickstart command during - installation. -

-

- (BZ#1640697) -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec - Kickstart command or the inst.kexec kernel boot parameters do - not provide the same predictable system state as a full reboot. As a consequence, switching - to the installed system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- (BZ#1697896) -

-
-

Network access is not enabled by default in the installation - program

-

- Several installation features require network access, for example, registration of a system - using the Content Delivery Network (CDN), NTP server support, and network installation - sources. However, network access is not enabled by default, and as a result, these features - cannot be used until network access is enabled. -

-
-

- To work around this problem, add ip=dhcp to boot options to enable - network access when the installation starts. Optionally, passing a Kickstart file or a - repository located on the network using boot options also resolves the problem. As a result, the - network-based installation features can be used. -

-

- (BZ#1757877) -

-
-

The new osbuild-composer back end does not - replicate the blueprint state from lorax-composer on - upgrades

-

- Image Builder users that are upgrading from the lorax-composer - back end to the new osbuild-composer back end, blueprints can - disappear. As a result, once the upgrade is complete, the blueprints do not display - automatically. To work around this problem, perform the following steps. -

-
-
-

Prerequisites

-
    -
  • - You have the composer-cli CLI utility installed. -
  • -
-
-
-

Procedure

-
    -
  1. -

    - Run the command to load the previous lorax-composer - based blueprints into the new osbuild-composer back - end: -

    -
    $ for blueprint in $(find /var/lib/lorax/composer/blueprints/git/workspace/master -name '*.toml'); do composer-cli blueprints push "${blueprint}"; done
    -
  2. -
-
-

- As a result, the same blueprints are now available in osbuild-composer back end. -

-
-

Additional resources

- -
-

- (BZ#1897383) -

-
-

Self-signed HTTPS server cannot be used in Kickstart - installation

-

- Currently, the installer fails to install from a self-signed https server when the - installation source is specified in the kickstart file and the --noverifyssl option is used: -

-
-
url --url=https://SERVER/PATH --noverifyssl
-

- To work around this problem, append the inst.noverifyssl parameter - to the kernel command line when starting the kickstart installation. -

-

- For example: -

-
inst.ks=<URL> inst.noverifyssl
-

- (BZ#1745064) -

-
-

GUI installation might fail if an attempt to unregister using the CDN - is made before the repository refresh is completed

-

- Since RHEL 8.2, when registering your system and attaching subscriptions using the Content - Delivery Network (CDN), a refresh of the repository metadata is started by the GUI - installation program. The refresh process is not part of the registration and subscription - process, and as a consequence, the Unregister button is enabled in the Connect to Red Hat window. Depending on - the network connection, the refresh process might take more than a minute to complete. If - you click the Unregister button before - the refresh process is completed, the GUI installation might fail as the unregister process - removes the CDN repository files and the certificates required by the installation program - to communicate with the CDN. -

-
-

- To work around this problem, complete the following steps in the GUI installation after you have - clicked the Register button in the Connect to Red Hat window: -

-
-
    -
  1. - From the Connect to Red Hat window, - click Done to return to the Installation Summary window. -
  2. -
  3. - From the Installation Summary - window, verify that the Installation - Source and Software - Selection status messages in italics are not displaying any - processing information. -
  4. -
  5. - When the Installation Source and Software Selection categories are ready, click Connect to Red Hat. -
  6. -
  7. - Click the Unregister button. -
  8. -
-
-

- After performing these steps, you can safely unregister the system during the GUI installation. -

-

- (BZ#1821192) -

-
-

Registration fails for user accounts that belong to multiple - organizations

-

- Currently, when you attempt to register a system with a user account that belongs to - multiple organizations, the registration process fails with the error message You must specify an organization for new - units. -

-
-

- To work around this problem, you can either: -

-
-
    -
  • - Use a different user account that does not belong to multiple organizations. -
  • -
  • - Use the Activation Key - authentication method available in the Connect to Red Hat feature for GUI and Kickstart - installations. -
  • -
  • - Skip the registration step in Connect to Red Hat and use Subscription Manager to - register your system post-installation. -
  • -
-
-

- (BZ#1822880) -

-
-

RHEL installer fails to start when InfiniBand network interfaces are - configured using installer boot options

-

- When you configure InfiniBand network interfaces at an early stage of RHEL installation - using installer boot options (for example, to download installer image using PXE server), - the installer fails to activate the network interfaces. -

-
-

- This issue occurs because the RHEL NetworkManager fails to recognize the network interfaces in - InfiniBand mode, and instead configures Ethernet connections for the interfaces. -

-

- As a result, connection activation fails, and if the connectivity over the InfiniBand interface - is required at an early stage, RHEL installer fails to start the installation. -

-

- To workaround this issue, create a new installation media including the updated Anaconda and - NetworkManager packages, using the Lorax tool. -

-

- For more information about creating a new installation media including the updated Anaconda and - NetworkManager packages, using the Lorax tool, see Unable to install Red Hat Enterprise - Linux 8.3.0 with InfiniBand network interfaces -

-

- (BZ#1890261) -

-
-

Anaconda installation fails when NVDIMM device namespace set to devdax mode.

-

- Anaconda installation fails with a trackback after booting with NVDIMM device namespace set - to devdax mode before the GUI installation. -

-
-

- To workaround this problem, reconfigure the NVDIMM device to set the namespace to a different - mode than the devdax mode before the installation begins. As a - result, you can proceed with the installation. -

-

- (BZ#1891827) -

-
-

Local Media installation source is not - detected when booting the installation from a USB that is created using a third party - tool

-

- When booting the RHEL installation from a USB that is created using a third party tool, the - installer fails to detect the Local Media installation source - (only 'Red Hat CDN' is detected). -

-
-

- This issue occurs because the default boot option int.stage2= - attempts to search for iso9660 image format. However, a third party - tool might create an ISO image with a different format. -

-

- As a workaround, use either of the following solution: -

-
-
    -
  • - When booting the installation, click the Tab key to edit - the kernel command line, and change the boot option inst.stage2= to inst.repo=. -
  • -
  • - To create a bootable USB device on Windows, use Fedora Media Writer. -
  • -
  • - When using a third party tool like Rufus to create a bootable USB device, first - regenerate the RHEL ISO image on a Linux system, and then use the third party tool to - create a bootable USB device. -
  • -
-
-

- For more information on the steps involved in performing any of the specified workaround, see, - Installation media is not - auto detected during the installation of RHEL 8.3 -

-

- (BZ#1877697) -

-
-

Anaconda now shows a dialog for ldl or - unformatted DASD disks in text mode

-

- Previously, during an installation in text mode, Anaconda failed to show a dialog for Linux - disk layout (ldl) or unformatted Direct-Access Storage Device - (DASD) disks. As a result, users were unable to utilize those disks for the installation. -

-
-

- With this update, in text mode Anaconda recognizes ldl and - unformatted DASD disks and shows a dialog where users can format them properly for the future - utilization for the installation. -

-

- (BZ#1874394) -

-
-

Red Hat Insights client fails to register the operating system when - using the graphical installer

-

- Currently, the installation fails with an error at the end, which points to the Insights - client. -

-
-

- To work around this problem, uncheck the Connect to Red Hat - Insights option during the Connect - to Red Hat step before registering the systems in the installer. -

-

- As a result, you can complete the installation and register to Insights afterwards by using this - command: -

-
# insights-client --register
-

- (BZ#1931069) -

-
-
-
-
-
-

5.7.2. Subscription management

-
-
-
-
-

syspurpose addons have no effect on the - subscription-manager attach --auto output.

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose command-line tool have been added: role,usage, service_level_agreement and addons. - Currently, only role, usage and - service_level_agreement affect the output of running the subscription-manager attach --auto command. Users who attempt to - set values to the addons argument will not observe any effect - on the subscriptions that are auto-attached. -

-
-

- (BZ#1687900) -

-
-
-
-
-
-

5.7.3. Infrastructure services

-
-
-
-
-

libmaxminddb-devel-debuginfo.rpm is - removed when running dnf update

-

- When performing the dnf update command, the binary mmdblookup tool is moved from the libmaxminddb-devel subpackage to the main libmaxmindb package. Consequently, the libmaxminddb-devel-debuginfo.rpm is removed, which might create a - broken update path for this package. To work around this problem, remove the libmaxminddb-devel-debuginfo prior to the execution of the dnf update command. -

-
-

- Note: libmaxminddb-debuginfo is the new debuginfo package. -

-

- (BZ#1642001) -

-
-
-
-
-
-

5.7.4. Security

-
-
-
-
-

Users can run sudo commands as locked - users

-

- In systems where sudoers permissions are defined with the ALL keyword, sudo users with - permissions can run sudo commands as users whose accounts are - locked. Consequently, locked and expired accounts can still be used to execute commands. -

-
-

- To work around this problem, enable the newly implemented runas_check_shell option together with proper settings of valid - shells in /etc/shells. This prevents attackers from running - commands under system accounts such as bin. -

-

- (BZ#1786990) -

-
-

GnuTLS fails to resume current session with the NSS server

-

- When resuming a TLS (Transport Layer Security) 1.3 session, the GnuTLS client waits 60 milliseconds plus an estimated round trip - time for the server to send session resumption data. If the server does not send the - resumption data within this time, the client creates a new session instead of resuming the - current session. This incurs no serious adverse effects except for a minor performance - impact on a regular session negotiation. -

-
-

- (BZ#1677754) -

-
-

libselinux-python is available only - through its module

-

- The libselinux-python package contains only Python 2 bindings - for developing SELinux applications and it is used for backward compatibility. For this - reason, libselinux-python is no longer available in the default - RHEL 8 repositories through the dnf install libselinux-python - command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# dnf module enable libselinux-python
-# dnf install libselinux-python
-

- Alternatively, install libselinux-python using its install profile - with a single command: -

-
# dnf module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- (BZ#1666328) -

-
-

udica processes UBI 8 containers only when - started with --env container=podman

-

- The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman - value. This prevents the udica tool from analyzing a container - JavaScript Object Notation (JSON) file. -

-
-

- To work around this problem, start a UBI 8 container using a podman - command with the --env container=podman parameter. As a result, - udica can generate an SELinux policy for a UBI 8 container only - when you use the described workaround. -

-

- (BZ#1763210) -

-
-

Negative effects of the default logging setup on performance -

-

- The default logging environment setup might consume 4 GB of memory or even more and - adjustments of rate-limit values are complex when systemd-journald is running with rsyslog. -

-
-

- See the Negative effects of - the RHEL default logging setup on performance and their mitigations Knowledgebase - article for more information. -

-

- (JIRA:RHELPLAN-10431) -

-
-

File permissions of /etc/passwd- are not - aligned with the CIS RHEL 8 Benchmark 1.0.0

-

- Because of an issue with the CIS Benchmark, the remediation of the SCAP rule that ensures - permissions on the /etc/passwd- backup file configures - permissions to 0644. However, the CIS Red Hat Enterprise Linux 8 Benchmark 1.0.0 requires file - permissions 0600 for that file. As a consequence, the file - permissions of /etc/passwd- are not aligned with the benchmark - after remediation. -

-
-

- (BZ#1858866) -

-
-

SELINUX=disabled in /etc/selinux/config does not work properly

-

- Disabling SELinux using the SELINUX=disabled option in the - /etc/selinux/config results in a process in which the kernel - boots with SELinux enabled and switches to disabled mode later in the boot process. This - might cause memory leaks. -

-
-

- To work around this problem, disable SELinux by adding the selinux=0 parameter to the kernel command line as described in the Changing - SELinux modes at boot time section of the Using - SELinux title if your scenario really requires to completely disable SELinux. -

-

- (JIRA:RHELPLAN-34199) -

-
-

ssh-keyscan cannot retrieve RSA keys of - servers in FIPS mode

-

- The SHA-1 algorithm is disabled for RSA signatures in FIPS - mode, which prevents the ssh-keyscan utility from retrieving - RSA keys of servers operating in that mode. -

-
-

- To work around this problem, use ECDSA keys instead, or retrieve the keys locally from the /etc/ssh/ssh_host_rsa_key.pub file on the server. -

-

- (BZ#1744108) -

-
-

OpenSSL incorrectly handles PKCS #11 - tokens that does not support raw RSA or RSA-PSS signatures

-

- The OpenSSL library does not detect key-related capabilities of - PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is - created with a token that does not support raw RSA or RSA-PSS signatures. -

-
-

- To work around the problem, add the following lines after the .include line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file: -

-
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
-MaxProtocol = TLSv1.2
-

- As a result, a TLS connection can be established in the described scenario. -

-

- (BZ#1685470) -

-
-

OpenSSL in FIPS mode accepts only specific D-H parameters

-

- In FIPS mode, Transport Security Layer (TLS) clients that use OpenSSL return a bad dh value error and abort TLS connections to servers that use - manually generated parameters. This is because OpenSSL, when configured to work in - compliance with FIPS 140-2, works only with D-H parameters compliant to NIST SP 800-56A rev3 - Appendix D (groups 14, 15, 16, 17, and 18 defined in RFC 3526 and with groups defined in RFC - 7919). Also, servers that use OpenSSL ignore all other parameters and instead select known - parameters of similar size. To work around this problem, use only the compliant groups. -

-
-

- (BZ#1810911) -

-
-

Removing the rpm-plugin-selinux package - leads to removing all selinux-policy packages from the - system

-

- Removing the rpm-plugin-selinux package disables SELinux on the - machine. It also removes all selinux-policy packages from the - system. Repeated installation of the rpm-plugin-selinux package - then installs the selinux-policy-minimum SELinux policy, even - if the selinux-policy-targeted policy was previously present on - the system. However, the repeated installation does not update the SELinux configuration - file to account for the change in policy. As a consequence, SELinux is disabled even upon - reinstallation of the rpm-plugin-selinux package. -

-
-

- To work around this problem: -

-
-
    -
  1. - Enter the umount /sys/fs/selinux/ command. -
  2. -
  3. - Manually install the missing selinux-policy-targeted - package. -
  4. -
  5. - Edit the /etc/selinux/config file so that the policy is - equal to SELINUX=enforcing. -
  6. -
  7. - Enter the command load_policy -i. -
  8. -
-
-

- As a result, SELinux is enabled and running the same policy as before. -

-

- (BZ#1641631) -

-
-

systemd service - cannot execute commands from arbitrary paths

-

- The systemd service cannot execute - commands from /home/user/bin arbitrary paths because the - SELinux policy package does not include any such rule. Consequently, the custom services - that are executed on non-system paths fail and eventually logs the Access Vector Cache (AVC) - denial audit messages when SELinux denied access. To work around this problem, do one of the - following: -

-
-
-
    -
  • -

    - Execute the command using a shell script with the -c option. For example, -

    -
    bash -c command
    -
  • -
  • - Execute the command from a common path using /bin, /sbin, /usr/sbin, /usr/local/bin, and /usr/local/sbin common directories. -
  • -
-
-

- (BZ#1860443) -

-
-

rpm_verify_permissions fails in the CIS - profile

-

- The rpm_verify_permissions rule compares file permissions to - package default permissions. However, the Center for Internet Security (CIS) profile, which - is provided by the scap-security-guide packages, changes some - file permissions to be more strict than default. As a consequence, verification of certain - files using rpm_verify_permissions fails. -

-
-

- To work around this problem, manually verify that these files have the following permissions: -

-
-
    -
  • - /etc/cron.d (0700) -
  • -
  • - /etc/cron.hourly (0700) -
  • -
  • - /etc/cron.monthly (0700) -
  • -
  • - /etc/crontab (0600) -
  • -
  • - /etc/cron.weekly (0700) -
  • -
  • - /etc/cron.daily (0700) -
  • -
-
-

- (BZ#1843913) -

-
-

Kickstart uses org_fedora_oscap instead of - com_redhat_oscap in RHEL 8

-

- The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda - add-on as org_fedora_oscap instead of com_redhat_oscap which might cause confusion. That is done to - preserve backward compatibility with Red Hat Enterprise Linux 7. -

-
-

- (BZ#1665082) -

-
-

Certain sets of interdependent rules in SSG can fail

-

- Remediation of SCAP Security Guide (SSG) rules in a benchmark - can fail due to undefined ordering of rules and their dependencies. If two or more rules - need to be executed in a particular order, for example, when one rule installs a component - and another rule configures the same component, they can run in the wrong order and - remediation reports an error. To work around this problem, run the remediation twice, and - the second run fixes the dependent rules. -

-
-

- (BZ#1750755) -

-
-

OSCAP Anaconda Addon does not install all - packages in text mode

-

- The OSCAP Anaconda Addon plugin cannot modify the list of - packages selected for installation by the system installer if the installation is running in - text mode. Consequently, when a security policy profile is specified using Kickstart and the - installation is running in text mode, any additional packages required by the security - policy are not installed during installation. -

-
-

- To work around this problem, either run the installation in graphical mode or specify all - packages that are required by the security policy profile in the security policy in the %packages section in your Kickstart file. -

-

- As a result, packages that are required by the security policy profile are not installed during - RHEL installation without one of the described workarounds, and the installed system is not - compliant with the given security policy profile. -

-

- (BZ#1674001) -

-
-

OSCAP Anaconda Addon does not correctly - handle customized profiles

-

- The OSCAP Anaconda Addon plugin does not properly handle - security profiles with customizations in separate files. Consequently, the customized - profile is not available in the RHEL graphical installation even when you properly specify - it in the corresponding Kickstart section. -

-
-

- To work around this problem, follow the instructions in the Creating a single SCAP data stream from an - original DS and a tailoring file Knowledgebase article. As a result of this workaround, - you can use a customized SCAP profile in the RHEL graphical installation. -

-

- (BZ#1691305) -

-
-

OSPP-based profiles are incompatible with GUI package groups. -

-

- GNOME packages installed by the Server with GUI package group require the nfs-utils package that is not compliant with the Operating System - Protection Profile (OSPP). As a consequence, selecting the Server - with GUI package group during the installation of a system with OSPP or - OSPP-based profiles, for example, Security Technical Implementation Guide (STIG), OpenSCAP - displays a warning that the selected package group is not compatible with the security - policy. If the OSPP-based profile is applied after the installation, the system is not - bootable. To work around this problem, do not install the Server - with GUI package group or any other groups that install GUI when using - the OSPP profile and OSPP-based profiles. When you use the Server or Minimal - Install package groups instead, the system installs without issues and - works correctly. -

-
-

- (BZ#1787156) -

-
-

Installation with the Server with GUI or - Workstation software selections and CIS security profile is - not possible

-

- The CIS security profile is not compatible with the Server with GUI and Workstation - software selections. As a consequence, a RHEL 8 installation with the Server with GUI software selection and CIS profile is not - possible. An attempted installation using the CIS profile and either of these software - selections will generate the error message: -

-
-
package xorg-x11-server-common has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the installation.
-

- To work around the problem, do not use the CIS security profile with the Server with GUI or Workstation software - selections. -

-

- (BZ#1843932) -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a - service enable or disable state - remediation is not needed. Consequently, OpenSCAP might set the services on the installed - system to a non-compliant state. As a workaround, you can scan and remediate the system - after the kickstart installation. This will fix the service-related issues. -

-
-

- (BZ#1834716) -

-
-

Certain rsyslog priority strings do not - work correctly

-

- Support for the GnuTLS priority string - for imtcp that allows fine-grained control over encryption is - not complete. Consequently, the following priority strings do not work properly in rsyslog: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- (BZ#1679512) -

-
-

crypto-policies incorrectly allow Camellia - ciphers

-

- The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy - levels, as stated in the product documentation. However, the Kerberos protocol enables the - ciphers by default. -

-
-

- To work around the problem, apply the NO-CAMELLIA subpolicy: -

-
# update-crypto-policies --set DEFAULT:NO-CAMELLIA
-

- In the previous command, replace DEFAULT with the cryptographic - level name if you have switched from DEFAULT previously. -

-

- As a result, Camellia ciphers are correctly disallowed across all applications that use - system-wide crypto policies only when you disable them through the workaround. (BZ#1919155) -

-
-
-
-
-
-

5.7.5. Networking

-
-
-
-
-

The iptables utility now requests module - loading for commands that update a chain regardless of the NLM_F_CREATE flag

-

- Previously, when setting a chain’s policy, the iptables-nft - utility generated a NEWCHAIN message but did not set the NLM_F_CREATE flag. As a consequence, the RHEL 8 kernel did not - load any modules and the resulting update chain command failed if the associated kernel - modules were not manually loaded. With this update, the iptables-nft utility now requests module loading for all commands - that update a chain and users are able to set a chain’s policy using the iptables-nft utility without manually loading the associated - modules. -

-
-

- (BZ#1812666) -

-
-

Support for updating packet/byte counters - in the kernel was changed incorrectly between RHEL 7 and RHEL 8

-

- When referring to an ipset command with enabled counters from - an iptables rule, which specifies additional constraints on - matching ipset entries, the ipset - counters are updated only if all the additional constraints match. This is also problematic - with --packets-gt or --bytes-gt - constraints. -

-
-

- As a result, when migrating an iptables ruleset from RHEL 7 to RHEL - 8, the rules involving ipset lookups may stop working and need to - be adjusted. To work around this problem, avoid using the --packets-gt or --bytes-gt options and - replace them with the --packets-lt or --bytes-lt options. -

-

- (BZ#1806882) -

-
-

Unloading XDP programs fails on Netronome network cards that use the - nfp driver

-

- The nfp driver for Netronome network cards contains a bug. - Therefore, unloading eXpress Data Path (XDP) programs fails if you use such cards and load - the XDP program using the IFLA_XDP_EXPECTED_FD feature with the - XDP_FLAGS_REPLACE flag. For example, this bug affects XDP - programs that are loaded using the libxdp library. Currently, - there is no workaround available for the problem. -

-
-

- (BZ#1880268) -

-
-

Anaconda does not have network access when using DHCP in the ip boot option

-

- The initial RAM disk (initrd) uses NetworkManager to manage - networking. The dracut NetworkManager module provided by the - RHEL 8.3 ISO file incorrectly assumes that the first field of the ip option in the Anaconda boot options is always set. As a - consequence, if you use DHCP and set ip=::::<host_name>::dhcp, NetworkManager does not retrieve - an IP address, and the network is not available in Anaconda. -

-
-

- You have the following options to work around the problem: -

-
-
    -
  1. -

    - Set the first field in the ip`option to `. (period): -

    -
    ip=.::::<host_name>::dhcp
    -

    - Note that this work around will not work in future versions of RHEL when the problem - has been fixed. -

    -
  2. -
  3. - Re-create the boot.iso file using the latest packages from - the BaseOS repository that contains a fix for the bug: . -
  4. -
-
-
# lorax '--product=Red Hat Enterprise Linux' --version=8.3 --release=8.3 \
-    --source=<URL_to_BaseOS_repository> \
-    --source=<URL_to_AppStream_repository> \
-    --nomacboot --buildarch=x86_64 '--volid=RHEL 8.3' <output_directory>
-

- . Note that Red Hat does not support self-created ISO files. -

-

- As a result, RHEL retrieves an IP address from the DHCP server, and network access is available - in Anaconda. -

-

- (BZ#1902791) -

-
-
-
-
-
-

5.7.6. Kernel

-
-
-
-
-

The tboot-1.9.12-2 utility causes a boot - failure in RHEL 8

-

- The tboot utility of version 1.9.12-2 causes some systems with - Trusted Platform Module (TPM) 2.0 to fail to boot in legacy mode. As a consequence, the - system halts once it attempts to boot from the tboot Grand Unified Bootloader (GRUB) entry. - To workaround this problem, downgrade to tboot of version - 1.9.10. -

-
-

- (BZ#1947839) -

-
-

The kernel returns false positive warnings on IBM Z systems -

-

- In RHEL 8, IBM Z systems are missing a whitelist entry for the ZONE_DMA memory zone to allow user access. Consequently, the - kernel returns false positive warnings such as: -

-
-
...
-Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dma-kmalloc-192' (offset 0, size 144)!
-WARNING: CPU: 0 PID: 8519 at mm/usercopy.c:83 usercopy_warn+0xac/0xd8
-...
-

- The warnings appear when accessing certain system information through the sysfs interface. For example, by running the debuginfo.sh script. -

-

- To work around this problem, add the hardened_usercopy=off - parameter to the kernel command line. -

-

- As a result, no warning messages are displayed in the described scenario. -

-

- (BZ#1660290) -

-
-

The rngd service busy wait causes total - CPU consumption in FIPS mode

-

- A new kernel entropy source for FIPS mode has been added for kernels starting with version - 4.18.0-193.10. Consequently, when in FIPS mode, the rngd - service busy waits on the poll() system call for the /dev/random device, thereby causing consumption of 100% of CPU - time. To work around this problem, stop and disable rngd by - running: -

-
-
# systemctl stop rngd
-# systemctl disable rngd
-

- As a result, rngd no longer busy waits on poll() in the described scenario. -

-

- (BZ#1884857) -

-
-

softirq changes can cause the localhost - interface to drop UDP packets when under heavy load

-

- Changes in the Linux kernel’s software interrupt (softirq) - handling are done to reduce denial of service (DOS) effects. Consequently, this leads to - situations where the localhost interface drops User Datagram Protocol (UDP) packets under - heavy load. -

-
-

- To work around this problem, increase the size of the network device backlog buffer to value - 6000: -

-
echo 6000 > /proc/sys/net/core/netdev_max_backlog
-

- In Red Hat tests, this value was sufficient to prevent packet loss. More heavily loaded systems - might require larger backlog values. Increased backlogs have the effect of potentially - increasing latency on the localhost interface. -

-

- The result is to increase the buffer and allow more packets to be waiting for processing, which - reduces the chances of dropping localhost packets. -

-

- (BZ#1779337) -

-
-

A vmcore capture fails after memory - hot-plug or unplug operation

-

- After performing the memory hot-plug or hot-unplug operation, the event comes after updating - the device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical - address. The problem appears if all of the following conditions meet: -

-
-
-
    -
  • - A little-endian variant of IBM Power System runs RHEL 8. -
  • -
  • - The kdump or fadump service is - enabled on the system. -
  • -
-
-

- Consequently, the capture kernel fails to save vmcore if a kernel - crash is triggered after the memory hot-plug or hot-unplug operation. -

-

- To work around this problem, restart the kdump service after - hot-plug or hot-unplug: -

-
# systemctl restart kdump.service
-

- As a result, vmcore is successfully saved in the described - scenario. -

-

- (BZ#1793389) -

-
-

Using irqpoll causes vmcore generation failure

-

- Due to an existing problem with the nvme driver on the 64-bit - ARM architectures that run on the Amazon Web Services (AWS) cloud platforms, the vmcore generation fails when you provide the irqpoll kernel command line parameter to the first kernel. - Consequently, no vmcore file is dumped in the /var/crash/ directory after a kernel crash. To work around this - problem: -

-
-
-
    -
  1. - Add irqpoll to the KDUMP_COMMANDLINE_REMOVE key in the /etc/sysconfig/kdump file. -
  2. -
  3. - Restart the kdump service by running the systemctl restart kdump command. -
  4. -
-
-

- As a result, the first kernel boots correctly and the vmcore file - is expected to be captured upon the kernel crash. -

-

- Note that the kdump service can use a significant amount of crash - kernel memory to dump the vmcore file. Ensure that the capture - kernel has sufficient memory available for the kdump service. -

-

- (BZ#1654962) -

-
-

Debug kernel fails to boot in crash capture environment in RHEL - 8

-

- Due to memory-demanding nature of the debug kernel, a problem occurs when the debug kernel - is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to - boot as the capture kernel, and a stack trace is generated instead. To work around this - problem, increase the crash kernel memory accordingly. As a result, the debug kernel - successfully boots in the crash capture environment. -

-
-

- (BZ#1659609) -

-
-

zlib may slow down a vmcore capture in some compression functions

-

- The kdump configuration file uses the lzo compression format (makedumpfile -l) by default. When you modify the configuration - file using the zlib compression format, (makedumpfile -c) it is likely to bring a better compression - factor at the expense of slowing down the vmcore capture - process. As a consequence, it takes the kdump upto four times - longer to capture a vmcore with zlib, as compared to lzo. -

-
-

- As a result, Red Hat recommends using the default lzo for cases - where speed is the main driving factor. However, if the target machine is low on available - space, zlib is a better option. -

-

- (BZ#1790635) -

-
-

The HP NMI watchdog does not always generate a crash dump

-

- In certain cases, the hpwdt driver for the HP NMI watchdog is - not able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because - the NMI was instead consumed by the perfmon driver. -

-
-

- The missing NMI is initiated by one of two conditions: -

-
-
    -
  1. - The Generate NMI button on the - Integrated Lights-Out (iLO) server management software. This button is triggered by a - user. -
  2. -
  3. - The hpwdt watchdog. The expiration by default sends an NMI - to the server. -
  4. -
-
-

- Both sequences typically occur when the system is unresponsive. Under normal circumstances, the - NMI handler for both these situations calls the kernel panic() - function and if configured, the kdump service generates a vmcore file. -

-

- Because of the missing NMI, however, kernel panic() is not called - and vmcore is not collected. -

-

- In the first case (1.), if the system was unresponsive, it remains so. To work around this - scenario, use the virtual Power button to - reset or power cycle the server. -

-

- In the second case (2.), the missing NMI is followed 9 seconds later by a reset from the - Automated System Recovery (ASR). -

-

- The HPE Gen9 Server line experiences this problem in single-digit percentages. The Gen10 at an - even smaller frequency. -

-

- (BZ#1602962) -

-
-

The tuned-adm profile powersave command - causes the system to become unresponsive

-

- Executing the tuned-adm profile powersave command leads to an - unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx - (CN88xx) processors. Consequently, reboot the system to resume working. To work around this - problem, avoid using the powersave profile if your system - matches the mentioned specifications. -

-
-

- (BZ#1609288) -

-
-

The default 7 4 1 7 - printk value sometimes causes temporary system - unresponsiveness

-

- The default 7 4 1 7 printk value allows for better debugging of the kernel activity. - However, when coupled with a serial console, this printk - setting can cause intense I/O bursts that can lead to a RHEL system becoming temporarily - unresponsive. To work around this problem, we have added a new optimize-serial-console TuneD profile, which reduces the default - printk value to 4 4 1 - 7. Users can instrument their system as follows: -

-
-
# tuned-adm profile throughput-performance optimize-serial-console
-

- Having a lower printk value persistent across a reboot reduces the - likelihood of system hangs. -

-

- Note that this setting change comes at the expense of losing the extra debugging information. -

-

- For more information about the newly added feature, see A - new optimize-serial-console TuneD profile to reduce I/O to - serial consoles by lowering the printk value. -

-

- (JIRA:RHELPLAN-28940) -

-
-

The kernel ACPI driver reports it has no access to a PCIe ECAM memory - region

-

- The Advanced Configuration and Power Interface (ACPI) table provided by firmware does not - define a memory region on the PCI bus in the Current Resource Settings (_CRS) method for the - PCI bus device. Consequently, the following warning message occurs during the system boot: -

-
-
[    2.817152] acpi PNP0A08:00: [Firmware Bug]: ECAM area [mem 0x30000000-0x31ffffff] not reserved in ACPI namespace
-[    2.827911] acpi PNP0A08:00: ECAM at [mem 0x30000000-0x31ffffff] for [bus 00-1f]
-

- However, the kernel is still able to access the 0x30000000-0x31ffffff memory region, and can assign that memory - region to the PCI Enhanced Configuration Access Mechanism (ECAM) properly. You can verify that - PCI ECAM works correctly by accessing the PCIe configuration space over the 256 byte offset with - the following output: -

-
03:00.0 Non-Volatile memory controller: Sandisk Corp WD Black 2018/PC SN720 NVMe SSD (prog-if 02 [NVM Express])
- ...
-        Capabilities: [900 v1] L1 PM Substates
-                L1SubCap: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2+ ASPM_L1.1- L1_PM_Substates+
-                          PortCommonModeRestoreTime=255us PortTPowerOnTime=10us
-                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
-                           T_CommonMode=0us LTR1.2_Threshold=0ns
-                L1SubCtl2: T_PwrOn=10us
-

- As a result, you can ignore the warning message. -

-

- For more information about the problem, see the "Firmware Bug: ECAM area mem 0x30000000-0x31ffffff not reserved in ACPI namespace" appears - during system boot solution. -

-

- (BZ#1868526) -

-
-

The OPEN MPI library may trigger run-time failures with default - PML

-

- In OPEN Message Passing Interface (OPEN MPI) implementation 4.0.x series, Unified - Communication X (UCX) is the default point-to-point communicator (PML). The later versions - of OPEN MPI 4.0.x series deprecated openib Byte Transfer Layer - (BTL). -

-
-

- However, OPEN MPI, when run over a homogeneous cluster (same hardware and - software configuration), UCX still uses openib BTL for MPI - one-sided operations. As a consequence, this may trigger execution errors. To work around this - problem: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca btl openib -mca pml ucx -x UCX_NET_DEVICES=mlx5_ib0
-

- where, -

-
-
    -
  • - The -mca btl openib parameter disables openib BTL -
  • -
  • - The -mca pml ucx parameter configures OPEN MPI to use ucx PML. -
  • -
  • - The x UCX_NET_DEVICES= parameter restricts UCX to use the - specified devices -
  • -
-
-

- The OPEN MPI, when run over a heterogeneous - cluster (different hardware and software configuration), it uses UCX as the default PML. As a - consequence, this may cause the OPEN MPI jobs to run with erratic performance, unresponsive - behavior, or crash failures. To work around this problem, set the UCX priority as: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca pml_ucx_priority 5
-

- As a result, the OPEN MPI library is able to choose an alternative available transport layer - over UCX. -

-

- (BZ#1866402) -

-
-
-
-
-
-

5.7.7. File systems and storage

-
-
-
-
-

The /boot file system cannot be placed on - LVM

-

- You cannot place the /boot file system on an LVM logical - volume. This limitation exists for the following reasons: -

-
-
-
    -
  • - On EFI systems, the EFI System Partition - conventionally serves as the /boot file system. The uEFI - standard requires a specific GPT partition type and a specific file system type for this - partition. -
  • -
  • - RHEL 8 uses the Boot Loader Specification (BLS) - for system boot entries. This specification requires that the /boot file system is readable by the platform firmware. On - EFI systems, the platform firmware can read only the /boot - configuration defined by the uEFI standard. -
  • -
  • - The support for LVM logical volumes in the GRUB 2 boot loader is incomplete. Red Hat - does not plan to improve the support because the number of use cases for the feature is - decreasing due to standards such as uEFI and BLS. -
  • -
-
-

- Red Hat does not plan to support /boot on LVM. Instead, Red Hat - provides tools for managing system snapshots and rollback that do not need the /boot file system to be placed on an LVM logical volume. -

-

- (BZ#1496229) -

-
-

LVM no longer allows creating volume groups with mixed block - sizes

-

- LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where - the physical volumes (PVs) have different logical block sizes. LVM has adopted this change - because file systems fail to mount if you extend the underlying logical volume (LV) with a - PV of a different block size. -

-
-

- To re-enable creating VGs with mixed block sizes, set the allow_mixed_block_sizes=1 option in the lvm.conf file. -

-

- (BZ#1768536) -

-
-

Limitations of LVM writecache

-

- The writecache LVM caching method has the following - limitations, which are not present in the cache method: -

-
-
-
    -
  • - You cannot name a writecache logical volume when using - pvmove commands. -
  • -
  • - You cannot use logical volumes with writecache in - combination with thin pools or VDO. -
  • -
-
-

- The following limitation also applies to the cache method: -

-
-
    -
  • - You cannot resize a logical volume while cache or writecache is attached to it. -
  • -
-
-

- (JIRA:RHELPLAN-27987, BZ#1798631, BZ#1808012) -

-
-

LVM mirror devices that store a LUKS - volume sometimes become unresponsive

-

- Mirrored LVM devices with a segment type of mirror that store a - LUKS volume might become unresponsive under certain conditions. The unresponsive devices - reject all I/O operations. -

-
-

- To work around the issue, Red Hat recommends that you use LVM RAID 1 devices with a segment type - of raid1 instead of mirror if you need - to stack LUKS volumes on top of resilient software-defined storage. -

-

- The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, - see Converting - a mirrored LVM device to a RAID1 device. -

-

- (BZ#1730502) -

-
-

An NFS 4.0 patch can result in reduced performance under an open-heavy - workload

-

- Previously, a bug was fixed that, in some cases, could cause an NFS open operation to - overlook the fact that a file had been removed or renamed on the server. However, the fix - may cause slower performance with workloads that require many open operations. To work - around this problem, it might help to use NFS version 4.1 or higher, which have been - improved to grant delegations to clients in more cases, allowing clients to perform open - operations locally, quickly, and safely. -

-
-

- (BZ#1748451) -

-
-
-
-
-
-

5.7.8. Dynamic programming languages, web and database servers

-
-
-
-
-

getpwnam() might fail when called by a - 32-bit application

-

- When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, - manually install the missing package by using the yum install nss_nis.i686 command. -

-
-

- (BZ#1803161) -

-
-

Symbol conflicts between OpenLDAP libraries might cause crashes in - httpd

-

- When both the libldap and libldap_r libraries provided by OpenLDAP are loaded and used - within a single process, symbol conflicts between these libraries might occur. Consequently, - Apache httpd child processes using the PHP ldap extension might terminate unexpectedly if the mod_security or mod_auth_openidc - modules are also loaded by the httpd configuration. -

-
-

- With this update to the Apache Portable Runtime (APR) library, you can work around the problem - by setting the APR_DEEPBIND environment variable, which enables the - use of the RTLD_DEEPBIND dynamic linker option when loading httpd modules. When the APR_DEEPBIND - environment variable is enabled, crashes no longer occur in httpd - configurations that load conflicting libraries. -

-

- (BZ#1819607) -

-
-

PAM plug-in does not work in MariaDB

-

- MariaDB 10.3 provides the Pluggable Authentication Modules - (PAM) plug-in version 1.0. The MariaDB PAM plug-in version 1.0 - does not work in RHEL 8. To work around this problem, use the PAM plug-in version 2.0 - provided by the mariadb:10.5 module stream, which is available - with RHEL 8.4. -

-
-

- (BZ#1942330) -

-
-
-
-
-
-

5.7.9. Identity Management

-
-
-
-
-

Installing KRA fails if all KRA members are hidden replicas -

-

- The ipa-kra-install utility fails on a cluster where the Key - Recovery Authority (KRA) is already present, if the first KRA instance is installed on a - hidden replica. Consequently, you cannot add further KRA instances to the cluster. -

-
-

- To work around this problem, unhide the hidden replica that has the KRA role before you add new - KRA instances. You can hide it again when ipa-kra-install completes - successfully. -

-

- (BZ#1816784) -

-
-

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate - System

-

- Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of - Certificate System. As a consequence, Certificate System might become unstable and manual - steps are required to recover the system. -

-
-

- (BZ#1729215) -

-
-

Certificates issued by PKI ACME Responder connected to PKI CA may fail - OCSP validation

-

- The default ACME certificate profile provided by PKI CA contains a sample OCSP URL that does - not point to an actual OCSP service. As a consequence, if PKI ACME Responder is configured - to use a PKI CA issuer, the certificates issued by the responder may fail OCSP validation. -

-
-

- To work around this problem, you need to set the policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0 - property to a blank value in the /usr/share/pki/ca/profiles/ca/acmeServerCert.cfg configuration file: -

-
-
    -
  1. - In the ACME Responder configuration file, change the line policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ocsp.example.com - to policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=. -
  2. -
  3. - Restart the service and regenerate the certificate. -
  4. -
-
-

- As a result, PKI CA will generate ACME certificates with an autogenerated OCSP URL that points - to an actual OCSP service. -

-

- (BZ#1868233) -

-
-

FreeRADIUS silently truncates Tunnel-Passwords longer than 249 - characters

-

- If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently - truncates it. This may lead to unexpected password incompatibilities with other systems. -

-
-

- To work around the problem, choose a password that is 249 characters or fewer. -

-

- (BZ#1723362) -

-
-

The /var/log/lastlog sparse file on IdM - hosts can cause performance problems

-

- During the IdM installation, a range of 200,000 UIDs from a total of 10,000 possible ranges - is randomly selected and assigned. Selecting a random range in this way significantly - reduces the probability of conflicting IDs in case you decide to merge two separate IdM - domains in the future. -

-
-

- However, having high UIDs can create problems with the /var/log/lastlog file. For example, if a user with the UID of - 1280000008 logs in to an IdM client, the local /var/log/lastlog - file size increases to almost 400 GB. Although the actual file is sparse and does not use all - that space, certain applications are not designed to identify sparse files by default and may - require a specific option to handle them. For example, if the setup is complex and a backup and - copy application does not handle sparse files correctly, the file is copied as if its size was - 400 GB. This behavior can cause performance problems. -

-

- To work around this problem: -

-
-
    -
  • - In case of a standard package, refer to its documentation to identify the option that - handles sparse files. -
  • -
  • - In case of a custom application, ensure that it is able to manage sparse files such as - /var/log/lastlog correctly. -
  • -
-
-

- (JIRA:RHELPLAN-59111) -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can - pose a risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could - allow an attacker to impersonate a user by altering, for example, the UID or GID of an - object returned in an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. Ensure that your setup operates in a trusted environment and - decide if it is safe to use unencrypted communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa - are not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in - the /etc/sssd/sssd.conf file. The default behavior is planned to be - changed in a future release of RHEL. -

-

- (JIRA:RHELPLAN-155168) -

-
-
-
-
-
-

5.7.10. Desktop

-
-
-
-
-

Disabling flatpak repositories from - Software Repositories is not possible

-

- Currently, it is not possible to disable or remove flatpak - repositories in the Software Repositories tool in the GNOME Software utility. -

-
-

- (BZ#1668760) -

-
-

Drag-and-drop does not work between desktop and applications -

-

- Due to a bug in the gnome-shell-extensions package, the - drag-and-drop functionality does not currently work between desktop and applications. - Support for this feature will be added back in a future release. -

-
-

- (BZ#1717947) -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a - Microsoft Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the - GRUB boot menu. In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, - use Hyper-V Server 2019 as the host. -

-

- (BZ#1583445) -

-
-
-
-
-
-

5.7.11. Graphics infrastructures

-
-
-
-
-

radeon fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in - the kexec context correctly. Instead, radeon falls over, which - causes the rest of the kdump service to - fail. -

-
-

- To work around this problem, disable radeon in kdump by adding the following line to the - /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the machine and kdump. After - starting kdump, the force_rebuild 1 line may be removed from the configuration file. -

-

- Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully. -

-

- (BZ#1694705) -

-
-

Multiple HDR displays on a single MST topology may not power - on

-

- On systems using NVIDIA Turing GPUs with the nouveau driver, - using a DisplayPort hub (such as a laptop dock) with multiple - monitors which support HDR plugged into it may result in failure to turn on. This is due to - the system erroneously thinking there is not enough bandwidth on the hub to support all of - the displays. -

-
-

- (BZ#1812577) -

-
-

Unable to run graphical applications using sudo command

-

- When trying to run graphical applications as a user with elevated privileges, the - application fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority file to use regular user credentials for - authentication. -

-
-

- To work around this problem, use the sudo -E command to run - graphical applications as a root user. -

-

- (BZ#1673073) -

-
-

VNC Viewer displays wrong colors with the 16-bit color depth on IBM - Z

-

- The VNC Viewer application displays wrong colors when you connect to a VNC session on an IBM - Z server with the 16-bit color depth. -

-
-

- To work around the problem, set the 24-bit color depth on the VNC server. With the Xvnc server, replace the -depth 16 - option with -depth 24 in the Xvnc - configuration. -

-

- As a result, VNC clients display the correct colors but use more network bandwidth with the - server. -

-

- (BZ#1886147) -

-
-

Hardware acceleration is not supported on ARM

-

- Built-in graphics drivers do not support hardware acceleration or the Vulkan API on the - 64-bit ARM architecture. -

-
-

- To enable hardware acceleration or Vulkan on ARM, install the proprietary Nvidia driver. -

-

- (JIRA:RHELPLAN-57914) -

-
-

The RHEL installer becomes unresponsive with NVIDIA Ampere

-

- RHEL 8.3.0 does not support the NVIDIA Ampere GPUs. If you start the RHEL installation on a - system that has an NVIDIA Ampere GPU, the installer becomes unresponsive. As a consequence, - the installation cannot finish successfully. -

-
-

- The NVIDIA Ampere family includes the following GPU models: -

-
-
    -
  • - GeForce RTX 3060 Ti -
  • -
  • - GeForce RTX 3070 -
  • -
  • - GeForce RTX 3080 -
  • -
  • - GeForce RTX 3090 -
  • -
  • - RTX A6000 -
  • -
  • - NVIDIA A40 -
  • -
  • - NVIDIA A100 -
  • -
  • - NVIDIA A100 80GB -
  • -
-
-

- To work around the problem, disable the nouveau graphics driver and - install RHEL in text mode: -

-
-
    -
  1. - Boot into the boot menu of the installer. -
  2. -
  3. -

    - Add the nouveau.modeset=0 option on the kernel command - line. -

    -

    - For details, see Editing - boot options. -

    -
  4. -
  5. - Install RHEL on the system. -
  6. -
  7. - Boot into the newly installed RHEL. At the boot menu, add the nouveau.modeset=0 option on the kernel command line. -
  8. -
  9. -

    - Disable the nouveau driver permanently: -

    -
    # echo 'blacklist nouveau' >> /etc/modprobe.d/blacklist.conf
    -
  10. -
-
-

- As a result, the installation has finished successfully and RHEL now runs in text mode. -

-

- Optionally, you can install the proprietary NVIDIA GPU driver to enable graphics. For - instructions, see How to - install the NVIDIA proprietary driver on RHEL 8. -

-

- (BZ#1903890) -

-
-
-
-
-
-

5.7.12. The web console

-
-
-
-
-

Unprivileged users can access the Subscriptions page

-

- If a non-administrator navigates to the Subscriptions page of the web console, the - web console displays a generic error message Cockpit had an unexpected internal error. -

-
-

- To work around this problem, sign in to the web console with a privileged user and make sure to - check the Reuse my password for privileged - tasks checkbox. -

-

- (BZ#1674337) -

-
-
-
-
-
-

5.7.13. Red Hat Enterprise Linux system roles

-
-
-
-
-

oVirt input and the elasticsearch output functionalities are not supported in - system roles Logging

-

- The oVirt input and the elasticsearch output are not supported in system roles Logging - although they are mentioned in the README file. There is no workaround available at the - moment. -

-
-

- (BZ#1889468) -

-
-
-
-
-
-

5.7.14. Virtualization

-
-
-
-
-

Displaying multiple monitors of virtual machines that use Wayland is - not possible with QXL

-

- Using the remote-viewer utility to display more than one - monitor of a virtual machine (VM) that is using the Wayland display server causes the VM to - become unresponsive and the Waiting for display - status message to be displayed indefinitely. -

-
-

- To work around this problem, use virtio-gpu instead of qxl as the GPU device for VMs that use Wayland. -

-

- (BZ#1642887) -

-
-

virsh iface-\* commands do not work - consistently

-

- Currently, virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, frequently fail due to configuration - dependencies. Therefore, it is recommended not to use virsh iface-\* commands for configuring and managing host network - connections. Instead, use the NetworkManager program and its related management - applications. -

-
-

- (BZ#1664592) -

-
-

Virtual machines sometimes fail to start when using many virtio-blk - disks

-

- Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number - of interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to - boot, and displays a dracut-initqueue[392]: Warning: Could not boot error. -

-
-

- (BZ#1719687) -

-
-

Attaching LUN devices to virtual machines using virtio-blk does not - work

-

- The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore - lacks support for features that were deprecated in virtio 1.0. In particular, it is not - possible on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, - attaching a physical disk as a LUN device to a virtual machine fails when using the - virtio-blk controller. -

-
-

- Note that physical disks can still be passed through to the guest operating system, but they - should be configured with the device='disk' option rather than - device='lun'. -

-

- (BZ#1777138) -

-
-

Virtual machines using Cooperlake cannot - boot when TSX is disabled on the host

-

- Virtual machines (VMs) that use the Cooperlake CPU model - currently fail to boot when the TSX CPU flag is diabled on the - host. Instead, the host displays the following error message: -

-
-
the CPU is incompatible with host CPU: Host CPU does not provide required features: hle, rtm
-

- To make VMs with Cooperlake usable on such host, disable the HLE, - RTM, and TAA_NO flags in the VM configuration in the VM’s XML configuration: -

-
<feature policy='disable' name='hle'/>
-<feature policy='disable' name='rtm'/>
-<feature policy='disable' name='taa-no'/>
-

- (BZ#1860743) -

-
-

Virtual machines sometimes cannot boot on Witherspoon hosts -

-

- Virtual machines (VMs) that use the pseries-rhel7.6.0-sxxm - machine type in some cases fail to boot on Power9 S922LC for - HPC hosts (also known as Witherspoon) that use the DD2.2 or DD2.3 CPU. -

-
-

- Attempting to boot such a VM instead generates the following error message: -

-
qemu-kvm: Requested safe indirect branch capability level not supported by kvm
-

- To work around this problem, configure the VM’s XML configuration as follows: -

-
<domain type='qemu' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
-  <qemu:commandline>
-    <qemu:arg value='-machine'/>
-    <qemu:arg value='cap-ibs=workaround'/>
-  </qemu:commandline>
-

- (BZ#1732726) -

-
-
-
-
-
-

5.7.15. RHEL in cloud environments

-
-
-
-
-

GPU problems on Azure NV6 instances

-

- When running RHEL 8 as a guest operating system on a Microsoft Azure NV6 instance, resuming - the virtual machine (VM) from hibernation sometimes causes the VM’s GPU to work incorrectly. - When this occurs, the kernel logs the following message: -

-
-
hv_irq_unmask() failed: 0x5
-

- (BZ#1846838) -

-
-

kdump sometimes does not start on Azure and Hyper-V

-

- On RHEL 8 guest operating systems hosted on the Microsoft Azure or Hyper-V hypervisors, - starting the kdump kernel in some cases fails when post-exec - notifiers are enabled. -

-
-

- To work around this problem, disable crash kexec post notifiers: -

-
# echo N > /sys/module/kernel/parameters/crash_kexec_post_notifiers
-

- (BZ#1865745) -

-
-

Setting static IP in a RHEL 8 virtual machine on a VMWare host does not - work

-

- Currently, when using RHEL 8 as a guest operating system of a virtual machine (VM) on a - VMWare host, the DatasourceOVF function does not work correctly. As a consequence, if you - use use the cloud-init utility to set the the VM’s network to - static IP and then reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- (BZ#1750862) -

-
-

Core dumping RHEL 8 virtual machines with certain NICs to a remote - machine on Azure takes longer than expected

-

- Currently, using the kdump utility to save the core dump file - of a RHEL 8 virtual machine (VM) on a Microsoft Azure hypervisor to a remote machine does - not work correctly when the VM is using a NIC with enabled accelerated networking. As a - consequence, the dump file is saved after approximately 200 seconds, instead of immediately. - In addition, the following error message is logged on the console before the dump file is - saved. -

-
-
device (eth0): linklocal6: DAD failed for an EUI-64 address
-

- (BZ#1854037) -

-
-

TX/RX packet counters do not increase - after virtual machines resume from hibernation

-

- The TX/RX packet counters stop increasing when a RHEL 8 virtual - machine (VM), with a CX4 VF NIC, resumes from hibernation on Microsoft Azure. To keep the - counters working, restart the VM. Note that, doing so will reset the counters. -

-
-

- (BZ#1876527) -

-
-

RHEL 8 virtual machines fail to resume from hibernation on - Azure

-

- The GUID of the virtual function (VF), vmbus device, changes - when a RHEL 8 virtual machine (VM), with SR-IOV enabled, is - hibernated and deallocated on Microsoft Azure . As a result, when the VM is restarted, it - fails to resume and crashes. As a workaround, hard reset the VM using the Azure serial - console. -

-
-

- (BZ#1876519) -

-
-

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 - fails

-

- Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 - becomes unresponsive with a "Migration status: active" status. -

-
-

- To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which - enables the migration to complete successfully. -

-

- (BZ#1741436) -

-
-
-
-
-
-

5.7.16. Supportability

-
-
-
-
-

redhat-support-tool does not work with the - FUTURE crypto policy

-

- Because a cryptographic key used by a certificate on the Customer Portal API does not meet - the requirements by the FUTURE system-wide cryptographic - policy, the redhat-support-tool utility does not work with this - policy level at the moment. -

-
-

- To work around this problem, use the DEFAULT crypto policy while - connecting to the Customer Portal API. -

-

- (BZ#1802026) -

-
-
-
-
-
-

5.7.17. Containers

-
-
-
-
-

UDICA is not expected to work with 1.0 stable stream

-

- UDICA, the tool to generate SELinux policies for containers, is not expected to work with - containers that are run via podman 1.0.x in the container-tools:1.0 module stream. -

-
-

- (JIRA:RHELPLAN-25571) -

-
-

podman system connection add does not - automatically set the default connection

-

- The podman system connection add command does not automatically - set the first connection to be the default connection. To set the default connection, you - must manually run the command podman system connection default <connection_name>. -

-
-

- (BZ#1881894) -

-
-
-
-
-
-
-
-

Chapter 6. Internationalization

-
-
-
-
-
-
-
-

6.1. Red Hat Enterprise Linux 8 international languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangul -

-
-
-
-
-
-
-
-

6.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • - Internationalization is distributed in multiple packages, which allows for smaller footprint - installations. For more information, see Using - langpacks. -
  • -
  • - A number of glibc locales have been synchronized with Unicode - Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA IDs are listed in this document for reference. Bugzilla bugs that are publicly - accessible include a link to the ticket. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- BZ#1816862, BZ#1638875, - BZ#1728943 -

-
-

- NetworkManager -

-
-

- BZ#1814746, - BZ#1626348 -

-
-

- anaconda -

-
-

- BZ#1665428, BZ#1775975, - BZ#1630299, BZ#1823578, BZ#1672405, - BZ#1644662, BZ#1745064, BZ#1821192, BZ#1822880, BZ#1862116, - BZ#1890261, BZ#1891827, BZ#1691319, BZ#1931069 -

-
-

- apr -

-
-

- BZ#1819607 -

-
-

- authselect -

-
-

- BZ#1654018 -

-
-

- bcc -

-
-

- BZ#1837906 -

-
-

- bind -

-
-

- BZ#1818785 -

-
-

- buildah-container -

-
-

- BZ#1627898 -

-
-

- buildah -

-
-

- BZ#1806044 -

-
-

- clevis -

-
-

- BZ#1716040, BZ#1818780, - BZ#1436735, BZ#1819767 -

-
-

- cloud-init -

-
-

- BZ#1750862 -

-
-

- cloud-utils-growpart -

-
-

- BZ#1846246 -

-
-

- cockpit-session-recording -

-
-

- BZ#1826516 -

-
-

- cockpit -

-
-

- BZ#1710731, BZ#1666722 -

-
-

- corosync-qdevice -

-
-

- BZ#1784200 -

-
-

- crun -

-
-

- BZ#1841438 -

-
-

- crypto-policies -

-
-

- BZ#1832743, BZ#1660839 -

-
-

- cyrus-sasl -

-
-

- BZ#1817054 -

-
-

- distribution -

-
-

- BZ#1815402, BZ#1657927 -

-
-

- dnf -

-
-

- BZ#1793298, BZ#1832869, BZ#1842285 -

-
-

- elfutils -

-
-

- BZ#1804321 -

-
-

- fapolicyd -

-
-

- BZ#1897090, BZ#1817413, BZ#1714529 -

-
-

- fence-agents -

-
-

- BZ#1830776, - BZ#1775847 -

-
-

- firewalld -

-
-

- BZ#1790948, BZ#1682913, BZ#1809225, BZ#1817205, BZ#1809636 -

-
-

- freeradius -

-
-

- BZ#1672285, BZ#1859527, BZ#1723362 -

-
-

- gcc-toolset-10-gdb -

-
-

- BZ#1838777 -

-
-

- gcc -

-
-

- BZ#1784758 -

-
-

- gdb -

-
-

- BZ#1659535 -

-
-

- git -

-
-

- BZ#1825114 -

-
-

- glibc -

-
-

- BZ#1812756, - BZ#1743445, BZ#1783303, BZ#1642150, BZ#1810146, BZ#1748197, BZ#1774115, BZ#1807824, BZ#1757354, BZ#1836867, - BZ#1780204, BZ#1821531, BZ#1784525 -

-
-

- gnome-session -

-
-

- BZ#1739556 -

-
-

- gnome-shell-extensions -

-
-

- BZ#1717947 -

-
-

- gnome-shell -

-
-

- BZ#1724302 -

-
-

- gnome-software -

-
-

- BZ#1668760 -

-
-

- gnutls -

-
-

- BZ#1677754, BZ#1789392, BZ#1849079, - BZ#1855803 -

-
-

- go-toolset -

-
-

- BZ#1820596 -

-
-

- gpgme -

-
-

- BZ#1829822 -

-
-

- grafana-container -

-
-

- BZ#1823834 -

-
-

- grafana-pcp -

-
-

- BZ#1807099 -

-
-

- grafana -

-
-

- BZ#1807323 -

-
-

- grub2 -

-
-

- BZ#1583445 -

-
-

- httpd -

-
-

- BZ#1209162 -

-
-

- initial-setup -

-
-

- BZ#1676439 -

-
-

- ipa-healthcheck -

-
-

- BZ#1852244 -

-
-

- ipa -

-
-

- BZ#1816784, BZ#1810154, - BZ#913799, BZ#1651577, - BZ#1851139, BZ#1664719, BZ#1664718 -

-
-

- iperf3 -

-
-

- BZ#1665142, BZ#1700497 -

-
-

- jss -

-
-

- BZ#1821851 -

-
-

- kernel-rt -

-
-

- BZ#1818138 -

-
-

- kernel -

-
-

- BZ#1758323, BZ#1812666, BZ#1793389, BZ#1694705, BZ#1748451, BZ#1654962, BZ#1792125, - BZ#1708456, BZ#1812577, BZ#1757933, BZ#1847837, BZ#1791664, BZ#1666538, BZ#1602962, - BZ#1609288, BZ#1730502, BZ#1806882, BZ#1660290, BZ#1846838, BZ#1865745, BZ#1868526, - BZ#1884857, BZ#1854037, BZ#1876527, BZ#1876519, BZ#1823764, - BZ#1822085, BZ#1735611, BZ#1281843, BZ#1828642, BZ#1825414, BZ#1761928, BZ#1791041, - BZ#1796565, BZ#1834769, BZ#1785660, BZ#1683394, BZ#1817752, BZ#1782831, BZ#1821646, - BZ#1519039, BZ#1627455, BZ#1501618, BZ#1495358, BZ#1633143, BZ#1503672, BZ#1570255, - BZ#1696451, BZ#1348508, BZ#1778762, - BZ#1839311, BZ#1783396, BZ#1665295, BZ#1658840, BZ#1660627, BZ#1569610 -

-
-

- krb5 -

-
-

- BZ#1791062, BZ#1784655, BZ#1820311, - BZ#1802334, BZ#1877991 -

-
-

- libbpf -

-
-

- BZ#1759154 -

-
-

- libcap -

-
-

- BZ#1487388 -

-
-

- libdb -

-
-

- BZ#1670768 -

-
-

- libffi -

-
-

- BZ#1723951 -

-
-

- libgnome-keyring -

-
-

- BZ#1607766 -

-
-

- libkcapi -

-
-

- BZ#1683123 -

-
-

- libmaxminddb -

-
-

- BZ#1642001 -

-
-

- libpcap -

-
-

- BZ#1806422 -

-
-

- libreswan -

-
-

- BZ#1544463, BZ#1820206 -

-
-

- libseccomp -

-
-

- BZ#1770693 -

-
-

- libselinux-python-2.8-module -

-
-

- BZ#1666328 -

-
-

- libssh -

-
-

- BZ#1804797 -

-
-

- libvirt -

-
-

- BZ#1664592, BZ#1528684 -

-
-

- lldb -

-
-

- BZ#1841073 -

-
-

- llvm-toolset -

-
-

- BZ#1820587 -

-
-

- llvm -

-
-

- BZ#1820319 -

-
-

- lshw -

-
-

- BZ#1794049 -

-
-

- lvm2 -

-
-

- BZ#1496229, BZ#1768536, - BZ#1598199, BZ#1541165, JIRA:RHELPLAN-39320 -

-
-

- mariadb -

-
-

- BZ#1942330 -

-
-

- memcached -

-
-

- BZ#1809536 -

-
-

- mesa -

-
-

- BZ#1886147 -

-
-

- microdnf -

-
-

- BZ#1781126 -

-
-

- mod_http2 -

-
-

- BZ#1814236 -

-
-

- nfs-utils -

-
-

- BZ#1817756, - BZ#1592011 -

-
-

- nginx -

-
-

- BZ#1668717, BZ#1826632 -

-
-

- nmstate -

-
-

- BZ#1674456 -

-
-

- nss_nis -

-
-

- BZ#1803161 -

-
-

- nss -

-
-

- BZ#1817533, - BZ#1645153 -

-
-

- opencryptoki -

-
-

- BZ#1780293 -

-
-

- openmpi -

-
-

- BZ#1866402 -

-
-

- opensc -

-
-

- BZ#1810660 -

-
-

- openscap -

-
-

- BZ#1803116, BZ#1870087, BZ#1795563, BZ#1824152, BZ#1829761 -

-
-

- openssh -

-
-

- BZ#1744108 -

-
-

- openssl -

-
-

- BZ#1685470, BZ#1810911 -

-
-

- oscap-anaconda-addon -

-
-

- BZ#1816199, BZ#1665082, BZ#1674001, - BZ#1691305, BZ#1787156, BZ#1843932, BZ#1834716 -

-
-

- pacemaker -

-
-

- BZ#1828488, BZ#1784601, - BZ#1837747, BZ#1718324 -

-
-

- papi -

-
-

- BZ#1807346, BZ#1664056, - BZ#1726070 -

-
-

- pcp-container -

-
-

- BZ#1497296 -

-
-

- pcp -

-
-

- BZ#1792971 -

-
-

- pcs -

-
-

- BZ#1817547, BZ#1684676, BZ#1839637, - BZ#1619620 -

-
-

- perl-5.30-module -

-
-

- BZ#1713592 -

-
-

- perl-IO-Socket-SSL -

-
-

- BZ#1824222 -

-
-

- perl-libwww-perl -

-
-

- BZ#1781177 -

-
-

- php -

-
-

- BZ#1797661 -

-
-

- pki-core -

-
-

- BZ#1729215, BZ#1868233, - BZ#1770322, BZ#1824948 -

-
-

- podman -

-
-

- BZ#1804193, BZ#1881894, BZ#1627899 -

-
-

- powertop -

-
-

- BZ#1783110 -

-
-

- pykickstart -

-
-

- BZ#1637872 -

-
-

- python38 -

-
-

- BZ#1847416 -

-
-

- qemu-kvm -

-
-

- BZ#1719687, BZ#1860743, - JIRA:RHELPLAN-45901, BZ#1651994 -

-
-

- rear -

-
-

- BZ#1843809, BZ#1729502, - BZ#1743303 -

-
-

- redhat-support-tool -

-
-

- BZ#1802026 -

-
-

- resource-agents -

-
-

- BZ#1814896 -

-
-

- rhel-system-roles-sap -

-
-

- BZ#1844190, - BZ#1660832 -

-
-

- rhel-system-roles -

-
-

- BZ#1889468, BZ#1822158, BZ#1677739 -

-
-

- rpm -

-
-

- BZ#1688849 -

-
-

- rsyslog -

-
-

- BZ#1659383, JIRA:RHELPLAN-10431, BZ#1679512, BZ#1713427 -

-
-

- ruby-2.7-module -

-
-

- BZ#1817135 -

-
-

- ruby -

-
-

- BZ#1846113 -

-
-

- rust-toolset -

-
-

- BZ#1820593 -

-
-

- samba -

-
-

- BZ#1817557, - JIRA:RHELPLAN-13195 -

-
-

- scap-security-guide -

-
-

- BZ#1843913, BZ#1858866, BZ#1750755, BZ#1760734, BZ#1832760, BZ#1815007 -

-
-

- scap-workbench -

-
-

- BZ#1640715 -

-
-

- selinux-policy -

-
-

- BZ#1826788, - BZ#1746398, BZ#1776873, BZ#1772852, - BZ#1641631, BZ#1860443 -

-
-

- setools -

-
-

- BZ#1820079 -

-
-

- skopeo-container -

-
-

- BZ#1627900 -

-
-

- smartmontools -

-
-

- BZ#1671154 -

-
-

- spice -

-
-

- BZ#1849563 -

-
-

- squid -

-
-

- BZ#1829467 -

-
-

- sssd -

-
-

- BZ#1827615, BZ#1793727 -

-
-

- stratis-cli -

-
-

- BZ#1734496 -

-
-

- stunnel -

-
-

- BZ#1808365 -

-
-

- subscription-manager -

-
-

- BZ#1674337 -

-
-

- sudo -

-
-

- BZ#1786990 -

-
-

- systemtap -

-
-

- BZ#1804319 -

-
-

- tang -

-
-

- BZ#1716039 -

-
-

- tcpdump -

-
-

- BZ#1804063 -

-
-

- tigervnc -

-
-

- BZ#1806992 -

-
-

- tpm2-tools -

-
-

- BZ#1789682 -

-
-

- tuned -

-
-

- BZ#1792264, BZ#1840689, - BZ#1746957 -

-
-

- udica -

-
-

- BZ#1763210 -

-
-

- usbguard -

-
-

- BZ#1738590, BZ#1667395, BZ#1683567 -

-
-

- valgrind -

-
-

- BZ#1804324 -

-
-

- wayland -

-
-

- BZ#1673073 -

-
-

- xdp-tools -

-
-

- BZ#1880268, - BZ#1820670 -

-
-

- xorg-x11-drv-qxl -

-
-

- BZ#1642887 -

-
-

- xorg-x11-server -

-
-

- BZ#1698565 -

-
-

- yum -

-
-

- BZ#1788154 -

-
-

- other -

-
-

- JIRA:RHELPLAN-45950, JIRA:RHELPLAN-57572, BZ#1640697, BZ#1659609, BZ#1687900, - BZ#1697896, BZ#1790635, BZ#1823398, BZ#1757877, JIRA:RHELPLAN-25571, BZ#1777138, - JIRA:RHELPLAN-27987, JIRA:RHELPLAN-28940, JIRA:RHELPLAN-34199, JIRA:RHELPLAN-57914, - BZ#1897383, BZ#1900019, BZ#1839151, BZ#1780124, - JIRA:RHELPLAN-42395, BZ#1889736, - BZ#1842656, JIRA:RHELPLAN-45959, JIRA:RHELPLAN-45958, JIRA:RHELPLAN-45957, - JIRA:RHELPLAN-45956, JIRA:RHELPLAN-45952, JIRA:RHELPLAN-45945, JIRA:RHELPLAN-45939, - JIRA:RHELPLAN-45937, JIRA:RHELPLAN-45936, JIRA:RHELPLAN-45930, JIRA:RHELPLAN-45926, - JIRA:RHELPLAN-45922, JIRA:RHELPLAN-45920, JIRA:RHELPLAN-45918, JIRA:RHELPLAN-45916, - JIRA:RHELPLAN-45915, JIRA:RHELPLAN-45911, JIRA:RHELPLAN-45910, JIRA:RHELPLAN-45909, - JIRA:RHELPLAN-45908, JIRA:RHELPLAN-45906, JIRA:RHELPLAN-45904, JIRA:RHELPLAN-45900, - JIRA:RHELPLAN-45899, JIRA:RHELPLAN-45884, JIRA:RHELPLAN-37573, JIRA:RHELPLAN-37570, - JIRA:RHELPLAN-49954, JIRA:RHELPLAN-50002, JIRA:RHELPLAN-43531, JIRA:RHELPLAN-48838, - BZ#1873567, BZ#1866695, - JIRA:RHELPLAN-14068, JIRA:RHELPLAN-7788, JIRA:RHELPLAN-40469, JIRA:RHELPLAN-42617, - JIRA:RHELPLAN-30878, JIRA:RHELPLAN-37517, JIRA:RHELPLAN-55009, JIRA:RHELPLAN-42396, - BZ#1836211, JIRA:RHELPLAN-57564, JIRA:RHELPLAN-57567, BZ#1890499, - JIRA:RHELPLAN-40234, JIRA:RHELPLAN-56676, JIRA:RHELPLAN-14754, JIRA:RHELPLAN-51289, - BZ#1893174, - BZ#1690207, JIRA:RHELPLAN-1212, BZ#1559616, BZ#1889737, BZ#1812552, - JIRA:RHELPLAN-14047, BZ#1769727, - JIRA:RHELPLAN-27394, JIRA:RHELPLAN-27737, JIRA:RHELPLAN-41549, BZ#1642765, - JIRA:RHELPLAN-10304, BZ#1646541, BZ#1647725, BZ#1686057, BZ#1748980, - BZ#1827628, BZ#1871025, BZ#1871953, - BZ#1874892, BZ#1893767, - JIRA:RHELPLAN-60226 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.4-1
-
-

- Thu May 9 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.4-0
-
-

- Thu May 9 2024, Gabriela Fialova (gfialova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#1730502 - (Storage). -
  • -
-
-
-
0.3-9
-
-

- Thu Dec 7 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.3-8
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.3-7
-
-

- Tue Nov 7 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Fix broken links. -
  • -
-
-
-
0.3-6
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.3-5
-
-

- Thu Apr 27 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.3-4
-
-

- Fri Apr 29 2022, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated Deprecated functionality introduction. -
  • -
  • - Fixed typo in BZ#1605216. -
  • -
  • - Fixed broken links. -
  • -
-
-
-
0.3-3
-
-

- Tue Apr 05 2022, Jaroslav Klech (jklech@redhat.com) -

-
- -
-
-
0.3-2
-
-

- Thu Mar 17 2022, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Added a known issue (Kernel). -
  • -
-
-
-
0.3-1
-
-

- Fri Feb 04 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added deprecated functionality BZ#1794513 (Filesystems and storage). -
  • -
-
-
-
0.3-0
-
-

- Thu Dec 23 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about the Soft-RoCE driver, rdma_rxe, - to Technology Previews BZ#1605216 and - Deprecated Functionality BZ#1878207 (Kernel). -
  • -
-
-
-
0.2-9
-
-

- Thu Oct 07 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated the known issue BZ#1942330 (Dynamic programming - languages, web and database servers). -
  • -
-
-
-
0.2-8
-
-

- Tue Oct 05 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a deprecated functionality BZ#1999620 (Shells and - command-line tools). -
  • -
-
-
-
0.2-7
-
-

- Thu Aug 19 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
- -
-
-
0.2-6
-
-

- Fri Jul 9 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
- -
-
-
0.2-5
-
-

- Wed Jun 23 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added information about removal of AlternateTab in BZ#1922488 (Desktop). -
  • -
-
-
-
0.2-4
-
-

- Fri May 21 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated information about OS conversion in Overview. -
  • -
-
-
-
0.2-3
-
-

- Thu May 20 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a workaround to the known issue BZ#1942330 (Dynamic programming - languages, web and database servers). -
  • -
-
-
-
0.2-2
-
-

- Fri May 14 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a new feature BZ#1944677 about .NET 5 support - (Compilers and development tools). -
  • -
  • - Added a new feature xfer:BZ-1959289[BZ#1959289] (RHEL System Roles). -
  • -
  • - Updated information about the xdp-tools package in BZ#1820670 (Networking) and in BZ#1780124 (Kernel). -
  • -
-
-
-
0.2-1
-
-

- Mon Apr 19 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#1942330 (Dynamic programming - languages, web and database servers). -
  • -
-
-
-
0.2-0
-
-

- Tue Apr 13 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a known issue (Installer and image creation). -
  • -
-
-
-
0.1-9
-
-

- Tue Apr 06 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Improved the list of supported architectures. -
  • -
-
-
-
0.1-8
-
-

- Wed Mar 31 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated information about OS conversions with the availability of the supported - Convert2RHEL utility. -
  • -
-
-
-
0.1-7
-
-

- Mon Mar 29 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the New features section (Kernel). -
  • -
-
-
-
0.1-6
-
-

- Thu Feb 25 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Fixed CentOS Linux name. -
  • -
-
-
-
0-1-5
-
-

- Tue Feb 23 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Add a known issues (Identity Management). -
  • -
  • - Add a note about the podman utility rebase to the RHEL - 8.3.1 section. -
  • -
-
-
-
0-1-4
-
-

- Thu Feb 18 2021, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Adds a known issue (Kernel). -
  • -
  • - Fix links for an enhancement (Kernel). -
  • -
-
-
-
0-1-3
-
-

- Tue Feb 16 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.3.1 Release Notes. -
  • -
  • - Update in-place upgrade section in Overview with the release of the RHBA-2021:0569 - advisory. -
  • -
-
-
-
0-1-2
-
-

- Fri Feb 12 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added two known issues (Security, Installer). -
  • -
-
-
-
0-1-1
-
-

- Wed Feb 10 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a known issue (Virtualization). -
  • -
-
-
-
0-1-0
-
-

- Wed Feb 03 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a note about the consolidation of network configuration in the kernel command - line under the ip parameter (Networking). -
  • -
  • - Added mercurial to deprecated packages. -
  • -
  • - Added a known issue related to Witherspoon hosts (Virtualization). -
  • -
-
-
-
0-0-9
-
-

- Fri Jan 29 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added new bug fix description (Security). -
  • -
  • - Added a note about deprecation of the mailman package - (Software management). -
  • -
  • - Updated the New features section (Security, Identity Management). -
  • -
  • - Added Technology Preview note about the systemd-resolved service. -
  • -
  • - Other minor updates. -
  • -
-
-
-
0.0-8
-
-

- Mon Dec 14 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the Known issues section and the Bug fixes section. -
  • -
-
-
-
0.0-7
-
-

- Fri Nov 27 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a bug fix for issue with fapolicyd (Security). -
  • -
  • - More updates to the Bug Fixes section. -
  • -
  • - Added a note about deprecation of the Podman varlink-based REST API V1 (Containers). -
  • -
  • - Updated the New features section. -
  • -
  • - Added new Known issue about replicating blueprints from the lorax-composer back end to the new osbuild-composer back end (Image Builder). -
  • -
-
-
-
0.0-6
-
-

- Fri Nov 20 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added an OpenSCAP bug fix description (Security). -
  • -
  • - Updated the New features section (Software management). -
  • -
-
-
-
0.0-5
-
-

- Wed Nov 18 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about conversion from Oracle Linux or CentOS Linux to RHEL - (Overview). -
  • -
-
-
-
0.0-4
-
-

- Thu Nov 12 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about Node.js 14.15.0 released with - the RHEA-2020:5101 - advisory. -
  • -
-
-
-
0.0-3
-
-

- Wed Nov 11 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added description about Omni-Path Architecture (OPA) host software support to New - features. -
  • -
-
-
-
0.0-2
-
-

- Mon Nov 09 2020, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added Intel Tiger Lake graphics as a Technology Preview (Graphics infrastructures). -
  • -
-
-
-
0.0-1
-
-

- Wed Nov 04 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.3 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Tue Jul 28 2020, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.3 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
-
diff --git a/app/data/8.4.html b/app/data/8.4.html
deleted file mode 100644
index 73d9efe..0000000
--- a/app/data/8.4.html
+++ /dev/null
@@ -1,18113 +0,0 @@
- -
-
-
-
Red Hat Enterprise Linux 8.4
-
-

Release Notes for Red Hat Enterprise Linux 8.4

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.4 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your input on our documentation. Please let us know how we could make it better. To do so: -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 8.4

-
-
-
-

Security

-

- IPsec VPN provided by Libreswan now supports TCP - encapsulation and security labels for IKEv2. -

-

- The scap-security-guide packages have been rebased to version 0.1.54, - and OpenSCAP has been rebased to version 1.3.4. - These updates provide substantial improvements, including: -

-
-
    -
  • - Improved memory management -
  • -
  • - Added RHEL8 ANSSI-BP-028 Minimal, Intermediary and Enhanced profiles -
  • -
  • - Updated RHEL8 STIG profile to DISA STIG v1r1 -
  • -
-
-

- The fapolicyd framework now provides integrity checking, and the RPM plugin now - registers any system update that is handled by either the YUM package manager or the RPM Package - Manager. -

-

- The rhel8-tang container image provides Tang-server decryption - capabilities for Clevis clients that run either in OpenShift Container Platform (OCP) clusters or in - separate virtual machines. -

-

- See Section 4.6, “Security” - for more information. -

-

Networking

-

- Nmstate is a network API for hosts and fully supported in RHEL 8.4. The nmstate packages provide a library and the nmstatectl command-line utility to manage host network settings in a - declarative manner. -

-

- The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route traffic - flow across enterprise networks. For example, you can add tc filters - for managing packets received from specific ports or carrying specific types of traffic, in a - consistent way. The MPLS support is available in this release as a Technology Preview. -

-

- The iproute2 utility introduces three new traffic control (tc) actions; mac_push, push_eth, and pop_eth to add MPLS labels, - build an Ethernet header at the beginning of the packet, and drop the outer Ethernet header - respectively. -

-

- The support for bareudp devices is now available with the ip link command as a Technology Preview. -

-

- For more information about the features introduced in this release and changes in the existing - functionality, see Section 4.7, “Networking”. -

-

Kernel

-

- The kpatch-dnf package provides a DNF plugin for subscribing a RHEL system to kernel - live patch updates. The plugin enables automatic subscription for any kernel the system currently - uses, and also for kernels to-be-installed in the future. -

-

- Proactive compaction regularly initiates memory - compaction work before a request for allocation - is made. Therefore, latency for specific memory allocation requests is lowered. -

-

- A new implementation of slab memory controller for the control - groups technology is now available in RHEL 8. The slab memory controller - brings improvement in slab utilization, and enables to shift the memory accounting from the page - level to the object level. As a result, you can observe a significant drop in the total kernel - memory footprint and positive effects on memory fragmentation. -

-

- The time namespace feature is available in RHEL 8.4. This feature is suited for changing the date - and time inside Linux containers. The in-container clock adjustments after restoration from a - checkpoint are also now possible. -

-

- RHEL 8 supports the Error Detection and Correction (EDAC) kernel module set in 8th and 9th - generation Intel Core Processors. -

-

- For more information about the features introduced in this release and changes in the existing - functionality, see Section 4.8, - “Kernel”. -

-

High availability and clusters

-

- A persistent Pacemaker resource agent that maintains state data can detect failures asynchronously - and inject a failure into Pacemaker immediately without waiting for the next monitor interval. A - persistent resource agent can also speed up cluster response time for services with a high state - overhead, since maintaining state data can reduce the state overhead for cluster actions such as - start, stop, and monitor by not invoking the state separately for each action. -

-

- For information on creating a persistent Pacemaker resource agent, you can now consult the article - Creating a Persistent (Daemonized) - Pacemaker Resource Agent. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following components are now available as new module streams: -

-
-
    -
  • - Python 3.9 -
  • -
  • - SWIG 4.0 -
  • -
  • - Subversion 1.14 -
  • -
  • - Redis 6 -
  • -
  • - PostgreSQL 13 -
  • -
  • - MariaDB 10.5 -
  • -
-
-

- See Section 4.11, “Dynamic - programming languages, web and database servers” for more information. -

-

Compilers and development tools

-

- The following compiler toolsets have been updated: -

-
-
    -
  • - GCC Toolset 10 -
  • -
  • - LLVM Toolset 11.0.0 -
  • -
  • - Rust Toolset 1.49.0 -
  • -
  • - Go Toolset 1.15.7 -
  • -
-
-

- See Section 4.12, “Compilers and development - tools” for more information. -

-
OpenJDK 11 is now available
-

- A new version of Open Java Development Kit (OpenJDK) is now available. For more information about - the features introduced in this release and changes in the existing functionality, see OpenJDK documentation. -

-

Identity Management

-

- RHEL 8.4 provides Ansible modules for automated management of role-based access control (RBAC) in - Identity Management (IdM), an Ansible role for backing up and restoring IdM servers, and an Ansible - module for location management. -

-

- See Section 4.13, “Identity Management” for more information. -

-
-
-
-
-
-

1.2. In-place upgrade and OS conversion

-
-
-
-

In-place upgrade from RHEL 7 to RHEL 8

-

- The supported in-place upgrade paths currently are: -

-
-
    -
  • - From RHEL 7.9 to RHEL 8.4 on the 64-bit Intel, IBM POWER 8 (little endian), and IBM Z - architectures -
  • -
  • - From RHEL 7.6 to RHEL 8.4 on architectures that require kernel version 4.14: IBM POWER 9 - (little endian) and IBM Z (Structure A) -
  • -
  • - From RHEL 7.7 to RHEL 8.2 on systems with SAP HANA. To ensure your system with SAP HANA - remains supported after upgrading to RHEL 8.2, enable the RHEL 8.2 Update Services for SAP - Solutions (E4S) repositories. -
  • -
-
-

- For more information, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. For instructions on performing an in-place upgrade, see Upgrading - from RHEL 7 to RHEL 8. -

-

- With the release of RHEL 8.4, additional required data files are now downloaded automatically from - cloud.redhat.com if you are using Red Hat Subscription Manager (RHSM) and have not previously - downloaded older required data files without performing the upgrade. -

-

In-place upgrade from RHEL 6 to RHEL 8

-

- To upgrade from RHEL 6.10 to RHEL 8.4, follow instructions in Upgrading - from RHEL 6 to RHEL 8. -

-

Conversion from a different Linux - distribution to RHEL

-

- If you are using CentOS Linux 8 or Oracle Linux 8, you can convert your operating system to RHEL 8 - using the Red Hat-supported Convert2RHEL utility. For more - information, see Converting - from an RPM-based Linux distribution to RHEL. -

-

- If you are using an earlier version of CentOS Linux or Oracle Linux, namely versions 6 or 7, you can - convert your operating system to RHEL and then perform an in-place upgrade to RHEL 8. Note that - CentOS Linux 6 and Oracle Linux 6 conversions use the unsupported Convert2RHEL utility. For more information on unsupported conversions, - see How to convert from CentOS - Linux 6 or Oracle Linux 6 to RHEL 6. -

-

- For information regarding how Red Hat supports conversions from other Linux distributions to RHEL, - see the Convert2RHEL Support Policy - document. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-
- -
-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.4 is distributed with the kernel version 4.18.0-305, which provides support - for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Binary DVD ISO image is larger than 4.7 GB, and as a result, it might not - fit on a single-layer DVD. A dual-layer DVD or USB key is recommended when using - the Binary DVD ISO image to create bootable installation media. You can also use - the Image Builder tool to create customized RHEL images. For more information - about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 8 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of user - space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.4. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

Anaconda replaces the original boot device NVRAM variable list with new - values

-

- Previously, booting from NVRAM could lead to boot system failure due to the entries with the - incorrect values in the boot device list. -

-
-

- With this update the problem is fixed, but the previous list of devices is cleared when updating the - boot device NVRAM variable. -

-

- (BZ#1854307) -

-
-

Graphical installation of KVM virtual machines on IBM Z is now - available

-

- When using the KVM hypervisor on IBM Z hardware, you can now use the graphical installation when - creating virtual machines (VMs). -

-
-

- Now, when a user executes the installation in KVM, and QEMU provides a virtio-gpu driver, the installer automatically starts the graphical - console. The user can switch to text or VNC mode by appending the inst.text or inst.vnc boot parameters in the - VM’s kernel command line. -

-

- (BZ#1609325) -

-
-

Warnings for deprecated kernel boot arguments

-

- Anaconda boot arguments without the inst. prefix (for example, - ks, stage2, repo and so on) are deprecated starting RHEL7. These arguments will - be removed in the next major RHEL release. -

-
-

- With this release, appropriate warning messages are displayed when the boot arguments are used - without the inst prefix. The warning messages are displayed in dracut when booting the installation and also when the installation - program is started on a terminal. -

-

- Following is a sample warning message that is displayed on a terminal: -

-

- Deprecated boot argument %s must be used with the inst. prefix. Please use inst.%s instead. - Anaconda boot arguments without inst. prefix have been deprecated and - will be removed in a future major release. -

-

- Following is a sample warning message that is displayed in dracut: -

-

- $1 has been deprecated. All usage of Anaconda boot arguments without - the inst. prefix have been deprecated and will be removed in a future - major release. Please use $2 instead. -

-

- (BZ#1897657) -

-
-
-
-
-
-

4.2. RHEL for Edge

-
-
-
-
-

Support to specify the kernel name as customization for RHEL for Edge image - types

-

- When creating OSTree commits for RHEL for Edge images, only one - kernel package can be installed at a time, otherwise the commit creation fails in rpm-ostree. This prevents RHEL for Edge from adding alternative - kernels, in particular, the real-time kernel (kernel-rt). With this - enhancement, when creating a blueprint for RHEL for Edge image using the CLI, you can define the - name of the kernel to be used in an image, by setting the customizations.kernel.name key. If you do not specify any kernel - name, the image include the default kernel package. -

-
-

- (BZ#1960043) -

-
-
-
-
-
-

4.3. Software management

-
-
-
-
-

New fill_sack_from_repos_in_cache function is - now supported in DNF API

-

- With this update, the new DNF API fill_sack_from_repos_in_cache - function has been introduced which allows to load repositories only from the cached solv, solvx files, and the repomd.xml file. As a result, if the user manages dnf cache, it is possible to save resources without having duplicate - information (xml and solv), and - without processing xml into solv. -

-
-

- (BZ#1865803) -

-
-

createrepo_c now automatically adds modular - metadata to repositories

-

- Previously, running the createrepo_c command on RHEL8 packages to - create a new repository did not include modular repodata in this repository. Consequently, it - caused various problems with repositories. With this update, createrepo_c: -

-
-
-
    -
  • - scans for modular metadata -
  • -
  • - merges the found module YAML files into a single modular document modules.yaml -
  • -
  • - automatically adds this document to the repository. -
  • -
-
-

- As a result, adding modular metadata to repositories is now automatic and no longer has to be done - as a separate step using the modifyrepo_c command. -

-

- (BZ#1795936) -

-
-

The ability to mirror a transaction between systems within DNF is now - supported

-

- With this update, the user can store and replay a transaction within DNF. -

-
-
-
    -
  • - To store a transaction from DNF history into a JSON file, run the dnf history store command. -
  • -
  • - To replay the transaction later on the same machine, or on a different one, run the dnf history replay command. -
  • -
-
-

- Comps groups operations storing and replaying is supported. Module operations are not yet supported, - and consequently, are not stored or replayed. -

-

- (BZ#1807446) -

-
-

createrepo_c rebased to version - 0.16.2

-

- The createrepo_c packages have been rebased to version 0.16.2 which - provides the following notable changes over the previous version: -

-
-
-
    -
  • - Added module metadata support for createrepo_c. -
  • -
  • - Fixed various memory leaks -
  • -
-
-

- (BZ#1894361) -

-
-

The protect_running_kernel configuration - option is now available.

-

- With this update, the protect_running_kernel configuration option - for the dnf and microdnf commands has - been introduced. This option controls whether the package corresponding to the running version - of the kernel is protected from removal. As a result, the user can now disable protection of the - running kernel. -

-
-

- (BZ#1698145) -

-
-
-
-
-
-

4.4. Shells and command-line tools

-
-
-
-
-

OpenIPMI rebased to version 2.0.29 -

-

- The OpenIPMI packages have been upgraded to version 2.0.29. Notable - changes over the previous version include: -

-
-
-
    -
  • - Fixed memory leak, variable binding, and missing error messages. -
  • -
  • - Added support for IPMB. -
  • -
  • - Added support for registration of individual group extension in the lanserv. -
  • -
-
-

- (BZ#1796588) -

-
-

freeipmi rebased to version 1.6.6

-

- The freeipmi packages have been upgraded to version 1.6.6. Notable - changes over the previous version include: -

-
-
-
    -
  • - Fixed memory leaks and typos in the source code. -
  • -
  • -

    - Implemented workarounds for the following known issues: -

    -
    -
      -
    • - unexpected completion code. -
    • -
    • - Dell Poweredge FC830. -
    • -
    • - out of order packets with lan/rmcpplus ipmb. -
    • -
    -
    -
  • -
  • - Added support for new Dell, Intel, and Gigabyte devices. -
  • -
  • - Added support for the interpretation of system information and events. -
  • -
-
-

- (BZ#1861627) -

-
-

opal-prd rebased to version 6.6.3

-

- The opal-prd package has been rebased to version 6.6.3. Notable - changes include: -

-
-
-
    -
  • - Added an offline worker process handle page for opal-prd - daemon. -
  • -
  • - Fixed the bug for opal-gard on POWER9P so that the system can identify the chip targets for - gard records. -
  • -
  • - Fixed false negatives in wait_for_all_occ_init() of occ command. -
  • -
  • - Fixed OCAPI_MEM BAR values in hw/phys-map. -
  • -
  • - Fixed warnings for Inconsistent MSAREA in hdata/memory.c. -
  • -
  • -

    - For sensors in occ: -

    -
    -
      -
    • - Fixed sensor values zero bug. -
    • -
    • - Fixed the GPU detection code. -
    • -
    -
    -
  • -
  • - Skipped sysdump retrieval in MPIPL - boot. -
  • -
  • - Fixed IPMI double-free in the Mihawk platform. -
  • -
  • - Updated non-MPIPL scenario in fsp/dump. -
  • -
  • -

    - For hw/phb4: -

    -
    -
      -
    • - Verified AER support before initialising AER regs. -
    • -
    • - Enabled error reporting. -
    • -
    -
    -
  • -
  • - Added new smp-cable-connector VPD keyword in hdata. -
  • -
-
-

- (BZ#1844427) -

-
-

opencryptoki rebased to version - 3.15.1

-

- The opencryptoki packages have been rebased to version 3.15.1. - Notable changes include: -

-
-
-
    -
  • - Fixed segfault in C_SetPin. -
  • -
  • - Fixed usage of EVP_CipherUpdate and EVP_CipherFinal. -
  • -
  • - Added utility to migrate the token repository to FIPS compliant - encryption. -
  • -
  • -

    - For pkcstok_migrate tool: -

    -
    -
      -
    • - Fixed NVTOK.DAT conversion on Little Endian - platforms. -
    • -
    • - Fixed private and public token object conversion on Little Endian platforms. -
    • -
    -
    -
  • -
  • - Fixed storing of public token objects in the new data format. -
  • -
  • - Fixed the parameter checking mechanism in dh_pkcs_derive. -
  • -
  • - Corrected soft token model name. -
  • -
  • - Replaced deprecated OpenSSL interfaces in mech_ec.c file and in - ICA, TPM, and Soft tokens. -
  • -
  • - Replaced deprecated OpenSSL AES/3DES interfaces in sw_crypt.c - file. -
  • -
  • - Added support for ECC mechanism in Soft token. -
  • -
  • - Added IBM specific SHA3 HMAC and SHA512/224/256 HMAC mechanisms in the Soft token. -
  • -
  • - Added support for key wrapping with CKM_RSA_PKCS in CCA. -
  • -
  • -

    - For EP11 crypto stack: -

    -
    -
      -
    • - Fixed ep11_get_keytype to recognize CKM_DES2_KEY_GEN. -
    • -
    • - Fixed error trace in token_specific_rng. -
    • -
    • - Enabled specific FW version and API in HSM simulation. -
    • -
    -
    -
  • -
  • - Fixed Endian bug in X9.63 KDF. -
  • -
  • - Added an error message for handling p11sak remove-key command. -
  • -
  • - Fixed compiling issues with C++. -
  • -
  • - Fixed the problem with C_Get/SetOperationState and digest - contexts. -
  • -
  • - Fixed pkcscca migration fails with usr/sb2. -
  • -
-
-

- (BZ#1847433) -

-
-

powerpc-utils rebased to version - 1.3.8

-

- The powerpc-utils packages have been rebased to version 1.3.8. - Notable changes include: -

-
-
-
    -
  • - Commands that do not depend on Perl are now moved to the core - subpackage. -
  • -
  • - Added support for Linux Hybrid Network Virtualization. -
  • -
  • - Updated safe bootlist. -
  • -
  • - Added vcpustat utility. -
  • -
  • - Added support for cpu-hotplug in lparstat command. -
  • -
  • - Added switch to print Scaled metrics in lparstat command. -
  • -
  • - Added helper function to calculate the delta, scaled timebase, - and to derive PURR/SPURR values. -
  • -
  • -

    - For ofpathname utility: -

    -
    -
      -
    • - Improved the speed for l2of_scsi(). -
    • -
    • - Fixed the udevadm location. -
    • -
    • - Added partition to support l2od_ide() and l2of_scsi(). -
    • -
    • - Added support for the plug ID of a SCSI/SATA host. -
    • -
    -
    -
  • -
  • - Fixed the segfault condition on the unsupported connector type. -
  • -
  • - Added tools to support migration of SR_IOV to a hybrid virtual - network. -
  • -
  • - Fixed the format-overflow warnings. -
  • -
  • - Fixed the bash command substitution warning using the lsdevinfo - utility. -
  • -
  • - Fixed boot-time bonding interface cleanup. -
  • -
-
-

- (BZ#1853297) -

-
-

New kernel cmdline option now generates network device name

-

- The net_id built-in from systemd-udevd - service gains a new kernel cmdline option net.naming-scheme=SCHEME_VERSION. Based on the value of the SCHEME_VERSION, a user can select a version of the algorithm that - will generate the network device name. -

-
-

- For example, to use the features of net_id built-in in RHEL 8.4, set - the value of the SCHEME_VERSION to rhel-8.4. -

-

- Similarly, you can set the value of the SCHEME_VERSION to any other - minor release that includes the required change or fix. -

-

- (BZ#1827462) -

-
-
-
-
-
-

4.5. Infrastructure services

-
-
-
-
-

Difference in default postfix-3.5.8 - behavior

-

- For better RHEL-8 backward compatibility, the behavior of the postfix-3.5.8 update differs from the default upstream postfix-3.5.8 behavior. For the default upstream postfix-3.5.8 behavior, run the following commands: -

-
-

- # postconf info_log_address_format=external -

-

- # postconf smtpd_discard_ehlo_keywords= -

-

- # postconf rhel_ipv6_normalize=yes -

-

- For details, see the /usr/share/doc/postfix/README-RedHat.txt file. If - the incompatible functionalities are not used or RHEL-8 backward compatibility is the priority, no - steps are necessary. -

-

- (BZ#1688389) -

-
-

BIND rebased to version 9.11.26

-

- The bind packages have been updated to version 9.11.26. Notable - changes include: -

-
-
-
    -
  • - Changed the default EDNS buffer size from 4096 to 1232 bytes. This change will prevent the - loss of fragmented packets in some networks. -
  • -
  • - Increased the default value of max-recursion-queries from 75 to 100. Related to - CVE-2020-8616. -
  • -
  • - Fixed the problem of reused dead nodes in lib/dns/rbtdb.c file - in named. -
  • -
  • - Fixed the crashing problem in the named service when cleaning - the reused dead nodes in the lib/dns/rbtdb.c file. -
  • -
  • - Fixed the problem of configured multiple forwarders sometimes occurring in the named service. -
  • -
  • - Fixed the problem of the named service of assigning incorrect - signed zones with no DS record at the parent as bogus. -
  • -
  • - Fixed the missing DNS cookie response over UDP. -
  • -
-
-

- (BZ#1882040) -

-
-

unbound configuration now provides enhanced - logging output

-

- With this enhancement, the following three options have been added to the unbound configuration: -

-
-
-
    -
  • - log-servfail enables log lines that explain the reason for the - SERVFAIL error code to clients. -
  • -
  • - log-local-actions enables logging of all local zone actions. -
  • -
  • - log-tag-queryreply enables tagging of log queries and log - replies in the log file. -
  • -
-
-

- (BZ#1850460) -

-
-

Multiple vulnerabilities fixed with ghostscript-9.27

- -
-

- (BZ#1874523) -

-
-

Tuned rebased to version 2.15-1.

-

- Notable changes include: -

-
-
-
    -
  • - Added service plugin for Linux services control. -
  • -
  • - Improved scheduler plugin. -
  • -
-
-

- (BZ#1874052) -

-
-

DNSTAP now records incoming detailed - queries.

-

- DNSTAP provides an advanced way to monitor and log details of - incoming name queries. It also records sent answers from the named - service. Classic query logging of the named service has a negative impact on the performance of - the named service. -

-
-

- As a result, DNSTAP offers a way to perform continuous logging of detailed incoming queries without - impacting the performance penalty. The new dnstap-read utility allows - you to analyze the queries running on a different system. -

-

- (BZ#1854148) -

-
-

SpamAssassin rebased to version 3.4.4 -

-

- The SpamAssassin package has been upgraded to version 3.4.4. - Notable changes include: -

-
-
-
    -
  • - OLEVBMacro plugin has been added. -
  • -
  • - New functions check_rbl_ns, check_rbl_rcvd, check_hashbl_bodyre, - and check_hashbl_uris have been added. -
  • -
-
-

- (BZ#1822388) -

-
-

Key algorithm can be changed using the OMAPI shell

-

- With this enhancement, users can now change the key algorithm. The key algorithm that was - hardcoded as HMAC-MD5 is not considered secure anymore. As a - result, users can use the omshell command to change the key - algorithm. -

-
-

- (BZ#1883999) -

-
-

Sendmail now supports TLSFallbacktoClear - configuration

-

- With this enhancement, if the outgoing TLS connection fails, the sendmail client will fall back - to the plaintext. This overcomes the TLS compatibility problems with the other parties. Red Hat - ships sendmail with the TLSFallbacktoClear option disabled by - default. -

-
-

- (BZ#1868041) -

-
-

tcpdump now allows viewing RDMA capable devices

-

- This enhancement enables support for capturing RDMA traffic with tcpdump. It allows users to capture and analyze offloaded RDMA - traffic with the tcpdump tool. As a result, users can use tcpdump to view RDMA capable devices, capture RoCE and VMA traffic, - and analyze its content. -

-
-

- (BZ#1743650) -

-
-
-
-
-
-

4.6. Security

-
-
-
-
-

libreswan rebased to 4.3

-

- The libreswan packages have been upgraded to version 4.3. Notable - changes over the previous version include: -

-
-
-
    -
  • - IKE and ESP over TCP support (RFC 8229) -
  • -
  • - IKEv2 Labeled IPsec support -
  • -
  • - IKEv2 leftikeport/rightikeport support -
  • -
  • - Experimental support for Intermediate Exchange -
  • -
  • - Extended Redirect support for loadbalancing -
  • -
  • - Default IKE lifetime changed from 1 h to 8 h for increased interoperability -
  • -
  • - :RSA sections in the ipsec.secrets - file are no longer required -
  • -
  • - Fixed Windows 10 rekeying -
  • -
  • - Fixed sending certificate for ECDSA authentication -
  • -
  • - Fixes for MOBIKE and NAT-T -
  • -
-
-

- (BZ#1891128) -

-
-

IPsec VPN now supports TCP transport

-

- This update of the libreswan packages adds support for IPsec-based - VPNs over TCP encapsulation as described in RFC 8229. The addition helps establish IPsec VPNs on - networks that prevent traffic using Encapsulating Security Payload (ESP) and UDP. As a result, - administrators can configure VPN servers and clients to use TCP either as a fallback or as the - main VPN transport protocol. -

-
-

- (BZ#1372050) -

-
-

Libreswan now supports IKEv2 for Labeled IPsec

-

- The Libreswan Internet Key Exchange (IKE) implementation now includes Internet Key Exchange - version 2 (IKEv2) support of Security Labels for IPsec. With this update, systems that use - security labels with IKEv1 can be upgraded to IKEv2. -

-
-

- (BZ#1025061) -

-
-

libpwquality rebased to 1.4.4

-

- The libpwquality package has been rebased to version 1.4.4. This - release includes multiple bug fixes and translation updates. Most notably, the following setting - options have been added to the pwquality.conf file: -

-
-
-
    -
  • - retry -
  • -
  • - enforce_for_root -
  • -
  • - local_users_only -
  • -
-
-

- (BZ#1537240) -

-
-

p11-kit rebased to 0.23.19

-

- The p11-kit packages have been upgraded from version 0.23.14 to - version 0.23.19. The new version fixes several bugs and provides various enhancements, notably: -

-
-
-
    -
  • - Fixed CVE-2020-29361, CVE-2020-29362, CVE-2020-29363 security issues. -
  • -
  • - p11-kit now supports building through the meson build system. -
  • -
-
-

- (BZ#1887853) -

-
-

pyOpenSSL rebased to 19.0.0

-

- The pyOpenSSL packages have been rebased to upstream version - 19.0.0. This version provides bug fixes and enhancements, most notably: -

-
-
-
    -
  • - Improved TLS 1.3 support with openssl version 1.1.1. -
  • -
  • - No longer raising an error when trying to add a duplicate certificate with X509Store.add_cert -
  • -
  • - Improved handling of X509 certificates containing NUL bytes in components -
  • -
-
-

- (BZ#1629914) -

-
-

SCAP Security Guide rebased to 0.1.54

-

- The scap-security-guide packages have been rebased to upstream - version 0.1.54, which provides several bug fixes and improvements. Most notably: -

-
-
-
    -
  • - The Operating System Protection Profile - (OSPP) has been updated in accordance with the Protection Profile for General Purpose - Operating Systems for Red Hat Enterprise Linux 8.4. -
  • -
  • - The ANSSI family of profiles based on - the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), has been - introduced. The content contains profiles implementing rules of the Minimum, Intermediary - and Enhanced hardening levels. -
  • -
  • - The Security Technical Implementation Guide (STIG) security profile has been updated, - and it implements rules from the recently-released version V1R1. -
  • -
-
-

- (BZ#1889344) -

-
-

OpenSCAP rebased to 1.3.4

-

- The OpenSCAP packages have been rebased to upstream version 1.3.4. Notable fixes and - enhancements include: -

-
-
-
    -
  • - Fixed certain memory issues that were causing systems with large amounts of files to run out - of memory. -
  • -
  • - OpenSCAP now treats GPFS as a remote file system. -
  • -
  • - Proper handling of OVALs with circular dependencies between definitions. -
  • -
  • - Improved yamlfilecontent: updated yaml-filter, extended the schema and probe to be able to work - with a set of values in maps. -
  • -
  • - Fixed numerous warnings (GCC and Clang). -
  • -
  • - Numerous memory management fixes. -
  • -
  • - Numerous memory leak fixes. -
  • -
  • - Platform elements in XCCDF files are now properly resolved in accordance with the XCCDF - specification. -
  • -
  • - Improved compatibility with uClibc. -
  • -
  • - Local and remote file system detection methods improved. -
  • -
  • - Fixed dpkginfo probe to use pkgCacheFile instead of manually opening the cache. -
  • -
  • - OpenSCAP scan report is now a valid HTML5 document. -
  • -
  • - Fixed unwanted recursion in the file probe. -
  • -
-
-

- (BZ#1887794) -

-
-

The RHEL 8 STIG security profile updated to version V1R1

-

- With the release of the RHBA-2021:1886 advisory, the - DISA STIG for Red Hat Enterprise Linux 8 profile in the SCAP - Security Guide has been updated to align with the latest version V1R1. The profile is now also more stable and better aligns with the - RHEL 8 STIG (Security Technical Implementation Guide) manual benchmark provided by the Defense - Information Systems Agency (DISA). This first iteration brings approximately 60% of coverage - with regards to the STIG. -

-
-

- You should use only the current version of this profile because the draft profile is no longer - valid. -

-
-
Warning
-
-

- Automatic remediation might render the system non-functional. Run the remediation in a test - environment first. -

-
-
-

- (BZ#1918742) -

-
-

New DISA STIG profile compatible with Server with GUI - installations

-

- A new profile, DISA STIG with GUI, has been added to the SCAP Security Guide with the release of the RHBA-2021:4098 - advisory. This profile is derived from the DISA STIG profile and is - compatible with RHEL installations that selected the Server with GUI package group. The previously existing stig profile was not compatible with Server with GUI because DISA STIG demands uninstalling any Graphical - User Interface. However, this can be overridden if properly documented by a Security Officer - during evaluation. As a result, the new profile helps when installing a RHEL system as a Server with GUI aligned with the DISA STIG profile. -

-
-

- (BZ#2005431) -

-
-

Profiles for ANSSI-BP-028 Minimal, Intermediary and Enhanced levels are now - available in SCAP Security Guide

-

- With the new profiles, you can harden the system to the recommendations from the French National - Security Agency (ANSSI) for GNU/Linux Systems at the Minimal, Intermediary and Enhanced - hardening levels. As a result, you can configure and automate compliance of your RHEL 8 systems - according to your required ANSSI hardening level by using the ANSSI Ansible Playbooks and the - ANSSI SCAP profiles. -

-
-

- (BZ#1778188) -

-
-

scap-workbench can now scan remote systems - using sudo privileges

-

- The scap-workbench GUI tool now supports scanning remote systems - using passwordless sudo access. This feature reduces the security - risk imposed by supplying root’s credentials. -

-
-

- Be cautious when using scap-workbench with passwordless sudo access and the remediate option. Red - Hat recommends dedicating a well-secured user account just for the OpenSCAP scanner. -

-

- (BZ#1877522) -

-
-

rhel8-tang container image is now - available

-

- With this release, the rhel8/rhel8-tang container image is - available in the registry.redhat.io catalog. The container image - provides Tang-server decryption capabilities for Clevis clients that run either in OpenShift - Container Platform (OCP) clusters or in separate virtual machines. -

-
-

- (BZ#1913310) -

-
-

Clevis rebased to version 15

-

- The clevis packages have been rebased to upstream version 15. This - version provides many bug fixes and enhancements over the previous version, most notably: -

-
-
-
    -
  • - Clevis now produces a generic initramfs and no longer automatically adds the rd.neednet=1 parameter to the kernel command line. -
  • -
  • - Clevis now properly handles incorrect configurations that use the sss pin, and the clevis encrypt sss - sub-command returns outputs that indicate the error cause. -
  • -
-
-

- (BZ#1887836) -

-
-

Clevis no longer automatically adds rd.neednet=1

-

- Clevis now correctly produces a generic initrd (initial ramdisk) - without host-specific configuration options by default. As a result, Clevis no longer - automatically adds the rd.neednet=1 parameter to the kernel command - line. -

-
-

- If your configuration uses the previous functionality, you can either enter the dracut command with the --hostonly-cmdline - argument or create the clevis.conf file in the /etc/dracut.conf.d and add the hostonly_cmdline=yes option to the file. A Tang binding must be present - during the initrd build process. -

-

- (BZ#1853651) -

-
-

New package: rsyslog-udpspoof

-

- The rsyslog-udpspoof subpackage has been added back to RHEL 8. This - module is similar to the regular UDP forwarder, but permits relaying syslog between different network segments while maintaining the - source IP in the syslog packets. -

-
-

- (BZ#1869874) -

-
-

fapolicyd rebased to 1.0.2

-

- The fapolicyd packages have been rebased to upstream version 1.0.2. - This version provides many bug fixes and enhancements over the previous version, most notably: -

-
-
-
    -
  • -

    - Added the integrity configuration option for enabling - integrity checks through: -

    -
    -
      -
    • - Comparing file sizes -
    • -
    • - Comparing SHA-256 hashes -
    • -
    • - Integrity Measurement Architecture (IMA) subsystem -
    • -
    -
    -
  • -
  • - The fapolicyd RPM plugin now registers any system update that - is handled by either the YUM package manager or the RPM Package Manager. -
  • -
  • - Rules now can contain GID in subjects. -
  • -
  • - You can now include rule numbers in debug and syslog messages. -
  • -
-
-

- (BZ#1887451) -

-
-

New RPM plugin notifies fapolicyd about - changes during RPM transactions

-

- This update of the rpm packages introduces a new RPM plugin that - integrates the fapolicyd framework with the RPM database. The - plugin notifies fapolicyd about installed and changed files during - an RPM transaction. As a result, fapolicyd now supports integrity - checking. -

-
-

- Note that the RPM plugin replaces the YUM plugin because its functionality is not limited to YUM - transactions but covers also changes by RPM. -

-

- (BZ#1923167) -

-
-
-
-
-
-

4.7. Networking

-
-
-
-
-

The PTP capabilities output format of the ethtool utility has changed

-

- Starting with RHEL 8.4, the ethtool utility uses the netlink interface instead of the ioctl() - system call to communicate with the kernel. Consequently, when you use the ethtool -T <network_controller> - command, the format of Precision Time Protocol (PTP) values changes. -

-
-

- Previously, with the ioctl() interface, ethtool translated the capability bit names by using an ethtool-internal string table and, the ethtool -T <network_controller> - command displayed, for example: -

-
Time stamping parameters for <network_controller>:
-Capabilities:
-hardware-transmit (SOF_TIMESTAMPING_TX_HARDWARE)
-software-transmit (SOF_TIMESTAMPING_TX_SOFTWARE)
-...
-

- With the netlink interface, ethtool - receives the strings from the kernel. These strings do not include the internal SOF_TIMESTAMPING_* names. Therefore, ethtool -T <network_controller> - now displays, for example: -

-
Time stamping parameters for <network_controller>:
-Capabilities:
-hardware-transmit
-software-transmit
-...
-

- If you use the PTP capabilities output of ethtool in scripts or - applications, update them accordingly. -

-

- (JIRA:RHELDOCS-18188) -

-
-

XDP is conditionally supported

-

- Red Hat supports the eXpress Data Path (XDP) feature only if all of the following conditions - apply: -

-
-
-
    -
  • - You load the XDP program on an AMD or Intel 64-bit architecture -
  • -
  • - You use the libxdp library to load the program into the kernel -
  • -
  • - The XDP program does not use the XDP hardware offloading -
  • -
-
-

- In RHEL 8.4, XDP_TX and XDP_REDIRECT - return codes are now supported in XDP programs. -

-

- For details about unsupported XDP features, see XDP features that are available as Technology - Preview -

-

- (BZ#1952421) -

-
-

NetworkManager rebased to version 1.30.0

-

- The NetworkManager packages have been upgraded to upstream version - 1.30.0, which provides a number of enhancements and bug fixes over the previous version: -

-
-
-
    -
  • - The ipv4.dhcp-reject-servers connection property has been added - to define from which DHCP server IDs NetworkManager should reject lease offers. -
  • -
  • - The ipv4.dhcp-vendor-class-identifier connection property has - been added to send a custom Vendor Class Identifier DHCP option value. -
  • -
  • - The active_slave bond option has been deprecated. Instead, set - the primary option in the controller connection. -
  • -
  • - The nm-initrd-generator utility now supports MAC addresses to - indicate interfaces. -
  • -
  • - The nm-initrd-generator utility generator now supports creating - InfiniBand connections. -
  • -
  • - The timeout of the NetworkManager-wait-online service has been - increased to 60 seconds. -
  • -
  • - The ipv4.dhcp-client-id=ipv6-duid connection property has been - added to be compliant to RFC4361. -
  • -
  • - Additional ethtool offload features have been added. -
  • -
  • - Support for the WPA3 Enterprise Suite-B 192-bit mode has been added. -
  • -
  • - Support for virtual Ethernet (veth) devices has been added. -
  • -
-
-

- For further information about notable changes, read the upstream release notes: -

- -

- (BZ#1878783) -

-
-

The iproute2 utility introduces traffic - control actions to add MPLS headers before Ethernet header

-

- With this enhancement, the iproute2 utility offers three new - traffic control (tc) actions: -

-
-
-
    -
  • - mac_push - The act_mpls module - provides this action to add MPLS labels before the original Ethernet header. -
  • -
  • - push_eth - The act_vlan module - provides this action to build an Ethernet header at the beginning of the packet. -
  • -
  • - pop_eth - The act_vlan module - provides this action to drop the outer Ethernet header. -
  • -
-
-

- These tc actions help in implementing layer 2 virtual private network - (L2VPN) by adding multiprotocol label switching (MPLS) labels before Ethernet headers. You can use - these actions while adding tc filters to the network interfaces. -

-

- Red Hat provides these actions as unsupported Technology Preview, because MPLS itself is a - Technology Preview feature. -

-

- For more information about these actions and their parameters, refer to the tc-mpls(8) and tc-vlan(8) man pages. -

-

- (BZ#1861261) -

-
-

The nmstate API is now fully - supported

-

- Nmstate, which was previously a Technology Preview, is a network API for hosts and fully - supported in RHEL 8.4. The nmstate packages provide a library and - the nmstatectl command-line utility to manage host network settings - in a declarative manner. The networking state is described by a predefined schema. Reporting of - the current state and changes to the desired state both conform to the schema. -

-
-

- For further details, see the /usr/share/doc/nmstate/README.md file and - the sections about nmstatectl in the Configuring - and managing networking documentation. -

-

- (BZ#1674456) -

-
-

New package: rshim

-

- The rhsim package provides the Mellanox BlueField rshim user-space - driver, which enables accessing the rshim resources on the BlueField SmartNIC target from the - external host machine. The current version of the rshim user-space driver implements device - files for boot image push and virtual console access. In addition, it creates a virtual network - interface to connect to the BlueField target and provides a way to access internal rshim - registers. -

-
-

- Note that in order for the virtual console or virtual network interface to be operational, the - target must be running a tmfifo driver. -

-

- (BZ#1744737) -

-
-

iptraf-ng rebased to 1.2.1

-

- The iptraf-ng packages have been rebased to upstream version 1.2.1, - which provides several bug fixes and improvements. Most notably: -

-
-
-
    -
  • - The iptraf-ng application no longer causes 100% CPU usage when - showing the detailed statistics of a deleted interface. -
  • -
  • - The unsafe handling arguments of printf() functions have been - fixed. -
  • -
  • - Partial support for IP over InfiniBand (IPoIB) interface has been added. Because the kernel - does not provide the source address on the interface, you cannot use this feature in the LAN - station monitor mode. -
  • -
  • - Packet capturing abstraction has been added to allow iptraf-ng - to capture packets at multi-gigabit speed. -
  • -
  • - You can now scroll using the Home, End, Page up, and Page down keyboard keys. -
  • -
  • - The application now shows the dropped packet count. -
  • -
-
-

- (BZ#1906097) -

-
-
-
-
-
-

4.8. Kernel

-
-
-
-
-

Kernel version in RHEL 8.4

-

- Red Hat Enterprise Linux 8.4 is distributed with the kernel version 4.18.0-305. -

-
-

- See also Important Changes to External - Kernel Parameters and Device Drivers. -

-

- (BZ#1839151) -

-
-

Extended Berkeley Packet Filter for RHEL 8.4

-

- The Extended Berkeley Packet Filter (eBPF) - is an in-kernel virtual machine that allows code execution in the kernel space, in the - restricted sandbox environment with access to a limited set of functions. The virtual machine - executes a special assembly-like code. -

-
-

- The eBPF bytecode first loads to the kernel, - followed by its verification, code translation to the native machine code with just-in-time - compilation, and then the virtual machine executes the code. -

-

- Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a - different development phase, and thus not all components are currently fully supported. In RHEL 8.4, - the following eBPF components are supported: -

-
-
    -
  • - The BPF Compiler Collection (BCC) tools - package, which provides tools for I/O analysis, networking, and monitoring of Linux - operating systems using eBPF. -
  • -
  • - The BCC library which allows the - development of tools similar to those provided in the BCC tools package. -
  • -
  • - The eBPF for Traffic Control (tc) - feature, which enables programmable packet processing inside the kernel network data path. -
  • -
  • - The eXpress Data Path (XDP) feature, - which provides access to received packets before the kernel networking stack processes them, - is supported under specific conditions. -
  • -
  • - The libbpf package, which is crucial for bpf related - applications like bpftrace and bpf/xdp development. -
  • -
  • - The xdp-tools package, which contains userspace support - utilities for the XDP feature, is now - supported on the AMD and Intel 64-bit architectures. This includes the libxdp library, the xdp-loader - utility for loading XDP programs, the xdp-filter example - program for packet filtering, and the xdpdump utility for - capturing packets from a network interface with XDP enabled. -
  • -
-
-

- Note that all other eBPF components are - available as Technology Preview, unless a specific component is indicated as supported. -

-

- The following notable eBPF components are - currently available as Technology Preview: -

-
-
    -
  • - The bpftrace tracing language -
  • -
  • - The AF_XDP socket for connecting the eXpress Data Path (XDP) path to user space -
  • -
-
-

- For more information regarding the Technology Preview components, see Technology - Previews. -

-

- (BZ#1780124) -

-
-

New package: kmod-redhat-oracleasm

-

- This update adds the new kmod-redhat-oracleasm package, which - provides the kernel module part of the ASMLib utility. Oracle Automated Storage Management (ASM) - is a data volume manager for Oracle databases. ASMLib is an optional utility that can be used on - Linux systems to manage Oracle ASM devices. -

-
-

- (BZ#1827015) -

-
-

The xmon program changes to support Secure Boot and kernel_lock resilience - against attacks

-

- If the Secure Boot mechanism is disabled, - you can set the xmon program into read-write mode (xmon=rw) on the kernel command-line. However, if you specify xmon=rw and boot into Secure - Boot mode, the kernel_lockdown feature - overrides xmon=rw and changes it to read-only mode. The additional - behavior of xmon depending on Secure Boot enablement is listed below: -

-
-

- Secure Boot is on: -

-
-
    -
  • - xmon=ro (default) -
  • -
  • - A stack trace is printed -
  • -
  • - Memory read works -
  • -
  • - Memory write is blocked -
  • -
-
-

- Secure Boot is off: -

-
-
    -
  • - Possibility to set xmon=rw -
  • -
  • - A stack trace is always printed -
  • -
  • - Memory read always works -
  • -
  • - Memory write is permitted only if xmon=rw -
  • -
-
-

- These changes to xmon behavior aim to support the Secure Boot and kernel_lock resilience against attackers with root permissions. -

-

- For information how to configure kernel command-line parameters, see Configuring - kernel command-line parameters on the Customer Portal. -

-

- (BZ#1952161) -

-
-

Cornelis Omni-Path Architecture (OPA) Host Software

-

- Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 8.4. - OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high - performance data transfers (high bandwidth, high message rate, low latency) between compute and - I/O nodes in a clustered environment. -

-
-

- For instructions on installing Omni-Path Architecture, see: Cornelis - Omni-Path Fabric Software Release Notes file. -

-

- (BZ#1960412) -

-
-

SLAB cache merging disabled by default

-

- The CONFIG_SLAB_MERGE_DEFAULT kernel configuration option has been - disabled, and now SLAB caches are not merged by default. This change aims to enhance the - allocator’s reliability and traceability of cache usage. If the previous slab-cache merging - behavior was desirable, the user can re-enable it by adding the slub_merge parameter to the kernel command-line. For more information - on how to set the kernel command-line parameters, see the Configuring - kernel command-line parameters on Customer Portal. -

-
-

- (BZ#1871214) -

-
-

The ima-evm-utils package rebased to version 1.3.2

-

- The ima-evm-utils package has been upgraded to version 1.3.2, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Added support for handling the Trusted Platform Module (TPM2) multi-banks feature -
  • -
  • - Extended the boot aggregate value to Platform Configuration Registers (PCRs) 8 and 9 -
  • -
  • - Preloaded OpenSSL engine through a CLI parameter -
  • -
  • - Added support for Intel Task State Segment (TSS2) PCR reading -
  • -
  • - Added support for the original Integrity Measurement Architecture (IMA) template -
  • -
-
-

- Both the libimaevm.so.0 and libimaevm.so.2 - libraries are part of ima-evm-utils. Users of libimaevm.so.0 will not be affected, when their more recent applications - use libimaevm.so.2. -

-

- (BZ#1868683) -

-
-

Levelling IMA and EVM features across supported CPU architectures -

-

- All CPU architectures, except ARM, have a similar level of feature support for Integrity - Measurement Architecture (IMA) and Extended Verification Module (EVM) technologies. The enabled - functionalities are different for each CPU architecture. The following are the most significant - changes for each supported CPU architecture: -

-
-
-
    -
  • - IBM Z: IMA appraise and trusted keyring enablement. -
  • -
  • - AMD64 and Intel 64: specific architecture policy in secure boot state. -
  • -
  • - IBM Power System (little-endian): specific architecture policy in secure and trusted boot - state. -
  • -
  • - SHA-256 as default hash algorithm for all supported architectures. -
  • -
  • - For all architectures, the measurement template has changed to IMA-SIG The template includes - the signature bits when present. Its format is d-ng|n-ng|sig. -
  • -
-
-

- The goal of this update is to decrease the level of feature difference in IMA and EVM, so that - userspace applications can behave equally across all supported CPU architectures. -

-

- (BZ#1869758) -

-
-

Proactive compaction is - now included in RHEL 8 as disabled-by-default

-

- With ongoing workload activity, system memory becomes fragmented. The fragmentation can result - in capacity and performance problems. In some cases, program errors are also possible. Thereby, - the kernel relies on a reactive mechanism called memory compaction. The original design of the - mechanism is conservative, and the compaction activity is initiated on demand of allocation - request. However, reactive behavior tends to increase the allocation latency if the system - memory is already heavily fragmented. Proactive - compaction improves the design by regularly initiating memory compaction work - before a request for allocation is made. - This enhancement increases the chances that memory allocation requests find the physically - contiguous blocks of memory without the need of memory compaction producing those on-demand. As - a result, latency for specific memory allocation requests is lowered. -

-
-
-
Warning
-
-

- Proactive compaction can result in - increased compaction activity. This might have serious, system-wide impact, because memory - pages that belong to different processes are moved and remapped. Therefore, enabling proactive compaction requires utmost care - to avoid latency spikes in applications. -

-
-
-

- (BZ#1848427) -

-
-

EDAC support has been added in RHEL 8

-

- With this update, RHEL 8 supports the Error Detection and Correction (EDAC) kernel module set in - 8th and 9th generation Intel Core Processors (CoffeeLake). The EDAC kernel module mainly handles - Error Code Correction (ECC) memory and detect and report PCI bus parity errors. -

-
-

- (BZ#1847567) -

-
-

A new package: kpatch-dnf

-

- The kpatch-dnf package provides a DNF plugin, which makes it possible to - subscribe a RHEL system to kernel live patch updates. The subscription will affect all kernels - currently installed on the system, including kernels that will be installed in the future. For - more details about kpatch-dnf, see the dnf-kpatch(8) manual page or the Managing, - monitoring, and updating the kernel documentation. -

-
-

- (BZ#1798711) -

-
-

A new cgroups controller implementation for slab memory

-

- A new implementation of slab memory controller for the control groups technology is now available in - RHEL 8. Currently, a single memory slab can contain objects owned by different memory control group. The slab memory controller - brings improvement in slab utilization (up to 45%) and enables to shift the memory accounting - from the page level to the object level. Also, this change eliminates each set of duplicated - per-CPU and per-node slab caches for each memory control group and establishes one common set of - per-CPU and per-node slab caches for all memory control - groups. As a result, you can achieve a significant drop in the total - kernel memory footprint and observe positive effects on memory fragmentation. -

-
-

- Note that the new and more precise memory accounting requires more CPU time. However, the difference - seems to be negligible in practice. -

-

- (BZ#1877019) -

-
-

Time namespace has been added in RHEL 8

-

- The time namespace enables the system monotonic and boot-time clocks to work with per-namespace - offsets on AMD64, Intel 64, and the 64-bit ARM architectures. This feature is suited for - changing the date and time inside Linux containers and for in-container adjustments of clocks - after restoration from a checkpoint. As a result, users can now independently set time for each - individual container. -

-
-

- (BZ#1548297) -

-
-

New feature: Free memory page returning

-

- With this update, the RHEL 8 host kernel is able to return memory pages that are not used by its - virtual machines (VMs) back to the hypervisor. This improves the stability and resource - efficiency of the host. Note that for memory page returning to work, it must be configured in - the VM, and the VM must also use the virtio_balloon device. -

-
-

- (BZ#1839055) -

-
-

Supports changing the sorting order in perf top

-

- With this update, perf top can now sort samples by arbitrary event - column in case multiple events in a group are sampled, instead of sorting by the first column. - As a result, pressing a number key sorts the table by the matching data column. -

-
-
-
Note
-
-

- The column numbering starts from 0. -

-
-
-

- Using the --group-sort-idx command line option, it is possible to sort - by the column number. -

-

- (BZ#1851933) -

-
-

The kabi_whitelist package has been renamed to kabi_stablelist

-

- In accordance with Red Hat commitment to replacing problematic language, we renamed the kabi_whitelist package to kabi_stablelist in the RHEL 8.4 release. -

-
-

- (BZ#1867910, BZ#1886901) -

-
-

bpf rebased to version 5.9

-

- The bpf kernel technology in RHEL 8 has been brought up-to-date - with its upstream counterpart from the kernel v5.9. -

-
-

- The update provides multiple bug fixes and enhancements. Notable changes include: -

-
-
    -
  • - Added Berkeley Packet Filter (BPF) iterator for map elements and to iterate all BPF programs - for efficient in-kernel inspection. -
  • -
  • - Programs in the same control group (cgroup) can share the cgroup local storage map. -
  • -
  • - BPF programs can run on socket lookup. -
  • -
  • - The SO_KEEPALIVE and related options are available to the bpf_setsockopt() helper. -
  • -
-
-

- Note that some BPF programs may need changes to their source code. -

-

- (BZ#1874005) -

-
-

The bcc package rebased to version 0.16.0

-

- The bcc package has been upgraded to version 0.16.0, which provides - multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Added utilities klockstat and funcinterval -
  • -
  • - Fixes in various parts of the tcpconnect manual page -
  • -
  • - Fix to make the tcptracer tool output show SPORT and DPORT - columns for IPv6 addresses -
  • -
  • - Fix broken dependencies -
  • -
-
-

- (BZ#1879411) -

-
-

bpftrace rebased to version 0.11.0

-

- The bpftrace package has been upgraded to version 0.11.0, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Added utilities threadsnoop, tcpsynbl, tcplife, swapin, setuids, and naptime -
  • -
  • - Fixed failures to run of the tcpdrop.bt and syncsnoop.bt tools -
  • -
  • - Fixed a failure to load the Berkeley Packet Filter (BPF) program on IBM Z architectures -
  • -
  • - Fixed a symbol lookup error -
  • -
-
-

- (BZ#1879413) -

-
-

libbpf rebased to version 0.2.0.1

-

- The libbpf package has been upgraded to version 0.2.0.1, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Added support for accessing Berkeley Packet Filter (BPF) map fields in the bpf_map struct from programs that have BPF Type Format (BTF) - struct access -
  • -
  • - Added BPF ring buffer -
  • -
  • - Added bpf iterator infrastructure -
  • -
  • - Improved bpf_link observability -
  • -
-
-

- (BZ#1919345) -

-
-

perf now supports adding or removing - tracepoints from a running collector without having to stop or restart perf

-

- Previously, to add or remove tracepoints from an instance of perf record, the perf process had to be - stopped. As a consequence, performance data that occurred during the time the process was - stopped was not collected and, therefore, lost. With this update, you can dynamically enable and - disable tracepoints being collected by perf record via the control - pipe interface without having to stop the perf record process. -

-
-

- (BZ#1844111) -

-
-

The perf tool now supports recording and - displaying absolute timestamps for trace data

-

- With this update, perf script can now record and display trace data - with absolute timestamps. -

-
-

- Note: To display trace data with absolute timestamps, the data must be recorded with the clock ID - specified. -

-

- To record data with absolute timestamps, specify the clock ID: -

-
# perf record -k CLOCK_MONOTONIC sleep 1
-

- To display trace data recorded with the specified clock ID, execute the following command: -

-
# perf script -F+tod
-

- (BZ#1811839) -

-
-

dwarves rebased to version 1.19.1

-

- The dwarves package has been upgraded to version 1.19.1, which - provides multiple bug fixes and enhancements. Notably, this update introduces a new way of - checking functions from the DWARF debug data with related ftrace - entries to ensure a subset of ftrace functions is generated. -

-
-

- (BZ#1903566) -

-
-

perf now supports circular buffers that use - specified events to trigger snapshots

-

- With this update, you can create custom circular buffers that write data to a perf.data file when an event you specify is detected. As a result, - perf record can run continuously in the system background without - generating excess overhead by continuously writing data to a perf.data file, and only recording data you are interested in. -

-
-

- To create a custom circular buffer using the perf tool that records - event specific snapshots, use the following command: -

-
# perf record --overwrite -e _events_to_be_collected_ --switch-output-event _snapshot_trigger_event_
-

- (BZ#1844086) -

-
-

Kernel DRBG and Jitter entropy source are compliant to NIST SP 800-90A and - NIST SP 800-90B

-

- Kernel Deterministic Random Bit Generator (DRBG) and Jitter entropy source are now compliant to - recommendation for random number generation using DRBG (NIST SP 800-90A) and recommendation for - the entropy sources used for random bit generation (NIST SP 800-90B) specifications. As a - result, applications in FIPS mode can use these sources as FIPS-compliant randomness and noise - sources. -

-
-

- (BZ#1905088) -

-
-

kdump now supports Virtual Local Area Network tagged team network - interface

-

- This update adds support to configure Virtual Local Area Network tagged team interface for kdump. As a result, this feature now enables kdump to use a Virtual Local Area Network tagged team interface to - dump a vmcore file. -

-
-

- (BZ#1844941) -

-
-

kernel-rt source tree has been updated to RHEL 8.4 tree

-

- The kernel-rt source has been updated to use the latest Red Hat - Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest - upstream version, v5.10-rt7. Both of these updates provide a number of bug fixes and - enhancements. -

-
-

- (BZ#1858099, BZ#1858105) -

-
-

The stalld package is now added to RHEL 8.4 distribution

-

- This update adds the stalld package to RHEL 8.4.0. stalld is a daemon that monitors threads on a system running low - latency applications. It checks for job threads that have been on a run-queue without being - scheduled onto a CPU for a specified threshold. -

-
-

- When it detects a stalled thread, stalld temporarily changes the - scheduling policy to SCHED_DEADLINE and assigns the thread a slice of - CPU time to make forward progress. When the time slice completes or the thread blocks, the thread - goes back to its original scheduling policy. -

-

- (BZ#1875037) -

-
-

Support for CPU hotplug in the hv_24x7 and - hv_gpci PMUs

-

- With this update, PMU counters correctly react to the hot-plugging of a CPU. As a result, if a - hv_gpci event counter is running on a CPU that gets disabled, the - counting redirects to another CPU. -

-
-

- (BZ#1844416) -

-
-

Metrics for POWERPC hv_24x7 nest events are - now available

-

- Metrics for POWERPC hv_24x7 nest events are now available for perf. By aggregating multiple events, these metrics provide a better - understanding of the values obtained from perf counters and how - effectively the CPU is able to process the workload. -

-
-

- (BZ#1780258) -

-
-

hwloc rebased to version 2.2.0

-

- The hwloc package has been upgraded to version 2.2.0, which - provides the following change: -

-
-
-
    -
  • - The hwloc functionality can report details on Nonvolatile - Memory Express (NVMe) drives including total disk size and sector size. -
  • -
-
-

- (BZ#1841354) -

-
-

The igc driver is now fully supported -

-

- The igc Intel 2.5G Ethernet Linux wired LAN driver was introduced - in RHEL 8.1 as a Technology Preview. Starting with RHEL 8.4, it is fully supported on all - architectures. The ethtool utility also supports igc wired LANs. -

-
-

- (BZ#1495358) -

-
-
-
-
-
-

4.9. File systems and storage

-
-
-
-
-

RHEL installation now supports creating a swap partition of size 16 - TiB

-

- Previously, when installing RHEL, the installer created a swap partition of maximum 128 GB for - automatic and manual partitioning. -

-
-

- With this update, for automatic partitioning, the installer continues to create a swap partition of - maximum 128 GB, but in case of manual partitioning, you can now create a swap partition of 16 TiB. -

-

- (BZ#1656485) -

-
-

Surprise removal of NVMe devices

-

- With this enhancement, you can surprise remove NVMe devices from the Linux operating system - without notifying the operating system beforehand. This will enhance the serviceability of NVMe - devices because no additional steps are required to prepare the devices for orderly removal, - which ensures the availability of servers by eliminating server downtime. -

-
-

- Note the following: -

-
-
    -
  • - Surprise removal of NVMe devices requires kernel-4.18.0-193.13.2.el8_2.x86_64 version or later. -
  • -
  • - Additional requirements from the hardware platform or the software running on the platform - might be necessary for successful surprise removal of NVMe devices. -
  • -
  • - Surprise removing an NVMe device that is critical to the system operation is not supported. - For example, you cannot remove an NVMe device that contains the operating system or a swap - partition. -
  • -
-
-

- (BZ#1634655) -

-
-

Stratis filesystem symlink paths have changed

-

- With this enhancement, Stratis filesystem symlink paths have changed from /stratis/<stratis-pool>/<filesystem-name> - to /dev/stratis/<stratis-pool>/<filesystem-name>. - Consequently, all existing Stratis symlinks must be migrated to utilize the new symlink paths. -

-
-

- Use the included stratis_migrate_symlinks.sh migration script or reboot - your system to update the symlink paths. If you manually changed the systemd unit files or the /etc/fstab file to - automatically mount Stratis filesystems, you must update them with the new symlink paths. -

-
-
Note
-
-

- If you do not update your configuration with the new Stratis symlink paths, or if you - temporarily disable the automatic mounts, the boot process might not complete the next time - you reboot or start your system. -

-
-
-

- (BZ#1798244) -

-
-

Stratis now supports binding encrypted pools to a supplementary Clevis - encryption policy

-

- With this enhancement, you can now bind encrypted Stratis pools to Network Bound Disk Encryption - (NBDE) using a Tang server, or to the Trusted Platform Module (TPM) 2.0. Binding an encrypted - Stratis pool to NBDE or TPM 2.0 facilitates automatic unlocking of pools. As a result, you can - access your Stratis pools without having to provide the kernel keyring description after each - system reboot. Note that binding a Stratis pool to a supplementary Clevis encryption policy does - not remove the primary kernel keyring encryption. -

-
-

- (BZ#1868100) -

-
-

New mount options to control when DAX is enabled on XFS and ext4 file - systems

-

- This update introduces new mount options which, when combined with the FS_XFLAG_DAX inode flag, provide finer-grained control of the Direct - Access (DAX) mode for files on XFS and ext4 file systems. In prior releases, DAX was enabled for - the entire file system using the dax mount option. Now, the direct - access mode can be enabled on a per-file basis. -

-
-

- The on-disk flag, FS_XFLAG_DAX, is used to selectively enable or - disable DAX for a particular file or directory. The dax mount option - dictates whether or not the flag is honored: -

-
-
    -
  • - -o dax=inode - follow FS_XFLAG_DAX. This is the default when no dax option is - specified. -
  • -
  • - -o dax=never - never enable DAX, ignore FS_XFLAG_DAX. -
  • -
  • - -o dax=always - always enable DAX, ignore FS_XFLAG_DAX. -
  • -
  • - -o dax - is a legacy option which is an alias for "dax=always". - This may be removed in the future, so "-o dax=always" is preferred. -
  • -
-
-

- You can set FS_XFLAG_DAX flag by using the xfs_io utility’s chatter command: -

-
# xfs_io -c "chattr +x" filename
-

- (BZ#1838876, BZ#1838344) -

-
-

SMB Direct is now supported

-

- With this update, the SMB client now supports SMB Direct. -

-
-

- (BZ#1887940) -

-
-

New API for mounting filesystems has been added

-

- With this update, a new API for mounting filesystems based on an internal kernel structure - called a filesystem context (struct fs_context) has been added into - RHEL 8.4, allowing greater flexibility in communication of mount parameters between userspace, - the VFS, and the file system. Along with this, there are following system calls for operating on - the file system context: -

-
-
-
    -
  • - fsopen() - creates a blank filesystem configuration context - within the kernel for the filesystem named in the fsname - parameter, adds it into creation mode, and attaches it to a file descriptor, which it then - returns. -
  • -
  • - fsmount() - takes the file descriptor returned by fsopen() and creates a mount object for the file system root - specified there. -
  • -
  • - fsconfig() - supplies parameters to and issues commands against - a file system configuration context as set up by the fsopen(2) - or fspick(2) system calls. -
  • -
  • - fspick() - creates a new file system configuration context - within the kernel and attaches a pre-existing superblock to it so that it can be - reconfigured. -
  • -
  • - move_mount() - moves a mount from one location to another; it - can also be used to attach an unattached mount created by fsmount() or open_tree() with the - OPEN_TREE_CLONE system call. -
  • -
  • - open_tree() - picks the mount object specified by the pathname - and attaches it to a new file descriptor or clones it and attaches the clone to the file - descriptor. -
  • -
-
-

- Note that the old API based on the mount() system call is still - supported. -

-

- For additional information, see the Documentation/filesystems/mount_api.txt file in the kernel source tree. -

-

- (BZ#1622041) -

-
-

Discrepancy in vfat file system mtime no longer occurs

-

- With this update, the discrepancy in the vfat file system mtime between in-memory and on-disk write times is no longer present. - This discrepancy was caused by a difference between in-memory and on-disk mtime metadata, which no longer occurs. -

-
-

- (BZ#1533270) -

-
-

RHEL 8.4 now supports close_range() system - call

-

- With this update, the close_range() system call was backported to - RHEL 8.4. This system call closes all file descriptors in a given range effectively, preventing - timing problems which are present when closing a wide range of file descriptors sequentially if - applications configure very large limits. -

-
-

- (BZ#1900674) -

-
-

Support for user extended attributes through the NFSv4.2 protocol has been - added

-

- This update adds NFSV4.2 client-side and server-side support for user extended attributes (RFC - 8276) and newly includes the following protocol extensions: -

-
-

- New operations: -

-
-
    -
  • - - GETXATTR - get an extended attribute of a file -
  • -
  • - - SETXATTR - set an extended attribute of a file -
  • -
  • - - LISTXATTR - list extended attributes of a file -
  • -
  • - - REMOVEXATTR - remove an extended attribute of a file -
  • -
-
-

- New error codes: -

-
-
    -
  • - - NFS4ERR-NOXATTR - xattr does not - exist -
  • -
  • - - NFS4ERR_XATTR2BIG - xattr value - is too big -
  • -
-
-

- New attribute: -

-
-
    -
  • - - xattr_support - per-fs read-only attribute determines whether - xattrs are supported. When set to True, the object’s file system supports extended attributes. -
  • -
-
-

- (BZ#1888214) -

-
-
-
-
-
-

4.10. High availability and clusters

-
-
-
-
-

Noncritical resources in colocation constraints are now supported -

-

- With this enhancement, you can configure a colocation constraint such that if the dependent - resource of the constraint reaches its migration threshold for failure, Pacemaker will leave - that resource offline and keep the primary resource on its current node rather than attempting - to move both resources to another node. To support this behavior, colocation constraints now - have an influence option, which can be set to true or false, and resources have a - critical meta-attribute, which can also be set to true or false. The value of the critical resource meta option determines the default value of the - influence option for all colocation constraints involving the - resource as a dependent resource. -

-
-

- When the influence colocation constraint option has a value of true Pacemaker will attempt to keep both the primary and dependent - resource active. If the dependent resource reaches its migration threshold for failures, both - resources will move to another node, if possible. -

-

- When the influence colocation option has a value of false, Pacemaker will avoid moving the primary resource as a result of - the status of the dependent resource. In this case, if the dependent resource reaches its migration - threshold for failures, it will stop if the primary resource is active and can remain on its current - node. -

-

- By default, the value of the critical resource meta option is set to - true, which in turn determines that the default value of the influence option is true. This preserves the - previous behavior where Pacemaker attempted to keep both resources active. -

-

- (BZ#1371576) -

-
-

New number data type supported by Pacemaker - rules

-

- PCS now supports a data type of number, which you can use when - defining Pacemaker rules in any PCS command that accepts rules. Pacemaker rules implement number as a double-precision floating-point number and integer as a 64-bit integer. -

-
-

- (BZ#1869399) -

-
-

Ability to specify a custom clone ID when creating a clone resource or - promotable clone resource

-

- When you create a clone resource or a promotable clone resource, the clone resource is named - resource-id -clone by - default. If that ID is already in use, PCS adds the suffix -integer, starting with an integer value of 1 and incrementing by one for each additional clone. You can now - override this default by specifying a name for a clone resource ID or promotable clone resource - ID with the clone-id option when creating a clone - resource with the pcs resource create or the pcs resource clone command. For information on creating clone - resources, see Creating - cluster resources that are active on multiple nodes. -

-
-

- (BZ#1741056) -

-
-

New command to display Corosync configuration

-

- You can now print the contents of the corosync.conf file in several - output formats with the new pcs cluster config [show] command. By - default, the pcs cluster config command uses the text output format, which displays the Corosync configuration in a - human-readable form, with the same structure and option names as the pcs cluster setup and pcs cluster config update commands. -

-
-

- (BZ#1667066) -

-
-

New command to modify the Corosync configuration of an existing - cluster

-

- You can now modify the parameters of the corosync.conf file with - the new pcs cluster config update command. You can use this - command, for example, to increase the totem token to avoid fencing - during temporary system unresponsiveness. For information on modifying the corosync.conf file, see Modifying - the corosync.conf file with the pcs command. -

-
-

- (BZ#1667061) -

-
-

Enabling and disabling Corosync traffic encryption in an existing - cluster

-

- Previously, you could configure Corosync traffic encryption only when creating a new cluster. - With this update: -

-
-
-
    -
  • - You can change the configuration of the Corosync crypto cipher and hash with the pcs cluster config update command. -
  • -
  • - You can change the Corosync authkey with the pcs cluster authkey corosync command. -
  • -
-
-

- (BZ#1457314) -

-
-

New crypt resource agent for shared and - encrypted GFS2 file systems

-

- RHEL HA now supports a new crypt resource agent, which allows you - to configure a LUKS encrypted block device that can be used to provide shared and encrypted GFS2 - file systems. Using the crypt resource is currently supported only - with GFS2 file systems. For information on configuring an encrypted GFS2 file system, see Configuring - an encrypted GFS2 file system in a cluster. -

-
-

- (BZ#1471182) -

-
-
-
-
-
-

4.11. Dynamic programming languages, web and database servers

-
-
-
-
-

A new module: python39

-

- RHEL 8.4 introduces Python 3.9, provided by the new module python39 - and the ubi8/python-39 container image. -

-
-

- Notable enhancements compared to Python 3.8 include: -

-
-
    -
  • - The merge (|) and update (|=) - operators have been added to the dict class. -
  • -
  • - Methods to remove prefixes and suffixes have been added to strings. -
  • -
  • - Type hinting generics have been added to certain standard types, such as list and dict. -
  • -
  • - The IANA Time Zone Database is now available through the new zoneinfo module. -
  • -
-
-

- Python 3.9 and packages built for it can be installed in parallel with Python 3.8 and Python 3.6 on - the same system. -

-

- To install packages from the python39 module, use, for example: -

-
# yum install python39
-# yum install python39-pip
-

- The python39:3.9 module stream will be enabled automatically. -

-

- To run the interpreter, use, for example: -

-
$ python3.9
-$ python3.9 -m pip --help
-

- See Installing - and using Python for more information. -

-

- Note that Red Hat will continue to provide support for Python 3.6 until the end of life of RHEL 8. - Similarly to Python 3.8, Python 3.9 will have a shorter life cycle; see Red Hat - Enterprise Linux 8 Application Streams Life Cycle. -

-

- (BZ#1877430) -

-
-

Changes in the default separator for the Python urllib parsing functions

-

- To mitigate the Web - Cache Poisoning CVE-2021-23336 in the Python urllib - library, the default separator for the urllib.parse.parse_qsl and - urllib.parse.parse_qs functions is being changed from both - ampersand (&) and semicolon (;) to - only an ampersand. -

-
-

- This change has been implemented in Python 3.6 with the release of RHEL 8.4, and will be backported - to Python 3.8 and Python 2.7 in the following minor release of RHEL 8. -

-

- The change of the default separator is potentially backwards incompatible, therefore Red Hat - provides a way to configure the behavior in Python packages where the default separator has been - changed. In addition, the affected urllib parsing functions issue a - warning if they detect that a customer’s application has been affected by the change. -

-

- For more information, see the Mitigation of Web Cache Poisoning in the - Python urllib library (CVE-2021-23336). -

-

- Python 3.9 is unaffected and already includes the new default separator (&), which can be changed only by passing the separator parameter when - calling the urllib.parse.parse_qsl and urllib.parse.parse_qs functions in Python code. -

-

- (BZ#1935686, BZ#1928904) -

-
-

A new module stream: swig:4.0

-

- RHEL 8.4 introduces the Simplified Wrapper and Interface Generator (SWIG) version 4.0, available - as a new module stream, swig:4.0. -

-
-

- Notable changes over the previously released SWIG 3.0 include: -

-
-
    -
  • - The only supported Python versions are: 2.7 and 3.2 to 3.8. -
  • -
  • - The Python module has been improved: the generated code has - been simplified and most optimizations are now enabled by default. -
  • -
  • - Support for Ruby 2.7 has been added. -
  • -
  • - PHP 7 is now the only supported PHP version; support for PHP 5 has been removed. -
  • -
  • - Performance has been significantly improved when running SWIG - on large interface files. -
  • -
  • - Support for a command-line options file (also referred to as a response file) has been - added. -
  • -
  • - Support for JavaScript Node.js versions 2 to 10 has been added. -
  • -
  • - Support for Octave versions 4.4 to 5.1 has been added. -
  • -
-
-

- To install the swig:4.0 module stream, use: -

-
# yum module install swig:4.0
-

- If you want to upgrade from the swig:3.0 stream, see Switching - to a later stream. -

-

- For information about the length of support for the swig module - streams, see the Red Hat - Enterprise Linux 8 Application Streams Life Cycle. -

-

- (BZ#1853639) -

-
-

A new module stream: subversion:1.14 -

-

- RHEL 8.4 introduces a new module stream, subversion:1.14. Subversion 1.14 is the most recent Long Term Support (LTS) release. -

-
-

- Notable changes since Subversion 1.10 distributed in RHEL 8.0 include: -

-
-
    -
  • - Subversion 1.14 includes Python 3 - bindings for automation and integration of Subversion into the - customer’s build and release infrastructure. -
  • -
  • - A new svnadmin rev-size command enables users to determine the - total size of a revision. -
  • -
  • - A new svnadmin build-repcache command enables administrators to - populate the rep-cache database with missing entries. -
  • -
  • - A new experimental command has been added to provide an overview of the current working copy - status. -
  • -
  • - Various improvements to the svn log, svn info, and svn list commands have - been implemented. For example, svn list --human-readable now - uses human-readable units for file sizes. -
  • -
  • - Significant improvements to svn status for large working copies - have been made. -
  • -
-
-

- Compatibility information: -

-
-
    -
  • - Subversion 1.10 clients and servers interoperate with Subversion 1.14 servers and clients. However, certain features - might not be available unless both client and server are upgraded to the latest version. -
  • -
  • - Repositories created under Subversion 1.10 can be successfully - loaded in Subversion 1.14. -
  • -
  • - Subversion 1.14 distributed in RHEL 8 enables users to cache - passwords in plain text on the client side. This behaviour is the same as Subversion 1.10 but different from the upstream release of Subversion 1.14. -
  • -
  • - The experimental Shelving feature has been significantly - changed, and it is incompatible with shelves created in Subversion 1.10. See the upstream - documentation for details and upgrade instructions. -
  • -
  • - The interpretation of path-based authentication configurations with both global and - repository-specific rules has changed in Subversion 1.14. See - the upstream - documentation for details on affected configurations. -
  • -
-
-

- To install the subversion:1:14 module stream, use: -

-
# yum module install subversion:1.14
-

- If you want to upgrade from the subversion:1.10 stream, see Switching - to a later stream. -

-

- For information about the length of support for the subversion module - streams, see the Red Hat - Enterprise Linux 8 Application Streams Life Cycle. -

-

- (BZ#1844947) -

-
-

A new module stream: redis:6

-

- Redis 6, an advanced key-value store, is now available as a new - module stream, redis:6. -

-
-

- Notable changes over Redis 5 include: -

-
-
    -
  • - Redis now supports SSL on all channels. -
  • -
  • - Redis now supports Access Control List (ACL), which defines - user permissions for command calls and key pattern access. -
  • -
  • - Redis now supports a new RESP3 - protocol, which returns more semantical replies. -
  • -
  • - Redis can now optionally use threads to handle I/O. -
  • -
  • - Redis now offers server-side support for client-side caching of - key values. -
  • -
  • - The Redis active expire cycle has been improved to enable - faster eviction of expired keys. -
  • -
-
-

- Redis 6 is compatible with Redis 5, with - the exception of this backward incompatible change: -

-
-
    -
  • - When a set key does not exist, the SPOP <count> command - no longer returns null. In Redis 6, the command returns an - empty set in this scenario, similar to a situation when it is called with a 0 argument. -
  • -
-
-

- To install the redis:6 module stream, use: -

-
# yum module install redis:6
-

- If you want to upgrade from the redis:5 stream, see Switching - to a later stream. -

-

- For information about the length of support for the redis module - streams, see the Red Hat - Enterprise Linux 8 Application Streams Life Cycle. -

-

- (BZ#1862063) -

-
-

A new module stream: postgresql:13 -

-

- RHEL 8.4 introduces PostgreSQL 13, which provides a number of new - features and enhancements over version 12. Notable changes include: -

-
-
-
    -
  • - Performance improvements resulting from de-duplication of B-tree index entries -
  • -
  • - Improved performance for queries that use aggregates or partitioned tables -
  • -
  • - Improved query planning when using extended statistics -
  • -
  • - Parallelized vacuuming of indexes -
  • -
  • - Incremental sorting -
  • -
-
-

- Note that support for Just-In-Time (JIT) compilation, available in upstream since PostgreSQL 11, is not provided by the postgresql:13 module stream. -

-

- See also Using - PostgreSQL. -

-

- To install the postgresql:13 stream, use: -

-
# yum module install postgresql:13
-

- If you want to upgrade from an earlier postgresql stream within RHEL 8, - follow the procedure described in Switching - to a later stream and then migrate your PostgreSQL data as described in Migrating - to a RHEL 8 version of PostgreSQL. -

-

- For information about the length of support for the postgresql module - streams, see the Red Hat - Enterprise Linux 8 Application Streams Life Cycle. -

-

- (BZ#1855776) -

-
-

A new module stream: mariadb:10.5

-

- MariaDB 10.5 is now available as a new module stream, mariadb:10.5. Notable enhancements over the previously available - version 10.3 include: -

-
-
-
    -
  • - MariaDB now uses the unix_socket - authentication plug-in by default. The plug-in enables users to use operating system - credentials when connecting to MariaDB through the local Unix - socket file. -
  • -
  • - MariaDB supports a new FLUSH SSL - command to reload SSL certificates without a server restart. -
  • -
  • - MariaDB adds mariadb-* named - binaries and mysql* symbolic links pointing to the mariadb-* binaires. For example, the mysqladmin, mysqlaccess, and mysqlshow symlinks point to the mariadb-admin, mariadb-access, and - mariadb-show binaries, respectively. -
  • -
  • - MariaDB supports a new INET6 data - type for storing IPv6 addresses. -
  • -
  • - MariaDB now uses the Perl Compatible Regular Expressions (PCRE) - library version 2. -
  • -
  • - The SUPER privilege has been split into several privileges to - better align with each user role. As a result, certain statements have changed required - privileges. -
  • -
  • - MariaDB adds a new global variable, binlog_row_metadata, as well as system variables and status - variables to control the amount of metadata logged. -
  • -
  • - The default value of the eq_range_index_dive_limit variable has - been changed from 0 to 200. -
  • -
  • - A new SHUTDOWN WAIT FOR ALL SLAVES server command and a new - mysqladmin shutdown --wait-for-all-slaves option have been - added to instruct the server to shut down only after the last binlog event has been sent to - all connected replicas. -
  • -
  • - In parallel replication, the slave_parallel_mode variable now - defaults to optimistic. -
  • -
-
-

- The InnoDB storage engine introduces the following changes: -

-
-
    -
  • - InnoDB now supports an instant DROP COLUMN operation and enables users to change the column - order. -
  • -
  • - Defaults of the following variables have been changed: innodb_adaptive_hash_index to OFF - and innodb_checksum_algorithm to full_crc32. -
  • -
  • - Several InnoDB variables have been removed or deprecated. -
  • -
-
-

- MariaDB Galera Cluster has been upgraded to version 4 with the - following notable changes: -

-
-
    -
  • - Galera adds a new streaming replication feature, which supports - replicating transactions of unlimited size. During an execution of streaming replication, a - cluster replicates a transaction in small fragments. -
  • -
  • - Galera now fully supports Global Transaction ID (GTID). -
  • -
  • - The default value for the wsrep_on option in the /etc/my.cnf.d/galera.cnf file has changed from 1 to 0 to prevent end users from - starting wsrep replication without configuring required - additional options. -
  • -
-
-

- See also Using - MariaDB. -

-

- To install the mariadb:10.5 stream, use: -

-
# yum module install mariadb:10.5
-

- If you want to upgrade from the mariadb:10.3 module stream, see Upgrading - from MariaDB 10.3 to MariaDB 10.5. -

-

- For information about the length of support for the mariadb module - streams, see the Red Hat - Enterprise Linux 8 Application Streams Life Cycle. -

-

- (BZ#1855781) -

-
-

MariaDB 10.5 provides the PAM plug-in version - 2.0

-

- MariaDB 10.5 adds a new version of the Pluggable Authentication - Modules (PAM) plug-in. The PAM plug-in version 2.0 performs PAM authentication using a separate - setuid root helper binary, which enables MariaDB to utilize additional PAM modules. -

-
-

- In MariaDB 10.5, the Pluggable Authentication Modules (PAM) plug-in and - its related files have been moved to a new package, mariadb-pam. This - package contains both PAM plug-in versions: version 2.0 is the default, and version 1.0 is available - as the auth_pam_v1 shared object library. -

-

- Note that the mariadb-pam package is not installed by default with the - MariaDB server. To make the PAM authentication plug-in available in - MariaDB 10.5, install the mariadb-pam - package manually. -

-

- See also known issue PAM plug-in version 1.0 does not work - in MariaDB. -

-

- (BZ#1936842) -

-
-

A new package: mysql-selinux

-

- RHEL 8.4 adds a new mysql-selinux package that provides an SELinux - module with rules for the MariaDB and MySQL databases. The package is installed by default with the - database server. The module’s priority is set to 200. -

-
-

- (BZ#1895021) -

-
-

python-PyMySQL rebased to version - 0.10.1

-

- The python-PyMySQL package, which provides the pure-Python MySQL - client library, has been updated to version 0.10.1. The package is included in the python36, python38, and python39 modules. -

-
-

- Notable changes include: -

-
-
    -
  • - This update adds support for the ed25519 and caching_sha2_password authentication mechanisms. -
  • -
  • - The default character set in the python38 and python39 modules is utf8mb4, which - aligns with upstream. The python36 module preserves the default - latin1 character set to maintain compatibility with earlier - versions of this module. -
  • -
  • - In the python36 module, the /usr/lib/python3.6/site-packages/pymysql/tests/ directory is no - longer available. -
  • -
-
-

- (BZ#1820628, BZ#1885641) -

-
-

A new package: python3-pyodbc

-

- This update adds the python3-pyodbc package to RHEL 8. The pyodbc Python module provides access to Open Database Connectivity - (ODBC) databases. This module implements the Python DB API 2.0 specification and can be used - with third-party ODBC drivers. For example, you can now use the Performance Co-Pilot (pcp) to monitor performance of the SQL Server. -

-
-

- (BZ#1881490) -

-
-

A new package: micropipenv

-

- A new micropipenv package is now available. It provides a - lightweight wrapper for the pip package installer to support Pipenv and Poetry lock files. -

-
-

- Note that the micropipenv package is distributed in the AppStream - repository and is provided under the Compatibility level 4. For more information, see the Red Hat - Enterprise Linux 8 Application Compatibility Guide. -

-

- (BZ#1849096) -

-
-

New packages: py3c-devel and py3c-docs

-

- RHEL 8.4 introduces new py3c-devel and py3c-docs packages, which simplify porting C extensions to Python 3. - These packages include a detailed guide and a set of macros for easier porting. -

-
-

- Note that the py3c-devel and py3c-docs - packages are distributed through the unsupported CodeReady Linux Builder (CRB) repository. -

-

- (BZ#1841060) -

-
-

Enhanced ProxyRemote directive for configuring - httpd

-

- The ProxyRemote configuration directive in the Apache HTTP Server - has been enhanced to optionally take user name and password credentials. These credentials are - used for authenticating to the remote proxy using HTTP Basic - authentication. This feature has been backported from httpd 2.5. -

-
-

- (BZ#1869576) -

-
-

Non-end-entity certificates can be used with the SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath httpd - directives

-

- With this update, you can use non-end-entity (non-leaf) certificates, such as a Certificate - Authority (CA) or intermediate certificate, with the SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath configuration directives in the Apache - HTTP Server. The Apache HTTP server now treats such certificates as trusted CAs, as if they were - used with the SSLProxyMachineCertificateChainFile directive. - Previously, if non-end-entity certificates were used with the SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath directives, httpd failed to start with a configuration error. -

-
-

- (BZ#1883648) -

-
-

A new SecRemoteTimeout directive in the mod_security module

-

- Previously, you could not modify the default timeout for retrieving remote rules in the mod_security module for the Apache HTTP Server. With this update, you - can set a custom timeout in seconds using the new SecRemoteTimeout - configuration directive. -

-
-

- When the timeout has been reached, httpd now fails with an error - message Timeout was reached. Note that in this scenario, the error - message also contains Syntax error even if the configuration file is - syntactically valid. The httpd behavior upon timeout depends on the - value of the SecRemoteRulesFailAction configuration directive (the - default value is Abort). -

-

- (BZ#1824859) -

-
-

The mod_fcgid module can now pass up to 1024 - environment variables to an FCGI server process

-

- With this update, the mod_fcgid module for the Apache HTTP Server - can pass up to 1024 environment variables to a FastCGI (FCGI) server process. The previous limit - of 64 environment variables could cause applications running on the FCGI server to malfunction. -

-
-

- (BZ#1876525) -

-
-

perl-IO-String is now available in the - AppStream repository

-

- The perl-IO-String package, which provides the Perl IO::String module, is now distributed through the supported AppStream - repository. In previous releases of RHEL 8, the perl-IO-String - package was available in the unsupported CodeReady Linux Builder repository. -

-
-

- (BZ#1890998) -

-
-

A new package: quota-devel

-

- RHEL 8.4 introduces the quota-devel package, which provides header - files for implementing the quota Remote Procedure Call (RPC) - service. -

-
-

- Note that the quota-devel package is distributed through the - unsupported CodeReady Linux - Builder (CRB) repository. -

-

- (BZ#1868671) -

-
-
-
-
-
-

4.12. Compilers and development tools

-
-
-
-
-

The glibc library now supports glibc-hwcaps subdirectories for loading optimized shared library - implementations

-

- On certain architectures, hardware upgrades sometimes caused glibc - to load libraries with baseline optimizations, rather than optimized libraries for the previous - hardware generation. Additionally, when running on AMD CPUs, optimized libraries were not loaded - at all. -

-
-

- With this enhancement, glibc supports locating optimized library - implementations in the glibc-hwcaps subdirectories. The dynamic loader - checks for library files in the sub-directories based on the CPU in use and its hardware - capabilities. This feature is available on following architectures: IBM Power Systems (little - endian), IBM Z, 64-bit AMD and Intel. -

-

- (BZ#1817513) -

-
-

The glibc dynamic loader now activates - selected audit modules at run time

-

- Previously, the binutils link editor ld supported the --audit option to - select audit modules for activation at run time, but the glibc - dynamic loader ignored the request. With this update, the glib - dynamic loader no longer ignores the request, and loads the indicated audit modules. As a - result, it is possible to activate audit modules for specific programs without writing wrapper - scripts or using similar mechanisms. -

-
-

- (BZ#1871385) -

-
-

glibc now provides improved performance on IBM - POWER9

-

- This update introduces new implementations of the functions strlen, - strcpy, stpcpy, and rawmemchr for IBM POWER9. As a result, these functions now execute - faster on IBM POWER9 hardware which leads to performance gains. -

-
-

- (BZ#1871387) -

-
-

Optimized performance of memcpy and memset on IBM Z

-

- With this enhancement, the core library implementation for the memcpy and memset APIs were adjusted to - accelerate both small (< 64KiB) and larger data copies on IBM Z processors. As a result, - applications working with in-memory data now benefit from significantly improved performance - across a wide variety of workloads. -

-
-

- (BZ#1871395) -

-
-

GCC now supports the ARMv8.1 LSE atomic instructions

-

- With this enhancement, the GCC compiler now supports Large System Extensions (LSE), atomic - instructions added with the ARMv8.1 specification. These instructions provide better performance - in multi-threaded applications than the ARMv8.0 Load-Exclusive and Store-Exclusive instructions. -

-
-

- (BZ#1821994) -

-
-

GCC now emits vector alignment hints for certain IBM Z systems

-

- This update enables the GCC compiler to emit vector load and store alignment hints for IBM z13 - processors. To use this enhancement the assembler must support such hints. As a result, users - now benefit from improved performance of certain vector operations. -

-
-

- (BZ#1850498) -

-
-

Dyninst rebased to version 10.2.1

-

- The Dyninst binary analysis and modification tool has been updated to version 10.2.1. Notable - bug fixes and enhancements include: -

-
-
-
    -
  • - Support for the elfutils debuginfod client library. -
  • -
  • - Improved parallel binary code analysis. -
  • -
  • - Improved analysis and instrumentation of large binaries. -
  • -
-
-

- (BZ#1892001) -

-
-

elfutils rebased to version 0.182

-

- The elfutils package has been updated to version 0.182. Notable bug - fixes and enhancements include: -

-
-
-
    -
  • - Recognizes the DW_CFA_AARCH64_negate_ra_state instruction. When - Pointer Authentication Code (PAC) is not enabled, you can use DW_CFA_AARCH64_negate_ra_state to unwind code that is compiled - for PAC on the 64-bit ARM architecture. -
  • -
  • - elf_update now fixes bad sh_addralign values in sections that have set the SHF_COMPRESSED flag. -
  • -
  • - debuginfod-client now supports kernel ELF images compressed - with ZSTD. -
  • -
  • - debuginfod has a more efficient package traversal, tolerating - various errors during scanning. The grooming process is more visible and interruptible, and - provides more Prometheus metrics. -
  • -
-
-

- (BZ#1875318) -

-
-

SystemTap rebased to version 4.4

-

- The SystemTap instrumentation tool has been updated to version 4.4, which provides multiple bug - fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Performance and stability improvements to user-space probing. -
  • -
  • - Users can now access implicit thread local storage variables on these architectures: AMD64, - Intel 64, IBM Z, the little-endian variant of IBM Power Systems. -
  • -
  • - Initial support for processing of floating point values. -
  • -
  • - Improved concurrency for scripts using global variables. The locks required to protect - concurrent access to global variables have been optimized so that they span the smallest - possible critical region. -
  • -
  • - New syntax for defining aliases with both a prologue and an epilogue. -
  • -
  • - New @probewrite predicate. -
  • -
  • - syscall arguments are writable again. -
  • -
-
-

- For further information about notable changes, read the upstream release notes - before updating. -

-

- (BZ#1875341) -

-
-

Valgrind now supports IBM z14 instructions

-

- With this update, the Valgrind tool suite supports instructions for the IBM z14 processor. As a - result, you can now use the Valgrind tools to debug programs using the z14 vector instructions - and the miscellaneous z14 instruction set. -

-
-

- (BZ#1504123) -

-
-

CMake rebased to version 3.18.2

-

- The CMake build system has been upgraded from version 3.11.4 to version 3.18.2. It is available - in RHEL 8.4 as the cmake-3.18.2-8.el8 package. -

-
-

- To use CMake on a project that requires the version 3.18.2 or less, use the command cmake_minimum_required(version x.y.z). -

-

- For further information on new features and deprecated functionalities, see the CMake Release Notes. -

-

- (BZ#1816874) -

-
-

libmpc rebased to version 1.1.0

-

- The libmpc package has been rebased to version 1.1.0, which - provides several enhancements and bug fixes over the previous version. For details, see GNU MPC 1.1.0 release - notes. -

-
-

- (BZ#1835193) -

-
-

Updated GCC Toolset 10

-

- GCC Toolset 10 is a compiler toolset that provides recent versions of development tools. It is - available as an Application Stream in the form of a Software Collection in the AppStream repository. -

-
-

- Notable changes introduced with RHEL 8.4 include: -

-
-
    -
  • - The GCC compiler has been updated to the upstream version, which provides multiple bug - fixes. -
  • -
  • - elfutils has been updated to version 0.182. -
  • -
  • - Dyninst has been updated to version 10.2.1. -
  • -
  • - SystemTap has been updated to version 4.4. -
  • -
-
-

- The following tools and versions are provided by GCC Toolset 10: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 10.2.1 -

-
-

- GDB -

-
-

- 9.2 -

-
-

- Valgrind -

-
-

- 3.16.0 -

-
-

- SystemTap -

-
-

- 4.4 -

-
-

- Dyninst -

-
-

- 10.2.1 -

-
-

- binutils -

-
-

- 2.35 -

-
-

- elfutils -

-
-

- 0.182 -

-
-

- dwz -

-
-

- 0.12 -

-
-

- make -

-
-

- 4.2.1 -

-
-

- strace -

-
-

- 5.7 -

-
-

- ltrace -

-
-

- 0.7.91 -

-
-

- annobin -

-
-

- 9.29 -

-
-
-

- To install GCC Toolset 10, run the following command as root: -

-
# yum install gcc-toolset-10
-

- To run a tool from GCC Toolset 10: -

-
$ scl enable gcc-toolset-10 tool
-

- To run a shell session where tool versions from GCC Toolset 10 override system versions of these - tools: -

-
$ scl enable gcc-toolset-10 bash
-

- For more information, see Using - GCC Toolset. -

-

- The GCC Toolset 10 components are available in the two container images: -

-
-
    -
  • - rhel8/gcc-toolset-10-toolchain, which includes the GCC - compiler, the GDB debugger, and the make automation tool. -
  • -
  • - rhel8/gcc-toolset-10-perftools, which includes the performance - monitoring tools, such as SystemTap and Valgrind. -
  • -
-
-

- To pull a container image, run the following command as root: -

-
# podman pull registry.redhat.io/<image_name>
-

- Note that only the GCC Toolset 10 container images are now supported. Container images of earlier - GCC Toolset versions are deprecated. -

-

- For details regarding the container images, see Using - the GCC Toolset container images. -

-

- (BZ#1918055) -

-
-

GCC Toolset 10: GCC now supports bfloat16

-

- In GCC Toolset 10, the GCC compiler now supports the bfloat16 - extension through ACLE Intrinsics. This enhancement provides high-performance computing. -

-
-

- (BZ#1656139) -

-
-

GCC Toolset 10: GCC now supports ENQCMD and - ENQCMDS instructions on Intel Sapphire Rapids - processors

-

- In GCC Toolset 10, the GNU Compiler Collection (GCC) now supports the ENQCMD and ENQCMDS instructions, which - you can use to submit work descriptors to devices automatically. To apply this enhancement, run - GCC with the -menqcmd option. -

-
-

- (BZ#1891998) -

-
-

GCC Toolset 10: Dyninst rebased to version 10.2.1

-

- In GCC Toolset 10, the Dyninst binary analysis and modification tool has been updated to version - 10.2.1. Notable bug fixes and enhancements include: -

-
-
-
    -
  • - Support for the elfutils debuginfod client library. -
  • -
  • - Improved parallel binary code analysis. -
  • -
  • - Improved analysis and instrumentation of large binaries. -
  • -
-
-

- (BZ#1892007) -

-
-

GCC Toolset 10: elfutils rebased to version - 0.182

-

- In GCC Toolset 10, the elfutils package has been updated to version - 0.182. Notable bug fixes and enhancements include: -

-
-
-
    -
  • - Recognizes the DW_CFA_AARCH64_negate_ra_state instruction. When - Pointer Authentication Code (PAC) is not enabled, you can use DW_CFA_AARCH64_negate_ra_state to unwind code that is compiled - for PAC on the 64-bit ARM architecture. -
  • -
  • - elf_update now fixes bad sh_addralign values in sections that have set the SHF_COMPRESSED flag. -
  • -
  • - debuginfod-client now supports kernel ELF images compressed - with ZSTD. -
  • -
  • - debuginfod has a more efficient package traversal, tolerating - various errors during scanning. The grooming process is more visible and interruptible, and - provides more Prometheus metrics. -
  • -
-
-

- (BZ#1879758) -

-
-

Go Toolset rebased to version 1.15.7

-

- Go Toolset has been upgraded to 1.15.7. Notable enhancements include: -

-
-
-
    -
  • - Linking is now faster and requires less memory due to the newly implemented object file - format and increased concurrency of internal phases. With this enhancement, internal linking - is now the default. To disable this setting, use the compiler flag -ldflags=-linkmode=external. -
  • -
  • - Allocating small objects has been improved for high core counts, including worst-case - latency. -
  • -
  • - Treating the CommonName field on X.509 certificates as a host - name when no Subject Alternative Names are specified is now - disabled by default. To enable it, add the value x509ignoreCN=0 - to the GODEBUG environment variable. -
  • -
  • - GOPROXY now supports skipping proxies that return errors. -
  • -
  • - Go now includes the new package time/tzdata. It enables you to - embed the timezone database into a program even if the timezone database is not available on - your local system. -
  • -
-
-

- For more information on Go Toolset, go to Using Go - Toolset. -

-

- (BZ#1870531) -

-
-

Rust Toolset rebased to version 1.49.0

-

- Rust Toolset has been updated to version 1.49.0. Notable changes include: -

-
-
-
    -
  • - You can now use the path of a rustdoc page item to link to it in rustdoc. -
  • -
  • - The rust test framework now hides thread output. Output of failed tests still show in the - terminal. -
  • -
  • - You can now use [T; N]: TryFrom<Vec<T>> to turn a - vector into an array of any length. -
  • -
  • -

    - You can now use slice::select_nth_unstable to perform - ordered partitioning. This function is also available with the following variants: -

    -
    -
      -
    • - slice::select_nth_unstable_by provides a comparator - function. -
    • -
    • - slice::select_nth_unstable_by_key provides a key - extraction function. -
    • -
    -
    -
  • -
  • - You can now use ManuallyDrop as the type of a union field. It - is also possible to use impl Drop for Union to add the Drop - trait to existing unions. This makes it possible to define unions where certain fields need - to be dropped manually. -
  • -
  • - Container images for Rust Toolset have been deprecated and Rust Toolset has been added to - the Universal Base Images (UBI) repositories. -
  • -
-
-

- For further information, see Using Rust - Toolset. -

-

- (BZ#1896712) -

-
-

LLVM Toolset rebased to version 11.0.0

-

- LLVM Toolset has been upgraded to version 11.0.0. Notable changes include: -

-
-
-
    -
  • - Support for the -fstack-clash-protection command-line option - has been added to the AMD and Intel 64-bit architectures, IBM Power Systems, Little Endian, - and IBM Z. This new compiler flag protects from stack-clash attacks by automatically - checking each stack page. -
  • -
  • - The new compiler flag ffp-exception-behavior={ignore,maytrap,strict} enables the - specification of floating-point exception behavior. The default setting is ignore. -
  • -
  • - The new compiler flag ffp-model={precise,strict,fast} allows - the simplification of single purpose floating-point options. The default setting is precise. -
  • -
  • - The new compiler flag -fno-common is now enabled by default. - With this enhancement, code written in C using tentative variable definitions in multiple - translation units now triggers multiple-definition linker errors. To disable this setting, - use the -fcommon flag. -
  • -
  • - Container images for LLVM Toolset have been deprecated and LLVM Toolset has been added to - the Universal Base Images (UBI) repositories. -
  • -
-
-

- For more information, see Using LLVM - Toolset. -

-

- (BZ#1892716) -

-
-

pcp rebased to version 5.2.5

-

- The pcp package has been upgraded to version 5.2.5. Notable changes - include: -

-
-
-
    -
  • - SQL Server metrics support via a secure connection. -
  • -
  • - eBPF/BCC netproc module with per-process network metrics. -
  • -
  • - pmdaperfevent(1) support for the hv_24x7 core-level and hv_gpci event - metrics. -
  • -
  • - New Linux process accounting metrics, Linux ZFS metrics, Linux XFS metric, Linux kernel - socket metrics, Linux multipath TCP metrics, Linux memory and ZRAM metrics, and S.M.A.R.T. - metric support for NVM Express disks. -
  • -
  • - New pcp-htop(1) utility to visualize the system and process - metrics. -
  • -
  • - New pmrepconf(1) utility to generate the pmrep/pcp2xxx - configurations. -
  • -
  • - New pmiectl(1) utility for controlling the pmie services. -
  • -
  • - New pmlogctl(1) utility for controlling the pmlogger services. -
  • -
  • - New pmlogpaste(1) utility for writing log string metrics. -
  • -
  • - New pcp-atop(1) utility to process accounting statistics and - per-process network statistics reporting. -
  • -
  • - New pmseries(1) utility to query functions, language - extensions, and REST API. -
  • -
  • - New pmie(1) rules for detecting OOM kills and socket connection - saturation. -
  • -
  • - Bug fixes in the pcp-atopsar(1), pcp-free(1), pcp-dstat(1), pmlogger(1), and pmchart(1) - utilities. -
  • -
  • - REST API and C API support for per-context derived metrics. -
  • -
  • - Improved OpenMetrics metric metadata (units, semantics). -
  • -
  • - Rearranged installed /var file system layouts extensively. -
  • -
-
-

- (BZ#1854035) -

-
-

Accessing remote hosts through a central pmproxy for the Vector data source in grafana-pcp

-

- In some environments, the network policy does not allow connections from the dashboard viewer’s - browser to the monitored hosts directly. This update makes it possible to customize the hostspec in order to connect to a central pmproxy, which forwards the requests to the individual hosts. -

-
-

- (BZ#1845592) -

-
-

grafana rebased to version 7.3.6

-

- The grafana package has been upgraded to version 7.3.6. Notable - changes include: -

-
-
-
    -
  • - New panel editor and new data transformations feature -
  • -
  • - Improved time zone support -
  • -
  • - Default provisioning path now changed from the /usr/share/grafana/conf/provisioning to the /etc/grafana/provisioning directory. You can configure this - setting in the /etc/grafana/grafana.ini configuration file. -
  • -
-
-

- For more information, see What’s New in Grafana - v7.0, What’s New in Grafana - v7.1, What’s New in Grafana - v7.2, and What’s New in Grafana - v7.3. -

-

- (BZ#1850471) -

-
-

grafana-pcp rebased to version 3.0.2 -

-

- The grafana-pcp package has been upgraded to version 3.0.2. Notable - changes include: -

-
-
-
    -
  • -

    - Redis: -

    -
    -
      -
    • - Supports creating an alert in Grafana. -
    • -
    • - Using the label_values(metric, label) in a Grafana - variable query is deprecated due to performance reasons. The label_values(label) query is still supported. -
    • -
    -
    -
  • -
  • -

    - Vector: -

    -
    -
      -
    • - Supports derived metrics, which allows the usage of arithmetic operators and - statistical functions inside a query. For more information, see the pmRegisterDerived(3) man page. -
    • -
    • - Configurable hostspec, where you can access remote Performance Metrics Collector - Daemon (PMCDs) through a central pmproxy. -
    • -
    • - Automatically configures the unit of the panel. -
    • -
    -
    -
  • -
  • -

    - Dashboards: -

    -
    -
      -
    • - Detects potential performance issues and shows possible solutions with the - checklist dashboards, using the Utilization Saturation and Errors (USE) method. -
    • -
    • - New MS SQL server dashboard, eBPF/BCC dashboard, - and container overview dashboard with the CGroups v2. -
    • -
    • - All dashboards are now located in the Dashboards tab in the Datasource settings pages and - are not imported automatically. -
    • -
    -
    -
  • -
-
-

- Upgrade notes: -

-

- Update the Grafana configuration file: -

-
-
    -
  1. -

    - Edit the /etc/grafana/grafana.ini Grafana configuration - file and make sure that the following option is set: -

    -
    allow_loading_unsigned_plugins = pcp-redis-datasource
    -
  2. -
  3. -

    - Restart the Grafana server: -

    -
    # systemctl restart grafana-server
    -
  4. -
-
-

- (BZ#1854093) -

-
-

Active Directory authentication for accessing SQL Server metrics in - PCP

-

- With this update, a system administrator can configure pmdamssql(1) - to connect securely to the SQL Server metrics using Active Directory (AD) authentication. -

-
-

- (BZ#1847808) -

-
-

grafana-container rebased to version - 7.3.6

-

- The rhel8/grafana container image provides Grafana. Grafana is an - open source utility with metrics dashboard, and graphic editor for Graphite, Elasticsearch, - OpenTSDB, Prometheus, InfluxDB, and Performance Co-Pilot (PCP). The grafana-container package has been upgraded to version 7.3.6. Notable - changes include: -

-
-
-
    -
  • - The grafana package is now updated to version 7.3.6. -
  • -
  • - The grafana-pcp package is now updated to version 3.0.2. -
  • -
-
-

- The rebase updates the rhel8/grafana image in the Red Hat Container - Registry. -

-

- To pull this container image, execute the following command: -

-
# podman pull registry.redhat.io/rhel8/grafana
-

- (BZ#1916154) -

-
-

pcp-container rebased to version - 5.2.5

-

- The rhel8/pcp container image provides Performance Co-Pilot, which - is a system performance analysis toolkit. The pcp-container package - has been upgraded to version 5.2.5. Notable changes include: -

-
-
-
    -
  • - The pcp package is now updated to version 5.2.5. -
  • -
  • - Introduced a new PCP_SERVICES environment variable, which - specifies a comma-separated list of PCP services to start inside the container. -
  • -
-
-

- The rebase updates the rhel8/pcp image in the Red Hat Container - Registry. -

-

- To pull this container image, execute the following command: -

-
# podman pull registry.redhat.io/rhel8/pcp
-

- (BZ#1916155) -

-
-

JDK Mission Control rebased to version 8.0.0

-

- The JDK Mission Control (JMC) profiler for HotSpot JVMs, provided by the jmc:rhel8 module stream, has been upgraded to version 8.0.0. Notable - enhancements include: -

-
-
-
    -
  • - The Treemap viewer has been added to the JOverflow plug-in for visualizing memory usage by classes. -
  • -
  • - The Threads graph has been enhanced with more filtering and - zoom options. -
  • -
  • - JDK Mission Control now provides support for opening JDK Flight Recorder recordings - compressed with the LZ4 algorithm. -
  • -
  • - New columns have been added to the Memory and TLAB views to help you identify areas of allocation pressure. -
  • -
  • - Graph view has been added to improve visualization of stack - traces. -
  • -
  • - The Percentage column has been added to histogram tables. -
  • -
-
-

- JMC in RHEL 8 requires JDK version 8 or later to run. Target Java applications must run with at - least OpenJDK version 8 so that JMC can access JDK Flight Recorder features. -

-

- The jmc:rhel8 module stream has two profiles: -

-
-
    -
  • - The common profile, which installs the entire JMC application -
  • -
  • - The core profile, which installs only the core Java libraries - (jmc-core) -
  • -
-
-

- To install the common profile of the jmc:rhel8 module stream, use: -

-
# yum module install jmc:rhel8/common
-

- Change the profile name to core to install only the jmc-core package. -

-

- (BZ#1919283) -

-
-
-
-
-
-

4.13. Identity Management

-
-
-
-
-

Making Identity Management more inclusive

-

- Red Hat is committed to using conscious language. -

-
-

- In Identity Management, planned terminology replacements include: -

-
-
    -
  • - block - list replaces blacklist -
  • -
  • - allow - list replaces whitelist -
  • -
  • - secondary replaces slave -
  • -
  • -

    - The word master is going to be replaced with more - precise language, depending on the context: -

    -
    -
      -
    • - IdM - server replaces IdM master -
    • -
    • - CA renewal - server replaces CA renewal master -
    • -
    • - CRL publisher - server replaces CRL master -
    • -
    • - multi-supplier - replaces multi-master -
    • -
    -
    -
  • -
-
-

- (JIRA:RHELPLAN-73418) -

-
-

The dsidm utility supports renaming and moving - entries

-

- With this enhancement, you can use the dsidm utility to rename and - move users, groups, POSIX groups, roles, and organizational units (OU) in Directory Server. For - further details and examples, see the Renaming - Users, Groups, POSIX Groups, and OUs section in the Directory Server Administration - Guide. -

-
-

- (BZ#1859218) -

-
-

Deleting Sub-CAs in IdM

-

- With this enhancement, if you run the ipa ca-del command and have - not disabled the Sub-CA, an error indicates the Sub-CA cannot be deleted and it must be - disabled. First run the ipa ca-disable command to disable the - Sub-CA and then delete it using the ipa ca-del command. -

-
-

- Note that you cannot disable or delete the IdM CA. -

-

- (JIRA:RHELPLAN-63081) -

-
-

IdM now supports new Ansible management role and modules

-

- RHEL 8.4 provides Ansible modules for automated management of role-based access control (RBAC) - in Identity Management (IdM), an Ansible role for backing up and restoring IdM servers, and an - Ansible module for location management: -

-
-
-
    -
  • - You can use the ipapermission module to create, modify, and - delete permissions and permission members in IdM RBAC. -
  • -
  • - You can use the ipaprivilege module to create, modify, and - delete privileges and privilege members in IdM RBAC. -
  • -
  • - You can use the iparole module to create, modify, and delete - roles and role members in IdM RBAC. -
  • -
  • - You can use the ipadelegation module to delegate permissions - over users in IdM RBAC. -
  • -
  • - You can use the ipaselfservice module to create, modify, and - delete self-service access rules in IdM. -
  • -
  • - You can use the ipabackup role to create, copy, and remove IdM - server backups and restore an IdM server either locally or from the control node. -
  • -
  • - You can use the ipalocation module to ensure the presence or - absence of the physical locations of hosts, such as their data center racks. -
  • -
-
-

- (JIRA:RHELPLAN-72660) -

-
-

IdM in FIPS mode now supports a cross-forest trust with AD

-

- With this enhancement, administrators can establish a cross-forest trust between an IdM domain - with FIPS mode enabled and an Active Directory (AD) domain. Note that you cannot establish a - trust using a shared secret while FIPS mode is enabled in IdM, see FIPS - compliance. -

-
-

- (JIRA:RHELPLAN-58629) -

-
-

AD users can now log in to IdM with UPN suffixes subordinate to known UPN - suffixes

-

- Previously, Active Directory (AD) users could not log into Identity Management (IdM) with a - Universal Principal Name (UPN) (for example, sub1.ad-example.com) - that is a subdomain of a known UPN suffix (for example, ad-example.com) because internal Samba processes filtered subdomains - as duplicates of any Top Level Names (TLNs). This update validates UPNs by testing if they are - subordinate to the known UPN suffixes. As a result, users can now log in using subordinate UPN - suffixes in the described scenario. -

-
-

- (BZ#1891056) -

-
-

IdM now supports new password policy options

-

- With this update, Identity Management (IdM) supports additional libpwquality library options: -

-
-
-
-
--maxrepeat
-
- Specifies the maximum number of the same character in sequence. -
-
--maxsequence
-
- Specifies the maximum length of monotonic character sequences (abcd). -
-
--dictcheck
-
- Checks if the password is a dictionary word. -
-
--usercheck
-
- Checks if the password contains the username. -
-
-
-

- If any of the new password policy options are set, then the minimum length of passwords is 6 - characters regardless of the value of the --minlength option. The new - password policy settings are applied only to new passwords. -

-

- In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced - only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM - client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password - policy requirements set by the system administrator will not be applied. To ensure consistent - behavior, upgrade or update all servers to RHEL 8.4 and later. -

-

- (BZ#1340463) -

-
-

Improved Active Directory site discovery process

-

- The SSSD service now discovers Active Directory sites in parallel over connection-less LDAP - (CLDAP) to multiple domain controllers to speed up site discovery in situations where some - domain controllers are unreachable. Previously, site discovery was performed sequentially and, - in situations where domain controllers were unreachable, a timeout eventually occurred and SSSD - went offline. -

-
-

- (BZ#1819012) -

-
-

The default value of nsslapd-nagle has been - turned off to increase the throughput

-

- Previously, the nsslapd-nagle parameter in the cn=config entry was enabled by default. As a consequence, Directory - Server performed a high number of setsocketopt system calls which - slowed down the server. This update changes the default value of nsslapd-nagle to off. As a result, - Directory Server performs a lower number of setsocketopt system - calls and can handle a higher number of operations per second. -

-
-

- (BZ#1996076) -

-
-

Enabling or disabling SSSD domains within the [domain] section of the - sssd.conf file

-

- With this update, you can now enable or disable an SSSD domain by modifying its respective [domain] section in the sssd.conf file. -

-
-

- Previously, if your SSSD configuration contained a standalone domain, you still had to modify the - domains option in the [sssd] section of - the sssd.conf file. This update allows you to set the enabled= option in the domain configuration to true or false. -

-
-
    -
  • - Setting the enabled option to true enables a domain, even if it - is not listed under the domains option in the [sssd] section of the sssd.conf - file. -
  • -
  • - Setting the enabled option to false disables a domain, even if - it is listed under the domains option in the [sssd] section of the sssd.conf - file. -
  • -
  • - If the enabled option is not set, the configuration in the - domains option in the [sssd] - section of the sssd.conf is used. -
  • -
-
-

- (BZ#1884196) -

-
-

Added an option to manually control the maximum offline timeout -

-

- The offline_timeout period determines the time incrementation - between attempts by SSSD to go back online. Previously, the maximum possible value for this - interval was hardcoded to 3600 seconds, which was adequate for general usage but resulted in - issues in fast or slow changing environments. -

-
-

- This update adds the offline_timeout_max option to manually control the - maximum length of each interval, allowing you more flexibility to track the server behavior in SSSD. -

-

- Note that you should set this value in correlation to the offline_timeout parameter value. A value of 0 disables the incrementing - behavior. -

-

- (BZ#1884213) -

-
-

Support for exclude_users and exclude_groups with scope=all in - SSSD session recording configuration

-

- Red Hat Enterprise 8.4 now provides new SSSD options for defining session recording for large - lists of groups or users: -

-
-
-
    -
  1. -

    - exclude_users -

    -

    - A comma-separated list of users to be excluded from recording, only applicable with the - scope=all configuration option. -

    -
  2. -
  3. -

    - exclude_groups -

    -

    - A comma-separated list of groups, members of which should be excluded from recording. - Only applicable with the scope=all configuration option. -

    -
  4. -
-
-

- For more information, refer to the sssd-session-recording man page. -

-

- (BZ#1784459) -

-
-

samba rebased to version - 4.13.2

-

- The samba packages have been upgraded to upstream version - 4.13.2, which provides a number of bug fixes and enhancements over the previous version: -

-
-
-
    -
  • - To avoid a security issue that allows unauthenticated users to take over a domain using the - netlogon protocol, ensure that your Samba servers use the - default value (yes) of the server schannel parameter. To verify, use the testparm -v | grep 'server schannel' command. For further - details, see CVE-2020-1472. -
  • -
  • - The Samba "wide - links" feature has been converted to a VFS module. -
  • -
  • - Running Samba as a PDC or BDC is - deprecated. -
  • -
  • -

    - You can now use Samba on RHEL with FIPS mode enabled. Due to the restrictions of the - FIPS mode: -

    -
    -
      -
    • - You cannot use NT LAN Manager (NTLM) authentication because the RC4 cipher is - blocked. -
    • -
    • - By default in FIPS mode, Samba client utilities use Kerberos authentication with - AES ciphers. -
    • -
    • - You can use Samba as a domain member only in Active Directory (AD) or Red Hat - Identity Management (IdM) environments with Kerberos authentication that uses - AES ciphers. Note that Red Hat continues supporting the primary domain - controller (PDC) functionality IdM uses in the background. -
    • -
    -
    -
  • -
  • -

    - The following parameters for less-secure authentication methods, which are only usable - over the server message block version 1 (SMB1) protocol, are now deprecated: -

    -
    -
      -
    • - client plaintext auth -
    • -
    • - client NTLMv2 auth -
    • -
    • - client lanman auth -
    • -
    • - client use spnego -
    • -
    -
    -
  • -
  • - An issue with the GlusterFS write-behind performance translator, when used with Samba, has - been fixed to avoid data corruption. -
  • -
  • - The minimum runtime support is now Python 3.6. -
  • -
  • - The deprecated ldap ssl ads parameter has been removed. -
  • -
-
-

- Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting Samba. - Note that Red Hat does not support downgrading tdb database files. -

-

- For further information about notable changes, read the upstream release notes before - updating. -

-

- (BZ#1878109) -

-
-

New GSSAPI PAM module for passwordless sudo - authentication with SSSD

-

- With the new pam_sss_gss.so Pluggable Authentication Module (PAM), - you can configure the System Security Services Daemon (SSSD) to authenticate users to PAM-aware - services with the Generic Security Service Application Programming Interface (GSSAPI). -

-
-

- For example, you can use this module for passwordless sudo - authentication with a Kerberos ticket. For additional security in an IdM environment, you can - configure SSSD to grant access only to users with specific authentication indicators in their - tickets, such as users that have authenticated with a smart card or a one-time password. -

-

- For additional information, see Granting - sudo access to an IdM user on an IdM client. -

-

- (BZ#1893698) -

-
-

Directory Server rebased to version 1.4.3.16

-

- The 389-ds-base packages have been upgraded to upstream version - 1.4.3.16, which provides a number of bug fixes and enhancements over the previous version. For a - complete list of notable changes, read the upstream release notes before updating: -

-
- -

- (BZ#1862529) -

-
-

Directory Server now logs the work and operation time in RESULT entries

-

- With this update, Directory Server now logs two additional time values in RESULT entries in the /var/log/dirsrv/slapd-<instance_name>/access file: -

-
-
-
    -
  • - The wtime value indicates how long it took for an operation to - move from the work queue to a worker thread. -
  • -
  • - The optime value shows the time the actual operation took to be - completed once a worker thread started the operation. -
  • -
-
-

- The new values provide additional information about how the Directory Server handles load and - processes operations. -

-

- For further details, see the Access - Log Reference section in the Red Hat Directory Server Configuration, Command, and File - Reference. -

-

- (BZ#1850275) -

-
-

Directory Server can now reject internal unindexed searches

-

- This enhancement adds the nsslapd-require-internalop-index - parameter to the cn=<database_name>,cn=ldbm database,cn=plugins,cn=config - entry to reject internal unindexed searches. When a plug-in modifies data, it has a write lock - on the database. On large databases, if a plug-in then executes an unindexed search, the plug-in - sometimes uses all database locks, which corrupts the database or causes the server to become - unresponsive. To avoid this problem, you can now reject internal unindexed searches by enabling - the nsslapd-require-internalop-index parameter. -

-
-

- (BZ#1851975) -

-
-
-
-
-
-

4.14. Desktop

-
-
-
-
-

You can configure the unresponsive application timeout in GNOME -

-

- GNOME periodically sends a signal to every application to detect if the application is - unresponsive. When GNOME detects an unresponsive application, it displays a dialog over the - application window that asks if you want to stop the application or wait. -

-
-

- Certain applications cannot respond to the signal in time. As a consequence, GNOME displays the - dialog even when the application is working properly. -

-

- With this update, you can configure the time between the signals. The setting is stored in the org.gnome.mutter.check-alive-timeout GSettings key. To completely disable - the unresponsive application detection, set the key to 0. -

-

- For details on configuring a GSettings key, see Working - with GSettings keys on command line. -

-

- (BZ#1886034) -

-
-
-
-
-
-

4.15. Graphics infrastructures

-
-
-
-
-

Intel Tiger Lake GPUs are now supported

-

- This release adds support for the Intel Tiger Lake CPU microarchitecture with integrated - graphics. This includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following - CPU models: -

-
-
-
    -
  • - Intel Core i7-1160G7 -
  • -
  • - Intel Core i7-1185G7 -
  • -
  • - Intel Core i7-1165G7 -
  • -
  • - Intel Core i7-1165G7 -
  • -
  • - Intel Core i7-1185G7E -
  • -
  • - Intel Core i7-1185GRE -
  • -
  • - Intel Core i7-11375H -
  • -
  • - Intel Core i7-11370H -
  • -
  • - Intel Core i7-1180G7 -
  • -
  • - Intel Core i5-1130G7 -
  • -
  • - Intel Core i5-1135G7 -
  • -
  • - Intel Core i5-1135G7 -
  • -
  • - Intel Core i5-1145G7E -
  • -
  • - Intel Core i5-1145GRE -
  • -
  • - Intel Core i5-11300H -
  • -
  • - Intel Core i5-1145G7 -
  • -
  • - Intel Core i5-1140G7 -
  • -
  • - Intel Core i3-1115G4 -
  • -
  • - Intel Core i3-1115G4 -
  • -
  • - Intel Core i3-1110G4 -
  • -
  • - Intel Core i3-1115GRE -
  • -
  • - Intel Core i3-1115G4E -
  • -
  • - Intel Core i3-1125G4 -
  • -
  • - Intel Core i3-1125G4 -
  • -
  • - Intel Core i3-1120G4 -
  • -
  • - Intel Pentium Gold 7505 -
  • -
  • - Intel Celeron 6305 -
  • -
  • - Intel Celeron 6305E -
  • -
-
-

- You no longer have to set the i915.alpha_support=1 or i915.force_probe=* kernel option to enable Tiger Lake GPU support. -

-

- (BZ#1882620) -

-
-

Intel GPUs that use the 11th generation Core microprocessors are now - supported

-

- This release adds support for the 11th generation Core CPU architecture (formerly known as Rocket Lake) with Xe gen 12 integrated graphics, which is - found in the following CPU models: -

-
-
-
    -
  • - Intel Core i9-11900KF -
  • -
  • - Intel Core i9-11900K -
  • -
  • - Intel Core i9-11900 -
  • -
  • - Intel Core i9-11900F -
  • -
  • - Intel Core i9-11900T -
  • -
  • - Intel Core i7-11700K -
  • -
  • - Intel Core i7-11700KF -
  • -
  • - Intel Core i7-11700T -
  • -
  • - Intel Core i7-11700 -
  • -
  • - Intel Core i7-11700F -
  • -
  • - Intel Core i5-11500T -
  • -
  • - Intel Core i5-11600 -
  • -
  • - Intel Core i5-11600K -
  • -
  • - Intel Core i5-11600KF -
  • -
  • - Intel Core i5-11500 -
  • -
  • - Intel Core i5-11600T -
  • -
  • - Intel Core i5-11400 -
  • -
  • - Intel Core i5-11400F -
  • -
  • - Intel Core i5-11400T -
  • -
-
-

- (BZ#1784246, BZ#1784247, BZ#1937558) -

-
-

Nvidia Ampere is now supported

-

- This release adds support for the Nvidia Ampere GPUs that use the GA102 or GA104 chipset. That - includes the following GPU models: -

-
-
-
    -
  • - GeForce RTX 3060 Ti -
  • -
  • - GeForce RTX 3070 -
  • -
  • - GeForce RTX 3080 -
  • -
  • - GeForce RTX 3090 -
  • -
  • - RTX A4000 -
  • -
  • - RTX A5000 -
  • -
  • - RTX A6000 -
  • -
  • - Nvidia A40 -
  • -
-
-

- Note that the nouveau graphics driver does not yet support 3D - acceleration with the Nvidia Ampere family. -

-

- (BZ#1916583) -

-
-

Various updated graphics drivers

-

- The following graphics drivers have been updated to the latest upstream version: -

-
-
-
    -
  • - The Matrox mgag200 driver -
  • -
  • - The Aspeed ast driver -
  • -
-
-

- (JIRA:RHELPLAN-72994, BZ#1854354, BZ#1854367) -

-
-
-
-
-
-

4.16. The web console

-
-
-
-
-

Software Updates page checks for required restarts

-

- With this update, the Software Updates page in the RHEL web console checks if it is sufficient - to only restart some services or running processes for updates to become effective after - installation. In these cases this avoids having to reboot the machine. -

-
-

- (JIRA:RHELPLAN-59941) -

-
-

Graphical performance analysis in the web console

-

- With this update the system graphs page has been replaced with a new dedicated page for - analyzing the performance of a machine. To view the performance metrics, click View details and history from the Overview page. It shows current metrics and - historical events based on the Utilization Saturation, and Errors (USE) method. -

-
-

- (JIRA:RHELPLAN-59938) -

-
-

Web console assists with SSH key setup

-

- Previously, the web console allowed logging into remote hosts with your initial login password - when Reuse my password for remote - connections was selected during login. This option has been removed, and - instead of that the web console now helps with setting up SSH keys for users that want automatic - and password-less login to remote hosts. -

-
-

- Check Managing - remote systems in the web console for more details. -

-

- (JIRA:RHELPLAN-59950) -

-
-
-
-
-
-

4.17. Red Hat Enterprise Linux system roles

-
-
-
-
-

The RELP secure transport support added to the Logging role - configuration

-

- Reliable Event Logging Protocol, RELP, is a secure, reliable protocol to forward and receive log - messages among rsyslog servers. With this enhancement, - administrators can now benefit from the RELP, which is a useful protocol with high demands from - rsyslog users, as rsyslog servers are - capable of forwarding and receiving log messages over the RELP protocol. -

-
-

- (BZ#1889484) -

-
-

SSH Client RHEL system role is now supported

-

- Previously, there was no vendor-supported automation tooling to configure RHEL SSH in a - consistent and stable manner for servers and clients. With this enhancement, you can use the - RHEL system roles to configure SSH clients in a systematic and unified way, independently of the - operating system version. -

-
-

- (BZ#1893712) -

-
-

An alternative to the traditional RHEL system roles format: Ansible - Collection

-

- RHEL 8.4 introduces RHEL system roles in the Collection format, available as an option to the - traditional RHEL system roles format. -

-
-

- This update introduces the concept of a fully qualified collection name (FQCN), that consists of a - namespace and the collection name. For example, the Kernel role fully qualified name is: redhat.rhel_system_roles.kernel_settings -

-
-
    -
  • - The combination of a namespace and a collection name guarantees that the objects are unique. -
  • -
  • - The combination of a namespace and a collection name ensures that the objects are shared - across the Collections and namespaces without any conflicts. -
  • -
-
-

- Install the Collection using an RPM package. Ensure that you have the python3-jmespath installed on the host on which you execute the playbook: -

-
# yum install rhel-system-roles
-

- The RPM package includes the roles in both the legacy Ansible Roles format as well as the new - Ansible Collection format. For example, to use the network role, perform the following steps: -

-

- Legacy format: -

-
---
-- hosts: all
-  roles:
-rhel-system-roles.network
-

- Collection format: -

-
---
-- hosts: all
-  roles:
-redhat.rhel_system_roles.network
-

- If you are using Automation Hub and want to install the system roles Collection hosted in Automation - Hub, enter the following command: -

-
$ ansible-galaxy collection install redhat.rhel_system_roles
-

- Then you can use the roles in the Collection format, as previously described. This requires - configuring your system with the ansible-galaxy command to use Automation Hub instead of Ansible - Galaxy. See How - to configure the ansible-galaxy client to use Automation Hub - instead of Ansible Galaxy for more details. -

-

- (BZ#1893906) -

-
-

Metrics role supports configuration and - enablement of metrics collection for SQL server via PCP

-

- The metrics RHEL system role now provides the ability to connect - SQL Server, mssql with Performance Co-Pilot, pcp. SQL Server is a general purpose relational database from - Microsoft. As it runs, SQL Server updates internal statistics about the operations it is - performing. These statistics can be accessed using SQL queries but it is important for system - and database administrators undertaking performance analysis tasks to be able to record, report, - visualize these metrics. With this enhancement, users can use the metrics RHEL system role to - automate connecting SQL server, mssql, with Performance Co-Pilot, - pcp, which provides recording, reporting, and visualization - functionality for mssql metrics. -

-
-

- (BZ#1893908) -

-
-

exporting-metric-data-to-elasticsearch - functionality available in the Metrics RHEL system role

-

- Elasticsearch is a popular, powerful and scalable search engine. With this enhancement, by - exporting metric values from the Metrics RHEL system role to the Elasticsearch, users are able - to access metrics via Elasticsearch interfaces, including via graphical interfaces, REST APIs, - between others. As a result, users are able to use these Elasticsearch interfaces to help - diagnose performance problems and assist in other performance related tasks like capacity - planning, benchmarking and so on. -

-
-

- (BZ#1895188) -

-
-

Support for SSHD RHEL system role

-

- Previously, there was no vendor-supported automation tooling to configure SSH RHEL system roles - in a consistent and stable manner for servers and clients. With this enhancement, you can use - the RHEL system roles to configure sshd servers in a systematic and - unified way regardless of operating system version. -

-
-

- (BZ#1893696) -

-
-

Crypto Policies RHEL system role is now supported

-

- With this enhancement, RHEL 8 introduces a new feature for system-wide cryptographic policy - management. By using RHEL system roles, you now can consistently and easily configure - cryptographic policies on any number of RHEL 8 systems. -

-
-

- (BZ#1893699) -

-
-

The Logging RHEL system role now supports rsyslog behavior

-

- With this enhancement, rsyslog receives the message from Red Hat - Virtualization and forwards the message to the elasticsearch. -

-
-

- (BZ#1889893) -

-
-

The networking RHEL system role now supports - the ethtool settings

-

- With this enhancement, you can use the networking RHEL system role - to configure ethtool coalesce settings of a NetworkManager connection. When using the interrupt coalescing procedure, the system collects network packets - and generates a single interrupt for multiple packets. As a result, this increases the amount of - data sent to the kernel with one hardware interrupt, which reduces the interrupt load, and - maximizes the throughput. -

-
-

- (BZ#1893961) -

-
-
-
-
-
-

4.18. Virtualization

-
-
-
-
-

IBM Z virtual machines can now run up to 248 CPUs

-

- Previously, the number of CPUs that you could use in an IBM Z (s390x) virtual machine (VM), with - DIAG318 enabled, was limited to 240. Now, using the Extended-Length - SCCB, IBM Z VMs can run up to 248 CPUs. -

-
-

- (JIRA:RHELPLAN-44450) -

-
-

HMAT is now supported on RHEL KVM

-

- With this update, ACPI Heterogeneous Memory Attribute Table (HMAT) is now supported on RHEL KVM. - The ACPI HMAT optimizes memory by providing information about memory attributes, such as memory - side cache attributes as well as bandwidth and latency details related to the System Physical - Address (SPA) Memory Ranges. -

-
-

- (JIRA:RHELPLAN-37817) -

-
-

Virtual machines can now use features of Intel Atom P5000 - Processors

-

- The Snowridge CPU model name is now available for virtual machines - (VMs). On hosts with Intel Atom P5000 processors, using Snowridge - as the CPU type in the XML configuration of the VM exposes new features of these processors to - the VM. -

-
-

- (JIRA:RHELPLAN-37579) -

-
-

virtio-gpu devices now work better on virtual - machines with Windows 10 and later

-

- This update extends the virtio-win drivers to also provide custom - drivers for virtio-gpu devices on selected Windows platforms. As a - result, the virtio-gpu devices now have improved performance on - virtual machines that use Windows 10 or later as their guest systems. In addition, the devices - will also benefit from future enhancements to virtio-win. -

-
-

- (BZ#1861229) -

-
-

Virtualization support for 3rd generation AMD EPYC processors

-

- With this update, virtualization on RHEL 8 adds support for the 3rd generation AMD EPYC - processors, also known as EPYC Milan. As a result, virtual machines hosted on RHEL 8 can now use - the EPYC-Milan CPU model and utilise new features that the - processors provide. -

-
-

- (BZ#1790620) -

-
-
-
-
-
-

4.19. RHEL in cloud environments

-
-
-
-
-

Automatic registration for gold images for AWS

-

- With this update, gold images of RHEL 8.4 and later for Amazon Web Services and Microsoft Azure - can be configured by the user to automatically register to Red Hat Subscription Management - (RHSM) and Red Hat Insights. This makes it faster and easier to configure a large number of - virtual machines created from a gold image. -

-
-

- However, if you require consuming repositories provided by RHSM, ensure that the manage_repos option in /etc/rhsm/rhsm.conf - is set to 1. For more information, please refer to Red Hat KnowledgeBase. -

-

- (BZ#1905398, BZ#1932804) -

-
-

cloud-init is now supported on Power Systems - Virtual Server in IBM Cloud

-

- With this update, the cloud-init utility can be used to configure - RHEL 8 virtual machines hosted on IBM Power Systems hosts and running in the IBM Cloud Virtual - Server service. -

-
-

- (BZ#1886430) -

-
-
-
-
-
-

4.20. Supportability

-
-
-
-
-

sos rebased to version 4.0

-

- The sos package has been upgraded to version 4.0. This major - version release includes a number of new features and changes. -

-
-

- Major changes include: -

-
-
    -
  • - A new sos binary has replaced the former sosreport binary as - the main entry point for the utility. -
  • -
  • - sos report is now used to generate sosreport tarballs. The - sosreport binary is maintained as a redirection point and now - invokes sos report. -
  • -
  • -

    - The /etc/sos.conf file has been moved to /etc/sos/sos.conf, and its layout has changed as follows: -

    -
    -
      -
    • - The [general] section has been renamed to [global], and may be used to specify options that are - available to all sos commands and sub-commands. -
    • -
    • - The [tunables] section has been renamed to [plugin_options]. -
    • -
    • - Each sos component, report, collect, and - clean, has its own dedicated section. For example, - sos report loads options from global and from report. -
    • -
    -
    -
  • -
  • - sos is now a Python3-only utility. Python2 is no longer - supported in any capacity. -
  • -
-
-

- sos collect -

-

- sos collect formally brings the sos-collector utility into the main sos - project, and is used to collect sosreports from multiple nodes simultaneously. The sos-collector binary is maintained as a redirection point and invokes - sos collect. The standalone sos-collector - project will no longer be independently developed. Enhancements for sos collect include: -

-
-
    -
  • - sos collect is now supported on all distributions that sos report supports, that is any distribution with a Policy defined. -
  • -
  • - The --insecure-sudo option has been renamed to --nopasswd-sudo. -
  • -
  • - The --threads option, used to connect simultaneously to the - number of nodes, has been renamed to --jobs -
  • -
-
-

- sos clean -

-

- sos clean formally brings the functionality of the soscleaner utility into the main sos - project. This subcommand performs further data obfuscation on reports, such as cleaning IP - addresses, domain names, and user-provided keywords. -

-

- Note: When the --clean option is used with the sos report or sos collect command, sos clean is applied on a report being generated. Thus, it is not - necessary to generate a report and only after then apply the cleaner function on it. -

-

- Key enhancements for sos clean include: -

-
-
    -
  • - Support for IPv4 address obfuscation. Note that this will attempt to preserve topological - relationships between discovered addresses. -
  • -
  • - Support for host name and domain name obfuscation. -
  • -
  • - Support for user-provided keyword obfuscations. -
  • -
  • -

    - The --clean or --mask flag - used with the sos report command obfuscates a report being - generated. Alternatively, the following command obfuscates an already existing report: -

    -
    [user@server1 ~]$ sudo sos (clean|mask) $archive
    -

    - Using the former results in a single obfuscated report archive, while the latter results - in two; an obfuscated archive and the un-obfuscated original. -

    -
  • -
-
-

- For full information on the changes contained in this release, see sos-4.0. -

-

- (BZ#1966838) -

-
-
-
-
-
-

4.21. Containers

-
-
-
-
-

Podman now supports volume plugins written for Docker

-

- Podman now has support for Docker volume plugins. These volume plugins or drivers, written by - vendors and community members, can be used by Podman to create and manage container volumes. -

-
-

- The podman volume create command now supports creation of the volume - using a volume plugin with the given name. The volume plugins must be defined in the [engine.volume_plugins] section of the container.conf configuration file. -

-

- Example: -

-
[engine.volume_plugins]
-testvol = "/run/docker/plugins/testvol.sock"
-

- where testvol is the name of the plugin and /run/docker/plugins/testvol.sock is the path to the plugin socket. -

-

- You can use the podman volume create --driver testvol to create a - volume using a testvol plugin. -

-

- (BZ#1734854) -

-
-

The ubi-micro container image is now - available

-

- The registry.redhat.io/ubi8/ubi-micro container image is the - smallest base image that uses the package manager on the underlying host to install packages, - typically using Buildah or multi-stage builds with Podman. Excluding package managers and all of - its dependencies increases the level of security of the image. -

-
-

- (JIRA:RHELPLAN-56664) -

-
-

Support to auto-update container images is available

-

- With this enhancement, users can use the podman auto-update command - to auto-update containers according to their auto-update policy. The containers have to be - labeled with a specified "io.containers.autoupdate=image" label to - check if the image has been updated. If it has, Podman pulls the new image and restarts the - systemd unit executing the container. The podman auto-update - command relies on systemd and requires a fully-specified image name to create a container. -

-
-

- (JIRA:RHELPLAN-56661) -

-
-

Podman now supports secure short names

-

- Short-name aliases for images can now be configured in the registries.conf file in the [aliases] - table. The short-names modes are: -

-
-
-
    -
  • - Enforcing: If no matching alias is found during the image pull, Podman prompts the user to - choose one of the unqualified-search registries. If the selected image is pulled - successfully, Podman automatically records a new short-name alias in the users $HOME/.config/containers/short-name-aliases.conf file. If the - user cannot be prompted (for example, stdin or stdout are not a TTY), Podman fails. Note - that the short-name-aliases.conf file has precedence over registries.conf file if both specify the same alias. -
  • -
  • - Permissive: Similar to enforcing mode but it does not fail if the user cannot be prompted. - Instead, Podman searches in all unqualified-search registries in the given order. Note that - no alias is recorded. -
  • -
-
-

- Example: -

-
unqualified-search-registries=[“registry.fedoraproject.org”, “quay.io”]
-
-[aliases]
-
-"fedora"="registry.fedoraproject.org/fedora"
-

- (JIRA:RHELPLAN-39843) -

-
-

container-tools:3.0 stable stream is now - available

-

- The container-tools:3.0 stable module stream, which contains the - Podman, Buildah, Skopeo, and runc tools is now available. This update provides bug fixes and - enhancements over the previous version. -

-
-

- For instructions how to upgrade from an earlier stream, see Switching - to a later stream. -

-

- (JIRA:RHELPLAN-56782) -

-
-
-
-
-
-
-

Chapter 5. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel shipped - with Red Hat Enterprise Linux 8.4. These changes could include for example added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any - noticeable behavior changes. -

-
-
-
-
-

5.1. New kernel parameters

-
-
-
-
-
-
bgrt_disable = [ACPI, X86]
-
- This parameter disables Boot Graphics Resource Table (BGRT) to avoid flickering Original - Equipment Manufacturer (OEM) logo. -
-
radix_hcall_invalidate = on [PPC/PSERIES]
-
- This parameter disables Radix GTSE feature and use hcall for Translation Lookaside Buffer - (TLB) invalidate. -
-
disable_tlbie = [PPC]
-
- This parameter disables Translation Look-Aside Buffer Invalidate Entry (TLBIE) instruction. - Currently does not work with KVM, with hash Memory management Unit (MMU), or with coherent - accelerators. -
-
fw_devlink = [KNL]
-
-

- This parameter creates device links between consumer and supplier devices by scanning - the firmware to infer the consumer and supplier relationships. This feature is useful - when drivers are loaded as modules as it ensures proper ordering of tasks like: -

-
-
    -
  • - device probing (suppliers first, then consumers) -
  • -
  • - supplier boot state clean up (only after all consumers have probed) -
  • -
  • -

    - suspend, resume and runtime Power Management (PM) (consumers first, then - suppliers) -

    -

    - Format: { off | permissive | on | rpm } -

    -
  • -
  • - off - Do not create device links from firmware - info. -
  • -
  • - permissive - Create device links from firmware info - but use it only for ordering boot state clean up (sync_state() calls). -
  • -
  • - on - Create device links from firmware info and use - it to enforce probe and suspend or resume ordering. -
  • -
  • - rpm - Like on, but - also used to order runtime PM. -
  • -
-
-
-
-
-

- The default value is permissive. You can check the configured value in - the /proc/cmdline file. -

-
-
-
init_on_alloc = [MM]
-
-

- This parameter fills newly allocated pages and heap objects with zeroes. -

-

- Format: 0 | 1 -

-

- Default set by the kernel CONFIG_INIT_ON_ALLOC_DEFAULT_ON - configuration -

-
-
init_on_free = [MM]
-
-

- This parameter fills freed pages and heap objects with zeroes. -

-

- Format: 0 | 1 -

-

- Default set by CONFIG_INIT_ON_FREE_DEFAULT_ON -

-
-
nofsgsbase [X86]
-
- This parameter disables FSGSBASE instructions. -
-
nosgx [X86-64,SGX]
-
- This parameter disables Intel Software Guard Extensions (SGX) kernel support. -
-
rcutree.rcu_min_cached_objs = [KNL]
-
- Minimum number of objects which are cached and maintained per one CPU. Object size is equal - to PAGE_SIZE. The cache allows to reduce the pressure to page - allocator. Also it makes the whole algorithm to behave better in low memory condition. -
-
rcuperf.kfree_rcu_test = [KNL]
-
- This parameter is used to measure performance of the kfree_rcu() function flooding. -
-
rcuperf.kfree_nthreads = [KNL]
-
- The number of threads running loops of kfree_rcu(). -
-
rcuperf.kfree_alloc_num = [KNL]
-
- Number of allocations and frees done in an iteration. -
-
rcuperf.kfree_loops = [KNL]
-
- Number of loops doing rcuperf.kfree_alloc_num number of - allocations and frees. -
-
rcupdate.rcu_cpu_stall_ftrace_dump = [KNL]
-
- This parameter dumps ftrace buffer after reporting - Read-copy-update (RCU) CPU stall warning. -
-
nopvspin = [X86,KVM]
-
- This parameter disables the qspinlock slow path using - Para-virtualization (PV) optimizations. This allows the hypervisor to 'idle' the guest on - lock contention. -
-
-
-
-
-
-
-
-

5.2. New /proc/sys/user parameters

-
-
-
-
-
-
max_time_namespaces
-
- The maximum number of time namespaces that any user in the current user namespace can - create. -
-
-
-
-
-
-
-
-

5.3. New /proc/sys/vm parameters

-
-
-
-
-
-
compaction_proactiveness
-
-

- This parameter determines how aggressively the kernel should compact memory in the - background. The parameter takes a value in the range [0, 100] and the default value is - 0. The motivation to disable this parameter by default was to avoid breaking the - currently established and expected behavior of the system by a kthread that would be - woken up every 500msec to move memory around. -

-

- Note that compaction has a non-trivial system-wide impact as pages belonging to - different processes are moved around. This could also lead to latency spikes in - unsuspecting applications. The kernel employs various heuristics to avoid wasting CPU - cycles if it detects that proactive compaction is not being effective. -

-

- Be careful when setting this parameter to extreme values such as 100. This can cause - excessive background compaction activity. -

-
-
watermark_boost_factor
-
-

- This parameter controls the level of reclaim when memory is being fragmented. It defines - the percentage of the high watermark of a zone that will be reclaimed if pages of - different mobility are being mixed within pageblocks. The intent is that compaction has - less work to do in the future and to increase the success rate of future high-order - allocations such as SLUB allocations, THP and hugetlbfs pages. -

-

- With respect to the watermark_scale_factor parameter, the - unit is in fractions of 10,000. The default value of 15,000 on !DISCONTIGMEM configurations means that up to 150% of the - high watermark is reclaimed in the event of a pageblock being mixed due to - fragmentation. The level of reclaim is determined by the number of fragmentation events - that occurred in the recent past. If this value is smaller than a pageblock then a - pageblocks worth of pages are going to be reclaimed (e.g. 2MB on 64-bit x86). A boost - factor of 0 will disable the feature. -

-
-
-
-
-
-
-
-
-
-

Chapter 6. Device drivers

-
-
-
-
-
-
-
-

6.1. New drivers

-
-
-
-

Network drivers

-
-
    -
  • - Realtek 802.11ac wireless 8822b driver (rtw88_8822b.ko.xz) -
  • -
  • - Realtek 802.11ac wireless 8822be driver (rtw88_8822be.ko.xz) -
  • -
  • - Realtek 802.11ac wireless 8822c driver (rtw88_8822c.ko.xz) -
  • -
  • - Realtek 802.11ac wireless 8822ce driver (rtw88_8822ce.ko.xz) -
  • -
  • - Realtek 802.11ac wireless core module (rtw88_core.ko.xz) -
  • -
  • - Realtek 802.11ac wireless PCI driver (rtw88_pci.ko.xz) -
  • -
  • - Interface driver for UDP encapsulated traffic (bareudp.ko.xz) -
  • -
-
-

Graphics drivers and miscellaneous drivers

-
-
    -
  • - Regmap SoundWire Module (regmap-sdw.ko.xz) -
  • -
  • - Intel® QuickAssist Technology (qat_4xxx.ko.xz) -
  • -
  • - Intel® Data Accelerator Driver (idxd.ko.xz) -
  • -
  • - Oracle VM VirtualBox Graphics Card (vboxvideo.ko.xz) -
  • -
  • - HID driver for gaming keys on Logitech gaming keyboards (hid-lg-g15.ko.xz) -
  • -
  • - Driver for AMD Energy reporting from RAPL MSR via HWMON interface (amd_energy.ko.xz) -
  • -
  • - Elastic Fabric Adapter (EFA) (efa.ko.xz) -
  • -
  • - AMD® PCI-E Non-Transparent Bridge Driver (ntb_hw_amd.ko.xz) -
  • -
  • - PCIe NTB Performance Measurement Tool (ntb_perf.ko.xz) -
  • -
  • - PCIe NTB Simple Pingpong Client (ntb_pingpong.ko.xz) -
  • -
  • - PCIe NTB Debugging Tool (ntb_tool.ko.xz) -
  • -
  • - Software Queue-Pair Transport over NTB (ntb_transport.ko.xz) -
  • -
  • - Intel Elkhart Lake PCH pinctrl/GPIO driver (pinctrl-elkhartlake.ko.xz) -
  • -
  • - Dell platform setting control interface (dell-wmi-sysman.ko.xz) -
  • -
  • - DesignWare PWM Controller (pwm-dwc.ko.xz) -
  • -
  • - SoundWire bus (soundwire-bus.ko.xz) -
  • -
  • - Cadence Soundwire Library (soundwire-cadence.ko.xz) -
  • -
  • - SoundWire Generic Bandwidth Allocation (soundwire-generic-allocation.ko.xz) -
  • -
  • - Intel Soundwire Init Library (soundwire-intel.ko.xz) -
  • -
  • - Fast-charge control for Apple "MFi" devices (apple-mfi-fastcharge.ko.xz) -
  • -
  • - TI HD3SS3220 DRP Port Controller Driver (hd3ss3220.ko.xz) -
  • -
  • - STMicroelectronics STUSB160x Type-C controller driver (stusb160x.ko.xz) -
  • -
  • - Nitro Enclaves Driver (nitro_enclaves.ko.xz) -
  • -
-
-
-
-
-
-
-

6.2. Updated drivers

-
-
-
-

Graphics and miscellaneous driver updates

-
-
    -
  • - Standalone drm driver for the VMware SVGA device (vmwgfx.ko.xz) has been updated to version - 2.18.0.0. -
  • -
  • - Cisco FCoE HBA Driver (fnic.ko.xz) has been updated to version 1.6.0.53. -
  • -
  • - Driver for HP Smart Array Controller version 3.4.20-200-RH1 (hpsa.ko.xz) has been updated to - version 3.4.20-200-RH1. -
  • -
  • - Emulex LightPulse Fibre Channel SCSI driver 12.8.0.5 (lpfc.ko.xz) has been updated to - version 0:12.8.0.5. -
  • -
  • - LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas.ko.xz) has been updated to version - 35.101.00.00. -
  • -
  • - QLogic Fibre Channel HBA Driver (qla2xxx.ko.xz) has been updated to version 10.02.00.104-k. -
  • -
  • - SCSI debug adapter driver (scsi_debug.ko.xz) has been updated to version 0190. -
  • -
  • - Driver for Microsemi Smart Family Controller version 1.2.16-012 (smartpqi.ko.xz) has been - updated to version 1.2.16-012. -
  • -
  • - hpe watchdog driver (hpwdt.ko.xz) has been updated to version 2.0.4. -
  • -
-
-
-
-
-
-
-
-

Chapter 7. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.4 that have a significant impact on users. -

-
-
-
-
-

7.1. Installer and image creation

-
-
-
-
-

Anaconda now shows a dialog for ldl or - unformatted DASD disks in text mode

-

- Previously, during an installation in text mode, Anaconda failed to show a dialog for Linux disk - layout (ldl) or unformatted Direct-Access Storage Device (DASD) - disks. As a result, users were unable to utilize those disks for the installation. -

-
-

- With this update, in text mode Anaconda recognizes ldl and unformatted - DASD disks and shows a dialog where users can format them properly for the future utilization for - the installation. -

-

- (BZ#1874394) -

-
-

RHEL installer failed to start when InfiniBand network interfaces were - configured using installer boot options

-

- Previously, when you configured InfiniBand network interfaces at an early stage of RHEL - installation using installer boot options (for example, downloaded installer image using PXE - server), the installer failed to activate the network interfaces. -

-
-

- This issue occured because the RHEL NetworkManager failed to recognize the network interfaces in - InfiniBand mode, and instead configured Ethernet connections for the interfaces. -

-

- As a result, connection activation failed, and if the connectivity over the InfiniBand interface was - required at an early stage, RHEL installer failed to start the installation. -

-

- With this release, the installer successfully activates the InfiniBand network interfaces that you - configure at an early stage of RHEL installation using installer boot options, and the installation - completes successfully. -

-

- (BZ#1890009) -

-
-

The automatic partitioning can be scheduled in Anaconda

-

- Previously, during automatic partitioning on LVM type disks, the installer tried to create a - partition for an LVM PV on each selected disk. If these disks already had partitioning layout, - the schedule of the automatic partitioning could have failed with the error message. -

-
-

- With this update, the problem has been fixed. Now you can schedule the automatic partitioning in the - installer. -

-

- (BZ#1642391) -

-
-

Configuring a wireless network using Anaconda GUI is fixed

-

- Previously, configuring the wireless network while using Anaconda graphical user interface (GUI) - caused the installation to crash. -

-
-

- With this update, the problem has been fixed. You can configure the wireless network during the - installation while using Anaconda GUI. -

-

- (BZ#1847681) -

-
-
-
-
-
-

7.2. Software management

-
-
-
-
-

New -m and -M - parameters are now supported for the %autopatch rpm - macro

-

- With this update, the -m (min) and -M - (max) parameters have been added to the %autopatch macro to apply - only a range of patches with given parameters. -

-
-

- (BZ#1834931) -

-
-

popt rebased to version 1.18

-

- The popt packages have been upgraded to the upstream version 1.18, - which provides the following notable changes over the previous version: -

-
-
-
    -
  • - Overall codebase cleanup and modernization. -
  • -
  • - Failing to drop privileges on the alias exec command has been - fixed. -
  • -
  • - Various bugs, including resource leaks, have been fixed. -
  • -
-
-

- (BZ#1843787) -

-
-
-
-
-
-

7.3. Shells and command-line tools

-
-
-
-
-

snmpbulkget now provides valid output for a - non-existing PID

-

- Previously, the snmpbulkget command did not provide valid output - for a non-existing PID. Consequently, this command would fail with the output as no results found. -

-
-

- With this update,snmpbulkget provides valid output for a non-existing - PID. -

-

- (BZ#1817190) -

-
-

The CRON command now sends an email as per the - trigger conditions.

-

- Previously, when the Relax-and-Recover (ReaR) utility was - configured incorrectly, the CRON command triggered an error message - that was sent to the administrator through an email. Consequently, the administrator would - receive emails even if the configuration was not performed for ReaR. -

-
-

- With this update, the CRON command is modified and sends an email as - per the trigger conditions. -

-

- (BZ#1729499) -

-
-

Using NetBackup version 8.2 as the backup mechanism in ReaR now works.

-

- Previously, when using NetBackup as a backup method, the Relax-and-Recover (ReaR) utility did not start the vxpbx_exchanged service in the rescue system. Consequently, restoring - the data from the backup in the rescue system with NetBackup 8.2 failed with the following error - messages logged on the NetBackup server: -

-
-

- Error bpbrm (pid=…​) cannot execute cmd on clientInfo tar (pid=…​) done. status: 25: cannot connect on socketError bpbrm (pid=…​) client restore EXIT STATUS 25: cannot connect on socket -

-

- With this update, ReaR adds the vxpbx_exchanged service and related required files to the rescue system, - and starts the service when the rescue system launches. -

-

- (BZ#1898080) -

-
-

libvpd rebased to version 2.2.8.

-

- Notable changes include: -

-
-
-
    -
  • - Improved performance of vpdupdate by making the sqlite operations asynchronous. -
  • -
-
-

- (BZ#1844429) -

-
-

ReaR utility now restores system using LUKS2 encrypted partition

-

- Previously, when at least one LUKS2 encrypted partition was present - on the system to backup with Relax-and-Recover (Rear) utility, the - user was not informed that ReaR does not support LUKS2 encrypted - partition. Consequently, the ReaR utility was unable to recreate - the original state of the system during the restore phase. -

-
-

- With this update, support of basic LUKS2 configuration, error checking, - and improved output has been added to the ReaR utility. The ReaR utility now restores systems using basic LUKS2 encrypted partitions or notifies users in the opposite case. -

-

- (BZ#1832394) -

-
-

Texlive now correctly works with Poppler

-

- Previously, the Poppler utility underwent an update for API - changes. Consequently, due to these API changes the Texlive build - did not function. With this update, the Texlive build now functions - correctly with the new Poppler utility. -

-
-

- (BZ#1889802) -

-
-
-
-
-
-

7.4. Infrastructure services

-
-
-
-
-

RPZ now works with wildcard characters

-

- Previously, the dns_rpz_find_name function in the lib/dns/rpz.c file did not consider wildcard characters when a record - for the same suffix was present. Consequently, some records containing wildcard characters were - ignored. With this update, the dns_rpz_find_name function has been - fixed and it now considers wildcard characters. -

-
-

- (BZ#1876492) -

-
-
-
-
-
-

7.5. Security

-
-
-
-
-

Improved padding for pkcs11

-

- Previously, the pkcs11 token label had extra padding for some smart - cards. As a consequence, the wrong padding could cause issues matching cards based on the label - attribute. With this update, the padding is fixed for all the cards and defined PKCS #11 URIs - and matching against them in application should work as expected. -

-
-

- (BZ#1877973) -

-
-

Fixed sealert connection issue - handling

-

- Previously, a crash of the setroubleshoot daemon could cause the - sealert process to stop responding. Consequently, the GUI did not - show any analysis and also became unresponsive, the command line tool did not print any output - and kept running until killed. This update improves handling of connection issues between sealert and setroubleshootd. Now sealert reports an error message and exits in case the setroubleshoot daemon crashes. -

-
-

- (BZ#1875290) -

-
-

Optimized audit record analysis by setroubleshoot

-

- Previously, new features introduced in setroubleshoot-3.3.23-1 had - a negative impact on performance, which led to the AVC analysis being up to 8 times slower than - before. This update provides optimizations that significantly reduce the AVC analysis times. -

-
-

- (BZ#1794807) -

-
-

Fixed SELinux policy interface parser

-

- Previously, the policy interface parser caused syntax error messages to appear when installing a - custom policy that contained an ifndef block in its interface file. - This update improves the interface file parsing, and thus resolves this issue. -

-
-

- (BZ#1868717) -

-
-

setfiles does not stop on labeling - error

-

- Previously, the setfiles utility stopped whenever it failed to - relabel a file. Consequently, mislabeled files were left in the target directory. With this - update, setfiles skips files it cannot relabel, and as a result, - setfiles processes all files in the target directory. -

-
-

- (BZ#1926386) -

-
-

Rebuilds of the SELinux policy store are now more resistant to power - failures

-

- Previously, SELinux-policy rebuilds were not resistant to power failures due to write caching. - Consequently, the SELinux policy store may become corrupted after a power failure during a - policy rebuild. With this update, the libsemanage library writes - all pending modifications to metadata and cached file data to the file system that contains the - policy store before using it. As a result, the policy store is now more resistant to power - failures and other interruptions. -

-
-

- (BZ#1913224) -

-
-

libselinux now determines the default context - of SELinux users correctly

-

- Previously, the libselinux library failed to determine the default - context of SELinux users on some systems, due to the use of the deprecated security_compute_user() function. As a consequence, some system - services were unavailable on systems with complex security policies. With this update, libselinux no longer uses security_compute_user() and determines the SELinux user’s default - context properly, regardless of policy complexity. -

-
-

- (BZ#1879368) -

-
-

Geo-replication in rsync mode no longer fails - due to SELinux

-

- Previously, SELinux policy did not allow processes running under rsync_t to set the value of the security.trusted extended attribute. As a consequence, - geo-replication in Red Hat Gluster Storage (RHGS) failed. This update includes the new SELinux - boolean rsync_sys_admin that allows the rsync_t processes to set security.trusted. As a result, if the rsync_sys_admin boolean is enabled, rsync can set the security.trusted - extended attribute and geo-replication no longer fails. -

-
-

- (BZ#1889673) -

-
-

OpenSCAP can now scan systems with large numbers of files without running - out of memory

-

- Previously, when scanning systems with low RAM and large numbers of files, the OpenSCAP scanner - sometimes caused the system to run out of memory. With this update, OpenSCAP scanner memory - management has been improved. As a result, the scanner no longer runs out of memory on systems - with low RAM when scanning large numbers of files, for example package groups Server with GUI and Workstation. -

-
-

- (BZ#1824152) -

-
-

CIS-remediated systems with FAT no longer fail on boot

-

- Previously, the Center for Internet Security (CIS) profile in the SCAP Security Guide (SSG) - contained a rule which disabled loading of the kernel module responsible for access to FAT file - systems. As a consequence, if SSG remediated this rule, the system could not access partitions - formatted with FAT12, FAT16, and FAT32 file systems, including EFI System Partitions (ESP). This - caused the systems to fail to boot. With this update, the rule has been removed from the - profile. As a result, systems that use these file systems no longer fail to boot. -

-
-

- (BZ#1927019) -

-
-

OVAL checks consider GPFS as remote

-

- Previously, the OpenSCAP scanner did not identify mounted General Parallel File Systems (GPFS) - as remote file systems (FS). As a consequence, OpenSCAP scanned GPFS even for OVAL checks that - applied only to local systems. This sometimes caused the scanner to run out of resources and - fail to complete the scan. With this update, GPFS has been included in the list of remote FS. As - a result, OVAL checks correctly consider GPFS as a remote FS, and the scans are faster. -

-
-

- (BZ#1840579) -

-
-

The fapolicyd-selinux SELinux policy now - covers all file types

-

- Previously, the fapolicyd-selinux SELinux policy did not cover all - file types. Consequently, the fapolicyd service could not access - files located on non-monitored locations such as sysfs. With this - update, the fapolicyd service covers and analyzes all file system - types. -

-
-

- (BZ#1940289) -

-
-

fapolicyd no longer prevents RHEL - updates

-

- When an update replaces the binary of a running application, the kernel modifies the application - binary path in memory by appending the (deleted) suffix. - Previously, the fapolicyd file access policy daemon treated such - applications as untrusted. As a consequence, fapolicyd prevented - these applications from opening and executing any other files. With this update, fapolicyd ignores the suffix in the binary path so the binary can - match the trust database. As a result, fapolicyd enforces the rules - correctly and the update process can finish. -

-
-

- (BZ#1896875) -

-
-

USBGuard rebased to 1.0.0-1

-

- The usbguard packages have been rebased to the upstream version - 1.0.0-1. This update provides improvements and bug fixes, most notably: -

-
-
-
    -
  • - Stable public API ensures backwards compatibility. -
  • -
  • - Rule files inside the rules.d directory now load in - alphanumeric order. -
  • -
  • - Some use cases when the policy of multiple devices could not be changed by a single rule - have been fixed. -
  • -
  • - Filtering rules by their labels no longer produces errors. -
  • -
-
-

- (BZ#1887448) -

-
-

USBGuard now can send Audit messages

-

- As part of service hardening, the capabilities of usbguard.service - were limited while the CAP_AUDIT_WRITE capability was missing. As a - consequence, usbguard running as a system service could not send - Audit events. With this update, the service configuration has been updated, and as a result, - USBGuard can send Audit messages. -

-
-

- (BZ#1940060) -

-
-

tangd now handles invalid requests - correctly

-

- Previously, the tangd daemon returned an error exit code for some - invalid requests. As a consequence, tangd.socket@.service failed, - which in turn might have caused problems if the number of such failed units increased. With this - update, tangd exits with an error code only when the tangd server itself is facing problems. As a result, tangd handles invalid requests correctly. -

-
-

- (BZ#1828558) -

-
-
-
-
-
-

7.6. Networking

-
-
-
-
-

Migrating an iptables rule set from RHEL 7 to - RHEL 8 with rules involving ipset lookups no longer - fails

-

- Previously, the ipset counters were updated only if all the - additional constraints match while referring to an ipset command - with enabled counters from an iptables rule set. Consequently, the - rules involving ipset lookups, e.g. -m set --match-set xxx src --bytes-gt 100 will never get chance to - match, because the member’s counter of ipset will not be added up. - With this update, migrating an iptables rule set with rules - involving ipset lookups works as expected. -

-
-

- (BZ#1806882) -

-
-

The iptraf-ng no longer exposes raw memory - content

-

- Previously, when setting %p in a filter in iptraf-ng, the application displayed raw memory content in the status - bar. Consequently, inessential information was getting displayed. With this update, the iptraf-ng processes do not show any raw memory content on the status - bar at the bottom. -

-
-

- (BZ#1842690) -

-
-

Network access is now available when using DHCP in the Anaconda ip boot option

-

- The initial RAM disk (initrd) uses NetworkManager to manage - networking. Previously, the dracut NetworkManager module provided - by the RHEL 8.3 ISO file incorrectly assumed that the first field of the ip option in the Anaconda boot options was always set. As a - consequence, if you used DHCP and set ip=::::<host_name>::dhcp, NetworkManager did not retrieve an IP - address, and the network was not available in Anaconda. This problem has been fixed. As a - result, the Anaconda ip boot option works as expected when you use - the RHEL 8.4 ISO to install a host in the mentioned scenario. -

-
-

- (BZ#1900260) -

-
-

Unloading XDP programs no longer fails on Netronome network cards that use - the nfp driver

-

- Previously, the nfp driver for Netronome network cards contained a - bug. As a consequence, unloading eXpress Data Path (XDP) programs failed if you used such a card - and loaded the XDP program using the IFLA_XDP_EXPECTED_FD feature - with the XDP_FLAGS_REPLACE flag. For example, this affected XDP - programs that were loaded using the libxdp library. This bug has - been fixed. As a result, unloading an XDP program from Netronome network cards works as - expected. -

-
-

- (BZ#1880268) -

-
-

NetworkManager now tries to retrieve the host name using DHCP and reverse - DNS lookups on all interfaces

-

- Previously, if the host name was not set in the /etc/hostname file, - NetworkManager tried to obtain the host name using DHCP or a reverse DNS lookup only through the - interface with the default route with the lowest metric value. As a consequence, it was not - possible to automatically assign a host name on networks without a default route. This update - changes the behavior, and NetworkManager now first tries to retrieve the host name using the - default route interface. If this process fails, NetworkManager tries other available interfaces. - As a result, NetworkManager tries to retrieve the host name using DHCP and reverse DNS lookups - on all interfaces if it is not set in /etc/hostname. -

-
-

- To configure that NetworkManager uses the old behavior: -

-
-
    -
  1. -

    - Create the /etc/NetworkManager/conf.d/10-hostname.conf file - with the following content: -

    -
    [connection-hostname-only-from-default]
    -hostname.only-from-default=1
    -
  2. -
  3. -

    - Reload the NetworkManager service: -

    -
    # systemctl reload NetworkManager
    -
  4. -
-
-

- (BZ#1766944) -

-
-
-
-
-
-

7.7. Kernel

-
-
-
-
-

The kernel no longer returns false positive warnings on IBM Z - systems

-

- Previously, IBM Z systems on RHEL 8 were missing an allowed entry for the ZONE_DMA memory zone to allow user access. Consequently, the kernel - returned false positive warnings such as: -

-
-
...
-Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dma-kmalloc-192' (offset 0, size 144)!
-WARNING: CPU: 0 PID: 8519 at mm/usercopy.c:83 usercopy_warn+0xac/0xd8
-...
-

- The warnings appeared when accessing certain system information through the sysfs interface. For example, by running the debuginfo.sh script. -

-

- This update adds a flag in the Direct Memory Access (DMA) buffer, so that user space applications - can access the buffer. -

-

- As a result, no warning messages are displayed in the described scenario. -

-

- (BZ#1660290) -

-
-

RHEL systems boot as expected from the tboot - GRUB entry

-

- Previously, the tboot utility of version 1.9.12-2 caused some RHEL - systems with Trusted Platform Module (TPM) 2.0 enabled to fail to boot in legacy mode. As a - consequence, the system halted when it attempted to boot from the tboot Grand Unified Bootloader (GRUB) entry. With a new version of - RHEL 8 and the update of the tboot utility, the problem has been - fixed and RHEL systems boot as expected. -

-
-

- (BZ#1947839) -

-
-

The kernel successfully reclaims memory in heavy-workload container - scenarios

-

- When a volume was constrained for I/O and memory within a container, the kernel code responsible - for reclaiming memory experienced soft-lockup due to a data race condition. Data race is a - phenomenon that happens if: -

-
-
-
    -
  • - At least two CPU threads try to modify the same set of data simultaneously. -
  • -
  • - At least one of these CPU threads tries to do a write operation on the dataset. -
  • -
-
-

- Based on the exact timing of each thread to modify the dataset, the result can be A, B, or AB - (indeterminate). -

-

- When a container was under memory pressure, the situation likely led to multiple Out of Memory (OOM) - kills, causing the container locking up and becoming unresponsive. In this release, the RHEL kernel - code for locking and optimization has been updated. As a result, the kernel no longer becomes - unresponsive, and the data does not become subject to race conditions. -

-

- (BZ#1860031) -

-
-

RHEL 8 with offline memory no longer causes kernel panics

-

- Previously, when running RHEL 8 with memory that was initiated but marked as offline, the kernel - in some cases attempted to access uninitialized memory pages. As a consequence, a kernel panic - occurred. This update fixes the kernel mechanism for idle page tracking, which prevents the - problem from occurring. -

-
-

- (BZ#1867490) -

-
-

The NUMA systems no longer experience unexpected memory layout

-

- Previously, ARM64 and S390 - architectures experienced unexpected memory layouts on NUMA systems due to missing of the CONFIG_NODES_SPAN_OTHER_NODES option. As a consequence, the memory - regions from different NUMA nodes intersected and the intersecting memory regions from low NUMA - nodes were added into the high NUMA. -

-
-

- With this update, the NUMA systems no longer experience the memory layouts issue. -

-

- (BZ#1844157) -

-
-

The rngd service no longer busy-waits on poll() system call

-

- A new kernel entropy source for FIPS mode was added for kernels, starting with version - 4.18.0-193.10. Consequently, the rngd service busy-waited on the - poll() system call for the /dev/random - device. This situation caused consumption of 100% of CPU time, when a system was in a FIPS mode. - With this update, in FIPS mode, a poll() handler for the /dev/random device has been changed from a default one to a handler - developed especially for the /dev/random device. As a result, the - rngd service no longer busy-waits on poll() in the described scenario. -

-
-

- (BZ#1884857) -

-
-

HRTICK support for SCHED_DEADLINE scheduler is enabled

-

- Previously, the feature for high resolution system timers (HRTICK) - was not armed for certain tasks configured with the SCHED_DEADLINE - policy. Consequently, the throttling mechanism for these tasks using the SCHED_DEADLINE scheduler, consumed all the runtime configured for - those tasks. This behavior caused an unexpected latency spike in the real-time environment. -

-
-

- This update enables the HRTICK feature, which provides high resolution - preemption. HRTICK uses a high resolution timer, which enforces the - throttling mechanism when a task completes its runtime. As a result, this problem no longer occurs - in the described scenario. -

-

- (BZ#1885850) -

-
-

tpm2-abrmd rebased to version 2.3.3.2

-

- The tpm2-abrmd package has been upgraded to version 2.3.3.2, which - provides multiple bug fixes. Notable changes include: -

-
-
-
    -
  • - Fixed the usage of transient handles -
  • -
  • - Fixed partial reads in TPM Command Transmission Interface (TCTI) -
  • -
  • - Refactored the access broker -
  • -
-
-

- (BZ#1855177) -

-
-

The cxgb4 driver no longer causes crash in the - kdump kernel

-

- Previously, the kdump kernel would crash while trying to save - information in the vmcore file. Consequently, the cxgb4 driver prevented the kdump kernel - from saving a core for later analysis. To work around this problem, add the novmcoredd parameter to the kdump kernel - command line to allow saving core files. -

-
-

- With the release of the RHSA-2020:1769 advisory, the kdump kernel handles this situation properly and no longer crashes. -

-

- (BZ#1708456) -

-
-
-
-
-
-

7.8. File systems and storage

-
-
-
-
-

Accessing SMB targets no longer fail with EREMOTE error

-

- Previously, mounting a DFS namespace on a RHEL SMB client with the cifsacl mount option was inaccessible and a listing failed with an - EREMOTE error. This update fixes the kernel to account for EREMOTE, and thus makes the SMB share accessible. -

-
-

- (BZ#1871246) -

-
-

Performance improvements for NFS readdir - function

-

- Previously, a process on a NFS client listing a directory could take a long time to complete the - listing, with possibility to never complete. With this update, the NFS client directory listing - performance is improved in the following scenarios: -

-
-
-
    -
  • - Listing of large directories with 100,000 or more files. -
  • -
  • - Listing of directories that are being modified. -
  • -
-
-

- (BZ#1893882) -

-
-
-
-
-
-

7.9. High availability and clusters

-
-
-
-
-

Default token timeout value in corosync.conf - file increased from 1 second to 3 seconds

-

- Previously, the TOTEM token timeout value in the corosync.conf file - was set to 1 second. This short timeout makes the cluster react quickly but in the case of - network delays it may result in premature failover. The default value is now set to 3 seconds to - provide a better trade-off between quick response and broader applicability. For information on - modifying the token timeout value, see How to change totem token timeout value in - a RHEL 5, 6, 7, or 8 High Availability cluster? -

-
-

- (BZ#1870449) -

-
-
-
-
-
-

7.10. Dynamic programming languages, web and database servers

-
-
-
-
-

An in-place upgrade is now possible when perl-Time-HiRes is installed

-

- Previously, the perl-Time-HiRes package distributed in RHEL 8 was - missing an epoch number that was included in the RHEL 7 version of the package. As a - consequence, it was impossible to perform an in-place upgrade from RHEL 7 to RHEL 8 when perl-Time-HiRes was installed. The missing epoch number has been - added, and the in-place upgrade no longer fails when perl-Time-HiRes is installed. -

-
-

- (BZ#1895852) -

-
-
-
-
-
-

7.11. Compilers and development tools

-
-
-
-
-

The glibc DNS stub resolver correctly - processes parallel queries with identical transaction IDs

-

- Prior to this update, the DNS stub resolver in the GNU C library glibc did not process responses to parallel queries with identical - transaction IDs correctly. Consequently, when the transaction IDs were equal, the second - parallel response was never matched to a query, resulting in a timeout and retry. -

-
-

- With this update, the second parallel response is now recognized as valid. As a result, the glibc DNS stub resolver avoids excessive timeouts due to unrecognized - responses. -

-

- (BZ#1868106) -

-
-

Reading configuration files with fgetsgent() - and fgetsgent_r() is now more robust

-

- Specifically structured entries in the /etc/gshadow file, or - changes in file sizes while reading, sometimes caused the fgetsgent() and fgetsgent_r() functions - to return invalid pointers. Consequently, applications that used these functions to read /etc/gshadow, or other configuration files in /etc/, failed with a segmentation fault error. This update modifies - fgetsgent() and fgetsgent_r() to make - reading of configuration files more robust. As a result, applications are now able to read - configuration files successfully. -

-
-

- (BZ#1871397) -

-
-

The glibc string functions now avoid negative - impact on system cache on AMD64 and Intel 64 processors

-

- Previously, the glibc implementation of string functions - incorrectly estimated the amount of last-level cache available to a thread on the 64-bit AMD and - Intel processors. As a consequence, calling the memcpy function on - large buffers either negatively impacted the overall cache performance of the system or slowed - down the memcpy system call. -

-
-

- With this update, the last-level cache size is no longer scaled with the number of reported hardware - threads in the system. As a result, the string functions now bypass caches for large buffers, - avoiding negative impact on the rest of the system cache. -

-

- (BZ#1880670) -

-
-

The glibc dynamic loader now avoids certain - failures of libc.so.6

-

- Previously, when the libc.so.6 shared object ran as a main program - (for example, to display the glibc version information), the glibc dynamic loader did not order relocation of libc.so.6 correctly in relation to the objects loaded using the LD_PRELOAD environment variable. Consequently, when LD_PRELOAD was set, invoking libc.so.6 - sometimes caused libc.so.6 to terminate unexpectedly with a - segmentation fault. This update fixes the bug, and the dynamic loader now correctly handles the - relocation of libc.so.6. As a result, the described problem no - longer occurs. -

-
-

- (BZ#1882466) -

-
-

The glibc dynamic linker now restricts part of - the static thread-local storage space to static TLS allocations

-

- Previously, the glibc dynamic linker used all available static - thread-local storage (TLS) space for dynamic TLS, on a first come, first served basis. - Consequently, loading additional shared objects at run time using the dlopen function sometimes failed, because dynamic TLS allocations had - already consumed all available static TLS space. This problem occurred particularly on the - 64-bit ARM architecture and IBM Power Systems. -

-
-

- Now, the dynamic linker restricts part of the static TLS area to static TLS allocations and does not - use this space for dynamic TLS optimizations. As a result, dlopen calls - succeed in more cases with the default setting. Applications that require more allocated static TLS - than the default setting allows can use a new glibc.rtld.optional_static_tls tunable. -

-

- (BZ#1871396) -

-
-

The glibc dynamic linker now disables lazy - binding for the 64-bit ARM variant calling convention

-

- Previously, the glibc dynamic linker did not disable lazy binding - for functions using the 64-bit ARM (AArch64) variant calling convention. As a consequence, the - dynamic linker corrupted arguments in such function calls, leading to incorrect results or - process failures. With this update, the dynamic linker now disables lazy binding in the - described scenario, and the function arguments are passed correctly. -

-
-

- (BZ#1893662) -

-
-

gcc rebased to version 8.4

-

- The GNU Compiler Collection (GCC) has been rebased to upstream version 8.4, which provides a - number of bug fixes over the previous version. -

-
-

- (BZ#1868446) -

-
-
-
-
-
-

7.12. Identity Management

-
-
-
-
-

The Samba wide links feature has been - converted to a VFS module

-

- Previously, the wide links parameter was part of the smbd service’s core functionality. Enabling this feature is insecure - and, therefore, has been moved into a separate virtual file system (VFS) module named widelinks. For backward compatibility, Samba in RHEL 8.4 - automatically loads this module for shares that have wide links = yes set in their configuration. -

-
-

- Important: Red Hat recommends not to use the insecure wide links - feature. Instead, use a bind mount to mount a part of the file - hierarchy to a directory that you shared in Samba. For details about configuring a bind mount, see - the Bind mount operation section in the mount(8) man page. -

-

- To switch from a configuration that uses wide links to bind mount: -

-
-
    -
  1. - For every symbolic link that links outside of a share, replace the link with a bind mount. For details, see the Bind mount operation section in the mount(8) man page. -
  2. -
  3. - Remove all wide links = yes entries from the /etc/samba/smb.conf file. -
  4. -
  5. -

    - Reload Samba: -

    -
    # smbcontrol all reload-config
    -
  6. -
-
-

- (BZ#1925192) -

-
-

Network connection idle timeouts are no longer reported as resource - errors

-

- Previously, Directory Server reported a misleading error that a resource was temporarily - unavailable when an idle network connection timed out. With this update, the error macro for - network connection idle timeouts has been changed from EAGAIN to - ETIMEDOUT, and an accurate error message describing a timeout is - written to the Directory Server access logs. -

-
-

- (BZ#1859301) -

-
-

Certificates issued by PKI ACME Responder connected to PKI CA no longer - fail OCSP validation

-

- Previously, the default ACME certificate profile provided by PKI CA contained a sample OCSP URL - that did not point to an actual OCSP service. As a consequence, if PKI ACME Responder was - configured to use a PKI CA issuer, the certificates issued by the responder could fail OCSP - validation. This update removes hard-coded URLs in the ACME certificate profile and adds an - upgrade script to fix the profile configuration file in case you did not customize it. -

-
-

- (BZ#1868233) -

-
-
-
-
-
-

7.13. Graphics infrastructures

-
-
-
-
-

Display backlight now works reliably on recent Intel laptops

-

- Certain recent laptops with Intel CPUs require a proprietary interface to control display - backlight. Previously, RHEL did not support the proprietary interface, and attempted to use the - VESA interface, which was unreliable on the laptops. As a consequence, RHEL could not control - display backlight on those laptops. -

-
-

- With this update, RHEL adds support for the proprietary backlight interface, and as a result, - display control now works as expected. -

-

- (BZ#1885406) -

-
-
-
-
-
-

7.14. Red Hat Enterprise Linux system roles

-
-
-
-
-

tests_luks.yml no longer cause partition case - fail with NVME disk

-

- Previously, NVME disks used a different partition naming convention than the one used by virtio/scsi and the Storage role did not reflect it. As a - consequence, running the Storage role with NVME disks resulted in a crash. With this fix, the - Storage RHEL system role now obtains the partition name from the blivet module. -

-
-

- (BZ#1865990) -

-
-

The selinux RHEL system role no longer uses - variable named present

-

- Previously, some tasks in the selinux RHEL system role were - incorrectly using a variable named present instead of using the - string present. As a consequence, the selinux RHEL system role returned an error informing that there is no - variable named present. This update fixes this issue, changing - those tasks to use the string present. As a result, the selinux RHEL system role works as expected, with no error message. -

-
-

- (BZ#1926947) -

-
-

Logging output no longer fails when the rsyslog-gnutls package is missing

-

- A global tls rsyslog-gnutls package is - required when the logging RHEL system role is configured to provide - secure remote input and secure forward output. Previously, thel tls - rsyslog-gnutls package was changed to install unconditionally in - the previous version. As a consequence, when the tls rsyslog-gnutls package was not available on the managed nodes, the - logging role configuration failed, even if the secure remote input - and secure forward output were not included as part of the configuration. This update fixes the - issue by examining if the secure connection is configured and checking the global tls logging_pki_files variable. The - rsyslog-gnutls package is installed only when the secure connection - is configured. As a result, the operation to configure Red Hat Enterprise Virtualization - Hypervisor to integrate elasticsearch as the logging output no - longer fails with the missing rsyslog-gnutls package. -

-
-

- (BZ#1927943) -

-
-
-
-
-
-

7.15. Virtualization

-
-
-
-
-

Connecting to the RHEL 8 guest console on a Windows Server 2019 host is no - longer slowed down

-

- Previously, when using RHEL 8 as a guest operating system in multi-user mode on a Windows Server - 2019 host, connecting to a console output of the guest currently took significantly longer than - expected. This update improves the performance of VRAM on the Hyper-V hypervisor, which fixes - the problem. -

-
-

- (BZ#1908893) -

-
-

Displaying multiple monitors of virtual machines that use Wayland is now - possible with QXL

-

- Previously, using the remote-viewer utility to display more than - one monitor of a virtual machine (VM) that was using the Wayland display server caused the VM to - become unresponsive and the Waiting for display status - message to be displayed indefinitely. The underlying code has been fixed, which prevents the - described problem from occurring. -

-
-

- (BZ#1642887) -

-
-
-
-
-
-

7.16. RHEL in cloud environments

-
-
-
-
-

GPU-optimized Azure instances now work correctly after hibernation -

-

- When running RHEL 8 as a guest operating system on a Microsoft Azure instance with GPU-optmized - virtual machine (VM) size, such as NV6, resuming the VM from hibernation previously caused the - VM’s GPU to work incorrectly. When this occurred, the kernel logged the following message: -

-
-
hv_irq_unmask() failed: 0x5
-

- With this update, the impacted VMs on Microsoft Azure handle their GPUs correctly after resuming, - which prevents the problem from occurring. -

-

- (BZ#1846838) -

-
-

The TX/RX packet counters increase as intended - after virtual machines resume from hibernation

-

- Previously, the TX/RX packet counters stopped increasing when a - RHEL 8 virtual machine using a CX4 VF NIC resumed from hibernation on Microsoft Azure. This - update resolves the issue, and the packet counters increase as intended. -

-
-

- (BZ#1876527) -

-
-

RHEL 8 virtual machines no longer fail to resume from hibernation on - Azure

-

- Previously, the GUID of the virtual function (VF), vmbus device, - changed when a RHEL 8 virtual machine (VM), with SR-IOV enabled, - was hibernated and deallocated on Microsoft Azure. Consequently, when the VM was restarted, it - failed to resume and terminated unexpectedly. With this update, the vmbus device VF no longer changes, and the VM resumes from - hibernation successfully. -

-
-

- (BZ#1876519) -

-
-

Removed a redundant error message in Hyper-V and KVM guests

-

- Previously, when a RHEL 8 guest operating system was running in a KVM or Hyper-V virtual - machine, the following error message was reported in the /var/log/messages file: -

-
-
serial8250: too much work for irq4
-

- This was a redundant error message and has now been removed. -

-

- For more information on the problem, see the Red Hat Knowledgebase solution. -

-

- (BZ#1919745) -

-
-
-
-
-
-

7.17. Containers

-
-
-
-
-

podman system connection add automatically set - the default connection

-

- Previously, the podman system connection add command did not - automatically set the first connection to be the default connection. As a consequence, you must - manually run the podman system connection default <connection_name> command to - set the default connection. With this update, the podman system connection add command works as expected. -

-
-

- (BZ#1881894) -

-
-

The podman run --pid=host works in a rootless - mode

-

- Previously, running the podman run --pid=host command as a rootless - user did not work. Consequently, an OCI permission error occurred: -

-
-
$ podman run --rm --pid=host quay.io/libpod/testimage:20200929 cat -v /proc/self/attr/current
-
-Error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: readonly path /proc/bus: operation not permitted: OCI permission denied
-

- With this update, the problem has been fixed. -

-

- (BZ#1940854) -

-
-
-
-
-
-
-

Chapter 8. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.4. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

8.1. Installer and image creation

-
-
-
-
-

Red Hat Connector available as a Technology Preview

-

- You can now connect to a RHEL system with a single command to consume Red Hat Insights and your - subscription content. Available as a Technology Preview in Red Hat Enterprise Linux 8.4, the Red - Hat connector (rhc) CLI unifies the registration experience and - eliminates the need to separately run the subscription-manager and - insights-client commands to connect to Red Hat. With Red Hat - connector and a Smart Management subscription, you can also remediate issues directly from the - cloud. -

-
-

- For more information, see the Red - Hat Connector Configuration Guide. -

-

- (BZ#1957316) -

-
-
-
-
-
-

8.2. Networking

-
-
-
-
-

Introducing bareudp device support for - encapsulating MPLS traffic over UDP tunnel as a Technology Preview

-

- The support for bareudp devices is now available with the ip link command as a Technology Preview. The bareudp devices provide L3 encapsulation tunnelling support for - routing traffic with different L3 protocols, such as unicast and multicast multi protocol label - switching (MPLS) and IPv4/IPv6 inside the UDP tunnel. You can start routing MPLS packets in UDP - with the help of adding tc filters and actions. -

-
-

- For example, to create a new bareudp device, use the following command: -

-
# ip link add dev bareudp0 type bareudp dstport 6635 ethertype mpls_uc
-

- To route MPLS incoming packets in UDP tunnel using the bareudp0 device, use the following command: -

-
# tc qdisc add dev enp1s0 ingress
-# tc filter add dev enp1s0 ingress proto mpls_uc matchall   \
-> action tunnel_key set src_ip 2001:db8::22 dst_ip 2001:db8::21 id 0   \
-> action mirred egress redirect dev bareudp0
-

- For more information about options and parameters used while creating bareudp devices, refer to the Bareudp Type Support section in the ip-link(8) man page. -

-

- (BZ#1849815) -

-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It - accompanies XDP and grants efficient redirection of - programmatically selected packets to user space applications for further processing. -

-
-

- (BZ#1633143) -

-
-

KTLS available as a Technology Preview

-

- In Red Hat Enterprise Linux 8, Kernel Transport Layer Security (KTLS) is provided as a - Technology Preview. KTLS handles TLS records using the symmetric encryption or decryption - algorithms in the kernel for the AES-GCM cipher. KTLS also provides the interface for offloading - TLS record encryption to Network Interface Controllers (NICs) that support this functionality. -

-
-

- (BZ#1570255) -

-
-

XDP features that are available as Technology Preview

-

- Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported - Technology Preview: -

-
-
-
    -
  • - Loading XDP programs on architectures other than AMD and Intel 64-bit. Note that the libxdp library is not available for architectures other than AMD - and Intel 64-bit. -
  • -
  • - The XDP hardware offloading. -
  • -
-
-

- (BZ#1889737) -

-
-

Multi-protocol Label Switching for TC available as a Technology - Preview

-

- The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route - traffic flow across enterprise networks. In an MPLS network, the router that receives packets - decides the further route of the packets based on the labels attached to the packet. With the - usage of labels, the MPLS network has the ability to handle packets with particular - characteristics. For example, you can add tc filters for managing - packets received from specific ports or carrying specific types of traffic, in a consistent way. -

-
-

- After packets enter the enterprise network, MPLS routers perform multiple operations on the packets, - such as push to add a label, swap to - update a label, and pop to remove a label. MPLS allows defining actions - locally based on one or multiple labels in RHEL. You can configure routers and set traffic control - (tc) filters to take appropriate actions on the packets based on the - MPLS label stack entry (lse) elements, such as label, traffic class, bottom of stack, and time to live. -

-

- For example, the following command adds a filter to the enp0s1 network interface to match incoming packets having the - first label 12323 and the second label 45832. On matching packets, the following actions are taken: -

-
-
    -
  • - the first MPLS TTL is decremented (packet is dropped if TTL reaches 0) -
  • -
  • - the first MPLS label is changed to 549386 -
  • -
  • -

    - the resulting packet is transmitted over enp0s2, - with destination MAC address 00:00:5E:00:53:01 - and source MAC address 00:00:5E:00:53:02 -

    -
    # tc filter add dev enp0s1 ingress protocol mpls_uc flower mpls lse depth 1 label 12323 lse depth 2 label 45832 \
    -action mpls dec_ttl pipe \
    -action mpls modify label 549386 pipe \
    -action pedit ex munge eth dst set 00:00:5E:00:53:01 pipe \
    -action pedit ex munge eth src set 00:00:5E:00:53:02 pipe \
    -action mirred egress redirect dev enp0s2
    -
  • -
-
-

- (BZ#1814836, BZ#1856415) -

-
-

act_mpls module available as a Technology - Preview

-

- The act_mpls module is now available in the kernel-modules-extra rpm as a Technology Preview. The module allows - the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control (TC) - filters, for example, push and pop MPLS label stack entries with TC filters. The module also - allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set - independently. -

-
-

- (BZ#1839311) -

-
-

Improved Multipath TCP support is available as a Technology - Preview

-

- Multipath TCP (MPTCP) improves resource usage within the network and resilience to network - failure. For example, with Multipath TCP on the RHEL server, smartphones with MPTCP v1 enabled - can connect to an application running on the server and switch between Wi-Fi and cellular - networks without interrupting the connection to the server. -

-
-

- RHEL 8.4 offers additional features, such as: -

-
-
    -
  • - Multiple concurrent active substreams -
  • -
  • - Active-backup support -
  • -
  • - Improved stream performances -
  • -
  • - Better memory usage, with receive and send buffer auto-tuning -
  • -
  • - SYN cookie support -
  • -
-
-

- Note that either the applications running on the server must natively support MPTCP or - administrators must load an eBPF program into the kernel to dynamically - change IPPROTO_TCP to IPPROTO_MPTCP. -

-

- For further details see, Getting - started with Multipath TCP. -

-

- (JIRA:RHELPLAN-57712) -

-
-

The systemd-resolved service is now available - as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, an Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- (BZ#1906489) -

-
-

The nispor package is now available as a - Technology Preview

-

- The nispor package is now available as a Technology Preview, which - is a unified interface for Linux network state querying. It provides a unified way to query all - running network status through the python and C api, and rust crate. nispor works as the dependency in the nmstate tool. -

-
-

- You can install the nispor package as a dependency of nmstate or as an individual package. -

-
-
    -
  • -

    - To install nispor as an individual package, enter: -

    -
    # yum install nispor
    -
  • -
  • -

    - To install nispor as a dependency of nmstate, enter: -

    -
    # yum install nmstate
    -

    - nispor is listed as the dependency. -

    -
  • -
-
-

- For more information on using nispor, refer to /usr/share/doc/nispor/README.md file. -

-

- (BZ#1848817) -

-
-
-
-
-
-

8.3. Kernel

-
-
-
-
-

The kexec fast reboot feature is available as Technology Preview -

-

- The kexec fast reboot feature continues to be available as a - Technology Preview. kexec fast reboot significantly speeds the boot - process by allowing the kernel to boot directly into the second kernel without passing through - the Basic Input/Output System (BIOS) first. To use this feature: -

-
-
-
    -
  1. - Load the kexec kernel manually. -
  2. -
  3. - Reboot the operating system. -
  4. -
-
-

- (BZ#1769727) -

-
-

The accel-config package available as a - Technology Preview

-

- The accel-config package is now available on Intel EM64T and AMD64 architectures for RHEL - 8.4 as a Technology Preview. This package helps in controlling and configuring data-streaming - accelerator (DSA) sub-system in the Linux Kernel. Also, it configures devices via sysfs (pseudo-filesystem), saves and loads the configuration in the - json format. -

-
-

- (BZ#1843266) -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. This release - initiates the kernel support for SGX v1 and v1.5. The version 1 enables platforms using the - Flexible Launch Control mechanism to use the - SGX technology. -

-
-

- (BZ#1660337) -

-
-

eBPF available as a - Technology Preview

-

- Extended Berkeley Packet Filter (eBPF) is an - in-kernel virtual machine that allows code execution in the kernel space, in the restricted - sandbox environment with access to a limited set of functions. -

-
-

- The virtual machine includes a new system call bpf(), which supports - creating various types of maps, and also allows to load programs in a special assembly-like code. - The code is then loaded to the kernel and translated to the native machine code with just-in-time - compilation. Note that the bpf() syscall can be successfully used only - by a user with the CAP_SYS_ADMIN capability, such as the root user. See - the bpf(2) manual page for more information. -

-

- The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet - reception) to receive and process data. -

-

- There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a - different development phase, and thus not all components are currently fully supported. All - components are available as a Technology Preview, unless a specific component is indicated as - supported. -

-

- The following notable eBPF components are - currently available as a Technology Preview: -

-
-
    -
  • - bpftrace, a high-level tracing language that utilizes the eBPF virtual machine. -
  • -
  • - AF_XDP, a socket for connecting the eXpress Data Path (XDP) path to user space - for applications that prioritize packet processing performance. -
  • -
-
-

- (BZ#1559616) -

-
-

The data streaming accelerator driver for kernel is available as a - Technology Preview

-

- The data streaming accelerator (DSA) driver for the kernel is currently available as a - Technology Preview. DSA is an Intel CPU integrated accelerator and supports a shared work queue - with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- (BZ#1837187) -

-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol which - implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which supports - two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL - 8. -

-
-

- (BZ#1605216) -

-
-
-
-
-
-

8.4. File systems and storage

-
-
-
-
-

NVMe/TCP is available as a Technology Preview

-

- Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) - and its corresponding nvme-tcp.ko and nvmet-tcp.ko kernel modules have been added as a Technology Preview. -

-
-

- The use of NVMe/TCP as either a storage client or a target is manageable with tools provided by the - nvme-cli and nvmetcli packages. -

-

- The NVMe/TCP target Technology Preview is included only for testing purposes and is not currently - planned for full support. -

-

- (BZ#1696451) -

-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8, file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address space. To - use DAX, a system must have some form of persistent memory available, usually in the form of one - or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX - must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a - file on the dax-mounted file system results in a direct mapping of storage into the - application’s address space. -

-
-

- (BZ#1627455) -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top of - another. Changes are recorded in the upper file system, while the lower file system remains - unmodified. This allows multiple users to share a file-system image, such as a container or a - DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings - when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other specialized - use cases, such as squashed kdump initramfs. Its use is - supported primarily for container COW content, not for persistent storage. You must place - any persistent storage on non-OverlayFS volumes. You can use only the default container - engine configuration: one level of overlay, one lowerdir, and both lower and upper levels - are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might change - in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped with - MAP_SHARED are inconsistent with subsequent - modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on RHEL - 8, but you can enable full POSIX compliance for them with a module option or - mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and index=on options to improve POSIX compliance. - These two options make the format of the upper layer incompatible with an - overlay without these options. That is, you might get unexpected results or - errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, use - the following command and see if the ftype=1 option is - enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel - documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- (BZ#1690207) -

-
-

Stratis is now available as a Technology Preview

-

- Stratis is a new local storage manager. It provides managed file systems on top of pools of - storage with additional features to the user. -

-
-

- Stratis enables you to more easily perform storage tasks such as: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- RHEL 8.3 updated Stratis to version 2.1.0. For more information, see Stratis 2.1.0 Release - Notes. -

-

- (JIRA:RHELPLAN-1212) -

-
-

IdM now supports setting up a Samba server on an IdM domain member as a - Technology Preview

-

- With this update, you can now set up a Samba server on an Identity Management (IdM) domain - member. The new ipa-client-samba utility provided by the same-named - package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For - example, the utility creates the /etc/samba/smb.conf with the ID - mapping configuration for the sss ID mapping back end. As a result, - administrators can now set up Samba on an IdM domain member. -

-
-

- Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts - cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support - resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) - protocols. As a consequence, AD users can only access the Samba shares and printers from IdM - clients. -

-

- For details, see Setting - up Samba on an IdM domain member. -

-

- (JIRA:RHELPLAN-13195) -

-
-
-
-
-
-

8.5. High availability and clusters

-
-
-
-
-

Local mode version of pcs cluster setup - command available as a Technology Preview

-

- By default, the pcs cluster setup command automatically - synchronizes all configuration files to the cluster nodes. Since Red Hat Enterprise Linux 8.3, - the pcs cluster setup command provides the --corosync-conf option as a Technology Preview. Specifying this - option switches the command to local mode. In this mode, pcs creates a corosync.conf file and - saves it to a specified file on the local node only, without communicating with any other node. - This allows you to create a corosync.conf file in a script and - handle that file by means of the script. -

-
-

- (BZ#1839637) -

-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on Podman, with the container bundle feature being available - as a Technology Preview. There is one exception to this feature being Technology Preview: Red - Hat fully supports the use of Pacemaker bundles for Red Hat Openstack. -

-
-

- (BZ#1619620) -

-
-

Heuristics in corosync-qdevice available as a - Technology Preview

-

- Heuristics are a set of commands executed locally on startup, cluster membership change, - successful connect to corosync-qnetd, and, optionally, on a - periodic basis. When all commands finish successfully on time (their return error code is zero), - heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which - partition should be quorate. -

-
-

- (BZ#1784200) -

-
-

New fence-agents-heuristics-ping fence - agent

-

- As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of - experimental fence agents that do no actual fencing by themselves but instead exploit the - behavior of fencing levels in a new way. -

-
-

- If the heuristics agent is configured on the same fencing level as the fence agent that does the - actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the - agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to - succeed, causing Pacemaker fencing to skip the step of issuing the off - action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent - the agent that does the actual fencing from fencing a node under certain conditions. -

-

- A user might want to use this agent, especially in a two-node cluster, when it would not make sense - for a node to fence the peer if it can know beforehand that it would not be able to take over the - services properly. For example, it might not make sense for a node to take over services if it has - problems reaching the networking uplink, making the services unreachable to clients, a situation - which a ping to a router might detect in that case. -

-

- (BZ#1775847) -

-
-
-
-
-
-

8.6. Identity Management

-
-
-
-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- (BZ#1664719) -

-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

-
- -
-

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- (BZ#1664718) -

-
-

ACME available as a Technology Preview

-

- The Automated Certificate Management Environment (ACME) service is now available in Identity - Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation - and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and - avoiding manual processes from certificate lifecycle management. -

-
-

- In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS - ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM - deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity - period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire - IdM deployment. -

-
-
Important
-
-

- It is recommended to enable ACME only in an IdM deployment where all servers are running - RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause - problems in mixed-version deployments. For example, a CA server without ACME can cause - client connections to fail, because it uses a different DNS Subject Alternative Name (SAN). -

-
-
-
-
Warning
-
-

- Currently, RHCS does not remove expired certificates. Because ACME certificates expire after - 90 days, the expired certificates can accumulate and this can affect performance. -

-
-
-
-
    -
  • -

    - To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command: -

    -
    # ipa-acme-manage enable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command: -

    -
    # ipa-acme-manage disable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To check whether the ACME service is installed and if it is enabled or disabled, use the - ipa-acme-manage status command: -

    -
    # ipa-acme-manage status
    -ACME is enabled
    -The ipa-acme-manage command was successful
    -
  • -
-
-

- (JIRA:RHELPLAN-58596) -

-
-
-
-
-
-

8.7. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is now available for the 64-bit ARM architecture as a Technology - Preview. This enables administrators to configure and manage servers from a graphical user - interface (GUI) remotely, using the VNC session. -

-
-

- As a consequence, new administration applications are available on the 64-bit ARM architecture. For - example: Disk Usage Analyzer (baobab), Firewall - Configuration (firewall-config), Red Hat Subscription Manager (subscription-manager), or the Firefox web browser. Using Firefox, administrators can connect to the local - Cockpit daemon remotely. -

-

- (JIRA:RHELPLAN-27394, BZ#1667225, BZ#1667516, BZ#1724302) -

-
-

GNOME desktop on IBM Z is available as a Technology Preview

-

- The GNOME desktop, including the Firefox web browser, is now available as a Technology Preview - on the IBM Z architecture. You can now connect to a remote graphical session running GNOME using - VNC to configure and manage your IBM Z servers. -

-
-

- (JIRA:RHELPLAN-27737) -

-
-
-
-
-
-

8.8. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available - as a Technology Preview. Note that the rest of the graphics stack is currently unverified for - the 64-bit ARM architecture. -

-
-

- (BZ#1698565) -

-
-

Intel Tiger Lake graphics available as a Technology Preview

-

- Intel Tiger Lake UP3 and UP4 Xe graphics are now available as a Technology Preview. -

-
-

- To enable hardware acceleration with Intel Tiger Lake graphics, add the following option on the - kernel command line: -

-
i915.force_probe=pci-id
-

- In this option, replace pci-id with one of the following: -

-
-
    -
  • - The PCI ID of your Intel GPU -
  • -
  • - The * character to enable the i915 - driver with all alpha-quality hardware -
  • -
-
-

- (BZ#1783396) -

-
-
-
-
-
-

8.9. Red Hat Enterprise Linux system roles

-
-
-
-
-

HA Cluster RHEL system role available as a Technology Preview

-

- The High Availability Cluster (HA Cluster) role is now available as a Technology Preview. - Currently, the following notable configurations are available: -

-
-
-
    -
  • - Configuring clusters running no fencing and no resources -
  • -
  • - Configuring multi-link clusters -
  • -
  • - Configuring custom cluster names and node names -
  • -
  • - Configuring whether clusters start automatically on boot -
  • -
-
-

- (BZ#1893743) -

-
-

The postfix role of RHEL system roles - available as a Technology Preview

-

- Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat Enterprise - Linux subsystems, which makes system configuration easier through the inclusion of Ansible - Roles. This interface enables managing system configurations across multiple versions of Red Hat - Enterprise Linux, as well as adopting new major releases. -

-
-

- The rhel-system-roles packages are distributed through the AppStream - repository. -

-

- The postfix role is available as a Technology Preview. -

-

- The following roles are fully supported: -

-
-
    -
  • - kdump -
  • -
  • - network -
  • -
  • - selinux -
  • -
  • - storage -
  • -
  • - timesync -
  • -
-
-

- For more information, see the Knowledgebase article about RHEL system roles. -

-

- (BZ#1812552) -

-
-
-
-
-
-

8.10. Virtualization

-
-
-
-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines -

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a - Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel systems. In addition, nested virtualization is - in some cases not enabled by default on Hyper-V. To enable it, see the following Microsoft - documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- (BZ#1519039) -

-
-

AMD SEV for KVM virtual machines

-

- As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts VM memory so that the host cannot access data on the VM. This increases the security of - the VM if the host is successfully infected by malware. -

-
-

- Note that the number of VMs that can use this feature at a time on a single host is determined by - the host hardware. Current AMD EPYC processors support up to 509 running VMs using SEV. -

-

- Also note that for VMs with SEV configured to be able to boot, you must also configure the VM with a - hard memory limit. To do so, add the following to the VM’s XML configuration: -

-
<memtune>
-<hard_limit unit='KiB'>N</hard_limit>
-</memtune>
-

- The recommended value for N is equal to or greater then the guest RAM + 256 MiB. For example, if the - guest is assigned 2 GiB RAM, N should be 2359296 or greater. -

-

- (BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677) -

-
-

Intel vGPU

-

- As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. -

-

- In addition, it is possible to enable a VNC console operated by Intel vGPU. By enabling it, users - can connect to a VNC console of the VM and see the VM’s desktop hosted by Intel vGPU. However, this - currently only works for RHEL guest operating systems. -

-

- (BZ#1528684) -

-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on Intel, AMD64, and IBM Z systems hosts with RHEL 8. With this feature, a RHEL 7 or - RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs. -

-
-

- (JIRA:RHELPLAN-14047, JIRA:RHELPLAN-24437) -

-
-

Select Intel network adapters now support SR-IOV in RHEL guests on - Hyper-V

-

- As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V - hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network - adapters supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions - are met: -

-
-
-
    -
  • - SR-IOV support is enabled for the network interface controller (NIC) -
  • -
  • - SR-IOV support is enabled for the virtual NIC -
  • -
  • - SR-IOV support is enabled for the virtual switch -
  • -
  • - The virtual function (VF) from the NIC is attached to the virtual machine -
  • -
-
-

- The feature is currently supported with Microsoft Windows Server 2019 and 2016. -

-

- (BZ#1348508) -

-
-

ESXi hypervisor and SEV-ES available as a Technology Preview for RHEL - VMs

-

- As a Technology Preview, in RHEL 8.4 and later, you can enable the AMD Secure Encrypted - Virtualization-Encrypted State (SEV-ES) to secure RHEL virtual machines (VMs) on VMware’s ESXi - hypervisor, versions 7.0.2 and later. -

-
-

- (BZ#1904496) -

-
-
-
-
-
-

8.11. Containers

-
-
-
-
-

CNI plugins are available in Podman as a Technology Preview

-

- CNI plugins are now available to use in Podman rootless mode as a Technology Preview. To enable - this feature, users are required to build their own rootless CNI infrastructure container image. -

-
-

- (BZ#1932083) -

-
-

The crun is available as a Technology - Preview

-

- The crun OCI runtime is now available for the container-tools:rhel8 module as a Technology Preview. The crun container runtime supports an annotation that allows the - container to access the rootless user’s additional groups. This is useful for volume mounting in - a directory where setgid is set, or where the user only has group access. Currently, neither the - crun or runc runtimes fully support - cgroupsv2. -

-
-

- (BZ#1841438) -

-
-

A podman container image is available as a - Technology Preview

-

- The registry.redhat.io/rhel8/podman container image is a - containerized implementation of the podman package. The podman tool is used for managing containers and images, volumes - mounted into those containers, and pods made of groups of containers. -

-
-

- (JIRA:RHELPLAN-56659) -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- (JIRA:RHELDOCS-16861) -

-
-
-
-
-
-
-

Chapter 9. Deprecated functionality

-
-
-
-

- This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8. -

-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

9.1. Installer and image creation

-
-
-
-
-

Several Kickstart commands and options have been deprecated

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in the - logs. -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still available - and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- (BZ#1642765) -

-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you modify - your Kickstart file to remove the option. -

-
-

- (BZ#1637872) -

-
-

The Kickstart autostep command has been - deprecated

-

- The autostep command has been deprecated. The related section about - this command has been removed from the RHEL - 8 documentation. -

-
-

- (BZ#1904251) -

-
-

lorax-composer back end for Image Builder is - deprecated in RHEL 8

-

- The previous back end lorax-composer for Image Builder is - considered deprecated. It will only receive select fixes for the rest of the Red Hat Enterprise - Linux 8 life cycle and will be omitted from future major releases.  Red Hat recommends that you - uninstall lorax-composer the and install osbuild-composer back end instead. -

-
-

- See Composing - a customized RHEL system image for more details. -

-

- (BZ#1893767) -

-
-
-
-
-
-

9.2. Software management

-
-
-
-
-

rpmbuild --sign is deprecated

-

- With this update, the rpmbuild --sign command has become - deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an - error. It is recommended that you use the rpmsign command instead. -

-
-

- (BZ#1688849) -

-
-
-
-
-
-

9.3. Shells and command-line tools

-
-
-
-
-

The OpenEXR component has been - deprecated

-

- The OpenEXR component has been deprecated. Hence, the support for - the EXR image format has been dropped from the imagecodecs module. -

-
-

- (BZ#1886310) -

-
-

Metalink support for curl has been disabled.

-

- A flaw was found in curl functionality in the way it handles credentials and file hash mismatch - for content downloaded using the Metalink. This flaw allows malicious actors controlling a - hosting server to: -

-
-
-
    -
  • - Trick users into downloading malicious content -
  • -
  • - Gain unauthorized access to provided credentials without the user’s knowledge -
  • -
-
-

- The highest threat from this vulnerability is confidentiality and integrity. To avoid this, the - Metalink support for curl has been disabled from Red Hat Enterprise Linux 8.2.0.z. -

-

- As a workaround, execute the following command, after the Metalink file is downloaded: -

-
wget --trust-server-names --input-metalink`
-

- For example: -

-
wget --trust-server-names --input-metalink <(curl -s $URL)
-

- (BZ#1999620) -

-
-
-
-
-
-

9.4. Security

-
-
-
-
-

NSS SEED ciphers are deprecated

-

- The Mozilla Network Security Services (NSS) library will not - support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth - transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends - enabling support for other cipher suites. -

-
-

- Note that SEED ciphers are already disabled by default in RHEL. -

-

- (BZ#1817533) -

-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal - and the update-crypto-policies(8) man page. -

-

- (BZ#1660839) -

-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. - Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note - that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- (BZ#1646541) -

-
-

SSL2 Client Hello - has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and earlier - allow to start a negotiation with a Client Hello message formatted - in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature - may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- (BZ#1645153) -

-
-

TPM 1.2 is deprecated

-

- The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to version - 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible - with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next - major release. -

-
-

- (BZ#1657927) -

-
-

Runtime disabling SELinux using /etc/selinux/config is now deprecated

-

- Runtime disabling SELinux using the SELINUX=disabled option in the - /etc/selinux/config file has been deprecated. In RHEL 9, when you - disable SELinux only through /etc/selinux/config, the system starts - with SELinux enabled but with no policy loaded. -

-
-

- If your scenario really requires to completely disable SELinux, Red Hat recommends disabling SELinux - by adding the selinux=0 parameter to the kernel command line as - described in the Changing - SELinux modes at boot time section of the Using - SELinux title. -

-

- (BZ#1932222) -

-
-

ipa SELinux module removed from selinux-policy

-

- The ipa SELinux module has been removed from the selinux-policy package, because it is no longer maintained. The - functionality is now included in the ipa-selinux subpackage. If you - need to use types or interfaces from the ipa module in a local - SELinux policy, install the ipa-selinux package. -

-
-

- (BZ#1461914) -

-
-
-
-
-
-

9.5. Networking

-
-
-
-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by - default. The basic installation provides a new version of the ifup - and ifdown scripts which call the NetworkManager service through the nmcli tool. In Red Hat Enterprise Linux 8, to - run the ifup and the ifdown scripts, - NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts - are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
~]# yum install network-scripts
-

- The ifup and ifdown scripts link to the - installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- (BZ#1647725) -

-
-

The dropwatch tool is deprecated

-

- The dropwatch tool has been deprecated. The tool will not be - supported in future releases. Thus the tool is not recommended for new deployments As a - replacement of this package, Red Hat recommends to use the perf command line tool. -

-
-

- For more information on using the perf command line tool, - see the Getting - started with Perf section on the Red Hat customer portal or the perf man page. -

-

- (BZ#1929173) -

-
-

The term slaves is deprecated in the nmstate API

-

- Red Hat is committed to using conscious language. Therefore the slaves term is deprecated in the Nmstate API. Use the term port when you use nmstatectl. -

-
-

- (JIRA:RHELDOCS-17641) -

-
-
-
-
-
-

9.6. Kernel

-
-
-
-
-

Installing RHEL for Real Time 8 using diskless boot is now - deprecated

-

- Diskless booting allows multiple systems to share a root file system via the network. While - convenient, diskless boot is prone to introducing network latency in realtime workloads. With a - future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be - supported. -

-
-

- (BZ#1748980) -

-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is - a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is - available as an unsupported Technology Preview. However, due to stability issues, this feature - has been deprecated and will be removed in RHEL 9. -

-
-

- (BZ#1878207) -

-
-
-
-
-
-

9.7. Platform enablement

-
-
-
-
-

The Linux firewire sub-system and its - associated user-space components are deprecated in RHEL 8

-

- The firewire sub-system provides interfaces to use and maintain any - resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer - be supported in the kernel package. -

-
-

- Note that firewire contains several user-space components provided by - the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as - well. -

-

- (BZ#1871863) -

-
-
-
-
-
-

9.8. File systems and storage

-
-
-
-
-

The elevator kernel command line parameter is - deprecated

-

- The elevator kernel command line parameter was used in earlier RHEL - releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is typically - the optimal setting. If you require a different scheduler, Red Hat recommends that you use udev rules or the Tuned service to configure it. Match the selected - devices and switch the scheduler only for those devices. -

-

- For more information, see Setting - the disk scheduler. -

-

- (BZ#1665295) -

-
-

LVM mirror is deprecated

-

- The LVM mirror segment type is now deprecated. Support for mirror will be removed in a future major release of RHEL. -

-
-

- Red Hat recommends that you use LVM RAID 1 devices with a segment type of raid1 instead of mirror. The raid1 segment type is the default RAID configuration type and replaces - mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 logical volume. -

-

- LVM mirror has several known issues. For details, see known issues - in file systems and storage. -

-

- (BZ#1827628) -

-
-

peripety is deprecated

-

- The peripety package is deprecated since RHEL 8.3. -

-
-

- The Peripety storage event notification daemon parses system storage logs into structured storage - events. It helps you investigate storage issues. -

-

- (BZ#1871953) -

-
-

VDO write modes other than async are deprecated

-

- VDO supports several write modes in RHEL 8: -

-
-
-
    -
  • - sync -
  • -
  • - async -
  • -
  • - async-unsafe -
  • -
  • - auto -
  • -
-
-

- Starting with RHEL 8.4, the following write modes are deprecated: -

-
-
-
sync
-
- Devices above the VDO layer cannot recognize if VDO is synchronous, and consequently, the - devices cannot take advantage of the VDO sync mode. -
-
async-unsafe
-
- VDO added this write mode as a workaround for the reduced performance of async mode, which complies to Atomicity, Consistency, Isolation, - and Durability (ACID). Red Hat does not recommend async-unsafe - for most use cases and is not aware of any users who rely on it. -
-
auto
-
- This write mode only selects one of the other write modes. It is no longer necessary when - VDO supports only a single write mode. -
-
-
-

- These write modes will be removed in a future major RHEL release. -

-

- The recommended VDO write mode is now async. -

-

- For more information on VDO write modes, see Selecting - a VDO write mode. -

-

- (JIRA:RHELPLAN-70700) -

-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. - This change affects only NFS version 3 because version 4 requires the Transmission Control - Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- (BZ#1592011) -

-
-

cramfs has been deprecated

-

- Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution. -

-
-

- (BZ#1794513) -

-
-
-
-
-
-

9.9. High availability and clusters

-
-
-
-
-

pcs commands that support the clufter tool have been deprecated

-

- The pcs commands that support the clufter tool for analyzing cluster configuration formats have been - deprecated. These commands now print a warning that the command has been deprecated and sections - related to these commands have been removed from the pcs help - display and the pcs(8) man page. -

-
-

- (BZ#1851335) -

-
-
-
-
-
-

9.10. Compilers and development tools

-
-
-
-
-

The gdb.i686 packages are deprecated -

-

- In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another - package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions - of GDB, gdb.x86_64, are fully capable of debugging 32-bit - applications. -

-
-

- If you use gdb.i686 note the following important issues: -

-
-
    -
  • - The gdb.i686 packages will no longer be updated. Users must - install gdb.x86_64 instead. -
  • -
  • - If you have gdb.i686 installed, installing gdb.x86_64 will cause dnf to report - package gdb-8.2-14.el8.x86_64 obsoletes gdb < 8.2-14.el8 provided by gdb-8.2-12.el8.i686. - This is expected. Either uninstall gdb.i686 or pass dnf the --allowerasing option to - remove gdb.i686 and install gdb.x8_64. -
  • -
  • - Users will no longer be able to install the gdb.i686 packages - on 64-bit systems, that is, those with the libc.so.6()(64-bit) - packages. -
  • -
-
-

- (BZ#1853140) -

-
-

libdwarf has been deprecated

-

- The libdwarf library has been deprecated in RHEL 8. The library - will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for - applications that wish to process ELF/DWARF files. -

-
-

- Alternatives for the libdwarf-tools dwarfdump program are the binutils readelf program or the elfutils eu-readelf program, both used by passing the --debug-dump flag. -

-

- (BZ#1920624) -

-
-
-
-
-
-

9.11. Identity Management

-
-
-
-
-

openssh-ldap has been deprecated

-

- The openssh-ldap subpackage has been deprecated in Red Hat - Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat - recommends using SSSD and the sss_ssh_authorizedkeys helper, which - integrate better with other IdM solutions and are more secure. -

-
-

- By default, the SSSD ldap and ipa - providers read the sshPublicKey LDAP attribute of the user object, if - available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from - Active Directory (AD), since AD does not have a default LDAP attribute to store a public key. -

-

- To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, - enable the ssh responder by adding ssh to - the services option in the sssd.conf file. - See the sssd.conf(5) man page for details. -

-

- To allow sshd to use sss_ssh_authorizedkeys, add the AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page. -

-

- (BZ#1871025) -

-
-

DES and 3DES encryption types have been removed

-

- Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and - disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) - and triple-DES (3DES) encryption types have been removed from RHEL 8. -

-
-

- If you have configured services or users to only use DES or 3DES encryption, you might experience - service interruptions such as: -

-
-
    -
  • - Kerberos authentication errors -
  • -
  • - unknown enctype encryption errors -
  • -
  • - Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (K/M) fail to start -
  • -
-
-

- Perform the following actions to prepare for the upgrade: -

-
-
    -
  1. - Check if your KDC uses DES or 3DES encryption with the krb5check open source Python scripts. See krb5check on GitHub. -
  2. -
  3. - If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a - supported encryption type, such as Advanced Encryption Standard (AES). For instructions on - re-keying, see Retiring - DES from MIT Kerberos Documentation. -
  4. -
  5. -

    - Test independence from DES and 3DES by temporarily setting the following Kerberos - options before upgrading: -

    -
    -
      -
    1. - In /var/kerberos/krb5kdc/kdc.conf on the KDC, set - supported_enctypes and do not include des or des3. -
    2. -
    3. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set allow_weak_crypto to false. It is false by default. -
    4. -
    5. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set permitted_enctypes, default_tgs_enctypes, and default_tkt_enctypes and do not include des or des3. -
    6. -
    -
    -
  6. -
  7. - If you do not experience any service interruptions with the test Kerberos settings from the - previous step, remove them and upgrade. You do not need those settings after upgrading to - the latest Kerberos packages. -
  8. -
-
-

- (BZ#1877991) -

-
-

Standalone use of the ctdb service has been - deprecated

-

- As of RHEL 8.4, customers are advised to use the ctdb clustered - Samba service only when both of the following conditions apply: -

-
-
-
    -
  • - The ctdb service is managed as a pacemaker resource with the resource-agent ctdb. -
  • -
  • - The ctdb service uses storage volumes that contain either a - GlusterFS file system provided by the Red Hat Gluster Storage product or a GFS2 file system. -
  • -
-
-

- The stand-alone use case of the ctdb service has been deprecated and - will not be included in a next major release of Red Hat Enterprise Linux. For further information on - support policies for Samba, see the Knowledgebase article Support Policies for RHEL Resilient Storage - - ctdb General Policies. -

-

- (BZ#1916296) -

-
-

Running Samba as a PDC or BDC is deprecated

-

- The classic domain controller mode that enabled administrators to run Samba as an NT4-like - primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and - settings to configure these modes will be removed in a future Samba release. -

-
-

- As long as the Samba version in RHEL 8 provides the PDC and BDC modes, Red Hat supports these modes - only in existing installations with Windows versions which support NT4 domains. Red Hat recommends - not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and - Windows Server 2008 R2 do not support NT4 domains. -

-

- If you use the PDC to authenticate only Linux users, Red Hat suggests migrating to Red Hat Identity Management - (IdM) that is included in RHEL subscriptions. However, you cannot join Windows systems to an - IdM domain. Note that Red Hat continues supporting the PDC functionality IdM uses in the background. -

-

- Red Hat does not support running Samba as an AD domain controller (DC). -

-

- (BZ#1926114) -

-
-

The SSSD version of libwbclient has been deprecated

-

- The SSSD implementation of the libwbclient package was added to - allow the Samba smbd service to retrieve user and group information - from AD without the need to run the winbind service. As Samba now - requires that the winbind service is running and handling - communication with AD, the related code has been removed from smdb - for security reasons. As this additional required functionality is not part of SSSD and the SSSD - implementation of libwbclient cannot be used with recent versions - of Samba, the SSSD implementation of libwbclient is being - deprecated. -

-
-

- (BZ#1881992) -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- Jira:RHELDOCS-16612 -

-
-
-
-
-
-

9.12. Desktop

-
-
-
-
-

The libgnome-keyring library has been - deprecated

-

- The libgnome-keyring library has been deprecated in favor of the - libsecret library, as libgnome-keyring - is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. - The new libsecret library is the replacement that follows the - necessary security standards. -

-
-

- (BZ#1607766) -

-
-
-
-
-
-

9.13. Graphics infrastructures

-
-
-
-
-

AGP graphics cards are no longer supported

-

- Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat - Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement. -

-
-

- (BZ#1569610) -

-
-
-
-
-
-

9.14. The web console

-
-
-
-
-

The web console no longer supports incomplete translations

-

- The RHEL web console no longer provides translations for languages that have translations - available for less than 50 % of the Console’s translatable strings. If the browser requests - translation to such a language, the user interface will be in English instead. -

-
-

- (BZ#1666722) -

-
-
-
-
-
-

9.15. Red Hat Enterprise Linux System Roles

-
-
-
-
-

The geoipupdate package has been - deprecated

-

- The geoipupdate package requires a third-party subscription and it - also downloads proprietary content. Therefore, the geoipupdate - package has been deprecated, and will be removed in the next major RHEL version. -

-
-

- (BZ#1874892) -

-
-
-
-
-
-

9.16. Virtualization

-
-
-
-
-

SPICE has been deprecated

-

- The SPICE remote display protocol has become deprecated. As a result, SPICE will remain - supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display - streaming: -

-
-
-
    -
  • - For remote console access, use the VNC protocol. -
  • -
  • - For advanced remote display functions, use third party tools such as RDP, HP RGS, or - Mechdyne TGX. -
  • -
-
-

- Note that the QXL graphics device, which is used - by SPICE, has become deprecated as well. -

-

- (BZ#1849563) -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL 8 - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager may not be yet - available the RHEL 8 web console. -

-
-

- (JIRA:RHELPLAN-10304) -

-
-

Virtual machine snapshots are not properly supported in RHEL 8

-

- The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it is - not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL 8. -

-
-

- Note that a new VM snapshot mechanism is under development and will be fully implemented in a future - minor release of RHEL 8. -

-

- (BZ#1686057) -

-
-

The Cirrus VGA virtual - GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA. -

-
-

- (BZ#1651994) -

-
-

KVM on IBM POWER has been deprecated

-

- Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM - POWER is still supported in RHEL 8, but will become unsupported in a future major release of - RHEL. -

-
-

- (JIRA:RHELPLAN-71200) -

-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. -

-
-

- Instead, Red Hat recommends using signatures based on the SHA2 algorithm, or later. -

-

- (BZ#1935497) -

-
-
-
-
-
-

9.17. Containers

-
-
-
-
-

The Podman varlink-based API v1.0 has been removed

-

- The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 - introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API - v1.0 has been completely removed. -

-
-

- (JIRA:RHELPLAN-45858) -

-
-

container-tools:1.0 has been - deprecated

-

- The container-tools:1.0 module has been deprecated and will no - longer receive security updates. It is recommended to use a newer supported stable module - stream, such as container-tools:2.0 or container-tools:3.0. -

-
-

- (JIRA:RHELPLAN-59825) -

-
-
-
-
-
-

9.18. Deprecated packages

-
-
-
-

- The following packages have been deprecated and will probably not be included in a future major - release of Red Hat Enterprise Linux: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - authd -
  • -
  • - custodia -
  • -
  • - firewire -
  • -
  • - geoipupdate -
  • -
  • - hostname -
  • -
  • - isl -
  • -
  • - isl-devel -
  • -
  • - libavc1394 -
  • -
  • - libdc1394 -
  • -
  • - libdwarf -
  • -
  • - libdwarf-devel -
  • -
  • - libdwarf-static -
  • -
  • - libdwarf-tools -
  • -
  • - libidn -
  • -
  • - libpng12 -
  • -
  • - libraw1394 -
  • -
  • - lorax-composer -
  • -
  • - mailman -
  • -
  • - mailx - replaced by s-nail -
  • -
  • - mercurial -
  • -
  • - ncompress -
  • -
  • - net-tools -
  • -
  • - netcf -
  • -
  • - netcf-libs -
  • -
  • - network-scripts -
  • -
  • - nss_nis -
  • -
  • - nss-pam-ldapd -
  • -
  • - openssh-ldap -
  • -
  • - parfait -
  • -
  • - peripety -
  • -
  • - perl-prefork -
  • -
  • - perl-Sys-Virt -
  • -
  • - python3-nose -
  • -
  • - python3-pymongo -
  • -
  • - python3-pytoml - replaced by python3-toml -
  • -
  • - python3-virtualenv - use the venv module in Python 3 instead -
  • -
  • - redhat-support-lib-python -
  • -
  • - redhat-support-tool -
  • -
  • - scala -
  • -
  • - sendmail -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
  • - xdelta -
  • -
  • - xinetd -
  • -
-
-
-
-
-
-
-

9.19. Deprecated devices

-
-
-
-

- This section lists devices (drivers, adapters) that continue to be supported until the end of life - of RHEL 8 but will likely not be supported in future major releases of this product and are not - recommended for new deployments. Support for devices other than those listed remains unchanged. -

-

- PCI IDs are in the format of vendor:device:subvendor:subdevice. If the subdevice or subvendor:subdevice entry is not listed, devices with any - values of such missing entries have been deprecated. To check the PCI IDs of the hardware on your - system, run the lspci -nn command. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device typeDriverDeviceDevice ID
-

- PCI -

-
-

- bnx2 -

-
  
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x3239:0x103C:0x21C4 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x3239:0x103C:0x21C9 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x3239:0x103C:0x21CC -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x3239:0x103C:0x21CD -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x3239:0x103C:0x21CE -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323a:0x103C:0x3233 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323a:0x103C:0x3241 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323a:0x103C:0x3243 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323a:0x103C:0x3245 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323a:0x103C:0x3247 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323a:0x103C:0x3249 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323a:0x103C:0x324A -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323a:0x103C:0x324B -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323b:0x103C:0x3350 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323b:0x103C:0x3351 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323b:0x103C:0x3352 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323b:0x103C:0x3353 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323b:0x103C:0x3354 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323b:0x103C:0x3355 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x323b:0x103C:0x3356 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x103C:0x333f:0x103c:0x333f -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x9005:0x0290:0x9005:0x0580 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x9005:0x0290:0x9005:0x0581 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x9005:0x0290:0x9005:0x0582 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x9005:0x0290:0x9005:0x0583 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x9005:0x0290:0x9005:0x0584 -

-
-

- PCI -

-
-

- hpsa -

-
  -

- 0x9005:0x0290:0x9005:0x0585 -

-
-

- PCI -

-
-

- lpfc -

-
  -

- 0x10df:0x0724 -

-
-

- PCI -

-
-

- lpfc -

-
  -

- 0x10df:0xe200 -

-
-

- PCI -

-
-

- lpfc -

-
  -

- 0x10df:0xe220 -

-
-

- PCI -

-
-

- lpfc -

-
  -

- 0x10df:0xf011 -

-
-

- PCI -

-
-

- lpfc -

-
  -

- 0x10df:0xf015 -

-
-

- PCI -

-
-

- lpfc -

-
  -

- 0x10df:0xf100 -

-
-

- PCI -

-
-

- lpfc -

-
  -

- 0x10df:0xfc40 -

-
-

- PCI -

-
-

- megaraid_sas -

-
  -

- 0x1000:0x005b -

-
-

- PCI -

-
-

- mpt3sas -

-
  -

- 0x1000:0x006E -

-
-

- PCI -

-
-

- mpt3sas -

-
  -

- 0x1000:0x0080 -

-
-

- PCI -

-
-

- mpt3sas -

-
  -

- 0x1000:0x0081 -

-
-

- PCI -

-
-

- mpt3sas -

-
  -

- 0x1000:0x0082 -

-
-

- PCI -

-
-

- mpt3sas -

-
  -

- 0x1000:0x0083 -

-
-

- PCI -

-
-

- mpt3sas -

-
  -

- 0x1000:0x0084 -

-
-

- PCI -

-
-

- mpt3sas -

-
  -

- 0x1000:0x0085 -

-
-

- PCI -

-
-

- mpt3sas -

-
  -

- 0x1000:0x0086 -

-
-

- PCI -

-
-

- mpt3sas -

-
  -

- 0x1000:0x0087 -

-
-

- PCI -

-
-

- myri10ge -

-
  
-

- PCI -

-
-

- netxen_nic -

-
  
-

- PCI -

-
-

- sfc -

-
  -

- 0x1924:0x0803 -

-
-

- PCI -

-
-

- sfc -

-
  -

- 0x1924:0x0813 -

-
-

- PCI -

-
-

- qla2xxx -

-
  -

- 0x1077:0x2031 -

-
-

- PCI -

-
-

- qla2xxx -

-
  -

- 0x1077:0x2532 -

-
-

- PCI -

-
-

- qla2xxx -

-
  -

- 0x1077:0x8031 -

-
-
-
-
-
-
-
-
-

Chapter 10. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8.4. -

-
-
-
-
-

10.1. Installer and image creation

-
-
-
-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installer or use the authselect Kickstart command during installation. -

-

- (BZ#1640697) -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- (BZ#1697896) -

-
-

Network access is not enabled by default in the installation - program

-

- Several installation features require network access, for example, registration of a system - using the Content Delivery Network (CDN), NTP server support, and network installation sources. - However, network access is not enabled by default, and as a result, these features cannot be - used until network access is enabled. -

-
-

- To work around this problem, add ip=dhcp to boot options to enable - network access when the installation starts. Optionally, passing a Kickstart file or a repository - located on the network using boot options also resolves the problem. As a result, the network-based - installation features can be used. -

-

- (BZ#1757877) -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- (BZ#1914955) -

-
-

Anaconda does not show encryption for a custom partition

-

- The Encrypt my data radio button is not - available when you choose the Custom - partitioning during the system installation. As a result, your data is not encrypted when - installation is complete. -

-
-

- To workaround this problem, set encryption in the custom partitioning screen for each device you - want to encrypt. Anaconda will ask for a passphrase when leaving the dialog. -

-

- (BZ#1903786) -

-
-

Installation program attempts automatic partitioning when no partitioning - scheme is specified in the Kickstart file

-

- When using a Kickstart file to perform an automated installation, the installation program - attempts to perform automatic partitioning even when you do not specify any partitioning - commands in the Kickstart file. The installation program behaves as if the autopart command was used in the Kickstart file, resulting in - unexpected partitions. To work around this problem, use the reqpart - command in the Kickstart file so that you can interactively configure manual partitioning. -

-
-

- (BZ#1954408) -

-
-

The new osbuild-composer back end does not - replicate the blueprint state from lorax-composer on - upgrades

-

- Image Builder users that are upgrading from the lorax-composer back - end to the new osbuild-composer back end, blueprints can disappear. - As a result, once the upgrade is complete, the blueprints do not display automatically. To work - around this problem, perform the following steps. -

-
-
-

Prerequisites

-
    -
  • - You have the composer-cli CLI utility installed. -
  • -
-
-
-

Procedure

-
    -
  1. -

    - Run the command to load the previous lorax-composer based - blueprints into the new osbuild-composer back end: -

    -
    $ for blueprint in $(find /var/lib/lorax/composer/blueprints/git/workspace/master -name '*.toml'); do composer-cli blueprints push "${blueprint}"; done
    -
  2. -
-
-

- As a result, the same blueprints are now available in osbuild-composer - back end. -

-
-

Additional resources

- -
-

- (BZ#1897383) -

-
-

Adding the same username in both blueprint and Kickstart files causes Edge - image installation to fail

-

- To install a RHEL for Edge image, users must create a blueprint to build a rhel-edge-container image and also create a Kickstart file to install - the RHEL for Edge image. When a user adds the same username, password, and SSH key in both the - blueprint and the Kickstart file, the RHEL for Edge image installation fails. Currently, there - is no workaround. -

-
-

- (BZ#1951964) -

-
-

GUI installation might fail if an attempt to unregister using the CDN is - made before the repository refresh is completed

-

- Since RHEL 8.2, when registering your system and attaching subscriptions using the Content - Delivery Network (CDN), a refresh of the repository metadata is started by the GUI installation - program. The refresh process is not part of the registration and subscription process, and as a - consequence, the Unregister button is - enabled in the Connect to Red Hat window. - Depending on the network connection, the refresh process might take more than a minute to - complete. If you click the Unregister button - before the refresh process is completed, the GUI installation might fail as the unregister - process removes the CDN repository files and the certificates required by the installation - program to communicate with the CDN. -

-
-

- To work around this problem, complete the following steps in the GUI installation after you have - clicked the Register button in the Connect to Red Hat window: -

-
-
    -
  1. - From the Connect to Red Hat window, - click Done to return to the Installation Summary window. -
  2. -
  3. - From the Installation Summary window, - verify that the Installation Source and - Software Selection status messages in - italics are not displaying any processing information. -
  4. -
  5. - When the Installation Source and Software Selection categories are ready, click Connect to Red Hat. -
  6. -
  7. - Click the Unregister button. -
  8. -
-
-

- After performing these steps, you can safely unregister the system during the GUI installation. -

-

- (BZ#1821192) -

-
-

Registration fails for user accounts that belong to multiple - organizations

-

- Currently, when you attempt to register a system with a user account that belongs to multiple - organizations, the registration process fails with the error message You must specify an organization for new - units. -

-
-

- To work around this problem, you can either: -

-
-
    -
  • - Use a different user account that does not belong to multiple organizations. -
  • -
  • - Use the Activation Key authentication - method available in the Connect to Red Hat feature for GUI and Kickstart installations. -
  • -
  • - Skip the registration step in Connect to Red Hat and use Subscription Manager to register - your system post-installation. -
  • -
-
-

- (BZ#1822880) -

-
-

Red Hat Insights client fails to register the operating system when using - the graphical installer

-

- Currently, the installation fails with an error at the end, which points to the Insights client. -

-
-

- To work around this problem, uncheck the Connect to Red Hat - Insights option during the Connect to - Red Hat step before registering the systems in the installer. -

-

- As a result, you can complete the installation and register to Insights afterwards by using this - command: -

-
# insights-client --register
-

- (BZ#1931069) -

-
-

Installation with autopart utility fails with - inconsistent disk sector sizes

-

- Installing RHEL using autopart with multiple inconsistent disk - sector sizes fails. As a workaround, use a plain partitioning - scheme, for example autopart --type=plain, instead of the default - LVM scheme. Another option is to try re-configuring sector sizes, - for example by running hdparm --set-sector-size=<SIZE> <DEVICE>. -

-
-

- As a workaround for kickstart installations: -

-
-
    -
  • - Restrict the disks used for the partitioning by specifying ignoredisk --drives=.. OR --only-use=... -
  • -
  • - Specify disks to be used for each created LVM Physical Volume: partition pv.1 --ondisk=... -
  • -
-
-

- As a workaround for manual installations: -

-
-
    -
  • - Select only the disks with the same sector size during manual installation in graphical or - text mode. -
  • -
  • - When disks with inconsistent sector size are selected for the installation, restrict each - created LVM Volume Group to use Physical Volumes with the same sector size. This can only be - done in graphical mode in the Custom partitioning spoke. -
  • -
-
-

- (BZ#1935722) -

-
-

The GRUB retries to access the disk after initial failures during - boot

-

- Sometimes, Storage Area Networks (SANs) fail to acknowledge the open and read disk calls. Previously, - the GRUB tool used to enter into the grub_rescue prompt resulting - in the boot failure. With this update, GRUB retries to access the disk up to 20 times after the - initial call to open and read the disk fails. If the GRUB tool is still unable to open or read - the disk after these attempts, it will enter into the grub_rescue - mode. -

-
-

- (BZ#1987087) -

-
-

IBM Power systems with HASH MMU mode fail to - boot with memory allocation failures

-

- IBM Power Systems with HASH memory allocation unit (MMU) mode - support kdump up to a maximum of 192 cores. Consequently, the - system fails to boot with memory allocation failures if kdump is - enabled on more than 192 cores. This limitation is due to RMA memory allocations during early - boot in HASH MMU mode. To work around this problem, use the Radix MMU mode with fadump enabled - instead of using kdump. -

-
-

- (BZ#2028361) -

-
-

Unable to rebuild grub.cfg by using grub2-mkconfig on rhel-guest-image-8.4 images

-

- The rhel-guest-image-8.4 type does not contain the entry - 'GRUB_DEFAULT=saved' entry in the /etc/default/grub file. As a - consequence, if you install a new kernel and rebuild the grub using the grub2-mkconfig -o /boot/grub2/grub.cfg command, after reboot, the - system will not boot up with the new kernel. To work around this issue, you can append the GRUB_DEFAULT=saved to the /etc/default/grub file. As a result, the system should boot up with - the new kernel. -

-
-

- (BZ#2227218) -

-
-
-
-
-
-

10.2. Subscription management

-
-
-
-
-

syspurpose addons have no effect on the subscription-manager attach --auto output.

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose - command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect - the output of running the subscription-manager attach --auto - command. Users who attempt to set values to the addons argument - will not observe any effect on the subscriptions that are auto-attached. -

-
-

- (BZ#1687900) -

-
-
-
-
-
-

10.3. Infrastructure services

-
-
-
-
-

Postfix TLS fingerprint algorithm in the FIPS mode needs to be changed to - SHA-256

-

- By default in RHEL 8, postfix uses MD5 fingerprints with the TLS - for backward compatibility. But in the FIPS mode, the MD5 hashing function is not available, - which may cause TLS to incorrectly function in the default postfix configuration. To workaround - this problem, the hashing function needs to be changed to SHA-256 in the postfix configuration - file. -

-
-

- For more details, see the related Knowledgebase article Fix postfix TLS in the FIPS mode by switching - to SHA-256 instead of MD5. -

-

- (BZ#1711885) -

-
-
-
-
-
-

10.4. Security

-
-
-
-
-

Users can run sudo commands as locked - users

-

- In systems where sudoers permissions are defined with the ALL keyword, sudo users with permissions - can run sudo commands as users whose accounts are locked. - Consequently, locked and expired accounts can still be used to execute commands. -

-
-

- To work around this problem, enable the newly implemented runas_check_shell option together with proper settings of valid shells in - /etc/shells. This prevents attackers from running commands under system - accounts such as bin. -

-

- (BZ#1786990) -

-
-

libselinux-python is available only through - its module

-

- The libselinux-python package contains only Python 2 bindings for - developing SELinux applications and it is used for backward compatibility. For this reason, - libselinux-python is no longer available in the default RHEL 8 - repositories through the dnf install libselinux-python command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# dnf module enable libselinux-python
-# dnf install libselinux-python
-

- Alternatively, install libselinux-python using its install profile with - a single command: -

-
# dnf module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- (BZ#1666328) -

-
-

udica processes UBI 8 containers only when - started with --env container=podman

-

- The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. - This prevents the udica tool from analyzing a container JavaScript - Object Notation (JSON) file. -

-
-

- To work around this problem, start a UBI 8 container using a podman - command with the --env container=podman parameter. As a result, udica can generate an SELinux policy for a UBI 8 container only when you - use the described workaround. -

-

- (BZ#1763210) -

-
-

Negative effects of the default logging setup on performance

-

- The default logging environment setup might consume 4 GB of memory or even more and adjustments - of rate-limit values are complex when systemd-journald is running - with rsyslog. -

-
-

- See the Negative effects of the - RHEL default logging setup on performance and their mitigations Knowledgebase article for - more information. -

-

- (JIRA:RHELPLAN-10431) -

-
-

File permissions of /etc/passwd- are not - aligned with the CIS RHEL 8 Benchmark 1.0.0

-

- Because of an issue with the CIS Benchmark, the remediation of the SCAP rule that ensures - permissions on the /etc/passwd- backup file configures permissions - to 0644. However, the CIS Red Hat Enterprise Linux 8 Benchmark 1.0.0 requires file - permissions 0600 for that file. As a consequence, the file - permissions of /etc/passwd- are not aligned with the benchmark - after remediation. -

-
-

- (BZ#1858866) -

-
-

SELINUX=disabled in /etc/selinux/config does not work properly

-

- Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots - with SELinux enabled and switches to disabled mode later in the boot process. This might cause - memory leaks. -

-
-

- To work around this problem, disable SELinux by adding the selinux=0 - parameter to the kernel command line as described in the Changing - SELinux modes at boot time section of the Using - SELinux title if your scenario really requires to completely disable SELinux. -

-

- (JIRA:RHELPLAN-34199) -

-
-

crypto-policies incorrectly allow Camellia - ciphers

-

- The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy - levels, as stated in the product documentation. However, the Kerberos protocol enables the - ciphers by default. -

-
-

- To work around the problem, apply the NO-CAMELLIA subpolicy: -

-
# update-crypto-policies --set DEFAULT:NO-CAMELLIA
-

- In the previous command, replace DEFAULT with the cryptographic level - name if you have switched from DEFAULT previously. -

-

- As a result, Camellia ciphers are correctly disallowed across all applications that use system-wide - crypto policies only when you disable them through the workaround. -

-

- (BZ#1919155) -

-
-

Connections to servers with SHA-1 signatures do not work with - GnuTLS

-

- SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as - insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS - connection to peers that offer such certificates. This behavior is inconsistent with other - system cryptographic libraries. -

-
-

- To work around this problem, upgrade the server to use certificates signed with SHA-256 or stronger - hash, or switch to the LEGACY policy. -

-

- (BZ#1628553) -

-
-

Libreswan ignores the leftikeport and rightikeport options

-

- Libreswan ignores the leftikeport and rightikeport options in any host-to-host Libreswan connections. As a - consequence, Libreswan uses the default ports regardless of leftikeport and rightikeport settings. - No workaround is available at the moment. -

-
-

- (BZ#1934058) -

-
-

Using multiple labeled IPsec connections with IKEv2 do not work correctly

-

- When Libreswan uses the IKEv2 protocol, security labels for IPsec - do not work correctly for more than one connection. As a consequence, Libreswan using labeled - IPsec can establish only the first connection, but cannot establish subsequent connections - correctly. To use more than one connection, use the IKEv1 protocol. -

-
-

- (BZ#1934859) -

-
-

OpenSSL in FIPS mode accepts only specific D-H parameters

-

- In FIPS mode, TLS clients that use OpenSSL return a bad dh value - error and abort TLS connections to servers that use manually generated parameters. This is - because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with - Diffie-Hellman parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, - and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL - ignore all other parameters and instead select known parameters of similar size. To work around - this problem, use only the compliant groups. -

-
-

- (BZ#1810911) -

-
-

Smart-card provisioning process through OpenSC pkcs15-init does not work properly

-

- The file_caching option is enabled in the default OpenSC - configuration, and the file caching functionality does not handle some commands from the pkcs15-init tool properly. Consequently, the smart-card provisioning - process through OpenSC fails. -

-
-

- To work around the problem, add the following snippet to the /etc/opensc.conf file: -

-
app pkcs15-init {
-        framework pkcs15 {
-                use_file_caching = false;
-        }
-}
-

- The smart-card provisioning through pkcs15-init only works if you apply - the previously described workaround. -

-

- (BZ#1947025) -

-
-

systemd cannot execute - commands from arbitrary paths

-

- The systemd service cannot execute commands - from /home/user/bin arbitrary paths because the SELinux policy - package does not include any such rule. Consequently, the custom services that are executed on - non-system paths fail and eventually log the Access Vector Cache (AVC) denial audit messages - when SELinux denied access. To work around this problem, do one of the following: -

-
-
-
    -
  • -

    - Execute the command using a shell - script with the -c option. For example, -

    -
    bash -c command
    -
  • -
  • - Execute the command from a common path using /bin, /sbin, /usr/sbin, /usr/local/bin, and /usr/local/sbin - common directories. -
  • -
-
-

- (BZ#1860443) -

-
-

selinux-policy prevents IPsec from working - over TCP

-

- The libreswan package in RHEL 8.4 supports IPsec-based VPNs using - TCP encapsulation. However, the selinux-policy package does not - reflect this update. As a consequence, when you set Libreswan to use TCP, the ipsec service fails to bind to the given TCP port. -

-
-

- To work around the problem, use a custom SELinux policy: -

-
-
    -
  1. -

    - Open a new .cil file in a text editor, for example: -

    -
    # vim local_ipsec_tcp_listen.cil
    -
  2. -
  3. -

    - Insert the following rule: -

    -
    (allow ipsec_t ipsecnat_port_t (tcp_socket (name_bind name_connect)))
    -
  4. -
  5. - Save and close the file. -
  6. -
  7. -

    - Install the policy module: -

    -
    # semodule -i local_ipsec_tcp_listen.cil
    -
  8. -
  9. -

    - Restart the ipsec service: -

    -
    # systemctl restart ipsec
    -
  10. -
-
-

- As a result, Libreswan can bind and connect to the commonly used 4500/tcp port. -

-

- (BZ#1931848) -

-
-

Installation with the Server with GUI or Workstation software selections and CIS security profile is not - possible

-

- The CIS security profile is not compatible with the Server with GUI - and Workstation software selections. As a consequence, a RHEL 8 - installation with the Server with GUI software selection and CIS - profile is not possible. An attempted installation using the CIS profile and either of these - software selections will generate the error message: -

-
-
package xorg-x11-server-common has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the installation.
-

- To work around the problem, do not use the CIS security profile with the Server with GUI or Workstation software - selections. -

-

- (BZ#1843932) -

-
-

rpm_verify_permissions fails in the CIS - profile

-

- The rpm_verify_permissions rule compares file permissions to - package default permissions. However, the Center for Internet Security (CIS) profile, which is - provided by the scap-security-guide packages, changes some file - permissions to be more strict than default. As a consequence, verification of certain files - using rpm_verify_permissions fails. -

-
-

- To work around this problem, manually verify that these files have the following permissions: -

-
-
    -
  • - /etc/cron.d (0700) -
  • -
  • - /etc/cron.hourly (0700) -
  • -
  • - /etc/cron.monthly (0700) -
  • -
  • - /etc/crontab (0600) -
  • -
  • - /etc/cron.weekly (0700) -
  • -
  • - /etc/cron.daily (0700) -
  • -
-
-

- (BZ#1843913) -

-
-

Kickstart uses org_fedora_oscap instead of - com_redhat_oscap in RHEL 8

-

- The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on - as org_fedora_oscap instead of com_redhat_oscap which might cause confusion. That is done to - preserve backward compatibility with Red Hat Enterprise Linux 7. -

-
-

- (BZ#1665082) -

-
-

Certain sets of interdependent rules in SSG can fail

-

- Remediation of SCAP Security Guide (SSG) rules in a benchmark can - fail due to undefined ordering of rules and their dependencies. If two or more rules need to be - executed in a particular order, for example, when one rule installs a component and another rule - configures the same component, they can run in the wrong order and remediation reports an error. - To work around this problem, run the remediation twice, and the second run fixes the dependent - rules. -

-
-

- (BZ#1750755) -

-
-

OSCAP Anaconda Addon does not install all - packages in text mode

-

- The OSCAP Anaconda Addon plugin cannot modify the list of packages - selected for installation by the system installer if the installation is running in text mode. - Consequently, when a security policy profile is specified using Kickstart and the installation - is running in text mode, any additional packages required by the security policy are not - installed during installation. -

-
-

- To work around this problem, either run the installation in graphical mode or specify all packages - that are required by the security policy profile in the security policy in the %packages section in your Kickstart file. -

-

- As a result, packages that are required by the security policy profile are not installed during RHEL - installation without one of the described workarounds, and the installed system is not compliant - with the given security policy profile. -

-

- (BZ#1674001) -

-
-

OSCAP Anaconda Addon does not correctly handle - customized profiles

-

- The OSCAP Anaconda Addon plugin does not properly handle security - profiles with customizations in separate files. Consequently, the customized profile is not - available in the RHEL graphical installation even when you properly specify it in the - corresponding Kickstart section. -

-
-

- To work around this problem, follow the instructions in the Creating a single SCAP data stream from an - original DS and a tailoring file Knowledgebase article. As a result of this workaround, you - can use a customized SCAP profile in the RHEL graphical installation. -

-

- (BZ#1691305) -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service - enable or disable state remediation is - not needed. Consequently, OpenSCAP might set the services on the installed system to a - non-compliant state. As a workaround, you can scan and remediate the system after the kickstart - installation. This will fix the service-related issues. -

-
-

- (BZ#1834716) -

-
-

Certain rsyslog priority strings do not work - correctly

-

- Support for the GnuTLS priority string for - imtcp that allows fine-grained control over encryption is not - complete. Consequently, the following priority strings do not work properly in rsyslog: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- (BZ#1679512) -

-
-

Conflict in SELinux Audit rules and SELinux boolean configurations -

-

- If the Audit rule list includes an Audit rule that contains a subj_* or obj_* field, and the SELinux - boolean configuration changes, setting the SELinux booleans causes a deadlock. As a consequence, - the system stops responding and requires a reboot to recover. To work around this problem, - disable all Audit rules containing the subj_* or obj_* field, or temporarily disable such rules before changing - SELinux booleans. -

-
-

- With the release of the RHSA-2021:2168 advisory, the kernel - handles this situation properly and no longer deadlocks. -

-

- (BZ#1924230) -

-
-
-
-
-
-

10.5. Networking

-
-
-
-
-

The nm-cloud-setup service removes - manually-configured secondary IP addresses from interfaces

-

- Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain - cases, other services on the host can configure interfaces as well. For example, these services - could add secondary IP addresses. To avoid that nm-cloud-setup - removes secondary IP addresses: -

-
-
-
    -
  1. -

    - Stop and disable the nm-cloud-setup service and timer: -

    -
    # systemctl disable --now nm-cloud-setup.service nm-cloud-setup.timer
    -
  2. -
  3. -

    - Display the available connection profiles: -

    -
    # nmcli connection show
    -
  4. -
  5. -

    - Reactive the affected connection profiles: -

    -
    # nmcli connection up "<profile_name>"
    -
  6. -
-
-

- As a result, the service no longer removes manually-configured secondary IP addresses from - interfaces. -

-

- (BZ#2132754) -

-
-

IPsec network traffic fails during IPsec offloading when GRO is - disabled

-

- IPsec offloading is not expected to work when Generic Receive Offload (GRO) is disabled on the - device. If IPsec offloading is configured on a network interface and GRO is disabled on that - device, IPsec network traffic fails. -

-
-

- To work around this problem, keep GRO enabled on the device. -

-

- (BZ#1649647) -

-
-
-
-
-
-

10.6. Kernel

-
-
-
-
-

Certain BCC utilities display a harmless warning

-

- Due to macro redefinitions in some compiler specific kernel headers. Some BPF Compiler - Collection (BCC) utilities show the following warning: -

-
-
warning: __no_sanitize_address' macro redefined [-Wmacro-redefined]
-

- The warning is harmless, and you can ignore it. -

-

- (BZ#1907271) -

-
-

A vmcore capture fails after memory hot-plug or unplug operation -

-

- After performing the memory hot-plug or hot-unplug operation, the event comes after updating the - device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical address. - The problem appears if all of the following conditions meet: -

-
-
-
    -
  • - A little-endian variant of IBM Power System runs RHEL 8. -
  • -
  • - The kdump or fadump service is - enabled on the system. -
  • -
-
-

- Consequently, the capture kernel fails to save vmcore if a kernel crash - is triggered after the memory hot-plug or hot-unplug operation. -

-

- To work around this problem, restart the kdump service after hot-plug - or hot-unplug: -

-
# systemctl restart kdump.service
-

- As a result, vmcore is successfully saved in the described scenario. -

-

- (BZ#1793389) -

-
-

kdump fails to dump vmcore on SSH or NFS dump targets

-

- The new version of dracut-network drops dependency on dhcp-client that requires an ipcalc. - Consequently, when NIC port is configured to a static IP and kdump - is configured to dump on SSH or NFS dump targets, kdump fails with - the following error message: -

-
-
ipcalc: command not found
-

- To work around this problem: -

-
-
    -
  1. -

    - Install the ipcalc package manually. -

    -
    dnf install ipcalc
    -
  2. -
  3. -

    - Rebuild the initramfs for kdump. -

    -
    kdumpctrl rebuild
    -
  4. -
  5. -

    - Restart the kdump service. -

    -
    systemctl restart kdump
    -
  6. -
-
-

- As a result, kdump is successful in the described scenario. -

-

- (BZ#1931266) -

-
-

Debug kernel fails to boot in crash capture environment in RHEL 8 -

-

- Due to memory-demanding nature of the debug kernel, a problem occurs when the debug kernel is in - use and a kernel panic is triggered. As a consequence, the debug kernel is not able to boot as - the capture kernel, and a stack trace is generated instead. To work around this problem, - increase the crash kernel memory accordingly. As a result, the debug kernel successfully boots - in the crash capture environment. -

-
-

- (BZ#1659609) -

-
-

Memory allocation on crash kernel fails at boot time

-

- On some Ampere Altra systems, memory allocation fails when the 32-bit region is disabled in BIOS - settings. Consequently, the kdump service fails to start because - the conventional memory is not large enough to reserve the memory allocation. -

-
-

- To work around this problem, enable 32-bit CPU in BIOS as follows: -

-
-
    -
  1. - Open the BIOS settings on your system. -
  2. -
  3. - Open the Chipset menu. -
  4. -
  5. - Under Memory Configuration, enable the - Slave 32-bit option. -
  6. -
-
-

- As a result, the crash kernel allocates memory within the 32-bit region and the kdump service works as expected. -

-

- (BZ#1940674) -

-
-

Certain kernel drivers do not display their version

-

- The behavior for module versioning of many networking kernel drivers has changed in RHEL 8.4. - Consequently, those drivers now do not display their version. Alternatively, after executing the - ethtool -i command, the drivers display the kernel version instead of the driver version. To work around this problem, - users can run the following command: -

-
-
# modinfo <AFFECTED_DRIVER> | grep rhelversion
-

- As a result, users can determine versions of the affected kernel drivers in scenarios where it is - necessary. -

-

- Note that the perceived amount of change in a driver version string has no actual bearing on the - amount of change in the driver itself. -

-

- (BZ#1944639) -

-
-

Using irqpoll causes vmcore generation failure

-

- Due to an existing problem with the nvme driver on the 64-bit ARM - architectures that run on the Amazon Web Services (AWS) cloud platforms, the vmcore generation fails when you provide the irqpoll kernel command line parameter to the first kernel. - Consequently, no vmcore file is dumped in the /var/crash/ directory after a kernel crash. To work around this - problem: -

-
-
-
    -
  1. -

    - Append irqpoll to KDUMP_COMMANDLINE_REMOVE in the /etc/sysconfig/kdump file. -

    -
    KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug quiet log_buf_len swiotlb"
    -
  2. -
  3. -

    - Remove irqpoll from KDUMP_COMMANDLINE_APPEND in the /etc/sysconfig/kdump file. -

    -
    KDUMP_COMMANDLINE_APPEND="irqpoll nr_cpus=1 reset_devices cgroup_disable=memory udev.children-max=2 panic=10 swiotlb=noforce novmcoredd"
    -
  4. -
  5. - Restart the kdump service by running the systemctl restart kdump command. -
  6. -
-
-

- As a result, the first kernel boots correctly and the vmcore file is - expected to be captured upon the kernel crash. -

-

- Note that the kdump service can use a significant amount of crash - kernel memory to dump the vmcore file. Ensure that the capture kernel - has sufficient memory available for the kdump service. -

-

- (BZ#1654962) -

-
-

The HP NMI watchdog does not always generate a crash dump

-

- In certain cases, the hpwdt driver for the HP NMI watchdog is not - able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI - was instead consumed by the perfmon driver. -

-
-

- The missing NMI is initiated by one of two conditions: -

-
-
    -
  1. - The Generate NMI button on the - Integrated Lights-Out (iLO) server management software. This button is triggered by a user. -
  2. -
  3. - The hpwdt watchdog. The expiration by default sends an NMI to - the server. -
  4. -
-
-

- Both sequences typically occur when the system is unresponsive. Under normal circumstances, the NMI - handler for both these situations calls the kernel panic() function and - if configured, the kdump service generates a vmcore file. -

-

- Because of the missing NMI, however, kernel panic() is not called and - vmcore is not collected. -

-

- In the first case (1.), if the system was unresponsive, it remains so. To work around this scenario, - use the virtual Power button to reset or power - cycle the server. -

-

- In the second case (2.), the missing NMI is followed 9 seconds later by a reset from the Automated - System Recovery (ASR). -

-

- The HPE Gen9 Server line experiences this problem in single-digit percentages. The Gen10 at an even - smaller frequency. -

-

- (BZ#1602962) -

-
-

The tuned-adm profile powersave command causes - the system to become unresponsive

-

- Executing the tuned-adm profile powersave command leads to an - unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx - (CN88xx) processors. Consequently, reboot the system to resume working. To work around this - problem, avoid using the powersave profile if your system matches - the mentioned specifications. -

-
-

- (BZ#1609288) -

-
-

The kernel ACPI driver reports it has no access to a PCIe ECAM memory - region

-

- The Advanced Configuration and Power Interface (ACPI) table provided by firmware does not define - a memory region on the PCI bus in the Current Resource Settings (_CRS) method for the PCI bus - device. Consequently, the following warning message occurs during the system boot: -

-
-
[    2.817152] acpi PNP0A08:00: [Firmware Bug]: ECAM area [mem 0x30000000-0x31ffffff] not reserved in ACPI namespace
-[    2.827911] acpi PNP0A08:00: ECAM at [mem 0x30000000-0x31ffffff] for [bus 00-1f]
-

- However, the kernel is still able to access the 0x30000000-0x31ffffff - memory region, and can assign that memory region to the PCI Enhanced Configuration Access Mechanism - (ECAM) properly. You can verify that PCI ECAM works correctly by accessing the PCIe configuration - space over the 256 byte offset with the following output: -

-
03:00.0 Non-Volatile memory controller: Sandisk Corp WD Black 2018/PC SN720 NVMe SSD (prog-if 02 [NVM Express])
- ...
-        Capabilities: [900 v1] L1 PM Substates
-                L1SubCap: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2+ ASPM_L1.1- L1_PM_Substates+
-                          PortCommonModeRestoreTime=255us PortTPowerOnTime=10us
-                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
-                           T_CommonMode=0us LTR1.2_Threshold=0ns
-                L1SubCtl2: T_PwrOn=10us
-

- As a result, you can ignore the warning message. -

-

- For more information about the problem, see the "Firmware Bug: ECAM area mem 0x30000000-0x31ffffff not reserved in ACPI namespace" appears - during system boot solution. -

-

- (BZ#1868526) -

-
-

The hwloc commands with the default settings do not work on single CPU - Power9 and Power10 LPARs

-

- With the hwloc package of version 2.2.0, any single-node - Non-Uniform Memory Access (NUMA) system that runs Power9 / Power10 CPU is considered to be - "disallowed". Consequently, all hwloc commands do not work and the - following error message is displayed: -

-
-
Topology does not contain any NUMA node, aborting!
-

- You can use either of these two options to work around this problem: -

-
-
    -
  • - Set the environment variable HWLOC_ALLOW=all -
  • -
  • - Use the disallowed flag with various hwloc commands -
  • -
-
-

- As a result, the hwloc command does not return any errors in the - described scenario. -

-

- (BZ#1917560) -

-
-

The OPEN MPI library may trigger run-time failures with default - PML

-

- In OPEN Message Passing Interface (OPEN MPI) implementation 4.0.x series, Unified Communication - X (UCX) is the default point-to-point communicator (PML). The later versions of OPEN MPI 4.0.x - series deprecated openib Byte Transfer Layer (BTL). -

-
-

- However, OPEN MPI, when run over a homogeneous - cluster (same hardware and software configuration), UCX still uses openib BTL for MPI one-sided operations. As a consequence, this may - trigger execution errors. To work around this problem: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca btl openib -mca pml ucx -x UCX_NET_DEVICES=mlx5_ib0
-

- where, -

-
-
    -
  • - The -mca btl openib parameter disables openib BTL -
  • -
  • - The -mca pml ucx parameter configures OPEN MPI to use ucx PML. -
  • -
  • - The x UCX_NET_DEVICES= parameter restricts UCX to use the - specified devices -
  • -
-
-

- The OPEN MPI, when run over a heterogeneous - cluster (different hardware and software configuration), it uses UCX as the default PML. As a - consequence, this may cause the OPEN MPI jobs to run with erratic performance, unresponsive - behavior, or crash failures. To work around this problem, set the UCX priority as: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca pml_ucx_priority 5
-

- As a result, the OPEN MPI library is able to choose an alternative available transport layer over - UCX. -

-

- (BZ#1866402) -

-
-

Connections fail when attaching a virtual function to virtual - machine

-

- Pensando network cards that use the ionic device driver silently - accept VLAN tag configuration requests and attempt configuring network connections while - attaching network virtual functions (VF) to a virtual machine - (VM). Such network connections fail as this feature is not yet - supported by the card’s firmware. -

-
-

- (BZ#1930576) -

-
-
-
-
-
-

10.7. Hardware enablement

-
-
-
-
-

The default 7 4 1 7 printk value sometimes causes temporary system - unresponsiveness

-

- The default 7 4 1 7 printk value allows for better debugging of the kernel activity. - However, when coupled with a serial console, this printk setting - can cause intense I/O bursts that can lead to a RHEL system becoming temporarily unresponsive. - To work around this problem, we have added a new optimize-serial-console TuneD profile, which reduces the default - printk value to 4 4 1 - 7. Users can instrument their system as follows: -

-
-
# tuned-adm profile throughput-performance optimize-serial-console
-

- Having a lower printk value persistent across a reboot reduces the - likelihood of system hangs. -

-

- Note that this setting change comes at the expense of losing the extra debugging information. -

-

- (JIRA:RHELPLAN-28940) -

-
-
-
-
-
-

10.8. File systems and storage

-
-
-
-
-

The /boot file system cannot be placed on - LVM

-

- You cannot place the /boot file system on an LVM logical volume. - This limitation exists for the following reasons: -

-
-
-
    -
  • - On EFI systems, the EFI System Partition - conventionally serves as the /boot file system. The uEFI - standard requires a specific GPT partition type and a specific file system type for this - partition. -
  • -
  • - RHEL 8 uses the Boot Loader Specification (BLS) for - system boot entries. This specification requires that the /boot - file system is readable by the platform firmware. On EFI systems, the platform firmware can - read only the /boot configuration defined by the uEFI standard. -
  • -
  • - The support for LVM logical volumes in the GRUB 2 boot loader is incomplete. Red Hat does - not plan to improve the support because the number of use cases for the feature is - decreasing due to standards such as uEFI and BLS. -
  • -
-
-

- Red Hat does not plan to support /boot on LVM. Instead, Red Hat - provides tools for managing system snapshots and rollback that do not need the /boot file system to be placed on an LVM logical volume. -

-

- (BZ#1496229) -

-
-

LVM no longer allows creating volume groups with mixed block sizes -

-

- LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where the - physical volumes (PVs) have different logical block sizes. LVM has adopted this change because - file systems fail to mount if you extend the underlying logical volume (LV) with a PV of a - different block size. -

-
-

- To re-enable creating VGs with mixed block sizes, set the allow_mixed_block_sizes=1 option in the lvm.conf file. -

-

- (BZ#1768536) -

-
-

Limitations of LVM writecache

-

- The writecache LVM caching method has the following limitations, - which are not present in the cache method: -

-
-
-
    -
  • - You cannot name a writecache logical volume when using pvmove commands. -
  • -
  • - You cannot use logical volumes with writecache in combination - with thin pools or VDO. -
  • -
-
-

- The following limitation also applies to the cache method: -

-
-
    -
  • - You cannot resize a logical volume while cache or writecache is attached to it. -
  • -
-
-

- (JIRA:RHELPLAN-27987, BZ#1798631, BZ#1808012) -

-
-

LVM mirror devices that store a LUKS volume - sometimes become unresponsive

-

- Mirrored LVM devices with a segment type of mirror that store a - LUKS volume might become unresponsive under certain conditions. The unresponsive devices reject - all I/O operations. -

-
-

- To work around the issue, Red Hat recommends that you use LVM RAID 1 devices with a segment type of - raid1 instead of mirror if you need to - stack LUKS volumes on top of resilient software-defined storage. -

-

- The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 device. -

-

- (BZ#1730502) -

-
-

An NFS 4.0 patch can result in reduced performance under an open-heavy - workload

-

- Previously, a bug was fixed that, in some cases, could cause an NFS open operation to overlook - the fact that a file had been removed or renamed on the server. However, the fix may cause - slower performance with workloads that require many open operations. To work around this - problem, it might help to use NFS version 4.1 or higher, which have been improved to grant - delegations to clients in more cases, allowing clients to perform open operations locally, - quickly, and safely. -

-
-

- (BZ#1748451) -

-
-

xfs_quota state doesn’t output all grace times - when multiple quota types are specified

-

- Currently, the xfs_quota state command doesn’t output the grace - time for quotas as expected with options specifying multiple quota types. To work around this - issue, specify the required quota type in command option individually, i. e. xfs_quota state -g, xfs_quota state -p - or xfs_quota state -u. -

-
-

- (BZ#1949743) -

-
-
-
-
-
-

10.9. High availability and clusters

-
-
-
-
-

The ocf:heartbeat:pgsql resource agent and any - third-party agents that parse crm_mon output in their stop - operation may fail to stop during a shutdown process in RHEL 8.4

-

- In the RHEL 8.4 GA release, Pacemaker’s crm_mon command-line tool - was modified to display a "shutting down" message rather than the usual cluster information when - Pacemaker starts to shut down. As a result, shutdown progress, such as the stopping of - resources, can not be monitored, and resource agents that parse crm_mon output in their stop - operation (such as the ocf:heartbeat:pgsql agent distributed with - the resource-agents package, or some custom or third-party agents) could fail to stop, leading - to cluster problems. -

-
-

- It is recommended that clusters that use the ocf:heartbeat:pgsql - resource agent not be upgraded to RHEL 8.4 until the z-stream is available. -

-

- (BZ#1948620) -

-
-
-
-
-
-

10.10. Dynamic programming languages, web and database servers

-
-
-
-
-

getpwnam() might fail when called by a 32-bit - application

-

- When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, - manually install the missing package by using the yum install nss_nis.i686 command. -

-
-

- (BZ#1803161) -

-
-

Symbol conflicts between OpenLDAP libraries might cause crashes in httpd

-

- When both the libldap and libldap_r - libraries provided by OpenLDAP are loaded and used within a single process, symbol conflicts - between these libraries might occur. Consequently, Apache httpd - child processes using the PHP ldap extension might terminate - unexpectedly if the mod_security or mod_auth_openidc modules are also loaded by the httpd configuration. -

-
-

- Since the RHEL 8.3 update to the Apache Portable Runtime (APR) library, you can work around the - problem by setting the APR_DEEPBIND environment variable, which enables - the use of the RTLD_DEEPBIND dynamic linker option when loading httpd modules. When the APR_DEEPBIND - environment variable is enabled, crashes no longer occur in httpd - configurations that load conflicting libraries. -

-

- (BZ#1819607) -

-
-

MariaDB 10.5 does not warn about dropping a - non-existent table when the OQGraph plug-in is enabled -

-

- When the OQGraph storage engine plug-in is loaded to the MariaDB 10.5 server, MariaDB does not - warn about dropping a non-existent table. In particular, when the user attempts to drop a - non-existent table using the DROP TABLE or DROP TABLE IF EXISTS SQL commands, MariaDB neither returns an error message nor logs a warning. -

-
-

- Note that the OQGraph plug-in is provided by the mariadb-oqgraph-engine package, which is not installed by default. -

-

- (BZ#1944653) -

-
-

PAM plug-in version 1.0 does not work in MariaDB

-

- MariaDB 10.3 provides the Pluggable Authentication Modules (PAM) - plug-in version 1.0. MariaDB 10.5 provides the plug-in versions 1.0 - and 2.0, version 2.0 is the default. -

-
-

- The MariaDB PAM plug-in version 1.0 does not work in RHEL 8. To work - around this problem, use the PAM plug-in version 2.0 provided by the mariadb:10.5 module stream. -

-

- See also MariaDB 10.5 provides the PAM plug-in version 2.0. -

-

- (BZ#1942330) -

-
-

pyodbc does not work with MariaDB 10.3

-

- The pyodbc module currently does not work with the MariaDB 10.3 server included in the RHEL 8.4 release. Earlier - versions of the MariaDB 10.3 server and the MariaDB 10.5 server are not affected by this problem. -

-
-

- Note that the root cause is in the mariadb-connector-odbc package and - the affected package versions are as follows: -

-
-
    -
  • - pyodbc-4.0.30 -
  • -
  • - mariadb-server-10.3.27 -
  • -
  • - mariadb-connector-odbc-3.0.7 -
  • -
-
-

- (BZ#1944692) -

-
-
-
-
-
-

10.11. Compilers and development tools

-
-
-
-
-

GCC Toolset 10: Valgrind erroneously reports IBM z15 architecture - support

-

- Valgrind does not support certain IBM z15 processors features yet, but a bug in GCC Toolset 10 - Valgrind causes it to report z15 support when run on a z15-capable system. As a consequence, - software that tries to use z15 features when available cannot run under Valgrind. To work around - this problem, when running on a z15 processor, use the system version of Valgrind accessible via - /usr/bin/valgrind. This build will not report z15 support. -

-
-

- (BZ#1937340) -

-
-

Memory leaks in pmproxy in PCP

-

- The pmproxy service experiences memory leaks in Performance - Co-Pilot (PCP) versions earlier than 5.3.0. The PCP version 5.3.0 is unavailable in RHEL 8.4 and - the earlier minor versions of RHEL 8. As a consequence, RHEL 8 users might experience higher - memory usage than expected. -

-
-

- To work around this problem, limit the memory usage of pmproxy: -

-
-
    -
  1. -

    - Create the /etc/systemd/system/pmproxy.service.d/override.conf file by - executing the following command: -

    -
    # systemctl edit pmproxy
    -
  2. -
  3. -

    - Add the following content to override.conf and save the - changes: -

    -
    [Service]
    -MemoryMax=10G
    -

    - Replace the 10G value as per your requirement. -

    -
  4. -
  5. -

    - Restart the pmproxy service: -

    -
    # systemctl restart pmproxy
    -
  6. -
-
-

- As a result, the pmproxy service is restarted if the memory usage of - pmproxy reaches the given limit. -

-

- (BZ#1991659) -

-
-
-
-
-
-

10.12. Identity Management

-
-
-
-
-

Installing KRA fails if all KRA members are hidden replicas

-

- The ipa-kra-install utility fails on a cluster where the Key - Recovery Authority (KRA) is already present, if the first KRA instance is installed on a hidden - replica. Consequently, you cannot add further KRA instances to the cluster. -

-
-

- To work around this problem, unhide the hidden replica that has the KRA role before you add new KRA - instances. You can hide it again when ipa-kra-install completes - successfully. -

-

- (BZ#1816784) -

-
-

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System -

-

- Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of - Certificate System. As a consequence, Certificate System might become unstable and manual steps - are required to recover the system. -

-
-

- (BZ#1729215) -

-
-

The /var/log/lastlog sparse file on IdM hosts - can cause performance problems

-

- During the IdM installation, a range of 200,000 UIDs from a total of 10,000 possible ranges is - randomly selected and assigned. Selecting a random range in this way significantly reduces the - probability of conflicting IDs in case you decide to merge two separate IdM domains in the - future. -

-
-

- However, having high UIDs can create problems with the /var/log/lastlog - file. For example, if a user with the UID of 1280000008 logs in to an IdM client, the local /var/log/lastlog file size increases to almost 400 GB. Although the - actual file is sparse and does not use all that space, certain applications are not designed to - identify sparse files by default and may require a specific option to handle them. For example, if - the setup is complex and a backup and copy application does not handle sparse files correctly, the - file is copied as if its size was 400 GB. This behavior can cause performance problems. -

-

- To work around this problem: -

-
-
    -
  • - In case of a standard package, refer to its documentation to identify the option that - handles sparse files. -
  • -
  • - In case of a custom application, ensure that it is able to manage sparse files such as /var/log/lastlog correctly. -
  • -
-
-

- (JIRA:RHELPLAN-59111) -

-
-

FreeRADIUS silently truncates Tunnel-Passwords longer than 249 - characters

-

- If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently truncates - it. This may lead to unexpected password incompatibilities with other systems. -

-
-

- To work around the problem, choose a password that is 249 characters or fewer. -

-

- (BZ#1723362) -

-
-

FIPS mode does not support using a shared secret to establish a - cross-forest trust

-

- Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP - authentication is not FIPS-compliant. To work around this problem, authenticate with an Active - Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS - mode enabled and an AD domain. -

-
-

- (BZ#1924707) -

-
-

Downgrading authselect after the rebase to - version 1.2.2 breaks system authentication

-

- The authselect package has been rebased to the latest upstream - version 1.2.2. Downgrading authselect - is not supported and breaks system authentication for all users, including root. -

-
-

- If you downgraded the authselect package to 1.2.1 or earlier, perform the following steps to work around this - problem: -

-
-
    -
  1. - At the GRUB boot screen, select Red Hat Enterprise Linux with - the version of the kernel that you want to boot and press e to - edit the entry. -
  2. -
  3. - Type single as a separate word at the end of the line that - starts with linux and press Ctrl+x - to start the boot process. -
  4. -
  5. - Upon booting in single-user mode, enter the root password. -
  6. -
  7. -

    - Restore authselect configuration using the following command: -

    -
    # authselect select sssd --force
    -
  8. -
-
-

- (BZ#1892761) -

-
-

Upgrading an IdM server from RHEL 8.3 to RHEL 8.4 fails if pki-ca package - version is earlier than 10.10.5

-

- The IdM server upgrade program, ipa-server-upgrade, fails if the - pki-ca package version is earlier than 10.10.5. As the required - files do not exist in these versions, the IdM server upgrade does not complete successfully both - at package installation and when ipa-server-upgrade or ipactl are executed. -

-
-

- To resolve this issue, upgrade the pki-* packages to version 10.10.5 or - higher and run the ipa-server-upgrade command again. -

-

- (BZ#1957768) -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- (JIRA:RHELPLAN-155168) -

-
-
-
-
-
-

10.13. Desktop

-
-
-
-
-

Disabling flatpak repositories from Software - Repositories is not possible

-

- Currently, it is not possible to disable or remove flatpak - repositories in the Software Repositories tool in the GNOME Software utility. -

-
-

- (BZ#1668760) -

-
-

Drag-and-drop does not work between desktop and applications

-

- Due to a bug in the gnome-shell-extensions package, the - drag-and-drop functionality does not currently work between desktop and applications. Support - for this feature will be added back in a future release. -

-
-

- (BZ#1717947) -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft - Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. - In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, use - Hyper-V Server 2019 as the host. -

-

- (BZ#1583445) -

-
-
-
-
-
-

10.14. Graphics infrastructures

-
-
-
-
-

radeon fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in the - kexec context correctly. Instead, radeon falls over, which causes - the rest of the kdump service to fail. -

-
-

- To work around this problem, disable radeon in kdump by adding the following line to the /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the machine and kdump. After starting - kdump, the force_rebuild 1 line may be removed from the configuration file. -

-

- Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully. -

-

- (BZ#1694705) -

-
-

Multiple HDR displays on a single MST topology may not power on -

-

- On systems using NVIDIA Turing GPUs with the nouveau driver, using - a DisplayPort hub (such as a laptop dock) with multiple monitors - which support HDR plugged into it may result in failure to turn on. This is due to the system - erroneously thinking there is not enough bandwidth on the hub to support all of the displays. -

-
-

- (BZ#1812577) -

-
-

Unable to run graphical applications using sudo command

-

- When trying to run graphical applications as a user with elevated privileges, the application - fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority - file to use regular user credentials for authentication. -

-
-

- To work around this problem, use the sudo -E command to run graphical - applications as a root user. -

-

- (BZ#1673073) -

-
-

VNC Viewer displays wrong colors with the 16-bit color depth on IBM - Z

-

- The VNC Viewer application displays wrong colors when you connect to a VNC session on an IBM Z - server with the 16-bit color depth. -

-
-

- To work around the problem, set the 24-bit color depth on the VNC server. With the Xvnc server, replace the -depth 16 option - with -depth 24 in the Xvnc configuration. -

-

- As a result, VNC clients display the correct colors but use more network bandwidth with the server. -

-

- (BZ#1886147) -

-
-

Hardware acceleration is not supported on ARM

-

- Built-in graphics drivers do not support hardware acceleration or the Vulkan API on the 64-bit - ARM architecture. -

-
-

- To enable hardware acceleration or Vulkan on ARM, install the proprietary Nvidia driver. -

-

- (JIRA:RHELPLAN-57914) -

-
-

GUI in ESXi might crash due to low video memory

-

- The graphical user interface (GUI) on RHEL virtual machines (VMs) in the VMware ESXi 7.0.1 - hypervisor with vCenter Server 7.0.1 requires a certain amount of video memory. If you connect - multiple consoles or high-resolution monitors to the VM, the GUI requires least 16 MB of video - memory. If you start the GUI with less video memory, the GUI might terminate unexpectedly. -

-
-

- To work around the problem, configure the hypervisor to assign at least 16 MB of video memory to the - VM. As a result, the GUI on the VM no longer crashes. -

-

- (BZ#1910358) -

-
-
-
-
-
-

10.15. Virtualization

-
-
-
-
-

virsh iface-\* commands do not work - consistently

-

- Currently, virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, frequently fail due to configuration - dependencies. Therefore, it is recommended not to use virsh iface-\* commands for configuring and managing host network - connections. Instead, use the NetworkManager program and its related management applications. -

-
-

- (BZ#1664592) -

-
-

Virtual machines sometimes fail to start when using many virtio-blk - disks

-

- Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of - interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to boot, - and displays a dracut-initqueue[392]: Warning: Could not boot - error. -

-
-

- (BZ#1719687) -

-
-

Attaching LUN devices to virtual machines using virtio-blk does not - work

-

- The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore - lacks support for features that were deprecated in virtio 1.0. In particular, it is not possible - on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, attaching a - physical disk as a LUN device to a virtual machine fails when using the virtio-blk controller. -

-
-

- Note that physical disks can still be passed through to the guest operating system, but they should - be configured with the device='disk' option rather than device='lun'. -

-

- (BZ#1777138) -

-
-

Virtual machines using Cooperlake cannot boot - when TSX is disabled on the host

-

- Virtual machines (VMs) that use the Cooperlake CPU model currently - fail to boot when the TSX CPU flag is diabled on the host. Instead, - the host displays the following error message: -

-
-
the CPU is incompatible with host CPU: Host CPU does not provide required features: hle, rtm
-

- To make VMs with Cooperlake usable on such host, disable the HLE, RTM, - and TAA_NO flags in the VM configuration in the VM’s XML configuration: -

-
<feature policy='disable' name='hle'/>
-<feature policy='disable' name='rtm'/>
-<feature policy='disable' name='taa-no'/>
-

- (BZ#1860743) -

-
-

Using perf kvm record on IBM POWER Systems can - cause the VM to crash

-

- When using a RHEL 8 host on the little-endian variant of IBM POWER hardware, using the perf kvm record command to collect trace event samples for a KVM - virtual machine (VM) in some cases results in the VM becoming unresponsive. This situation - occurs when: -

-
-
-
    -
  • - The perf utility is used by an unprivileged user, and the -p option is used to identify the VM - for example perf kvm record -e trace_cycles -p 12345. -
  • -
  • - The VM was started using the virsh shell. -
  • -
-
-

- To work around this problem, use the perf kvm utility with the -i option to monitor VMs that were created using the virsh shell. For example: -

-
# perf kvm record -e trace_imc/trace_cycles/  -p <guest pid> -i
-

- Note that when using the -i option, child tasks do not inherit - counters, and threads will therefore not be monitored. -

-

- (BZ#1924016) -

-
-

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails -

-

- Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes - unresponsive with a Migration status: active status. -

-
-

- To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which - enables the migration to complete successfully. -

-

- (BZ#1741436) -

-
-

Using virt-customize sometimes causes guestfs-firstboot to fail

-

- After modifying a virtual machine (VM) disk image using the virt-customize utility, the guestfs-firstboot service in some cases fails due to incorrect - SELinux permissions. This causes a variety of problems during VM startup, such as failing user - creation or system registration. -

-
-

- To avoid this problem, add the --selinux-relabel option to the virt-customize command. -

-

- (BZ#1554735) -

-
-

Virtual machines with iommu_platform=on fail - to start on IBM POWER

-

- RHEL 8 currently does not support the iommu_platform=on parameter - for virtual machines (VMs) on IBM POWER system. As a consequence, starting a VM with this - parameter on IBM POWER hardware results in the VM becoming unresponsive during the boot process. -

-
-

- (BZ#1910848) -

-
-

SMT CPU topology is not detected by VMs when using host passthrough mode on - AMD EPYC

-

- When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the - TOPOEXT CPU feature flag is not present. Consequently, the VM is - not able to detect a virtual CPU topology with multiple threads per core. To work around this - problem, boot the VM with the EPYC CPU model instead of host passthrough. -

-
-

- (BZ#1740002) -

-
-

Windows Server 2016 virtual machines with Hyper-V enabled fail to boot when - using certain CPU models

-

- Currently, it is not possible to boot a virtual machine (VM) that uses Windows Server 2016 as - the guest operating system, has the Hyper-V role enabled, and uses one of the following CPU - models: -

-
-
-
    -
  • - EPYC-IBPB -
  • -
  • - EPYC -
  • -
-
-

- To work around this problem, use the EPYC-v3 CPU - model, or manually enable the xsaves CPU flag - for the VM. -

-

- (BZ#1942888) -

-
-

Deleting a macvtap interface from a virtual machine resets all macvtap - connections

-

- Currently, deleting a macvtap interface from a running virtual - machines (VM) with multiple macvtap devices also resets the - connection settings of the other macvtap interfaces. As a - consequence, the VM may experience network issues. -

-
-

- (BZ#1332758) -

-
-

Hot unplugging an IBMVFC device on PowerVM fails

-

- When using a virtual machine (VM) with a RHEL 8 guest operating system on the PowerVM - hypervisor, attempting to remove an IBM Power Virtual Fibre Channel (IBMVFC) device from the - running VM currently fails. Instead, it displays an outstanding translation error. -

-
-

- To work around this problem, remove the IBMVFC device when the VM is shut down. -

-

- (BZ#1959020) -

-
-

IBM POWER hosts may crash when using the ibmvfc driver

-

- When running RHEL 8 on a PowerVM logical partition (LPAR), a variety of errors may currently - occur due problems with the ibmvfc driver. As a consequence, the - host’s kernel may panic under certain circumstances, such as: -

-
-
-
    -
  • - Using the Live Partition Mobility (LPM) feature -
  • -
  • - Resetting a host adapter -
  • -
  • - Using SCSI error handling (SCSI EH) functions -
  • -
-
-

- (BZ#1961722) -

-
-

Mounting virtiofs directories fails in certain - circumstances on RHEL 8 guests

-

- Currently, when using the virtiofs feature to provide a host - directory to a virtual machine (VM), mounting the directory on the VM fails with an "Operation - not supported" error if the VM is using a RHEL 8.4 (or earlier) kernel but a RHEL 8.5 (or later) - selinux-policy package. -

-
-

- To work around this problem, reboot the guest and boot it into the latest available kernel on the - guest. -

-

- (BZ#1995558) -

-
-
-
-
-
-

10.16. RHEL in cloud environments

-
-
-
-
-

kdump sometimes does not start on Azure and Hyper-V

-

- On RHEL 8 guest operating systems hosted on the Microsoft Azure or Hyper-V hypervisors, starting - the kdump kernel in some cases fails when post-exec notifiers are - enabled. -

-
-

- To work around this problem, disable crash kexec post notifiers: -

-
# echo N > /sys/module/kernel/parameters/crash_kexec_post_notifiers
-

- (BZ#1865745) -

-
-

Setting static IP in a RHEL 8 virtual machine on a VMWare host does not - work

-

- Currently, when using RHEL 8 as a guest operating system of a virtual machine (VM) on a VMWare - host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then - reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- (BZ#1750862) -

-
-

Core dumping RHEL 8 virtual machines with certain NICs to a remote machine - on Azure takes longer than expected

-

- Currently, using the kdump utility to save the core dump file of a - RHEL 8 virtual machine (VM) on a Microsoft Azure hypervisor to a remote machine does not work - correctly when the VM is using a NIC with enabled accelerated networking. As a consequence, the - dump file is saved after approximately 200 seconds, instead of immediately. In addition, the - following error message is logged on the console before the dump file is saved. -

-
-
device (eth0): linklocal6: DAD failed for an EUI-64 address
-

- (BZ#1854037) -

-
-

The nm-cloud-setup utility sets an incorrect - default route on Microsoft Azure

-

- On Microsoft Azure, the nm-cloud-setup utility fails to detect the - correct gateway of the cloud environment. As a consequence, the utility sets an incorrect - default route, and breaks connectivity. There is no workaround available at the moment. -

-
-

- (BZ#1912236) -

-
-

The SCSI host address sometimes changes when booting a Hyper-V VM with - multiple guest disks

-

- Currently, when booting a RHEL 8 virtual machine (VM) on the Hyper-V hypervisor, the host - portion of the Host, Bus, Target, Lun (HBTL) SCSI address - in some cases changes. As a consequence, automated tasks set up with the HBTL SCSI - identification or device node in the VM do not work consistently. This occurs if the VM has more - than one disk or if the disks have different sizes. -

-
-

- To work around the problem, modify your kickstart files, using one of the following methods: -

-

- Method 1: Use persistent identifiers for SCSI - devices. -

-

- You can use for example the following powershell script to determine the specific device - identifiers: -

-
# Output what the /dev/disk/by-id/<value> for the specified hyper-v virtual disk.
-# Takes a single parameter which is the virtual disk file.
-# Note: kickstart syntax works with and without the /dev/ prefix.
-param (
-    [Parameter(Mandatory=$true)][string]$virtualdisk
-)
-
-$what = Get-VHD -Path $virtualdisk
-$part = $what.DiskIdentifier.ToLower().split('-')
-
-$p = $part[0]
-$s0 = $p[6] + $p[7] + $p[4] + $p[5] + $p[2] + $p[3] + $p[0] + $p[1]
-
-$p = $part[1]
-$s1 =  $p[2] + $p[3] + $p[0] + $p[1]
-
-[string]::format("/dev/disk/by-id/wwn-0x60022480{0}{1}{2}", $s0, $s1, $part[4])
-

- You can use this script on the hyper-v host, for example as follows: -

-
PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_8.vhdx
-/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_9.vhdx
-/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-

- Afterwards, the disk values can be used in the kickstart file, for example as follows: -

-
part / --fstype=xfs --grow --asprimary --size=8192 --ondisk=/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-part /home --fstype="xfs" --grow --ondisk=/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-

- As these values are specific for each virtual disk, the configuration needs to be done for each VM - instance. It may, therefore, be useful to use the %include syntax to - place the disk information into a separate file. -

-

- Method 2: Set up device selection by size. -

-

- A kickstart file that configures disk selection based on size must include lines similar to the - following: -

-
...
-
-# Disk partitioning information is supplied in a file to kick start
-%include /tmp/disks
-
-...
-
-# Partition information is created during install using the %pre section
-%pre --interpreter /bin/bash --log /tmp/ks_pre.log
-
-	# Dump whole SCSI/IDE disks out sorted from smallest to largest ouputting
-	# just the name
-	disks=(`lsblk -n -o NAME -l -b -x SIZE -d -I 8,3`) || exit 1
-
-	# We are assuming we have 3 disks which will be used
-	# and we will create some variables to represent
-	d0=${disks[0]}
-	d1=${disks[1]}
-	d2=${disks[2]}
-
-	echo "part /home --fstype="xfs" --ondisk=$d2 --grow" >> /tmp/disks
-	echo "part swap --fstype="swap" --ondisk=$d0 --size=4096" >> /tmp/disks
-	echo "part / --fstype="xfs" --ondisk=$d1 --grow" >> /tmp/disks
-	echo "part /boot --fstype="xfs" --ondisk=$d1 --size=1024" >> /tmp/disks
-
-%end
-

- (BZ#1906870) -

-
-

RHEL 8 virtual machines have lower network performance on AWS ARM64 - instances

-

- When using RHEL 8 as a guest operating system in a virtual machine (VM) that runs on an Amazon - Web Services (AWS) ARM64 instance, the VM has lower than expected network performance when the - iommu.strict=1 kernel parameter is used or when no iommu.strict parameter is defined. -

-
-

- To work around this problem, change the parameter to iommu.strict=0. - However, this can also decrease the security of the VM. -

-

- (BZ#1836058) -

-
-

Hibernating RHEL 8 guests fails when FIPS mode is enabled

-

- Currently, it is not possible to hibernate a virtual machine (VM) that uses RHEL 8 as its guest - operating system if the VM is using FIPS mode. -

-
-

- (BZ#1934033, BZ#1944636) -

-
-

SSH keys are not generated correctly on EC2 instanced created from a backup - AMI

-

- Currently, when creating a new Amazon EC2 instance of RHEL 8 from a backup Amazon Machine Image - (AMI), cloud-init deletes existing SSH keys on the VM but does not - create new ones. Consequently, the VM in some cases cannot connect to the host. -

-
-

- To work around this problem, edit the cloud.cgf file and change the - "ssh_genkeytypes: ~" line to ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']. -

-

- This makes it possible for SSH keys to be deleted and generated correctly when provisioning a RHEL 8 - VM in the described circumstances. -

-

- (BZ#1957532) -

-
-

SSH keys are not generated correctly on EC2 instanced created from a backup - AMI

-

- Currently, when creating a new Amazon EC2 instance of RHEL 8 from a backup Amazon Machine Image - (AMI), cloud-init deletes existing SSH keys on the VM but does not - create new ones. Consequently, the VM in some cases cannot connect to the host. -

-
-

- To work around this problem, edit the cloud.cgf file and change the - "ssh_genkeytypes: ~" line to ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']. -

-

- This makes it possible for SSH keys to be deleted and generated correctly when provisioning a RHEL 8 - VM in the described circumstances. -

-

- (BZ#1963981) -

-
-
-
-
-
-

10.17. Supportability

-
-
-
-
-

redhat-support-tool does not work with the - FUTURE crypto policy

-

- Because a cryptographic key used by a certificate on the Customer Portal API does not meet the - requirements by the FUTURE system-wide cryptographic policy, the - redhat-support-tool utility does not work with this policy level at - the moment. -

-
-

- To work around this problem, use the DEFAULT crypto policy while - connecting to the Customer Portal API. -

-

- (BZ#1802026) -

-
-
-
-
-
-
-

Chapter 11. Internationalization

-
-
-
-
-
-
-
-

11.1. Red Hat Enterprise Linux 8 international languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangul -

-
-
-
-
-
-
-
-

11.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • - Internationalization is distributed in multiple packages, which allows for smaller footprint - installations. For more information, see Using - langpacks. -
  • -
  • - A number of glibc locales have been synchronized with Unicode - Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA IDs are listed in this document for reference. Bugzilla bugs that are publicly - accessible include a link to the ticket. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- BZ#1859301, BZ#1862529, BZ#1859218, BZ#1850275, BZ#1851975 -

-
-

- KVM Hypervisor -

-
-

- JIRA:RHELPLAN-44450 -

-
-

- NetworkManager -

-
-

- BZ#1900260, BZ#1878783, BZ#1766944, BZ#1912236 -

-
-

- OpenIPMI -

-
-

- BZ#1796588 -

-
-

- SLOF -

-
-

- BZ#1910848 -

-
-

- accel-config -

-
-

- BZ#1843266 -

-
-

- anaconda -

-
-

- BZ#1890009, BZ#1874394, - BZ#1642391, BZ#1609325, BZ#1854307, BZ#1821192, BZ#1822880, BZ#1914955, - BZ#1847681, BZ#1903786, BZ#1931069, - BZ#1954408, BZ#1897657 -

-
-

- apr -

-
-

- BZ#1819607 -

-
-

- authselect -

-
-

- BZ#1892761 -

-
-

- bcc -

-
-

- BZ#1879411 -

-
-

- bind -

-
-

- BZ#1876492, BZ#1882040, BZ#1854148 -

-
-

- bpftrace -

-
-

- BZ#1879413 -

-
-

- clevis -

-
-

- BZ#1887836, BZ#1853651 -

-
-

- cloud-init -

-
-

- BZ#1886430, BZ#1750862, BZ#1957532, BZ#1963981 -

-
-

- cmake -

-
-

- BZ#1816874 -

-
-

- cockpit -

-
-

- BZ#1666722 -

-
-

- corosync-qdevice -

-
-

- BZ#1784200 -

-
-

- corosync -

-
-

- BZ#1870449 -

-
-

- createrepo_c -

-
-

- BZ#1795936, - BZ#1894361 -

-
-

- crun -

-
-

- BZ#1841438 -

-
-

- crypto-policies -

-
-

- BZ#1919155, BZ#1660839 -

-
-

- dhcp -

-
-

- BZ#1883999 -

-
-

- distribution -

-
-

- BZ#1877430, BZ#1855776, BZ#1855781, BZ#1657927 -

-
-

- dnf -

-
-

- BZ#1865803, BZ#1807446, BZ#1698145 -

-
-

- dwarves -

-
-

- BZ#1903566 -

-
-

- dyninst -

-
-

- BZ#1892001, BZ#1892007 -

-
-

- edk2 -

-
-

- BZ#1935497 -

-
-

- elfutils -

-
-

- BZ#1875318, BZ#1879758 -

-
-

- fapolicyd -

-
-

- BZ#1940289, BZ#1896875, BZ#1887451 -

-
-

- fence-agents -

-
-

- BZ#1775847 -

-
-

- freeipmi -

-
-

- BZ#1861627 -

-
-

- freeradius -

-
-

- BZ#1723362 -

-
-

- gcc -

-
-

- BZ#1868446, - BZ#1821994, BZ#1850498, BZ#1656139, BZ#1891998 -

-
-

- gdb -

-
-

- BZ#1853140 -

-
-

- ghostscript -

-
-

- BZ#1874523 -

-
-

- glibc -

-
-

- BZ#1868106, BZ#1871397, BZ#1880670, - BZ#1882466, BZ#1871396, BZ#1893662, - BZ#1817513, BZ#1871385, BZ#1871387, BZ#1871395 -

-
-

- gnome-shell-extensions -

-
-

- BZ#1717947 -

-
-

- gnome-software -

-
-

- BZ#1668760 -

-
-

- gnutls -

-
-

- BZ#1628553 -

-
-

- go-toolset -

-
-

- BZ#1870531 -

-
-

- grafana-container -

-
-

- BZ#1916154 -

-
-

- grafana-pcp -

-
-

- BZ#1845592, BZ#1854093 -

-
-

- grafana -

-
-

- BZ#1850471 -

-
-

- grub2 -

-
-

- BZ#1583445 -

-
-

- httpd -

-
-

- BZ#1869576, BZ#1883648 -

-
-

- hwloc -

-
-

- BZ#1841354, BZ#1917560 -

-
-

- ima-evm-utils -

-
-

- BZ#1868683 -

-
-

- ipa -

-
-

- BZ#1891056, BZ#1340463, BZ#1816784, BZ#1924707, BZ#1664719, BZ#1664718 -

-
-

- iproute -

-
-

- BZ#1849815 -

-
-

- iptraf-ng -

-
-

- BZ#1842690, BZ#1906097 -

-
-

- jmc -

-
-

- BZ#1919283 -

-
-

- kernel-rt -

-
-

- BZ#1858099 -

-
-

- kernel -

-
-

- BZ#1806882, BZ#1846838, BZ#1884857, BZ#1876527, BZ#1660290, BZ#1885850, BZ#1649647, - BZ#1838876, BZ#1871246, BZ#1893882, BZ#1876519, BZ#1860031, BZ#1844416, BZ#1780258, - BZ#1851933, BZ#1885406, BZ#1867490, BZ#1908893, BZ#1919745, BZ#1867910, BZ#1887940, - BZ#1874005, BZ#1871214, BZ#1622041, BZ#1533270, BZ#1900674, BZ#1869758, BZ#1861261, - BZ#1848427, BZ#1847567, BZ#1844157, BZ#1844111, BZ#1811839, BZ#1877019, BZ#1548297, - BZ#1844086, BZ#1839055, BZ#1905088, BZ#1882620, BZ#1784246, BZ#1916583, BZ#1924230, - BZ#1793389, BZ#1944639, BZ#1694705, BZ#1748451, BZ#1654962, BZ#1708456, BZ#1812577, - BZ#1666538, BZ#1602962, BZ#1609288, BZ#1730502, BZ#1865745, BZ#1868526, BZ#1910358, - BZ#1924016, BZ#1906870, BZ#1940674, BZ#1930576, BZ#1907271, BZ#1942888, BZ#1836058, - BZ#1934033, BZ#1519039, BZ#1627455, BZ#1501618, BZ#1495358, BZ#1633143, BZ#1570255, - BZ#1814836, BZ#1696451, BZ#1348508, BZ#1839311, BZ#1783396, JIRA:RHELPLAN-57712, - BZ#1837187, BZ#1904496, BZ#1660337, BZ#1665295, BZ#1569610 -

-
-

- kexec-tools -

-
-

- BZ#1844941, BZ#1931266, BZ#1854037 -

-
-

- kmod-redhat-oracleasm -

-
-

- BZ#1827015 -

-
-

- kpatch -

-
-

- BZ#1798711 -

-
-

- krb5 -

-
-

- BZ#1877991 -

-
-

- libbpf -

-
-

- BZ#1919345 -

-
-

- libgnome-keyring -

-
-

- BZ#1607766 -

-
-

- libguestfs -

-
-

- BZ#1554735 -

-
-

- libmpc -

-
-

- BZ#1835193 -

-
-

- libpcap -

-
-

- BZ#1743650 -

-
-

- libpwquality -

-
-

- BZ#1537240 -

-
-

- libreswan -

-
-

- BZ#1891128, - BZ#1372050, BZ#1025061, BZ#1934058, BZ#1934859 -

-
-

- libselinux-python-2.8-module -

-
-

- BZ#1666328 -

-
-

- libselinux -

-
-

- BZ#1879368 -

-
-

- libsemanage -

-
-

- BZ#1913224 -

-
-

- libvirt -

-
-

- BZ#1664592, BZ#1332758, - BZ#1528684 -

-
-

- libvpd -

-
-

- BZ#1844429 -

-
-

- llvm-toolset -

-
-

- BZ#1892716 -

-
-

- lvm2 -

-
-

- BZ#1496229, BZ#1768536 -

-
-

- mariadb-connector-odbc -

-
-

- BZ#1944692 -

-
-

- mariadb -

-
-

- BZ#1936842, BZ#1944653, BZ#1942330 -

-
-

- mesa -

-
-

- BZ#1886147 -

-
-

- micropipenv -

-
-

- BZ#1849096 -

-
-

- mod_fcgid -

-
-

- BZ#1876525 -

-
-

- mod_security -

-
-

- BZ#1824859 -

-
-

- mutter -

-
-

- BZ#1886034 -

-
-

- mysql-selinux -

-
-

- BZ#1895021 -

-
-

- net-snmp -

-
-

- BZ#1817190 -

-
-

- nfs-utils -

-
-

- BZ#1592011 -

-
-

- nispor -

-
-

- BZ#1848817 -

-
-

- nmstate -

-
-

- BZ#1674456 -

-
-

- nss_nis -

-
-

- BZ#1803161 -

-
-

- nss -

-
-

- BZ#1817533, - BZ#1645153 -

-
-

- opal-prd -

-
-

- BZ#1844427 -

-
-

- opencryptoki -

-
-

- BZ#1847433 -

-
-

- opencv -

-
-

- BZ#1886310 -

-
-

- openmpi -

-
-

- BZ#1866402 -

-
-

- opensc -

-
-

- BZ#1877973, BZ#1947025 -

-
-

- openscap -

-
-

- BZ#1824152, BZ#1887794, BZ#1840579 -

-
-

- openssl -

-
-

- BZ#1810911 -

-
-

- osbuild-composer -

-
-

- BZ#1951964 -

-
-

- oscap-anaconda-addon -

-
-

- BZ#1843932, - BZ#1665082, BZ#1674001, - BZ#1691305, BZ#1834716 -

-
-

- p11-kit -

-
-

- BZ#1887853 -

-
-

- pacemaker -

-
-

- BZ#1371576, BZ#1948620 -

-
-

- pcp-container -

-
-

- BZ#1916155 -

-
-

- pcp -

-
-

- BZ#1854035, BZ#1847808 -

-
-

- pcs -

-
-

- BZ#1869399, BZ#1741056, BZ#1667066, BZ#1667061, BZ#1457314, BZ#1839637, - BZ#1619620, BZ#1851335 -

-
-

- perl-IO-String -

-
-

- BZ#1890998 -

-
-

- perl-Time-HiRes -

-
-

- BZ#1895852 -

-
-

- pki-core -

-
-

- BZ#1868233, BZ#1729215 -

-
-

- podman -

-
-

- BZ#1734854, BZ#1881894, BZ#1932083 -

-
-

- policycoreutils -

-
-

- BZ#1868717, BZ#1926386 -

-
-

- popt -

-
-

- BZ#1843787 -

-
-

- postfix -

-
-

- BZ#1688389, BZ#1711885 -

-
-

- powerpc-utils -

-
-

- BZ#1853297 -

-
-

- py3c -

-
-

- BZ#1841060 -

-
-

- pyOpenSSL -

-
-

- BZ#1629914 -

-
-

- pykickstart -

-
-

- BZ#1637872 -

-
-

- pyodbc -

-
-

- BZ#1881490 -

-
-

- python-PyMySQL -

-
-

- BZ#1820628 -

-
-

- python-blivet -

-
-

- BZ#1656485 -

-
-

- qemu-kvm -

-
-

- BZ#1790620, BZ#1719687, BZ#1860743, BZ#1740002, - BZ#1651994 -

-
-

- quota -

-
-

- BZ#1868671 -

-
-

- rear -

-
-

- BZ#1729499, - BZ#1898080, BZ#1832394 -

-
-

- redhat-support-tool -

-
-

- BZ#1802026 -

-
-

- redis -

-
-

- BZ#1862063 -

-
-

- resource-agents -

-
-

- BZ#1471182 -

-
-

- rhel-system-roles -

-
-

- BZ#1865990, BZ#1926947, BZ#1889484, BZ#1927943, BZ#1893712, BZ#1893743, BZ#1893906, BZ#1893908, BZ#1895188, BZ#1893696, BZ#1893699, BZ#1889893, BZ#1893961 -

-
-

- rpm -

-
-

- BZ#1834931, BZ#1923167, BZ#1688849 -

-
-

- rshim -

-
-

- BZ#1744737 -

-
-

- rsyslog -

-
-

- BZ#1869874, - JIRA:RHELPLAN-10431, BZ#1679512 -

-
-

- rust-toolset -

-
-

- BZ#1896712 -

-
-

- samba -

-
-

- BZ#1878109, - JIRA:RHELPLAN-13195, Jira:RHELDOCS-16612 -

-
-

- scap-security-guide -

-
-

- BZ#1889344, BZ#1927019, BZ#1918742, BZ#1778188, BZ#1843913, BZ#1858866, BZ#1750755 -

-
-

- scap-workbench -

-
-

- BZ#1877522 -

-
-

- selinux-policy -

-
-

- BZ#1889673, BZ#1860443, BZ#1931848, - BZ#1461914 -

-
-

- sendmail -

-
-

- BZ#1868041 -

-
-

- setroubleshoot -

-
-

- BZ#1875290, - BZ#1794807 -

-
-

- skopeo -

-
-

- BZ#1940854 -

-
-

- sos -

-
-

- BZ#1966838 -

-
-

- spamassassin -

-
-

- BZ#1822388 -

-
-

- spice -

-
-

- BZ#1849563 -

-
-

- sssd -

-
-

- BZ#1819012, BZ#1884196, BZ#1884213, BZ#1784459, BZ#1893698, BZ#1881992 -

-
-

- stalld -

-
-

- BZ#1875037 -

-
-

- stratisd -

-
-

- BZ#1798244, BZ#1868100 -

-
-

- subscription-manager -

-
-

- BZ#1905398 -

-
-

- subversion -

-
-

- BZ#1844947 -

-
-

- sudo -

-
-

- BZ#1786990 -

-
-

- swig -

-
-

- BZ#1853639 -

-
-

- systemd -

-
-

- BZ#1827462 -

-
-

- systemtap -

-
-

- BZ#1875341 -

-
-

- tang-container -

-
-

- BZ#1913310 -

-
-

- tang -

-
-

- BZ#1828558 -

-
-

- texlive -

-
-

- BZ#1889802 -

-
-

- tpm2-abrmd -

-
-

- BZ#1855177 -

-
-

- tuned -

-
-

- BZ#1874052 -

-
-

- udica -

-
-

- BZ#1763210 -

-
-

- unbound -

-
-

- BZ#1850460 -

-
-

- usbguard -

-
-

- BZ#1887448, BZ#1940060 -

-
-

- valgrind -

-
-

- BZ#1504123, BZ#1937340 -

-
-

- virtio-win -

-
-

- BZ#1861229 -

-
-

- wayland -

-
-

- BZ#1673073 -

-
-

- xdp-tools -

-
-

- BZ#1880268 -

-
-

- xfsprogs -

-
-

- BZ#1949743 -

-
-

- xorg-x11-drv-qxl -

-
-

- BZ#1642887 -

-
-

- xorg-x11-server -

-
-

- BZ#1698565 -

-
-

- other -

-
-

- BZ#1839151, BZ#1780124, - JIRA:RHELPLAN-59941, JIRA:RHELPLAN-59938, JIRA:RHELPLAN-59950, BZ#1952421, - JIRA:RHELPLAN-37817, BZ#1918055, JIRA:RHELPLAN-56664, JIRA:RHELPLAN-56661, - JIRA:RHELPLAN-39843, BZ#1925192, - JIRA:RHELPLAN-73418, JIRA:RHELPLAN-63081, BZ#1935686, BZ#1634655, - JIRA:RHELPLAN-56782, JIRA:RHELPLAN-72660, JIRA:RHELPLAN-72994, JIRA:RHELPLAN-37579, - BZ#1952161, BZ#1640697, BZ#1659609, BZ#1687900, - BZ#1697896, JIRA:RHELPLAN-59111, BZ#1757877, BZ#1777138, JIRA:RHELPLAN-27987, - JIRA:RHELPLAN-28940, JIRA:RHELPLAN-34199, JIRA:RHELPLAN-57914, BZ#1897383, - BZ#1741436, BZ#1971061, - JIRA:RHELPLAN-58629, BZ#1960412, - BZ#1959020, BZ#1690207, JIRA:RHELPLAN-1212, BZ#1559616, BZ#1889737, BZ#1812552, - JIRA:RHELPLAN-14047, BZ#1769727, - JIRA:RHELPLAN-27394, JIRA:RHELPLAN-27737, JIRA:RHELPLAN-56659, BZ#1906489, BZ#1957316, BZ#1960043, - BZ#1642765, JIRA:RHELPLAN-10304, BZ#1646541, BZ#1647725, BZ#1932222, BZ#1686057, BZ#1748980, - JIRA:RHELPLAN-71200, BZ#1827628, JIRA:RHELPLAN-45858, BZ#1871025, BZ#1871953, - BZ#1874892, BZ#1893767, - BZ#1916296, BZ#1926114, - BZ#1904251, JIRA:RHELPLAN-59825, BZ#1920624, - JIRA:RHELPLAN-70700, BZ#1929173 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.3-6
-
-

- Thu May 23 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.3-5
-
-

- Thu May 9 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.3-4
-
-

- Thu May 9 2024, Gabriela Fialova (gfialova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#1730502 - (Storage). -
  • -
-
-
-
0.3-3
-
-

- Thu Feb 29 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.3-2
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.3-1
-
-

- Tue Nov 7 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Fix broken links. -
  • -
-
-
-
0.3-0
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-9
-
-

- September 8 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
- -
-
-
0.2-8
-
-

- Fri Aug 11 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2227218 - (Installer and image creation). -
  • -
-
-
-
0.2-7
-
-

- Thu Apr 27 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-6
-
-

- Thu Apr 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Fixed 2 broken links in DFs and KIs. -
  • -
-
-
-
0.2-5
-
-

- Thu Dec 08, 2022, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2132754 - (Networking). -
  • -
-
-
-
0.2-4
-
-

- Thu Jun 09, Lucie Vařáková (lmanasko@redhat.com) -

-
-
    -
  • - Added a new feature BZ#1996076 - (Identity Management). -
  • -
-
-
-
0.2-3
-
-

- Fri Apr 29, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.2-2
-
-

- Thu Mar 24 2022, Jaroslav Klech (jklech@redhat.com) -

-
- -
-
-
0.2-1
-
-

- Mon Mar 21 2022, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Removed a known issue (Kernel). -
  • -
-
-
-
0.2-0
-
-

- Fri Feb 04 2022, Jaroslav Klech (jklech@redhat.com) -

-
- -
-
-
0.1-9
-
-

- Thu Jan 20 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2028361 - (Installer and image creation). -
  • -
-
-
-
0.1-8
-
-

- Thu Dec 23 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about the Soft-RoCE driver, rdma_rxe, - to Technology Previews BZ#1605216 and - Deprecated Functionality BZ#1878207 (Kernel). -
  • -
-
-
-
0.1-7
-
-

- Wed Dec 22 29 2021, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.1-6
-
-

- Thu Oct 29 2021, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Updated the fw_devlink parameter (Important changes to - external kernel parameters). -
  • -
-
-
-
0.1-5
-
-

- Thu Oct 07 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated the known issue BZ#1942330 (Dynamic - programming languages, web and database servers). -
  • -
-
-
-
0.1-4
-
-

- Tue Oct 05 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added deprecated functionality BZ#1999620 (Shells and - command-line tools). -
  • -
-
-
-
0.1-3
-
-

- Fri Sep 17 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added known issue BZ#1987087 - (Installer). -
  • -
-
-
-
0.1-2
-
-

- Tue Sep 07 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated the known issue BZ#1961722 - (Virtualization). -
  • -
-
-
-
0.1-1
-
-

- Fri Sep 03 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Updated the known issue BZ#1995558 - (Virtualization). -
  • -
-
-
-
0.1-0
-
-

- Mon Aug 30 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#1995558 - (Virtualization). -
  • -
  • - Added a bug fix BZ#1940854 - (Containers). -
  • -
-
-
-
0.0-9
-
-

- Fri Aug 20 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
- -
-
-
0.0-8
-
-

- Tue Aug 10 2021, Lucie Manásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated new feature BZ#1905398 (RHEL in - cloud environents). -
  • -
-
-
-
0.0-7
-
-

- Tue Aug 03 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added known issue BZ#1935722 - (Installer and image creation). -
  • -
  • - Added known issue BZ#1961722 - (Virtualization). -
  • -
-
-
-
0.0-6
-
-

- Fri Jul 23 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added known issue BZ#1924230 - (Security). -
  • -
  • - Added known issue BZ#1957768 - (Identity Management). -
  • -
-
-
-
0.0-5
-
-

- Fri Jul 16 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added known issue BZ#1959020 - (Virtualization). -
  • -
  • - Added known issue BZ#1963981 - (RHEL in cloud environments). -
  • -
  • - Added new feature BZ#1340463 (Identity - Management). -
  • -
  • - Removed invalid release note and its revision history entry. -
  • -
-
-
-
0.0-4
-
-

- Wed Jun 23 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added new feature BZ#1966838 (Supportability). -
  • -
  • - Updated Deprecated devices with sfc. -
  • -
  • - Other small improvements. -
  • -
-
-
-
0.0-3
-
-

- Wed Jun 16 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added deprecated functionality BZ#1929173 (Networking). -
  • -
  • - Added deprecated functionality BZ#1920624 (Compilers and development - tools). -
  • -
  • - Added new feature JIRA:RHELPLAN-63081 (Identity Management). -
  • -
  • - Added known issue BZ#1949743 - (File systems and storage). -
  • -
  • - Added know inssue BZ#1332758 - (Virtualization). -
  • -
  • - Added known issue BZ#1957532 - (RHEL in cloud environments). -
  • -
  • - Other small improvements. -
  • -
-
-
-
0.0-2
-
-

- Fri Jun 04 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Fixed the BZ#1849815 - note. -
  • -
  • - Various formatting improvements. -
  • -
-
-
-
0.0-1
-
-

- Wed May 18 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.4 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Wed Mar 31 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.4 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
- diff --git a/app/data/8.5.html b/app/data/8.5.html deleted file mode 100644 index 3cccbdc..0000000 --- a/app/data/8.5.html +++ /dev/null @@ -1,19046 +0,0 @@ - -
-
-
-
Red Hat Enterprise Linux 8.5
-
-

Release Notes for Red Hat Enterprise Linux 8.5

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.5 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your input on our documentation. Please let us know how we could make it better. To do so: -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 8.5

-
-
-
-

Installer and image creation

-

- In RHEL 8.5, Image Builder supports the following features: -

-
-
    -
  • - Ability to customize filesystem configuration. -
  • -
  • - Ability to override official repositories available -
  • -
  • - Ability to create bootable installer images and install them to a bare metal system. -
  • -
-
-

- For more information, see Section 4.1, “Installer and image creation”. -

-

RHEL for Edge

-

- RHEL 8.5 introduces RHEL for Edge Simplified Installer image, optimized for unattended installation - to a device, and provisioning the image to a RHEL for Edge image. -

-

- For more information, see Section 4.2, “RHEL for Edge”. -

-

Security

-

- The system-wide cryptographic policies support - scopes and wildcards for directives in custom policies. You can now enable different sets of - algorithms for different back ends. -

-

- The Rsyslog log processing application has been - updated to version 8.2102.0-5. This update introduces, among other improvements, the OpenSSL network - stream driver. This implements TLS-protected - transport using the OpenSSL library into Rsyslog. -

-

- The SCAP Security Guide project now includes - several new profiles and improvements of existing profiles: -

-
-
    -
  • - A new profile aligned with the Australian Cyber Security Centre Information Security Manual - (ACSC ISM). -
  • -
  • - The Center for Internet Security (CIS) profile restructured into four different profiles - (Workstation Level 1, Workstation Level 2, Server Level 1, Server Level 2). -
  • -
  • - The Security Technical Implementation Guide (STIG) security profile updated to version V1R3. -
  • -
  • - A new STIG profile compatible with Server with GUI - installations. -
  • -
  • - A new French National Security Agency (ANSSI) High Level profile, which completes the - availability of profiles for all ANSSI-BP-028 v1.2 hardening levels in the SCAP Security Guide. -
  • -
-
-

- With these enhancements, you can install a system that conforms with one of these security baselines - and use the OpenSCAP suite for checking security - compliance and remediation using the risk-based approach for security controls defined by the - relevant authorities. -

-

- See New features - Security - for more information. -

-

- The new RHEL VPN System Role makes it easier to - set up secure and properly configured IPsec tunneling and virtual private networking (VPN) solutions - on large numbers of hosts. For more information, see New Features - Red Hat Enterprise Linux - System Roles. -

-

Networking

-

- NetworkManager now supports configuring a device to accept all traffic. You can configure this - feature using, for example, the nmcli utility. -

-

- The firewalld service supports forwarding traffic between different - interfaces or sources within a zone. -

-

- The firewalld service supports filtering traffic that is forwarded - between zones. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following components are now available as new module streams: -

-
-
    -
  • - Ruby 3.0 -
  • -
  • - nginx 1.20 -
  • -
  • - Node.js 16 -
  • -
-
-

- The following components have been upgraded: -

-
-
    -
  • - PHP to version 7.4.19 -
  • -
  • - Squid to version 4.15 -
  • -
  • - Mutt to version 2.0.7 -
  • -
-
-

- See New features - Dynamic - programming languages, web and database servers for more information. -

-

Compilers and development tools

-

- The following compiler toolsets have been updated: -

-
-
    -
  • - GCC Toolset 11 -
  • -
  • - LLVM Toolset 12.0.1 -
  • -
  • - Rust Toolset 1.54.0 -
  • -
  • - Go Toolset 1.16.7 -
  • -
-
-

- See New features - Compilers and development tools - for more information. -

-
OpenJDK updates
-
-
    -
  • - Open Java Development Kit 17 (OpenJDK 17) is now available. For more information about the - features introduced in this release and changes in the existing functionality, see OpenJDK - documentation. -
  • -
  • - OpenJDK 11 has been updated to version 11.0.13. For more information about the features - introduced in this release and changes in the existing functionality, see OpenJDK documentation. -
  • -
  • - OpenJDK 8 has been updated to version 8.0.312. For more information about the features - introduced in this release and changes in the existing functionality, see OpenJDK documentation. -
  • -
-
-

Red Hat Enterprise Linux System Roles

-

- The Postfix RHEL System Role is fully supported. -

-

- The Network Time Security (NTS) option is now added to the Timesync RHEL System Role. -

-

- The Storage RHEL System Role now supports LVM - VDO volumes and expresses volume sizes as a percentage. -

-

- The new RHEL VPN System Role makes it easier to - set up secure and properly configured IPsec tunneling and virtual private networking (VPN) solutions - on large numbers of hosts. -

-

- High Availability Cluster RHEL System Role is - available as a Technology Preview for the 8.5 GA Release. -

-

- See New features - Red Hat Enterprise Linux - System Roles and Technology Previews - Red Hat Enterprise - Linux System Roles for more information. -

-
-
-
-
-
-

1.2. In-place upgrade and OS conversion

-
-
-
-

In-place upgrade from RHEL 7 to RHEL 8

-

- The supported in-place upgrade paths currently are: -

-
-
    -
  • - From RHEL 7.9 to RHEL 8.4 on the 64-bit Intel, IBM POWER 8 (little endian), and IBM Z - architectures -
  • -
  • - From RHEL 7.6 to RHEL 8.4 on architectures that require kernel version 4.14: IBM POWER 9 - (little endian) and IBM Z (Structure A). This is the final in-place upgrade path for these - architectures. -
  • -
  • - From RHEL 7.7 to RHEL 8.2 on systems with SAP HANA. To ensure your system with SAP HANA - remains supported after upgrading to RHEL 8.2, enable the RHEL 8.2 Update Services for SAP - Solutions (E4S) repositories. -
  • -
-
-

- To ensure your system remains supported after upgrading to RHEL 8.4, either update to the latest - RHEL 8.5 version or ensure that the RHEL 8.4 Extended Update Support (EUS) repositories have been - enabled. On systems with SAP HANA, enable the RHEL 8.2 Update Services for SAP Solutions (E4S) - repositories. -

-

- For more information, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. For instructions on performing an in-place upgrade, see Upgrading - from RHEL 7 to RHEL 8. For instructions on performing an in-place upgrade on systems with - SAP environments, see How to - in-place upgrade SAP environments from RHEL 7 to RHEL 8. -

-

- Notable enhancements include: -

-
-
    -
  • - It is now possible to perform an in-place upgrade with SAP HANA on Pay-As-You-Go instances - on AWS with Red Hat Update Infrastructure (RHUI). -
  • -
  • - It is now possible to enable EUS or E4S repositories during the in-place upgrade. -
  • -
  • - The Leapp utility can now be installed using the yum install leapp-upgrade command. As part of this change, the - leapp-repository and leapp-repository-deps RPM packages have been renamed leapp-upgrade-el7toel8 and leapp-upgrade-el7toel8-deps respectively. If the old packages are - already installed on your system, they will be automatically replaced by the new packages - when you run yum update. -
  • -
  • - Leapp reports, logs, and other generated documentation are in English, regardless of the - language configuration. -
  • -
  • - After the upgrade, leftover Leapp packages must be manually removed from the exclude list in - the /etc/dnf/dnf.conf configuration file before they can be - removed from the system. -
  • -
  • - The repomap.csv file, which is located in the leapp-data15.tar.gz archive, has been deprecated and has been - replaced with the repomap.json file. The deprecated file will - remain available until March 2022. -
  • -
  • - The IBM POWER 9 (little endian) and IBM Z (Structure A) architectures have reached end of - life. Subsequent releases to the in-place upgrade, including new upgrade paths, features, - and bug fixes, will not include these architectures. -
  • -
-
-

In-place upgrade from RHEL 6 to RHEL 8

-

- To upgrade from RHEL 6.10 to RHEL 8.4, follow instructions in Upgrading - from RHEL 6 to RHEL 8. -

-

Conversion from a different Linux - distribution to RHEL

-

- If you are using CentOS Linux 8 or Oracle Linux 8, you can convert your operating system to RHEL 8 - using the Red Hat-supported Convert2RHEL utility. For more - information, see Converting - from an RPM-based Linux distribution to RHEL. -

-

- If you are using an earlier version of CentOS Linux or Oracle Linux, namely versions 6 or 7, you can - convert your operating system to RHEL and then perform an in-place upgrade to RHEL 8. Note that - CentOS Linux 6 and Oracle Linux 6 conversions use the unsupported Convert2RHEL utility. For more information on unsupported conversions, - see How to perform an unsupported - conversion from a RHEL-derived Linux distribution to RHEL. -

-

- For information regarding how Red Hat supports conversions from other Linux distributions to RHEL, - see the Convert2RHEL Support Policy - document. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-
- -
-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.5 is distributed with the kernel version 4.18.0-348, which provides support - for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Binary DVD ISO image is larger than 4.7 GB, and as a result, it might not - fit on a single-layer DVD. A dual-layer DVD or USB key is recommended when using - the Binary DVD ISO image to create bootable installation media. You can also use - the Image Builder tool to create customized RHEL images. For more information - about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 8 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of user - space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.5. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

RHEL for Edge now supports a Simplified Installer

-

- This enhancement enables Image Builder to build the RHEL for Edge Simplified Installer (edge-simplified-installer) and RHEL for Edge Raw Images (edge-raw-image). -

-
-

- RHEL for Edge Simplified Installer enables you to specify a new blueprint option, installation_device and thus, perform an unattended installation to a - device. To create the raw image, you must provide an existing OSTree commit. It results in a raw - image with the existing commit deployed in it. The installer will use this raw image to the - specified installation device. -

-

- Additionally, you can also use Image Builder to build RHEL for Edge Raw Images. These are compressed - raw images that contain a partition layout with an existing deployed OSTree commit in it. You can - install the RHEL for Edge Raw Images to flash on a hard drive or booted in a virtual machine. -

-

- (BZ#1937854) -

-
-

Warnings for deprecated kernel boot arguments

-

- Anaconda boot arguments without the inst. prefix (for example, - ks, stage2, repo and so on) are deprecated starting RHEL7. These arguments will - be removed in the next major RHEL release. -

-
-

- With this release, appropriate warning messages are displayed when the boot arguments are used - without the inst prefix. The warning messages are displayed in dracut when booting the installation and also when the installation - program is started on a terminal. -

-

- Following is a sample warning message that is displayed on a terminal: -

-

- Deprecated boot argument ks must be used with the inst. prefix. Please use inst.ks instead. - Anaconda boot arguments without inst. prefix have been deprecated and - will be removed in a future major release. -

-

- Following is a sample warning message that is displayed in dracut: -

-

- ks has been deprecated. All usage of Anaconda boot arguments without - the inst. prefix have been deprecated and will be removed in a future - major release. Please use inst.ks instead. -

-

- (BZ#1897657) -

-
-

Red Hat Connector is now fully supported

-

- You can connect the system using Red Hat Connector (rhc). Red Hat - Connector consists of a command-line interface and a daemon that allow users to execute Insights - remediation playbook directly on their host within the web user interface of Insights - (console.redhat.com). Red Hat Connector was available as a Technology Preview in RHEL 8.4 and as - of RHEL 8.5, it is fully supported. -

-
-

- (BZ#1957316) -

-
-

Ability to override official repositories available

-

- By default, the osbuild-composer backend has its own set of - official repositories defined in the /usr/share/osbuild-composer/repositories directory. Consequently, it - does not inherit the system repositories located in the /etc/yum.repos.d/ directory. You can now override the official - repositories. To do that, define overrides in the /etc/osbuild-composer/repositories and, as a result, the files - located there take precedence over those in the /usr directory. -

-
-

- (BZ#1915351) -

-
-

Image Builder now supports filesystem configuration

-

- With this enhancement, you can specify custom filesystem configuration in your blueprints and - you can create images with the desired disk layout. As a result, by having non-default layouts, - you can benefit from security benchmarks, consistency with existing setups, performance, and - protection against out-of-disk errors. -

-
-

- To customize the filesystem configuration in your blueprint, set the following customization: -

-
[[customizations.filesystem]]
-mountpoint = "MOUNTPOINT"
-size = MINIMUM-PARTITION-SIZE
-

- (BZ#2011448) -

-
-

Image Builder now supports creating bootable installer images

-

- With this enhancement, you can use Image Builder to create bootable ISO images that consist of a - tarball file, which contains a root file system. As a result, you - can use the bootable ISO image to install the tarball file system - to a bare metal system. -

-
-

- (BZ#2019318) -

-
-
-
-
-
-

4.2. RHEL for Edge

-
-
-
-
-

Greenboot services now enabled by default

-

- Previously, the greenboot services were not present in the default presets so, when the - greenboot package was installed, users had to manually enable these greenboot services. With - this update, the greenboot services are now present in the default presets configuration and - users are no longer required to manually enable it. -

-
-

- (BZ#1935177) -

-
-
-
-
-
-

4.3. Software management

-
-
-
-
-

RPM now has read-only support for the sqlite - database backend

-

- The ability to query an RPM database based on sqlite may be desired - when inspecting other root directories, such as containers.This update adds read-only support - for the RPM sqlite database backend. As a result, it is now - possible to query packages installed in a UBI 9 or Fedora container from the host RHEL 8. To do - that with Podman: -

-
-
-
    -
  1. - Mount the container’s file system with the podman mount - command. -
  2. -
  3. - Run the rpm -qa command with the --root option pointing to the mounted location. -
  4. -
-
-

- Note that RPM on RHEL 8 still uses the BerkeleyDB database (bdb) - backend. -

-

- (BZ#1938928) -

-
-

libmodulemd rebased to version 2.12.1 -

-

- The libmodulemd packages have been rebased to version 2.12.1. - Notable changes include: -

-
-
-
    -
  • - Added support for version 1 of the modulemd-obsoletes document - type, which provides information about a stream obsoleting another one, or a stream reaching - its end of life. -
  • -
  • - Added support for version 3 of the modulemd-packager document - type, which provides a packager description of a module stream content for a module build - system. -
  • -
  • - Added support for the static_context attribute of the version 2 - modulemd document type. With that, a module context is now - defined by a packager instead of being generated by a module build system. -
  • -
  • - Now, a module stream value is always serialized as a quoted string. -
  • -
-
-

- (BZ#1894573) -

-
-

libmodulemd rebased to version 2.13.0 -

-

- The libmodulemd packages have been rebased to version 2.13.0, which - provides the following notable changes over the previous version: -

-
-
-
    -
  • - Added support for delisting demodularized packages from a module. -
  • -
  • - Added support for validating modulemd-packager-v3 documents - with a new --type option of the modulemd-validator tool. -
  • -
  • - Fortified parsing integers. -
  • -
  • - Fixed various modulemd-validator issues. -
  • -
-
-

- (BZ#1984402) -

-
-

sslverifystatus has been added to dnf configuration

-

- With this update, when sslverifystatus option is enabled, dnf checks each server certificate revocation status using the Certificate Status Request TLS extension (OCSP - stapling). As a result, when a revoked certificate is encountered, dnf refuses to download from its server. -

-
-

- (BZ#1814383) -

-
-
-
-
-
-

4.4. Shells and command-line tools

-
-
-
-
-

ReaR has been updated to version 2.6

-

- Relax-and-Recover (ReaR) has been updated to version 2.6. Notable bug fixes and enhancements - include: -

-
-
-
    -
  • - Added support for eMMC devices. -
  • -
  • - By default, all kernel modules are included in the rescue system. To include specific - modules, set the MODULES array variable in the configuration - file as: MODULES=( mod1 mod2 ) -
  • -
  • - On the AMD and Intel 64-bit architectures and on IBM Power Systems, Little Endian, a new - configuration variable GRUB2_INSTALL_DEVICES is introduced to - control the location of the bootloader installation. See the description in /usr/share/rear/conf/default.conf for more details. -
  • -
  • - Improved backup of multipath devices. -
  • -
  • - Files under /media, /run, /mnt, /tmp are automatically - excluded from backups as these directories are known to contain removable media or temporary - files. See the description of the AUTOEXCLUDE_PATH variable in /usr/share/rear/conf/default.conf. -
  • -
  • - CLONE_ALL_USERS_GROUPS=true is now the default. See the - description in /usr/share/rear/conf/default.conf for more - details. -
  • -
-
-

- (BZ#1988493) -

-
-

The modulemd-tools package is now - available

-

- With this update, the modulemd-tools package has been introduced - which provides tools for parsing and generating modulemd YAML - files. -

-
-

- To install modulemd-tools, use: -

-
# yum install modulemd-tools
-

- (BZ#1924850) -

-
-

opencryptoki rebased to version - 3.16.0

-

- opencryptoki has been upgraded to version 3.16.0. Notable bug fixes - and enhancements include: -

-
-
-
    -
  • - Improved the protected-key option and support for the attribute-bound keys in the EP11 - core processor. -
  • -
  • - Improved the import and export of secure key objects in the cycle-count-accurate (CCA) processor. -
  • -
-
-

- (BZ#1919223) -

-
-

lsvpd rebased to version 1.7.12

-

- lsvpd has been upgraded to version 1.7.12. Notable bug fixes and - enhancements include: -

-
-
-
    -
  • - Added the UUID property in sysvpd. -
  • -
  • - Improved the NVMe firmware version. -
  • -
  • - Fixed PCI device manufacturer parsing logic. -
  • -
  • - Added recommends clause to the lsvpd configuration file. -
  • -
-
-

- (BZ#1844428) -

-
-

ppc64-diag rebased to version 2.7.7 -

-

- ppc64-diag has been upgraded to version 2.7.7. Notable bug fixes - and enhancements include: -

-
-
-
    -
  • - Improved unit test cases. -
  • -
  • - Added the UUID property in sysvpd. -
  • -
  • - The rtas_errd service does not run in the Linux containers. -
  • -
  • - The obsolete logging options are no longer available in the systemd service files. -
  • -
-
-

- (BZ#1779206) -

-
-

The ipmi_power and ipmi_boot modules are available in the redhat.rhel_mgmt Collection

-

- This update provides support to the Intelligent Platform Management Interface (IPMI) Ansible modules. IPMI is a - specification for a set of management interfaces to communicate with baseboard management - controller (BMC) devices. The IPMI modules - ipmi_power and ipmi_boot - are available - in the redhat.rhel_mgmt Collection, which you can obtain by - installing the ansible-collection-redhat-rhel_mgmt package. -

-
-

- (BZ#1843859) -

-
-

udftools 2.3 are now added to RHEL -

-

- The udftools packages provide user-space utilities for manipulating - Universal Disk Format (UDF) file systems. With this enhancement, udftools provides the following set of tools: -

-
-
-
    -
  • - cdrwtool - It performs actions like blank, format, quick setup, - and write to the DVD-R/CD-R/CD-RW media. -
  • -
  • - mkfs.udf, mkudffs - It creates a - Universal Disk Format (UDF) filesystem. -
  • -
  • - pktsetup - It sets up and tears down the packet device. -
  • -
  • - udfinfo - It shows information about the Universal Disk Format - (UDF) file system. -
  • -
  • - udflabel - It shows or changes the Universal Disk Format (UDF) - file system label. -
  • -
  • - wrudf - It provides an interactive shell with cp, rm, mkdir, rmdir, ls, and cd operations on the - existing Universal Disk Format (UDF) file system. -
  • -
-
-

- (BZ#1882531) -

-
-

Tesseract 4.1.1 is now present in RHEL - 8.5

-

- Tesseract is an open-source OCR (optical character reading) engine - and has the following features: -

-
-
-
    -
  • - Starting with tesseract version 4, character recognition is - based on Long Short-Term Memory (LSTM) neural networks. -
  • -
  • - Supports UTF-8. -
  • -
  • - Supports plain text, hOCR (HTML), PDF, and TSV output formats. -
  • -
-
-

- (BZ#1826085) -

-
-

Errors when restoring LVM with thin pools do not happen anymore -

-

- With this enhancement, ReaR now detects when thin pools and other logical volume types with - kernel metadata (for example, RAIDs and caches) are used in a volume group (VG) and switches to - a mode where it recreates all the logical volumes (LVs) in the VG using lvcreate commands. - Therefore, LVM with thin pools are restored without any errors. -

-
-
-
Note
-
-

- This new method does not preserve all the LV properties, for example LVM UUIDs. A restore - from the backup should be tested before using ReaR in a Production environment in order to - determine whether the recreated storage layout matches the requirements. -

-
-
-

- (BZ#1747468) -

-
-

Net-SNMP now detects RSA and ECC certificates

-

- Previously, Net-Simple Network Management Protocol (Net-SNMP) detected only Rivest, Shamir, - Adleman (RSA) certificates. This enhancement adds support for Elliptic Curve Cryptography (ECC). - As a result, Net-SNMP now detects RSA and ECC certificates. -

-
-

- (BZ#1919714) -

-
-

FCoE option is changed to rd.fcoe

-

- Previously, the man page for dracut.cmdline documented rd.nofcoe=0 as the command to turn off Fibre Channel over Ethernet - (FCoE). -

-
-

- With this update, the command is changed to rd.fcoe. To disable FCoE, - run the command rd.fcoe=0. -

-

- For further information on FCoE see, Configuring - Fibre Channel over Ethernet -

-

- (BZ#1929201) -

-
-
-
-
-
-

4.5. Infrastructure services

-
-
-
-
-

linuxptp rebased to version 3.1

-

- The linuxptp package has been updated to version 3.1. Notable bug - fixes and enhancements include: -

-
-
-
    -
  • - Added ts2phc program for synchronization of Precision Time - Protocol (PTP) hardware clock to Pulse Per Second (PPS) signal. -
  • -
  • - Added support for the automotive profile. -
  • -
  • - Added support for client event monitoring. -
  • -
-
-

- (BZ#1895005) -

-
-

chrony rebased to version 4.1

-

- chrony has been updated to version 4.1. Notable bug fixes and - enhancements include: -

-
-
-
    -
  • - Added support for Network Time Security (NTS) authentication. For more information, see Overview - of Network Time Security (NTS) in chrony. -
  • -
  • - By default, the Authenticated Network Time Protocol (NTP) sources are trusted over - non-authenticated NTP sources. Add the autselectmode ignore - argument in the chrony.conf file to restore the original - behavior. -
  • -
  • - The support for authentication with RIPEMD keys - RMD128, RMD160, RMD256, RMD320 is no longer - available. -
  • -
  • - The support for long non-standard MACs in NTPv4 packets is no longer available. If you are - using chrony 2.x, non-MD5/SHA1 - keys, you need to configure chrony with the version 3 option. -
  • -
-
-

- (BZ#1895003) -

-
-

PowerTop rebased to version 2.14

-

- PowerTop has been upgraded to version 2.14. This is an update - adding Alder Lake, Sapphire Rapids, and Rocket Lake platforms support. -

-
-

- (BZ#1834722) -

-
-

TuneD now moves unnecessary IRQs to housekeeping CPUs

-

- Network device drivers like i40e, iavf, mlx5, evaluate the online CPUs to - determine the number of queues and hence the MSIX vectors to be - created. -

-
-

- In low-latency environments with a large number of isolated and very few housekeeping CPUs, when - TuneD tries to move these device IRQs to the housekeeping CPUs it fails due to the per CPU vector - limit. -

-

- With this enhancement, TuneD explicitly adjusts the numbers of network device channels (and hence - MSIX vectors) as per the housekeeping CPUs. Therefore, all the device IRQs can now be moved on the - housekeeping CPUs to achieve low latency. -

-

- (BZ#1951992) -

-
-
-
-
-
-

4.6. Security

-
-
-
-
-

libreswan rebased to 4.4

-

- The libreswan packages have been upgraded to upstream version 4.4, - which introduces many enhancements and bug fixes. Most notably: -

-
-
-
    -
  • -

    - The IKEv2 protocol: -

    -
    -
      -
    • - Introduced fixes for TCP encapsulation in Transport Mode and host-to-host connections. -
    • -
    • - Added the --globalstatus option to the ipsec whack command for displaying redirect - statistics. -
    • -
    • - The vhost and vnet - values in the ipsec.conf configuration file are no - longer allowed for IKEv2 connections. -
    • -
    -
    -
  • -
  • -

    - The pluto IKE daemon: -

    -
    -
      -
    • - Introduced fixes for host-to-host connections that use non-standard IKE ports. -
    • -
    • - Added peer ID (IKEv2 IDr or IKEv1 Aggr) to select the best initial connection. -
    • -
    • - Disabled the interface-ip= option because Libreswan - does not provide the corresponding functionality yet. -
    • -
    • - Fixed the PLUTO_PEER_CLIENT variable in the ipsec__updown script for NAT in Transport Mode. -
    • -
    • - Set the PLUTO_CONNECTION_TYPE variable to transport or tunnel. -
    • -
    • - Non-templated wildcard ID connections can now match. -
    • -
    -
    -
  • -
-
-

- (BZ#1958968) -

-
-

GnuTLS rebased to 3.6.16

-

- The gnutls packages have been updated to version 3.6.16. Notable - bug fixes and enhancements include: -

-
-
-
    -
  • - The gnutls_x509_crt_export2() function now returns 0 instead of - the size of the internal base64 blob in case of success. This aligns with the documentation - in the gnutls_x509_crt_export2(3) man page. -
  • -
  • - Certificate verification failures due to the Online Certificate Status Protocol (OCSP) - must-stapling not being followed are now correctly marked with the GNUTLS_CERT_INVALID flag. -
  • -
  • - Previously, even when TLS 1.2 was explicitly disabled through the -VERS-TLS1.2 option, the server still offered TLS 1.2 if TLS 1.3 - was enabled. The version negotiation has been fixed, and TLS 1.2 can now be correctly - disabled. -
  • -
-
-

- (BZ#1956783) -

-
-

socat rebased to 1.7.4

-

- The socat packages have been upgraded from version 1.7.3 to 1.7.4, - which provides many bug fixes and improvements. Most notably: -

-
-
-
    -
  • - GOPEN and UNIX-CLIENT addresses - now support SEQPACKET sockets. -
  • -
  • - The generic setsockopt-int and related options are, in the case - of listening or accepting addresses, applied to the connected sockets. To enable setting - options on a listening socket, the setsockopt-listen option is - now available. -
  • -
  • - Added the -r and -R options for a - raw dump of transferred data to a file. -
  • -
  • - Added the ip-transparent option and the IP_TRANSPARENT socket option. -
  • -
  • - OPENSSL-CONNECT now automatically uses the SNI feature and the - openssl-no-sni option turns SNI off. The openssl-snihost option overrides the value of the openssl-commonname option or the server name. -
  • -
  • - Added the accept-timeout and listen-timeout options. -
  • -
  • - Added the ip-add-source-membership option. -
  • -
  • - UDP-DATAGRAM address now does not check peer port of replies as - it did in 1.7.3. Use the sourceport optioon if your scenario - requires the previous behavior. -
  • -
  • - New proxy-authorization-file option reads PROXY-CONNECT credentials from a file and enables to hide this - data from the process table. -
  • -
  • - Added AF_VSOCK support for VSOCK-CONNECT and VSOCK-LISTEN - addresses. -
  • -
-
-

- (BZ#1947338) -

-
-

crypto-policies rebased to 20210617 -

-

- The crypto-policies packages have been upgraded to upstream version - 20210617, which provides a number of enhancements and bug fixes over the previous version, most - notably: -

-
-
-
    -
  • -

    - You can now use scoped policies to enable different sets of algorithms for different - back ends. Each configuration directive can now be limited to specific protocols, - libraries, or services. For a complete list of available scopes and details on the new - syntax, see the crypto-policies(7) man page. For example, - the following directive allows using AES-256-CBC cipher with the SSH protocol, impacting - both the libssh library and the OpenSSH suite: -

    -
    cipher@SSH = AES-256-CBC+
    -
  • -
  • -

    - Directives can now use asterisks for specifying multiple values using wildcards. For - example, the following directive disables all CBC mode ciphers for applications using - libssh: -

    -
    cipher@libssh = -*-CBC
    -

    - Note that future updates can introduce new algorithms matched by the current wildcards. -

    -
  • -
-
-

- (BZ#1960266) -

-
-

crypto-policies now support AES-192 ciphers in - custom policies

-

- The system-wide cryptographic policies now support the following values for the cipher option in custom policies and subpolicies: AES-192-GCM, AES-192-CCM, AES-192-CTR, and AES-192-CBC. As a - result, you can enable the AES-192-GCM and AES-192-CBC ciphers for the Libreswan application and the AES-192-CTR and AES-192-CBC ciphers for - the libssh library and the OpenSSH suite through crypto-policies. -

-
-

- (BZ#1876846) -

-
-

CBC ciphers disabled in the FUTURE - cryptographic policy

-

- This update of the crypto-policies packages disables ciphers that - use cipher block chaining (CBC) mode in the FUTURE policy. The - settings in FUTURE should withstand near-term future attacks, and - this change reflects the current progress. As a result, system components respecting crypto-policies cannot use CBC mode when the FUTURE policy is active. -

-
-

- (BZ#1933016) -

-
-

Adding new kernel AVC tracepoint

-

- With this enhancement, a new avc:selinux_audited kernel tracepoint - is added that triggers when an SELinux denial is to be audited. This feature allows for more - convenient low-level debugging of SELinux denials. The new tracepoint is available for tools - such as perf. -

-
-

- (BZ#1954024) -

-
-

New ACSC ISM profile in the SCAP Security Guide

-

- The scap-security-guide packages now provide the Australian Cyber - Security Centre (ACSC) Information Security Manual (ISM) compliance profile and a corresponding - Kickstart file. With this enhancement, you can install a system that conforms with this security - baseline and use the OpenSCAP suite for checking security compliance and remediation using the - risk-based approach for security controls defined by ACSC. -

-
-

- (BZ#1955373) -

-
-

SCAP Security Guide rebased to 0.1.57

-

- The scap-security-guide packages have been rebased to upstream - version 0.1.57, which provides several bug fixes and improvements. Most notably: -

-
-
-
    -
  • - The Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) profile has been introduced. The - profile extends the Essential Eight profile and adds more security controls defined in the - ISM. -
  • -
  • - The Center for Internet Security (CIS) - profile has been restructured into four different profiles respecting levels of hardening - and system type (server and workstation) as defined in the official CIS benchmarks. -
  • -
  • - The Security Technical Implementation Guide (STIG) security profile has been updated, - and implements rules from the recently-released version V1R3. -
  • -
  • - The Security Technical Implementation Guide with GUI (STIG with GUI) security profile has been - introduced. The profile derives from the STIG profile and is compatible with RHEL - installations that select the Server with GUI package - selection. -
  • -
  • - The ANSSI High level profile, which is - based on the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), - has been introduced. This contains a profile implementing rules of High hardening levels. -
  • -
-
-

- (BZ#1966577) -

-
-

OpenSCAP rebased to 1.3.5

-

- The OpenSCAP packages have been rebased to upstream version 1.3.5. Notable fixes and - enhancements include: -

-
-
-
    -
  • - Enabled Schematron-based validation by default for the validate - command of oval and xccdf modules. -
  • -
  • - Added SCAP 1.3 source data stream Schematron. -
  • -
  • - Added XML signature validation. -
  • -
  • - Allowed clamping mtime to SOURCE_DATE_EPOCH. -
  • -
  • - Added severity and role - attributes. -
  • -
  • - Support for requires and conflicts - elements of the Rule and Group (XCCDF). -
  • -
  • - Kubernetes remediation in the HTML report. -
  • -
  • - Handling gpfs, proc and sysfs file systems as non-local. -
  • -
  • - Fixed handling of common options styled as --arg=val. -
  • -
  • - Fixed behavior of the StateType operator. -
  • -
  • - Namespace ignored in XPath expressions (xmlfilecontent) to - allow for incomplete XPath queries. -
  • -
  • - Fixed a problem that led to a warning about the presence of obtrusive data. -
  • -
  • - Fixed multiple segfaults and a broken test in the --stig-viewer - feature. -
  • -
  • - Fixed the TestResult/benchmark/@href attribute. -
  • -
  • - Fixed many memory management issues. -
  • -
  • - Fixed many memory leaks. -
  • -
-
-

- (BZ#1953092) -

-
-

Validation of digitally signed SCAP source data streams

-

- To conform with the Security Content Automation Protocol (SCAP) 1.3 specifications, OpenSCAP now - validates digital signatures of digitally signed SCAP source data streams. As a result, OpenSCAP - validates the digital signature when evaluating a digitally signed SCAP source data stream. The - signature validation is performed automatically while loading the file. Data streams with - invalid signatures are rejected, and OpenSCAP does not evaluate their content. OpenSCAP uses the - XML Security Library with the OpenSSL - cryptography library to validate the digital signature. -

-
-

- You can skip the signature validation by adding the --skip-signature-validation option to the oscap xccdf eval command. -

-
-
Important
-
-

- OpenSCAP does not address the trustworthiness of certificates or public keys that are part - of the KeyInfo signature element and that are used to verify - the signature. You should verify such keys by yourselves to prevent evaluation of data - streams that have been modified and signed by bad actors. -

-
-
-

- (BZ#1966612) -

-
-

New DISA STIG profile compatible with Server with GUI - installations

-

- A new profile, DISA STIG with GUI, has been added to the SCAP Security Guide. This profile is derived - from the DISA STIG profile and is compatible with RHEL - installations that selected the Server with GUI package group. The - previously existing stig profile was not compatible with Server with GUI because DISA STIG demands uninstalling any Graphical - User Interface. However, this can be overridden if properly documented by a Security Officer - during evaluation. As a result, the new profile helps when installing a RHEL system as a Server with GUI aligned with the DISA STIG profile. -

-
-

- (BZ#1970137) -

-
-

STIG security profile updated to version V1R3

-

- The DISA STIG for Red Hat Enterprise Linux 8 profile in the SCAP - Security Guide has been updated to align with the latest version V1R3. The profile is now also more stable and better aligns with the - RHEL 8 STIG (Security Technical Implementation Guide) manual benchmark provided by the Defense - Information Systems Agency (DISA). -

-
-

- This second iteration brings approximately 90% of coverage with regards to the STIG. You should use - only the current version of this profile because older versions are no longer valid. -

-
-
Warning
-
-

- Automatic remediation might render the system non-functional. Run the remediation in a test - environment first. -

-
-
-

- (BZ#1993056) -

-
-

Three new CIS profiles in SCAP Security Guide

-

- Three new compliance profiles aligned with the Center for Internet Security (CIS) Red Hat - Enterprise Linux 8 Benchmark have been introduced to the SCAP Security Guide. The CIS RHEL 8 - Benchmark provides different configuration recommendations for "Server" and "Workstation" - deployments, and defines two levels of configuration, "level 1" and "level 2" for each - deployment. The CIS profile previously shipped in RHEL8 represented only the "Server Level 2". - The three new profiles complete the scope of the CIS RHEL8 Benchmark profiles, and you can now - more easily evaluate your system against CIS recommendations. -

-
-

- All currently available CIS RHEL 8 profiles are: -

-
- - - - - - - - - - - - - - - - - - - - - - - -
-

- Workstation Level 1 -

-
-

- xccdf_org.ssgproject.content_profile_cis_workstation_l1 -

-
-

- Workstation Level 2 -

-
-

- xccdf_org.ssgproject.content_profile_cis_workstation_l2 -

-
-

- Server Level 1 -

-
-

- xccdf_org.ssgproject.content_profile_cis_server_l1 -

-
-

- Server Level 2 -

-
-

- xccdf_org.ssgproject.content_profile_cis -

-
-
-

- (BZ#1993197) -

-
-

Performance of remediations for Audit improved by grouping similar system - calls

-

- Previously, Audit remediations generated an individual rule for each system call audited by the - profile. This led to large numbers of audit rules, which degraded performance. With this - enhancement, remediations for Audit can group rules for similar system calls with identical - fields together into a single rule, which improves performance. -

-
-

- Examples of system calls grouped together: -

-
-a always, exit -F arch=b32 -S chown, fchown, fchownat, lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-
-a always, exit -F arch=b32 -S unlink, unlinkat, rename, renameat, rmdir -F auid>=1000 -F auid!=unset -F key=delete
-
-a always, exit -F arch=b32 -S chown, fchown, fchownat, lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-
-a always, exit -F arch=b32 -S unlink, unlinkat, rename, renameat -F auid>=1000 -F auid!=unset -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-

- (BZ#1876483) -

-
-

Added profile for ANSSI-BP-028 High level

-

- The ANSSI High level profile, based on the ANSSI BP-028 recommendations from the French National - Security Agency (ANSSI), has been introduced. This completes the availability of profiles for - all ANSSI-BP-028 v1.2 hardening levels in the SCAP Security - Guide. With the new profile, you can harden the system to the - recommendations from ANSSI for GNU/Linux Systems at the High hardening level. As a result, you - can configure and automate compliance of your RHEL 8 systems to the strictest hardening level by - using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles. -

-
-

- (BZ#1955183) -

-
-

OpenSSL added for encrypting Rsyslog TCP and RELP traffic

-

- The OpenSSL network stream driver has been added to Rsyslog. This driver implements - TLS-protected transport using the OpenSSL library. This provides additional functionality - compared to the stream driver using the GnuTLS library. As a result, you can now use either - OpenSSL or GnuTLS as an Rsyslog network stream driver. -

-
-

- (BZ#1891458) -

-
-

Rsyslog rebased to 8.2102.0-5

-

- The rsyslog packages have been rebased to upstream version - 8.2102.0-5, which provides the following notable changes over the previous version: -

-
-
-
    -
  • - Added the exists() script function to check whether a variable - exists or not, for example $!path!var. -
  • -
  • - Added support for setting OpenSSL configuration commands with a new configuration parameter - tls.tlscfgcmd for the omrelp and - imrelp modules. -
  • -
  • -

    - Added new rate-limit options to the omfwd module for - rate-limiting syslog messages sent to the remote server: -

    -
    -
      -
    • - ratelimit.interval specifies the rate-limiting - interval in seconds. -
    • -
    • - ratelimit.burst specifies the rate-limiting burst - in the number of messages. -
    • -
    -
    -
  • -
  • - Rewritten the immark module with various improvements. -
  • -
  • - Added the max sessions config parameter to the imptcp module. The maximum is measured per instance, not globally - across all instances. -
  • -
  • - Added the rsyslog-openssl subpackage; this network stream - driver implements TLS-protected transport using the OpenSSL library. -
  • -
  • - Added per-minute rate limiting to the imfile module with the - MaxBytesPerMinute and MaxLinesPerMinute options. These options accept integer values - and limit the number of bytes or lines that may be sent in a minute. -
  • -
  • - Added support to the imtcp and omfwd module to configure a maximum depth for the certificate - chain verification with the streamdriver.TlsVerifyDepth option. -
  • -
-
-

- (BZ#1932795) -

-
-
-
-
-
-

4.7. Networking

-
-
-
-
-

Support for pause parameter of ethtool in - NetworkManager

-

- Non auto-pause parameters need to be set explicitly on a specific network interface in certain - cases. Previously, NetworkManager could not pause the control flow parameters of ethtool in nmstate. To disable the auto - negotiation of the pause parameter and enable RX/TX pause support explicitly, use the following - command: -

-
-
# nmcli connection modify enp1s0 ethtool.pause-autoneg no ethtool.pause-rx true ethtool.pause-tx true
-

- (BZ#1899372) -

-
-

New property in NetworkManager for setting physical and virtual interfaces - in promiscuous mode

-

- With this update the 802-3-ethernet.accept-all-mac-addresses - property has been added to NetworkManager for setting physical and virtual interfaces in the - accept all MAC addresses mode. With this update, the kernel can - accept network packages targeting current interfaces’ MAC address in the accept all MAC addresses mode. To enable accept all MAC addresses mode on eth1, - use the following command: -

-
-
$ sudo nmcli c add type ethernet  ifname eth1 connection.id eth1  802-3-ethernet.accept-all-mac-addresses true
-

- (BZ#1942331) -

-
-

NetworkManager rebased to version 1.32.10

-

- The NetworkManager packages have been upgraded to upstream version - 1.32.10, which provides a number of enhancements and bug fixes over the previous version. -

-
-

- For further information about notable changes, read the upstream - release notes for this version. -

-

- (BZ#1934465) -

-
-

NetworkManager now supports nftables as - firewall back end

-

- This enhancement adds support for the nftables firewall framework - to NetworkManager. To switch the default back end from iptables to - nftables: -

-
-
-
    -
  1. -

    - Create the /etc/NetworkManager/conf.d/99-firewall-backend.conf file with - the following content: -

    -
    [main]
    -firewall-backend=nftables
    -
  2. -
  3. -

    - Reload the NetworkManager service. -

    -
    # systemctl reload NetworkManager
    -
  4. -
-
-

- (BZ#1548825) -

-
-

firewalld rebased to version 0.9.3

-

- The firewalld packages have been upgraded to upstream version - 0.9.3, which provides a number of enhancements and bug fixes over the previous version. -

-
-

- For further details, see the upstream release notes: -

- -

- (BZ#1872702) -

-
-

The firewalld policy objects feature is now - available

-

- Previously, you could not use firewalld to filter traffic flowing - between virtual machines, containers, and zones. With this update, the firewalld policy objects feature has been introduced, which provides - forward and output filtering in firewalld. -

-
-

- (BZ#1492722) -

-
-

Multipath TCP is now fully supported

-

- Starting with RHEL 8.5, Multipath TCP (MPTCP) is fully supported. MPTCP improves resource usage - within the network and resilience to network failure. For example, with Multipath TCP on the - RHEL server, smartphones with MPTCP v1 enabled can connect to an application running on the - server and switch between Wi-Fi and cellular networks without interrupting the connection to the - server. -

-
-

- RHEL 8.5 introduced additional features, such as: -

-
-
    -
  • - Multiple concurrent active substreams -
  • -
  • - Active-backup support -
  • -
  • - Improved stream performances -
  • -
  • - Better memory usage, with receive and send buffer auto-tuning -
  • -
  • - SYN cookie support -
  • -
-
-

- Note that either the applications running on the server must natively support MPTCP or - administrators must load an eBPF program into the kernel to dynamically - change IPPROTO_TCP to IPPROTO_MPTCP. -

-

- For further details see, Getting - started with Multipath TCP. -

-

- (JIRA:RHELPLAN-57712) -

-
-

Alternative network interface naming is now available in RHEL

-

- Alternative interface naming is the RHEL kernel configuration, which provides the following - networking benefits: -

-
-
-
    -
  • - Network interface card (NIC) names can have arbitrary length. -
  • -
  • - One NIC can have multiple names at the same time. -
  • -
  • - Usage of alternative names as handles for commands. -
  • -
-
-

- (BZ#2164986) -

-
-
-
-
-
-

4.8. Kernel

-
-
-
-
-

Kernel version in RHEL 8.5

-

- Red Hat Enterprise Linux 8.5 is distributed with the kernel version 4.18.0-348. -

-
-

- (BZ#1839151) -

-
-

EDAC for Intel Sapphire Rapids processors is now supported

-

- This enhancement provides Error Detection And Correction (EDAC) device support for Intel - Sapphire Rapids processors. EDAC mainly handles Error Code Correction (ECC) memory and detects - and reports PCI bus parity errors. -

-
-

- (BZ#1837389) -

-
-

The bpftrace package rebased to version - 0.12.1

-

- The bpftrace package has been upgraded to version 0.12.1, which - provides multiple bug fixes and enhancements. Notable changes over previous versions include: -

-
-
-
    -
  • - Added the new builtin path, which is a new reliable method to - display the full path from a path structure. -
  • -
  • - Added wildcard support for kfunc probes and tracepoint categories. -
  • -
-
-

- (BZ#1944716) -

-
-

vmcore capture works as expected after CPU hot-add or hot-removal - operations

-

- Previously, on IBM POWER systems, after every CPU or memory hot-plug or removal operation, the - CPU data on the device tree became stale unless the kdump.service - is reloaded. To reload the latest CPU information, the kdump.service parses through the device nodes to fetch the CPU - information. However, some of the CPU nodes are already lost during its hot-removal. - Consequently, a race condition between the kdump.service reload and - a CPU hot-removal happens at the same time and this may cause the - dump to fail. A subsequent crash might then not capture the vmcore - file. -

-
-

- This update eliminates the need to reload the kdump.service after a CPU - hot-plug and the vmcore capture works as expected in the described - scenario. -

-

- Note: This enhancement works as expected for firmware-assisted dumps (fadump). In the case of standard kdump, the - kdump.service reload takes place during the hot-plug operation. -

-

- (BZ#1922951) -

-
-

The kdumpctl command now supports the new kdumpctl estimate utility

-

- The kdumpctl command now supports the kdumpctl estimate utility. Based on the existing kdump configuration, kdumpctl estimate - prints a suitable estimated value for kdump memory allocation. -

-
-

- The minimum size of the crash kernel may vary depending on the hardware and machine specifications. - Hence, previously, it was difficult to estimate an accurate crashkernel= value. -

-

- With this update, the kdumpctl estimate utility provides an estimated - value. This value is a best effort recommended estimate and can serve as a good reference to - configure a feasible crashkernel= value. -

-

- (BZ#1879558) -

-
-

IBM TSS 2.0 package rebased to 1.6.0

-

- The IBM’s Trusted Computing Group (TCG) Software Stack (TSS) 2.0 binary package has been - upgraded to 1.6.0. This update adds the IBM TSS 2.0 support on AMD64 and Intel 64 architecture. -

-
-

- It is a user space TSS for Trusted Platform Modules (TPM) 2.0 and implements the functionality - equivalent to (but not API compatible with) the TCG TSS working group’s Enhanced System Application - Interface (ESAPI), System Application Interface (SAPI), and TPM Command Transmission Interface - (TCTI) API with a simpler interface. -

-

- It is a security middleware that allows applications and platforms to share and integrate the TPM - into secure applications. -

-

- This rebase provides many bug fixes and enhancements over the previous version. The most notable - changes include the following new attributes: -

-
-
    -
  • - tsscertifyx509: validates the x509 - certificate -
  • -
  • - tssgetcryptolibrary: displays the current cryptographic library -
  • -
  • - tssprintattr: prints the TPM attributes as text -
  • -
  • - tsspublicname: calculates the public name of an entity -
  • -
  • - tsssetcommandcodeauditstatus: clears or sets code via TPM2_SetCommandCodeAuditStatus -
  • -
  • - tsstpmcmd: sends an in-band TPM simulator signal -
  • -
-
-

- (BZ#1822073) -

-
-

The schedutil CPU frequency governor is now - available on RHEL 8

-

- The schedutil CPU governor uses CPU utilization data available on - the CPU scheduler. schedutil is a part of the CPU scheduler and it - can access the scheduler’s internal data structures directly. schedutil controls how the CPU would raise and lower its frequency in - response to system load. You must manually select the schedutil - frequency governor as it is not enabled as default. -

-
-

- There is one policyX directory per CPU. schedutil is available in the policyX/scaling_governors list of the existing CPUFreq governors in the kernel and is attached to /sys/devices/system/cpu/cpufreq/policyx policy. The policy file can be - overwritten to change it. -

-

- Note that when using intel_pstate scaling drivers, it might be - necessary to configure the intel_pstate=passive command line argument - for intel_pstate to become available and be listed by the governor. - intel_pstate is the default on Intel hardware with any modern CPU. -

-

- (BZ#1938339) -

-
-

The rt-tests suite rebased to rt-tests-2.1 upstream version

-

- The rt-tests suite has been rebased to rt-tests-2.1 version, which provides multiple bug fixes and - enhancements. The notable changes over the previous version include: -

-
-
-
    -
  • - Fixes to various programs in the rt-tests suite. -
  • -
  • - Fixes to make programs more uniform with the common set of options, for example, the oslat program’s option -t --runtime - option is renamed to -D to specify the run duration to match - the rest of the suite. -
  • -
  • - Implements a new feature to output data in json format. -
  • -
-
-

- (BZ#1954387) -

-
-

Intel® QuickAssist Technology Library (QATlib) was rebased to version - 21.05

-

- The qatlib package has been rebased to version 21.05, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • -

    - Adding support for several encryption algorithms: -

    -
    -
      -
    • - AES-CCM 192/256 -
    • -
    • - ChaCha20-Poly1305 -
    • -
    • - PKE 8K (RSA, DH, ModExp, ModInv) -
    • -
    -
    -
  • -
  • - Fixing device enumeration on different nodes -
  • -
  • - Fixing pci_vfio_set_command for 32-bit builds -
  • -
-
-

- For more information about QATlib installation, check Ensuring that Intel® QuickAssist Technology - stack is working correctly on RHEL 8. -

-

- (BZ#1920237) -

-
-
-
-
-
-

4.9. File systems and storage

-
-
-
-
-

xfs_quota state command now outputs all grace - times when multiple quota types are specified

-

- The xfs_quota state command now outputs grace times for multiple - quota types specified on the command line. Previously, only one was shown even if more than one - of -g, -p, or -u was specified. -

-
-

- (BZ#1949743) -

-
-

-H option added to the rpc.gssd daemon and the set-home - option added to the /etc/nfs.conf file

-

- This patch adds the -H option to rpc.gssd and the set-home option into - /etc/nfs.conf, but does not change the default behavior. -

-
-

- By default, rpc.gssd sets $HOME to / to avoid possible deadlock that may happen when users' home directories - are on an NFS share with Kerberos security. If either the -H option is - added to rpc.gssd, or set-home=0 is added - to /etc/nfs.conf, rpc.gssd does not set - $HOME to /. -

-

- These options allow you to use Kerberos k5identity files in $HOME/.k5identity and assumes NFS home directory is not on an NFS share - with Kerberos security. These options are provided for use in only specific environments, such as - the need for k5identity files. For more information see the k5identity - man page. -

-

- (BZ#1868087) -

-
-

The storage RHEL system role now supports LVM - VDO volumes

-

- Virtual Data Optimizer (VDO) helps to optimize usage of the storage volumes. With this - enhancement, administrators can use the storage system role to - manage compression and deduplication - on Logical Manager Volumes (LVM) VDO volumes. -

-
-

- (BZ#1882475) -

-
-
-
-
-
-

4.10. High availability and clusters

-
-
-
-
-

Local mode version of pcs cluster setup - command is now fully supported

-

- By default, the pcs cluster setup command automatically - synchronizes all configuration files to the cluster nodes. Since RHEL 8.3, the pcs cluster setup command has provided the --corosync-conf option as a Technology Preview. This feature is now - fully supported in RHEL 8.5. Specifying this option switches the command to local mode. In this mode, the pcs - command-line interface creates a corosync.conf file and saves it to - a specified file on the local node only, without communicating with any other node. This allows - you to create a corosync.conf file in a script and handle that file - by means of the script. -

-
-

- (BZ#1839637) -

-
-

Ability to configure watchdog-only SBD for fencing on subset of cluster - nodes

-

- Previously, to use a watchdog-only SBD configuration, all nodes in the cluster had to use SBD. - That prevented using SBD in a cluster where some nodes support it but other nodes (often remote - nodes) required some other form of fencing. Users can now configure a watchdog-only SBD setup - using the new fence_watchdog agent, which allows cluster - configurations where only some nodes use watchdog-only SBD for fencing and other nodes use other - fencing types. A cluster may only have a single such device, and it must be named watchdog. -

-
-

- (BZ#1443666) -

-
-

New pcs command to update SCSI fencing device - without causing restart of all other resources

-

- Updating a SCSI fencing device with the pcs stonith update command - causes a restart of all resources running on the same node where the stonith resource was - running. The new pcs stonith update-scsi-devices command allows you - to update SCSI devices without causing a restart of other cluster resources. -

-
-

- (BZ#1872378) -

-
-

New reduced output display option for pcs resource safe-disable command

-

- The pcs resource safe-disable and pcs resource disable --safe commands print a lengthy simulation - result after an error report. You can now specify the --brief - option for those commands to print errors only. The error report now always contains resource - IDs of affected resources. -

-
-

- (BZ#1909901) -

-
-

pcs now accepts Promoted and Unpromoted as role - names

-

- The pcs command-line interface now accepts Promoted and Unpromoted anywhere roles - are specified in Pacemaker configuration. These role names are the functional equivalent of the - Master and Slave Pacemaker roles. - Master and Slave remain the names for - these roles in configuration displays and help text. -

-
-

- (BZ#1885293) -

-
-

New pcs resource status display commands

-

- The pcs resource status and the pcs stonith status commands now support the following options: -

-
-
-
    -
  • - You can display the status of resources configured on a specific node with the pcs resource status node=node_id - command and the pcs stonith status node=node_id - command. You can use these commands to display the status of resources on both cluster and - remote nodes. -
  • -
  • - You can display the status of a single resource with the pcs resource status resource_id - and the pcs stonith status resource_id - commands. -
  • -
  • - You can display the status of all resources with a specified tag with the pcs resource status tag_id - and the pcs stonith status tag_id - commands. -
  • -
-
-

- (BZ#1290830, - BZ#1285269) -

-
-

New LVM volume group flag to control autoactivation

-

- LVM volume groups now support a setautoactivation flag which - controls whether logical volumes that you create from a volume group will be automatically - activated on startup. When creating a volume group that will be managed by Pacemaker in a - cluster, set this flag to n with the vgcreate --setautoactivation n command for the volume group to - prevent possible data corruption. If you have an existing volume group used in a Pacemaker - cluster, set the flag with vgchange --setautoactivation n. -

-
-

- (BZ#1899214) -

-
-
-
-
-
-

4.11. Dynamic programming languages, web and database servers

-
-
-
-
-

The nodejs:16 module stream is now fully - supported

-

- The nodejs:16 module stream, previously available as a Technology - preview, is fully supported with the release of the RHSA-2021:5171 advisory. The - nodejs:16 module stream now provides Node.js 16.13.1, which is a Long Term Support (LTS) version. -

-
-

- Node.js 16 included in RHEL 8.5 provides numerous new features and bug - and security fixes over Node.js 14 available since RHEL 8.3. -

-

- Notable changes include: -

-
-
    -
  • - The V8 engine has been upgraded to version 9.4. -
  • -
  • - The npm package manager has been upgraded to version 8.1.2. -
  • -
  • - A new Timers Promises API provides an alternative set of timer - functions that return Promise objects. -
  • -
  • - Node.js now provides a new experimental Web Streams API. -
  • -
  • - Node.js now includes Corepack, an - experimental tool that enables you to use package managers configured in the given project - without the need to manually install them. -
  • -
  • - Node.js now provides an experimental ECMAScript modules (ESM) - loader hooks API, which consolidates ESM loader hooks. -
  • -
-
-

- To install the nodejs:16 module stream, use: -

-
# yum module install nodejs:16
-

- If you want to upgrade from the nodejs:14 stream, see Switching - to a later stream. -

-

- (BZ#1953991, BZ#2027610) -

-
-

A new module stream: ruby:3.0

-

- RHEL 8.5 introduces Ruby 3.0.2 in a new ruby:3.0 module stream. This version provides a number of performance - improvements, bug and security fixes, and new features over Ruby 2.7 distributed with RHEL 8.3. -

-
-

- Notable enhancements include: -

-
-
    -
  • -

    - Concurrency and parallelism features: -

    -
    -
      -
    • - Ractor, an Actor-model abstraction that provides - thread-safe parallel execution, is provided as an experimental feature. -
    • -
    • - Fiber Scheduler has been introduced as an - experimental feature. Fiber Scheduler intercepts - blocking operations, which enables light-weight concurrency without changing - existing code. -
    • -
    -
    -
  • -
  • -

    - Static analysis features: -

    -
    -
      -
    • - The RBS language has been introduced, which - describes the structure of Ruby programs. The rbs gem has been added to parse type definitions - written in RBS. -
    • -
    • - The TypeProf utility has been introduced, which is - a type analysis tool for Ruby code. -
    • -
    -
    -
  • -
  • - Pattern matching with the case/in expression is no longer - experimental. -
  • -
  • - One-line pattern matching, which is an experimental feature, has been redesigned. -
  • -
  • - Find pattern has been added as an experimental feature. -
  • -
-
-

- The following performance improvements have been implemented: -

-
-
    -
  • - Pasting long code to the Interactive Ruby Shell (IRB) is now - significantly faster. -
  • -
  • - The measure command has been added to IRB for time measurement. -
  • -
-
-

- Other notable changes include: -

-
-
    -
  • - Keyword arguments have been separated from other arguments. -
  • -
  • - The default directory for user-installed gems is now $HOME/.local/share/gem/ unless the $HOME/.gem/ directory is already present. -
  • -
-
-

- To install the ruby:3.0 module stream, use: -

-
# yum module install ruby:3.0
-

- If you want to upgrade from an earlier ruby module stream, see Switching - to a later stream. -

-

- (BZ#1938942) -

-
-

Changes in the default separator for the Python urllib parsing functions

-

- To mitigate the Web - Cache Poisoning CVE-2021-23336 in the Python urllib - library, the default separator for the urllib.parse.parse_qsl and - urllib.parse.parse_qs functions is being changed from both - ampersand (&) and semicolon (;) to - only an ampersand. -

-
-

- This change was implemented in Python 3.6 with the release of RHEL 8.4, and now is being backported - to Python 3.8 and Python 2.7. -

-

- The change of the default separator is potentially backwards incompatible, therefore Red Hat - provides a way to configure the behavior in Python packages where the default separator has been - changed. In addition, the affected urllib parsing functions issue a - warning if they detect that a customer’s application has been affected by the change. -

-

- For more information, see the Mitigation of Web Cache Poisoning in the - Python urllib library (CVE-2021-23336) Knowledgebase article. -

-

- Python 3.9 is unaffected and already includes the new default separator (&), which can be changed only by passing the separator parameter when - calling the urllib.parse.parse_qsl and urllib.parse.parse_qs functions in Python code. -

-

- (BZ#1935686, BZ#1931555, BZ#1969517) -

-
-

The Python ipaddress module no longer allows - zeros in IPv4 addresses

-

- To mitigate CVE-2021-29921, the Python - ipaddress module now rejects IPv4 addresses with leading zeros with - an AddressValueError: Leading zeros are not permitted error. -

-
-

- This change has been introduced in the python38 and python39 modules. Earlier Python versions distributed in RHEL are not - affected by CVE-2021-29921. -

-

- Customers who rely on the previous behavior can pre-process their IPv4 address inputs to strip the - leading zeros off. For example: -

-
>>> def reformat_ip(address): return '.'.join(part.lstrip('0') if part != '0' else part for part in address.split('.'))
->>> reformat_ip('0127.0.0.1')
-'127.0.0.1'
-

- To strip the leading zeros off with an explicit loop for readability, use: -

-
def reformat_ip(address):
-    parts = []
-    for part in address.split('.'):
-        if part != "0":
-            part = part.lstrip('0')
-        parts.append(part)
-    return '.'.join(parts)
-

- (BZ#1986007, BZ#1970504, BZ#1970505) -

-
-

The php:7.4 module stream rebased to version - 7.4.19

-

- The PHP scripting language, provided by the php:7.4 module stream, - has been upgraded from version 7.4.6 to version 7.4.19. This update provides multiple security - and bug fixes. -

-
-

- (BZ#1944110) -

-
-

A new package: pg_repack

-

- A new pg_repack package has been added to the postgresql:12 and postgresql:13 module - streams. The pg_repack package provides a PostgreSQL extension that lets you remove bloat from tables and - indexes, and optionally restore physical order of clustered indexes. -

-
-

- (BZ#1967193, BZ#1935889) -

-
-

A new module stream: nginx:1.20

-

- The nginx 1.20 web and proxy server is now available as the nginx:1.20 module stream. This update provides a number of bug fixes, - security fixes, new features, and enhancements over the previously released version 1.18. -

-
-

- New features: -

-
-
    -
  • - nginx now supports client SSL certificate validation with - Online Certificate Status Protocol (OCSP). -
  • -
  • - nginx now supports cache clearing based on the minimum amount - of free space. This support is implemented as the min_free - parameter of the proxy_cache_path directive. -
  • -
  • - A new ngx_stream_set_module module has been added, which - enables you to set a value for a variable. -
  • -
-
-

- Enhanced directives: -

-
-
    -
  • - Multiple new directives are now available, such as ssl_conf_command and ssl_reject_handshake. -
  • -
  • - The proxy_cookie_flags directive now supports variables. -
  • -
-
-

- Improved support for HTTP/2: -

-
-
    -
  • - The ngx_http_v2 module now includes the lingering_close, lingering_time, - lingering_timeout directives. -
  • -
  • - Handling connections in HTTP/2 has been aligned with HTTP/1.x. From nginx 1.20, use the keepalive_timeout and keepalive_requests directives instead of the removed http2_recv_timeout, http2_idle_timeout, and http2_max_requests directives. -
  • -
-
-

- To install the nginx:1.20 stream, use: -

-
# yum module install nginx:1.20
-

- If you want to upgrade from the nginx:1.20 stream, see Switching - to a later stream. -

-

- (BZ#1945671) -

-
-

The squid:4 module stream rebased to version - 4.15

-

- The Squid proxy server, available in the squid:4 module stream, has been upgraded from version 4.11 to version - 4.15. This update provides various bug and security fixes. -

-
-

- (BZ#1964384) -

-
-

LVM system.devices file feature now available - in RHEL 8

-

- RHEL 8.5 introduces the LVM system.devices file feature. By - creating a list of devices in the /etc/lvm/devices/system.devices - file, you can select specific devices for LVM to recognize and use, and prevent LVM from using - unwanted devices. -

-
-

- To enable the system.devices file feature, set use_devicesfile=1 in the lvm.conf - configuration file and add devices to the system.devices file. LVM - ignores any devices filter settings while the system.devices file - feature is enabled. To prevent warning messages, remove your filter settings from the lvm.conf file. -

-

- For more information, see the lvmdevices(8) man page. -

-

- (BZ#1922312) -

-
-

quota now supports HPE XFS

-

- The quota utilities now provide support for the HPE XFS file - system. As a result, users of HPE XFS can monitor and and manage user and group disk usage - through quota utilities. -

-
-

- (BZ#1945408) -

-
-

mutt rebased to version 2.0.7

-

- The Mutt email client has been updated to version 2.0.7, which - provides a number of enhancements and bug fixes. -

-
-

- Notable changes include: -

-
-
    -
  • - Mutt now provides support for the OAuth 2.0 authorization protocol using the XOAUTH2 mechanism. Mutt now also supports the OAUTHBEARER authentication mechanism for the IMAP, POP, and SMTP - protocols. The OAuth-based functionality is provided through external scripts. As a result, - you can connect Mutt with various cloud email providers, such - as Gmail using authentication tokens. For more information on - how to set up Mutt with OAuth support, see How to set up Mutt with Gmail using - OAuth2 authentication. -
  • -
  • - Mutt adds support for domain-literal email addresses, for - example, user@[IPv6:fcXX:…​]. -
  • -
  • - The new $ssl_use_tlsv1_3 configuration variable allows TLS 1.3 - connections if they are supported by the email server. This variable is enabled by default. -
  • -
  • - The new $imap_deflate variable adds support for the COMPRESS=DEFLATE compression. The variable is disabled by - default. -
  • -
  • - The $ssl_starttls variable no longer controls aborting an - unencrypted IMAP PREAUTH connection. Use the $ssl_force_tls variable instead if you rely on the STARTTLS process. -
  • -
-
-

- Note that even after an update to the new Mutt version, the ssl_force_tls configuration variable still defaults to no to prevent RHEL users from encountering problems in their existing - environments. In the upstream version of Mutt, ssl_force_tls is now enabled by default. -

-

- (BZ#1912614, BZ#1890084) -

-
-
-
-
-
-

4.12. Compilers and development tools

-
-
-
-
-

Go Toolset rebased to version 1.16.7

-

- Go Toolset has been upgraded to version 1.16.7. Notable changes include: -

-
-
-
    -
  • - The GO111MODULE environment variable is now set to on by default. To revert this setting, change GO111MODULE to auto. -
  • -
  • - The Go linker now uses less resources and improves code robustness and maintainability. This - applies to all supported architectures and operating systems. -
  • -
  • - With the new embed package you can access embedded files while - compiling programs. -
  • -
  • - All functions of the io/ioutil package have been moved to the - io and os packages. While you can - still use io/ioutil, the io and - os packages provide better definitions. -
  • -
  • - The Delve debugger has been rebased to 1.6.0 and now supports Go 1.16.7 Toolset. -
  • -
-
-

- For more information, see Using Go - Toolset. -

-

- (BZ#1938071) -

-
-

Rust Toolset rebased to version 1.54.0

-

- Rust Toolset has been updated to version 1.54.0. Notable changes include: -

-
-
-
    -
  • - The Rust standard library is now available for the wasm32-unknown-unknown target. With this enhancement, you can - generate WebAssembly binaries, including newly stabilized intrinsics. -
  • -
  • - Rust now includes the IntoIterator implementation for arrays. - With this enhancement, you can use the IntoIterator trait to - iterate over arrays by value and pass arrays to methods. However, array.into_iter() still iterates values by reference until the - 2021 edition of Rust. -
  • -
  • - The syntax for or patterns now allows nesting anywhere in the - pattern. For example: Pattern(1|2) instead of Pattern(1)|Pattern(2). -
  • -
  • - Unicode identifiers can now contain all valid identifier characters as defined in the - Unicode Standard Annex #31. -
  • -
  • - Methods and trait implementations have been stabilized. -
  • -
  • - Incremental compilation is re-enabled by default. -
  • -
-
-

- For more information, see Using Rust - Toolset. -

-

- (BZ#1945805) -

-
-

LLVM Toolset rebased to version 12.0.1

-

- LLVM Toolset has been upgraded to version 12.0.1. Notable changes include: -

-
-
-
    -
  • - The new compiler flag -march=x86-64-v[234] has been added. -
  • -
  • - The compiler flag -fasynchronous-unwind-tables of the Clang - compiler is now the default on Linux AArch64/PowerPC. -
  • -
  • - The Clang compiler now supports the C++20 likelihood attributes [[likely]] and [[unlikely]]. -
  • -
  • - The new function attribute tune-cpu has been added. It allows - microarchitectural optimizations to be applied independently from the target-cpu attribute or TargetMachine CPU. -
  • -
  • - The new sanitizer -fsanitize=unsigned-shift-base has been added - to the integer sanitizer -fsanitize=integer to improve - security. -
  • -
  • - Code generation on PowerPC targets has been optimized. -
  • -
  • - The WebAssembly backend is now enabled in LLVM. With this enhancement, you can generate - WebAssembly binaries with LLVM and Clang. -
  • -
-
-

- For more information, see Using - LLVM Toolset. -

-

- (BZ#1927937) -

-
-

CMake rebased to version 3.20.2

-

- CMake has been rebased from 3.18.2 to 3.20.2. To use CMake on a project that requires the - version 3.20.2 or less, use the command cmake_minimum_required(version 3.20.2). -

-
-

- Notable changes include: -

-
-
    -
  • - C++23 compiler modes can now be specified by using the target properties CXX_STANDARD, CUDA_STANDARD, OBJCXX_STANDARD, or by using the cxx_std_23 meta-feature of the compile features function. -
  • -
  • - CUDA language support now allows the NVIDIA CUDA compiler to be a symbolic link. -
  • -
  • - The Intel oneAPI NextGen LLVM compilers are now supported with the IntelLLVM compiler ID . -
  • -
  • - CMake now facilitates cross compiling for Android by merging with the Android NDK’s - toolchain file. -
  • -
  • - When running cmake(1) to generate a project build system, - unknown command-line arguments starting with a hyphen are now rejected. -
  • -
-
-

- For further information on new features and deprecated functionalities, see the CMake Release Notes. -

-

- (BZ#1957947) -

-
-

New GCC Toolset 11

-

- GCC Toolset 11 is a compiler toolset that provides recent versions of development tools. It is - available as an Application Stream in the form of a Software Collection in the AppStream repository. -

-
-

- The following components have been rebased since GCC Toolset 10: -

-
-
    -
  • - GCC to version 11.2 -
  • -
  • - GDB to version 10.2 -
  • -
  • - Valgrind to version 3.17.0 -
  • -
  • - SystemTap to version 4.5 -
  • -
  • - binutils to version 2.36 -
  • -
  • - elfutils to version 0.185 -
  • -
  • - dwz to version 0.14 -
  • -
  • - Annobin to version 9.85 -
  • -
-
-

- For a complete list of components, see GCC - Toolset 11. -

-

- To install GCC Toolset 11, run the following command as root: -

-
# yum install gcc-toolset-11
-

- To run a tool from GCC Toolset 11: -

-
$ scl enable gcc-toolset-11 tool
-

- To run a shell session where tool versions from GCC Toolset 11 override system versions of these - tools: -

-
$ scl enable gcc-toolset-11 bash
-

- For more information, see Using - GCC Toolset. -

-

- The GCC Toolset 11 components are also available in the two container images: -

-
-
    -
  • - rhel8/gcc-toolset-11-toolchain, which includes the GCC - compiler, the GDB debugger, and the make automation tool. -
  • -
  • - rhel8/gcc-toolset-11-perftools, which includes the performance - monitoring tools, such as SystemTap and Valgrind. -
  • -
-
-

- To pull a container image, run the following command as root: -

-
# podman pull registry.redhat.io/<image_name>
-

- Note that only the GCC Toolset 11 container images are now supported. Container images of earlier - GCC Toolset versions are deprecated. -

-

- (BZ#1953094) -

-
-

.NET updated to version 6.0

-

- Red Hat Enterprise Linux 8.5 is distributed with .NET version 6.0. Notable improvements - include: -

-
-
-
    -
  • - Support for 64-bit Arm (aarch64) -
  • -
  • - Support for IBM Z and LinuxONE (s390x) -
  • -
-
-

- For more information, see Release - Notes for .NET 6.0 RPM packages and Release - Notes for .NET 6.0 containers. -

-

- (BZ#2022794) -

-
-

GCC Toolset 11: GCC rebased to version 11.2

-

- In GCC Toolset 11, the GCC package has been updated to version 11.2. Notable bug fixes and - enhancements include: -

-
-

- General improvements -

-
-
    -
  • - GCC now defaults to the DWARF Version 5 debugging format. -
  • -
  • - Column numbers shown in diagnostics represent real column numbers by default and respect - multicolumn characters. -
  • -
  • - The straight-line code vectorizer considers the whole function when vectorizing. -
  • -
  • - A series of conditional expressions that compare the same variable can be transformed into a - switch statement if each of them contains a comparison expression. -
  • -
  • -

    - Interprocedural optimization improvements: -

    -
    -
      -
    • - A new IPA-modref pass, controlled by the -fipa-modref option, tracks side effects of function - calls and improves the precision of points-to analysis. -
    • -
    • - The identical code folding pass, controlled by the -fipa-icf option, was significantly improved to - increase the number of unified functions and reduce compile-time memory use. -
    • -
    -
    -
  • -
  • -

    - Link-time optimization improvements: -

    -
    -
      -
    • - Memory allocation during linking was improved to reduce peak memory use. -
    • -
    -
    -
  • -
  • - Using a new GCC_EXTRA_DIAGNOSTIC_OUTPUT environment variable in - IDEs, you can request machine-readable “fix-it hints” without adjusting build flags. -
  • -
  • - The static analyzer, run by the -fanalyzer option, is improved - significantly with numerous bug fixes and enhancements provided. -
  • -
-
-

- Language-specific improvements -

-

- C family -

-
-
    -
  • - C and C++ compilers support non-rectangular loop nests in OpenMP constructs and the - allocator routines of the OpenMP 5.0 specification. -
  • -
  • -

    - Attributes: -

    -
    -
      -
    • - The new no_stack_protector attribute marks - functions that should not be instrumented with stack protection (-fstack-protector). -
    • -
    • - The improved malloc attribute can be used to - identify allocator and deallocator API pairs. -
    • -
    -
    -
  • -
  • -

    - New warnings: -

    -
    -
      -
    • - -Wsizeof-array-div, enabled by the -Wall option, warns about divisions of two sizeof operators when the first one is applied to an - array and the divisor does not equal the size of the array element. -
    • -
    • - -Wstringop-overread, enabled by default, warns - about calls to string functions that try to read past the end of the arrays - passed to them as arguments. -
    • -
    -
    -
  • -
  • -

    - Enhanced warnings: -

    -
    -
      -
    • - -Wfree-nonheap-object detects more instances of - calls to deallocation functions with pointers not returned from a dynamic memory - allocation function. -
    • -
    • - -Wmaybe-uninitialized diagnoses the passing of - pointers and references to uninitialized memory to functions that take const-qualified arguments. -
    • -
    • - -Wuninitialized detects reads from uninitialized - dynamically allocated memory. -
    • -
    -
    -
  • -
-
-

- C -

-
-
    -
  • -

    - Several new features from the upcoming C2X revision of the ISO C standard are supported - with the -std=c2x and -std=gnu2x options. For example: -

    -
    -
      -
    • - The - standard attribute is supported. -
    • -
    • - The __has_c_attribute preprocessor operator is - supported. -
    • -
    • - Labels may appear before declarations and at the end of a compound statement. -
    • -
    -
    -
  • -
-
-

- C++ -

-
-
    -
  • - The default mode is changed to -std=gnu++17. -
  • -
  • - The C++ library libstdc++ has improved C++17 support now. -
  • -
  • -

    - Several new C++20 features are implemented. Note that C++20 support is experimental. -

    -

    - For more information about the features, see C++20 Language - Features. -

    -
  • -
  • - The C++ front end has experimental support for some of the upcoming C++23 draft features. -
  • -
  • -

    - New warnings: -

    -
    -
      -
    • - -Wctad-maybe-unsupported, disabled by default, - warns about performing class template argument deduction on a type with no - deduction guides. -
    • -
    • - -Wrange-loop-construct, enabled by -Wall, warns when a range-based for loop is creating - unnecessary and resource inefficient copies. -
    • -
    • - -Wmismatched-new-delete, enabled by -Wall, warns about calls to operator delete with - pointers returned from mismatched forms of operator new or from other mismatched - allocation functions. -
    • -
    • - -Wvexing-parse, enabled by default, warns about the - most vexing parse rule: the cases when a declaration looks like a variable - definition, but the C++ language requires it to be interpreted as a function - declaration. -
    • -
    -
    -
  • -
-
-

- Architecture-specific improvements -

-

- The 64-bit ARM architecture -

-
-
    -
  • - The Armv8-R architecture is supported through the -march=armv8-r option. -
  • -
  • - GCC can autovectorize operations performing addition, subtraction, multiplication, and the - accumulate and subtract variants on complex numbers. -
  • -
-
-

- AMD and Intel 64-bit architectures -

-
-
    -
  • - The following Intel CPUs are supported: Sapphire Rapids, Alder Lake, and Rocket Lake. -
  • -
  • - New ISA extension support for Intel AVX-VNNI is added. The -mavxvnni compiler switch controls the AVX-VNNI intrinsics. -
  • -
  • - AMD CPUs based on the znver3 core are supported with the new -march=znver3 option. -
  • -
  • - Three microarchitecture levels defined in the x86-64 psABI supplement are - supported with the new -march=x86-64-v2, -march=x86-64-v3, and -march=x86-64-v4 options. -
  • -
-
-

- (BZ#1946782) -

-
-

GCC Toolset 11: dwz now supports DWARF - 5

-

- In GCC Toolset 11, the dwz tool now supports the DWARF Version 5 - debugging format. -

-
-

- (BZ#1948709) -

-
-

GCC Toolset 11: GCC now supports the AIA user interrupts

-

- In GCC Toolset 11, GCC now supports the Accelerator Interfacing Architecture (AIA) user - interrupts. -

-
-

- (BZ#1927516) -

-
-

GCC Toolset 11: Generic SVE tuning defaults improved

-

- In GCC Toolset 11, generic SVE tuning defaults have been improved on the 64-bit ARM - architecture. -

-
-

- (BZ#1979715) -

-
-

SystemTap rebased to version 4.5

-

- The SystemTap package has been updated to version 4.5. Notable bug fixes and enhancements - include: -

-
-
-
    -
  • - 32-bit floating-point variables are automatically widened to double variables and, as a - result, can be accessed directly as $context variables. -
  • -
  • - enum values can be accessed as $context variables. -
  • -
  • - The BPF uconversions tapset has been extended and includes more tapset functions to access - values in user space, for example user_long_error(). -
  • -
  • - Concurrency control has been significantly improved to provide stable operation on large - servers. -
  • -
-
-

- For further information, see the upstream SystemTap 4.5 release - notes. -

-

- (BZ#1933889) -

-
-

elfutils rebased to version 0.185

-

- The elfutils package has been updated to version 0.185. Notable bug - fixes and enhancements include: -

-
-
-
    -
  • - The eu-elflint and eu-readelf - tools now recognize and show the SHF_GNU_RETAIN and SHT_X86_64_UNWIND flags on ELF sections. -
  • -
  • - The DEBUGINFOD_SONAME macro has been added to debuginfod.h. This macro can be used with the dlopen function to load the libdebuginfod.so library dynamically from an application. -
  • -
  • - A new function debuginfod_set_verbose_fd has been added to the - debuginfod-client library. This function enhances the debuginfod_find_* queries functionality by redirecting the - verbose output to a separate file. -
  • -
  • - Setting the DEBUGINFOD_VERBOSE environment variable now shows - more information about which servers the debuginfod client - connects to and the HTTP responses of those servers. -
  • -
  • - The debuginfod server provides a new thread-busy metric and - more detailed error metrics to make it easier to inspect processes that run on the debuginfod server. -
  • -
  • - The libdw library now transparently handles the DW_FORM_indirect location value so that the dwarf_whatform function returns the actual FORM of an attribute. -
  • -
  • - To reduce network traffic, the debuginfod-client library stores - negative results in a cache, and client objects can reuse an existing connection. -
  • -
-
-

- (BZ#1933890) -

-
-

Valgrind rebased to version 3.17.0

-

- The Valgrind package has been updated to version 3.17.0. Notable bug fixes and enhancements - include: -

-
-
-
    -
  • - Valgrind can read the DWARF Version 5 debugging format. -
  • -
  • - Valgrind supports debugging queries to the debuginfod server. -
  • -
  • - The ARMv8.2 processor instructions are partially supported. -
  • -
  • - The Power ISA v.3.1 instructions on POWER10 processors are partially supported. -
  • -
  • - The IBM z14 processor instructions are supported. -
  • -
  • - Most IBM z15 instructions are supported. The Valgrind tool suite supports the - miscellaneous-instruction-extensions facility 3 and the vector-enhancements facility 2 for - the IBM z15 processor. As a result, Valgrind runs programs compiled with GCC -march=z15 correctly and provides improved performance and - debugging experience. -
  • -
  • - The --track-fds=yes option respects -q (--quiet) and ignores the - standard file descriptors stdin, stdout, and stderr by default. To - track the standard file descriptors, use the --track-fds=all - option. -
  • -
  • - The DHAT tool has two new modes of operation: --mode=copy and - --mode=ad-hoc. -
  • -
-
-

- (BZ#1933891) -

-
-

Dyninst rebased to version 11.0.0

-

- The Dyninst package has been updated to version 11.0.0. Notable bug fixes and enhancements - include: -

-
-
-
    -
  • - Support for the debuginfod server and for fetching separate - debuginfo files. -
  • -
  • - Improved detection of indirect calls to procedure linkage table (PLT) stubs. -
  • -
  • - Improved C++ name demangling. -
  • -
  • - Fixed memory leaks during code emitting. -
  • -
-
-

- (BZ#1933893) -

-
-

DAWR functionality improved in GDB on IBM POWER10

-

- With this enhancement, new hardware watchpoint capabilities are now enabled for GDB on the IBM - POWER10 processors. For example, a new set of DAWR/DAWRX registers has been added. -

-
-

- (BZ#1854784) -

-
-

GCC Toolset 11: GDB rebased to version 10.2

-

- In GCC Toolset 11, the GDB package has been updated to version 10.2. Notable bug fixes and - enhancements include: -

-
-

- New features -

-
-
    -
  • - Multithreaded symbol loading is enabled by default on architectures that support this - feature. This change provides better performance for programs with many symbols. -
  • -
  • - Text User Interface (TUI) windows can be arranged horizontally. -
  • -
  • - GDB supports debugging multiple target connections simultaneously but this support is - experimental and limited. For example, you can connect each inferior to a different remote - server that runs on a different machine, or you can use one inferior to debug a local native - process or a core dump or some other process. -
  • -
-
-

- New and improved commands -

-
-
    -
  • - A new tui new-layout name window weight [window weight…] - command creates a new text user interface (TUI) layout, you can also specify a layout name - and displayed windows. -
  • -
  • - The improved alias [-a] [--] alias = command [default-args] - command can specify default arguments when creating a new alias. -
  • -
  • - The set exec-file-mismatch and show exec-file-mismatch commands set and show a new exec-file-mismatch option. When GDB attaches to a running - process, this option controls how GDB reacts when it detects a mismatch between the current - executable file loaded by GDB and the executable file used to start the process. -
  • -
-
-

- Python API -

-
-
    -
  • - The gdb.register_window_type function implements new TUI - windows in Python. -
  • -
  • - You can now query dynamic types. Instances of the gdb.Type - class can have a new boolean attribute dynamic and the gdb.Type.sizeof attribute can have value None for dynamic types. If Type.fields() returns a field of a dynamic type, the value of its - bitpos attribute can be None. -
  • -
  • - A new gdb.COMMAND_TUI constant registers Python commands as - members of the TUI help class of commands. -
  • -
  • - A new gdb.PendingFrame.architecture() method retrieves the - architecture of the pending frame. -
  • -
  • - A new gdb.Architecture.registers method returns a gdb.RegisterDescriptorIterator object, an iterator that returns - gdb.RegisterDescriptor objects. Such objects do not provide the - value of a register but help understand which registers are available for an architecture. -
  • -
  • - A new gdb.Architecture.register_groups method returns a gdb.RegisterGroupIterator object, an iterator that returns gdb.RegisterGroup objects. Such objects help understand which - register groups are available for an architecture. -
  • -
-
-

- (BZ#1954332) -

-
-

GCC Toolset 11: SystemTap rebased to version 4.5

-

- In GCC Toolset 11, the SystemTap package has been updated to version 4.5. Notable bug fixes and - enhancements include: -

-
-
-
    -
  • - 32-bit floating-point variables are now automatically widened to double variables and, as a - result, can be accessed directly as $context variables. -
  • -
  • - enum values can now be accessed as $context variables. -
  • -
  • - The BPF uconversions tapset has been extended and now includes more tapset functions to - access values in user space, for example user_long_error(). -
  • -
  • - Concurrency control has been significantly improved to provide stable operation on large - servers. -
  • -
-
-

- For further information, see the upstream SystemTap 4.5 release - notes. -

-

- (BZ#1957944) -

-
-

GCC Toolset 11: elfutils rebased to version - 0.185

-

- In GCC Toolset 11, the elfutils package has been updated to version - 0.185. Notable bug fixes and enhancements include: -

-
-
-
    -
  • - The eu-elflint and eu-readelf - tools now recognize and show the SHF_GNU_RETAIN and SHT_X86_64_UNWIND flags on ELF sections. -
  • -
  • - The DEBUGINFOD_SONAME macro has been added to debuginfod.h. This macro can be used with the dlopen function to load the libdebuginfod.so library dynamically from an application. -
  • -
  • - A new function debuginfod_set_verbose_fd has been added to the - debuginfod-client library. This function enhances the debuginfod_find_* queries functionality by redirecting the - verbose output to a separate file. -
  • -
  • - Setting the DEBUGINFOD_VERBOSE environment variable now shows - more information about which servers the debuginfod client - connects to and the HTTP responses of those servers. -
  • -
  • - The debuginfod server provides a new thread-busy metric and - more detailed error metrics to make it easier to inspect processes that run on the debuginfod server. -
  • -
  • - The libdw library now transparently handles the DW_FORM_indirect location value so that the dwarf_whatform function returns the actual FORM of an attribute. -
  • -
  • - The debuginfod-client library now stores negative results in a - cache and client objects can reuse an existing connection. This way unnecessary network - traffic when using the library is prevented. -
  • -
-
-

- (BZ#1957225) -

-
-

GCC Toolset 11: Valgrind rebased to version 3.17.0

-

- In GCC Toolset 11, the Valgrind package has been updated to version 3.17.0. Notable bug fixes - and enhancements include: -

-
-
-
    -
  • - Valgrind can now read the DWARF Version 5 debugging format. -
  • -
  • - Valgrind now supports debugging queries to the debuginfod - server. -
  • -
  • - Valgrind now partially supports the ARMv8.2 processor instructions. -
  • -
  • - Valgrind now supports the IBM z14 processor instructions. -
  • -
  • - Valgrind now partially supports the Power ISA v.3.1 instructions on POWER10 processors. -
  • -
  • - The --track-fds=yes option now respects -q (--quiet) and ignores the - standard file descriptors stdin, stdout, and stderr by default. To - track the standard file descriptors, use the --track-fds=all - option. -
  • -
  • - The DHAT tool now has two new modes of operation: --mode=copy - and --mode=ad-hoc. -
  • -
-
-

- (BZ#1957226) -

-
-

GCC Toolset 11: Dyninst rebased to version 11.0.0

-

- In GCC Toolset 11, the Dyninst package has been updated to version 11.0.0. Notable bug fixes and - enhancements include: -

-
-
-
    -
  • - Support for the debuginfod server and for fetching separate - debuginfo files. -
  • -
  • - Improved detection of indirect calls to procedure linkage table (PLT) stubs. -
  • -
  • - Improved C++ name demangling. -
  • -
  • - Fixed memory leaks during code emitting. -
  • -
-
-

- (BZ#1957942) -

-
-

PAPI library support for Fujitsu A64FX added

-

- PAPI library support for Fujitsu A64FX has been added. With this feature, developers can collect - hardware statistics. -

-
-

- (BZ#1908126) -

-
-

The PCP package was rebased to 5.3.1 -

-

- The Performance Co-Pilot (PCP) package has been rebased to version 5.3.1. This release includes - bug fixes, enhancements, and new features. Notable changes include: -

-
-
-
    -
  • - Scalability improvements, which now support centrally logged performance metrics for - hundreds of hosts (pmlogger farms) and automatic monitoring - with performance rules (pmie farms). -
  • -
  • - Resolved memory leaks in the pmproxy service and the libpcp_web API library, and added instrumentation and new metrics - to pmproxy. -
  • -
  • - A new pcp-ss tool for historical socket statistics. -
  • -
  • - Improvements to the pcp-htop tool. -
  • -
  • - Extensions to the over-the-wire PCP protocol which now support higher resolution timestamps. -
  • -
-
-

- (BZ#1922040) -

-
-

The grafana package was rebased to version - 7.5.9

-

- The grafana package has been rebased to version 7.5.9. Notable - changes include: -

-
-
-
    -
  • - New time series panel (beta) -
  • -
  • - New pie chart panel (beta) -
  • -
  • - Alerting support for Loki -
  • -
  • - Multiple new query transformations -
  • -
-
-

- For more information, see What’s New in Grafana - v7.4, What’s New in Grafana - v7.5. -

-

- (BZ#1921191) -

-
-

The grafana-pcp package was rebased to - 3.1.0

-

- The grafana-pcp package has been rebased to version 3.1.0. Notable - changes include: -

-
-
-
    -
  • - Performance Co-Pilot (PCP) Vector Checklist dashboards use a new time series panel, show - units in graphs, and contain updated help texts. -
  • -
  • - Adding pmproxy URL and hostspec - variables to PCP Vector Host Overview and PCP Checklist dashboards. -
  • -
  • - All dashboards display datasource selection. -
  • -
  • - Marking all included dashboards as readonly. -
  • -
  • - Adding compatibility with Grafana 8. -
  • -
-
-

- (BZ#1921190) -

-
-

grafana-container rebased to version - 7.5.9

-

- The rhel8/grafana container image provides Grafana. Notable changes - include: -

-
-
-
    -
  • - The grafana package is now updated to version 7.5.9. -
  • -
  • - The grafana-pcp package is now updated to version 3.1.0. -
  • -
  • - The container now supports the GF_INSTALL_PLUGINS environment - variable to install custom Grafana plugins at container startup -
  • -
-
-

- The rebase updates the rhel8/grafana image in the Red Hat Container - Registry. -

-

- To pull this container image, execute the following command: -

-
# podman pull registry.redhat.io/rhel8/grafana
-

- (BZ#1971557) -

-
-

pcp-container rebased to version - 5.3.1

-

- The rhel8/pcp container image provides Performance Co-Pilot. The - pcp-container package has been upgraded to version 5.3.1. Notable - changes include: -

-
-
-
    -
  • - The pcp package is now updated to version 5.3.1. -
  • -
-
-

- The rebase updates the rhel8/pcp image in the Red Hat Container - Registry. -

-

- To pull this container image, execute the following command: -

-
# podman pull registry.redhat.io/rhel8/pcp
-

- (BZ#1974912) -

-
-

The new pcp-ss PCP utility is now - available

-

- The pcp-ss PCP utility reports socket statistics collected by the - pmdasockets(1) PMDA. The command is compatible with many of the - ss command line options and reporting formats. It also offers the - advantages of local or remote monitoring in live mode and historical replay from a previously - recorded PCP archive. -

-
-

- (BZ#1879350) -

-
-

Power consumption metrics now available in PCP

-

- The new pmda-denki Performance Metrics Domain Agent (PMDA) reports - metrics related to power consumption. Specifically, it reports: -

-
-
-
    -
  • - Consumption metrics based on Running Average Power Limit (RAPL) readings, available on - recent Intel CPUs -
  • -
  • - Consumption metrics based on battery discharge, available on systems which have a battery -
  • -
-
-

- (BZ#1629455) -

-
-
-
-
-
-

4.13. Identity Management

-
-
-
-
-

IdM now supports new password policy options

-

- With this update, Identity Management (IdM) supports additional libpwquality library options: -

-
-
-
-
--maxrepeat
-
- Specifies the maximum number of the same character in sequence. -
-
--maxsequence
-
- Specifies the maximum length of monotonic character sequences (abcd). -
-
--dictcheck
-
- Checks if the password is a dictionary word. -
-
--usercheck
-
- Checks if the password contains the username. -
-
-
-

- Use the ipa pwpolicy-mod command to apply these options. For example, - to apply the user name check to all new passwords suggested by the users in the managers group: -

-
*$ ipa pwpolicy-mod --usercheck=True managers*
-

- If any of the new password policy options are set, then the minimum length of passwords is 6 - characters regardless of the value of the --minlength option. The new - password policy settings are applied only to new passwords. -

-

- In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced - only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM - client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password - policy requirements set by the system administrator will not be applied. To ensure consistent - behavior, upgrade or update all servers to RHEL 8.4 and later. -

-

- (JIRA:RHELPLAN-89566) -

-
-

Improved the SSSD debug logging by adding a unique identifier tag for each - request

-

- As SSSD processes requests asynchronously, it is not easy to follow log entries for individual - requests in the backend logs, as messages from different requests are added to the same log - file. To improve the readability of debug logs, a unique request identifier is now added to log - messages in the form of RID#<integer>. This allows you to - isolate logs pertaining to an individual request, and you can track requests from start to - finish across log files from multiple SSSD components. -

-
-

- For example, the following sample output from an SSSD log file shows the unique identifiers RID#3 - and RID#4 for two different requests: -

-
(2021-07-26 18:26:37): [be[testidm.com]] [dp_req_destructor] (0x0400): RID#3 Number of active DP request: 0
-(2021-07-26 18:26:37): [be[testidm.com]] [dp_req_reply_std] (0x1000): RID#3 DP Request AccountDomain #3: Returning [Internal Error]: 3,1432158301,GetAccountDomain() not supported
-(2021-07-26 18:26:37): [be[testidm.com]] [dp_attach_req] (0x0400): RID#4 DP Request Account #4: REQ_TRACE: New request. sssd.nss CID #1 Flags [0x0001].
-(2021-07-26 18:26:37): [be[testidm.com]] [dp_attach_req] (0x0400): RID#4 Number of active DP request: 1
-

- (JIRA:RHELPLAN-92473) -

-
-

IdM now supports the automember and server Ansible modules

-

- With this update, the ansible-freeipa package contains the ipaautomember and ipaserver modules: -

-
-
-
    -
  • - Using the ipaautomember module, you can add, remove, and modify - automember rules and conditions. As a result, future IdM users and hosts that meet the - conditions will be assigned to IdM groups automatically. -
  • -
  • - Using the ipaserver module, you can ensure various parameters - of the presence or absence of a server in the IdM topology. You can also ensure that a - replica is hidden or visible. -
  • -
-
-

- (JIRA:RHELPLAN-96640) -

-
-

IdM performance baseline

-

- With this update, a RHEL 8.5 IdM server with 4 CPUs and 8GB of RAM has been tested to - successfully enroll 130 IdM clients simultaneously. -

-
-

- (JIRA:RHELPLAN-97145) -

-
-

SSSD Kerberos cache performance has been improved

-

- The System Security Services Daemon (SSSD) Kerberos Cache Manager (KCM) service now includes the - new operation KCM_GET_CRED_LIST. This enhancement improves KCM - performance by reducing the number of input and output operations while iterating through a - credentials cache. -

-
-

- (BZ#1956388) -

-
-

SSSD now logs backtraces by default

-

- With this enhancement, SSSD now stores detailed debug logs in an in-memory buffer and appends - them to log files when a failure occurs. By default, the following error levels trigger a - backtrace: -

-
-
-
    -
  • - Level 0: fatal failures -
  • -
  • - Level 1: critical failures -
  • -
  • - Level 2: serious failures -
  • -
-
-

- You can modify this behavior for each SSSD process by setting the debug_level option in the corresponding section of the sssd.conf configuration file: -

-
-
    -
  • - If you set the debugging level to 0, only level 0 events trigger a backtrace. -
  • -
  • - If you set the debugging level to 1, levels 0 and 1 trigger a backtrace. -
  • -
  • - If you set the debugging level to 2 or higher, events at level 0 through 2 trigger a - backtrace. -
  • -
-
-

- You can disable this feature per SSSD process by setting the debug_backtrace_enabled option to false in - the corresponding section of sssd.conf: -

-
[sssd]
-debug_backtrace_enabled = true
-debug_level=0
-...
-
-[nss]
-debug_backtrace_enabled = false
-...
-
-[domain/idm.example.com]
-debug_backtrace_enabled = true
-debug_level=2
-...
-
-...
-

- (BZ#1949149) -

-
-

SSSD KCM now supports the auto-renewal of ticket granting tickets -

-

- With this enhancement, you can now configure the System Security Services Daemon (SSSD) Kerberos - Cache Manager (KCM) service to auto-renew ticket granting tickets (TGTs) stored in the KCM - credential cache on an Identity Management (IdM) server. Renewals are only attempted when half - of the ticket lifetime has been reached. To use auto-renewal, the key distribution center (KDC) - on the IdM server must be configured to support renewable Kerberos tickets. -

-
-

- You can enable TGT auto-renewal by modifying the [kcm] section of the /etc/sssd/sssd.conf file. For example, you can configure SSSD to check - for renewable KCM-stored TGTs every 60 minutes and attempt auto-renewal if half of the ticket - lifetime has been reached by adding the following options to the file: -

-
[kcm]
-tgt_renewal = true
-krb5_renew_interval = 60m
-

- Alternatively, you can configure SSSD to inherit krb5 options for - renewals from an existing domain: -

-
[kcm]
-tgt_renewal = true
-tgt_renewal_inherit = domain-name
-

- For more information, see the Renewals section of the sssd-kcm man page. -

-

- (BZ#1627112) -

-
-

samba rebased to version - 4.14.4

-

- -

The _samba_ packages have been upgraded to upstream version 4.14.4, which provides bug fixes and enhancements over the previous version:
- -

-
-
-
    -
  • - Publishing printers in Active Directory (AD) has increased reliability, and additional - printer features have been added to the published information in AD. Also, Samba now - supports Windows drivers for the ARM64 architecture. -
  • -
  • - The ctdb isnotrecmaster command has been removed. As an - alternative, use ctdb pnn or the ctdb recmaster commands. -
  • -
  • - The clustered trivial database (CTDB) ctdb natgw master and - slave-only parameters have been renamed to ctdb natgw leader and follower-only. -
  • -
-
-

- Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start Samba - automatically updates its tdb database files. Note that Red Hat does - not support downgrading tdb database files. -

-

- After updating Samba, verify the /etc/samba/smb.conf file using the - testparm utility. -

-

- For further information about notable changes, read the upstream release notes before - updating. -

-

- (BZ#1944657) -

-
-

The dnaInterval configuration attribute is now - supported

-

- With this update, Red Hat Directory Server supports setting the dnaInterval attribute of the Distributed Numeric Assignment (DNA) - plug-in in the cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config - entry. The DNA plug-in generates unique values for specified attributes. In a replication - environment, servers can share the same range. To avoid overlaps on different servers, you can - set the dnaInterval attribute to skip some values. For example, if - the interval is 3 and the first number in the range is 1, the next number used in the range is 4, then 7, then 10. -

-
-

- For further details, see the dnaInterval - parameter description. -

-

- (BZ#1938239) -

-
-

Directory Server rebased to version 1.4.3.27

-

- The 389-ds-base packages have been upgraded to upstream version - 1.4.3.27, which provides a number of bug fixes and enhancements over the previous version. For a - complete list of notable changes, read the upstream release notes before updating: -

-
- -

- (BZ#1947044) -

-
-

Directory Server now supports temporary passwords

-

- This enhancement enables administrators to configure temporary password rules in global and - local password policies. With these rules, you can configure that, when an administrator resets - the password of a user, the password is temporary and only valid for a specific time and for a - defined number of attempts. Additionally, you can configure that the expiration time does not - start directly when the administrator changes the password. As a result, Directory Server allows - the user only to authenticate using the temporary password for a finite period of time or - attempts. Once the user authenticates successfully, Directory Server allows this user only to - change its password. -

-
-

- (BZ#1626633) -

-
-

IdM KDC now issues Kerberos tickets with PAC information to increase - security

-

- With this update, to increase security, RHEL Identity Management (IdM) now issues Kerberos - tickets with Privilege Attribute Certificate (PAC) information by default in new deployments. A - PAC has rich information about a Kerberos principal, including its Security Identifier (SID), - group memberships, and home directory information. As a result, Kerberos tickets are less - susceptible to manipulation by malicious servers. -

-
-

- SIDs, which Microsoft Active Directory (AD) uses by default, are globally unique identifiers that - are never reused. SIDs express multiple namespaces: each domain has a SID, which is a prefix in the - SID of each object. -

-

- Starting with RHEL 8.5, when you install an IdM server or replica, the installation script generates - SIDs for users and groups by default. This allows IdM to work with PAC data. If you installed IdM - before RHEL 8.5, and you have not configured a trust with an AD domain, you may not have generated - SIDs for your IdM objects. For more information about generating SIDs for your IdM objects, see Enabling - Security Identifiers (SIDs) in IdM. -

-

- By evaluating PAC information in Kerberos tickets, you can control resource access with much greater - detail. For example, the Administrator account in one domain has a - uniquely different SID than the Administrator account in any other - domain. In an IdM environment with a trust to an AD domain, you can set access controls based on - globally unique SIDs rather than simple user names or UIDs that might repeat in different locations, - such as every Linux root account having a UID of 0. -

-

- (Jira:RHELPLAN-159143) -

-
-

Directory Server provides monitoring settings that can prevent database - corruption caused by lock exhaustion

-

- This update adds the nsslapd-db-locks-monitoring-enable parameter - to the cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config - entry. If it is enabled, which is the default, Directory Server aborts all of the searches if - the number of active database locks is higher than the percentage threshold configured in nsslapd-db-locks-monitoring-threshold. If an issue is encountered, - the administrator can increase the number of database locks in the nsslapd-db-locks parameter in the cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config entry. This - can prevent data corruption. Additionally, the administrator now can set a time interval in - milliseconds that the thread sleeps between the checks. -

-
-

- For further details, see the parameter descriptions in the Red - Hat Directory Server Configuration, Command, and File Reference. -

-

- (BZ#1812286) -

-
-

Directory Server can exclude attributes and suffixes from the retro - changelog database

-

- This enhancement adds the nsslapd-exclude-attrs and nsslapd-exclude-suffix parameters to Directory Server. You can set - these parameters in the cn=Retro Changelog Plugin,cn=plugins,cn=config entry to exclude - certain attributes or suffixes from the retro changelog database. -

-
-

- (BZ#1850664) -

-
-

Directory Server supports the entryUUID - attribute

-

- With this enhancement, Directory Server supports the entryUUID - attribute to be compliant with RFC 4530. For example, with support - for entryUUID, migrations from OpenLDAP are easier. By default, - Directory Server adds the entryUUID attribute only to new entries. - To manually add it to existing entries, use the dsconf <instance_name> plugin entryuuid fixup - command. -

-
-

- (BZ#1944494) -

-
-

Added a new message to help set up nsSSLPersonalitySSL

-

- Previously, many times happened that RHDS instance failed to start if the TLS certificate - nickname didn’t match the value of the configuration parameter nsSSLPersonalitySSL. This mismatch happened when customer copy the - NSS DB from a previous instance or export the certificate’s data but forget to set the nsSSLPersonalitySSL value accordingly. With this update, you can see - log an additional message which should help a user to set up nsSSLPersonalitySSL correctly. -

-
-

- (BZ#1895460) -

-
-
-
-
-
-

4.14. Desktop

-
-
-
-
-

You can now connect to network at the login screen

-

- With this update, you can now connect to your network and configure certain network options at - the GNOME Display Manager (GDM) login screen. As a result, you can log in as an enterprise user - whose home directory is stored on a remote server. -

-
-

- The login screen supports the following network options: -

-
-
    -
  • - Wired network -
  • -
  • - Wireless network, including networks protected by a password -
  • -
  • - Virtual Private Network (VPN) -
  • -
-
-

- The login screen cannot open windows for additional network configuration. As a consequence, you - cannot use the following network options at the login screen: -

-
-
    -
  • - Networks that open a captive portal -
  • -
  • - Modem connections -
  • -
  • - Wireless networks with enterprise WPA or WPA2 encryption that have not been preconfigured -
  • -
-
-

- The network options at the login screen are disabled by default. To enable the network settings, use - the following procedure: -

-
-
    -
  1. -

    - Create the /etc/polkit-1/rules.d/org.gnome.gdm.rules file - with the following content: -

    -
    polkit.addRule(function(action, subject) {
    -    if (action.id == "org.freedesktop.NetworkManager.network-control" &&
    -        subject.user == "gdm") {
    -            return polkit.Result.YES;
    -    }
    -
    -    return polkit.Result.NOT_HANDLED;
    -});
    -
  2. -
  3. -

    - Restart GDM: -

    -
    # systemctl restart gdm
    -
    -
    Warning
    -
    -

    - Restarting GDM terminates all your graphical user sessions. -

    -
    -
    -
  4. -
  5. - At the login screen, access the network settings in the menu on the right side of the top - panel. -
  6. -
-
-

- (BZ#1935261) -

-
-

Displaying the system security classification at login

-

- You can now configure the GNOME Display Manager (GDM) login screen to display an overlay banner - that contains a predefined message. This is useful for deployments where the user is required to - read the security classification of the system before logging in. -

-
-

- To enable the overlay banner and configure a security classification message, use the following - procedure: -

-
-
    -
  1. -

    - Install the gnome-shell-extension-heads-up-display package: -

    -
    # yum install gnome-shell-extension-heads-up-display
    -
  2. -
  3. -

    - Create the /etc/dconf/db/gdm.d/99-hud-message file with the - following content: -

    -
    [org/gnome/shell]
    -enabled-extensions=['heads-up-display@gnome-shell-extensions.gcampax.github.com']
    -
    -[org/gnome/shell/extensions/heads-up-display]
    -message-heading="Security classification title"
    -message-body="Security classification description"
    -

    - Replace the following values with text that describes the security classification of - your system: -

    -
    -
    -
    Security classification - title
    -
    - A short heading that identifies the security classification. -
    -
    Security classification - description
    -
    - A longer message that provides additional details, such as references to various - guidelines. -
    -
    -
    -
  4. -
  5. -

    - Update the dconf database: -

    -
    # dconf update
    -
  6. -
  7. - Reboot the system. -
  8. -
-
-

- (BZ#1651378) -

-
-

Flicker free boot is available

-

- You can now enable flicker free boot on your system. When flicker free boot is enabled, it - eliminates abrupt graphical transitions during the system boot process, and the display does not - briefly turn off during boot. -

-
-

- To enable flicker free boot, use the following procedure: -

-
-
    -
  1. -

    - Configure the boot loader menu to hide by default: -

    -
    # grub2-editenv - set menu_auto_hide=1
    -
  2. -
  3. -

    - Update the boot loader configuration: -

    -
    -
      -
    • -

      - On UEFI systems: -

      -
      # grub2-mkconfig -o /etc/grub2-efi.cfg
      -
    • -
    • -

      - On legacy BIOS systems: -

      -
      # grub2-mkconfig -o /etc/grub2.cfg
      -
    • -
    -
    -
  4. -
  5. - Reboot the system. -
  6. -
-
-

- As a result, the boot loader menu does not display during system boot, and the boot process is - graphically smooth. -

-

- To access the boot loader menu, repeatedly press Esc - after turning on the system. -

-

- (JIRA:RHELPLAN-99148) -

-
-

Updated support for emoji

-

- This release updates support for Unicode emoji characters from version 11 to version 13 of the - emoji standard. As a result, you can now use more emoji characters on RHEL. -

-
-

- The following packages that provide emoji functionality have been rebased: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PackagePrevious versionRebased to version -
-

- cldr-emoji-annotation -

-
-

- 33.1.0 -

-
-

- 38 -

-
-

- google-noto-emoji-fonts -

-
-

- 20180508 -

-
-

- 20200723 -

-
-

- unicode-emoji -

-
-

- 10.90.20180207 -

-
-

- 13.0 -

-
-
-

- (JIRA:RHELPLAN-61867) -

-
-

You can set a default desktop session for all users

-

- With this update, you can now configure a default desktop session that is preselected for all - users that have not logged in yet. -

-
-

- If a user logs in using a different session than the default, their selection persists to their next - login. -

-

- To configure the default session, use the following procedure: -

-
-
    -
  1. -

    - Copy the configuration file template: -

    -
    # cp /usr/share/accountsservice/user-templates/standard \
    -     /etc/accountsservice/user-templates/standard
    -
  2. -
  3. - Edit the new /etc/accountsservice/user-templates/standard file. - On the Session=gnome - line, replace gnome with - the session that you want to set as the default. -
  4. -
  5. -

    - Optional: To configure an exception to the default session for a certain user, follow - these steps: -

    -
    -
      -
    1. -

      - Copy the template file to /var/lib/AccountsService/users/user-name: -

      -
      # cp /usr/share/accountsservice/user-templates/standard \
      -     /var/lib/AccountsService/users/user-name
      -
    2. -
    3. - In the new file, replace variables such as ${USER} - and ${ID} with the user values. -
    4. -
    5. - Edit the Session value. -
    6. -
    -
    -
  6. -
-
-

- (BZ#1812788) -

-
-
-
-
-
-

4.15. Graphics infrastructures

-
-
-
-
-

Support for new GPUs

-

- The following new GPUs are now supported. -

-
-

- Intel graphics: -

-
-
    -
  • -

    - Alder Lake-S (ADL-S) -

    -

    - Support for Alder Lake-S graphics is disabled by default. To enable it, add the - following option to the kernel command line: -

    -
    i915.force_probe=PCI_ID
    -

    - Replace PCI_ID with either the PCI device ID of - your Intel GPU, or with the * character to enable support - for all alpha-quality hardware that uses the i915 driver. -

    -
  • -
  • - Elkhart Lake (EHL) -
  • -
  • - Comet Lake Refresh (CML-R) with the TGP Platform Controller Hub (PCH) -
  • -
-
-

- AMD graphics: -

-
-
    -
  • - Cezzane and Barcelo -
  • -
  • - Sienna Cichlid -
  • -
  • - Dimgrey Cavefish -
  • -
-
-

- (JIRA:RHELPLAN-99040, BZ#1784132, BZ#1784136, BZ#1838558) -

-
-

The Wayland session is available with the proprietary NVIDIA - driver

-

- The proprietary NVIDIA driver now supports hardware accelerated OpenGL and Vulkan rendering in - Xwayland. As a result, you can now enable the GNOME Wayland session with the proprietary NVIDIA - driver. Previously, only the legacy X11 session was available with the driver. X11 remains as - the default session to avoid a possible disruption when updating from a previous version of - RHEL. -

-
-

- To enable Wayland with the NVIDIA proprietary driver, use the following procedure: -

-
-
    -
  1. -

    - Enable Direct Rendering Manager (DRM) kernel modesetting by adding the following option - to the kernel command line: -

    -
    nvidia-drm.modeset=1
    -

    - For details on enabling kernel options, see Configuring - kernel command-line parameters. -

    -
  2. -
  3. -

    - Reboot the system. -

    -

    - The Wayland session is now available at the login screen. -

    -
  4. -
  5. - Optional: To avoid the loss of video allocations when suspending or hibernating the system, - enable the power management option with the driver. For details, see Configuring - Power Management Support. -
  6. -
-
-

- For the limitations related to the use of DRM kernel modesetting in the proprietary NVIDIA driver, - see Direct Rendering - Manager Kernel Modesetting (DRM KMS). -

-

- (JIRA:RHELPLAN-99049) -

-
-

Improvements to GPU support

-

- The following new GPU features are now enabled: -

-
-
-
    -
  • - Panel Self Refresh (PSR) is now enabled for Intel Tiger Lake and later graphics, which - improves power consumption. -
  • -
  • - Intel Tiger Lake, Ice Lake, and later graphics can now use High Bit Rate 3 (HBR3) mode with - the DisplayPort Multi-Stream Transport (DP-MST) transmission method. This enables support - for certain display capabilities with docks. -
  • -
  • - Modesetting is now enabled on NVIDIA Ampere GPUs. This includes the following models: GA102, - GA104, and GA107, including hybrid graphics systems. -
  • -
  • - Most laptops with Intel integrated graphics and an NVIDIA Ampere GPU can now output to - external displays using either GPU. -
  • -
-
-

- (JIRA:RHELPLAN-99043) -

-
-

Updated graphics drivers

-

- The following graphics drivers have been updated: -

-
-
-
    -
  • - amdgpu -
  • -
  • - ast -
  • -
  • - i915 -
  • -
  • - mgag2000 -
  • -
  • - nouveau -
  • -
  • - vmwgfx -
  • -
  • - vmwgfx -
  • -
  • - The Mesa library -
  • -
  • - Vulkan packages -
  • -
-
-

- (JIRA:RHELPLAN-99044) -

-
-

Intel Tiger Lake graphics are fully supported

-

- Intel Tiger Lake UP3 and UP4 Xe graphics, which were previously available as a Technology - Preview, are now fully supported. Hardware acceleration is enabled by default on these GPUs. -

-
-

- (BZ#1783396) -

-
-
-
-
-
-

4.16. Red Hat Enterprise Linux system roles

-
-
-
-
-

Users can configure the maximum root distance using the timesync_max_distance parameter

-

- With this update, the timesync RHEL system role is able to - configure the tos maxdist of ntpd and - the maxdistance parameter of the chronyd service using the new timesync_max_distance parameter. The timesync_max_distance parameter configures the maximum root distance - to accept measurements from Network Time Protocol (NTP) servers. The default value is 0, which - keeps the provider-specific defaults. -

-
-

- (BZ#1938016) -

-
-

Elasticsearch can now accept lists of servers

-

- Previously, the server_host parameter in Elasticsearch output for - the Logging RHEL system role accepted only a string value for a single host. With this - enhancement, it also accepts a list of strings to support multiple hosts. As a result, you can - now configure multiple Elasticsearch hosts in one Elasticsearch output dictionary. -

-
-

- (BZ#1986463) -

-
-

Network Time Security (NTS) option added to the timesync RHEL system role

-

- The nts option was added to the timesync RHEL system role to enable NTS on client servers. NTS is a - new security mechanism specified for Network Time Protocol (NTP), which can secure - synchronization of NTP clients without client-specific configuration and can scale to large - numbers of clients. The NTS option is supported only with the chrony NTP provider in version 4.0 and later. -

-
-

- (BZ#1970664) -

-
-

The SSHD RHEL system role now supports non-exclusive configuration - snippets

-

- With this feature, you can configure SSHD through different roles and playbooks without - rewriting the previous configurations by using namespaces. Namespaces are similar to a drop-in - directory, and define non-exclusive configuration snippets for SSHD. As a result, you can use - the SSHD RHEL system role from a different role, if you need to configure only a small part of - the configuration and not the entire configuration file. -

-
-

- (BZ#1970642) -

-
-

The SELinux role can now manage SELinux - modules

-

- The SElinux RHEL system role has the ability to manage SELinux - modules. With this update, users can provide their own custom modules from .pp or .cil files, which allows for a - more flexible SELinux policy management. -

-
-

- (BZ#1848683) -

-
-

Users can manage the chrony interleaved mode, - NTP filtering, and hardware timestamping

-

- With this update, the timesync RHEL system role enables you to - configure the Network Time Protocol (NTP) interleaved mode, additional filtering of NTP - measurements, and hardware timestamping. The chrony package of - version 4.0 adds support for these functionalities to achieve a highly accurate and stable - synchronization of clocks in local networks. -

-
-
-
    -
  • - To enable the NTP interleaved mode, make sure the server supports this feature, and set the - xleave option to yes for the - server in the timesync_ntp_servers list. The default value is - no. -
  • -
  • - To set the number of NTP measurements per clock update, set the filter option for the NTP server you are configuring. The default - value is 1. -
  • -
  • - To set the list of interfaces which should have hardware timestamping enabled for NTP, use - the timesync_ntp_hwts_interfaces parameter. The special value - ["*"] enables timestamping on all interfaces that support it. - The default is []. -
  • -
-
-

- (BZ#1938020) -

-
-

timesync role enables customization settings - for chrony

-

- Previously, there was no way to provide customized chrony configuration using the timesync role. This update adds the timesync_chrony_custom_settings parameter, which enables users to to - provide customized settings for chrony, such as: -

-
-
timesync_chrony_custom_settings:
-  - "logdir /var/log/chrony"
-  - "log measurements statistics tracking"
-

- (BZ#1938023) -

-
-

timesync role supports hybrid end-to-end delay - mechanisms

-

- With this enhancement, you can use the new hybrid_e2e option in - timesync_ptp_domains to enable hybrid end-to-end delay mechanisms - in the timesync role. The hybrid end-to-end delay mechanism uses - unicast delay requests, which are useful to reduce multicast traffic in large networks. -

-
-

- (BZ#1957849) -

-
-

ethtool now supports reducing the packet loss - rate and latency

-

- Tx or Rx buffers are memory spaces allocated by a network adapter to handle traffic bursts. - Properly managing the size of these buffers is critical to reduce the packet loss rate and - achieve acceptable network latency. -

-
-

- The ethtool utility now reduces the packet loss rate or latency by - configuring the ring option of the specified network device. -

-

- The list of supported ring parameters is: -

-
-
    -
  • - rx - Changes the number of ring entries for the Rx ring. -
  • -
  • - rx-jumbo - Changes the number of ring entries for the Rx Jumbo - ring. -
  • -
  • - rx-mini - Changes the number of ring entries for the Rx Mini - ring. -
  • -
  • - tx - Changes the number of ring entries for the Tx ring. -
  • -
-
-

- (BZ#1959649) -

-
-

New ipv6_disabled parameter is now - available

-

- With this update, you can now use the ipv6_disabled parameter to - disable ipv6 when configuring addresses. -

-
-

- (BZ#1939711) -

-
-

RHEL system roles now support VPN management

-

- Previously, it was difficult to set up secure and properly configured IPsec tunneling and - virtual private networking (VPN) solutions on Linux. With this enhancement, you can use the VPN - RHEL system role to set up and configure VPN tunnels for host-to-host and mesh connections more - easily across large numbers of hosts. As a result, you have a consistent and stable - configuration interface for VPN and IPsec tunneling configuration within the RHEL system roles - project. -

-
-

- (BZ#1943679) -

-
-

The storage RHEL system role now supports - filesystem relabel

-

- Previously, the storage role did not support relabelling. This - update fixes the issue, providing support to relabel the filesystem - label. To do this, set a new label string to the fs_label parameter - in storage_volumes. -

-
-

- (BZ#1876315) -

-
-

Support for volume sizes expressed as a percentage is available in the - storage system role

-

- This enhancement adds support to the storage RHEL system role to - express LVM volume sizes as a percentage of the pool’s total size. You can specify the size of - LVM volumes as a percentage of the pool/VG size, for example: 50% - in addition to the human-readable size of the file system, for example, 10g, 50 GiB. -

-
-

- (BZ#1894642) -

-
-

New Ansible Role for Microsoft SQL Server Management

-

- The new microsoft.sql.server role is designed to help IT and - database administrators automate processes involved with setup, configuration, and performance - tuning of SQL Server on Red Hat Enterprise Linux. -

-
-

- (BZ#2013853) -

-
-

RHEL system roles do not support Ansible 2.8

-

- With this update, support for Ansible 2.8 is no longer supported because the version is past the - end of the product life cycle. The RHEL system roles support Ansible 2.9. -

-
-

- (BZ#1989199) -

-
-

The postfix role of RHEL system roles is fully - supported

-

- Red Hat Enterprise Linux system roles provides a configuration interface for Red Hat Enterprise - Linux subsystems, which makes system configuration easier through the inclusion of Ansible - Roles. This interface enables managing system configurations across multiple versions of Red Hat - Enterprise Linux, as well as adopting new major releases. -

-
-

- The rhel-system-roles packages are distributed through the AppStream - repository. -

-

- As of RHEL 8.5, the postfix role is fully supported. -

-

- For more information, see the Knowledgebase article about RHEL system roles. -

-

- (BZ#1812552) -

-
-
-
-
-
-

4.17. Virtualization

-
-
-
-
-

Enhancements to managing virtual machines in the web console

-

- The Virtual Machines (VM) section of the RHEL 8 web console has been redesigned for a better - user experience. In addition, the following changes and features have also been introduced: -

-
-
-
    -
  • - A single page now includes all the relevant VM information, such as VM status, disks, - networks, or console information. -
  • -
  • - You can now live migrate a VM using the web console -
  • -
  • - The web console now allows editing the MAC address of a VM’s network interface -
  • -
  • - You can use the web console to view a list of host devices attached to a VM -
  • -
-
-

- (JIRA:RHELPLAN-79074) -

-
-

zPCI device assignment

-

- It is now possible to attach zPCI devices as mediated devices to virtual machines (VMs) hosted - on RHEL 8 running on IBM Z hardware. For example, thís enables the use of NVMe flash drives in - VMs. -

-
-

- (JIRA:RHELPLAN-59528) -

-
-
-
-
-
-

4.18. Supportability

-
-
-
-
-

sos rebased to version 4.1

-

- The sos package has been upgraded to version 4.1, which provides - multiple bug fixes and enhancements. Notable enhancements include: -

-
-
-
    -
  • - Red Hat Update Infrastructure (RHUI) plugin is now natively - implemented in the sos package. With the rhui-debug.py python binary, sos can - collect reports from RHUI including, for example, the main - configuration file, the rhui-manager log file, or the - installation configuration. -
  • -
  • - sos introduces the --cmd-timeout - global option that sets manually a timeout for a command execution. The default value (-1) - defers to the general command timeout, which is 300 seconds. -
  • -
-
-

- (BZ#1928679) -

-
-
-
-
-
-

4.19. Containers

-
-
-
-
-

Default container image signature verification is now available -

-

- Previously, the policy YAML files for the Red Hat Container Registries had to be manually - created in the /etc/containers/registries.d/ directory. Now, the - registry.access.redhat.com.yaml and registry.redhat.io.yaml files are included in the containers-common package. You can now use the podman image trust command to verify the container image signatures - on RHEL. -

-
-

- (JIRA:RHELPLAN-75166) -

-
-

The container-tools:rhel8 module has been - updated

-

- The container-tools:rhel8 module, which contains the Podman, - Buildah, Skopeo, and runc tools is now available. This update provides a list of bug fixes and - enhancements over the previous version. -

-
-

- (JIRA:RHELPLAN-76515) -

-
-

The containers-common package is now - available

-

- The containers-common package has been added to the container-tools:rhel8 module. The containers-common package contains common configuration files and - documentation for container tools ecosystem, such as Podman, Buildah and Skopeo. -

-
-

- (JIRA:RHELPLAN-77542) -

-
-

Native overlay file system support in the kernel is now available -

-

- The overlay file system support is now available from kernel 5.11. The non-root users will have - native overlay performance even when running rootless (as a user). Thus, this enhancement - provides better performance to non-root users who wish to use overlayfs without the need for - bind mounting. -

-
-

- (JIRA:RHELPLAN-77241) -

-
-

A podman container image is now - available

-

- The registry.redhat.io/rhel8/podman container image, previously - available as a Technology Preview, is now fully supported. The registry.redhat.io/rhel8/podman container image is a containerized - implementation of the podman package. The podman tool manages containers and images, volumes mounted into those - containers, and pods made of groups of containers. -

-
-

- (JIRA:RHELPLAN-57941) -

-
-

Universal Base Images are now available on Docker Hub

-

- Previously, Universal Base Images were only available from the Red Hat container catalog. Now, - Universal Base Images are also available from Docker Hub. -

-
-

- For more information, see Red - Hat Brings Red Hat Universal Base Image to Docker Hub. -

-

- (JIRA:RHELPLAN-85064) -

-
-

CNI plugins in Podman are now available

-

- CNI plugins are now available to use in Podman rootless mode. The rootless networking commands - now work without any other requirement on the system. -

-
-

- (BZ#1934480) -

-
-

Podman has been updated to version 3.3.1

-

- The Podman utility has been updated to version 3.3.1. Notable enhancements include: -

-
-
-
    -
  • - Podman now supports restarting containers created with the --restart option after the system is rebooted. -
  • -
  • - The podman container checkpoint and podman container restore commands now support checkpointing and - restoring containers that are in pods and restoring those containers into pods. Further, the - podman container restore command now supports the --publish option to change ports forwarded to a container - restored from an exported checkpoint. -
  • -
-
-

- (JIRA:RHELPLAN-87877) -

-
-

The crun OCI runtime is now available -

-

- The crun OCI runtime is now available for the container-tools:rhel8 module. The crun - container runtime supports an annotation that enables the container to access the rootless - user’s additional groups. This is useful for container operations when volume mounting in a - directory where setgid is set, or where the user only has group access. -

-
-

- (JIRA:RHELPLAN-75164) -

-
-

The podman UBI image is now available -

-

- The registry.access.redhat.com/ubi8/podman is now available as a part of UBI. -

-
-

- (JIRA:RHELPLAN-77489) -

-
-

The container-tools:rhel8 module has been - updated

-

- The container-tools:rhel8 module, which contains the Podman, - Buildah, Skopeo, and runc tools is now available. This update provides a list of bug fixes and - enhancements over the previous version. -

-
-

- For more details, see the RHEA-2022:0352. -

-

- (BZ#2009153) -

-
-

The ubi8/nodejs-16 and ubi8/nodejs-16-minimal container images are now fully - supported

-

- The ubi8/nodejs-16 and ubi8/nodejs-16-minimal container images, previously available as a - Technology Preview, are fully supported with the release of the RHBA-2021:5260 advisory. These - container images include Node.js 16.13, which is a Long Term - Support (LTS) version. -

-
-

- (BZ#2001020) -

-
-
-
-
-
-
-

Chapter 5. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel shipped - with Red Hat Enterprise Linux 8.5. These changes could include for example added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any - noticeable behavior changes. -

-

New kernel parameters

-
-
-
idxd.sva = [HW]
-
-

- Format: <bool> -

-

- With this parameter you can force disable Shared Virtual Memory (SVA) support for the idxd kernel module. -

-

- The default value is true (1). -

-
-
lsm.debug = [SECURITY]
-
- With this parameter you can enable Linux Security Module (LSM) initialization debugging output. -
-
lsm = lsm1,…​,lsmN [SECURITY]
-
-

- With this parameter you can choose the order of Linux Security Module (LSM) initialization. -

-

- This parameter overrides CONFIG_LSM option, and the security= parameter. -

-
-
rcutree.qovld = [KNL]
-
-

- With this parameter you can set a threshold of queued Read-copy-update (RCU) callbacks. - Beyond this threshold, RCU’s force-quiescent-state scan will aggressively enlist help from - the cond_resched() system call and schedule IPIs to help CPUs - reach more quickly quiescent states. -

-

- You can set this parameter to values smaller than zero to make this parameter be set based - on the rcutree.qhimark parameter at boot time. Alternatively, - set this parameter to zero to disable more aggressive help enlistment. -

-
-
rcutree.rcu_unlock_delay = [KNL]
-
-

- With this parameter you can specify the rcu_read_unlock()-time - delay, in kernels where the config boolean is set to CONFIG_RCU_STRICT_GRACE_PERIOD=y. -

-

- The default value is 0. -

-

- Larger delays increase the probability of catching Read-copy-update (RCU) pointer leaks. - That is a flawed use of RCU-protected pointers after the relevant rcu_read_unlock() has completed. -

-
-
rcutorture.irqreader = [KNL]
-
- With this parameter you can run Read-copy-update (RCU) readers from Interrupt request (IRQ) - handlers, or from a timer handler. -
-
rcutorture.leakpointer = [KNL]
-
- With this parameter you can leak a Read-copy-update (RCU) protected pointer out of the reader. - This can result in splats, and is intended to test the ability of configurations such as CONFIG_RCU_STRICT_GRACE_PERIOD=y to detect such leaks. -
-
rcutorture.read_exit = [KNL]
-
- With this parameter you can set the number of read-then-exit kthreads to test the interaction of - Read-copy-update (RCU) updaters and task-exit processing. -
-
rcutorture.read_exit_burst = [KNL]
-
- With this parameter you can specify the number of times in a given read-then-exit episode that a - set of read-then-exit kthreads is spawned. -
-
rcutorture.read_exit_delay = [KNL]
-
- With this parameter you can specify the delay, in seconds, between successive read-then-exit - testing episodes. -
-
rcutorture.stall_cpu_block = [KNL]
-
- With this parameter you can set sleep while stalling. As a result, warnings from pre-emptible - Read-copy-update (RCU) in addition to any other stall-related activity can occur. -
-
rcutorture.stall_gp_kthread = [KNL]
-
-

- With this parameter you can specify duration, in seconds, of forced sleep within - Read-copy-update (RCU) grace-period kthread to test RCU CPU stall warnings. -

-

- Set this parameter to zero to disable the functionality. -

-

- If both stall_cpu and stall_gp_kthread parameters are specified, the kthread is starved - first, then the CPU. -

-
-
rcupdate.rcu_cpu_stall_suppress_at_boot = [KNL]
-
- With this parameter you can suppress RCU CPU stall warning messages and rcutorture writer stall - warnings that occur during early boot. That is during the time before the init task is spawned. -
-
rcupdate.rcu_task_ipi_delay = [KNL]
-
-

- With this parameter you can set time in jiffies during which Read-copy-update (RCU) tasks - avoid sending IPIs, starting with the beginning of a given grace period. -

-

- Setting a large number avoids disturbing real-time workloads, but lengthens grace periods. -

-
-
refscale.holdoff = [KNL]
-
- With this parameter you can set test-start holdoff period. The purpose of this parameter is to - delay the start of the test until boot completes in order to avoid interference. -
-
refscale.loops = [KNL]
-
-

- With this parameter you can set the number of loops over the synchronization primitive under - test. Increasing this number reduces noise due to loop start/end overhead. -

-

- The default value has already reduced the per-pass noise to a handful of picoseconds on - about 2020 x86 laptops. -

-
-
refscale.nreaders = [KNL]
-
-

- With this parameter you can set the number of readers. -

-

- The default value of -1 selects N, where N is roughly 75% of the number of CPUs. -

-
-
refscale.nruns = [KNL]
-
- With this parameter you can set the number of runs, each of which is dumped onto the console - log. -
-
refscale.readdelay = [KNL]
-
- With this parameter you can set the read-side critical-section duration, measured in - microseconds. -
-
refscale.scale_type = [KNL]
-
- With this parameter you can specify the read-protection implementation to test. -
-
refscale.shutdown = [KNL]
-
-

- With this parameter you can shut down the system at the end of the performance test. -

-

- The default value is 1 and it shuts down the system - refscale is built into the kernel. -

-

- The value 0 and leaves the system running - refscale is built as a module. -

-
-
refscale.verbose = [KNL]
-
- With this parameter you can enable additional printk() statements. -
-
scftorture.holdoff = [KNL]
-
-

- With this parameter you can specify the number of seconds to hold off before starting test. -

-

- The paramter defaults to zero for module insertion and to 10 seconds for built-in smp_call_function() tests. -

-
-
scftorture.longwait = [KNL]
-
-

- With this parameter you can request very long waits, which are randomly selected up to the - chosen limit in seconds. -

-

- The default value is zero and it disables this feature. -

-

- Note that requesting even small non-zero numbers of seconds can result in Read-copy-update - (RCU) CPU stall warnings, softlockup complaints, and so on. -

-
-
scftorture.nthreads = [KNL]
-
-

- With this parameter you can specify the number of kthreads to spawn to invoke the smp_call_function() family of functions. -

-

- The default of -1 specifies a number of kthreads equal to the number of CPUs. -

-
-
scftorture.onoff_holdoff = [KNL]
-
- With this parameter you can specify the number of seconds to wait after the start of the test - before initiating CPU-hotplug operations. -
-
scftorture.onoff_interval = [KNL]
-
-

- With this parameter you can specify the number of seconds to wait between successive - CPU-hotplug operations. -

-

- The default value is zero and it disables CPU-hotplug operations. -

-
-
scftorture.shutdown_secs = [KNL]
-
-

- With this parameter you can specify the number of seconds following the start of the test. - After the test the system shuts down. -

-

- With the default value of zero you can avoid shutting down the system. Non-zero values are - useful for automated tests. -

-
-
scftorture.stat_interval = [KNL]
-
-

- With this parameter you can specify the number of seconds between outputting the current - test statistics to the console. -

-

- A value of zero disables statistics output. -

-
-
scftorture.stutter_cpus = [KNL]
-
- With this parameter you can specify the number of jiffies to wait between each change to the set - of CPUs under test. -
-
scftorture.use_cpus_read_lock = [KNL]
-
- With this parameter you can use the use_cpus_read_lock() system - call instead of the default preempt_disable() system call to - disable CPU hotplug while invoking one of the smp_call_function*() - functions. -
-
scftorture.verbose = [KNL]
-
- With this parameter you can enable additional printk() statements. -
-
scftorture.weight_single = [KNL]
-
-

- This parameter specifies the probability weighting to use for the smp_call_function_single() function with a zero "wait" parameter. -

-

- A value of -1 selects the default if all other weights are -1. However, if at least one - weight has some other value, a value of -1 will instead select a weight of zero. -

-
-
scftorture.weight_single_wait = [KNL]
-
- This parameter specifies the probability weighting to use for the smp_call_function_single() function with a non-zero "wait" parameter. - For more information see weight_single. -
-
scftorture.weight_many = [KNL]
-
-

- This parameter specifies the probability weighting to use for the smp_call_function_many() function with a zero "wait" parameter. -

-

- Note that setting a high probability for this weighting can place serious Inter-processor - Interrupt (IPI) load on the system. -

-

- For more information see weight_single. -

-
-
scftorture.weight_many_wait = [KNL]
-
-

- This parameter specifies the probability weighting to use for the smp_call_function_many() function with a non-zero "wait" - parameter. -

-

- For more information see weight_single and weight_many. -

-
-
scftorture.weight_all = [KNL]
-
-

- This parameter specifies the probability weighting to use for the smp_call_function_all() function with a zero "wait" parameter. -

-

- For more information see weight_single and weight_many. -

-
-
scftorture.weight_all_wait = [KNL]
-
-

- This parameter specifies the probability weighting to use for the smp_call_function_all() function with a non-zero "wait" - parameter. -

-

- For more information see weight_single and weight_many. -

-
-
sched_energy_aware
-
-

- This parameter enables or disables Energy Aware Scheduling (EAS). -

-

- EAS starts automatically on platforms with asymmetric CPU topologies which have an Energy - Model available. -

-

- If your platform meets the requirements for EAS but you do not want to use it, change this - value to 0. -

-
-
torture.disable_onoff_at_boot = [KNL]
-
- With this parameter you can prevent the CPU-hotplug component of torturing until after the init task has spawned. -
-
torture.ftrace_dump_at_shutdown = [KNL]
-
-

- With this parameter you can dump the ftrace buffer at - torture-test shutdown, even if there were no errors. -

-

- This can be a very costly operation when many torture tests are running concurrently, - especially on systems with rotating-rust storage. -

-
-
-
-

Updated kernel parameters

-
-
-
iommu.forcedac = [ARM64, X86]
-
-

- With this parameter you can control input-output virtual address (IOVA) allocation for PCI - devices. -

-

- Format: { 0 | 1 } -

-
-
    -
  • - 0 - Try to allocate a 32-bit Direct Memory Access (DMA) - address first, before falling back to the full range if needed. -
  • -
  • - 1 - Allocate directly from the full usable range. The - option is forcing Dual Address Cycle for PCI cards which support greater than 32-bit - addressing. -
  • -
-
-
-
page_poison = [KNL]
-
-

- With this boot-time parameter you can change the state of poisoning on the buddy allocator, - available with the CONFIG_PAGE_POISONING=y configuration. -

-
-
    -
  • - off: turn off poisoning (default) -
  • -
  • - on: turn on poisoning -
  • -
-
-
-
rcuscale.gp_async = [KNL]
-
- With this parameter you can measure performance of asynchronous grace-period primitives such as - call_rcu(). -
-
rcuscale.gp_async_max = [KNL]
-
- With this parameter you can specify the maximum number of outstanding callbacks per writer - thread. When a writer thread exceeds this limit, it invokes the corresponding flavor of rcu_barrier() to allow previously posted callbacks to drain. -
-
rcuscale.gp_exp = [KNL]
-
- With this parameter you can measure the performance of expedited synchronous grace-period - primitives. -
-
rcuscale.holdoff = [KNL]
-
- With this parameter you can set test-start holdoff period. The purpose of this parameter is to - delay the start of the test until boot completes in order to avoid interference. -
-
rcuscale.kfree_rcu_test = [KNL]
-
- With this parameter you can measure performance of kfree_rcu() - flooding. -
-
rcuscale.kfree_nthreads = [KNL]
-
- With this parameter you can specify the number of threads running loops of the kfree_rcu() function. -
-
rcuscale.kfree_alloc_num = [KNL]
-
- With this parameter you can specify the number of allocations and frees done in an iteration. -
-
rcuscale.kfree_loops = [KNL]
-
- With this parameter you can specify the number of loops doing rcuscale.kfree_alloc_num number of allocations and frees. -
-
rcuscale.nreaders = [KNL]
-
-

- With this parameter you can set the number of Read-copy-update (RCU) readers. -

-

- The value -1 selects N, where N is the number of CPUs. -

-
-
rcuscale.nwriters = [KNL]
-
-

- With this parameter you can set the number of Read-copy-update (RCU) writers. -

-

- The values operate the same as for rcuscale.nreaders=N, where N - is the number of CPUs. -

-
-
rcuscale.perf_type = [KNL]
-
- With this parameter you can specify the Read-copy-update (RCU) implementation to test. -
-
rcuscale.shutdown = [KNL]
-
- With this parameter you can shut the system down after performance tests complete. This is - useful for hands-off automated testing. -
-
rcuscale.verbose = [KNL]
-
- With this parameter you can enable additional printk() statements. -
-
rcuscale.writer_holdoff = [KNL]
-
-

- With this parameter you can write-side holdoff between grace periods in microseconds. -

-

- The default value is zero and it means "no holdoff". -

-
-
security = [SECURITY]
-
-

- With this parameter you can choose a legacy "major" security module to be enabled at boot. -

-

- This has been deprecated by the lsm parameter. -

-
-
split_lock_detect = [X86]
-
-

- With this parameter you can enable split lock detection or bus lock detection. -

-

- When enabled, and if hardware support is present, atomic instructions that access data - across cache line boundaries will result in: -

-
-
    -
  • - an alignment check exception for split lock detection -
  • -
  • -

    - a debug exception for bus lock detection -

    -

    - Possible values: -

    -
  • -
  • - off - the functionality is not enabled -
  • -
  • - warn - the kernel emits rate-limited warnings about - applications and trigger the #AC exception or the #DB exception. This mode is the - default on CPUs that support the split lock detection or the bus lock detection. The - default behavior is by #AC if both features are enabled in hardware. -
  • -
  • - fatal - the kernel sends the SIGBUS signal to applications that trigger the #AC - exception or the #DB exception. The default behavior is by #AC if both features are - enabled in hardware. -
  • -
  • -

    - ratelimit:N - sets the system wide rate limit to N - bus locks per second for bus lock detection (0 < N ⇐ 1000). N/A for split - lock detection. -

    -

    - If an #AC exception is hit in the kernel or in firmware (for example not while - executing in user mode) the kernel will oops in either the warn or fatal mode. -

    -

    - #DB exception for bus lock is triggered only when CPL > 0. -

    -
  • -
-
-
-
usb-storage.quirks =
-
- k = NO_SAME (do not use WRITE_SAME, UAS only) -
-
-
-
-
-
-
-
-

Chapter 6. Device Drivers

-
-
-
-
-
-
-
-

6.1. New drivers

-
-
-
-

Network drivers

-
-
    -
  • - SYNOPSYS DESIGNWARE Ethernet XPCS driver (pcs-xpcs.ko.xz) -
  • -
  • - INTEL 10/100/1000 Ethernet PCI driver (dwmac-intel.ko.xz) -
  • -
  • - STMMAC 10/100/1000 Ethernet device driver (stmmac.ko.xz) -
  • -
  • - Crypto IPSEC for Chelsio Terminator cards. (ch_ipsec.ko.xz): 1.0.0. -
  • -
  • - Chelsio NIC TLS ULD driver (ch_ktls.ko.xz): 1.0.0. -
  • -
  • - Microsoft Azure Network Adapter driver (mana.ko.xz) -
  • -
  • - Core module for Qualcomm Atheros 802.11ax wireless LAN cards. (ath11k.ko.xz) -
  • -
  • - Driver support for Qualcomm Technologies 802.11ax WLAN PCIe devices (ath11k_pci.ko.xz) -
  • -
  • - MAC to optional PHY connection (phylink.ko.xz) -
  • -
-
-

Graphics drivers and miscellaneous drivers

-
-
    -
  • - MC Driver for Intel client SoC using In-Band ECC (igen6_edac.ko.xz) -
  • -
  • - Regmap SoundWire MBQ Module (regmap-sdw-mbq.ko.xz) -
  • -
  • - Intel Platform Monitoring Technology PMT driver (intel_pmt.ko.xz) -
  • -
  • - Intel PMT Crashlog driver (intel_pmt_crashlog.ko.xz) -
  • -
  • - Sysfs structure for UV systems (uv_sysfs.ko.xz) -
  • -
  • - Intel PMT Telemetry driver (intel_pmt_telemetry.ko.xz) -
  • -
  • - Intel PMT Class driver (intel_pmt_class.ko.xz) -
  • -
  • - AMD PMC Driver (amd-pmc.ko.xz) -
  • -
  • - MHI Host Interface (mhi.ko.xz) -
  • -
  • - Modem Host Interface (MHI) PCI controller driver (mhi_pci_generic.ko.xz) -
  • -
  • - vDPA Device Simulator for block device (vdpa_sim_blk.ko.xz): 0.1 -
  • -
  • - vDPA Device Simulator for networking device (vdpa_sim_net.ko.xz): 0.1 -
  • -
  • - vp-vdpa (vp_vdpa.ko.xz): 1 -
  • -
  • - Mellanox VDPA driver (mlx5_vdpa.ko.xz) -
  • -
  • - Basic STM framing protocol driver (stm_p_basic.ko.xz) -
  • -
  • - MIPI SyS-T STM framing protocol driver (stm_p_sys-t.ko.xz) -
  • -
  • - QMI encoder/decoder helper (qmi_helpers.ko.xz) -
  • -
  • - ACPI DPTF platform power driver (dptf_power.ko.xz) -
  • -
  • - ACPI Platform profile sysfs interface (platform_profile.ko.xz) -
  • -
  • - Intel Emmitsburg PCH pinctrl/GPIO driver (pinctrl-emmitsburg.ko.xz) -
  • -
  • - Intel Alder Lake PCH pinctrl/GPIO driver (pinctrl-alderlake.ko.xz) -
  • -
  • - MPI3 Storage Controller Device Driver (mpi3mr.ko.xz): 00.255.45.01 -
  • -
  • - device-mapper multipath path selector that selects paths based on the CPU IO is being - executed on (dm-io-affinity.ko.xz) -
  • -
  • - device-mapper measured service time oriented path selector - (dm-historical-service-time.ko.xz) -
  • -
-
-
-
-
-
-
-

6.2. Updated drivers

-
-
-
-

Network drivers

-
-
    -
  • - Mellanox 5th generation network adapters (ConnectX series) core driver (mlx5_core.ko.xz) has - been updated to version 4.18.0-348.el8.x86_64. -
  • -
  • - Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (r8152.ko.xz) has been updated to - version v1.11.11. -
  • -
-
-

Graphics and miscellaneous driver updates

-
-
    -
  • - LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas.ko.xz) has been updated to version - 37.101.00.00. -
  • -
  • - Emulex LightPulse Fibre Channel SCSI driver (lpfc.ko.xz) has been updated to version - 0:12.8.0.10. -
  • -
  • - QLogic Fibre Channel HBA Driver (qla2xxx.ko.xz) has been updated to version 10.02.00.106-k. -
  • -
  • - Driver for Microsemi Smart Family Controller version (smartpqi.ko.xz) has been updated to - version 2.1.8-045. -
  • -
  • - Broadcom MegaRAID SAS Driver (megaraid_sas.ko.xz) has been updated to version - 07.717.02.00-rh1. -
  • -
-
-
-
-
-
-
-
-

Chapter 7. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.5 that have a significant impact on users. -

-
-
-
-
-

7.1. Installer and image creation

-
-
-
-
-

RHEL installation no longer aborts when Insights client fails to register - system

-

- Previously, the RHEL installation failed with an error at the end if the Red Hat Insights client - failed to register the system during the installation. With this update, the system completes - the installation even if the insights client fails. The user is notified about the error during - installation so the error can be handled later independently. -

-
-

- (BZ#1931069) -

-
-

Anaconda allows data encryption for automatically created disk layout in - the custom partitioning screen

-

- Previously, requesting encrypted disk layout when the disk layout was automatically created in - the custom partitioning screen was not possible. With this update, Anaconda provides an option - on the custom partitioning screen to encrypt the automatically created disk layout. -

-
-

- (BZ#1903786) -

-
-

Installation program does not attempt automatic partitioning when - partitioning scheme is not specified in the Kickstart file

-

- When using a Kickstart file to perform an automated installation, the installation program does - not attempt to perform automatic partitioning when you do not specify any partitioning scheme in - the Kickstart file. The installation process is interrupted and allows the user to configure the - partitioning. -

-
-

- (BZ#1954408) -

-
-

RHEL-Edge container image now uses nginx and - serves on port 8080

-

- Previously, the edge-container image type was unable to run in - non-root mode. As a result, Red Hat OpenShift 4 was unable to use the edge-container image type. With this enhancement, the container now - uses nginx HTTP server to serve the commit and a configuration file - that allows the server to run as a non-root user inside the container, enabling its use on Red - Hat OpenShift 4. The internal web server now uses the port 8080 - instead of 80. -

-
-

- (BZ#1945238) -

-
-
-
-
-
-

7.2. Shells and command-line tools

-
-
-
-
-

opal-prd rebased to version 6.7.1

-

- opal-prd has been upgraded to version 6.7.1. Notable bug fixes and - enhancements include: -

-
-
-
    -
  • - Fixed xscom error logging issues caused due to xscom OPAL call. -
  • -
  • - Fixed possible deadlock with the DEBUG build. -
  • -
  • - Fallback to full_reboot if fast-reboot fails in core/platform. -
  • -
  • - Fixed next_ungarded_primary in core/cpu. -
  • -
  • - Improved rate limit timer requests and the timer state in Self-Boot Engine (SBE). -
  • -
-
-

- (BZ#1921665) -

-
-

libservicelog rebased to version - 1.1.19

-

- libservicelog has been upgraded to version 1.1.19. Notable bug - fixes and enhancements include: -

-
-
-
    -
  • - Fixed output alignment issue. -
  • -
  • - Fixed segfault on servicelog_open() failure. -
  • -
-
-

- (BZ#1844430) -

-
-

ipmitool sol activate command no longer - crashes

-

- Previously, after upgrading from RHEL 7 to RHEL 8 the ipmitool sol activate command would crash while trying to access the - remote console on an IBM DataPower appliance. -

-
-

- With this update, the bug has been fixed and one can use ipmitool to - access the remote console again. -

-

- (BZ#1951480) -

-
-

Relax-and-Recover (ReaR) package now depends on the bootlist - executable

-

- Previously, ReaR could produce a rescue image without the bootlist executable on the IBM Power - Systems, Little Endian architecture. Consequently, if the powerpc-utils-core package is not installed, the rescue image did not - contain the bootlist executable. -

-
-

- With this update, the ReaR package now depends on the bootlist executable. The dependency ensures - that the bootlist executable is present. ReaR does not create a rescue image if the bootlist - executable is missing. This avoids creating an invalid rescue image. -

-

- (BZ#1983013) -

-
-

rsync with an unprivileged remote user can now be used in ReaR

-

- Previously, when rsync was used to back up and restore the system data (BACKUP=RSYNC), the parameters to rsync were incorrectly quoted, and - the --fake-super parameter was not passed to the remote rsync - process. Consequently, the file metadata was not correctly saved and restored. -

-
-

- With this update following bugs have been fixed: -

-
-
    -
  • - ReaR uses the correct parameters for rsync. -
  • -
  • -

    - Improved rsync code for error detection during backup and restore: -

    -
    -
      -
    • - If there is a rsync error detected during the backup, ReaR aborts with an error - message. -
    • -
    • - If there is a rsync error detected during the restore, ReaR displays a warning - message. -
    • -
    -
    -
  • -
-
-

- In the /etc/rear/local.conf file set BACKUP_INTEGRITY_CHECK=1 to turn the warning into an error message. -

-

- (BZ#1930662) -

-
-

Loss of backup data on network shares when using ReaR does not occur - anymore

-

- Previously, when a network file system like NFS was used to store the ReaR backups, in case of - an error ReaR removed the directory where the NFS was mounted. Consequently, this caused backup - data loss. -

-
-

- With this update, ReaR now uses a new method to unmount network shares. This new method does not - remove the content of the mounted filesystem when it is removes the mount point. The loss of backup - data on network shares when using ReaR is now fixed. -

-

- (BZ#1958247) -

-
-

ReaR can now be used to back up and recover machines that use ESP -

-

- Previously, ReaR did not create Extensible Firmware Interface (EFI) entries when software RAID - (MDRAID) is used for the EFI System Partition on machines with Unified Extensible Firmware - Interface (UEFI) firmware. When a system with UEFI firmware and EFI System Partition on software - RAID were recovered using ReaR; the recovered system was unbootable and required manual - intervention to fix the boot EFI variables. -

-
-

- With this update, the support for creating boot EFI entries for software RAID devices is added to - ReaR. ReaR can now be used to back up and recover machines that use EFI System Partition (ESP) on - software RAID, without manual post-recovery intervention. -

-

- (BZ#1958222) -

-
-

/etc/slp.spi file added to openslp package

-

- Previously, the /etc/slp.spi file was missing in the openslp package. Consequently, the /usr/bin/slptool command did not generate output. With this update, - /etc/slp.spi has been added to openslp. -

-
-

- (BZ#1965649) -

-
-

BM Power Systems, Little Endian architecture machines with multipath can - now be safely recovered using ReaR

-

- Previously, the /sys file system was not mounted in the chroot when - ReaR was recovering the system. The ofpathname executable on the - IBM Power Systems, Little Endian architecture failed when installing the boot loader. - Consequently, the error remained undetected and the recovered system was unbootable. -

-
-

- With this update, ReaR now mounts the /sys file system in the recovery - chroot. ReaR ensures that ofpathname is present in the rescue system on - Power Systems, Little Endian architecture machines. -

-

- (BZ#1983003) -

-
-

The which utility no longer aborts with a - syntax error message when used with an alias

-

- Previously, when you tried to use the which command with an alias, - for example, A=B which ls, the which - utility aborted with the syntax error message bash: syntax error near unexpected token `('. -

-
-

- This bug has been fixed, and which correctly displays the full path of - the command without an error message. -

-

- (BZ#1940468) -

-
-
-
-
-
-

7.3. Infrastructure services

-
-
-
-
-

Permissions of the /var/lib/chrony have - changed

-

- Previously, enterprise security scanners would flag the /var/lib/chrony directory for having world-readable and executable - permissions. With this update, the permissions of the /var/lib/chrony directory have changed to limit access only to the - root and chrony users. -

-
-

- (BZ#1939295) -

-
-
-
-
-
-

7.4. Security

-
-
-
-
-

GnuTLS no longer rejects SHA-1-signed CAs if - they are explicitly trusted

-

- Previously, the GnuTLS library checked signature hash strength of - all certificate authorities (CA) even if the CA was explicitly trusted. As a consequence, chains - containing CAs signed with the SHA-1 algorithm were rejected with the error message certificate’s signature hash strength is unacceptable. With this - update, GnuTLS excludes trusted CAs from the signature hash - strength checks and therefore no longer rejects certificate chains containing CAs even if they - are signed using weak algorithms. -

-
-

- (BZ#1965445) -

-
-

Hardware optimization enabled in FIPS mode

-

- Previously, the Federal Information Processing Standard (FIPS 140-2) did not allow using - hardware optimization. Therefore, the operation was disabled in the libgcrypt package when in the FIPS mode. This update enables hardware - optimization in FIPS mode, and as a result, all cryptographic operations are performed faster. -

-
-

- (BZ#1976137) -

-
-

leftikeport and rightikeport options work correctly

-

- Previously, Libreswan ignored the leftikeport and rightikeport options in any host-to-host Libreswan connections. As a - consequence, Libreswam used the default ports regardless of any non-default options settings. - With this update, the issue is now fixed and you can use leftikeport and rightikeport connection - options over the default options. -

-
-

- (BZ#1934058) -

-
-

SELinux policy did not allow GDM to set the GRUB boot_success flag

-

- Previously, SELinux policy did not allow the GNOME Display Manager (GDM) to set the GRUB boot_success flag during the power-off and reboot operations. - Consequently, the GRUB menu appeared on the next boot. With this update, the SELinux policy - introduces a new xdm_exec_bootloader boolean that allows the GDM to - set the GRUB boot_success flag, and which is enabled by default. As - a result, the GRUB boot menu is shown on the first boot and the flicker-free boot support - feature works correctly. -

-
-

- (BZ#1994096) -

-
-

selinux-policy now supports IPsec-based VPNs - using TCP encapsulation

-

- Since RHEL 8.4, the libreswan packages have supported IPsec-based - VPNs using TCP encapsulation, but the selinux-policy package did - not reflect this update. As a consequence, when Libreswan was configured to use TCP, the ipsec service failed to bind to the given TCP port. With this update - to the selinux-policy package, the ipsec service can bind and connect to the commonly used TCP port - 4500, and therefore you can use TCP encapsulation in IPsec-based - VPNs. -

-
-

- (BZ#1931848) -

-
-

SELinux policy now prevents staff_u users from - switching to unconfined_r

-

- Previously, when the secure_mode boolean was enabled, staff_u users could incorrectly switch to the unconfined_r role. As a consequence, staff_u users could perform privileged operations affecting the - security of the system. With this fix, SELinux policy prevents staff_u users from switching to the unconfined_r role using the newrole - command. As a result, unprivileged users cannot run privileged operations. -

-
-

- (BZ#1947841) -

-
-

OSCAP Anaconda Addon now handles customized - profiles

-

- Previously, the OSCAP Anaconda Addon plugin did not correctly - handle security profiles with customizations in separate files. Consequently, the customized - profiles were not available in the RHEL graphical installation even when you specified them in - the corresponding Kickstart section. The handling has been fixed, and you can use customized - SCAP profiles in the RHEL graphical installation. -

-
-

- (BZ#1691305) -

-
-

OpenSCAP no longer fails during evaluation of the STIG profile and other - SCAP content

-

- Previously, initialization of the cryptography library in OpenSCAP was not performed properly in - OpenSCAP, specifically in the filehash58 probe. As a consequence, a - segmentation fault occurred while evaluating SCAP content containing the filehash58_test Open Vulnerability Assessment Language (OVAL) test. - This affected in particular the evaluation of the STIG profile for Red Hat Enterprise Linux 8. - The evaluation failed unexpectedly and results were not generated. The process of initializing - libraries has been fixed in the new version of the openscap - package. As a result, OpenSCAP no longer fails during the evaluation of the STIG profile for - RHEL 8 and other SCAP content that contains the filehash58_test - OVAL test. -

-
-

- (BZ#1959570) -

-
-

Ansible updates banner files only when needed

-

- Previously, the playbook used for banner remediation always removed the file and recreated it. - As a consequence, the banner file inodes were always modified regardless of need. With this - update, the Ansible remediation playbook has been improved to use the copy module, which first compares existing content with the intended - content and only updates the file when needed. As a result, banner files are only updated when - the existing content differs from the intended content. -

-
-

- (BZ#1857179) -

-
-

USB devices now work correctly with the DISA STIG profile

-

- Previously, the DISA STIG profile enabled the USBGuard service but - did not configure any initially connected USB devices. Consequently, the USBGuard service blocked any device that was not specifically - allowed. This made some USB devices, such as smart cards, unreachable. With this update, the - initial USBGuard configuration is generated when applying the DISA STIG profile and allows the - use of any connected USB device. As a result, USB devices are not blocked and work correctly. -

-
-

- (BZ#1946252) -

-
-

OSCAP Anaconda Addon now installs all selected - packages in text mode

-

- Previously, the OSCAP Anaconda Addon plugin did not evaluate rules - that required certain partition layout or package installations and removals before the - installation started when running in text mode. Consequently, when a security policy profile was - specified using Kickstart and the installation was running in text mode, any additional packages - required by a selected security profile were not installed. OSCAP Anaconda Addon now performs the required checks before the - installation starts regardless of whether the installation is graphical or text-based, and all - selected packages are installed also in text mode. -

-
-

- (BZ#1674001) -

-
-

rpm_verify_permissions removed from the CIS - profile

-

- The rpm_verify_permissions rule, which compares file permissions to - package default permissions, has been removed from the Center for Internet Security (CIS) Red - Hat Enterprise Linux 8 Benchmark. With this update, the CIS profile is aligned with the CIS RHEL - 8 benchmark, and as a result, this rule no longer affects users who harden their systems - according to CIS. -

-
-

- (BZ#1843913) -

-
-
-
-
-
-

7.5. Kernel

-
-
-
-
-

A revert of upstream patch allows some systemd - services and user-space workloads to run as expected

-

- The backported upstream change to the mknod() system call caused - the open() system call to be more privileged with respect to device - nodes than mknod(). Consequently, multiple user-space workloads and - some systemd services in containers became unresponsive. With this - update, the incorrect behavior has been reverted and no crashes occur any more. -

-
-

- (BZ#1902543) -

-
-

Improved performance regression in memory accounting operations -

-

- Previously, a slab memory controller was increasing the frequency of memory accounting - operations per slab. Consequently, a performance regression occurred due to an increased number - of memory accounting operations. To fix the problem, the memory accounting operations have been - streamlined to use as much caching and as little atomic operations as possible. As a result, a - slight performance regression still remains. However, the user experience is much better. -

-
-

- (BZ#1959772) -

-
-

Hard lockups and system panic no longer occur when issuing multiple SysRg-T - magic keys

-

- Issuing multiple SysRg-T magic key sequences to a system caused an interrupt to be disabled for - an extended period of time, depending on the serial console speed, and on the volume of - information being printed out. This prolonged disabled-interrupt time often resulted in a hard - lockup followed by a system panic. This update brings the SysRg-T key sequence to substantially - reduce the period when interrupt is disabled. As a result, no hard lockups or system panic occur - in the described scenario. -

-
-

- (BZ#1954363) -

-
-

Certain BCC utilities do not display the "macro redefined" warning - anymore

-

- Macro redefinitions in some compiler-specific kernel headers caused some BPF Compiler Collection - (BCC) utilities to display the following zero-impact warning: -

-
-
warning: '__no_sanitize_address' macro redefined [-Wmacro-redefined]
-

- With this update, the problem has been fixed by removing the macro redefinitions. As a result, the - relevant BCC utilities no longer display the warning in this scenario. -

-

- (BZ#1907271) -

-
-

kdump no longer fails to dump vmcore on SSH or - NFS targets

-

- Previously, when configuring a network interface card (NIC) port to a static IP address and - setting kdump to dump vmcore on SSH or - NFS dump targets, the kdump service started with the following - error message: -

-
-
ipcalc: command not found
-

- Consequently, a kdump on SSH or NFS dump targets eventually failed. -

-

- This update fixes the problem and the kexec-tools utility no longer - depends on the ipcalc tool for IP address and netmask calculation. As a - result, the kdump works as expected when you use SSH or NFS dump - targets. -

-

- (BZ#1931266) -

-
-

Certain networking kernel drivers now properly display their - version

-

- The behavior for module versioning of many networking kernel drivers changed in RHEL 8.4. - Consequently, those drivers did not display their version. Alternatively, after executing the - ethtool -i command, the drivers displayed the kernel version instead of the driver version. This update fixes the bug by - providing the kernel module strings. As a result, users can determine versions of the affected - kernel drivers. -

-
-

- (BZ#1944639) -

-
-

The hwloc commands now return correct data on - single CPU Power9 and Power10 logical partitions

-

- With the hwloc utility of version 2.2.0, any single-node - Non-Uniform Memory Access (NUMA) system that ran a Power9 or Power10 CPU was considered to be - "disallowed". Consequently, all hwloc commands did not work, - because NODE0 (socket 0, CPU 0) was offline and the hwloc source - code expected NODE0 to be online. The following error message was displayed: -

-
-
Topology does not contain any NUMA node, aborting!
-

- With this update, hwloc has been fixed so that its source code checks - to see if NODE0 is online before querying it. If NODE0 is not online, the code proceeds to the next - online NODE. -

-

- As a result, the hwloc command does not return any errors in the - described scenario. -

-

- (BZ#1917560) -

-
-
-
-
-
-

7.6. File systems and storage

-
-
-
-
-

Records obtained from getaddrinfo() now - include a default TTL

-

- Previously, API did not convey time-to-live (TTL) information, which left TTL unset for address - records obtained through getaddrinfo(), even if they were obtained - from the DNS. As a consequence, the key.dns_resolver upcall program - did not set an expiry time on dns_resolver records, unless the - records included a component obtained directly from the DNS, such as an SRV or AFSDB record. - With this update, records from getaddrinfo() now include a default - TTL of 10 minutes to prevent an unset expiry time. -

-
-

- (BZ#1661674) -

-
-
-
-
-
-

7.7. High availability and clusters

-
-
-
-
-

The ocf:heartbeat:pgsql resource agent and - some third-party agents no longer fail to stop during a shutdown process

-

- In the RHEL 8.4 GA release, Pacemaker’s crm_mon command-line tool - was modified to display a "shutting down" message rather than the usual cluster information when - Pacemaker starts to shut down. As a consequence, shutdown progress, such as the stopping of - resources, could not be monitored. In this situation, resource agents that parse crm_mon output in their stop operation (such as the ocf:heartbeat:pgsql agent distributed with the resource-agents - package, or some custom or third-party agents) could fail to stop, leading to cluster problems. - This bug has been fixed, and the described problem no longer occurs. -

-
-

- (BZ#1948620) -

-
-
-
-
-
-

7.8. Dynamic programming languages, web and database servers

-
-
-
-
-

pyodbc works again with MariaDB 10.3

-

- The pyodbc module did not work with the MariaDB 10.3 server included in the RHEL 8.4 release. The root cause - in the mariadb-connector-odbc package has been fixed, and pyodbc now works with MariaDB 10.3 as - expected. -

-
-

- Note that earlier versions of the MariaDB 10.3 server and the MariaDB 10.5 server were not affected by this problem. -

-

- (BZ#1944692) -

-
-
-
-
-
-

7.9. Compilers and development tools

-
-
-
-
-

GCC Toolset 11: GCC 11 now defaults to DWARF 4

-

- While upstream GCC 11 defaults to using the DWARF 5 debugging format, GCC of GCC Toolset 11 - defaults to DWARF 4 to stay compatible with RHEL 8 components, for example, rpmbuild. -

-
-

- (BZ#1974402) -

-
-

The tunables framework now parses GLIBC_TUNABLES correctly

-

- Previously, the tunables framework did not parse the GLIBC_TUNABLES - environment variable correctly for non-setuid children of setuid programs. As a consequence, in - some cases all tunables remained in non-setuid children of setuid programs. With this update, - tunables in the GLIBC_TUNABLES environment variable are correctly - parsed. As a result, only a restricted subset of identified tunables are now inherited by - non-setuid children of setuid programs. -

-
-

- (BZ#1934155) -

-
-

The semctl system call wrapper in glibc now treats SEM_STAT_ANY like - SEM_STAT

-

- Previously, the semctl system call wrapper in glibc did not treat the kernel argument SEM_STAT_ANY like SEM_STAT. As a result, - glibc did not pass the address of the result object struct semid_ds to the kernel, so that the kernel failed to update - it. With this update, glibc now treats SEM_STAT_ANY like SEM_STAT, and as a - result, applications can obtain struct semid_ds data using SEM_STAT_ANY. -

-
-

- (BZ#1912670) -

-
-

Glibc now includes definitions for IPPROTO_ETHERNET, IPPROTO_MPTCP, and - INADDR_ALLSNOOPERS_GROUP

-

- Previously, the Glibc system library headers (/usr/include/netinet/in.h) did not include definitions of IPPROTO_ETHERNET, IPPROTO_MPTCP, and - INADDR_ALLSNOOPERS_GROUP. As a consequence, applications needing - these definitions failed to compile. With this update, the system library headers now include - the new network constant definitions for IPPROTO_ETHERNET, IPPROTO_MPTCP, and INADDR_ALLSNOOPERS_GROUP resulting in correctly compiling - applications. -

-
-

- (BZ#1930302) -

-
-

gcc rebased to version 8.5

-

- The GNU Compiler Collection (GCC) has been rebased to upstream version 8.5, which provides a - number of bug fixes over the previous version. -

-
-

- (BZ#1946758) -

-
-

Incorrect file decryption using OpenSSL aes-cbc mode

-

- The OpenSSL EVP aes-cbc mode did not decrypt files correctly, - because it expects to handle padding while the Go CryptoBlocks interface expects full blocks. - This issue has been fixed by disabling padding before executing EVP operations in OpenSSL. -

-
-

- (BZ#1979100) -

-
-
-
-
-
-

7.10. Identity Management

-
-
-
-
-

FreeRADIUS no longer incorrectly generating default certificates when the - bootstrap script is run

-

- A bootstrap script runs each time FreeRADIUS is started. Previously, this script generated new - testing certificates in the /etc/raddb/certs directory and as a - result, the FreeRADIUS server sometimes failed to start as these testing certificates were - invalid. For example, the certificates might have expired. With this update, the bootstrap - script checks the /etc/raddb/certs directory and if it contains any - testing or customer certificates, the script is not run and the FreeRADIUS server should start - correctly. -

-
-

- Note that the testing certificates are only for testing purposes during the configuration of - FreeRADIUS and should not be used in a real environment. The bootstrap script should be deleted once - the users' certificates are used. -

-

- (BZ#1954521) -

-
-

FreeRADIUS no longer fails to create a core dump file

-

- Previously, FreeRADIUS did not create a core dump file when allow_core_dumps was set to yes. - Consequently, no core dump files were created if any process failed. With this update, when you - set allow_core_dumps to yes, - FreeRADIUS now creates a core dump file if any process fails. -

-
-

- (BZ#1977572) -

-
-

SSSD correctly evaluates the default setting for the Kerberos keytab name - in /etc/krb5.conf

-

- Previously, if you defined a non-standard location for your krb5.keytab file, SSSD did not use this location and used the default - /etc/krb5.keytab location instead. As a result, when you tried to - log into the system, the login failed as the /etc/krb5.keytab - contained no entries. -

-
-

- With this update, SSSD now evaluates the default_keytab_name variable - in the /etc/krb5.conf and uses the location specified by this variable. - SSSD only uses the default /etc/krb5.keytab location if the default_keytab_name variable is not set. -

-

- (BZ#1737489) -

-
-

Running sudo commands no longer exports the KRB5CCNAME environment - variable

-

- Previously, after running sudo commands, the environment variable - KRB5CCNAME pointed to the Kerberos credential cache of the original - user, which might not be accessible to the target user. As a result Kerberos related operations - might fail as this cache is not accessible. With this update, running sudo commands no longer sets the KRB5CCNAME environment variable and the target user can use their - default Kerberos credential cache. -

-
-

- (BZ#1879869) -

-
-

Kerberos now only requests permitted encryption types

-

- Previously, RHEL did not apply permitted encryption types specified in the permitted_enctypes parameter in the /etc/krb5.conf file if the default_tgs_enctypes or default_tkt_enctypes parameters were not set. Consequently, Kerberos - clients were able to request deprecated cipher suites, such as RC4, which might cause other - processes to fail. With this update, RHEL applies the encryption types set in permitted_enctypes to the default encryption types as well, and - processes can only request permitted encryption types. -

-
-

- If you use Red Hat Identity Management (IdM) and want to set up a trust with Active Directory (AD), - note that the RC4 cipher suite, which is deprecated in RHEL 8, is the default encryption type for - users, services, and trusts between AD domains in an AD forest. You can use one of the following - options: -

-
- -
-

- (BZ#2005277) -

-
-

The replication session update speed is now enhanced

-

- Previously, when the changelog contained larger updates, the replication session started from - the beginning of the changelog. This slowed the session down. The using of a small buffer to - store the update from a changelog during the replication session caused this. With this update, - the replication session checks that the buffer is large enough to store the update at the - starting point. The replication session starts sending updates immediately. -

-
-

- (BZ#1898541) -

-
-

The database indexes created by plug-ins are now enabled

-

- Previously, when a server plug-in created its own database indexes, you had to enable those - indexes manually. With this update, the indexes are enabled immediately after creation by - default. -

-
-

- (BZ#1951020) -

-
-
-
-
-
-

7.11. Red Hat Enterprise Linux system roles

-
-
-
-
-

Role tasks no longer change when running the same output

-

- Previously, several of the role tasks would report as CHANGED when - running the same input once again, even if there were no changes. Consequently, the role was not - acting idempotent. To fix the issue, perform the following actions: -

-
-
-
    -
  • - Check if configuration variables change before applying them. You can use the option --check for this verification. -
  • -
  • - Do not add a Last Modified: $date header to the configuration - file. -
  • -
-
-

- As a result, the role tasks are idempotent. -

-

- (BZ#1960375) -

-
-

relayhost parameter no longer incorrectly - defined in the Postfix documentation

-

- Previously, the relayhost parameter of the Postfix RHEL system role - was defined as relay_host in the doc /usr/share/doc/rhel-system-roles/postfix/README.md documentation - provided by rhel-system-roles. This update fixes the issue and the - relayhost parameter is now correctly defined in the Postfix documentation. -

-
-

- (BZ#1866544) -

-
-

Postfix RHEL system role README.md no longer - missing variables under the "Role Variables" section

-

- Previously, the Postfix RHEL system role variables, such as postfix_check, postfix_backup, postfix_backup_multiple were not available under the "Role Variables" - section. Consequently, users were not able to consult the Postfix role documentation. This - update adds role variable documentation to the Postfix README - section. The role variables are documented and available for users in the doc/usr/share/doc/rhel-system-roles/postfix/README.md documentation - provided by rhel-system-roles. -

-
-

- (BZ#1961858) -

-
-

Postfix role README no longer uses plain role - name

-

- Previously, the examples provided in the /usr/share/ansible/roles/rhel-system-roles.postfix/README.md used the - plain version of the role name, postfix, instead of using rhel-system-roles.postfix. Consequently, users would consult the - documentation and incorrectly use the plain role name instead of Full Qualified Role Name - (FQRN). This update fixes the issue, and the documentation contains examples with the FQRN, - rhel-system-roles.postfix, enabling users to correctly write - playbooks. -

-
-

- (BZ#1958963) -

-
-

The output log of timesync only reports - harmful errors

-

- Previously, the timesync RHEL system role used the ignore_errors directive with separate checking for task failure in - many tasks. Consequently, the output log of the successful role run was full of harmless errors. - The users were safe to ignore those errors, but still they were distressing to see. In this - update, the relevant tasks have been rewritten not to use ignore_errors. As a result, the output log is now clean, and only - role-stopping errors are reported. -

-
-

- (BZ#1938014) -

-
-

The requirements.txt file no longer missing in - the Ansible collection

-

- Previously, the requirements.txt file, responsible for specifying - the python dependencies, was missing in the Ansible collection. This fix adds the missing file - with the correct dependencies at the /usr/share/ansible/collections/ansible_collections/redhat/rhel_system_roles/requirements.tx - path. -

-
-

- (BZ#1954747) -

-
-

Traceback no longer observed when set type: partition for storage_pools

-

- Previously, when setting the variable type as partition for storage_pools in a - playbook, running this playbook would fail and indicate traceback. - This update fixes the issue and the Traceback error no longer - appears. -

-
-

- (BZ#1854187) -

-
-

SElinux role no longer perform unnecessary - reloads

-

- Previously, the SElinux role would not check if changes were - actually applied before reloading the SElinux policy. As a - consequence, the SElinux policy was being reloaded unnecessarily, - which had an impact on the system resources. With this fix, the SElinux role now uses ansible handlers and conditionals to ensure - that the policy is only reloaded if there is a change. As a result, the SElinux role runs much faster. -

-
-

- (BZ#1757869) -

-
-

sshd role no longer fails to start with the - installed sshd_config file on the RHEL6 host.

-

- Previously, when a managed node was running RHEL6, the version of OpenSSH did not support "Match - all" in the Match criteria, which was added by the install task. As a consequence, sshd failed to start with the installed sshd_config file on the RHEL6 host. This update fixes the issue by - replacing "Match all" with "Match address *" for the RHEL6 sshd_config configuration file, as the criteria is supported in the - version of OpenSSH. As a result, the sshd RHEL system role - successfully starts with the installed sshd_config file on the - RHEL6 host. -

-
-

- (BZ#1990947) -

-
-

The SSHD role name in README.md examples no - longer incorrect

-

- Previously, in the sshd README.md file, the examples reference - calling the role with the willshersystems.sshd name. This update - fixes the issue, and now the example references correctly refers to the role as - "rhel_system_roles.sshd". -

-
-

- (BZ#1952090) -

-
-

The key/certs source files are no longer - copied when tls is false -

-

- Previously, in the logging RHEL system role elasticsearch output, - if the key/certs source files path on the control host were - configured in the playbook, they would be copied to the managed hosts, even if tls was set to false. Consequently, if - the key/cert file paths were configured and tls was set to false, the command would - fail, because the copy source files did not exist. This update fixes the issue, and copying the - key/certs is executed only when the tls param is set to true. -

-
-

- (BZ#1994580) -

-
-

Task to enable logging for targeted hosts in the metric role now works

-

- Previously, a bug in the metric RHEL system role prevented - referring to targeted hosts in the enabling the performance metric logging task. Consequently, the - control file for performance metric logging was not generated. This update fixes the issue, and - now the targeted hosts are correctly referred to. As a result, the control file is successfully - created, enabling the performance metric logging execution. -

-
-

- (BZ#1967335) -

-
-

sshd_hostkey_group and sshd_hostkey_mode variables now configurable in the - playbook

-

- Previously, the sshd_hostkey_group and sshd_hostkey_mode variables were unintentionally defined in both - defaults and vars files. Consequently, - users were unable to configure those variables in the playbook. With this fix, the sshd_hostkey_group is renamed to __sshd_hostkey_group and sshd_hostkey_mode to __sshd_hostkey_mode - for defining the constant value in the vars files. In the default file, sshd_hostkey_group is set - to __sshd_hostkey_group and sshd_hostkey_mode to __sshd_hostkey_mode. As a result, users can now configure the sshd_hostkey_group and sshd_hostkey_mode - variables in the playbook. -

-
-

- (BZ#1966711) -

-
-

RHEL system roles internal links in README.md - are no longer broken

-

- Previously, the internal links available in the README.md files - were broken. Consequently, if a user clicked a specific section documentation link, it would not - redirect users to the specific README.md section. This update fixes - the issue and now the internal links point users to the correct section. -

-
-

- (BZ#1962976) -

-
-
-
-
-
-

7.12. RHEL in cloud environments

-
-
-
-
-

nm-cloud-setup utility now sets the correct - default route on Microsoft Azure

-

- Previously, on Microsoft Azure, the nm-cloud-setup utility failed - to detect the correct gateway of the cloud environment. As a consequence, the utility set an - incorrect default route, and connectivity failed. This update fixes the problem. As a result, - nm-cloud-setup utility now sets the correct default route on - Microsoft Azure. -

-
-

- (BZ#1912236) -

-
-

SSH keys are now generated correctly on EC2 instances created from a backup - AMI

-

- Previously, when creating a new Amazon EC2 instance of RHEL 8 from a backup Amazon Machine Image - (AMI), cloud-init deleted existing SSH keys on the VM but did not - create new ones. Consequently, the VM in some cases could not connect to the host. -

-
-

- This problem has been fixed for newly created RHEL 8.5 VMs. For VMs that were upgraded from RHEL 8.4 - or earlier, you must work around the issue manually. -

-

- To do so, edit the cloud.cfg file and changing the ssh_genkeytypes: ~ line to ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']. This makes it possible for - SSH keys to be deleted and generated correctly when provisioning a RHEL 8 VM in the described - circumstances. -

-

- (BZ#1957532) -

-
-

RHEL 8 running on AWS ARM64 instances can now reach the specified network - speed

-

- When using RHEL 8 as a guest operating system in a virtual machine (VM) that runs on an Amazon - Web Services (AWS) ARM64 instance, the VM previously had lower than expected network performance - when the iommu.strict=1 kernel parameter was used or when no iommu.strict parameter was defined. -

-
-

- This problem no longer occurs in RHEL 8.5 Amazon Machine Images (AMIs) provided by Red Hat. In other - types of images, you can work around the issue by changing the parameter to iommu.strict=0. This includes: -

-
-
    -
  • - RHEL 8.4 and earlier images -
  • -
  • - RHEL 8.5 images upgraded from an earlier version using yum update -
  • -
  • - RHEL 8.5 images not provided by Red Hat -
  • -
-
-

- (BZ#1836058) -

-
-

Core dumping RHEL 8 virtual machines to a remote machine on Azure now works - more reliably

-

- Previously, using the kdump utility to save the core dump file of a - RHEL 8 virtual machine (VM) on a Microsoft Azure hypervisor to a remote machine did not work - correctly when the VM was using a NIC with enabled accelerated networking. As a consequence, the - dump file was saved after approximately 200 seconds, instead of immediately. In addition, the - following error message was logged on the console before the dump file is saved. -

-
-
device (eth0): linklocal6: DAD failed for an EUI-64 address
-

- With this update, the underlying code has been fixed, and in the described circumstances, dump files - are now saved immediately. -

-

- (BZ#1854037) -

-
-

Hibernating RHEL 8 guests now works correctly when FIPS mode is - enabled

-

- Previously, it was not possible to hibernate a virtual machine (VM) that was using RHEL 8 as its - guest operating system if the VM was using FIPS mode. The underlying code has been fixed and the - affected VMs can now hibernate correctly. -

-
-

- (BZ#1934033, BZ#1944636) -

-
-
-
-
-
-

7.13. Containers

-
-
-
-
-

UBI 9-Beta containers can run on RHEL 7 and 8 hosts

-

- Previously, the UBI 9-Beta container images had an incorrect seccomp profile set in the containers-common package. As a consequence, containers were not able - to deal with certain system calls causing a failure. With this update, the problem has been - fixed. -

-
-

- (BZ#2019901) -

-
-
-
-
-
-
-

Chapter 8. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.5. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

8.1. Shells and command-line tools

-
-
-
-
-

ReaR available on the 64-bit IBM Z architecture as a Technology - Preview

-

- Basic Relax and Recover (ReaR) functionality is now available on the 64-bit IBM Z architecture - as a Technology Preview. You can create a ReaR rescue image on IBM Z only in the z/VM - environment. Backing up and recovering logical partitions (LPARs) has not been tested. -

-
-

- The only output method currently available is Initial Program Load (IPL). IPL produces a kernel and - an initial ramdisk (initrd) that can be used with the zIPL bootloader. -

-

- For more information, see Using - a ReaR rescue image on the 64-bit IBM Z architecture. -

-

- (BZ#1868421) -

-
-
-
-
-
-

8.2. Networking

-
-
-
-
-

KTLS available as a Technology Preview

-

- RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS - records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM - cipher. KTLS also provides the interface for offloading TLS record encryption to Network - Interface Controllers (NICs) that support this functionality. -

-
-

- (BZ#1570255) -

-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It - accompanies XDP and grants efficient redirection of - programmatically selected packets to user space applications for further processing. -

-
-

- (BZ#1633143) -

-
-

XDP features that are available as Technology Preview

-

- Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported - Technology Preview: -

-
-
-
    -
  • - Loading XDP programs on architectures other than AMD and Intel 64-bit. Note that the libxdp library is not available for architectures other than AMD - and Intel 64-bit. -
  • -
  • - The XDP hardware offloading. -
  • -
-
-

- (BZ#1889737) -

-
-

Multi-protocol Label Switching for TC available as a Technology - Preview

-

- The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route - traffic flow across enterprise networks. In an MPLS network, the router that receives packets - decides the further route of the packets based on the labels attached to the packet. With the - usage of labels, the MPLS network has the ability to handle packets with particular - characteristics. For example, you can add tc filters for managing - packets received from specific ports or carrying specific types of traffic, in a consistent way. -

-
-

- After packets enter the enterprise network, MPLS routers perform multiple operations on the packets, - such as push to add a label, swap to - update a label, and pop to remove a label. MPLS allows defining actions - locally based on one or multiple labels in RHEL. You can configure routers and set traffic control - (tc) filters to take appropriate actions on the packets based on the - MPLS label stack entry (lse) elements, such as label, traffic class, bottom of stack, and time to live. -

-

- For example, the following command adds a filter to the enp0s1 network interface to match incoming packets having the - first label 12323 and the second label 45832. On matching packets, the following actions are taken: -

-
-
    -
  • - the first MPLS TTL is decremented (packet is dropped if TTL reaches 0) -
  • -
  • - the first MPLS label is changed to 549386 -
  • -
  • -

    - the resulting packet is transmitted over enp0s2, - with destination MAC address 00:00:5E:00:53:01 - and source MAC address 00:00:5E:00:53:02 -

    -
    # tc filter add dev enp0s1 ingress protocol mpls_uc flower mpls lse depth 1 label 12323 lse depth 2 label 45832 \
    -action mpls dec_ttl pipe \
    -action mpls modify label 549386 pipe \
    -action pedit ex munge eth dst set 00:00:5E:00:53:01 pipe \
    -action pedit ex munge eth src set 00:00:5E:00:53:02 pipe \
    -action mirred egress redirect dev enp0s2
    -
  • -
-
-

- (BZ#1814836, BZ#1856415) -

-
-

act_mpls module available as a Technology - Preview

-

- The act_mpls module is now available in the kernel-modules-extra rpm as a Technology Preview. The module allows - the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control (TC) - filters, for example, push and pop MPLS label stack entries with TC filters. The module also - allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set - independently. -

-
-

- (BZ#1839311) -

-
-

The systemd-resolved service is now available - as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, an Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- (BZ#1906489) -

-
-

The nispor package is now available as a - Technology Preview

-

- The nispor package is now available as a Technology Preview, which - is a unified interface for Linux network state querying. It provides a unified way to query all - running network status through the python and C api, and rust crate. nispor works as the dependency in the nmstate tool. -

-
-

- You can install the nispor package as a dependency of nmstate or as an individual package. -

-
-
    -
  • -

    - To install nispor as an individual package, enter: -

    -
    # yum install nispor
    -
  • -
  • -

    - To install nispor as a dependency of nmstate, enter: -

    -
    # yum install nmstate
    -

    - nispor is listed as the dependency. -

    -
  • -
-
-

- For more information on using nispor, refer to /usr/share/doc/nispor/README.md file. -

-

- (BZ#1848817) -

-
-
-
-
-
-

8.3. Kernel

-
-
-
-
-

The kexec fast reboot feature is available as Technology Preview -

-

- The kexec fast reboot feature continues to be available as a - Technology Preview. kexec fast reboot significantly speeds the boot - process by allowing the kernel to boot directly into the second kernel without passing through - the Basic Input/Output System (BIOS) first. To use this feature: -

-
-
-
    -
  1. - Load the kexec kernel manually. -
  2. -
  3. - Reboot the operating system. -
  4. -
-
-

- (BZ#1769727) -

-
-

The accel-config package available as a - Technology Preview

-

- The accel-config package is now available on Intel EM64T and AMD64 architectures as a - Technology Preview. This package helps in controlling and configuring data-streaming accelerator - (DSA) sub-system in the Linux Kernel. Also, it configures devices via sysfs (pseudo-filesystem), saves and loads the configuration in the - json format. -

-
-

- (BZ#1843266) -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially supports SGX v1 and v1.5. The version 1 enables platforms using the Flexible Launch Control mechanism to use the - SGX technology. -

-
-

- (BZ#1660337) -

-
-

eBPF available as a - Technology Preview

-

- Extended Berkeley Packet Filter (eBPF) is an - in-kernel virtual machine that allows code execution in the kernel space, in the restricted - sandbox environment with access to a limited set of functions. -

-
-

- The virtual machine includes a new system call bpf(), which supports - creating various types of maps, and also allows to load programs in a special assembly-like code. - The code is then loaded to the kernel and translated to the native machine code with just-in-time - compilation. Note that the bpf() syscall can be successfully used only - by a user with the CAP_SYS_ADMIN capability, such as the root user. See - the bpf(2) manual page for more information. -

-

- The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet - reception) to receive and process data. -

-

- There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a - different development phase, and thus not all components are currently fully supported. All - components are available as a Technology Preview, unless a specific component is indicated as - supported. -

-

- The following notable eBPF components are - currently available as a Technology Preview: -

-
-
    -
  • - bpftrace, a high-level tracing language that utilizes the eBPF virtual machine. -
  • -
  • - AF_XDP, a socket for connecting the eXpress Data Path (XDP) path to user space - for applications that prioritize packet processing performance. -
  • -
-
-

- (BZ#1559616) -

-
-

The Intel data streaming accelerator driver for kernel is available as a - Technology Preview

-

- The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a - Technology Preview. It is an Intel CPU integrated accelerator and supports a shared work queue - with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- (BZ#1837187) -

-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol which - implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which supports - two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL - 8. -

-
-

- (BZ#1605216) -

-
-

The stmmac driver is available as a Technology - Preview

-

- Red Hat provides the usage of stmmac for Intel® Elkhart Lake - systems on a chip (SoCs) as an unsupported Technology Preview. -

-
-

- (BZ#1905243) -

-
-
-
-
-
-

8.4. File systems and storage

-
-
-
-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8, file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address space. To - use DAX, a system must have some form of persistent memory available, usually in the form of one - or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX - must be created on the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap of a - file on the dax-mounted file system results in a direct mapping of storage into the - application’s address space. -

-
-

- (BZ#1627455) -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top of - another. Changes are recorded in the upper file system, while the lower file system remains - unmodified. This allows multiple users to share a file-system image, such as a container or a - DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings - when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other specialized - use cases, such as squashed kdump initramfs. Its use is - supported primarily for container COW content, not for persistent storage. You must place - any persistent storage on non-OverlayFS volumes. You can use only the default container - engine configuration: one level of overlay, one lowerdir, and both lower and upper levels - are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might change - in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped with - MAP_SHARED are inconsistent with subsequent - modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on RHEL - 8, but you can enable full POSIX compliance for them with a module option or - mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and index=on options to improve POSIX compliance. - These two options make the format of the upper layer incompatible with an - overlay without these options. That is, you might get unexpected results or - errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, use - the following command and see if the ftype=1 option is - enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel - documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- (BZ#1690207) -

-
-

Stratis is now available as a Technology Preview

-

- Stratis is a new local storage manager. It provides managed file systems on top of pools of - storage with additional features to the user. -

-
-

- Stratis enables you to more easily perform storage tasks such as: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- RHEL 8.3 updated Stratis to version 2.1.0. For more information, see Stratis 2.1.0 Release - Notes. -

-

- (JIRA:RHELPLAN-1212) -

-
-

Setting up a Samba server on an IdM domain member is provided as a - Technology Preview

-

- With this update, you can now set up a Samba server on an Identity Management (IdM) domain - member. The new ipa-client-samba utility provided by the same-named - package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For - example, the utility creates the /etc/samba/smb.conf with the ID - mapping configuration for the sss ID mapping back end. As a result, - administrators can now set up Samba on an IdM domain member. -

-
-

- Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts - cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support - resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) - protocols. As a consequence, AD users can only access the Samba shares and printers from IdM - clients. -

-

- For details, see Setting - up Samba on an IdM domain member. -

-

- (JIRA:RHELPLAN-13195) -

-
-

NVMe/TCP is available as a Technology Preview

-

- Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) - and its corresponding nvme-tcp.ko and nvmet-tcp.ko kernel modules have been added as a Technology Preview. -

-
-

- The use of NVMe/TCP as either a storage client or a target is manageable with tools provided by the - nvme-cli and nvmetcli packages. -

-

- The NVMe/TCP target Technology Preview is included only for testing purposes and is not currently - planned for full support. -

-

- (BZ#1696451) -

-
-
-
-
-
-

8.5. High availability and clusters

-
-
-
-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on Podman, with the container bundle feature being available - as a Technology Preview. There is one exception to this feature being Technology Preview: Red - Hat fully supports the use of Pacemaker bundles for Red Hat Openstack. -

-
-

- (BZ#1619620) -

-
-

Heuristics in corosync-qdevice available as a - Technology Preview

-

- Heuristics are a set of commands executed locally on startup, cluster membership change, - successful connect to corosync-qnetd, and, optionally, on a - periodic basis. When all commands finish successfully on time (their return error code is zero), - heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which - partition should be quorate. -

-
-

- (BZ#1784200) -

-
-

New fence-agents-heuristics-ping fence - agent

-

- As a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agent aims to open a class of - experimental fence agents that do no actual fencing by themselves but instead exploit the - behavior of fencing levels in a new way. -

-
-

- If the heuristics agent is configured on the same fencing level as the fence agent that does the - actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the - agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to - succeed, causing Pacemaker fencing to skip the step of issuing the off - action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent - the agent that does the actual fencing from fencing a node under certain conditions. -

-

- A user might want to use this agent, especially in a two-node cluster, when it would not make sense - for a node to fence the peer if it can know beforehand that it would not be able to take over the - services properly. For example, it might not make sense for a node to take over services if it has - problems reaching the networking uplink, making the services unreachable to clients, a situation - which a ping to a router might detect in that case. -

-

- (BZ#1775847) -

-
-

Automatic removal of location constraint following resource move available - as a Technology Preview

-

- When you execute the pcs resource move command, this adds a - constraint to the resource to prevent it from running on the node on which it is currently - running. A new --autodelete option for the pcs resource move command is now available as a Technology Preview. - When you specify this option, the location constraint that the command creates is automatically - removed once the resource has been moved. -

-
-

- (BZ#1847102) -

-
-
-
-
-
-

8.6. Identity Management

-
-
-
-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- (BZ#1664719) -

-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now support DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

- -

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- (BZ#1664718) -

-
-

ACME available as a Technology Preview

-

- The Automated Certificate Management Environment (ACME) service is now available in Identity - Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation - and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and - avoiding manual processes from certificate lifecycle management. -

-
-

- In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS - ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM - deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity - period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire - IdM deployment. -

-
-
Important
-
-

- It is recommended to enable ACME only in an IdM deployment where all servers are running - RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause - problems in mixed-version deployments. For example, a CA server without ACME can cause - client connections to fail, because it uses a different DNS Subject Alternative Name (SAN). -

-
-
-
-
Warning
-
-

- Currently, RHCS does not remove expired certificates. Because ACME certificates expire after - 90 days, the expired certificates can accumulate and this can affect performance. -

-
-
-
-
    -
  • -

    - To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command: -

    -
    # ipa-acme-manage enable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command: -

    -
    # ipa-acme-manage disable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To check whether the ACME service is installed and if it is enabled or disabled, use the - ipa-acme-manage status command: -

    -
    # ipa-acme-manage status
    -ACME is enabled
    -The ipa-acme-manage command was successful
    -
  • -
-
-

- (JIRA:RHELPLAN-58596) -

-
-
-
-
-
-

8.7. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is now available for the 64-bit ARM architecture as a Technology - Preview. This enables administrators to configure and manage servers from a graphical user - interface (GUI) remotely, using the VNC session. -

-
-

- As a consequence, new administration applications are available on the 64-bit ARM architecture. For - example: Disk Usage Analyzer (baobab), Firewall - Configuration (firewall-config), Red Hat Subscription Manager (subscription-manager), or the Firefox web browser. Using Firefox, administrators can connect to the local - Cockpit daemon remotely. -

-

- (JIRA:RHELPLAN-27394, BZ#1667225, BZ#1667516, BZ#1724302) -

-
-

GNOME desktop on IBM Z is available as a Technology Preview

-

- The GNOME desktop, including the Firefox web browser, is now available as a Technology Preview - on the IBM Z architecture. You can now connect to a remote graphical session running GNOME using - VNC to configure and manage your IBM Z servers. -

-
-

- (JIRA:RHELPLAN-27737) -

-
-
-
-
-
-

8.8. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available - as a Technology Preview. Note that the rest of the graphics stack is currently unverified for - the 64-bit ARM architecture. -

-
-

- (BZ#1698565) -

-
-
-
-
-
-

8.9. Red Hat Enterprise Linux system roles

-
-
-
-
-

HA Cluster RHEL system role available as a Technology Preview

-

- The High Availability Cluster (HA Cluster) role is now available as a Technology Preview. - Currently, the following notable configurations are available: -

-
-
-
    -
  • - Configuring nodes, fence device, resources, resource groups, and resource clones including - meta attributes and resource operations -
  • -
  • - Configuring cluster properties -
  • -
  • - Configuring multi-link clusters -
  • -
  • - Configuring custom cluster names and node names -
  • -
  • - Configuring whether clusters start automatically on boot -
  • -
  • - Configuring a basic corosync cluster and pacemaker cluster properties, stonith and - resources. -
  • -
-
-

- The ha_cluster system role does not currently support constraints. - Running the role after constraints are configured manually will remove the constraints, as well as - any configuration not supported by the role. -

-

- The ha_cluster system role does not currently support SBD. -

-

- (BZ#1893743, BZ#1978726) -

-
-
-
-
-
-

8.10. Virtualization

-
-
-
-
-

AMD SEV and SEV-ES for KVM virtual machines

-

- As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts the VM’s memory to protect the VM from access by the host. This increases the security - of the VM. -

-
-

- In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology - Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host - from modifying the VM’s CPU registers or reading any information from them. -

-

- Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. - Also note that RHEL 8 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security - attestation. -

-

- (BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677) -

-
-

Intel vGPU

-

- As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. -

-

- In addition, it is possible to enable a VNC console operated by Intel vGPU. By enabling it, users - can connect to a VNC console of the VM and see the VM’s desktop hosted by Intel vGPU. However, this - currently only works for RHEL guest operating systems. -

-

- (BZ#1528684) -

-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on Intel, AMD64, and IBM Z systems hosts with RHEL 8. With this feature, a RHEL 7 or - RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs. -

-
-

- (JIRA:RHELPLAN-14047, JIRA:RHELPLAN-24437) -

-
-

Select Intel network adapters now support SR-IOV in RHEL guests on - Hyper-V

-

- As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V - hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network - adapters supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions - are met: -

-
-
-
    -
  • - SR-IOV support is enabled for the network interface controller (NIC) -
  • -
  • - SR-IOV support is enabled for the virtual NIC -
  • -
  • - SR-IOV support is enabled for the virtual switch -
  • -
  • - The virtual function (VF) from the NIC is attached to the virtual machine -
  • -
-
-

- The feature is currently supported with Microsoft Windows Server 2019 and 2016. -

-

- (BZ#1348508) -

-
-

ESXi hypervisor and SEV-ES available as a Technology Preview for RHEL - VMs

-

- As a Technology Preview, in RHEL 8.4 and later, you can enable the AMD Secure Encrypted - Virtualization-Encrypted State (SEV-ES) to secure RHEL virtual machines (VMs) on VMware’s ESXi - hypervisor, versions 7.0.2 and later. -

-
-

- (BZ#1904496) -

-
-

Sharing files between hosts and VMs using virtiofs

-

- As a Technology Preview, RHEL 8 now provides the virtio file system (virtiofs). Using virtiofs, you can - efficiently share files between your host system and its virtual machines (VM). -

-
-

- (BZ#1741615) -

-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines -

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a - Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel and AMD systems. In addition, nested - virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the following - Microsoft documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- (BZ#1519039) -

-
-
-
-
-
-

8.11. Containers

-
-
-
-
-

Toolbox is available as a Technology Preview

-

- Previously, the Toolbox utility was based on RHEL CoreOS github.com/coreos/toolbox. With this - release, Toolbox has been replaced with github.com/containers/toolbox. -

-
-

- (JIRA:RHELPLAN-77238) -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- (JIRA:RHELDOCS-16861) -

-
-
-
-
-
-
-

Chapter 9. Deprecated functionality

-
-
-
-

- This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8. -

-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

9.1. Installer and image creation

-
-
-
-
-

Several Kickstart commands and options have been deprecated

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in the - logs: -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still available - and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- (BZ#1642765) -

-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you modify - your Kickstart file to remove the option. -

-
-

- (BZ#1637872) -

-
-

The Kickstart autostep command has been - deprecated

-

- The autostep command has been deprecated. The related section about - this command has been removed from the RHEL - 8 documentation. -

-
-

- (BZ#1904251) -

-
-

The lorax-composer back end for Image Builder - is deprecated in RHEL 8

-

- The lorax-composer back end for Image Builder is considered - deprecated. It will only receive selected fixes for the rest of the Red Hat Enterprise Linux 8 - lifecycle and will be omitted from future major releases.  Red Hat recommends that you uninstall - lorax-composer and install the osbuild-composer back end instead. -

-
-

- See Composing - a customized RHEL system image for more details. -

-

- (BZ#1893767) -

-
-
-
-
-
-

9.2. Software management

-
-
-
-
-

rpmbuild --sign is deprecated

-

- With this update, the rpmbuild --sign command has become - deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in an - error. It is recommended that you use the rpmsign command instead. -

-
-

- (BZ#1688849) -

-
-
-
-
-
-

9.3. Shells and command-line tools

-
-
-
-
-

The OpenEXR component has been - deprecated

-

- The OpenEXR component has been deprecated. Hence, the support for - the EXR image format has been dropped from the imagecodecs module. -

-
-

- (BZ#1886310) -

-
-

The dump utility from the dump package has been deprecated

-

- The dump utility used for backup of file systems has been - deprecated and will not be available in RHEL 9. -

-
-

- In RHEL 9, Red Hat recommends using the bacula, tar or dd backup utility, based on type of - usage, which provides full and safe backups on ext2, ext3, and ext4 file systems. -

-

- Note that the restore utility from the dump package remains available and supported in RHEL 9 and is available - as the restore package. -

-

- (BZ#1997366) -

-
-

The hidepid=n mount option is not supported in - RHEL 8 systemd

-

- The mount option hidepid=n, which controls who can access - information in /proc/[pid] directories, is not compatible with - systemd infrastructure provided in RHEL 8. -

-
-

- In addition, using this option might cause certain services started by systemd to produce SELinux AVC denial messages and prevent other - operations from completing. -

-

- For more information, see the related Is mounting /proc with "hidepid=2" - recommended with RHEL7 and RHEL8?. -

-

- (BZ#2038929) -

-
-
-
-
-
-

9.4. Security

-
-
-
-
-

NSS SEED ciphers are deprecated

-

- The Mozilla Network Security Services (NSS) library will not - support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth - transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends - enabling support for other cipher suites. -

-
-

- Note that SEED ciphers are already disabled by default in RHEL. -

-

- (BZ#1817533) -

-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal - and the update-crypto-policies(8) man page. -

-

- (BZ#1660839) -

-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. - Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note - that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- (BZ#1646541) -

-
-

SSL2 Client Hello - has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and earlier - allow to start a negotiation with a Client Hello message formatted - in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature - may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- (BZ#1645153) -

-
-

TPM 1.2 is deprecated

-

- The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to version - 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible - with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next - major release. -

-
-

- (BZ#1657927) -

-
-

crypto-policies derived properties are now - deprecated

-

- With the introduction of scopes for crypto-policies directives in - custom policies, the following derived properties have been deprecated: tls_cipher, ssh_cipher, ssh_group, ike_protocol, and sha1_in_dnssec. Additionally, the use of the protocol property without specifying a scope is now deprecated as - well. See the crypto-policies(7) man page for recommended - replacements. -

-
-

- (BZ#2011208) -

-
-

Runtime disabling SELinux using /etc/selinux/config is now deprecated

-

- Runtime disabling SELinux using the SELINUX=disabled option in the - /etc/selinux/config file has been deprecated. In RHEL 9, when you - disable SELinux only through /etc/selinux/config, the system starts - with SELinux enabled but with no policy loaded. -

-
-

- If your scenario really requires to completely disable SELinux, Red Hat recommends disabling SELinux - by adding the selinux=0 parameter to the kernel command line as - described in the Changing - SELinux modes at boot time section of the Using - SELinux title. -

-

- (BZ#1932222) -

-
-

The ipa SELinux module removed from selinux-policy

-

- The ipa SELinux module has been removed from the selinux-policy package because it is no longer maintained. The - functionality is now included in the ipa-selinux subpackage. -

-
-

- If your scenario requires the use of types or interfaces from the ipa - module in a local SELinux policy, install the ipa-selinux package. -

-

- (BZ#1461914) -

-
-
-
-
-
-

9.5. Networking

-
-
-
-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by - default. The basic installation provides a new version of the ifup - and ifdown scripts which call the NetworkManager service through - the nmcli tool. In Red Hat Enterprise Linux - 8, to run the ifup and the ifdown - scripts, NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts - are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
~]# yum install network-scripts
-

- The ifup and ifdown scripts link to the - installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- (BZ#1647725) -

-
-

The dropwatch tool is deprecated

-

- The dropwatch tool has been deprecated. The tool will not be - supported in future releases, thus it is not recommended for new deployments. As a replacement - of this package, Red Hat recommends to use the perf - command line tool. -

-
-

- For more information on using the perf command line tool, - see the Getting - started with Perf section on the Red Hat customer portal or the perf man page. -

-

- (BZ#1929173) -

-
-

The cgdcbxd package is deprecated

-

- Control group data center bridging exchange daemon (cgdcbxd) is a - service to monitor data center bridging (DCB) netlink events and manage the net_prio control group subsystem. Starting with RHEL 8.5, the cgdcbxd package is deprecated and will be removed in the next major - RHEL release. -

-
-

- (BZ#2006665) -

-
-

The xinetd service has been - deprecated

-

- The xinetd service has been deprecated and will be removed in RHEL - 9. As a replacement, use systemd. For further details, see How to convert xinetd - service to systemd. -

-
-

- (BZ#2009113) -

-
-

The term slaves is deprecated in the nmstate API

-

- Red Hat is committed to using conscious language. Therefore the slaves term is deprecated in the Nmstate API. Use the term port when you use nmstatectl. -

-
-

- (JIRA:RHELDOCS-17641) -

-
-
-
-
-
-

9.6. Kernel

-
-
-
-
-

Kernel live patching now covers all RHEL minor releases

-

- Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of - RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important - Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently - covered kernels and use cases, the support window for each live patch will be decreased from 12 - to 6 months for every minor, major and zStream version of the kernel. It means that on the day a - kernel live patch is released, it will cover every minor release and scheduled errata kernel - delivered in the past 6 months. For example, 8.4.x will have a one-year support window, but - 8.4.x+1 will have 6 months. -

-
-

- For more information about this feature, see Applying - patches with kernel live patching. -

-

- For details about available kernel live patches, see Kernel Live Patch life cycles. -

-

- (BZ#1958250) -

-
-

Installing RHEL for Real Time 8 using diskless boot is now - deprecated

-

- Diskless booting allows multiple systems to share a root file system via the network. While - convenient, diskless boot is prone to introducing network latency in realtime workloads. With a - future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be - supported. -

-
-

- (BZ#1748980) -

-
-

The Linux firewire sub-system and its - associated user-space components are deprecated in RHEL 8

-

- The firewire sub-system provides interfaces to use and maintain any - resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer - be supported in the kernel package. Note that firewire contains several user-space components provided by the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as - well. -

-
-

- (BZ#1871863) -

-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is - a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is - available as an unsupported Technology Preview. However, due to stability issues, this feature - has been deprecated and will be removed in RHEL 9. -

-
-

- (BZ#1878207) -

-
-
-
-
-
-

9.7. File systems and storage

-
-
-
-
-

VDO write modes other than async are - deprecated

-

- VDO supports several write modes in RHEL 8: -

-
-
-
    -
  • - sync -
  • -
  • - async -
  • -
  • - async-unsafe -
  • -
  • - auto -
  • -
-
-

- Starting with RHEL 8.4, the following write modes are deprecated: -

-
-
-
sync
-
- Devices above the VDO layer cannot recognize if VDO is synchronous, and consequently, the - devices cannot take advantage of the VDO sync mode. -
-
async-unsafe
-
- VDO added this write mode as a workaround for the reduced performance of async mode, which complies to Atomicity, Consistency, Isolation, - and Durability (ACID). Red Hat does not recommend async-unsafe - for most use cases and is not aware of any users who rely on it. -
-
auto
-
- This write mode only selects one of the other write modes. It is no longer necessary when - VDO supports only a single write mode. -
-
-
-

- These write modes will be removed in a future major RHEL release. -

-

- The recommended VDO write mode is now async. -

-

- For more information on VDO write modes, see Selecting - a VDO write mode. -

-

- (JIRA:RHELPLAN-70700) -

-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. - This change affects only NFS version 3 because version 4 requires the Transmission Control - Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- (BZ#1592011) -

-
-

cramfs has been deprecated

-

- Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution. -

-
-

- (BZ#1794513) -

-
-

VDO manager has been deprecated

-

- The python-based VDO management software has been deprecated and will be removed from RHEL 9. In - RHEL 9, it will be replaced by the LVM-VDO integration. Therefore, it is recommended to create - VDO volumes using the lvcreate command. -

-
-

- The existing volumes created using the VDO management software can be converted using the /usr/sbin/lvm_import_vdo script, provided by the lvm2 package. For more information on the LVM-VDO implementation, see Introduction - to VDO on LVM. -

-

- (BZ#1949163) -

-
-

The elevator kernel command line parameter is - deprecated

-

- The elevator kernel command line parameter was used in earlier RHEL - releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is typically - the optimal setting. If you require a different scheduler, Red Hat recommends that you use udev rules or the Tuned service to configure it. Match the selected - devices and switch the scheduler only for those devices. -

-

- For more information, see Setting - the disk scheduler. -

-

- (BZ#1665295) -

-
-

LVM mirror is deprecated

-

- The LVM mirror segment type is now deprecated. Support for mirror will be removed in a future major release of RHEL. -

-
-

- Red Hat recommends that you use LVM RAID 1 devices with a segment type of raid1 instead of mirror. The raid1 segment type is the default RAID configuration type and replaces - mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 logical volume. -

-

- LVM mirror has several known issues. For details, see known - issues in file systems and storage. -

-

- (BZ#1827628) -

-
-

peripety is deprecated

-

- The peripety package is deprecated since RHEL 8.3. -

-
-

- The Peripety storage event notification daemon parses system storage logs into structured storage - events. It helps you investigate storage issues. -

-

- (BZ#1871953) -

-
-
-
-
-
-

9.8. High availability and clusters

-
-
-
-
-

pcs commands that support the clufter tool have been deprecated

-

- The pcs commands that support the clufter tool for analyzing cluster configuration formats have been - deprecated. These commands now print a warning that the command has been deprecated and sections - related to these commands have been removed from the pcs help - display and the pcs(8) man page. -

-
-

- The following commands have been deprecated: -

-
-
    -
  • - pcs config import-cman for importing CMAN / RHEL6 HA cluster - configuration -
  • -
  • - pcs config export for exporting cluster configuration to a list - of pcs commands which recreate the same cluster -
  • -
-
-

- (BZ#1851335) -

-
-
-
-
-
-

9.9. Compilers and development tools

-
-
-
-
-

libdwarf has been deprecated

-

- The libdwarf library has been deprecated in RHEL 8. The library - will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for - applications that wish to process ELF/DWARF files. -

-
-

- Alternatives for the libdwarf-tools dwarfdump program are the binutils readelf program or the elfutils eu-readelf program, both used by passing the --debug-dump flag. -

-

- (BZ#1920624) -

-
-

The gdb.i686 packages are deprecated -

-

- In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another - package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions - of GDB, gdb.x86_64, are fully capable of debugging 32-bit - applications. -

-
-

- If you use gdb.i686, note the following important issues: -

-
-
    -
  • - The gdb.i686 packages will no longer be updated. Users must - install gdb.x86_64 instead. -
  • -
  • - If you have gdb.i686 installed, installing gdb.x86_64 will cause dnf to report - package gdb-8.2-14.el8.x86_64 obsoletes gdb < 8.2-14.el8 provided by gdb-8.2-12.el8.i686. - This is expected. Either uninstall gdb.i686 or pass dnf the --allowerasing option to - remove gdb.i686 and install gdb.x8_64. -
  • -
  • - Users will no longer be able to install the gdb.i686 packages - on 64-bit systems, that is, those with the libc.so.6()(64-bit) - packages. -
  • -
-
-

- (BZ#1853140) -

-
-
-
-
-
-

9.10. Identity Management

-
-
-
-
-

openssh-ldap has been deprecated

-

- The openssh-ldap subpackage has been deprecated in Red Hat - Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat - recommends using SSSD and the sss_ssh_authorizedkeys helper, which - integrate better with other IdM solutions and are more secure. -

-
-

- By default, the SSSD ldap and ipa - providers read the sshPublicKey LDAP attribute of the user object, if - available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from - Active Directory (AD), since AD does not have a default LDAP attribute to store a public key. -

-

- To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, - enable the ssh responder by adding ssh to - the services option in the sssd.conf file. - See the sssd.conf(5) man page for details. -

-

- To allow sshd to use sss_ssh_authorizedkeys, add the AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page. -

-

- (BZ#1871025) -

-
-

DES and 3DES encryption types have been removed

-

- Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and - disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) - and triple-DES (3DES) encryption types have been removed from RHEL 8. -

-
-

- If you have configured services or users to only use DES or 3DES encryption, you might experience - service interruptions such as: -

-
-
    -
  • - Kerberos authentication errors -
  • -
  • - unknown enctype encryption errors -
  • -
  • - Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (K/M) fail to start -
  • -
-
-

- Perform the following actions to prepare for the upgrade: -

-
-
    -
  1. - Check if your KDC uses DES or 3DES encryption with the krb5check open source Python scripts. See krb5check on GitHub. -
  2. -
  3. - If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a - supported encryption type, such as Advanced Encryption Standard (AES). For instructions on - re-keying, see Retiring - DES from MIT Kerberos Documentation. -
  4. -
  5. -

    - Test independence from DES and 3DES by temporarily setting the following Kerberos - options before upgrading: -

    -
    -
      -
    1. - In /var/kerberos/krb5kdc/kdc.conf on the KDC, set - supported_enctypes and do not include des or des3. -
    2. -
    3. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set allow_weak_crypto to false. It is false by default. -
    4. -
    5. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set permitted_enctypes, default_tgs_enctypes, and default_tkt_enctypes, and do not include des or des3. -
    6. -
    -
    -
  6. -
  7. - If you do not experience any service interruptions with the test Kerberos settings from the - previous step, remove them and upgrade. You do not need those settings after upgrading to - the latest Kerberos packages. -
  8. -
-
-

- (BZ#1877991) -

-
-

Standalone use of the ctdb service has been - deprecated

-

- Since RHEL 8.4, customers are advised to use the ctdb clustered - Samba service only when both of the following conditions apply: -

-
-
-
    -
  • - The ctdb service is managed as a pacemaker resource with the resource-agent ctdb. -
  • -
  • - The ctdb service uses storage volumes that contain either a - GlusterFS file system provided by the Red Hat Gluster Storage product or a GFS2 file system. -
  • -
-
-

- The stand-alone use case of the ctdb service has been deprecated and - will not be included in a next major release of Red Hat Enterprise Linux. For further information on - support policies for Samba, see the Knowledgebase article Support Policies for RHEL Resilient Storage - - ctdb General Policies. -

-

- (BZ#1916296) -

-
-

Indirect AD integration with IdM via WinSync has been deprecated -

-

- WinSync is no longer actively developed in RHEL 8 due to several functional limitations: -

-
-
-
    -
  • - WinSync supports only one Active Directory (AD) domain. -
  • -
  • - Password synchronization requires installing additional software on AD Domain Controllers. -
  • -
-
-

- For a more robust solution with better resource and security separation, Red Hat recommends using a - cross-forest trust for indirect integration with - Active Directory. See the Indirect - integration documentation. -

-

- (JIRA:RHELPLAN-100400) -

-
-

Running Samba as a PDC or BDC is deprecated

-

- The classic domain controller mode that enabled administrators to run Samba as an NT4-like - primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and - settings to configure these modes will be removed in a future Samba release. -

-
-

- As long as the Samba version in RHEL 8 provides the PDC and BDC modes, Red Hat supports these modes - only in existing installations with Windows versions which support NT4 domains. Red Hat recommends - not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and - Windows Server 2008 R2 do not support NT4 domains. -

-

- If you use the PDC to authenticate only Linux users, Red Hat suggests migrating to Red Hat Identity Management - (IdM) that is included in RHEL subscriptions. However, you cannot join Windows systems to an - IdM domain. Note that Red Hat continues supporting the PDC functionality IdM uses in the background. -

-

- Red Hat does not support running Samba as an AD domain controller (DC). -

-

- (BZ#1926114) -

-
-

The SSSD version of libwbclient has been - removed

-

- The SSSD implementation of the libwbclient package was deprecated - in RHEL 8.4. As it cannot be used with recent versions of Samba, the SSSD implementation of - libwbclient has now been removed. -

-
-

- (BZ#1947671) -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- Jira:RHELDOCS-16612 -

-
-
-
-
-
-

9.11. Desktop

-
-
-
-
-

The libgnome-keyring library has been - deprecated

-

- The libgnome-keyring library has been deprecated in favor of the - libsecret library, as libgnome-keyring - is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. - The new libsecret library is the replacement that follows the - necessary security standards. -

-
-

- (BZ#1607766) -

-
-
-
-
-
-

9.12. Graphics infrastructures

-
-
-
-
-

AGP graphics cards are no longer supported

-

- Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat - Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement. -

-
-

- (BZ#1569610) -

-
-

Motif is deprecated

-

- The Motif widget toolkit is now deprecated. Development in the upstream Motif community is - inactive. -

-
-

- The following Motif packages are deprecated, including their development and debugging variants: -

-
-
    -
  • - motif -
  • -
  • - motif-static -
  • -
  • - openmotif -
  • -
  • - openmotif21 -
  • -
  • - openmotif22 -
  • -
-
-

- Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new - features compared to Motif. -

-

- (JIRA:RHELPLAN-98983) -

-
-
-
-
-
-

9.13. The web console

-
-
-
-
-

The web console no longer supports incomplete translations

-

- The RHEL web console no longer provides translations for languages that have translations - available for less than 50 % of the Console’s translatable strings. If the browser requests - translation to such a language, the user interface will be in English instead. -

-
-

- (BZ#1666722) -

-
-
-
-
-
-

9.14. Red Hat Enterprise Linux System Roles

-
-
-
-
-

The geoipupdate package has been - deprecated

-

- The geoipupdate package requires a third-party subscription and it - also downloads proprietary content. Therefore, the geoipupdate - package has been deprecated, and will be removed in the next major RHEL version. -

-
-

- (BZ#1874892) -

-
-
-
-
-
-

9.15. Virtualization

-
-
-
-
-

SPICE has been deprecated

-

- The SPICE remote display protocol has become deprecated. As a result, SPICE will remain - supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display - streaming: -

-
-
-
    -
  • - For remote console access, use the VNC protocol. -
  • -
  • - For advanced remote display functions, use third party tools such as RDP, HP RGS, or - Mechdyne TGX. -
  • -
-
-

- Note that the QXL graphics device, which is used - by SPICE, has become deprecated as well. -

-

- (BZ#1849563) -

-
-

virsh iface-* commands have become - deprecated

-

- The virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, are now deprecated, and will be removed in a - future major version of RHEL. In addition, these commands frequently fail due to configuration - dependencies. -

-
-

- Therefore, it is recommended not to use virsh iface-* commands for - configuring and managing host network connections. Instead, use the NetworkManager program and its - related management applications, such as nmcli. -

-

- (BZ#1664592) -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager may not be yet - available in the RHEL web console. -

-
-

- (JIRA:RHELPLAN-10304) -

-
-

Virtual machine snapshots are not properly supported in RHEL 8

-

- The current mechanism of creating virtual machine (VM) snapshots has been deprecated, as it is - not working reliably. As a consequence, it is recommended not to use VM snapshots in RHEL 8. -

-
-

- (BZ#1686057) -

-
-

The Cirrus VGA virtual - GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA. -

-
-

- (BZ#1651994) -

-
-

KVM on IBM POWER has been deprecated

-

- Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM - POWER is still supported in RHEL 8, but will become unsupported in a future major release of - RHEL. -

-
-

- (JIRA:RHELPLAN-71200) -

-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. Instead, Red Hat recommends using signatures based on the - SHA2 algorithm, or later. -

-
-

- (BZ#1935497) -

-
-
-
-
-
-

9.16. Supportability

-
-
-
-
-

The -s split option is no longer supported - with the -f option

-

- When providing files to Red Hat Support by uploading them to Red Hat Secure FTP, you can run the redhat-support-tool addattachment -f command. Due to infrastructure - changes, however, you can no longer use the -s option with this - command for splitting big files into parts and uploading them to Red Hat Secure FTP. -

-
-

- (BZ#2013335) -

-
-

The redhat-support-tool diagnose <file_or_directory> command - has been deprecated

-

- The Red Hat Support Tool no longer supports the redhat-support-tool diagnose <file_or_directory> command - previously used for advanced diagnostic services for files or directories. The redhat-support-tool diagnose command continues to support the plain - text analysis. -

-
-

- (BZ#2019786) -

-
-
-
-
-
-

9.17. Containers

-
-
-
-
-

The Podman varlink-based API v1.0 has been removed

-

- The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 - introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API - v1.0 has been completely removed. -

-
-

- (JIRA:RHELPLAN-45858) -

-
-

container-tools:1.0 has been - deprecated

-

- The container-tools:1.0 module has been deprecated and will no - longer receive security updates. It is recommended to use a newer supported stable module - stream, such as container-tools:2.0 or container-tools:3.0. -

-
-

- (JIRA:RHELPLAN-59825) -

-
-
-
-
-
-

9.18. Deprecated packages

-
-
-
-

- This section lists packages that have been deprecated and will probably not be included in a future - major release of Red Hat Enterprise Linux. -

-

- For changes to packages between RHEL 7 and RHEL 8, see Changes - to packages in the Considerations in adopting RHEL 8 - document. -

-

- The following packages have been deprecated and remain supported until the end of life of RHEL 8: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - adobe-source-sans-pro-fonts -
  • -
  • - adwaita-qt -
  • -
  • - amanda -
  • -
  • - amanda-client -
  • -
  • - amanda-libs -
  • -
  • - amanda-server -
  • -
  • - ant-contrib -
  • -
  • - antlr3 -
  • -
  • - antlr32 -
  • -
  • - aopalliance -
  • -
  • - apache-commons-collections -
  • -
  • - apache-commons-compress -
  • -
  • - apache-commons-exec -
  • -
  • - apache-commons-jxpath -
  • -
  • - apache-commons-parent -
  • -
  • - apache-ivy -
  • -
  • - apache-parent -
  • -
  • - apache-resource-bundles -
  • -
  • - apache-sshd -
  • -
  • - apiguardian -
  • -
  • - assertj-core -
  • -
  • - authd -
  • -
  • - auto -
  • -
  • - autoconf213 -
  • -
  • - autogen -
  • -
  • - base64coder -
  • -
  • - batik -
  • -
  • - bea-stax -
  • -
  • - bea-stax-api -
  • -
  • - bind-sdb -
  • -
  • - bouncycastle -
  • -
  • - bsh -
  • -
  • - buildnumber-maven-plugin -
  • -
  • - byaccj -
  • -
  • - cal10n -
  • -
  • - cbi-plugins -
  • -
  • - cdparanoia -
  • -
  • - cdparanoia-devel -
  • -
  • - cdparanoia-libs -
  • -
  • - cdrdao -
  • -
  • - cmirror -
  • -
  • - codehaus-parent -
  • -
  • - codemodel -
  • -
  • - compat-exiv2-026 -
  • -
  • - compat-guile18 -
  • -
  • - compat-libpthread-nonshared -
  • -
  • - compat-openssl10 -
  • -
  • - compat-sap-c++-10 -
  • -
  • - createrepo_c-devel -
  • -
  • - ctags -
  • -
  • - ctags-etags -
  • -
  • - custodia -
  • -
  • - dbus-c++ -
  • -
  • - dbus-c++-devel -
  • -
  • - dbus-c++-glib -
  • -
  • - dbxtool -
  • -
  • - dirsplit -
  • -
  • - dleyna-connector-dbus -
  • -
  • - dleyna-core -
  • -
  • - dleyna-renderer -
  • -
  • - dleyna-server -
  • -
  • - dnssec-trigger -
  • -
  • - dptfxtract -
  • -
  • - drpm -
  • -
  • - drpm-devel -
  • -
  • - dvd+rw-tools -
  • -
  • - dyninst-static -
  • -
  • - eclipse-ecf -
  • -
  • - eclipse-emf -
  • -
  • - eclipse-license -
  • -
  • - ed25519-java -
  • -
  • - ee4j-parent -
  • -
  • - elfutils-devel-static -
  • -
  • - elfutils-libelf-devel-static -
  • -
  • - enca -
  • -
  • - enca-devel -
  • -
  • - environment-modules-compat -
  • -
  • - evince-browser-plugin -
  • -
  • - exec-maven-plugin -
  • -
  • - farstream02 -
  • -
  • - felix-osgi-compendium -
  • -
  • - felix-osgi-core -
  • -
  • - felix-osgi-foundation -
  • -
  • - felix-parent -
  • -
  • - file-roller -
  • -
  • - fipscheck -
  • -
  • - fipscheck-devel -
  • -
  • - fipscheck-lib -
  • -
  • - firewire -
  • -
  • - forge-parent -
  • -
  • - fuse-sshfs -
  • -
  • - fusesource-pom -
  • -
  • - future -
  • -
  • - gamin -
  • -
  • - gamin-devel -
  • -
  • - gavl -
  • -
  • - gcc-toolset-10 -
  • -
  • - gcc-toolset-10-annobin -
  • -
  • - gcc-toolset-10-binutils -
  • -
  • - gcc-toolset-10-binutils-devel -
  • -
  • - gcc-toolset-10-build -
  • -
  • - gcc-toolset-10-dwz -
  • -
  • - gcc-toolset-10-dyninst -
  • -
  • - gcc-toolset-10-dyninst-devel -
  • -
  • - gcc-toolset-10-elfutils -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client-devel -
  • -
  • - gcc-toolset-10-elfutils-devel -
  • -
  • - gcc-toolset-10-elfutils-libelf -
  • -
  • - gcc-toolset-10-elfutils-libelf-devel -
  • -
  • - gcc-toolset-10-elfutils-libs -
  • -
  • - gcc-toolset-10-gcc -
  • -
  • - gcc-toolset-10-gcc-c++ -
  • -
  • - gcc-toolset-10-gcc-gdb-plugin -
  • -
  • - gcc-toolset-10-gcc-gfortran -
  • -
  • - gcc-toolset-10-gdb -
  • -
  • - gcc-toolset-10-gdb-doc -
  • -
  • - gcc-toolset-10-gdb-gdbserver -
  • -
  • - gcc-toolset-10-libasan-devel -
  • -
  • - gcc-toolset-10-libatomic-devel -
  • -
  • - gcc-toolset-10-libitm-devel -
  • -
  • - gcc-toolset-10-liblsan-devel -
  • -
  • - gcc-toolset-10-libquadmath-devel -
  • -
  • - gcc-toolset-10-libstdc++-devel -
  • -
  • - gcc-toolset-10-libstdc++-docs -
  • -
  • - gcc-toolset-10-libtsan-devel -
  • -
  • - gcc-toolset-10-libubsan-devel -
  • -
  • - gcc-toolset-10-ltrace -
  • -
  • - gcc-toolset-10-make -
  • -
  • - gcc-toolset-10-make-devel -
  • -
  • - gcc-toolset-10-perftools -
  • -
  • - gcc-toolset-10-runtime -
  • -
  • - gcc-toolset-10-strace -
  • -
  • - gcc-toolset-10-systemtap -
  • -
  • - gcc-toolset-10-systemtap-client -
  • -
  • - gcc-toolset-10-systemtap-devel -
  • -
  • - gcc-toolset-10-systemtap-initscript -
  • -
  • - gcc-toolset-10-systemtap-runtime -
  • -
  • - gcc-toolset-10-systemtap-sdt-devel -
  • -
  • - gcc-toolset-10-systemtap-server -
  • -
  • - gcc-toolset-10-toolchain -
  • -
  • - gcc-toolset-10-valgrind -
  • -
  • - gcc-toolset-10-valgrind-devel -
  • -
  • - gcc-toolset-9 -
  • -
  • - gcc-toolset-9-annobin -
  • -
  • - gcc-toolset-9-build -
  • -
  • - gcc-toolset-9-perftools -
  • -
  • - gcc-toolset-9-runtime -
  • -
  • - gcc-toolset-9-toolchain -
  • -
  • - GConf2 -
  • -
  • - GConf2-devel -
  • -
  • - genisoimage -
  • -
  • - genwqe-tools -
  • -
  • - genwqe-vpd -
  • -
  • - genwqe-zlib -
  • -
  • - genwqe-zlib-devel -
  • -
  • - geoipupdate -
  • -
  • - geronimo-annotation -
  • -
  • - geronimo-jms -
  • -
  • - geronimo-jpa -
  • -
  • - geronimo-parent-poms -
  • -
  • - gfbgraph -
  • -
  • - gflags -
  • -
  • - gflags-devel -
  • -
  • - glassfish-annotation-api -
  • -
  • - glassfish-el -
  • -
  • - glassfish-fastinfoset -
  • -
  • - glassfish-jaxb-core -
  • -
  • - glassfish-jaxb-txw2 -
  • -
  • - glassfish-jsp -
  • -
  • - glassfish-jsp-api -
  • -
  • - glassfish-legal -
  • -
  • - glassfish-master-pom -
  • -
  • - glassfish-servlet-api -
  • -
  • - glew-devel -
  • -
  • - glib2-fam -
  • -
  • - glog -
  • -
  • - glog-devel -
  • -
  • - gmock -
  • -
  • - gmock-devel -
  • -
  • - gnome-boxes -
  • -
  • - gnome-menus-devel -
  • -
  • - gnome-online-miners -
  • -
  • - gnome-shell-extension-disable-screenshield -
  • -
  • - gnome-shell-extension-horizontal-workspaces -
  • -
  • - gnome-shell-extension-no-hot-corner -
  • -
  • - gnome-shell-extension-window-grouper -
  • -
  • - gnome-themes-standard -
  • -
  • - gnupg2-smime -
  • -
  • - gobject-introspection-devel -
  • -
  • - google-gson -
  • -
  • - gphoto2 -
  • -
  • - gssntlmssp -
  • -
  • - gtest -
  • -
  • - gtest-devel -
  • -
  • - gtkmm24 -
  • -
  • - gtkmm24-devel -
  • -
  • - gtkmm24-docs -
  • -
  • - gtksourceview3 -
  • -
  • - gtksourceview3-devel -
  • -
  • - gtkspell -
  • -
  • - gtkspell-devel -
  • -
  • - gtkspell3 -
  • -
  • - guile -
  • -
  • - gutenprint-gimp -
  • -
  • - gvfs-afc -
  • -
  • - gvfs-afp -
  • -
  • - gvfs-archive -
  • -
  • - hawtjni -
  • -
  • - highlight-gui -
  • -
  • - hivex-devel -
  • -
  • - hostname -
  • -
  • - hplip-gui -
  • -
  • - httpcomponents-project -
  • -
  • - icedax -
  • -
  • - icu4j -
  • -
  • - idm-console-framework -
  • -
  • - iptables -
  • -
  • - ipython -
  • -
  • - isl -
  • -
  • - isl-devel -
  • -
  • - isorelax -
  • -
  • - istack-commons-runtime -
  • -
  • - istack-commons-tools -
  • -
  • - iwl3945-firmware -
  • -
  • - iwl4965-firmware -
  • -
  • - iwl6000-firmware -
  • -
  • - jacoco -
  • -
  • - jaf -
  • -
  • - jakarta-oro -
  • -
  • - janino -
  • -
  • - jansi-native -
  • -
  • - jarjar -
  • -
  • - java_cup -
  • -
  • - java-atk-wrapper -
  • -
  • - javacc -
  • -
  • - javacc-maven-plugin -
  • -
  • - javaewah -
  • -
  • - javaparser -
  • -
  • - javapoet -
  • -
  • - javassist -
  • -
  • - jaxen -
  • -
  • - jboss-annotations-1.2-api -
  • -
  • - jboss-interceptors-1.2-api -
  • -
  • - jboss-logmanager -
  • -
  • - jboss-parent -
  • -
  • - jctools -
  • -
  • - jdepend -
  • -
  • - jdependency -
  • -
  • - jdom -
  • -
  • - jdom2 -
  • -
  • - jetty -
  • -
  • - jffi -
  • -
  • - jflex -
  • -
  • - jgit -
  • -
  • - jline -
  • -
  • - jnr-netdb -
  • -
  • - jolokia-jvm-agent -
  • -
  • - js-uglify -
  • -
  • - jsch -
  • -
  • - json_simple -
  • -
  • - jss-javadoc -
  • -
  • - jtidy -
  • -
  • - junit5 -
  • -
  • - jvnet-parent -
  • -
  • - jzlib -
  • -
  • - kernel-cross-headers -
  • -
  • - ksc -
  • -
  • - ldapjdk-javadoc -
  • -
  • - lensfun -
  • -
  • - lensfun-devel -
  • -
  • - libaec -
  • -
  • - libaec-devel -
  • -
  • - libappindicator-gtk3 -
  • -
  • - libappindicator-gtk3-devel -
  • -
  • - libavc1394 -
  • -
  • - libblocksruntime -
  • -
  • - libcacard -
  • -
  • - libcacard-devel -
  • -
  • - libcgroup -
  • -
  • - libchamplain -
  • -
  • - libchamplain-devel -
  • -
  • - libchamplain-gtk -
  • -
  • - libcroco -
  • -
  • - libcroco-devel -
  • -
  • - libcxl -
  • -
  • - libcxl-devel -
  • -
  • - libdap -
  • -
  • - libdap-devel -
  • -
  • - libdazzle-devel -
  • -
  • - libdbusmenu -
  • -
  • - libdbusmenu-devel -
  • -
  • - libdbusmenu-doc -
  • -
  • - libdbusmenu-gtk3 -
  • -
  • - libdbusmenu-gtk3-devel -
  • -
  • - libdc1394 -
  • -
  • - libdnet -
  • -
  • - libdnet-devel -
  • -
  • - libdv -
  • -
  • - libdwarf -
  • -
  • - libdwarf-devel -
  • -
  • - libdwarf-static -
  • -
  • - libdwarf-tools -
  • -
  • - libepubgen-devel -
  • -
  • - libertas-sd8686-firmware -
  • -
  • - libertas-usb8388-firmware -
  • -
  • - libertas-usb8388-olpc-firmware -
  • -
  • - libgdither -
  • -
  • - libGLEW -
  • -
  • - libgovirt -
  • -
  • - libguestfs-benchmarking -
  • -
  • - libguestfs-devel -
  • -
  • - libguestfs-gfs2 -
  • -
  • - libguestfs-gobject -
  • -
  • - libguestfs-gobject-devel -
  • -
  • - libguestfs-java -
  • -
  • - libguestfs-java-devel -
  • -
  • - libguestfs-javadoc -
  • -
  • - libguestfs-man-pages-ja -
  • -
  • - libguestfs-man-pages-uk -
  • -
  • - libguestfs-tools -
  • -
  • - libguestfs-tools-c -
  • -
  • - libhugetlbfs -
  • -
  • - libhugetlbfs-devel -
  • -
  • - libhugetlbfs-utils -
  • -
  • - libIDL -
  • -
  • - libIDL-devel -
  • -
  • - libidn -
  • -
  • - libiec61883 -
  • -
  • - libindicator-gtk3 -
  • -
  • - libindicator-gtk3-devel -
  • -
  • - libiscsi-devel -
  • -
  • - libjose-devel -
  • -
  • - libldb-devel -
  • -
  • - liblogging -
  • -
  • - libluksmeta-devel -
  • -
  • - libmcpp -
  • -
  • - libmemcached -
  • -
  • - libmetalink -
  • -
  • - libmodulemd1 -
  • -
  • - libmongocrypt -
  • -
  • - libmtp-devel -
  • -
  • - libmusicbrainz5 -
  • -
  • - libmusicbrainz5-devel -
  • -
  • - libnbd-devel -
  • -
  • - liboauth -
  • -
  • - liboauth-devel -
  • -
  • - libpfm-static -
  • -
  • - libpng12 -
  • -
  • - libpurple -
  • -
  • - libpurple-devel -
  • -
  • - libraw1394 -
  • -
  • - libsass -
  • -
  • - libsass-devel -
  • -
  • - libselinux-python -
  • -
  • - libsqlite3x -
  • -
  • - libtalloc-devel -
  • -
  • - libtar -
  • -
  • - libtdb-devel -
  • -
  • - libtevent-devel -
  • -
  • - libunwind -
  • -
  • - libusal -
  • -
  • - libvarlink -
  • -
  • - libvirt-admin -
  • -
  • - libvirt-bash-completion -
  • -
  • - libvirt-daemon-driver-storage-gluster -
  • -
  • - libvirt-daemon-driver-storage-iscsi-direct -
  • -
  • - libvirt-devel -
  • -
  • - libvirt-docs -
  • -
  • - libvirt-gconfig -
  • -
  • - libvirt-gobject -
  • -
  • - libvirt-lock-sanlock -
  • -
  • - libvncserver -
  • -
  • - libwinpr-devel -
  • -
  • - libwmf -
  • -
  • - libwmf-devel -
  • -
  • - libwmf-lite -
  • -
  • - libXNVCtrl -
  • -
  • - libyami -
  • -
  • - log4j12 -
  • -
  • - lorax-composer -
  • -
  • - lua-guestfs -
  • -
  • - lucene -
  • -
  • - mailman -
  • -
  • - mailx -
  • -
  • - make-devel -
  • -
  • - maven-antrun-plugin -
  • -
  • - maven-assembly-plugin -
  • -
  • - maven-clean-plugin -
  • -
  • - maven-dependency-analyzer -
  • -
  • - maven-dependency-plugin -
  • -
  • - maven-doxia -
  • -
  • - maven-doxia-sitetools -
  • -
  • - maven-install-plugin -
  • -
  • - maven-invoker -
  • -
  • - maven-invoker-plugin -
  • -
  • - maven-parent -
  • -
  • - maven-plugins-pom -
  • -
  • - maven-reporting-api -
  • -
  • - maven-reporting-impl -
  • -
  • - maven-scm -
  • -
  • - maven-script-interpreter -
  • -
  • - maven-shade-plugin -
  • -
  • - maven-shared -
  • -
  • - maven-verifier -
  • -
  • - maven2 -
  • -
  • - meanwhile -
  • -
  • - mercurial -
  • -
  • - metis -
  • -
  • - metis-devel -
  • -
  • - mingw32-bzip2 -
  • -
  • - mingw32-bzip2-static -
  • -
  • - mingw32-cairo -
  • -
  • - mingw32-expat -
  • -
  • - mingw32-fontconfig -
  • -
  • - mingw32-freetype -
  • -
  • - mingw32-freetype-static -
  • -
  • - mingw32-gstreamer1 -
  • -
  • - mingw32-harfbuzz -
  • -
  • - mingw32-harfbuzz-static -
  • -
  • - mingw32-icu -
  • -
  • - mingw32-libjpeg-turbo -
  • -
  • - mingw32-libjpeg-turbo-static -
  • -
  • - mingw32-libpng -
  • -
  • - mingw32-libpng-static -
  • -
  • - mingw32-libtiff -
  • -
  • - mingw32-libtiff-static -
  • -
  • - mingw32-openssl -
  • -
  • - mingw32-readline -
  • -
  • - mingw32-sqlite -
  • -
  • - mingw32-sqlite-static -
  • -
  • - mingw64-adwaita-icon-theme -
  • -
  • - mingw64-bzip2 -
  • -
  • - mingw64-bzip2-static -
  • -
  • - mingw64-cairo -
  • -
  • - mingw64-expat -
  • -
  • - mingw64-fontconfig -
  • -
  • - mingw64-freetype -
  • -
  • - mingw64-freetype-static -
  • -
  • - mingw64-gstreamer1 -
  • -
  • - mingw64-harfbuzz -
  • -
  • - mingw64-harfbuzz-static -
  • -
  • - mingw64-icu -
  • -
  • - mingw64-libjpeg-turbo -
  • -
  • - mingw64-libjpeg-turbo-static -
  • -
  • - mingw64-libpng -
  • -
  • - mingw64-libpng-static -
  • -
  • - mingw64-libtiff -
  • -
  • - mingw64-libtiff-static -
  • -
  • - mingw64-nettle -
  • -
  • - mingw64-openssl -
  • -
  • - mingw64-readline -
  • -
  • - mingw64-sqlite -
  • -
  • - mingw64-sqlite-static -
  • -
  • - modello -
  • -
  • - mojo-parent -
  • -
  • - mongo-c-driver -
  • -
  • - mousetweaks -
  • -
  • - mozjs52 -
  • -
  • - mozjs52-devel -
  • -
  • - mozjs60 -
  • -
  • - mozjs60-devel -
  • -
  • - mozvoikko -
  • -
  • - msv-javadoc -
  • -
  • - msv-manual -
  • -
  • - munge-maven-plugin -
  • -
  • - nbd -
  • -
  • - nbdkit-devel -
  • -
  • - nbdkit-example-plugins -
  • -
  • - nbdkit-gzip-plugin -
  • -
  • - ncompress -
  • -
  • - net-tools -
  • -
  • - netcf -
  • -
  • - netcf-devel -
  • -
  • - netcf-libs -
  • -
  • - network-scripts -
  • -
  • - nkf -
  • -
  • - nss_nis -
  • -
  • - nss-pam-ldapd -
  • -
  • - objectweb-asm -
  • -
  • - objectweb-pom -
  • -
  • - ocaml-bisect-ppx -
  • -
  • - ocaml-camlp4 -
  • -
  • - ocaml-camlp4-devel -
  • -
  • - ocaml-lwt -
  • -
  • - ocaml-mmap -
  • -
  • - ocaml-ocplib-endian -
  • -
  • - ocaml-ounit -
  • -
  • - ocaml-result -
  • -
  • - ocaml-seq -
  • -
  • - opencv-contrib -
  • -
  • - opencv-core -
  • -
  • - opencv-devel -
  • -
  • - openhpi -
  • -
  • - openhpi-libs -
  • -
  • - OpenIPMI-perl -
  • -
  • - openssh-cavs -
  • -
  • - openssh-ldap -
  • -
  • - openssl-ibmpkcs11 -
  • -
  • - opentest4j -
  • -
  • - os-maven-plugin -
  • -
  • - pakchois -
  • -
  • - pandoc -
  • -
  • - paranamer -
  • -
  • - parfait -
  • -
  • - parfait-examples -
  • -
  • - parfait-javadoc -
  • -
  • - pcp-parfait-agent -
  • -
  • - pcp-pmda-rpm -
  • -
  • - pcsc-lite-doc -
  • -
  • - peripety -
  • -
  • - perl-B-Debug -
  • -
  • - perl-B-Lint -
  • -
  • - perl-Class-Factory-Util -
  • -
  • - perl-Class-ISA -
  • -
  • - perl-DateTime-Format-HTTP -
  • -
  • - perl-DateTime-Format-Mail -
  • -
  • - perl-File-CheckTree -
  • -
  • - perl-homedir -
  • -
  • - perl-libxml-perl -
  • -
  • - perl-Locale-Codes -
  • -
  • - perl-Mozilla-LDAP -
  • -
  • - perl-NKF -
  • -
  • - perl-Object-HashBase-tools -
  • -
  • - perl-Package-DeprecationManager -
  • -
  • - perl-Pod-LaTeX -
  • -
  • - perl-Pod-Plainer -
  • -
  • - perl-prefork -
  • -
  • - perl-String-CRC32 -
  • -
  • - perl-SUPER -
  • -
  • - perl-Sys-Virt -
  • -
  • - perl-tests -
  • -
  • - perl-YAML-Syck -
  • -
  • - phodav -
  • -
  • - pidgin -
  • -
  • - pidgin-devel -
  • -
  • - pidgin-sipe -
  • -
  • - pinentry-emacs -
  • -
  • - pinentry-gtk -
  • -
  • - pipewire0.2-devel -
  • -
  • - pipewire0.2-libs -
  • -
  • - plexus-ant-factory -
  • -
  • - plexus-bsh-factory -
  • -
  • - plexus-cli -
  • -
  • - plexus-component-api -
  • -
  • - plexus-component-factories-pom -
  • -
  • - plexus-components-pom -
  • -
  • - plexus-i18n -
  • -
  • - plexus-interactivity -
  • -
  • - plexus-pom -
  • -
  • - plexus-velocity -
  • -
  • - plymouth-plugin-throbgress -
  • -
  • - powermock -
  • -
  • - ptscotch-mpich -
  • -
  • - ptscotch-mpich-devel -
  • -
  • - ptscotch-mpich-devel-parmetis -
  • -
  • - ptscotch-openmpi -
  • -
  • - ptscotch-openmpi-devel -
  • -
  • - purple-sipe -
  • -
  • - python-nss-doc -
  • -
  • - python-redis -
  • -
  • - python-schedutils -
  • -
  • - python-slip -
  • -
  • - python-varlink -
  • -
  • - python2-mock -
  • -
  • - python3-click -
  • -
  • - python3-cpio -
  • -
  • - python3-custodia -
  • -
  • - python3-flask -
  • -
  • - python3-gevent -
  • -
  • - python3-gobject-base -
  • -
  • - python3-hivex -
  • -
  • - python3-html5lib -
  • -
  • - python3-hypothesis -
  • -
  • - python3-ipatests -
  • -
  • - python3-itsdangerous -
  • -
  • - python3-jwt -
  • -
  • - python3-libguestfs -
  • -
  • - python3-mock -
  • -
  • - python3-networkx-core -
  • -
  • - python3-nose -
  • -
  • - python3-nss -
  • -
  • - python3-openipmi -
  • -
  • - python3-pillow -
  • -
  • - python3-pydbus -
  • -
  • - python3-pymongo -
  • -
  • - python3-pyOpenSSL -
  • -
  • - python3-pytoml -
  • -
  • - python3-reportlab -
  • -
  • - python3-schedutils -
  • -
  • - python3-scons -
  • -
  • - python3-semantic_version -
  • -
  • - python3-syspurpose -
  • -
  • - python3-virtualenv -
  • -
  • - python3-webencodings -
  • -
  • - python3-werkzeug -
  • -
  • - qemu-kvm-block-gluster -
  • -
  • - qemu-kvm-block-iscsi -
  • -
  • - qemu-kvm-tests -
  • -
  • - qpdf -
  • -
  • - qpid-proton -
  • -
  • - qrencode -
  • -
  • - qrencode-devel -
  • -
  • - qrencode-libs -
  • -
  • - qt5-qtcanvas3d -
  • -
  • - qt5-qtcanvas3d-examples -
  • -
  • - rarian -
  • -
  • - rarian-compat -
  • -
  • - re2c -
  • -
  • - redhat-menus -
  • -
  • - redhat-support-lib-python -
  • -
  • - redhat-support-tool -
  • -
  • - reflections -
  • -
  • - regexp -
  • -
  • - relaxngDatatype -
  • -
  • - rhsm-gtk -
  • -
  • - rpm-plugin-prioreset -
  • -
  • - rsyslog-udpspoof -
  • -
  • - ruby-hivex -
  • -
  • - ruby-libguestfs -
  • -
  • - rubygem-abrt -
  • -
  • - rubygem-abrt-doc -
  • -
  • - rubygem-mongo -
  • -
  • - rubygem-mongo-doc -
  • -
  • - samba-pidl -
  • -
  • - samba-test -
  • -
  • - samba-test-libs -
  • -
  • - sane-frontends -
  • -
  • - sanlk-reset -
  • -
  • - scala -
  • -
  • - scotch -
  • -
  • - scotch-devel -
  • -
  • - SDL_sound -
  • -
  • - selinux-policy-minimum -
  • -
  • - sendmail -
  • -
  • - sgabios -
  • -
  • - sgabios-bin -
  • -
  • - shrinkwrap -
  • -
  • - sisu-mojos -
  • -
  • - SLOF -
  • -
  • - sonatype-oss-parent -
  • -
  • - sonatype-plugins-parent -
  • -
  • - sparsehash-devel -
  • -
  • - spec-version-maven-plugin -
  • -
  • - spice -
  • -
  • - spice-client-win-x64 -
  • -
  • - spice-client-win-x86 -
  • -
  • - spice-glib -
  • -
  • - spice-glib-devel -
  • -
  • - spice-gtk -
  • -
  • - spice-gtk-tools -
  • -
  • - spice-gtk3 -
  • -
  • - spice-gtk3-devel -
  • -
  • - spice-gtk3-vala -
  • -
  • - spice-parent -
  • -
  • - spice-protocol -
  • -
  • - spice-qxl-wddm-dod -
  • -
  • - spice-server-devel -
  • -
  • - spice-streaming-agent -
  • -
  • - spice-vdagent-win-x64 -
  • -
  • - spice-vdagent-win-x86 -
  • -
  • - sssd-libwbclient -
  • -
  • - stax-ex -
  • -
  • - stax2-api -
  • -
  • - stringtemplate -
  • -
  • - stringtemplate4 -
  • -
  • - subscription-manager-initial-setup-addon -
  • -
  • - subscription-manager-migration -
  • -
  • - subscription-manager-migration-data -
  • -
  • - subversion-javahl -
  • -
  • - SuperLU -
  • -
  • - SuperLU-devel -
  • -
  • - supermin-devel -
  • -
  • - swig -
  • -
  • - swig-doc -
  • -
  • - swig-gdb -
  • -
  • - system-storage-manager -
  • -
  • - testng -
  • -
  • - timedatex -
  • -
  • - treelayout -
  • -
  • - trousers -
  • -
  • - tycho -
  • -
  • - uglify-js -
  • -
  • - univocity-output-tester -
  • -
  • - univocity-parsers -
  • -
  • - usbguard-notifier -
  • -
  • - usbredir-devel -
  • -
  • - utf8cpp -
  • -
  • - uthash -
  • -
  • - velocity -
  • -
  • - vinagre -
  • -
  • - vino -
  • -
  • - virt-dib -
  • -
  • - virt-p2v-maker -
  • -
  • - vm-dump-metrics-devel -
  • -
  • - weld-parent -
  • -
  • - wodim -
  • -
  • - woodstox-core -
  • -
  • - xdelta -
  • -
  • - xmlgraphics-commons -
  • -
  • - xmlstreambuffer -
  • -
  • - xinetd -
  • -
  • - xorg-x11-apps -
  • -
  • - xorg-x11-drv-qxl -
  • -
  • - xorg-x11-server-Xspice -
  • -
  • - xpp3 -
  • -
  • - xsane-gimp -
  • -
  • - xsom -
  • -
  • - xz-java -
  • -
  • - yajl-devel -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
-
-
-
-
-
-
-

9.19. Deprecated and unmaintained devices

-
-
-
-

- This section lists devices (drivers, adapters) that -

-
-
    -
  • - continue to be supported until the end of life of RHEL 8 but will likely not be supported in - future major releases of this product and are not recommended for new deployments. Support - for devices other than those listed remains unchanged. These are deprecated devices. -
  • -
  • - are available but are no longer being tested or updated on a routine basis in RHEL 8. Red - Hat may fix serious bugs, including security bugs, at its discretion. These devices should - no longer be used in production, and it is likely they will be disabled in the next major - release. These are unmaintained devices. -
  • -
-
-

- PCI device IDs are in the format of vendor:device:subvendor:subdevice. If no device ID is listed, - all devices associated with the corresponding driver have been deprecated. To check the PCI IDs of - the hardware on your system, run the lspci -nn command. -

-
-

Table 9.1. Deprecated devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- bnx2 -

-
-

- QLogic BCM5706/5708/5709/5716 Driver -

-
  -

- hpsa -

-
-

- Hewlett-Packard Company: Smart Array Controllers -

-
-

- 0x10df:0x0724 -

-
-

- lpfc -

-
-

- Emulex Corporation: OneConnect FCoE Initiator (Skyhawk) -

-
-

- 0x10df:0xe200 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe15000/LPe16000 Series 8Gb/16Gb Fibre Channel Adapter -

-
-

- 0x10df:0xf011 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf015 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf100 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe12000 Series 8Gb Fibre Channel Adapter -

-
-

- 0x10df:0xfc40 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn-X: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xe220 -

-
-

- be2net -

-
-

- Emulex Corporation: OneConnect NIC (Lancer) -

-
-

- 0x1000:0x005b -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2208 [Thunderbolt] -

-
-

- 0x1000:0x006E -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0080 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0081 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0082 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0083 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0084 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0085 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0086 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0087 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
  -

- myri10ge -

-
-

- Myricom 10G driver (10GbE) -

-
  -

- netxen_nic -

-
-

- QLogic/NetXen (1/10) GbE Intelligent Ethernet Driver -

-
-

- 0x1077:0x2031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP8324-based 16Gb Fibre Channel to PCI Express Adapter -

-
-

- 0x1077:0x2532 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP2532-based 8Gb Fibre Channel to PCI Express HBA -

-
-

- 0x1077:0x8031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: 8300 Series 10GbE Converged Network Adapter (FCoE) -

-
  -

- qla3xxx -

-
-

- QLogic ISP3XXX Network Driver v2.03.00-k5 -

-
-

- 0x1924:0x0803 -

-
-

- sfc -

-
-

- Solarflare Communications: SFC9020 10G Ethernet Controller -

-
-

- 0x1924:0x0813 -

-
-

- sfc -

-
-

- Solarflare Communications: SFL9021 10GBASE-T Ethernet Controller -

-
  -

- Soft-RoCE (rdma_rxe) -

-
 
  -

- HNS-RoCE -

-
 
-
-
-
-

Table 9.2. Unmaintained devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- e1000 -

-
-

- Intel® PRO/1000 Network Driver -

-
  -

- mptbase -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptsas -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptscsih -

-
-

- Fusion MPT SCSI Host driver -

-
  -

- mptspi -

-
-

- Fusion MPT SAS Host driver -

-
-

- 0x1000:0x0071 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MR SAS HBA 2004 -

-
-

- 0x1000:0x0073 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2008 [Falcon] -

-
-

- 0x1000:0x0079 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2108 [Liberator] -

-
-
-
[a] - Disabled in RHEL 8.0, re-enabled in RHEL 8.4 due to customer requests. -
-
-
-
-
-
-
-
-
-
-
-

Chapter 10. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8.5. -

-
-
-
-
-

10.1. Installer and image creation

-
-
-
-
-

GUI installation might fail if an attempt to unregister using the CDN is - made before the repository refresh is completed

-

- Since RHEL 8.2, when registering your system and attaching subscriptions using the Content - Delivery Network (CDN), a refresh of the repository metadata is started by the GUI installation - program. The refresh process is not part of the registration and subscription process, and as a - consequence, the Unregister button is - enabled in the Connect to Red Hat window. - Depending on the network connection, the refresh process might take more than a minute to - complete. If you click the Unregister button - before the refresh process is completed, the GUI installation might fail as the unregister - process removes the CDN repository files and the certificates required by the installation - program to communicate with the CDN. -

-
-

- To work around this problem, complete the following steps in the GUI installation after you have - clicked the Register button in the Connect to Red Hat window: -

-
-
    -
  1. - From the Connect to Red Hat window, - click Done to return to the Installation Summary window. -
  2. -
  3. - From the Installation Summary window, - verify that the Installation Source and - Software Selection status messages in - italics are not displaying any processing information. -
  4. -
  5. - When the Installation Source and Software Selection categories are ready, click Connect to Red Hat. -
  6. -
  7. - Click the Unregister button. -
  8. -
-
-

- After performing these steps, you can safely unregister the system during the GUI installation. -

-

- (BZ#1821192) -

-
-

Registration fails for user accounts that belong to multiple - organizations

-

- Currently, when you attempt to register a system with a user account that belongs to multiple - organizations, the registration process fails with the error message You must specify an organization for new - units. -

-
-

- To work around this problem, you can either: -

-
-
    -
  • - Use a different user account that does not belong to multiple organizations. -
  • -
  • - Use the Activation Key authentication - method available in the Connect to Red Hat feature for GUI and Kickstart installations. -
  • -
  • - Skip the registration step in Connect to Red Hat and use Subscription Manager to register - your system post-installation. -
  • -
-
-

- (BZ#1822880) -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- (BZ#1914955) -

-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installer or use the authselect Kickstart command during installation. -

-

- (BZ#1640697) -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- (BZ#1697896) -

-
-

Network access is not enabled by default in the installation - program

-

- Several installation features require network access, for example, registration of a system - using the Content Delivery Network (CDN), NTP server support, and network installation sources. - However, network access is not enabled by default, and as a result, these features cannot be - used until network access is enabled. -

-
-

- To work around this problem, add ip=dhcp to boot options to enable - network access when the installation starts. Optionally, passing a Kickstart file or a repository - located on the network using boot options also resolves the problem. As a result, the network-based - installation features can be used. -

-

- (BZ#1757877) -

-
-

Hard drive partitioned installations with iso9660 filesystem fails -

-

- You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that - is set to ignore any hard disk containing a iso9660 file system - partition. This happens even when RHEL is installed without using a DVD. -

-
-

- To workaround this problem, add the following script in the kickstart file to format the disc before - the installation starts. -

-

- Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk. -

-
%pre
-wipefs -a /dev/sda
-%end
-

- As a result, installations work as expected without any errors. -

-

- (BZ#1929105) -

-
-

IBM Power systems with HASH MMU mode fail to - boot with memory allocation failures

-

- IBM Power Systems with HASH memory allocation unit (MMU) mode - support kdump up to a maximum of 192 cores. Consequently, the - system fails to boot with memory allocation failures if kdump is - enabled on more than 192 cores. This limitation is due to RMA memory allocations during early - boot in HASH MMU mode. To work around this problem, use the Radix MMU mode with fadump enabled - instead of using kdump. -

-
-

- (BZ#2028361) -

-
-

Adding the same username in both blueprint and Kickstart files causes Edge - image installation to fail

-

- To install a RHEL for Edge image, users must create a blueprint to build a rhel-edge-container image and also create a Kickstart file to install - the RHEL for Edge image. When a user adds the same username, password, and SSH key in both the - blueprint and the Kickstart file, the RHEL for Edge image installation fails. Currently, there - is no workaround. -

-
-

- (BZ#1951964) -

-
-

The new osbuild-composer back end does not - replicate the blueprint state from lorax-composer on - upgrades

-

- Image Builder users that are upgrading from the lorax-composer back - end to the new osbuild-composer back end, blueprints can disappear. - As a result, once the upgrade is complete, the blueprints do not display automatically. To work - around this problem, perform the following steps. -

-
-
-

Prerequisites

-
    -
  • - You have the composer-cli CLI utility installed. -
  • -
-
-
-

Procedure

-
    -
  1. -

    - Run the command to load the previous lorax-composer based - blueprints into the new osbuild-composer back end: -

    -
    $ for blueprint in $(find /var/lib/lorax/composer/blueprints/git/workspace/master -name '*.toml'); do composer-cli blueprints push "${blueprint}"; done
    -
  2. -
-
-

- As a result, the same blueprints are now available in osbuild-composer - back end. -

-
-

Additional resources

- -
-

- (BZ#1897383) -

-
-

Unexpected SELinux policies on systems where Anaconda is running as an - application

-

- When Anaconda is running as an application on an already installed system (for example to - perform another installation to an image file using the –image - anaconda option), the system is not prohibited to modify the SELinux types and attributes during - installation. As a consequence, certain elements of SELinux policy might change on the system - where Anaconda is running. To work around this problem, do not run Anaconda on the production - system and execute it in a temporary virtual machine. So that the SELinux policy on a production - system is not modified. Running anaconda as part of the system installation process such as - installing from boot.iso or dvd.iso is - not affected by this issue. -

-
-

- (BZ#2050140) -

-
-
-
-
-
-

10.2. Subscription management

-
-
-
-
-

syspurpose addons have no effect on the subscription-manager attach --auto output.

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose - command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect - the output of running the subscription-manager attach --auto - command. Users who attempt to set values to the addons argument - will not observe any effect on the subscriptions that are auto-attached. -

-
-

- (BZ#1687900) -

-
-
-
-
-
-

10.3. Software management

-
-
-
-
-

libdnf-devel upgrade fails if the CodeReady - Linux Builder repository is not available on the system

-

- The libdnf-devel package has been moved from the BaseOS to - CodeReady Linux Builder repository. Consequently, upgrading libdnf-devel fails if the CodeReady Linux Builder repository is not - available on the system. -

-
-

- To work around this problem, enable the CodeReady Linux Builder repository, or remove the libdnf-devel package prior to the upgrade. -

-

- (BZ#1960616) -

-
-

cr_compress_file_with_stat() can cause a - memory leak

-

- The createrepo_c library has the API cr_compress_file_with_stat() function. This function is declared with - char **dst as a second parameter. Depending on its other - parameters, cr_compress_file_with_stat() either uses dst as an input parameter, or uses it to return an allocated string. - This unpredictable behavior can cause a memory leak, because it does not inform the user when to - free dst contents. -

-
-

- To work around this problem, a new API cr_compress_file_with_stat_v2 - function has been added, which uses the dst parameter only as an input. - It is declared as char *dst. This prevents memory leak. -

-

- Note that the cr_compress_file_with_stat_v2 function is temporary and - will be present only in RHEL 8. Later, cr_compress_file_with_stat() - will be fixed instead. -

-

- (BZ#1973588) -

-
-
-
-
-
-

10.4. Shells and command-line tools

-
-
-
-
-

coreutils might report misleading EPERM error - codes

-

- GNU Core Utilities (coreutils) started using the statx() system call. If a seccomp filter - returns an EPERM error code for unknown system calls, coreutils - might consequently report misleading EPERM error codes because EPERM can not be distinguished - from the actual Operation not permitted error returned by - a working statx() syscall. -

-
-

- To work around this problem, update the seccomp filter to either permit - the statx() syscall, or to return an ENOSYS error code for syscalls it - does not know. -

-

- (BZ#2030661) -

-
-
-
-
-
-

10.5. Infrastructure services

-
-
-
-
-

Postfix TLS fingerprint algorithm in the FIPS mode needs to be changed to - SHA-256

-

- By default in RHEL 8, postfix uses MD5 fingerprints with the TLS - for backward compatibility. But in the FIPS mode, the MD5 hashing function is not available, - which may cause TLS to incorrectly function in the default postfix configuration. To workaround - this problem, the hashing function needs to be changed to SHA-256 in the postfix configuration - file. -

-
-

- For more details, see the related Knowledgebase article Fix postfix TLS in the FIPS mode by switching - to SHA-256 instead of MD5. -

-

- (BZ#1711885) -

-
-

The brltty package is not multilib - compatible

-

- It is not possible to have both 32-bit and 64-bit versions of the brltty package installed. You can either install the 32-bit (brltty.i686) or the 64-bit (brltty.x86_64) version of the package. The 64-bit version is - recommended. -

-
-

- (BZ#2008197) -

-
-
-
-
-
-

10.6. Security

-
-
-
-
-

File permissions of /etc/passwd- are not - aligned with the CIS RHEL 8 Benchmark 1.0.0

-

- Because of an issue with the CIS Benchmark, the remediation of the SCAP rule that ensures - permissions on the /etc/passwd- backup file configures permissions - to 0644. However, the CIS Red Hat Enterprise Linux 8 Benchmark 1.0.0 requires file - permissions 0600 for that file. As a consequence, the file - permissions of /etc/passwd- are not aligned with the benchmark - after remediation. -

-
-

- (BZ#1858866) -

-
-

libselinux-python is available only through - its module

-

- The libselinux-python package contains only Python 2 bindings for - developing SELinux applications and it is used for backward compatibility. For this reason, - libselinux-python is no longer available in the default RHEL 8 - repositories through the dnf install libselinux-python command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# dnf module enable libselinux-python
-# dnf install libselinux-python
-

- Alternatively, install libselinux-python using its install profile with - a single command: -

-
# dnf module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- (BZ#1666328) -

-
-

udica processes UBI 8 containers only when - started with --env container=podman

-

- The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. - This prevents the udica tool from analyzing a container JavaScript - Object Notation (JSON) file. -

-
-

- To work around this problem, start a UBI 8 container using a podman - command with the --env container=podman parameter. As a result, udica can generate an SELinux policy for a UBI 8 container only when you - use the described workaround. -

-

- (BZ#1763210) -

-
-

Negative effects of the default logging setup on performance

-

- The default logging environment setup might consume 4 GB of memory or even more and adjustments - of rate-limit values are complex when systemd-journald is running - with rsyslog. -

-
-

- See the Negative effects of the - RHEL default logging setup on performance and their mitigations Knowledgebase article for - more information. -

-

- (JIRA:RHELPLAN-10431) -

-
-

SELINUX=disabled in /etc/selinux/config does not work properly

-

- Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots - with SELinux enabled and switches to disabled mode later in the boot process. This might cause - memory leaks. -

-
-

- To work around this problem, disable SELinux by adding the selinux=0 - parameter to the kernel command line as described in the Changing - SELinux modes at boot time section of the Using - SELinux title if your scenario really requires to completely disable SELinux. -

-

- (JIRA:RHELPLAN-34199) -

-
-

crypto-policies incorrectly allow Camellia - ciphers

-

- The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy - levels, as stated in the product documentation. However, the Kerberos protocol enables the - ciphers by default. -

-
-

- To work around the problem, apply the NO-CAMELLIA subpolicy: -

-
# update-crypto-policies --set DEFAULT:NO-CAMELLIA
-

- In the previous command, replace DEFAULT with the cryptographic level - name if you have switched from DEFAULT previously. -

-

- As a result, Camellia ciphers are correctly disallowed across all applications that use system-wide - crypto policies only when you disable them through the workaround. -

-

- (BZ#1919155) -

-
-

Using multiple labeled IPsec connections with IKEv2 do not work correctly

-

- When Libreswan uses the IKEv2 protocol, security labels for IPsec - do not work correctly for more than one connection. As a consequence, Libreswan using labeled - IPsec can establish only the first connection, but cannot establish subsequent connections - correctly. To use more than one connection, use the IKEv1 protocol. -

-
-

- (BZ#1934859) -

-
-

Smart-card provisioning process through OpenSC pkcs15-init does not work properly

-

- The file_caching option is enabled in the default OpenSC - configuration, and the file caching functionality does not handle some commands from the pkcs15-init tool properly. Consequently, the smart-card provisioning - process through OpenSC fails. -

-
-

- To work around the problem, add the following snippet to the /etc/opensc.conf file: -

-
app pkcs15-init {
-        framework pkcs15 {
-                use_file_caching = false;
-        }
-}
-

- The smart-card provisioning through pkcs15-init only works if you apply - the previously described workaround. -

-

- (BZ#1947025) -

-
-

Connections to servers with SHA-1 signatures do not work with - GnuTLS

-

- SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as - insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS - connection to peers that offer such certificates. This behavior is inconsistent with other - system cryptographic libraries. -

-
-

- To work around this problem, upgrade the server to use certificates signed with SHA-256 or stronger - hash, or switch to the LEGACY policy. -

-

- (BZ#1628553) -

-
-

OpenSSL in FIPS mode accepts only specific D-H parameters

-

- In FIPS mode, TLS clients that use OpenSSL return a bad dh value - error and abort TLS connections to servers that use manually generated parameters. This is - because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with - Diffie-Hellman parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, - and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL - ignore all other parameters and instead select known parameters of similar size. To work around - this problem, use only the compliant groups. -

-
-

- (BZ#1810911) -

-
-

IKE over TCP connections do not work on custom TCP ports

-

- The tcp-remoteport Libreswan configuration option does not work - properly. Consequently, an IKE over TCP connection cannot be established when a scenario - requires specifying a non-default TCP port. -

-
-

- (BZ#1989050) -

-
-

Conflict in SELinux Audit rules and SELinux boolean configurations -

-

- If the Audit rule list includes an Audit rule that contains a subj_* or obj_* field, and the SELinux - boolean configuration changes, setting the SELinux booleans causes a deadlock. As a consequence, - the system stops responding and requires a reboot to recover. To work around this problem, - disable all Audit rules containing the subj_* or obj_* field, or temporarily disable such rules before changing - SELinux booleans. -

-
-

- With the release of the RHSA-2021:2168 advisory, the kernel - handles this situation properly and no longer deadlocks. -

-

- (BZ#1924230) -

-
-

systemd cannot execute - commands from arbitrary paths

-

- The systemd service cannot execute commands - from /home/user/bin arbitrary paths because the SELinux policy - package does not include any such rule. Consequently, the custom services that are executed on - non-system paths fail and eventually log the Access Vector Cache (AVC) denial audit messages - when SELinux denied access. To work around this problem, do one of the following: -

-
-
-
    -
  • -

    - Execute the command using a shell - script with the -c option. For example, -

    -
    bash -c command
    -
  • -
  • - Execute the command from a common path using /bin, /sbin, /usr/sbin, /usr/local/bin, and /usr/local/sbin - common directories. -
  • -
-
-

- (BZ#1860443) -

-
-

Certain sets of interdependent rules in SSG can fail

-

- Remediation of SCAP Security Guide (SSG) rules in a benchmark can - fail due to undefined ordering of rules and their dependencies. If two or more rules need to be - executed in a particular order, for example, when one rule installs a component and another rule - configures the same component, they can run in the wrong order and remediation reports an error. - To work around this problem, run the remediation twice, and the second run fixes the dependent - rules. -

-
-

- (BZ#1750755) -

-
-

Installation with the Server with GUI or Workstation software selections and CIS security profile is not - possible

-

- The CIS security profile is not compatible with the Server with GUI - and Workstation software selections. As a consequence, a RHEL 8 - installation with the Server with GUI software selection and CIS - profile is not possible. An attempted installation using the CIS profile and either of these - software selections will generate the error message: -

-
-
package xorg-x11-server-common has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the installation.
-

- To work around the problem, do not use the CIS security profile with the Server with GUI or Workstation software - selections. -

-

- (BZ#1843932) -

-
-

Kickstart uses org_fedora_oscap instead of - com_redhat_oscap in RHEL 8

-

- The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on - as org_fedora_oscap instead of com_redhat_oscap which might cause confusion. That is done to - preserve backward compatibility with Red Hat Enterprise Linux 7. -

-
-

- (BZ#1665082) -

-
-

usbguard-notifier logs too many error messages - to the Journal

-

- The usbguard-notifier service does not have inter-process - communication (IPC) permissions for connecting to the usbguard-daemon IPC interface. Consequently, usbguard-notifier fails to connect to the interface, and it writes a - corresponding error message to the Journal. Because usbguard-notifier starts with the --wait - option, which ensures that usbguard-notifier attempts to connect to - the IPC interface each second after a connection failure, by default, the log contains an - excessive amount of these messages soon. -

-
-

- To work around the problem, allow a user or a group under which usbguard-notifier is running to connect to the IPC interface. For - example, the following error message contains the UID and GID values for the GNOME Display Manager - (GDM): -

-
IPC connection denied: uid=42 gid=42 pid=8382, where uid and gid 42 = gdm
-

- To grant the missing permissions to the gdm user, use the usbguard command and restart the usbguard - daemon: -

-
# usbguard add-user gdm --group --devices listen
-# systemctl restart usbguard
-

- After granting the missing permissions, the error messages no longer appear in the log. -

-

- (BZ#2000000) -

-
-

Certain rsyslog priority strings do not work - correctly

-

- Support for the GnuTLS priority string for - imtcp that allows fine-grained control over encryption is not - complete. Consequently, the following priority strings do not work properly in rsyslog: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- (BZ#1679512) -

-
-
-
-
-
-

10.7. Networking

-
-
-
-
-

The nm-cloud-setup service removes - manually-configured secondary IP addresses from interfaces

-

- Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain - cases, other services on the host can configure interfaces as well. For example, these services - could add secondary IP addresses. To avoid that nm-cloud-setup - removes secondary IP addresses: -

-
-
-
    -
  1. -

    - Stop and disable the nm-cloud-setup service and timer: -

    -
    # systemctl disable --now nm-cloud-setup.service nm-cloud-setup.timer
    -
  2. -
  3. -

    - Display the available connection profiles: -

    -
    # nmcli connection show
    -
  4. -
  5. -

    - Reactive the affected connection profiles: -

    -
    # nmcli connection up "<profile_name>"
    -
  6. -
-
-

- As a result, the service no longer removes manually-configured secondary IP addresses from - interfaces. -

-

- (BZ#2132754) -

-
-

NetworkManager does not support activating bond and team ports in a - specific order

-

- NetworkManager activates interfaces alphabetically by interface names. However, if an interface - appears later during the boot, for example, because the kernel needs more time to discover it, - NetworkManager activates this interface later. NetworkManager does not support setting a - priority on bond and team ports. Consequently, the order in which NetworkManager activates ports - of these devices is not always predictable. To work around this problem, write a dispatcher - script. -

-
-

- For an example of such a script, see the corresponding comment in the ticket. -

-

- (BZ#1920398) -

-
-

Systems with the IPv6_rpfilter option enabled - experience low network throughput

-

- Systems with the IPv6_rpfilter option enabled in the firewalld.conf file currently experience suboptimal performance and - low network throughput in high traffic scenarios, such as 100-Gbps links. To work around the - problem, disable the IPv6_rpfilter option. To do so, add the - following line in the /etc/firewalld/firewalld.conf file. -

-
-
IPv6_rpfilter=no
-

- As a result, the system performs better, but also has reduced security. -

-

- (BZ#1871860) -

-
-
-
-
-
-

10.8. Kernel

-
-
-
-
-

Reloading an identical crash extension may cause segmentation - faults

-

- When you load a copy of an already loaded crash extension file, it might trigger a segmentation - fault. Currently, the crash utility detects if an original file has been loaded. Consequently, - due to two identical files co-existing in the crash utility, a namespace collision occurs, which - triggers the crash utility to cause a segmentation fault. -

-
-

- You can work around the problem by loading the crash extension file only once. As a result, - segmentation faults no longer occur in the described scenario. -

-

- (BZ#1906482) -

-
-

vmcore capture fails after memory hot-plug or unplug operation

-

- After performing the memory hot-plug or hot-unplug operation, the event comes after updating the - device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical address. - The problem appears if all of the following conditions meet: -

-
-
-
    -
  • - A little-endian variant of IBM Power System runs RHEL 8. -
  • -
  • - The kdump or fadump service is - enabled on the system. -
  • -
-
-

- Consequently, the capture kernel fails to save vmcore if a kernel crash - is triggered after the memory hot-plug or hot-unplug operation. -

-

- To work around this problem, restart the kdump service after hot-plug - or hot-unplug: -

-
# systemctl restart kdump.service
-

- As a result, vmcore is successfully saved in the described scenario. -

-

- (BZ#1793389) -

-
-

Debug kernel fails to boot in crash capture environment on RHEL 8 -

-

- Due to the memory-intensive nature of the debug kernel, a problem occurs when the debug kernel - is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to - boot as the capture kernel, and a stack trace is generated instead. To work around this problem, - increase the crash kernel memory as required. As a result, the debug kernel boots successfully - in the crash capture environment. -

-
-

- (BZ#1659609) -

-
-

Allocating crash kernel memory fails at boot time

-

- On certain Ampere Altra systems, allocating the crash kernel memory during boot fails when the - 32-bit region is disabled in BIOS settings. Consequently, the kdump - service fails to start. This is caused by memory fragmentation in the region below 4 GB with no - fragment being large enough to contain the crash kernel memory. -

-
-

- To work around this problem, enable the 32-bit memory region in BIOS as follows: -

-
-
    -
  1. - Open the BIOS settings on your system. -
  2. -
  3. - Open the Chipset menu. -
  4. -
  5. - Under Memory Configuration, enable the - Slave 32-bit option. -
  6. -
-
-

- As a result, crash kernel memory allocation within the 32-bit region succeeds and the kdump service works as expected. -

-

- (BZ#1940674) -

-
-

kdump fails on some KVM virtual machines using default crash kernel - memory

-

- On some KVM virtual machines kdump fails when using the default - amount of memory for kdump to capture the kernel crash dump. - Consequently, the crash kernel displays the following error: -

-
-
/bin/sh: error while loading shared libraries: libtinfo.so.6: cannot open shared object file: No such file or directory
-

- To workaround this problem, increase the crashkernel= option by a - minimum of 32M to fit the size requirement for kdump. For example, the final value must be the sum - of current value and 32M. -

-

- In the case of the crashkernel=auto parameter: -

-
-
    -
  1. -

    - Check the current memory size, and increase the size by 32M as follows: -

    -
    echo $(($(cat /sys/kernel/kexec_crash_size)/1048576+32))M
    -
  2. -
  3. - Configure the kernel crashkernel parameter to crashkernel=x, where x is the - increased size. -
  4. -
-
-

- (BZ#2004000) -

-
-

The QAT manager leaves no spare device for LKCF

-

- The Intel® QuickAssist Technology (QAT) manager (qatmgr) is a user - space process, which by default uses all QAT devices in the system. As a consequence, there are - no QAT devices left for the Linux Kernel Cryptographic Framework (LKCF). There is no need to - work around this situation, as this behavior is expected and a majority of users will use - acceleration from the user space. -

-
-

- (BZ#1920086) -

-
-

The kernel ACPI driver reports it has no access to a PCIe ECAM memory - region

-

- The Advanced Configuration and Power Interface (ACPI) table provided by firmware does not define - a memory region on the PCI bus in the Current Resource Settings (_CRS) method for the PCI bus - device. Consequently, the following warning message occurs during the system boot: -

-
-
[    2.817152] acpi PNP0A08:00: [Firmware Bug]: ECAM area [mem 0x30000000-0x31ffffff] not reserved in ACPI namespace
-[    2.827911] acpi PNP0A08:00: ECAM at [mem 0x30000000-0x31ffffff] for [bus 00-1f]
-

- However, the kernel is still able to access the 0x30000000-0x31ffffff - memory region, and can assign that memory region to the PCI Enhanced Configuration Access Mechanism - (ECAM) properly. You can verify that PCI ECAM works correctly by accessing the PCIe configuration - space over the 256 byte offset with the following output: -

-
03:00.0 Non-Volatile memory controller: Sandisk Corp WD Black 2018/PC SN720 NVMe SSD (prog-if 02 [NVM Express])
- ...
-        Capabilities: [900 v1] L1 PM Substates
-                L1SubCap: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2+ ASPM_L1.1- L1_PM_Substates+
-                          PortCommonModeRestoreTime=255us PortTPowerOnTime=10us
-                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
-                           T_CommonMode=0us LTR1.2_Threshold=0ns
-                L1SubCtl2: T_PwrOn=10us
-

- As a result, you can ignore the warning message. -

-

- For more information about the problem, see the "Firmware Bug: ECAM area mem 0x30000000-0x31ffffff not reserved in ACPI namespace" appears - during system boot solution. -

-

- (BZ#1868526) -

-
-

The tuned-adm profile powersave command causes - the system to become unresponsive

-

- Executing the tuned-adm profile powersave command leads to an - unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx - (CN88xx) processors. Consequently, reboot the system to resume working. To work around this - problem, avoid using the powersave profile if your system matches - the mentioned specifications. -

-
-

- (BZ#1609288) -

-
-

Using irqpoll causes vmcore generation failure

-

- Due to an existing problem with the nvme driver on the 64-bit ARM - architecture that run on the Amazon Web Services (AWS) cloud platforms, causes vmcore generation failure when you provide the irqpoll kernel command line parameter to the first kernel. - Consequently, no vmcore file is dumped in the /var/crash/ directory upon a kernel crash. To work around this - problem: -

-
-
-
    -
  1. -

    - Append irqpoll to KDUMP_COMMANDLINE_REMOVE in the /etc/sysconfig/kdump file. -

    -
    KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug quiet log_buf_len swiotlb"
    -
  2. -
  3. -

    - Remove irqpoll from KDUMP_COMMANDLINE_APPEND in the /etc/sysconfig/kdump file. -

    -
    KDUMP_COMMANDLINE_APPEND="irqpoll nr_cpus=1 reset_devices cgroup_disable=memory udev.children-max=2 panic=10 swiotlb=noforce novmcoredd"
    -
  4. -
  5. -

    - Restart the kdump service: -

    -
    systemctl restart kdump
    -
  6. -
-
-

- As a result, the first kernel boots correctly and the vmcore file is - expected to be captured upon the kernel crash. -

-

- Note that the kdump service can use a significant amount of crash - kernel memory to dump the vmcore file. Ensure that the capture kernel - has sufficient memory available for the kdump service. -

-

- For related information on this Known Issue, see the The irqpoll kernel command line parameter - might cause vmcore generation failure article. -

-

- (BZ#1654962) -

-
-

The HP NMI watchdog does not always generate a crash dump

-

- In certain cases, the hpwdt driver for the HP NMI watchdog is not - able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI - was instead consumed by the perfmon driver. -

-
-

- The missing NMI is initiated by one of two conditions: -

-
-
    -
  1. - The Generate NMI button on the - Integrated Lights-Out (iLO) server management software. This button is triggered by a user. -
  2. -
  3. - The hpwdt watchdog. The expiration by default sends an NMI to - the server. -
  4. -
-
-

- Both sequences typically occur when the system is unresponsive. Under normal circumstances, the NMI - handler for both these situations calls the kernel panic() function and - if configured, the kdump service generates a vmcore file. -

-

- Because of the missing NMI, however, kernel panic() is not called and - vmcore is not collected. -

-

- In the first case (1.), if the system was unresponsive, it remains so. To work around this scenario, - use the virtual Power button to reset or power - cycle the server. -

-

- In the second case (2.), the missing NMI is followed 9 seconds later by a reset from the Automated - System Recovery (ASR). -

-

- The HPE Gen9 Server line experiences this problem in single-digit percentages. The Gen10 at an even - smaller frequency. -

-

- (BZ#1602962) -

-
-

Connections fail when attaching a virtual function to virtual - machine

-

- Pensando network cards that use the ionic device driver silently - accept VLAN tag configuration requests and attempt configuring network connections while - attaching network virtual functions (VF) to a virtual machine - (VM). Such network connections fail as this feature is not yet - supported by the card’s firmware. -

-
-

- (BZ#1930576) -

-
-

The OPEN MPI library may trigger run-time failures with default - PML

-

- In OPEN Message Passing Interface (OPEN MPI) implementation 4.0.x series, Unified Communication - X (UCX) is the default point-to-point communicator (PML). The later versions of OPEN MPI 4.0.x - series deprecated openib Byte Transfer Layer (BTL). -

-
-

- However, OPEN MPI, when run over a homogeneous - cluster (same hardware and software configuration), UCX still uses openib BTL for MPI one-sided operations. As a consequence, this may - trigger execution errors. To work around this problem: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca btl openib -mca pml ucx -x UCX_NET_DEVICES=mlx5_ib0
-

- where, -

-
-
    -
  • - The -mca btl openib parameter disables openib BTL -
  • -
  • - The -mca pml ucx parameter configures OPEN MPI to use ucx PML. -
  • -
  • - The x UCX_NET_DEVICES= parameter restricts UCX to use the - specified devices -
  • -
-
-

- The OPEN MPI, when run over a heterogeneous - cluster (different hardware and software configuration), it uses UCX as the default PML. As a - consequence, this may cause the OPEN MPI jobs to run with erratic performance, unresponsive - behavior, or crash failures. To work around this problem, set the UCX priority as: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca pml_ucx_priority 5
-

- As a result, the OPEN MPI library is able to choose an alternative available transport layer over - UCX. -

-

- (BZ#1866402) -

-
-

The Solarflare fails to create maximum number of virtual functions - (VFs)

-

- The Solarflare NICs fail to create a maximum number of VFs due to insufficient resources. You - can check the maximum number of VFs that a PCIe device can create in the /sys/bus/pci/devices/PCI_ID/sriov_totalvfs file. To workaround this - problem, you can either adjust the number of VFs or the VF MSI interrupt value to a lower value, - either from Solarflare Boot Manager on startup, or using Solarflare - sfboot utility. The default VF MSI interrupt value is 8. -

-
-
-
    -
  • - To adjust the VF MSI interrupt value using sfboot: -
  • -
-
-
# sfboot vf-msix-limit=2
-
-
Note
-
-

- Adjusting VF MSI interrupt value affects the VF performance. -

-
-
-

- For more information about parameters to be adjusted accordingly, see the Solarflare Server Adapter user guide. -

-

- (BZ#1971506) -

-
-
-
-
-
-

10.9. Hardware enablement

-
-
-
-
-

The default 7 4 1 7 printk value sometimes causes temporary system - unresponsiveness

-

- The default 7 4 1 7 printk value allows for better debugging of the kernel activity. - However, when coupled with a serial console, this printk setting - can cause intense I/O bursts that can lead to a RHEL system becoming temporarily unresponsive. - To work around this problem, we have added a new optimize-serial-console TuneD profile, which reduces the default - printk value to 4 4 1 - 7. Users can instrument their system as follows: -

-
-
# tuned-adm profile throughput-performance optimize-serial-console
-

- Having a lower printk value persistent across a reboot reduces the - likelihood of system hangs. -

-

- Note that this setting change comes at the expense of losing the extra debugging information. -

-

- (JIRA:RHELPLAN-28940) -

-
-
-
-
-
-

10.10. File systems and storage

-
-
-
-
-

Limitations of LVM writecache

-

- The writecache LVM caching method has the following limitations, - which are not present in the cache method: -

-
-
-
    -
  • - You cannot name a writecache logical volume when using pvmove commands. -
  • -
  • - You cannot use logical volumes with writecache in combination - with thin pools or VDO. -
  • -
-
-

- The following limitation also applies to the cache method: -

-
-
    -
  • - You cannot resize a logical volume while cache or writecache is attached to it. -
  • -
-
-

- (JIRA:RHELPLAN-27987, BZ#1798631, BZ#1808012) -

-
-

LVM mirror devices that store a LUKS volume - sometimes become unresponsive

-

- Mirrored LVM devices with a segment type of mirror that store a - LUKS volume might become unresponsive under certain conditions. The unresponsive devices reject - all I/O operations. -

-
-

- To work around the issue, Red Hat recommends that you use LVM RAID 1 devices with a segment type of - raid1 instead of mirror if you need to - stack LUKS volumes on top of resilient software-defined storage. -

-

- The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 device. -

-

- (BZ#1730502) -

-
-

The /boot file system cannot be placed on - LVM

-

- You cannot place the /boot file system on an LVM logical volume. - This limitation exists for the following reasons: -

-
-
-
    -
  • - On EFI systems, the EFI System Partition - conventionally serves as the /boot file system. The uEFI - standard requires a specific GPT partition type and a specific file system type for this - partition. -
  • -
  • - RHEL 8 uses the Boot Loader Specification (BLS) for - system boot entries. This specification requires that the /boot - file system is readable by the platform firmware. On EFI systems, the platform firmware can - read only the /boot configuration defined by the uEFI standard. -
  • -
  • - The support for LVM logical volumes in the GRUB 2 boot loader is incomplete. Red Hat does - not plan to improve the support because the number of use cases for the feature is - decreasing due to standards such as uEFI and BLS. -
  • -
-
-

- Red Hat does not plan to support /boot on LVM. Instead, Red Hat - provides tools for managing system snapshots and rollback that do not need the /boot file system to be placed on an LVM logical volume. -

-

- (BZ#1496229) -

-
-

LVM no longer allows creating volume groups with mixed block sizes -

-

- LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where the - physical volumes (PVs) have different logical block sizes. LVM has adopted this change because - file systems fail to mount if you extend the underlying logical volume (LV) with a PV of a - different block size. -

-
-

- To re-enable creating VGs with mixed block sizes, set the allow_mixed_block_sizes=1 option in the lvm.conf file. -

-

- (BZ#1768536) -

-
-

The GRUB retries to access the disk after initial failures during - boot

-

- Sometimes, Storage Area Networks (SANs) fail to acknowledge the open and read disk calls. Previously, - the GRUB tool used to enter into the grub_rescue prompt resulting - in the boot failure. With this update, GRUB retries to access the disk up to 20 times after the - initial call to open and read the disk fails. If the GRUB tool is still unable to open or read - the disk after these attempts, it will enter into the grub_rescue - mode. -

-
-

- (BZ#1987087) -

-
-

XFS quota warnings are triggered too often

-

- Using the quota timer results in quota warnings triggering too often, which causes soft quotas - to be enforced faster than they should. To work around this problem, do not use soft quotas, - which will prevent triggering warnings. As a result, the amount of warning messages will not - enforce soft quota limit anymore, respecting the configured timeout. -

-
-

- (BZ#2059262) -

-
-
-
-
-
-

10.11. Dynamic programming languages, web and database servers

-
-
-
-
-

MariaDB 10.5 does not warn about dropping a - non-existent table when the OQGraph plug-in is enabled -

-

- When the OQGraph storage engine plug-in is loaded to the MariaDB 10.5 server, MariaDB does not - warn about dropping a non-existent table. In particular, when the user attempts to drop a - non-existent table using the DROP TABLE or DROP TABLE IF EXISTS SQL commands, MariaDB neither returns an error message nor logs a warning. -

-
-

- Note that the OQGraph plug-in is provided by the mariadb-oqgraph-engine package, which is not installed by default. -

-

- (BZ#1944653) -

-
-

PAM plug-in version 1.0 does not work in MariaDB

-

- MariaDB 10.3 provides the Pluggable Authentication Modules (PAM) - plug-in version 1.0. MariaDB 10.5 provides the plug-in versions 1.0 - and 2.0, version 2.0 is the default. -

-
-

- The MariaDB PAM plug-in version 1.0 does not work in RHEL 8. To work - around this problem, use the PAM plug-in version 2.0 provided by the mariadb:10.5 module stream. -

-

- (BZ#1942330) -

-
-

getpwnam() might fail when called by a 32-bit - application

-

- When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, - manually install the missing package by using the yum install nss_nis.i686 command. -

-
-

- (BZ#1803161) -

-
-

Symbol conflicts between OpenLDAP libraries might cause crashes in httpd

-

- When both the libldap and libldap_r - libraries provided by OpenLDAP are loaded and used within a single process, symbol conflicts - between these libraries might occur. Consequently, Apache httpd - child processes using the PHP ldap extension might terminate - unexpectedly if the mod_security or mod_auth_openidc modules are also loaded by the httpd configuration. -

-
-

- Since the RHEL 8.3 update to the Apache Portable Runtime (APR) library, you can work around the - problem by setting the APR_DEEPBIND environment variable, which enables - the use of the RTLD_DEEPBIND dynamic linker option when loading httpd modules. When the APR_DEEPBIND - environment variable is enabled, crashes no longer occur in httpd - configurations that load conflicting libraries. -

-

- (BZ#1819607) -

-
-
-
-
-
-

10.12. Compilers and development tools

-
-
-
-
-

Using CryptBlocks multiple times over the same input stream leads to - incorrect encryption

-

- When Go FIPS mode is enabled, AES CBC CryptBlocks incorrectly re-initializes the initialization - vector. As a result, using CryptBlocks multiple times over the input stream encrypts files - incorrectly. To work around this issue, do not reinitialize IV in the aes-cbc interface. This action allows files to be encrypted - correctly. -

-
-

- (BZ#1972825) -

-
-
-
-
-
-

10.13. Identity Management

-
-
-
-
-

Windows Server 2008 R2 and earlier no longer supported

-

- In RHEL 8.4 and later, Identity Management (IdM) does not support establishing trust to Active - Directory with Active Directory domain controllers running Windows Server 2008 R2 or earlier - versions. RHEL IdM now requires SMB encryption when establishing the trust relationship, which - is only available with Windows Server 2012 or later. -

-
-

- (BZ#1971061) -

-
-

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System -

-

- Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of - Certificate System. As a consequence, Certificate System might become unstable and manual steps - are required to recover the system. -

-
-

- (BZ#1729215) -

-
-

FreeRADIUS silently truncates Tunnel-Passwords longer than 249 - characters

-

- If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently truncates - it. This may lead to unexpected password incompatibilities with other systems. -

-
-

- To work around the problem, choose a password that is 249 characters or fewer. -

-

- (BZ#1723362) -

-
-

The /var/log/lastlog sparse file on IdM hosts - can cause performance problems

-

- During the IdM installation, a range of 200,000 UIDs from a total of 10,000 possible ranges is - randomly selected and assigned. Selecting a random range in this way significantly reduces the - probability of conflicting IDs in case you decide to merge two separate IdM domains in the - future. -

-
-

- However, having high UIDs can create problems with the /var/log/lastlog - file. For example, if a user with the UID of 1280000008 logs in to an IdM client, the local /var/log/lastlog file size increases to almost 400 GB. Although the - actual file is sparse and does not use all that space, certain applications are not designed to - identify sparse files by default and may require a specific option to handle them. For example, if - the setup is complex and a backup and copy application does not handle sparse files correctly, the - file is copied as if its size was 400 GB. This behavior can cause performance problems. -

-

- To work around this problem: -

-
-
    -
  • - In case of a standard package, refer to its documentation to identify the option that - handles sparse files. -
  • -
  • - In case of a custom application, ensure that it is able to manage sparse files such as /var/log/lastlog correctly. -
  • -
-
-

- (JIRA:RHELPLAN-59111) -

-
-

FIPS mode does not support using a shared secret to establish a - cross-forest trust

-

- Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP - authentication is not FIPS-compliant. To work around this problem, authenticate with an Active - Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS - mode enabled and an AD domain. -

-
-

- (BZ#1924707) -

-
-

FreeRADIUS server fails to run in FIPS mode

-

- By default, in FIPS mode, OpenSSL disables the use of the MD5 digest algorithm. As the RADIUS - protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, this - causes the FreeRADIUS server to fail in FIPS mode. -

-
-

- To work around this problem, follow these steps: -

-
-

Procedure

-
    -
  1. -

    - Create the environment variable, RADIUS_MD5_FIPS_OVERRIDE - for the radiusd service: -

    -
    systemctl edit radiusd
    -
    -[Service]
    -Environment=RADIUS_MD5_FIPS_OVERRIDE=1
    -
  2. -
  3. -

    - To apply the change, reload the systemd configuration and - start the radiusd service: -

    -
    # systemctl daemon-reload
    -# systemctl start radiusd
    -
  4. -
  5. -

    - To run FreeRADIUS in debug mode: -

    -
    # RADIUS_MD5_FIPS_OVERRIDE=1 radiusd -X
    -
  6. -
-
-

- Note that though FreeRADIUS can run in FIPS mode, this does not mean that it is FIPS compliant as it - uses weak ciphers and functions when in FIPS mode. -

-

- For more information on configuring FreeRADIUS authentication in FIPS mode, see How to configure FreeRADIUS authentication in - FIPS mode. -

-

- (BZ#1958979) -

-
-

Actions required when running Samba as a print server

-

- With this update, the samba package no longer creates the /var/spool/samba/ directory. If you use Samba as a print server and - use /var/spool/samba/ in the [printers] share to spool print jobs, SELinux prevents Samba users - from creating files in this directory. Consequently, print jobs fail and the auditd service logs a denied message in - /var/log/audit/audit.log. To avoid this problem after updating your - system to RHEL 8.5: -

-
-
-
    -
  1. - Search the [printers] share in the /etc/samba/smb.conf file. -
  2. -
  3. - If the share definition contains path = /var/spool/samba/, - update the setting and set the path parameter to /var/tmp/. -
  4. -
  5. -

    - Restart the smbd service: -

    -
    # systemctl restart smbd
    -
  6. -
-
-

- If you newly installed Samba on RHEL 8.5, no action is required. The default /etc/samba/smb.conf file provided by the samba-common package on RHEL 8.5 already uses the /var/tmp/ directory to spool print jobs. -

-

- (BZ#2009213) -

-
-

The default keyword for enabled ciphers in the - NSS does not work in conjunction with other ciphers

-

- In Directory Server you can use the default keyword to refer to the - default ciphers enabled in the network security services (NSS). However, if you want to enable - the default ciphers and additional ones using the command line or web console, Directory Server - fails to resolve the default keyword. As a consequence, the server - enables only the additionally specified ciphers and logs the following error: -

-
-
Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,+__cipher_name__>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
-

- As a workaround, specify all ciphers that are enabled by default in NSS including the ones you want - to additionally enable. -

-

- (BZ#1817505) -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- (JIRA:RHELPLAN-155168) -

-
-
-
-
-
-

10.14. Desktop

-
-
-
-
-

Disabling flatpak repositories from Software - Repositories is not possible

-

- Currently, it is not possible to disable or remove flatpak - repositories in the Software Repositories tool in the GNOME Software utility. -

-
-

- (BZ#1668760) -

-
-

Drag-and-drop does not work between desktop and applications

-

- Due to a bug in the gnome-shell-extensions package, the - drag-and-drop functionality does not currently work between desktop and applications. Support - for this feature will be added back in a future release. -

-
-

- (BZ#1717947) -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft - Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. - In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, use - Hyper-V Server 2019 as the host. -

-

- (BZ#1583445) -

-
-

Current limitations of Flatpak

-

- You can install certain applications using the Flatpak package manager. However, Flatpak is currently missing certain functions - or features. Notably: -

-
-
-
    -
  • - Flatpak is missing CVEs and changelog - functionality parity. Using the GNOME - Software application for Flatpak applications currently provides no - information about the respective package or any CVEs. -
  • -
  • - GPG key checking is disabled by default when adding Red Hat Flatpak remote repositories. -
  • -
  • - Flatpak applications do not have unique - icons. In Gnome Software, an application - shows both the rpm and Flatpak versions. As a workaround, you can - find the application origin by clicking Show - Details on the respective icon. -
  • -
  • - Flatpak applications are unable to - process Kerberos tickets. -
  • -
  • - Printing from Flatpak applications is - currently unavailable. -
  • -
  • - Red Hat Flatpak remote is not - automatically added. To enable them, follow the instructions in the product documentation: - Enabling - the Red Hat Flatpak remote -
  • -
-
-

- (JIRA:RHELPLAN-100230) -

-
-
-
-
-
-

10.15. Graphics infrastructures

-
-
-
-
-

Multiple HDR displays on a single MST topology may not power on -

-

- On systems using NVIDIA Turing GPUs with the nouveau driver, using - a DisplayPort hub (such as a laptop dock) with multiple monitors - which support HDR plugged into it may result in failure to turn on. This is due to the system - erroneously thinking there is not enough bandwidth on the hub to support all of the displays. -

-
-

- (BZ#1812577) -

-
-

radeon fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in the - kexec context correctly. Instead, radeon falls over, which causes - the rest of the kdump service to fail. -

-
-

- To work around this problem, disable radeon in kdump by adding the following line to the /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the machine and kdump. After starting - kdump, the force_rebuild 1 line may be removed from the configuration file. -

-

- Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully. -

-

- (BZ#1694705) -

-
-

GUI in ESXi might crash due to low video memory

-

- The graphical user interface (GUI) on RHEL virtual machines (VMs) in the VMware ESXi 7.0.1 - hypervisor with vCenter Server 7.0.1 requires a certain amount of video memory. If you connect - multiple consoles or high-resolution monitors to the VM, the GUI requires least 16 MB of video - memory. If you start the GUI with less video memory, the GUI might terminate unexpectedly. -

-
-

- To work around the problem, configure the hypervisor to assign at least 16 MB of video memory to the - VM. As a result, the GUI on the VM no longer crashes. -

-

- (BZ#1910358) -

-
-

VNC Viewer displays wrong colors with the 16-bit color depth on IBM - Z

-

- The VNC Viewer application displays wrong colors when you connect to a VNC session on an IBM Z - server with the 16-bit color depth. -

-
-

- To work around the problem, set the 24-bit color depth on the VNC server. With the Xvnc server, replace the -depth 16 option - with -depth 24 in the Xvnc configuration. -

-

- As a result, VNC clients display the correct colors but use more network bandwidth with the server. -

-

- (BZ#1886147) -

-
-

Matrox GPU with a VGA display shows no output

-

- Your display might show no graphical output if you use the following system configuration: -

-
-
-
    -
  • - A GPU in the Matrox MGA G200 family -
  • -
  • - A display connected over the VGA controller -
  • -
  • - UEFI switched to legacy mode -
  • -
-
-

- As a consequence, you cannot use or install RHEL on this configuration. -

-

- To work around the problem, use the following procedure: -

-
-
    -
  1. - Boot the system to the boot loader menu. -
  2. -
  3. - Add the nomodeset option to the kernel command line. -
  4. -
-
-

- As a result, RHEL boots and shows graphical output as expected, but the maximum resolution is - limited. -

-

- (BZ#1953926) -

-
-

Unable to run graphical applications using sudo command

-

- When trying to run graphical applications as a user with elevated privileges, the application - fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority - file to use regular user credentials for authentication. -

-
-

- To work around this problem, use the sudo -E command to run graphical - applications as a root user. -

-

- (BZ#1673073) -

-
-

Hardware acceleration is not supported on ARM

-

- Built-in graphics drivers do not support hardware acceleration or the Vulkan API on the 64-bit - ARM architecture. -

-
-

- To enable hardware acceleration or Vulkan on ARM, install the proprietary Nvidia driver. -

-

- (JIRA:RHELPLAN-57914) -

-
-
-
-
-
-

10.16. Virtualization

-
-
-
-
-

Hot unplugging an IBMVFC device on PowerVM fails

-

- When using a virtual machine (VM) with a RHEL 8 guest operating system on the PowerVM - hypervisor, attempting to remove an IBM Power Virtual Fibre Channel (IBMVFC) device from the - running VM currently fails. Instead, it displays an outstanding translation error. -

-
-

- To work around this problem, remove the IBMVFC device when the VM is shut down. -

-

- (BZ#1959020) -

-
-

IBM POWER hosts may crash when using the ibmvfc driver

-

- When running RHEL 8 on a PowerVM logical partition (LPAR), a variety of errors may currently - occur due to problems with the ibmvfc driver. As a consequence, the - host’s kernel may panic under certain circumstances, such as: -

-
-
-
    -
  • - Using the Live Partition Mobility (LPM) feature -
  • -
  • - Resetting a host adapter -
  • -
  • - Using SCSI error handling (SCSI EH) functions -
  • -
-
-

- (BZ#1961722) -

-
-

Using perf kvm record on IBM POWER Systems can - cause the VM to crash

-

- When using a RHEL 8 host on the little-endian variant of IBM POWER hardware, using the perf kvm record command to collect trace event samples for a KVM - virtual machine (VM) in some cases results in the VM becoming unresponsive. This situation - occurs when: -

-
-
-
    -
  • - The perf utility is used by an unprivileged user, and the -p option is used to identify the VM - for example perf kvm record -e trace_cycles -p 12345. -
  • -
  • - The VM was started using the virsh shell. -
  • -
-
-

- To work around this problem, use the perf kvm utility with the -i option to monitor VMs that were created using the virsh shell. For example: -

-
# perf kvm record -e trace_imc/trace_cycles/  -p <guest pid> -i
-

- Note that when using the -i option, child tasks do not inherit - counters, and threads will therefore not be monitored. -

-

- (BZ#1924016) -

-
-

Attaching LUN devices to virtual machines using virtio-blk does not - work

-

- The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore - lacks support for features that were deprecated in virtio 1.0. In particular, it is not possible - on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, attaching a - physical disk as a LUN device to a virtual machine fails when using the virtio-blk controller. -

-
-

- Note that physical disks can still be passed through to the guest operating system, but they should - be configured with the device='disk' option rather than device='lun'. -

-

- (BZ#1777138) -

-
-

Virtual machines with iommu_platform=on fail - to start on IBM POWER

-

- RHEL 8 currently does not support the iommu_platform=on parameter - for virtual machines (VMs) on IBM POWER system. As a consequence, starting a VM with this - parameter on IBM POWER hardware results in the VM becoming unresponsive during the boot process. -

-
-

- (BZ#1910848) -

-
-

Windows Server 2016 virtual machines with Hyper-V enabled fail to boot when - using certain CPU models

-

- Currently, it is not possible to boot a virtual machine (VM) that uses Windows Server 2016 as - the guest operating system, has the Hyper-V role enabled, and uses one of the following CPU - models: -

-
-
-
    -
  • - EPYC-IBPB -
  • -
  • - EPYC -
  • -
-
-

- To work around this problem, use the EPYC-v3 CPU - model, or manually enable the xsaves CPU flag - for the VM. -

-

- (BZ#1942888) -

-
-

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails -

-

- Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes - unresponsive with a Migration status: active status. -

-
-

- To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which - enables the migration to complete successfully. -

-

- (BZ#1741436) -

-
-

Using virt-customize sometimes causes guestfs-firstboot to fail

-

- After modifying a virtual machine (VM) disk image using the virt-customize utility, the guestfs-firstboot service in some cases fails due to incorrect - SELinux permissions. This causes a variety of problems during VM startup, such as failing user - creation or system registration. -

-
-

- To avoid this problem, add the --selinux-relabel option to the virt-customize command. -

-

- (BZ#1554735) -

-
-

Deleting a forward interface from a macvtap virtual network resets all - connection counts of this network

-

- Currently, deleting a forward interface from a macvtap virtual - network with multiple forward interfaces also resets the connection status of the other forward - interfaces of the network. As a consequence, the connection information in the live network XML - is incorrect. Note, however, that this does not affect the functionality of the virtual network. - To work around the issue, restart the libvirtd service on your - host. -

-
-

- (BZ#1332758) -

-
-

Virtual machines with SLOF fail to boot in netcat interfaces

-

- When using a netcat (nc) interface to access the console of a - virtual machine (VM) that is currently waiting at the Slimline Open Firmware (SLOF) prompt, the - user input is ignored and VM stays unresponsive. To work around this problem, use the nc -C option when connecting to the VM, or use a telnet interface - instead. -

-
-

- (BZ#1974622) -

-
-

Mounting virtiofs directories fails in certain - circumstances on RHEL 8 guests

-

- Currently, when using the virtiofs feature to provide a host - directory to a virtual machine (VM), mounting the directory on the VM fails with an "Operation - not supported" error if the VM is using a RHEL 8.4 kernel but a RHEL 8.5 selinux-policy package. -

-
-

- To work around this issue, reboot the guest and boot it into the latest available kernel on the - guest. -

-

- (BZ#1995558) -

-
-

Virtual machines sometimes fail to start when using many virtio-blk - disks

-

- Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of - interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to boot, - and displays a dracut-initqueue[392]: Warning: Could not boot - error. -

-
-

- (BZ#1719687) -

-
-

SMT CPU topology is not detected by VMs when using host passthrough mode on - AMD EPYC

-

- When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the - TOPOEXT CPU feature flag is not present. Consequently, the VM is - not able to detect a virtual CPU topology with multiple threads per core. To work around this - problem, boot the VM with the EPYC CPU model instead of host passthrough. -

-
-

- (BZ#1740002) -

-
-
-
-
-
-

10.17. RHEL in cloud environments

-
-
-
-
-

Setting static IP in a RHEL 8 virtual machine on a VMware host does not - work

-

- Currently, when using RHEL 8 as a guest operating system of a virtual machine (VM) on a VMware - host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then - reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- (BZ#1750862) -

-
-

kdump sometimes does not start on Azure and Hyper-V

-

- On RHEL 8 guest operating systems hosted on the Microsoft Azure or Hyper-V hypervisors, starting - the kdump kernel in some cases fails when post-exec notifiers are - enabled. -

-
-

- To work around this problem, disable crash kexec post notifiers: -

-
# echo N > /sys/module/kernel/parameters/crash_kexec_post_notifiers
-

- (BZ#1865745) -

-
-

The SCSI host address sometimes changes when booting a Hyper-V VM with - multiple guest disks

-

- Currently, when booting a RHEL 8 virtual machine (VM) on the Hyper-V hypervisor, the host - portion of the Host, Bus, Target, Lun (HBTL) SCSI address - in some cases changes. As a consequence, automated tasks set up with the HBTL SCSI - identification or device node in the VM do not work consistently. This occurs if the VM has more - than one disk or if the disks have different sizes. -

-
-

- To work around the problem, modify your kickstart files, using one of the following methods: -

-

- Method 1: Use persistent identifiers for SCSI - devices. -

-

- You can use for example the following powershell script to determine the specific device - identifiers: -

-
# Output what the /dev/disk/by-id/<value> for the specified hyper-v virtual disk.
-# Takes a single parameter which is the virtual disk file.
-# Note: kickstart syntax works with and without the /dev/ prefix.
-param (
-    [Parameter(Mandatory=$true)][string]$virtualdisk
-)
-
-$what = Get-VHD -Path $virtualdisk
-$part = $what.DiskIdentifier.ToLower().split('-')
-
-$p = $part[0]
-$s0 = $p[6] + $p[7] + $p[4] + $p[5] + $p[2] + $p[3] + $p[0] + $p[1]
-
-$p = $part[1]
-$s1 =  $p[2] + $p[3] + $p[0] + $p[1]
-
-[string]::format("/dev/disk/by-id/wwn-0x60022480{0}{1}{2}", $s0, $s1, $part[4])
-

- You can use this script on the hyper-v host, for example as follows: -

-
PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_8.vhdx
-/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_9.vhdx
-/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-

- Afterwards, the disk values can be used in the kickstart file, for example as follows: -

-
part / --fstype=xfs --grow --asprimary --size=8192 --ondisk=/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-part /home --fstype="xfs" --grow --ondisk=/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-

- As these values are specific for each virtual disk, the configuration needs to be done for each VM - instance. It may, therefore, be useful to use the %include syntax to - place the disk information into a separate file. -

-

- Method 2: Set up device selection by size. -

-

- A kickstart file that configures disk selection based on size must include lines similar to the - following: -

-
...
-
-# Disk partitioning information is supplied in a file to kick start
-%include /tmp/disks
-
-...
-
-# Partition information is created during install using the %pre section
-%pre --interpreter /bin/bash --log /tmp/ks_pre.log
-
-	# Dump whole SCSI/IDE disks out sorted from smallest to largest ouputting
-	# just the name
-	disks=(`lsblk -n -o NAME -l -b -x SIZE -d -I 8,3`) || exit 1
-
-	# We are assuming we have 3 disks which will be used
-	# and we will create some variables to represent
-	d0=${disks[0]}
-	d1=${disks[1]}
-	d2=${disks[2]}
-
-	echo "part /home --fstype="xfs" --ondisk=$d2 --grow" >> /tmp/disks
-	echo "part swap --fstype="swap" --ondisk=$d0 --size=4096" >> /tmp/disks
-	echo "part / --fstype="xfs" --ondisk=$d1 --grow" >> /tmp/disks
-	echo "part /boot --fstype="xfs" --ondisk=$d1 --size=1024" >> /tmp/disks
-
-%end
-

- (BZ#1906870) -

-
-
-
-
-
-

10.18. Supportability

-
-
-
-
-

redhat-support-tool does not work with the - FUTURE crypto policy

-

- Because a cryptographic key used by a certificate on the Customer Portal API does not meet the - requirements by the FUTURE system-wide cryptographic policy, the - redhat-support-tool utility does not work with this policy level at - the moment. -

-
-

- To work around this problem, use the DEFAULT crypto policy while - connecting to the Customer Portal API. -

-

- (BZ#1802026) -

-
-
-
-
-
-

10.19. Containers

-
-
-
-
-

Rootless containers with fuse-overlayfs do not recognize removed - files

-

- In RHEL 8.4 and earlier, rootless images and containers were created or stored using the - fuse-overlayfs file system. Using such images and containers in RHEL 8.5 and later might - introduce problems for unprivileged users using the overlayfs implementation provided by the - kernel and who had removed files or directories from a container or from an image in RHEL 8.4. - This issue does not apply to containers created by the root account. -

-
-

- For example, files or directories that are to be removed from a container or from an image are - marked as such using the whiteout format when using the fuse-overlayfs file system. However, due to - differences in the format, the kernel overlayfs implementation does not recognize the whiteout - format created by fuse-overlayfs. As a result, any removed files or directories still appear. This - problem does not apply to containers that were created by the root account. -

-

- To work around this problem, use one of the following options: -

-
-
    -
  1. - Remove all of the unprivileged user’s containers and images using the podman unshare rm -rf $HOME/.local/share/containers/* command. - When a user next runs Podman, the $HOME/.local/share/containers - directory is recreated, and they will need to recreate their containers. -
  2. -
  3. - Continue to run the podman command as a rootless user. The - first time an updated version of podman is invoked on the - system, it scans all of the files in the $HOME/.local/share/containers directory, and detects whether or - not to use fuse-overlayfs. Podman records the result of the scan so that it will not re-run - the scan later. As a result, the removed files do not appear. -
  4. -
-
-

- The time required to detect if fuse-overlayfs is still necessary is dependent on the number of files - and directories in the containers and images that need to be scanned. -

-

- (JIRA:RHELPLAN-92741) -

-
-

Running systemd within an older container image does not work

-

- Running systemd within an older container image, for example, centos:7, does not work: -

-
-
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd
- Storing signatures
- Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
- [!!!!!!] Failed to mount API filesystems, freezing.
-

- To work around this problem, use the following commands: -

-
# mkdir /sys/fs/cgroup/systemd
-# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
-# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
-

- (JIRA:RHELPLAN-96940) -

-
-

Container images signed with a Beta GPG key can not be pulled

-

- Currently, when you try to pull RHEL Beta container images, podman - exits with the error message: Error: Source image rejected: None of the signatures were accepted. - The images fail to be pulled due to current builds being configured to not trust the RHEL Beta - GPG keys by default. -

-
-

- As a workaround, ensure that the Red Hat Beta GPG key is stored on your local system and update the - existing trust scope with the podman image trust set command for the - appropriate beta namespace. -

-

- If you do not have the Beta GPG key stored locally, you can pull it by running the following - command: -

-
sudo wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta https://www.redhat.com/security/data/f21541eb.txt
-

- To add the Beta GPG key as trusted to your namespace, use one of the following commands: -

-
$ sudo podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta registry.access.redhat.com/namespace
-

- and -

-
$ sudo podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta registry.redhat.io/namespace
-

- Replace namespace with ubi9-beta or rhel9-beta. -

-

- (BZ#2020301) -

-
-
-
-
-
-
-

Chapter 11. Internationalization

-
-
-
-
-
-
-
-

11.1. Red Hat Enterprise Linux 8 international languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangul -

-
-
-
-
-
-
-
-

11.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • - Internationalization is distributed in multiple packages, which allows for smaller footprint - installations. For more information, see Using - langpacks. -
  • -
  • - A number of glibc locales have been synchronized with Unicode - Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA IDs are listed in this document for reference. Bugzilla bugs that are publicly - accessible include a link to the ticket. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- BZ#1898541, BZ#1951020, BZ#1938239, BZ#1947044, - BZ#1626633, BZ#1812286, BZ#1850664, - BZ#1944494, BZ#1895460, BZ#1817505 -

-
-

- NetworkManager -

-
-

- BZ#1912236, BZ#1899372, BZ#1942331, BZ#1934465, - BZ#1548825, BZ#1920398 -

-
-

- SLOF -

-
-

- BZ#1910848 -

-
-

- accel-config -

-
-

- BZ#1843266 -

-
-

- accountsservice -

-
-

- BZ#1812788 -

-
-

- anaconda -

-
-

- BZ#1914955, BZ#1931069, BZ#1903786, - BZ#1954408, BZ#1821192, BZ#1822880, BZ#1929105, BZ#1897657 -

-
-

- ansible-collection-redhat-rhel_mgmt -

-
-

- BZ#1843859 -

-
-

- apr -

-
-

- BZ#1819607 -

-
-

- bpftrace -

-
-

- BZ#1944716 -

-
-

- brltty -

-
-

- BZ#2008197 -

-
-

- chrony -

-
-

- BZ#1939295, BZ#1895003 -

-
-

- cloud-init -

-
-

- BZ#1957532, BZ#1750862 -

-
-

- cmake -

-
-

- BZ#1957947 -

-
-

- cockpit -

-
-

- BZ#1666722 -

-
-

- container-tools-rhel8-module -

-
-

- BZ#2009153 -

-
-

- containers-common -

-
-

- BZ#2020301, BZ#2019901 -

-
-

- coreutils -

-
-

- BZ#2030661 -

-
-

- corosync-qdevice -

-
-

- BZ#1784200 -

-
-

- crash -

-
-

- BZ#1906482 -

-
-

- createrepo_c -

-
-

- BZ#1973588 -

-
-

- crypto-policies -

-
-

- BZ#1960266, - BZ#1876846, BZ#1933016, BZ#1919155, BZ#1660839 -

-
-

- distribution -

-
-

- BZ#1953991, BZ#1657927 -

-
-

- dotnet6.0 -

-
-

- BZ#2022794 -

-
-

- dracut -

-
-

- BZ#1929201 -

-
-

- dwz -

-
-

- BZ#1948709 -

-
-

- dyninst -

-
-

- BZ#1933893, BZ#1957942 -

-
-

- edk2 -

-
-

- BZ#1741615, BZ#1935497 -

-
-

- elfutils -

-
-

- BZ#1933890, BZ#1957225 -

-
-

- fence-agents -

-
-

- BZ#1775847 -

-
-

- firewalld -

-
-

- BZ#1872702, - BZ#1492722, BZ#1871860 -

-
-

- freeradius -

-
-

- BZ#1954521, BZ#1977572, BZ#1723362, BZ#1958979 -

-
-

- gcc-toolset-11-gdb -

-
-

- BZ#1954332 -

-
-

- gcc-toolset-11 -

-
-

- BZ#1953094 -

-
-

- gcc -

-
-

- BZ#1974402, BZ#1946758, - BZ#1946782, BZ#1927516, BZ#1979715 -

-
-

- gdb -

-
-

- BZ#1854784, BZ#1853140 -

-
-

- glibc -

-
-

- BZ#1934155, BZ#1912670, BZ#1930302 -

-
-

- gnome-shell-extensions -

-
-

- BZ#1717947 -

-
-

- gnome-shell -

-
-

- BZ#1935261, BZ#1651378 -

-
-

- gnome-software -

-
-

- BZ#1668760 -

-
-

- gnutls -

-
-

- BZ#1965445, - BZ#1956783, BZ#1628553 -

-
-

- go-toolset -

-
-

- BZ#1938071 -

-
-

- golang -

-
-

- BZ#1979100, BZ#1972825 -

-
-

- grafana-container -

-
-

- BZ#1971557 -

-
-

- grafana-pcp -

-
-

- BZ#1921190 -

-
-

- grafana -

-
-

- BZ#1921191 -

-
-

- grub2 -

-
-

- BZ#1583445 -

-
-

- hwloc -

-
-

- BZ#1917560 -

-
-

- ipa -

-
-

- BZ#1924707, BZ#1664719, BZ#1664718 -

-
-

- ipmitool -

-
-

- BZ#1951480 -

-
-

- kernel -

-
-

- BZ#1944639, BZ#1907271, BZ#1902543, BZ#1959772, BZ#1954363, BZ#1924230, BZ#1954024, - BZ#1837389, BZ#1570255, BZ#1938339, BZ#1865745, BZ#1836058, BZ#1906870, BZ#1934033, - BZ#1924016, BZ#1942888, BZ#1868526, BZ#1812577, BZ#1694705, BZ#1910358, BZ#1953926, - BZ#1730502, BZ#1930576, BZ#1609288, BZ#1793389, BZ#1654962, BZ#1666538, BZ#1602962, - BZ#1940674, BZ#1920086, BZ#1971506, BZ#1605216, BZ#1519039, BZ#1627455, BZ#1501618, - BZ#1633143, BZ#1814836, BZ#1696451, BZ#1348508, BZ#1839311, BZ#1783396, - JIRA:RHELPLAN-57712, BZ#1837187, BZ#1904496, BZ#1660337, BZ#1905243, BZ#1878207, - BZ#1665295, BZ#1871863, BZ#1569610, BZ#1794513 -

-
-

- kexec-tools -

-
-

- BZ#1922951, BZ#1879558, BZ#1854037, BZ#1931266, BZ#2004000 -

-
-

- krb5 -

-
-

- BZ#1956388, BZ#1877991 -

-
-

- libcomps -

-
-

- BZ#1960616 -

-
-

- libgcrypt -

-
-

- BZ#1976137 -

-
-

- libgnome-keyring -

-
-

- BZ#1607766 -

-
-

- libguestfs -

-
-

- BZ#1554735 -

-
-

- libmodulemd -

-
-

- BZ#1894573, BZ#1984402 -

-
-

- librepo -

-
-

- BZ#1814383 -

-
-

- libreswan -

-
-

- BZ#1958968, BZ#1934058, BZ#1934859, BZ#1989050 -

-
-

- libselinux-python-2.8-module -

-
-

- BZ#1666328 -

-
-

- libservicelog -

-
-

- BZ#1844430 -

-
-

- libvirt -

-
-

- BZ#1664592, BZ#1332758, - BZ#1528684 -

-
-

- linuxptp -

-
-

- BZ#1895005 -

-
-

- llvm-toolset -

-
-

- BZ#1927937 -

-
-

- lsvpd -

-
-

- BZ#1844428 -

-
-

- lvm2 -

-
-

- BZ#1899214, - BZ#1496229, BZ#1768536 -

-
-

- mariadb-connector-odbc -

-
-

- BZ#1944692 -

-
-

- mariadb -

-
-

- BZ#1944653, BZ#1942330 -

-
-

- mesa -

-
-

- BZ#1886147 -

-
-

- modulemd-tools -

-
-

- BZ#1924850 -

-
-

- mutt -

-
-

- BZ#1912614 -

-
-

- net-snmp -

-
-

- BZ#1919714 -

-
-

- nfs-utils -

-
-

- BZ#1868087, BZ#1592011 -

-
-

- nginx -

-
-

- BZ#1945671 -

-
-

- nispor -

-
-

- BZ#1848817 -

-
-

- nodejs-16-container -

-
-

- BZ#2001020 -

-
-

- nss_nis -

-
-

- BZ#1803161 -

-
-

- nss -

-
-

- BZ#1817533, - BZ#1645153 -

-
-

- opal-prd -

-
-

- BZ#1921665 -

-
-

- opencryptoki -

-
-

- BZ#1919223 -

-
-

- opencv -

-
-

- BZ#1886310 -

-
-

- openmpi -

-
-

- BZ#1866402 -

-
-

- opensc -

-
-

- BZ#1947025 -

-
-

- openscap -

-
-

- BZ#1959570, BZ#1953092, BZ#1966612 -

-
-

- openslp -

-
-

- BZ#1965649 -

-
-

- openssl -

-
-

- BZ#1810911 -

-
-

- osbuild-composer -

-
-

- BZ#1945238, BZ#1937854, BZ#1915351, BZ#1951964 -

-
-

- oscap-anaconda-addon -

-
-

- BZ#1691305, BZ#1674001, BZ#1843932, - BZ#1665082 -

-
-

- pacemaker -

-
-

- BZ#1948620, BZ#1443666 -

-
-

- papi -

-
-

- BZ#1908126 -

-
-

- pcp-container -

-
-

- BZ#1974912 -

-
-

- pcp -

-
-

- BZ#1922040, BZ#1879350, - BZ#1629455 -

-
-

- pcs -

-
-

- BZ#1839637, BZ#1872378, BZ#1909901, BZ#1885293, BZ#1290830, - BZ#1619620, BZ#1847102, BZ#1851335 -

-
-

- pg_repack -

-
-

- BZ#1967193 -

-
-

- php -

-
-

- BZ#1944110 -

-
-

- pki-core -

-
-

- BZ#1729215 -

-
-

- podman -

-
-

- JIRA:RHELPLAN-77542, JIRA:RHELPLAN-77241, BZ#1934480, - JIRA:RHELPLAN-77238, JIRA:RHELPLAN-77489, JIRA:RHELPLAN-92741 -

-
-

- postfix -

-
-

- BZ#1711885 -

-
-

- powertop -

-
-

- BZ#1834722 -

-
-

- ppc64-diag -

-
-

- BZ#1779206 -

-
-

- pykickstart -

-
-

- BZ#1637872 -

-
-

- qatlib -

-
-

- BZ#1920237 -

-
-

- qemu-kvm -

-
-

- BZ#1740002, BZ#1719687, - BZ#1651994 -

-
-

- quota -

-
-

- BZ#1945408 -

-
-

- rear -

-
-

- BZ#1983013, BZ#1930662, BZ#1958247, BZ#1988493, BZ#1958222, BZ#1983003, BZ#1747468, - BZ#1868421 -

-
-

- redhat-release -

-
-

- BZ#1935177 -

-
-

- redhat-support-tool -

-
-

- BZ#1802026 -

-
-

- restore -

-
-

- BZ#1997366 -

-
-

- rhel-system-roles -

-
-

- BZ#1960375, BZ#1866544, BZ#1961858, BZ#1958963, BZ#1938014, BZ#1954747, BZ#1854187, BZ#1757869, BZ#1990947, BZ#1952090, BZ#1994580, BZ#1967335, BZ#1966711, BZ#1962976, BZ#1938016, BZ#1986463, BZ#1970664, BZ#1970642, BZ#1848683, BZ#1938020, BZ#1938023, BZ#1957849, BZ#1959649, BZ#1939711, BZ#1943679, BZ#1882475, BZ#1876315, BZ#1894642, BZ#1989199, BZ#1893743 -

-
-

- rpm -

-
-

- BZ#1938928, BZ#1688849 -

-
-

- rsyslog -

-
-

- BZ#1891458, BZ#1932795, BZ#1679512, - JIRA:RHELPLAN-10431 -

-
-

- rt-tests -

-
-

- BZ#1954387 -

-
-

- ruby -

-
-

- BZ#1938942 -

-
-

- rust-toolset -

-
-

- BZ#1945805 -

-
-

- samba -

-
-

- BZ#1944657, - BZ#2009213, JIRA:RHELPLAN-13195, Jira:RHELDOCS-16612 -

-
-

- scap-security-guide -

-
-

- BZ#1857179, BZ#1946252, - BZ#1955373, BZ#1966577, BZ#1970137, BZ#1993056, BZ#1993197, BZ#1876483, BZ#1955183, BZ#1843913, BZ#1858866, BZ#1750755 -

-
-

- selinux-policy -

-
-

- BZ#1994096, BZ#1860443, BZ#1931848, BZ#1947841, - BZ#1461914 -

-
-

- socat -

-
-

- BZ#1947338 -

-
-

- sos -

-
-

- BZ#1928679 -

-
-

- spice -

-
-

- BZ#1849563 -

-
-

- squid -

-
-

- BZ#1964384 -

-
-

- sssd -

-
-

- BZ#1737489, BZ#1879869, BZ#1949149, BZ#1627112, BZ#1947671 -

-
-

- systemtap -

-
-

- BZ#1933889, BZ#1957944 -

-
-

- tboot -

-
-

- BZ#1947839 -

-
-

- tesseract -

-
-

- BZ#1826085 -

-
-

- tss2 -

-
-

- BZ#1822073 -

-
-

- tuned -

-
-

- BZ#1951992 -

-
-

- udftools -

-
-

- BZ#1882531 -

-
-

- udica -

-
-

- BZ#1763210 -

-
-

- usbguard -

-
-

- BZ#2000000 -

-
-

- valgrind -

-
-

- BZ#1933891, BZ#1957226 -

-
-

- vdo -

-
-

- BZ#1949163 -

-
-

- wayland -

-
-

- BZ#1673073 -

-
-

- xfsprogs -

-
-

- BZ#1949743 -

-
-

- xorg-x11-server -

-
-

- BZ#1698565 -

-
-

- other -

-
-

- BZ#2005277, BZ#1839151, - JIRA:RHELPLAN-89566, JIRA:RHELPLAN-92473, JIRA:RHELPLAN-96640, JIRA:RHELPLAN-97145, - BZ#1935686, BZ#1986007, JIRA:RHELPLAN-75166, JIRA:RHELPLAN-76515, - JIRA:RHELPLAN-57941, JIRA:RHELPLAN-85064, JIRA:RHELPLAN-87877, JIRA:RHELPLAN-75164, - BZ#2011448, - JIRA:RHELPLAN-99040, JIRA:RHELPLAN-99049, JIRA:RHELPLAN-99043, JIRA:RHELPLAN-99044, - JIRA:RHELPLAN-99148, JIRA:RHELPLAN-61867, BZ#2013853, BZ#1957316, - JIRA:RHELPLAN-79074, BZ#2019318, - JIRA:RHELPLAN-59528, JIRA:RHELPLAN-95056, BZ#1971061, - BZ#1959020, BZ#1897383, - BZ#1961722, BZ#1777138, BZ#1640697, BZ#1659609, BZ#1687900, - BZ#1697896, BZ#1757877, BZ#1741436, JIRA:RHELPLAN-59111, JIRA:RHELPLAN-27987, - JIRA:RHELPLAN-28940, JIRA:RHELPLAN-34199, JIRA:RHELPLAN-57914, JIRA:RHELPLAN-96940, - BZ#1987087, BZ#1974622, BZ#1995558, BZ#2028361, BZ#1690207, JIRA:RHELPLAN-1212, - BZ#1559616, BZ#1889737, BZ#1812552, - JIRA:RHELPLAN-14047, BZ#1769727, - JIRA:RHELPLAN-27394, JIRA:RHELPLAN-27737, BZ#1906489, - JIRA:RHELPLAN-58596, BZ#1642765, JIRA:RHELPLAN-10304, BZ#1646541, BZ#1647725, BZ#1932222, BZ#1686057, BZ#1748980, BZ#1958250, - JIRA:RHELPLAN-71200, BZ#1827628, JIRA:RHELPLAN-45858, BZ#1871025, BZ#1871953, - BZ#1874892, BZ#1893767, - BZ#1916296, JIRA:RHELPLAN-100400, BZ#1926114, - BZ#1904251, BZ#2011208, - JIRA:RHELPLAN-59825, BZ#1920624, - JIRA:RHELPLAN-70700, BZ#1929173, BZ#2006665, - JIRA:RHELPLAN-98983, BZ#2013335, BZ#2019786, BZ#2009113, BZ#2038929 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.3-3
-
-

- Wed Jun 10 2024, Gabriela Fialova (gfialova@redhat.com) -

-
-
    -
  • - Added an enhancement in BZ#1922312 - (File systems and storage). -
  • -
-
-
-
0.3-2
-
-

- Thu May 9 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.3-1
-
-

- Thu May 9 2024, Gabriela Fialova (gfialova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#1730502 - (Storage). -
  • -
-
-
-
0.3-0
-
-

- Thu Feb 29 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.2-9
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.2-8
-
-

- Tue Nov 7 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Fix broken links. -
  • -
-
-
-
0.2-7
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-6
-
-

- September 8 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
- -
-
-
0.2-5
-
-

- Wed Jun 7 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.2-4
-
-

- Thu Apr 27 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-3
-
-

- Thu Apr 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Fixed 2 broken links in DFs and KIs. -
  • -
-
-
-
0.2-2
-
-

- Mon Jan 30 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a new feature BZ#2164986 - (Networking). -
  • -
-
-
-
0.2-1
-
-

- Thu Dec 08 2022, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2132754 - (Networking). -
  • -
-
-
-
0.2-0
-
-

- Fri Jul 29, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added bug fix BZ#1661674 - (File systems and storage). -
  • -
-
-
-
0.1-9
-
-

- Thu Jun 09, Lucie Vařáková (lmanasko@redhat.com) -

-
-
    -
  • - Added known issue BZ#2059262 (File systems - and storage). -
  • -
  • - Added bug fix BZ#1940468 - (Shells and command-line tools). -
  • -
-
-
-
0.1-8
-
-

- Fri Apr 29, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.1-7
-
-

- Wed Apr 27, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added BZ#2050140 - into Known Issues (Installer). -
  • -
-
-
-
0.1-6
-
-

- Fri Apr 1, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added JIRA:RHELPLAN-57712 moved from - Technology previews to Enhancements (Networking). -
  • -
-
-
-
0.1-5
-
-

- Tue Mar 22, 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
- -
-
-
0.1-5
-
-

- Mon Mar 21, 2022, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Removed BZ#1666538 from Known Issues (Kernel). -
  • -
-
-
-
0.1-4
-
-

- Thu Mar 17, 2022, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Removed BZ#1947839 from Known Issues (Kernel). -
  • -
-
-
-
0.1-3
-
-

- Tue Feb 15, 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
- -
-
-
0.1-2
-
-

- Fri Feb 04 2022, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Updated the list of deprecated packages. -
  • -
  • - Added deprecated functionality BZ#1871863 - (Kernel). -
  • -
  • - Added deprecated functionality BZ#2038929 - (Shells and command-line tools). -
  • -
-
-
-
0.1-1
-
-

- Thu Feb 03 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added deprecated functionality BZ#2009113 (Networking). -
  • -
  • - Added deprecated functionality BZ#1794513 (File systems and storage). -
  • -
-
-
-
0.1-0
-
-

- Tue Feb 01 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added deprecated functionality BZ#1997366 - (Shells and command-line tools). -
  • -
  • - Changed BZ#1664592 from a - known issue to deprecated functionality (Virtualization). -
  • -
-
-
-
0.0-9
-
-

- Thu Jan 27 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added BZ#2030661 to - known issues (Shells and command-line tools). -
  • -
  • - Updated the list of deprecated devices. -
  • -
-
-
-
0.0-8
-
-

- Mon Jan 17 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added BZ#2009153 to new - features (Containers). -
  • -
  • - Added BZ#2028361 - to known issues (Installer and image creation). -
  • -
  • - Updated the list of deprecated devices. -
  • -
-
-
-
0.0-7
-
-

- Tue Dec 21 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added information about the Soft-RoCE driver, rdma_rxe, - to Technology Previews BZ#1605216 and - Deprecated Functionality BZ#1878207 (Kernel). -
  • -
  • - Moved the ubi8/nodejs-16 and ubi8/nodejs-16-minimal container images BZ#2001020 - from Technology Previews to fully supported features (Containers). -
  • -
-
-
-
0.0-6
-
-

- Thu Dec 16 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Moved the nodejs:16 module stream BZ#1953991 from - Technology Previews to fully supported features (Dynamic programming languages, web - and database servers). -
  • -
-
-
-
0.0-5
-
-

- Fri Dec 10 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added deprecated functionality BZ#1827628 (File systems and storage). -
  • -
  • - Added BZ#1654962 to known - issues (Kernel). -
  • -
  • - Other minor updates. -
  • -
-
-
-
0.0-4
-
-

- Mon Nov 22 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Updated new feature BZ#1922951 - (Kernel). -
  • -
  • - Added new feature BZ#1934480 (Containers). -
  • -
  • - Other minor updates. -
  • -
-
-
-
0.0-3
-
-

- Fri Nov 19 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added BZ#1959772 - and BZ#1954363 - to bug fixes (Kernel). -
  • -
  • - Added BZ#1977572 to - bug fixes (Identity Management). -
  • -
  • - Added BZ#2022794 to new features (Compilers - and development tools). -
  • -
  • - Added information about changes to external kernel parameters. -
  • -
-
-
-
0.0-2
-
-

- Wed Nov 17 2021, Prerana Sharma (presharm@redhat.com) -

-
-
    -
  • - Added BZ#1944716 (bpftrace) - in Appendix A. -
  • -
-
-
-
0.0-1
-
-

- Wed Nov 10 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.5 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Wed Oct 06 2021, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.5 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
-
diff --git a/app/data/8.6.html b/app/data/8.6.html
deleted file mode 100644
index 3a20359..0000000
--- a/app/data/8.6.html
+++ /dev/null
@@ -1,18706 +0,0 @@
-
-
-
-
-
Red Hat Enterprise Linux 8.6
-
-

Release Notes for Red Hat Enterprise Linux 8.6

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.6 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
- For information about installing Red Hat Enterprise Linux, see Section 3.1, “Installation”. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your feedback on our documentation. Let us know how we can improve it. -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 8.6

-
-
-
-

Security

-

- In RHEL 8.6, SELinux, the fapolicyd framework, and Policy-Based - Decryption (PBD) for automated unlocking of LUKS-encrypted drives support the SAP HANA database - management system. See the Red Hat - Enterprise Linux Security Hardening Guide for SAP HANA 2.0 Knowledgebase article for more - information. -

-

- Packages for fapolicyd have been upgraded to the upstream version 1.1. - Among other improvements, you can now use the new rules.d/ and trust.d/ directories, the fagenrules script, - and new options for the fapolicyd-cli command. -

-

- OpenSSH servers now support drop-in configuration files. -

-

- The pcsc-lite packages have been rebased to upstream version 1.9.5, - which provides many enhancements and bug fixes. -

-

- You can now verify the versions of installed SELinux policy modules with the newly added --checksum option to the semodule command. -

-

- The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.60, and the - OpenSCAP packages have been rebased to upstream version 1.3.6. -

-

- See New features - Security - for more information. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following components are now available as new module streams: -

-
-
    -
  • - PHP 8.0 -
  • -
  • - Perl 5.32 -
  • -
-
-

- See New features - Dynamic - programming languages, web and database servers for more information. -

-

Compilers and development tools

-
Updated compiler toolsets
-

- The following compiler toolsets have been updated: -

-
-
    -
  • - GCC Toolset 11 -
  • -
  • - LLVM Toolset 13.0.1 -
  • -
  • - Rust Toolset 1.58.1 -
  • -
  • - Go Toolset 1.17.7 -
  • -
-
-

- See New features - Compilers and development tools - for more information. -

-
Java implementations in RHEL 8
-

- The RHEL 8 AppStream repository includes: -

-
-
    -
  • - The java-17-openjdk packages, which provide the OpenJDK 17 Java - Runtime Environment and the OpenJDK 17 Java Software Development Kit. -
  • -
  • - The java-11-openjdk packages, which provide the OpenJDK 11 Java - Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
  • -
  • - The java-1.8.0-openjdk packages, which provide the OpenJDK 8 - Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. -
  • -
-
-

- For more information, see OpenJDK - documentation. -

-
Java tools
-

- RHEL 8.6 introduces a new log4j:2 module, which contains Apache Log4j 2, which is a Java logging utility and a library enabling - you to output log statements to a variety of output targets. -

-

- For more information, see New features - Compilers and development - tools. information. -

-

Identity Management

-

- The ansible-freeipa roles and modules are now available in the Ansible - Automation Hub, which provides fast updates of the ansible-freeipa - content. -

-
-
-
-
-
-

1.2. In-place upgrade and OS conversion

-
-
-
-

In-place upgrade from RHEL 7 to RHEL 8

-

- The supported in-place upgrade paths currently are: -

-
-
    -
  • - From RHEL 7.9 to RHEL 8.4 and RHEL 8.6 on the 64-bit Intel, IBM POWER 8 (little endian), and - IBM Z architectures -
  • -
  • - From RHEL 7.6 to RHEL 8.4 on architectures that require kernel version 4.14: IBM POWER 9 - (little endian) and IBM Z (Structure A). This is the final in-place upgrade path for these - architectures. -
  • -
  • - From RHEL 7.9 to RHEL 8.2 and RHEL 8.6 on systems with SAP HANA on the 64-bit Intel - architecture. To ensure your system with SAP HANA remains supported after upgrading to RHEL - 8.2, enable the RHEL 8.2 Update Services for SAP Solutions (E4S) repositories. -
  • -
-
-

- For more information, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. For instructions on performing an in-place upgrade, see Upgrading - from RHEL 7 to RHEL 8. For instructions on performing an in-place upgrade on systems with - SAP environments, see How to - in-place upgrade SAP environments from RHEL 7 to RHEL 8. -

-

- Notable enhancements include: -

-
-
    -
  • - With the release of RHEL 8.6, multiple upgrade paths are now available for the in-place - upgrade from RHEL 7 to RHEL 8. This allows you to decide which RHEL 8 minor version you want - to upgrade your system to instead of upgrading to the latest RHEL 8 minor version by - default. Note that the available upgrade paths differ between RHEL systems and RHEL systems - with SAP HANA. -
  • -
  • - The Leapp utility now runs significantly faster during the - pre-upgrade and the initial stages of the in-place upgrade. -
  • -
  • -

    - The in-place upgrade is also supported for SAP hosting systems for the following cloud - image types: -

    -
    -
      -
    • - Bring-your-own-subscription (BYOS) systems on any public cloud platform which - uses Red Hat Subscription Manager (RHSM) for a RHEL subscription. -
    • -
    • - Pay-as-you-go (PAYG) instances on Amazon Web Services (AWS) and Microsoft Azure - with Red Hat Update Infrastructure (RHUI). -
    • -
    -
    -
  • -
-
-

In-place upgrade from RHEL 6 to RHEL 8

-

- To upgrade from RHEL 6.10 to RHEL 8, follow instructions in Upgrading - from RHEL 6 to RHEL 8. -

-

In-place upgrade from RHEL 8 to RHEL 9

-

- Instructions on how to perform an in-place upgrade from RHEL 8 to RHEL 9 using the Leapp utility are - provided by the document Upgrading - from RHEL 8 to RHEL 9. Major differences between RHEL 8 and RHEL 9 are documented in Considerations - in adopting RHEL 9. -

-

Conversion from a different Linux - distribution to RHEL

-

- If you are using CentOS Linux 8 or Oracle Linux 8, you can convert your operating system to RHEL 8 - using the Red Hat-supported Convert2RHEL utility. For more - information, see Converting - from an RPM-based Linux distribution to RHEL. -

-

- If you are using an earlier version of CentOS Linux or Oracle Linux, namely versions 6 or 7, you can - convert your operating system to RHEL and then perform an in-place upgrade to RHEL 8. Note that - CentOS Linux 6 and Oracle Linux 6 conversions use the unsupported Convert2RHEL utility. For more information on unsupported conversions, - see How to perform an unsupported - conversion from a RHEL-derived Linux distribution to RHEL. -

-

- For information regarding how Red Hat supports conversions from other Linux distributions to RHEL, - see the Convert2RHEL Support Policy - document. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-
- -
-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.6 is distributed with the kernel version 4.18.0-372, which provides support - for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Binary DVD ISO image is larger than 4.7 GB, and as a result, it might not - fit on a single-layer DVD. A dual-layer DVD or USB key is recommended when using - the Binary DVD ISO image to create bootable installation media. You can also use - the Image Builder tool to create customized RHEL images. For more information - about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 8 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of user - space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.6. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

Image Builder supports customized file system partition on LVM

-

- With this enhancement, if you have more than one partition, you can create images with a - customized file system partition on LVM and resize those partitions at runtime. For that, you - can specify a customized filesystem configuration in your blueprint and then create images with - the desired disk layout. The default filesystem layout remains unchanged - if you use plain - images without file system customization, the root partition is resized by cloud-init. -

-
-

- (JIRA:RHELPLAN-102505) -

-
-
-
-
-
-

4.2. RHEL for Edge

-
-
-
-
-

RHEL for Edge now supports Greenboot built-in - health checks by default

-

- With this update, RHEL for Edge Greenboot now includes built-in - health checks with watchdog feature to ensure that the hardware - does not hang or freeze while rebooting. With that, you can benefit from the following features: -

-
-
-
    -
  • - It makes it simple for watchdogs hardware users to adopt the - built-in health checks -
  • -
  • - A set of default health checks that provide value for built-in OS components -
  • -
  • - The watchdog is now present as default presets, which makes it - easy to enable or disable this feature -
  • -
  • - Ability to create custom health checks based on the already available health checks. -
  • -
-
-

- (BZ#2083036) -

-
-

RHEL 8 rebased to rpm-ostree v2022.2 -

-

- RHEL 8 is distributed with the rpm-ostree version v2022.2, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Kernel arguments can now be updated in an idempotent way, by using the new --append-if-missing and --delete-if-present kargs flags. -
  • -
  • - The Count Me feature from YUM is now fully disabled by default - in all repo queries and will only be triggered by the corresponding rpm-ostree-countme.timer and rpm-ostree-countme.service units. See countme. -
  • -
  • - The post-processing logic can now process the user.ima IMA - extended attribute. When an xattr extended attribute is found, - the system automatically translates it to security.ima in the - final OSTree package content. -
  • -
  • - The treefile file has a new repo-packages field. You can use it to pin a set of packages to a - specific repository. -
  • -
  • - Ability to use modularity on the compose and client side. -
  • -
  • - Container images are now used as a compose target and also as an upgrade source. -
  • -
-
-

- (BZ#2032594) -

-
-
-
-
-
-

4.3. Subscription management

-
-
-
-
-

Merged system purpose commands under subscription-manager syspurpose

-

- Previously, there were multiple subscription-manager modules (addons, role, service-level, and usage) for setting - attributes related to system purpose. These modules have been moved under the new subscription-manager syspurpose module. -

-
-

- The original subscription-manager modules (addons, role, service-level, and usage) are now deprecated. Additionally, the package (python3-syspurpose) that provides the syspurpose command line tool has been deprecated in RHEL 8.6. All the - capabilities of this package are covered by the new subscription-manager syspurpose module. -

-

- This update provides a consistent way to view, set, and update all system purpose attributes using a - single command of subscription-manager; this replaces all the existing system purpose commands with - their equivalent versions available as a new subcommand. For example, subscription-manager role --set SystemRole becomes subscription-manager syspurpose role --set SystemRole and so on. -

-

- For complete information about the new commands, options, and other attributes, see the SYSPURPOSE OPTIONS section in the subscription-manager man page. -

-

- (BZ#2000883) -

-
-
-
-
-
-

4.4. Software management

-
-
-
-
-

The modulesync command is now available to - replace certain workflows in RHEL 8

-

- In Red Hat Enterprise Linux 8, modular packages cannot be installed without modular metadata. - Previously, you could use the yum command to download packages, and - then use the createrepo_c command to redistribute those packages. -

-
-

- This enhancement introduces the modulesync command to ensure the - presence of modular metadata, which ensures package installability. This command downloads rpm packages from modules and creates a repository with modular metadata - in a working directory. -

-

- (BZ#1868047) -

-
-

A new --path CLI option is added to - RPM

-

- With this update, you can query packages by a file that is currently not installed using a new - --path CLI option. This option is similar to the existing --file option, but matches packages solely based on the provided - path. Note that the file at that path does not need to exist on disk. -

-
-

- The --path CLI option can be useful when a user excludes all - documentation files at install time by using the --nodocs option with - yum. In this case, by using the --path - option, you can display the owning package of such an excluded file, whereas the --file option will not display the package because the requested file - does not exist. -

-

- (BZ#1940895) -

-
-
-
-
-
-

4.5. Shells and command-line tools

-
-
-
-
-

The lsvpd package rebased to version - 1.7.13

-

- The lsvpd package has been rebased to version 1.7.13. Notable bug - fixes and enhancements include: -

-
-
-
    -
  • - Added support for SCSI location code. -
  • -
  • - Fixed length of absolute path getDevTreePath in sysfstreecollector. -
  • -
-
-

- (BZ#1993557) -

-
-

The net-snmp-cert gencert tool now uses the - SHA512 encryption algorithm instead of SHA1

-

- In order to increase security, the net-snmp-cert gencert tool has - been updated to generate certificates using SHA512 encryption algorithm by default. -

-
-

- (BZ#1908331) -

-
-

The dnn and text - modules are available in the opencv package

-

- The dnn module containing Deep Neural Networks for image - classification inference and the text module for scene text - detection and recognition are now available in the opencv package. -

-
-

- (BZ#2007780) -

-
-

The powerpc-utils package rebased to version - 1.3.9

-

- The powerpc-utils package has been upgraded to version 1.3.9. - Notable bug fixes, and enhancements include: -

-
-
-
    -
  • - Increased log size to 1MB in drmgr. -
  • -
  • - Fixed checking HCNID array size at boot time. -
  • -
  • - Implemented autoconnect-slaves on HNV connections in hcnmgr. -
  • -
  • - Improved the HNV bond list connections in hcnmgr. -
  • -
  • - Uses hexdump from util-linux - instead of xxd from vim in hcnmgr. -
  • -
  • - The hcn-init.service starts together with NetworkManager. -
  • -
  • - Fixed OF to logical FC lookup for multipath in ofpathname. -
  • -
  • - Fixed OF to logical lookup with partitions in ofpathname. -
  • -
  • - Fixed bootlist for multipath devices with more than 5 paths. -
  • -
  • - Introduced lparnumascore command to detect the NUMA affinity - score for the running LPAR. -
  • -
  • - Added the -x option in lpartstat - to enhance security. -
  • -
  • - Fixed ofpathname race with udev - rename in hcnmgr. -
  • -
  • - Fixed qrydev in HNV, and removed lsdevinfo. -
  • -
-
-

- (BZ#2028690) -

-
-

The powerpc-utils package now supports vNIC as - a backup device

-

- The powerpc-utils package now supports Virtual Network Interface - cards (vNIC) as a backup vdevice for Hybrid Network Virtualization - (HNV). -

-
-

- (BZ#2022225) -

-
-

The opencryptoki package rebased to version - 3.17.0

-

- The opencryptoki package has been rebased to version 3.17.0. - Notable bug fixes and enhancements include: -

-
-
-
    -
  • - The p11sak tool offers a new function of listing keys. -
  • -
  • - Added support for OpenSSL 3.0. -
  • -
  • - Added support for event notifications. -
  • -
  • - Added SW fallbacks in ICA tokens. -
  • -
  • - The WebSphere Application Server no longer fails to start with the hardware crypto adapter - enabled. -
  • -
  • - The opencryptoki.module was removed, and the p11-kit list-modules command no longer causes error messages. -
  • -
-
-

- (BZ#1984993) -

-
-

Certain network interfaces and IP addresses can be excluded when creating a - rescue image

-

- You can use the EXCLUDE_IP_ADDRESSES variable to ignore certain IP - addresses, and the EXCLUDE_NETWORK_INTERFACES variable to ignore - certain network interfaces when creating a rescue image. -

-
-

- On servers with floating addresses, you need to stop the ReaR rescue environment from configuring - floating addresses that are moved to a fail-over server until the original server is recovered. - Otherwise, a conflict with the fail-over server would occur and cause a consequent disruption of the - services running on the fail-over server. To prevent conflicts, you can perform the following - actions in the ReaR configuration file /etc/rear/local.conf: -

-
-
    -
  • - exclude the IP addresses in the ReaR by providing the EXCLUDE_IP_ADDRESSES variable as a bash array of addresses. For - example: EXCLUDE_IP_ADDRESSES=( 192.0.2.27 192.0.2.10 ), -
  • -
  • - exclude the network interfaces in the ReaR by providing the EXCLUDE_NETWORK_INTERFACES variable as a bash array of - interfaces. For example: EXCLUDE_NETWORK_INTERFACES=( eno1d1 ). -
  • -
-
-

- (BZ#2035939) -

-
-
-
-
-
-

4.6. Infrastructure services

-
-
-
-
-

New bind9.16 package version 9.16.23 - introduced

-

- A new bind9.16 package version 9.16.23 has been introduced as an - alternative to bind component version 9.11.36. Notable enhancements - include: -

-
-
-
    -
  • - Introduced new Key and Signing Policy feature in DNSSEC. -
  • -
  • - Introduced the QNAME minimisation to improve privacy. -
  • -
  • - Introduced the validate-except feature to Permanent. -
  • -
  • - Negative Trust Anchors to temporarily disable DNSSEC validation. -
  • -
  • - Refactored the response policy zones (RPZ). -
  • -
  • - Introduced new naming conventions for zone types: primary and secondary zone types are used as synonyms to master and slave. -
  • -
  • - Introduced a supplementary YAML output mode of dig, mdig, and delv commands. -
  • -
  • - The filter-aaaa functionality was moved into separate filter-a and filter-aaaa plugins. -
  • -
  • - Introduced a new zone type mirror support (RFC 8806). -
  • -
-
-

- Removed features: -

-
-
    -
  • - The dnssec-enabled option has been removed, DNSSEC is enabled - by default, and the dnssec-enabled keywords are no - longer accepted. -
  • -
  • - The lwresd lightweight resolver daemon, and liblwres lightweight resolver library have been removed. -
  • -
-
-

- (BZ#1873486) -

-
-

CUPS is available as a container image

-

- The Common Unix Printing System (CUPS) is now available as a container image, and you can deploy - it from the Red Hat Container Catalog. -

-
-

- (BZ#1913715) -

-
-

The bind component rebased to version - 9.11.36

-

- The bind component has been updated to version 9.11.36. Notable bug - fixes and enhancements include: -

-
-
-
    -
  • - Improved the lame-ttl option to be more secure. -
  • -
  • - A multiple threads bug affecting RBTDB instances no longer results in assertion failure in - free_rbtdb(). -
  • -
  • - Updated implementation of the ZONEMD RR type to match RFC 8976. -
  • -
  • - The maximum supported number of NSEC3 iterations has been reduced to 150. Records with more - iterations are treated as insecure. -
  • -
  • - An invalid direction field in a LOC record no longer results in a failure. -
  • -
-
-

- (BZ#2013993) -

-
-

CUPS driverless printing is available in CUPS Web UI

-

- CUPS driverless printing, based on the IPP Everywhere model, is available in the CUPS Web UI. In - addition to the lpadmin command used in the CLI, you can create an - IPP Everywhere queue in the CUPS Web UI to print to network printers without special software. -

-
-

- (BZ#2032965) -

-
-
-
-
-
-

4.7. Security

-
-
-
-
-

The pcsc-lite packages rebased to - 1.9.5

-

- The pcsc-lite packages have been rebased to upstream version 1.9.5. - This update provides new enhancements and bug fixes, most notably: -

-
-
-
    -
  • - The pcscd daemon no longer automatically exits after inactivity - when started manually. -
  • -
  • - The pcsc-spy utility now supports Python 3 and a new --thread option. -
  • -
  • - Performance of the SCardEndTransaction() function has been - improved. -
  • -
  • - The poll() function replaced the select() function, which allows file descriptor numbers higher - than FD_SETSIZE. -
  • -
  • - Many memory leaks and concurrency problems have been fixed. -
  • -
-
-

- (BZ#2014641) -

-
-

Crypto policies support diffie-hellman-group14-sha256

-

- You can now use the diffie-hellman-group14-sha256 key exchange - (KEX) algorithm for the libssh library in RHEL system-wide - cryptographic policies. This update also provides parity with OpenSSH, which also supports this - KEX algorithm. With this update, libssh has diffie-hellman-group14-sha256 enabled by default, but you can disable - it by using a custom crypto policy. -

-
-

- (BZ#2023744) -

-
-

OpenSSH servers now support drop-in configuration files

-

- The sshd_config file supports the Include directive, which means you can include configuration files in - another directory. This makes it easier to apply system-specific configurations on OpenSSH - servers by using automation tools such as Ansible Engine. It is also more consistent with the - capabilities of the ssh_config file. In addition, drop-in - configuration files also make it easier to organize different configuration files for different - uses, such as filter incoming connections. -

-
-

- (BZ#1926103) -

-
-

sshd_config:ClientAliveCountMax=0 disables - connection termination

-

- Setting the SSHD configuration option ClientAliveCountMax to 0 now disables connection termination. This aligns the behavior of - this option with the upstream. As a consequence, OpenSSH no longer disconnects idle SSH users - when it reaches the timeout configured by the ClientAliveInterval - option. -

-
-

- (BZ#2015828) -

-
-

libssh rebased to 0.9.6

-

- The libssh package has been rebased to upstream version 0.9.6. This - version provides bug fixes and enhancements, most notably: -

-
-
-
    -
  • - Support for multiple identity files. The files are processed from the bottom to the top as - listed in the ~/.ssh/config file. -
  • -
  • - Parsing of sub-second times in SFTP is fixed. -
  • -
  • - A regression of the ssh_channel_poll_timeout() function - returning SSH_AGAIN unexpectedly is now fixed. -
  • -
  • - A possible heap-buffer overflow after key re-exchange is fixed. -
  • -
  • - A handshake bug when AEAD cipher is matched but there is no HMAC overlap is fixed. -
  • -
  • - Several memory leaks on error paths are fixed. -
  • -
-
-

- (BZ#1896651) -

-
-

Libreswan rebased to 4.5

-

- Libreswan has been rebased to upstream version 4.5. This version provides many bug fixes and - enhancements, most notably: -

-
-
-
    -
  • - Support of Internet Key Exchange version 2 (IKEv2) for Labeled IPsec. -
  • -
  • - Support for childless initiation of Internet Key Exchange (IKE) Security Association (SA). -
  • -
-
-

- (BZ#2017352) -

-
-

New option to verify SELinux module checksums

-

- With the newly added --checksum option to the semodule command, you can verify the versions of installed SELinux - policy modules. -

-
-

- Because Common Intermediate Language (CIL) does not store module name and module version in the - module itself, there previously was no simple way to verify that the installed module is the same - version as the module which was supposed to be installed. -

-

- With the new command semodule -l --checksum, you receive a SHA256 hash - of the specified module and can compare it with the checksum of the original file, which is faster - than reinstalling modules. -

-

- Example of use: -

-
# semodule -l --checksum | grep localmodule
-localmodule sha256:db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd
-
-# /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
-db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd  -
-

- (BZ#1731501) -

-
-

OpenSCAP can read local files

-

- OpenSCAP can now consume local files instead of remote SCAP source data stream components. - Previously, you could not perform a complete evaluation of SCAP source data streams containing - remote components on systems that have no internet access. On these systems, OpenSCAP could not - evaluate some of the rules in these data streams because the remote components needed to be - downloaded from the internet. With this update, you can download and copy the remote SCAP source - data stream components to the target system before performing the OpenSCAP scan and provide them - to OpenSCAP by using the --local-files option with the oscap command. -

-
-

- (BZ#1970529) -

-
-

SSG now scans and remediates rules for home directories and interactive - users

-

- OVAL content to check and remediate all existing rules related to home directories used by - interactive users was added to the SCAP Security Guide (SSG) suite. Many benchmarks require - verification of properties and content usually found within home directories of interactive - users. Because the existence and the number of interactive users in a system may vary, there was - previously no robust solution to cover this gap using the OVAL language. This update adds OVAL - checks and remediations that detect local interactive users in a system and their respective - home directories. As a result, SSG can safely check and remediate all related benchmark - requirements. -

-
-

- (BZ#1884687) -

-
-

SCAP rules now have a warning message to configure Audit log buffer for - large systems

-

- The SCAP rule xccdf_org.ssgproject.content_rule_audit_basic_configuration now - displays a performance warning that suggests users of large systems where the Audit log buffer - configured by this rule might be too small and can override the custom value. The warning also - describes the process to configure a larger Audit log buffer. With this enhancement, users of - large systems can stay compliant and have their Audit log buffer set correctly. -

-
-

- (BZ#1993826) -

-
-

SSG now supports the /etc/security/faillock.conf file

-

- This enhancement adds support for the /etc/security/faillock.conf - file in SCAP Security Guide (SSG). With this update, SSG can assess and remediate the /etc/security/faillock.conf file for definition of pam_faillock settings. The authselect - tool is also used to enable the pam_faillock module while ensuring - the integrity of pam files. As a result, the assessment and - remediation of the pam_faillock module is aligned with the latest - versions and best practices. -

-
-

- (BZ#1956972) -

-
-

SCAP Security Guide rebased to 0.1.60

-

- The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.60. This - version provides various enhancements and bug fixes, most notably: -

-
-
-
    -
  • - Rules hardening the PAM stack now use authselect as the - configuration tool. -
  • -
  • - Tailoring files that define profiles which represent the differences between DISA STIG - automated SCAP content and SCAP automated content (delta tailoring) are now supported. -
  • -
  • - The rule xccdf_org.ssgproject.content_enable_fips_mode now - checks only whether the FIPS mode has been enabled properly. It does not guarantee that - system components have undergone FIPS certification. -
  • -
-
-

- (BZ#2014485) -

-
-

DISA STIG profile supports Red Hat Virtualization 4.4

-

- The DISA STIG for Red Hat Enterprise Linux 8 profile version V1R5 - has been enhanced to support Red Hat Virtualization 4.4. This profile aligns with the RHEL 8 - Security Technical Implementation Guide (STIG) manual benchmark provided by the Defense - Information Systems Agency (DISA). However, some configurations are not applied on hosts where - Red Hat Virtualization (RHV) is installed because they prevent Red Hat Virtualization from - installing and working properly. -

-
-

- When the STIG profile is applied on a Red Hat Virtualization Host (RHVH), on a self-hosted install - (RHELH), or on a host with RHV Manager installed, the following rules result in 'notapplicable': -

-
-
    -
  • - package_gss_proxy_removed -
  • -
  • - package_krb5-workstation_removed -
  • -
  • - package_tuned_removed -
  • -
  • - sshd_disable_root_login -
  • -
  • - sudo_remove_nopasswd -
  • -
  • - sysctl_net_ipv4_ip_forward -
  • -
  • - xwindows_remove_packages -
  • -
-
-
-
Warning
-
-

- Automatic remediation might render the system non-functional. Run the remediation in a test - environment first. -

-
-
-

- (BZ#2021802) -

-
-

OpenSCAP rebased to 1.3.6

-

- The OpenSCAP packages have been rebased to upstream version 1.3.6. This version provides various - bug fixes and enhancements, most notably: -

-
-
-
    -
  • - You can provide local copies of remote SCAP source data stream components by using the --local-files option. -
  • -
  • - OpenSCAP accepts multiple --rule arguments to select multiple - rules on the command line. -
  • -
  • - OpenSCAP allows skipping evaluation of some rules using the --skip-rule option. -
  • -
  • - You can restrict memory consumed by OpenSCAP probes by using the OSCAP_PROBE_MEMORY_USAGE_RATIO environment variable. -
  • -
  • - OpenSCAP now supports the OSBuild Blueprint as a remediation type. -
  • -
-
-

- (BZ#2041781) -

-
-

clevis-systemd no longer depends on nc

-

- With this enhancement, the clevis-systemd package no longer depends - on the nc package. The dependency did not work correctly when used - with Extra Packages for Enterprise Linux (EPEL). -

-
-

- (BZ#1949289) -

-
-

audit rebased to 3.0.7

-

- The audit packages have been upgraded to version 3.0.7 which - introduces many enhancements and bug fixes. Most notably: -

-
-
-
    -
  • - Added sudoers to Audit base rules. -
  • -
  • - Added the --eoe-timeout option to the ausearch command and its analogous eoe_timeout option to auditd.conf - file that specifies the value for end of event timeout, which impacts how ausearch parses co-located events. -
  • -
  • - Introduced a fix for the 'audisp-remote' plugin that used 100% of CPU capacity when the - remote location was not available. -
  • -
-
-

- (BZ#1939406) -

-
-

Audit now provides options for specifying the end of the event - timeout

-

- With this release, the ausearch tool supports the --eoe-timeout option, and the auditd.conf file contains the end_of_event_timeout option. You can use these options to specify the - end of the event timeout to avoid problems with parsing co-located events. The default value for - the end of the event timeout is set to two seconds. -

-
-

- (BZ#1921658) -

-
-

Adding sudoers to Audit base rules -

-

- With this enhancement, the /etc/sudoers and the etc/sudoers.d/ directories are added to Audit base rules such as the - Payment Card Industry Data Security Standard (PCI DSS) and the Operating Systems Protection - Profile (OSPP). This increases the security by monitoring configuration changes in privileged - areas such as sudoers. -

-
-

- (BZ#1927884) -

-
-

Rsyslog includes the mmfields module for - higher-performance operations and CEF

-

- Rsyslog now includes the rsyslog-mmfields subpackage which provides - the mmfields module. This is an alternative to using the property - replacer field extraction, but in contrast to the property replacer, all fields are extracted at - once and stored inside the structured data part. As a result, you can use mmfields particularly for processing field-based log formats, for - example Common Event Format (CEF), and if you need a large number of fields or reuse specific - fields. In these cases, mmfields has better performance than - existing Rsyslog features. -

-
-

- (BZ#1947907) -

-
-

libcap rebased to version 2.48

-

- The libcap packages have been upgraded to upstream version 2.48, - which provides a number of bug fixes and enhancements over the previous version, most notably: -

-
-
-
    -
  • - Helper library for POSIX semantic system calls (libpsx) -
  • -
  • - Support for overriding system call functions -
  • -
  • - IAB abstraction for capability sets -
  • -
  • - Additional capsh testing features -
  • -
-
-

- (BZ#2032813) -

-
-

fapolicyd rebased to 1.1

-

- The fapolicyd packages have been upgraded to the upstream version - 1.1, which contains many improvements and bug fixes. Most notable changes include the following: -

-
-
-
    -
  • - The /etc/fapolicyd/rules.d/ directory for files containing - allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. See the - new fagenrules(8) man page for more details. -
  • -
  • - In addition to the /etc/fapolicyd/fapolicyd.trust file for - marking files outside of the RPM database as trusted, you can now use the new /etc/fapolicyd/trust.d directory, which supports separating a - list of trusted files into more files. You can also add an entry for a file by using the - fapolicyd-cli -f subcommand with the --trust-file directive to these files. See the fapolicyd-cli(1) and fapolicyd.trust(13) man pages for more information. -
  • -
  • - The fapolicyd trust database now supports white spaces in file - names. -
  • -
  • - fapolicyd now stores the correct path to an executable file - when it adds the file to the trust database. -
  • -
-
-

- (BZ#1939379) -

-
-

libseccomp rebased to 2.5.2

-

- The libseccomp packages have been rebased to upstream version - 2.5.2. This version provides bug fixes and enhancements, most notably: -

-
-
-
    -
  • - Updated the syscall table for Linux to version v5.14-rc7. -
  • -
  • - Added the get_notify_fd() function to the Python bindings to - get the notification file descriptor. -
  • -
  • - Consolidated multiplexed syscall handling for all architectures into one location. -
  • -
  • - Added multiplexed syscall support to the PowerPC (PPC) and MIPS architectures. -
  • -
  • - Changed the meaning of the SECCOMP_IOCTL_NOTIF_ID_VALID - operation within the kernel. -
  • -
  • - Changed the libseccomp file descriptor notification logic to - support the kernel’s previous and new usage of SECCOMP_IOCTL_NOTIF_ID_VALID. -
  • -
-
-

- (BZ#2019893) -

-
-
-
-
-
-

4.8. Networking

-
-
-
-
-

CleanUpModulesOnExit firewalld global configuration option is now available -

-

- Previously, when restarting or otherwise shutting down firewalld, - firewalld recursively unloaded kernel modules. As a result, other - packages attempting to use these modules or dependent modules would fail. With this upgrade, - users can set the CleanUpModulesOnExit option to no to stop firewalld from unloading - these kernel modules. -

-
-

- (BZ#1980206) -

-
-

Restoring large nftables sets requires less - memory

-

- With this enhancement, the nftables framework requires - significantly less memory when you restore large sets. The algorithm which prepares the netlink message has been improved, and, as a result, restoring a set - can use up to 40% less memory. -

-
-

- (BZ#2047821) -

-
-

The nmstate API now supports OVS-DPDK -

-

- This enhancement adds the schema for the Open vSwitch (OVS) Data Plane Development Kit (DPDK) to - the nmstate API. As a result, you can use nmstate to configure OVS devices with DPDK ports. -

-
-

- (BZ#2003976) -

-
-

The nmstate API now supports VLAN and QoS ID - in SR-IOV virtual functions

-

- This update enhances the nmstate API with support for local area - network (VLAN) and quality of service (QoS) in single root I/O virtualization (SR-IOV) virtual - functions. As a result, you can use nmstate to configure these - features. -

-
-

- (BZ#2004006) -

-
-

NetworkManager rebased to version 1.36.0

-

- The NetworkManager packages have been upgraded to upstream version - 1.36.0, which provides a number of enhancements and bug fixes over the previous version: -

-
-
-
    -
  • - The handling of layer 3 configurations has been reworked to improve the stability, - performance, and memory usage. -
  • -
  • - NetworkManager now supports the rd.znet_ifnames kernel command - line option on the IBM Z platform. -
  • -
  • - The blackhole, unreachable, and - prohibit route types have been added. -
  • -
  • - NetworkManager now ignores routes managed by routing services. -
  • -
  • - The Wi-Fi Protected Access version 3 (WPA3) network security has been improved by enabling - the hash-to-element (H2E) method when generating simultaneous authentication of equals (SAE) - password elements. -
  • -
  • - The service now correctly handles replies from DHCP servers that send duplicate address or - mask options. -
  • -
  • - You can now turn off MAC aging on bridges. -
  • -
  • - NetworkManager no longer listens for netlink events for traffic - control objects, such as qdiscs and filters. -
  • -
  • - Network bonds now support setting a queue ID for bond ports. -
  • -
-
-

- For further information about notable changes, read the upstream release notes: -

- -

- (BZ#1996617) -

-
-

The hostapd package has been added to RHEL - 8.6

-

- With this release, RHEL provides the hostapd package. However, Red - Hat supports hostapd only to set up a RHEL host as an 802.1X - authenticator in Ethernet networks. Other scenarios, such as Wi-Fi access points or - authenticators in Wi-Fi networks, are not supported. -

-
-

- For details about configuring RHEL as an 802.1X authenticator with a FreeRADIUS back end, see Setting - up an 802.1x network authentication service for LAN clients using hostapd with FreeRADIUS - backend. -

-

- (BZ#2016946) -

-
-

NetworkManager now supports setting the number of receiving queues (rx_queue) on OVS-DPDK interfaces

-

- With this enhancement, you can use NetworkManager to configure the n_rxq setting of Open vSwitch (OVS) Data Plane Development Kit (DPDK) - interfaces. Use the ovs-dpdk.n-rxq attribute in NetworkManager to - set the number of receiving queues on OVS-DPDK interfaces. -

-
-

- For example, to configure 2 receiving queues in OVS interface named ovs-iface0, enter: -

-
# nmcli connection modify ovs-iface0 ovs-dpdk.nrxq 2
-

- (BZ#2001563) -

-
-

The nftables framework now supports nft set elements with attached counters

-

- Previously, in the netfilter framework, nftables set counters were not supported. The nftables framework is configurable by the nft tool. The kernel allows this tool to count the network packets - from a given source address with a statement add @myset {ip saddr counter}. In this update, you can count packets - that match a specific criteria with a dynamic set and elements with attached counters. -

-
-

- (BZ#1983635) -

-
-

The nispor packages are now fully - supported

-

- The nispor packages, previously available as a Technology Preview, - are now fully supported. This enhancement adds support for NetStateFilter to use the kernel filter on network routes and - interfaces. -

-
-

- With this release, the nispor packages single Root Input and Output - Virtualization (SR-IOV) interfaces can query SR-IOV Virtual Function (SR-IOV VF) information per - (VF), support new bonding options: lacp_active, arp_missed_max, and ns_ip6_target. -

-

- (BZ#1848817) -

-
-
-
-
-
-

4.9. Kernel

-
-
-
-
-

Kernel version in RHEL 8.6

-

- Red Hat Enterprise Linux 8.6 is distributed with the kernel version 4.18.0-372. -

-
-

- See also Important changes to external - kernel parameters and Device Drivers. -

-

- (BZ#1839151) -

-
-

Extended Berkeley Packet Filter for RHEL 8.6

-

- The Extended Berkeley Packet Filter (eBPF) - is an in-kernel virtual machine that allows code execution in the kernel space, in the - restricted sandbox environment with access to a limited set of functions. The virtual machine - executes a special assembly-like code. -

-
-

- The eBPF bytecode first loads to the kernel, - followed by its verification, code translation to the native machine code with just-in-time - compilation, and then the virtual machine executes the code. -

-

- Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a - different development phase, and thus not all components are currently fully supported. In RHEL 8.6, - the following eBPF components are supported: -

-
-
    -
  • - The BPF Compiler Collection (BCC) tools - package, which provides tools for I/O analysis, networking, and monitoring of Linux - operating systems using eBPF. -
  • -
  • - The BCC library which allows the - development of tools similar to those provided in the BCC tools package. -
  • -
  • - The eBPF for Traffic Control (tc) - feature, which enables programmable packet processing inside the kernel network data path. -
  • -
  • - The bpftrace tracing language -
  • -
  • - The eXpress Data Path (XDP) feature, - which provides access to received packets before the kernel networking stack processes them, - is supported under specific conditions. For more information see, XDP - is conditionally supported and Overview - of networking eBPF features in RHEL. -
  • -
  • - The libbpf package, which is crucial for bpf related - applications like bpftrace and bpf/xdp development. -
  • -
  • - The xdp-tools package, which contains userspace support - utilities for the XDP feature, is now - supported on the AMD and Intel 64-bit architectures. This includes the libxdp library, the xdp-loader - utility for loading XDP programs, the xdp-filter example - program for packet filtering, and the xdpdump utility for - capturing packets from a network interface with XDP enabled. -
  • -
-
-

- Note that all other eBPF components are - available as Technology Preview, unless a specific component is indicated as supported. -

-

- The following notable eBPF components are - currently available as Technology Preview: -

-
-
    -
  • - The AF_XDP socket for connecting the eXpress Data Path (XDP) path to user space -
  • -
-
-

- For more information regarding the Technology Preview components, see eBPF available as a Technology Preview. -

-

- (BZ#1780124) -

-
-

Red Hat, by default, enables eBPF in all RHEL versions for privileged - users only

-

- Extended Berkeley Packet Filter (eBPF) is a - complex technology which allows users to execute custom code inside the Linux kernel. Due to its - nature, the eBPF code needs to pass through - the verifier and other security mechanisms. There were Common Vulnerabilities and Exposures - (CVE) instances, where bugs in this code could be misused for unauthorized operations. To - mitigate this risk, Red Hat by default enabled eBPF in all RHEL versions for privileged users - only. It is possible to enable eBPF for - unprivileged users by using the kernel.command-line parameter unprivileged_bpf_disabled=0. -

-
-

- However, note that: -

-
-
    -
  • - Applying unprivileged_bpf_disabled=0 disqualifies your kernel - from Red Hat support and opens your system to security risks. -
  • -
  • - Red Hat urges you to treat processes with the CAP_BPF - capability as if the capability was equal to CAP_SYS_ADMIN. -
  • -
  • - Setting unprivileged_bpf_disabled=0 will not be sufficient to - execute many BPF programs by unprivileged users as loading of most BPF program types - requires additional capabilities (typically CAP_SYS_ADMIN or - CAP_PERFMON). -
  • -
-
-

- For information on how to apply kernel command-line parameters, see Configuring - kernel command-line parameters. -

-

- (BZ#2089409) -

-
-

The osnoise and timerlat tracers were added in RHEL 8

-

- The osnoise tracer measures operating system noise. That is, the - interruptions of applications by the OS and hardware interrupts. It also provides a set of - tracepoints to help find the source of the OS noise. The timerlat - tracer measures the wakeup latencies and helps to identify the causes of such latencies of - real-time (RT) threads. In RT computing, latency is absolutely crucial and even a minimal delay - can be detrimental. The osnoise and timerlat tracers enable you to investigate and find causes of OS - interference with applications and wakeup delay of RT threads. -

-
-

- (BZ#1979382) -

-
-

The strace utility can now display mismatches - between the actual SELinux contexts and the definitions extracted from the SELinux context - database

-

- An existing --secontext option of strace has been extended with the mismatch parameter. This parameter enables to print the expected - context along with the actual one upon mismatch only. The output is separated by double - exclamation marks (!!), first the actual context, then the expected - one. In the examples below, the full,mismatch parameters print the - expected full context along with the actual one because the user part of the contexts - mismatches. However, when using a solitary mismatch, it only checks - the type part of the context. The expected context is not printed because the type part of the - contexts matches. -

-
-
[...]
-$ strace --secontext=full,mismatch -e statx stat /home/user/file
-statx(AT_FDCWD, "/home/user/file" [system_u:object_r:user_home_t:s0!!unconfined_u:object_r:user_home_t:s0], ...
-
-$ strace --secontext=mismatch -e statx stat /home/user/file
-statx(AT_FDCWD, "/home/user/file" [user_home_t:s0], ...
-

- SELinux context mismatches often cause access control issues associated with SELinux. The mismatches - printed in the system call traces can significantly expedite the checks of SELinux context - correctness. The system call traces can also explain specific kernel behavior with respect to access - control checks. -

-

- (BZ#2038992, BZ#2038810) -

-
-

The --cyclictest-threshold option has been - added to the rteval utility

-

- With this enhancement, the --cyclictest-threshold=USEC option has - been added to the rteval test suite. Using this option you can - specify a threshold value. The rteval test run ends immediately if - any latency measurements exceed this threshold value. When latency expectations are not met, the - run aborts with a failure status. -

-
-

- (BZ#2012285) -

-
-
-
-
-
-

4.10. File systems and storage

-
-
-
-
-

RHEL 8.6 is compatible with RHEL 9 XFS images

-

- With this update, RHEL 8.6 is now able to use RHEL 9 XFS images. RHEL 9 XFS guest images must - have bigtime and inode btree counters (inobtcount) on-disk capabilities allowed in order to mount the guest - image with RHEL 8.6. Note that file systems created with bigtime - and inobtcount features are not compatible with versions earlier - than RHEL 8.6. -

-
-

- (BZ#2022903, BZ#2024201) -

-
-

Options in Samba utilities have been renamed and removed for a consistent - user experience

-

- The Samba utilities have been improved to provide a consistent command-line interface. These - improvements include renamed and removed options. Therefore, to avoid problems after the update, - review your scripts that use Samba utilities, and update them, if necessary. -

-
-

- Samba 4.15 introduces the following changes to the Samba utilities: -

-
-
    -
  • - Previously, Samba command-line utilities silently ignored unknown options. To prevent - unexpected behavior, the utilities now consistently reject unknown options. -
  • -
  • - Several command-line options now have a corresponding smb.conf - variable to control their default value. See the man pages of the utilities to identify if a - command-line option has an smb.conf variable name. -
  • -
  • - By default, Samba utilities now log to standard error (stderr). - Use the --debug-stdout option to change this behavior. -
  • -
  • - The --client-protection=off|sign|encrypt option has been added - to the common parser. -
  • -
  • -

    - The following options have been renamed in all utilities: -

    -
    -
      -
    • - --kerberos to --use-kerberos=required|desired|off -
    • -
    • - --krb5-ccache to --use-krb5-ccache=CCACHE -
    • -
    • - --scope to --netbios-scope=SCOPE -
    • -
    • - --use-ccache to --use-winbind-ccache -
    • -
    -
    -
  • -
  • -

    - The following options have been removed from all utilities: -

    -
    -
      -
    • - -e and --encrypt -
    • -
    • - -C removed from --use-winbind-ccache -
    • -
    • - -i removed from --netbios-scope -
    • -
    • - -S and --signing -
    • -
    -
    -
  • -
  • -

    - To avoid duplicate options, certain options have been removed or renamed from the - following utilities: -

    -
    -
      -
    • - ndrdump: -l is no - longer available for --load-dso -
    • -
    • - net: -l is no longer - available for --long -
    • -
    • - sharesec: -V is no - longer available for --viewsddl -
    • -
    • - smbcquotas: --user has - been renamed to --quota-user -
    • -
    • - nmbd: --log-stdout has - been renamed to --debug-stdout -
    • -
    • - smbd: --log-stdout has - been renamed to --debug-stdout -
    • -
    • - winbindd: --log-stdout - has been renamed to --debug-stdout -
    • -
    -
    -
  • -
-
-

- (BZ#2062117) -

-
-

Compiler barrier changed to static inline function compiler_barrier to avoid name conflict with function - pointers

-

- This enhancement provides additional features and a patch for a potential data corruption bug. - The compiler barrier is now set to a static inline function compiler_barrier. No name conflict occurs with the hardware store - barrier, when implementing hardware fencing for non-temporal memcpy variants, while using a - function pointer. As a result, RHEL 8.6 now includes pmdk version - 1.11.1. -

-
-

- (BZ#2009889) -

-
-
-
-
-
-

4.11. High availability and clusters

-
-
-
-
-

The pcmk_delay_base parameter may now take - different values for different nodes

-

- When configuring a fence device, you now can specify different values for different nodes with - the pcmk_delay_base parameter. This allows a single fence device to - be used in a two-node cluster, with a different delay for each node. This helps prevent a - situation where each node attempts to fence the other node at the same time. To specify - different values for different nodes, you map the host names to the delay value for that node - using a similar syntax to pcmk_host_map. For example, node1:0;node2:10s would use no delay when - fencing node1 and a 10-second delay when fencing node2. -

-
-

- (BZ#1082146) -

-
-

Specifying automatic removal of location constraint following resource - move

-

- When you execute the pcs resource move command, this adds a - constraint to the resource to prevent it from running on the node on which it is currently - running. A new --autodelete option for the pcs resource move command, previously available as a Technology - Preview, is now fully supported. When you specify this option, the location constraint that the - command creates is automatically removed once the resource has been moved. -

-
-

- (BZ#1990784) -

-
-

Detailed Pacemaker status display for internal errors

-

- If Pacemaker can not execute a resource or fence agent for some reason, for example the agent is - not installed or there has been an internal timeout, the Pacemaker status displays now show a - detailed exit reason for the internal error. -

-
-

- (BZ#1470834) -

-
-

Support for special characters inside pcmk_host_map values

-

- The pcmk_host_map property now supports special characters inside - pcmk_host_map values using a backslash (\) in front of the value. - For example, you can specify pcmk_host_map="node3:plug\ 1" to - include a space in the host alias. -

-
-

- (BZ#1376538) -

-
-

pcs suppport for OCF Resource Agent API 1.1 - standard

-

- The pcs command-line interface now supports OCF 1.1 resource and - STONITH agents. An OCF 1.1 agent’s metadata must comply with the OCF 1.1 schema. If an OCF 1.1 - agent’s metadata does not comply with the OCF 1.1 schema, pcs - considers the agent invalid and will not create or update a resource of the agent unless the - --force option is specified. The pcsd - Web UI and pcs commands for listing agents omit OCF 1.1 agents with - invalid metadata from the listing. -

-
-

- An OCF agent that declares that it implements any OCF version other than 1.1, or does not declare a - version at all, is validated against the OCF 1.0 schema. Validation issues are reported as warnings, - but for those agents it is not necessary to specify the --force option - when creating or updating a resource of the agent. -

-

- (BZ#1936833) -

-
-

New fencing agent for OpenShift

-

- The fence_kubevirt fencing agent is now available for use with RHEL - High Availability on Red Hat OpenShift Virtualization. For information on the fence_kubevirt agent, see the fence_kubevirt(8) man page. -

-
-

- (BZ#1977588) -

-
-
-
-
-
-

4.12. Dynamic programming languages, web and database servers

-
-
-
-
-

A new module stream: php:8.0

-

- RHEL 8.6 adds PHP 8.0, which provides a number of bug fixes and - enhancements over version 7.4 -

-
-

- Notable enhancements include: -

-
-
    -
  • - New named arguments are order-independent and self-documented, and enable you to specify - only required parameters. -
  • -
  • - New attributes enable you to use structured metadata with PHP’s native syntax. -
  • -
  • - New union types enable you to use native union type declarations that are validated at - runtime instead of PHPDoc annotations for a combination of types. -
  • -
  • - Internal functions now more consistently raise an Error exception instead of warnings if - parameter validation fails. -
  • -
  • - The Just-In-Time compilation has improved the performance. -
  • -
  • - The Xdebug debugging and productivity extension for PHP has - been updated to version 3. This version introduces major changes in functionality and - configuration compared to Xdebug 2. -
  • -
-
-

- To install the php:8.0 module stream, use: -

-
# yum module install php:8.0
-

- If you want to upgrade from the php:7.4 stream, see Switching - to a later stream. -

-

- For details regarding PHP usage on RHEL 8, see Using - the PHP scripting language. -

-

- (BZ#1978356, BZ#2027285) -

-
-

A new module stream: perl:5.32

-

- RHEL 8.6 introduces Perl 5.32, which provides a number of bug fixes - and enhancements over Perl 5.30 distributed in RHEL 8.3. -

-
-

- Notable enhancement include: -

-
-
    -
  • - Perl now supports unicode version 13.0. -
  • -
  • - The qr qoute-like operator has been enhanced. -
  • -
  • - The POSIX::mblen(), mbtowc, and - wctomb functions now work on shift state locales and are - thread-safe on C99 and above compilers when executed on a platform that has locale - thread-safety; the length parameters are now optional. -
  • -
  • - The new experimental isa infix operator tests whether a given - object is an instance of a given class or a class derived from it. -
  • -
  • - Alpha assertions are no longer experimental. -
  • -
  • - Script runs are no longer experimental. -
  • -
  • - Feature checks are now faster. -
  • -
  • - Perl can now dump compiled patterns before optimization. -
  • -
-
-

- To upgrade from an earlier perl module stream, see Switching - to a later stream. -

-

- (BZ#2021471) -

-
-

A new package: nginx-mod-devel

-

- A new nginx-mod-devel package has been added to the nginx:1.20 module stream. The package provides all necessary files, - including RPM macros and nginx source code, for building external - dynamic modules for nginx. -

-
-

- (BZ#1991787) -

-
-

MariaDB Galera now includes an upstream version of the garbd systemd service and a wrapper script

-

- MariaDB 10.3 and MariaDB 10.5 in RHEL 8 include a Red Hat version of garbd systemd service and a wrapper script for the galera package in the /usr/lib/systemd/system/garbd.service and /usr/sbin/garbd-wrapper files, respectively. -

-
-

- In addition to the Red Hat version of these files, RHEL 8 now also provides an upstream version. The - upstream files are located at /usr/share/doc/galera/garb-systemd and - /usr/share/doc/galera/garbd.service. -

-

- RHEL 9 provides only the upstream version of these files, located at /usr/lib/systemd/system/garbd.service and /usr/sbin/garb-systemd. -

-

- (BZ#2042306, BZ#2042298, BZ#2050543, BZ#2050546) -

-
-
-
-
-
-

4.13. Compilers and development tools

-
-
-
-
-

New command for capturing glibc optimization - data

-

- The new ld.so --list-diagnostics command captures data that - influences glibc optimization decisions, such as IFUNC selection - and glibc-hwcaps configuration, in a single machine-readable file. -

-
-

- (BZ#2023420) -

-
-

glibc string functions are now optimized for - Fujitsu A64FX

-

- With this update, glibc string functions exhibit increased - throughput and reduced latency on A64FX CPUs. -

-
-

- (BZ#1929928) -

-
-

New UTF-8 locale en_US@ampm with 12-hour - clock

-

- With this update, you can now use a new UTF-8 locale en_US@ampm - with a 12-hour clock. This new locale can be combined with other locales by using the LC_TIME environment variable. -

-
-

- (BZ#2000374) -

-
-

New location for libffi's self-modifying - code

-

- With this update libffi's self-modifying code takes advantage of a - feature in the RHEL 8 kernel to create a suitable file independent of any file system. As a - result, libffi's self-modifying code no longer depends on making - part of the filesystem insecure. -

-
-

- (BZ#1875340) -

-
-

Updated GCC Toolset 11

-

- GCC Toolset 11 is a compiler toolset that provides recent versions of development tools. It is - available as an Application Stream in the form of a Software Collection in the AppStream repository. -

-
-

- Notable changes introduced with RHEL 8.6 include: -

-
-
    -
  • - The GCC compiler has been updated to version 11.2.1. -
  • -
  • - annobin has been updated to version 10.23. -
  • -
-
-

- The following tools and versions are provided by GCC Toolset 10: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 11.2.1 -

-
-

- GDB -

-
-

- 10.2 -

-
-

- Valgrind -

-
-

- 3.17.0 -

-
-

- SystemTap -

-
-

- 4.5 -

-
-

- Dyninst -

-
-

- 11.0.0 -

-
-

- binutils -

-
-

- 2.36.1 -

-
-

- elfutils -

-
-

- 0.185 -

-
-

- dwz -

-
-

- 0.14 -

-
-

- make -

-
-

- 4.3 -

-
-

- strace -

-
-

- 5.13 -

-
-

- ltrace -

-
-

- 0.7.91 -

-
-

- annobin -

-
-

- 10.23 -

-
-
-

- To install GCC Toolset 11, run the following command as root: -

-
# yum install gcc-toolset-11
-

- To run a tool from GCC Toolset 11: -

-
$ scl enable gcc-toolset-11 tool
-

- To run a shell session where tool versions from GCC Toolset 11 override system versions of these - tools: -

-
$ scl enable gcc-toolset-11 bash
-

- For more information about usage, see Using - GCC Toolset. -

-

- The GCC Toolset 11 components are available in the two container images: -

-
-
    -
  • - rhel8/gcc-toolset-11-toolchain, which includes the GCC - compiler, the GDB debugger, and the make automation tool. -
  • -
  • - rhel8/gcc-toolset-11-perftools, which includes the performance - monitoring tools, such as SystemTap and Valgrind. -
  • -
-
-

- To pull a container image, run the following command as root: -

-
# podman pull registry.redhat.io/<image_name>
-

- Note that only the GCC Toolset 11 container images are now supported. Container images of earlier - GCC Toolset versions are deprecated. -

-

- For details regarding the container images, see Using - the GCC Toolset container images. -

-

- (BZ#1996862) -

-
-

GDB disassembler now supports the new arch14 instructions

-

- With this update, GDB is able to disassemble new arch14 instructions. -

-
-

- (BZ#2012818) -

-
-

LLVM Toolset rebased to version 13.0.1

-

- LLVM Toolset has been upgraded to version 13.0.1. Notable changes include: -

-
-
-
    -
  • - Clang now supports guaranteed tail calls with statement attributes [[clang::musttail]] in C++ and __attribute__((musttail)) in C. -
  • -
  • - Clang now supports the -Wreserved-identifier warning, which - warns developers when using reserved identifiers in their code. -
  • -
  • - Clang’s -Wshadow flag now also checks for shadowed structured - bindings. -
  • -
  • - Clang’s -Wextra now also implies Wnull-pointer-subtraction. -
  • -
-
-

- (BZ#2001133) -

-
-

Rust Toolset rebased to 1.58.1

-

- The Rust Toolset has been rebased to version 1.58.1. Notable - changes include: -

-
-
-
    -
  • - The Rust compiler now supports the 2021 edition of the language, featuring disjoint capture - in closure, IntoIterator for arrays, a new Cargo feature - resolver, and more. -
  • -
  • - Added Cargo support for new custom profiles. -
  • -
  • - Cargo deduplicates compiler errors. -
  • -
  • - Added new open range patterns. -
  • -
  • - Added captured identifiers in format strings. -
  • -
-
-

- For further information, see: -

-
- -
-

- (BZ#2002883) -

-
-

Go Toolset rebased to version 1.17.7

-

- Go Toolset has been upgraded to version 1.17.7. Notable changes include: -

-
-
-
    -
  • - Added an option to convert slices to array pointers. -
  • -
  • - Added support for //go:build lines. -
  • -
  • - Improvements to function call performance on amd64. -
  • -
  • - Function arguments are formatted more clearly in stack traces. -
  • -
  • - Functions containing closures can be inlined. -
  • -
  • - Reduced resource consumption in x509 certificate parsing. -
  • -
-
-

- (BZ#2014088) -

-
-

pcp rebased to 5.3.5

-

- The pcp package has been rebased to version 5.3.5. Notable changes - include: -

-
-
-
    -
  • - Added new pmieconf(1) rules for CPU and disk saturation. -
  • -
  • - Improved stability and scalability of pmproxy(1) service. -
  • -
  • - Improved service latency and robustness of pmlogger(1) service. -
  • -
  • - Added new performance metrics related to electrical power. -
  • -
  • - Added new features in the pcp-htop(1) utility. -
  • -
  • - Added new features in the pcp-atop(1) utility. -
  • -
  • - Updated Nvidia GPU metrics. -
  • -
  • - Added new Linux kernel KVM and networking metrics. -
  • -
  • - Added a new MongoDB metrics agent. -
  • -
  • - Added a new sockets metrics agent and pcp-ss(1) utility. -
  • -
  • - Disabled pmcd(1) and pmproxy(1) - Avahi service advertising by default. -
  • -
-
-

- (BZ#1991763) -

-
-

The grafana package rebased to version - 7.5.11

-

- The grafana package has been rebased to version 7.5.11. Notable - changes include: -

-
-
-
    -
  • - Added a new prepare time series transformation for backward - compatibility of panels that do not support the new data frame format. -
  • -
-
-

- (BZ#1993214) -

-
-

grafana-pcp rebased to 3.2.0

-

- The grafana-pcp package has been rebased to version 3.2.0. Notable - changes include: -

-
-
-
    -
  • - Added a new MS SQL server dashboard for PCP Redis. -
  • -
  • - Added visibility of empty histogram buckets in the PCP Vector eBPF/BCC Overview dashboard. -
  • -
  • - Fixed a bug where the metric() function of PCP Redis did not - return all metric names. -
  • -
-
-

- (BZ#1993149) -

-
-

js-d3-flame-graph rebased to 4.0.7 -

-

- The js-d3-flame-graph package has been rebased to version 4.0.7. - Notable changes include: -

-
-
-
    -
  • - Added new blue and green color scheme. -
  • -
  • - Added functionality to display flame graph context. -
  • -
-
-

- (BZ#1993194) -

-
-

Power consumption metrics now available in PCP

-

- The new pmda-denki Performance Metrics Domain Agent (PMDA) reports - metrics related to power consumption. Specifically, it reports: -

-
-
-
    -
  • - Consumption metrics based on Running Average Power Limit (RAPL) readings, available on - recent Intel CPUs -
  • -
  • - Consumption metrics based on battery discharge, available on systems which have a battery -
  • -
-
-

- (BZ#1629455) -

-
-

A new module: log4j:2

-

- A new log4j:2 module is now available in the AppStream repository. - This module contains Apache Log4j 2, which is a Java logging - utility and a library enabling you to output log statements to a variety of output targets. -

-
-

- Log4j 2 provides significant improvements over Log4j 1. Notably, Log4j 2 introduces - enhancements to the Logback framework and fixes some inherent problems - in the Logback architecture. -

-

- To install the log4j:2 module stream, use: -

-
# yum module install log4j:2
-

- (BZ#1937468) -

-
-
-
-
-
-

4.14. Identity Management

-
-
-
-
-

ansible-freeipa is now available in the - AppStream repository with all dependencies

-

- Previously in RHEL 8, before installing the ansible-freeipa - package, you first had to enable the Ansible repository and install the ansible package. In RHEL 8.6 and RHEL 9, you can install ansible-freeipa without any preliminary steps. Installing ansible-freeipa automatically installs the ansible-core package, a more basic version of ansible, as a dependency. Both ansible-freeipa and ansible-core are - available in the rhel-9-for-x86_64-appstream-rpms repository. -

-
-

- ansible-freeipa in RHEL 8.6 and RHEL 9 contains all the modules that it - contained in RHEL 8. -

-

- (JIRA:RHELPLAN-100359) -

-
-

IdM now supports the automountlocation, automountmap, and automountkey - Ansible modules

-

- With this update, the ansible-freeipa package contains the ipaautomountlocation, ipaautomountmap, - and ipaautomountkey modules. You can use these modules to configure - directories to be mounted automatically for IdM users logged in to IdM clients in an IdM - location. Note that currently, only direct maps are supported. -

-
-

- (JIRA:RHELPLAN-79161) -

-
-

The support for managing subID ranges is available in the - shadow-utils

-

- Previously, shadow-utils configured the subID ranges automatically - from the /etc/subuid and /etc/subgid - files. With this update, the configuration of subID ranges is available in the /etc/nsswitch.conf file by setting a value in the subid field. For more information, see man subuid and man subgid. Also, with - this update, an SSSD implementation of the shadow-utils plugin is - available, which provides the subID ranges from the IPA server. To use this functionality, add - the subid: sss value to the /etc/nsswitch.conf file. This solution might be useful in the - containerized environment to facilitate rootless containers. -

-
-

- Note that in case the /etc/nsswitch.conf file is configured by the - authselect tool, you must follow the procedures described in the authselect documentation. When it is not the case, you can modify the - /etc/nsswitch.conf file manually. -

-

- (JIRA:RHELPLAN-103579) -

-
-

An alternative to the traditional RHEL ansible-freeipa repository: Ansible - Automation Hub

-

- With this update, you can download ansible-freeipa modules from the - Ansible Automation Hub (AAH) instead of downloading them from the standard RHEL repository. By - using AAH, you can benefit from the faster updates of the ansible-freeipa modules available in this repository. -

-
-

- In AAH, ansible-freeipa roles and modules are distributed in the - collection format. Note that you need an Ansible Automation Platform (AAP) subscription to access - the content on the AAH portal. You also need ansible version 2.9 or - later. -

-

- The redhat.rhel_idm collection has the same content as the traditional - ansible-freeipa package. However, the collection format uses a fully - qualified collection name (FQCN) that consists of a namespace and the collection name. For example, - the redhat.rhel_idm.ipadnsconfig module corresponds to the ipadnsconfig module in ansible-freeipa - provided by a RHEL repository. The combination of a namespace and a collection name ensures that the - objects are unique and can be shared without any conflicts. -

-

- (JIRA:RHELPLAN-103147) -

-
-

ansible-freeipa modules can now be executed remotely on IdM - clients

-

- Previously, ansible-freeipa modules could only be executed on IdM - servers. This required your Ansible administrator to have SSH - access to your IdM server, causing a potential security threat. With this update, you can - execute ansible-freeipa modules remotely on systems that are IdM - clients. As a result, you can manage IdM configuration and entities in a more secure way. -

-
-

- To execute ansible-freeipa modules on an IdM client, choose one of the - following options: -

-
-
    -
  • - Set the hosts variable of the playbook to an IdM client host. -
  • -
  • - Add the ipa_context: client line to the playbook task that uses - the ansible-freeipa module. -
  • -
-
-

- You can set the ipa_context variable to client on an IdM server, too. However, the server context usually - provides better performance. If ipa_context is not set, ansible-freeipa checks if it is running on a server or a client, and sets - the context accordingly. Note that executing an ansible-freeipa module - with context set to server on an IdM - client host raises an error of missing libraries. -

-

- (JIRA:RHELPLAN-103146) -

-
-

The ipadnsconfig module now requires action: member to exclude a global forwarder

-

- With this update, excluding global forwarders in Identity Management (IdM) by using the ansible-freeipa ipadnsconfig module - requires using the action: member option in addition to the state: absent option. If you only use state: absent in your playbook without also using action: member, the playbook fails. Consequently, to remove all - global forwarders, you must specify all of them individually in the playbook. In contrast, the - state: present option does not require action: member. -

-
-

- (BZ#2046325) -

-
-

Identity Management now supports SHA384withRSA signing by default -

-

- With this update, the Certificate Authority (CA) in IdM supports the SHA-384 With RSA Encryption - signing algorithm. SHA384withRSA is compliant with the Federal Information Processing Standard - (FIPS). -

-
-

- (BZ#1731484) -

-
-

SSSD default SSH hashing value is now consistent with the OpenSSH - setting

-

- The default value of ssh_hash_known_hosts has been changed to - false. It is now consistent with the OpenSSH setting, which does not hash host names by default. -

-
-

- However, if you need to continue to hash host names, add ssh_hash_known_hosts = True to the [ssh] - section of the /etc/sssd/sssd.conf configuration file. -

-

- (BZ#2015070) -

-
-

samba rebased to version - 4.15.5

-

- The samba packages have been upgraded to upstream version - 4.15.5, which provides bug fixes and enhancements over the previous version: -

-
-
- -
-

- Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba - automatically updates its tdb database files. Note that Red Hat does - not support downgrading tdb database files. -

-

- After updating Samba, verify the /etc/samba/smb.conf file using the - testparm utility. -

-

- For further information about notable changes, read the upstream release notes before - updating. -

-

- (BZ#2013596) -

-
-

Directory Server rebased to version 1.4.3.28

-

- The 389-ds-base packages have been upgraded to upstream version - 1.4.3, which provides a number of bug fixes and enhancements over the previous version: -

-
-
-
    -
  • - A potential deadlock in replicas has been fixed. -
  • -
  • - The server no longer terminates unexpectedly when the dnaInterval is set to 0. -
  • -
  • - The performance of connection handling has been improved. -
  • -
  • - Improved performance of targetfilter in access control - instructions (ACI). -
  • -
-
-

- (BZ#2016014) -

-
-

Directory Server now stores memory-mapped files of databases on a tmpfs file system

-

- In Directory Server, the nsslapd-db-home-directory parameter - defines the location of memory-mapped files of databases. This enhancement changes the default - value of the parameter from /var/lib/dirsrv/slapd-instance_name/db/ - to /dev/shm/. As a result, with the internal databases stored on a - tmpfs file system, the performance of Directory Server increases. -

-
-

- (BZ#1780842) -

-
-
-
-
-
-

4.15. Desktop

-
-
-
-
-

Security classification banners at login and in the desktop - session

-

- You can now configure classification banners to state the overall security classification level - of the system. This is useful for deployments where the user must be aware of the security - classification level of the system that they are logged into. -

-
-

- The classification banners can appear in the following contexts, depending on your configuration: -

-
-
    -
  • - Within the running session -
  • -
  • - On the lock screen -
  • -
  • - On the login screen -
  • -
-
-

- The classification banners can take the form of either a notification that you can dismiss, or a - permanent banner. -

-

- For more information, see Displaying - the system security classification. -

-

- (BZ#1751336) -

-
-
-
-
-
-

4.16. Graphics infrastructures

-
-
-
-
-

Intel Alder Lake-P GPUs are now supported

-

- This release adds support for the Intel Alder Lake-P CPU microarchitecture with integrated - graphics. This includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following - CPU models: -

-
-
-
    -
  • - Intel Core i7-1280P -
  • -
  • - Intel Core i7-1270P -
  • -
  • - Intel Core i7-1260P -
  • -
  • - Intel Core i5-1250P -
  • -
  • - Intel Core i5-1240P -
  • -
  • - Intel Core i3-1220P -
  • -
-
-

- Support for Alder Lake-P graphics is disabled by default. To enable it, add the following option to - the kernel command line: -

-
i915.force_probe=PCI_ID
-

- Replace PCI_ID with either the PCI device ID of your Intel - GPU, or with the * character to enable support for all alpha-quality - hardware that uses the i915 driver. -

-

- (BZ#1964761) -

-
-
-
-
-
-

4.17. The web console

-
-
-
-
-

Smart card authentication for sudo and SSH from the web console -

-

- Previously, it was not possible to use smart card authentication to obtain sudo privileges or - use SSH in the web console. With this update, Identity Management users can use a smart card to - gain sudo privileges or to connect to a different host with SSH. -

-
-
-
Note
-
-

- It is only possible to use one smart card to authenticate and gain sudo privileges. Using a - separate smart card for sudo is not supported. -

-
-
-

- (JIRA:RHELPLAN-95126) -

-
-

RHEL web console provides Insights registration by default

-

- With this update, when you use the Red Hat Enterprise Linux web console to register a RHEL - system, the Connect this system to Red Hat - Insights. check box is checked by default. If you do not want to connect - to the Insights service, uncheck the box. -

-
-

- (BZ#2049441) -

-
-

Cockpit now supports using an existing TLS certificate

-

- With this enhancement, the certificate does not have strict file permission requirements any - more (such as root:cockpit-ws 0640), and thus it can be shared with - other services. -

-
-

- (JIRA:RHELPLAN-103855) -

-
-
-
-
-
-

4.18. Red Hat Enterprise Linux system roles

-
-
-
-
-

The Firewall RHEL system role has been added in RHEL 8

-

- The rhel-system-roles.firewall RHEL system role was added to the - rhel-system-roles package. As a result, administrators can automate - their firewall settings for managed nodes. -

-
-

- (BZ#1854988) -

-
-

Full Support for HA Cluster RHEL system role

-

- The High Availability Cluster (HA Cluster) role, previously available as a Technology Preview, - is now fully supported. The following notable configurations are available: -

-
-
-
    -
  • - Configuring fence devices, resources, resource groups, and resource clones including meta - attributes and resource operations -
  • -
  • - Configuring resource location constraints, resource colocation constraints, resource order - constraints, and resource ticket constraints -
  • -
  • - Configuring cluster properties -
  • -
  • - Configuring cluster nodes, custom cluster names and node names -
  • -
  • - Configuring multi-link clusters -
  • -
  • - Configuring whether clusters start automatically on boot -
  • -
-
-

- Running the role removes any configuration not supported by the role or not specified when running - the role. -

-

- The HA Cluster system role does not currently support SBD. -

-

- (BZ#1893743) -

-
-

The Networking system role now supports OWE

-

- Opportunistic Wireless Encryption (OWE) is a mode of opportunistic security for Wi-Fi networks - that provides encryption of the wireless medium but no authentication, such as public hot spots. - OWE uses encryption between Wi-Fi clients and access points, protecting them from sniffing - attacks. With this enhancement, the Networking RHEL system role supports OWE. As a result, - administrators can now use the Networking system role to configure connections to Wi-Fi networks - which use OWE. -

-
-

- (BZ#1993379) -

-
-

The Networking system role now supports SAE

-

- In Wi-Fi protected access version 3 (WPA3) networks, the simultaneous authentication of equals - (SAE) method ensures that the encryption key is not transmitted. With this enhancement, the - Networking RHEL system role supports SAE. As a result, administrators can now use the Networking - system role to configure connections to Wi-Fi networks, which use WPA-SAE. -

-
-

- (BZ#1993311) -

-
-

The Cockpit RHEL system role is now supported

-

- With this enhancement, you can install and configure the web console in your system. - Consequently, you can manage web console in an automated manner. -

-
-

- (BZ#2021661) -

-
-

Add support for raid_level for LVM - volumes

-

- The Storage RHEL system role can now specify the raid_level - parameter for LVM volumes. As a result, LVM volumes can be grouped into RAIDs using the lvmraid feature. -

-
-

- (BZ#2016514) -

-
-

The NBDE client system role supports systems with static IP - addresses

-

- Previously, restarting a system with a static IP address and configured with the NBDE client - system role would change the system’s IP address. With this change, systems with static IP - addresses are supported by the NBDE client system role, and their IP addresses do not change - after a reboot. -

-
-

- (BZ#1985022) -

-
-

Support for cached volumes is available in the Storage system role -

-

- Storage RHEL system role can now create and manage cached LVM logical volumes. LVM cache can be - used to improve performance of slower logical volumes by temporarily storing subsets of an LV’s - data on a smaller, faster device, for example an SSD. -

-
-

- (BZ#2016511) -

-
-

Support to add Elasticsearch username and - password for authentication from rsyslog

-

- This update adds the Elasticsearch username and password parameters - to the logging system role, to enable the rsyslog to authenticate to Elasticsearch using username and password. -

-
-

- (BZ#2010327) -

-
-

Ansible Core support for the RHEL system roles

-

- As of RHEL 8.6 GA release, Ansible Core is provided, with a limited scope of support, to enable - RHEL supported automation use cases. Ansible Core replaces Ansible Engine which was previously - provided in a separate repository. Ansible Core is available in the AppStream repository for - RHEL. For more details on the supported use cases, see Scope of support for the Ansible Core - package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories. Users must - manually migrate their systems from Ansible Engine to Ansible Core. -

-
-

- For details on that, see Using - Ansible in RHEL 8.6 and later. -

-

- (BZ#2012316) -

-
-

The network RHEL system role now supports both - named and numeric routing tables - in static routes.

-

- This update adds support for both the named and numeric routing tables in static routes, which is a prerequisite for - supporting the policy routing (for example, source routing). The users can define policy routing - rules later to instruct the system which table to use to determine the correct route. As a - result, after the user specifies the table attribute in the route, the system can add routes into the routing table. -

-
-

- (BZ#2031521) -

-
-

The Certificate role consistently uses "Ansible_managed" comment in its - hook scripts

-

- With this enhancement, the Certificate role generates pre-scripts and post-scripts to support - providers, to which the role inserts the "Ansible managed" comment using the Ansible standard - "ansible_managed" variable: -

-
-
-
    -
  • - /etc/certmonger/pre-scripts/script_name.sh -
  • -
  • - /etc/certmonger/post-scripts/script_name.sh -
  • -
-
-

- The comment indicates that the script files should not be directly edited because the Certificate - role can overwrite the file. As a result, the configuration files contain a declaration stating that - the configuration files are managed by Ansible. -

-

- (BZ#2054364) -

-
-

The Terminal session recording system role uses the "Ansible managed" - comment in its managed configuration files

-

- The Terminal session recording role generates 2 configuration files: -

-
-
-
    -
  • - /etc/sssd/conf.d/sssd-session-recording.conf -
  • -
  • - /etc/tlog/tlog-rec-session.conf -
  • -
-
-

- With this update, the Terminal session recording role inserts the Ansible managed comment into the configuration files, using the standard - Ansible variable ansible_managed. The comment indicates that the - configuration files should not be directly edited because the Terminal session recording role can - overwrite the file. As a result, the configuration files contain a declaration stating that the - configuration files are managed by Ansible. -

-

- (BZ#2054363) -

-
-

Microsoft SQL system role now supports customized repository for - disconnected or Satellite subscriptions

-

- Previously, users in disconnected environments that needed to pull packages from a custom server - or Satellite users that needed to point to Satellite or Capsule had no support from Microsoft - SQL Role . This update fixes it, by enabling users to provide a customized URL to use for RPM key, client and server mssql repositories. If no URL is provided, the mssql role uses the official Microsoft servers to download RPMs. -

-
-

- (BZ#2038256) -

-
-

The Microsoft SQL system role consistently uses "Ansible_managed" comment - in its managed configuration files

-

- The mssql role generates the following configuration file: -

-
-
-
    -
  • - /var/opt/mssql/mssql.conf -
  • -
-
-

- With this update, the Microsoft SQL role inserts the "Ansible managed" comment to the configuration - files, using the Ansible standard ansible_managed variable. The comment - indicates that the configuration files should not be directly edited because the mssql role can overwrite the file. As a result, the configuration files - contain a declaration stating that the configuration files are managed by Ansible. -

-

- (BZ#2057651) -

-
-

Support to all bonding options added to the Networking system role -

-

- This update provides support to all bonding options to the Networking RHEL system role. - Consequently, it enables you to flexibly control the network transmission over the bonded - interface. As a result, you can control the network transmission over the bonded interface by - specifying several options to that interface. -

-
-

- (BZ#2008931) -

-
-

NetworkManager supports specifying a network card using its PCI - address

-

- Previously, during setting a connection profile, NetworkManager was only allowed to specify a - network card using either its name or MAC address. In this case, the device name is not stable - and the MAC address requires inventory to maintain record of used MAC addresses. Now, you can - specify a network card based on its PCI address in a connection profile. -

-
-

- (BZ#1695634) -

-
-

A new option auto_gateway controls the default - route behavior

-

- Previously, the DEFROUTE parameter was not configurable with - configuration files but only manually configurable by naming every route. This update adds a new - auto_gateway option in the ip - configuration section for connections, with which you can control the default route behavior. - You can configure auto_gateway in the following ways: -

-
-
-
    -
  • - If set to true, default gateway settings apply to a default - route. -
  • -
  • - If set to false, the default route is removed. -
  • -
  • - If unspecified, the network role uses the default behavior of - the selected network_provider. -
  • -
-
-

- (BZ#1897565) -

-
-

The VPN role consistently uses Ansible_managed - comment in its managed configuration files

-

- The VPN role generates the following configuration file: -

-
-
-
    -
  • - /etc/ipsec.d/mesh.conf -
  • -
  • - /etc/ipsec.d/policies/clear -
  • -
  • - /etc/ipsec.d/policies/private -
  • -
  • - /etc/ipsec.d/policies/private-or-clear -
  • -
-
-

- With this update, the VPN role inserts the Ansible managed comment to - the configuration files, using the Ansible standard ansible_managed - variable. The comment indicates that the configuration files should not be directly edited because - the VPN role can overwrite the file. As a result, the configuration files contain a declaration - stating that the configuration files are managed by Ansible. -

-

- (BZ#2054365) -

-
-

New source parameter in the Firewall system - role

-

- You can now use the source parameter of the Firewall system role to - add or remove sources in the firewall configuration. -

-
-

- (BZ#1932678) -

-
-

The Networking system role now uses the ‘Ansible managed’ comment in its - managed configuration files

-

- When using the initscripts provider, the Networking system role now - generates commented ifcfg files in the /etc/sysconfig/network-scripts directory. The Networking role inserts - the Ansible managed comment using the Ansible standard ansible_managed variable. The comment declares that an ifcfg file is managed by Ansible, and indicates that the ifcfg file should not be edited directly as the Networking role will - overwrite the file. The Ansible managed comment is added when the - provider is initscripts. When using the Networking role with the - nm (NetworkManager) provider, the ifcfg file is managed by NetworkManager and not by the Networking - role. -

-
-

- (BZ#2057656) -

-
-

The Firewall system role now supports setting the firewall default - zone

-

- You can now set a default firewall zone in the Firewall system role. Zones represent a concept - to manage incoming traffic more transparently. The zones are connected to networking interfaces - or assigned a range of source addresses. Firewall rules for each zone are managed independently - enabling the administrator to define complex firewall settings and apply them to the traffic. - This feature allows setting the default zone used as the default zone to assign interfaces to, - same as firewall-cmd --set-default-zone zone-name. -

-
-

- (BZ#2022458) -

-
-

The Metrics system role now generates files with the proper ansible_managed comment in the header

-

- Previously, the Metrics role did not add an ansible_managed header - comment to files generated by the role. With this fix, the Metrics role adds the ansible_managed header comment to files it generates, and as a - result, users can easily identify files generated by the Metrics role. -

-
-

- (BZ#2057645) -

-
-

The Postfix system role now generates files with the proper ansible_managed comment in the header

-

- Previously, the Postfix role did not add an ansible_managed header - comment to files generated by the role. With this fix, the Postfix role adds the ansible_managed header comment to files it generates, and as a - result, users can easily identify files generated by the Postfix role. -

-
-

- (BZ#2057661) -

-
-
-
-
-
-

4.19. Virtualization

-
-
-
-
-

Mediated devices are now supported by virtualization CLIs on IBM Z -

-

- Using virt-install or virt-xml, you - can now attach mediated devices to your virtual machines (VMs), such as vfio-ap and vfio-ccw. - This for example enables more flexible management of DASD storage devices and cryptographic - coprocessors on IBM Z hosts. In addition, using virt-install, you - can create a VM that uses an existing DASD mediated device as its primary disk. For instructions - to do so, see the Configuring and Managing Virtualization in RHEL 8 guide. -

-
-

- (BZ#1995125) -

-
-

Virtualization support for Intel Atom P59 series processors

-

- With this update, virtualization on RHEL 8 adds support for the Intel Atom P59 series - processors, formerly known as Snow Ridge. As a result, virtual machines hosted on RHEL 8 can now - use the Snowridge CPU model and utilise new features that the - processors provide. -

-
-

- (BZ#1662007) -

-
-

ESXi hypervisor and SEV-ES is now fully supported

-

- You can now enable the AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) to secure - RHEL virtual machines (VMs) on VMware’s ESXi hypervisor, versions 7.0.2 and later. This feature - was previously introduced in RHEL 8.4 as a Technology Preview. It is now fully supported. -

-
-

- (BZ#1904496) -

-
-

Windows 11 and Windows Server 2022 guests are supported

-

- RHEL 8 now supports using Windows 11 and Windows Server 2022 as the guest operating systems on - KVM virtual machines. -

-
-

- (BZ#2036863, BZ#2004162) -

-
-
-
-
-
-

4.20. RHEL in cloud environments

-
-
-
-
-

RHEL 8 virtual machines are now supported on certain ARM64 hosts on - Azure

-

- Virtual machines that use RHEL 8.6 or later as the guest operating system are now supported on - Microsoft Azure hypervisors running on Ampere Altra ARM-based processors. -

-
-

- (BZ#1949614) -

-
-

New SSH module for cloud-init

-

- With this update, an SSH module has been added to the cloud-init - utility, which automatically generates host keys during instance creation. -

-
-

- Note that with this change, the default cloud-init configuration has - been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg - contains "ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" line. -

-

- Otherwise, cloud-init creates an image which fails to start the sshd service. If this occurs, do the following to work around the - problem: -

-
-
    -
  1. -

    - Make sure the /etc/cloud/cloud.cfg file contains the - following line: -

    -
    ssh_genkeytypes:  ['rsa', 'ecdsa', 'ed25519']
    -
  2. -
  3. - Check whether /etc/ssh/ssh_host_* files exist in the instance. -
  4. -
  5. -

    - If the /etc/ssh/ssh_host_* files do not exist, use the - following command to generate host keys: -

    -
    cloud-init single --name cc_ssh
    -
  6. -
  7. -

    - Restart the sshd service: -

    -
    systemctl restart sshd
    -
  8. -
-
-

- (BZ#2115791) -

-
-

cloud-init supports user data on Microsoft - Azure

-

- The --user-data option has been introduced for the cloud-init utility. Using this option, you can pass scripts and - metadata from the Azure Instance Metadata Service (IMDS) when setting up a RHEL 8 virtual - machine on Azure. -

-
-

- (BZ#2023940) -

-
-

cloud-init supports the VMware GuestInfo - datasource

-

- With this update, the cloud-init utility is able to read the - datasource for VMware guestinfo data. As a result, using cloud-init - to set up RHEL 8 virtual machines on VMware vSphere is now more efficient and reliable. -

-
-

- (BZ#2026587) -

-
-
-
-
-
-

4.21. Supportability

-
-
-
-
-

A new package: rig

-

- RHEL 8 introduces the rig package, which provides the rig system monitoring and event handling utility. -

-
-

- The rig utility is designed to assist system administrators and support - engineers in diagnostic data collection for issues that are seemingly random in their occurrence, or - occur at inopportune times for human intervention. -

-

- (BZ#1888705) -

-
-

sos report now offers an estimate mode - run

-

- This sos report update adds the --estimate-only option with which you can approximate the disk space - required for collecting an sos report from a RHEL server. Running - the sos report --estimate-only command: -

-
-
-
    -
  • - executes a dry run of sos report -
  • -
  • - mimics all plugins consecutively and estimates their disk size. -
  • -
-
-

- Note that the final disk space estimation is very approximate. Therefore, it is recommended to - double the estimated value. -

-

- (BZ#1873185) -

-
-

Red Hat Support Tool now uses Hydra - APIs

-

- The Red Hat Support Tool has moved from the deprecated Strata APIs - to the new Hydra APIs. This has no impact on functionality. However, if you have configured the - firewall to allow only the Strata API /rs/ path explicitly, update - it to /support/ to ensure the firewall works correctly. -

-
-

- In addition, due to this change, you can now download files greater than 5 GB when using the Red Hat Support Tool. -

-

- (BZ#2018194) -

-
-

Red Hat Support Tool now supports Red Hat Secure FTP

-

- When using Red Hat Support Tool, you can now upload files to the - case by the Red Hat Secure FTP. Red Hat Secure FTP is a more secure replacement of the deprecated - Dropbox utility that Red Hat Support Tool used to support in its earlier versions. -

-
-

- (BZ#2018195) -

-
-

Red Hat Support Tool now supports S3 - APIs

-

- The Red Hat Support Tool now uses S3 APIs to upload files to the - Red Hat Technical Support case. As a result, users can upload a file greater than 1 GB to the - case directly. -

-
-

- (BZ#1767195) -

-
-
-
-
-
-

4.22. Containers

-
-
-
-
-

container-tools:4.0 stable stream is now - available

-

- The container-tools:4.0 stable module stream, which contains the - Podman, Buildah, Skopeo, and runc tools is now available. This update provides bug fixes and - enhancements over the previous version. -

-
-

- For instructions on how to upgrade from an earlier stream, see Switching - to a later stream. -

-

- (JIRA:RHELPLAN-100175) -

-
-

The NFS storage is now available

-

- You can now use the NFS file system as a backend storage for containers and images if your file - system has xattr support. -

-
-

- (JIRA:RHELPLAN-75169) -

-
-

The container-tools:rhel8 module has been - updated

-

- The container-tools:rhel8 module, which contains the Podman, - Buildah, Skopeo, crun, and runc tools is now available. This update provides a list of bug fixes - and enhancements over the previous version. -

-
-

- Notable changes include: -

-
-
    -
  • - Due to the changes in the network stack, containers created by Podman v3 and earlier will - not be usable in v4.0 -
  • -
  • - The native overlay file system is usable as a rootless user -
  • -
  • - Support for NFS storage within a container -
  • -
  • - Downgrading to earlier versions of Podman is not supported unless all containers are - destroyed and recreated -
  • -
-
-

- Podman tool has been upgraded to version 4.0, for further information about notable changes, see the - upstream - release notes. -

-

- (JIRA:RHELPLAN-100174) -

-
-

Universal Base Images are now available on Docker Hub

-

- Previously, Universal Base Images were only available from the Red Hat container catalog. With - this enhancement, Universal Base Images are also available from Docker Hub as a Verified Publisher image. -

-
-

- (JIRA:RHELPLAN-101137) -

-
-

A podman container image is now - available

-

- The registry.redhat.io/rhel8/podman container image, previously - available as a Technology Preview, is now fully supported. The registry.redhat.io/rhel8/podman container image is a containerized - implementation of the podman package. The podman tool manages containers and images, volumes mounted into those - containers, and pods made of groups of containers. -

-
-

- (JIRA:RHELPLAN-57941) -

-
-

Podman now supports auto-building and auto-running pods using a YAML - file

-

- The podman play kube command automatically builds and runs multiple - pods with multiple containers in the pods using a YAML file. -

-
-

- (JIRA:RHELPLAN-108830) -

-
-

Podman now has ability to source subUID and subGID ranges from IdM -

-

- The subUID and subGID ranges can now be managed by IdM. Instead of deploying the same /etc/subuid and /etc/subgid files onto - every host, you can now define range in a single central storage. You have to modify the /etc/nsswitch.conf file and add sss to - the services map line: services: files sss. -

-
-

- For more details, see Managing - subID ranges manually in IdM documentation. -

-

- (JIRA:RHELPLAN-101133) -

-
-

The openssl container image is now - available

-

- The openssl image provides an openssl - command-line tool for using the various functions of the OpenSSL crypto library. Using the - OpenSSL library, you can generate private keys, create certificate signing requests (CSRs), and - display certificate information. -

-
-

- The openssl container image is available in these repositories: -

-
-
    -
  • - registry.redhat.io/rhel8/openssl -
  • -
  • - registry.access.redhat.com/ubi8/openssl -
  • -
-
-

- (JIRA:RHELPLAN-101138) -

-
-

Netavark network stack is now available

-

- The new network stack available starting with Podman 4.1.1-7 consists of two tools, the Netavark - network setup tool and the Aardvark DNS server. The Netavark stack, previously available as a - Technology Preview, is with the release of the RHBA-2022:7127 advisory fully - supported. -

-
-

- This network stack has the following capabilities: -

-
-
    -
  • - Configuration of container networks using the JSON configuration file -
  • -
  • - Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces -
  • -
  • - Configuring firewall settings, such as network address translation (NAT) and port mapping - rules -
  • -
  • - IPv4 and IPv6 -
  • -
  • - Improved capability for containers in multiple networks -
  • -
  • - Container DNS resolution using the aardvark-dns project -
  • -
-
-
-
Note
-
-

- You have to use the same version of Netavark stack and the Aardvark authoritative DNS - server. -

-
-
-

- (JIRA:RHELPLAN-137623) -

-
-

Podman now supports the --health-on-failure - option

-

- With the release of the RHBA-2022:7127 advisory. the - podman run and podman create commands - now support the --health-on-failure option to determine the actions - to be performed when the status of a container becomes unhealthy. -

-
-

- The --health-on-failure option supports four actions: -

-
-
    -
  • - none: Take no action, this is the default action. -
  • -
  • - kill: Kill the container. -
  • -
  • - restart: Restart the container. -
  • -
  • - stop: Stop the container. -
  • -
-
-
-
Note
-
-

- Do not combine the restart action with the --restart option. When running inside of a systemd unit, consider - using the kill or stop action - instead to make use of systemd’s restart policy. -

-
-
-

- (BZ#2130912) -

-
-
-
-
-
-
-

Chapter 5. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel shipped - with Red Hat Enterprise Linux 8.6. These changes could include for example added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any - noticeable behavior changes. -

-

New kernel parameters

-
-
-
fw_devlink.strict = [KNL]
-
-

- Format: <bool> -

-

- With this parameter you can treat all inferred dependencies as mandatory dependencies. This - setting only applies if fw_devlink=on|rpm. -

-
-
no_hash_pointers
-
- With this parameter you can force pointers that are printed to the console or buffers to be - unhashed. By default, when a pointer is printed using the %p format - string that pointer’s value is obscured by hashing. This is a security feature that hides actual - kernel addresses from unprivileged users. However, it also makes debugging the kernel more - difficult since you cannot compare unequal pointers. If this command-line parameter is - specified, then all normal pointers will have their true value printed. Pointers that are - printed using the %pK format string can still be hashed. Specify - no_hash_pointers only when debugging the kernel and do not use it - in production. -
-
no_entry_flush = [PPC]
-
- With this parameter it is possible to avoid flushing the L1-D cache when entering the kernel. -
-
no_uaccess_flush = [PPC]
-
- With this parameter it is possible to avoid flushing the L1-D cache after accessing user data. -
-
rcutorture.nocbs_nthreads = [KNL]
-
-

- With this parameter you can set the number of Read-copy-update (RCU) callback-offload - togglers. -

-

- The default value is 0 (zero) and it disables toggling. -

-
-
rcutorture.nocbs_toggle = [KNL]
-
- With this parameter you can set the delay in milliseconds between successive callback-offload - toggling attempts. -
-
refscale.verbose_batched = [KNL]
-
-

- With this parameter you can batch the additional printk() - statements. -

-

- You can print everything, by specifying zero (the default) or a negative value. Otherwise, - print every Nth verbose statement, where N is the value specified. -

-
-
strict_sas_size = [X86]
-
-

- Format: <bool> -

-

- With this parameter you can enable or disable strict sigaltstack size checks against the required signal frame size - which depends on the supported floating-point unit (FPU) features. You can use this - parameter to filter out binaries, which have not yet been made aware of the AT_MINSIGSTKSZ auxiliary vector. -

-
-
torture.verbose_sleep_frequency = [KNL]
-
-

- This parameter specifies how many verbose printk() statements - should be emitted between each sleep. -

-

- The default value of 0 (zero) disables the verbose-printk() sleeping. -

-
-
torture.verbose_sleep_duration = [KNL]
-
- This parameter specifies the duration of each verbose-printk() sleep in jiffies. -
-
tsc_early_khz = [X86]
-
-

- Format: <unsigned int> -

-

- This parameter enables to skip the early Time Stamp Counter (TSC) calibration and use the - given value instead. The parameter proves useful when the early TSC frequency discovery - procedure is not reliable. Such as on overclocked systems with CPUID.16h support and partial - CPUID.15h support. -

-
-
-
-

Updated kernel parameters

-
-
-
amd_iommu = [HW,X86-64]
-
-

- You can pass parameters to the AMD IOMMU driver in the system. -

-

- Possible values are: -

-
-
    -
  • - fullflush - Enable flushing of IO/TLB entries when they - are unmapped. Otherwise they are flushed before they will be reused, which is a lot - of faster. -
  • -
  • - off - Do not initialize any AMD IOMMU found in the - system. -
  • -
  • - force_isolation - Force device isolation for all - devices. The IOMMU driver is not allowed anymore to lift isolation requirements as - needed. This option does not override iommu=pt. -
  • -
  • - force_enable - Force enable the IOMMU on platforms - known to be buggy with IOMMU enabled. Use this option with care. -
  • -
-
-
-
acpi.debug_level = [HW,ACPI,ACPI_DEBUG]
-
-

- Format: <int> -

-

- CONFIG_ACPI_DEBUG must be enabled to produce any Advanced - Configuration and Power Interface (ACPI) debug output. Bits in debug_layer correspond to a _COMPONENT in an ACPI source file. For example #define _COMPONENT ACPI_EVENTS Bits in debug_level correspond to - a level in ACPI_DEBUG_PRINT statements. For example ACPI_DEBUG_PRINT((ACPI_DB_INFO, … -

-

- The debug_level mask defaults to "info". See Documentation/acpi/debug.txt for more information about debug - layers and levels. -

-

- Enable processor driver info messages: -

-

- acpi.debug_layer=0x20000000 -

-

- Enable AML "Debug" output, for example, stores to the Debug object while interpreting AML: -

-

- acpi.debug_layer=0xffffffff, acpi.debug_level=0x2 Enable all messages related to ACPI - hardware: acpi.debug_layer=0x2, acpi.debug_level=0xffffffff -

-

- Some values produce so much output that the system is unusable. The log_buf_len parameter is useful if you need to capture more - output. -

-
-
acpi_mask_gpe = [HW,ACPI]
-
-

- Format: <byte> or <bitmap-list> -

-

- Due to the existence of _Lxx/_Exx, some general purpose events - (GPEs) triggered by unsupported hardware or firmware features can result in GPE floodings - that cannot be automatically disabled by the GPE dispatcher. You can use this facility to - prevent such uncontrolled GPE floodings. -

-
-
cgroup_disable = [KNL]
-
-

- Format: <name of the controller(s) or feature(s) to disable> -

-

- With this parameter you can disable a particular controller or optional feature. -

-

- The effects of cgroup_disable = <controller/feature> are: -

-
-
    -
  • - controller/feature is not auto-mounted if you mount all - cgroups in a single hierarchy -
  • -
  • - controller/feature is not visible as an individually - mountable subsystem -
  • -
  • -

    - if controller/feature is an optional feature then - the feature is disabled and corresponding cgroups - files are not created -

    -

    - Currently only memory controller deals with this and cut the overhead, others - just disable the usage. So only cgroup_disable=memory is actually worthy. -

    -

    - Specifying "pressure" disables per-cgroup pressure stall information accounting - feature. -

    -
  • -
-
-
-
clearcpuid = BITNUM[,BITNUM…​] [X86]
-
- With this parameter you can disable CPUID feature X for the kernel. See arch/x86/include/asm/cpufeatures.h for the valid bit numbers. Linux - specific bits are not necessarily stable over kernel options, but the vendor specific ones - should be. User programs calling CPUID directly or using the feature without checking anything - will still see it. This just prevents it from being used by the kernel or shown in /proc/cpuinfo. Also note the kernel could malfunction if you disable - some critical bits. -
-
iommu.strict = [ARM64, X86]
-
-

- Format: <"0" | "1"> -

-

- With this parameter you can configure translation look-aside buffer (TLB) invalidation - behavior. -

-

- Possible values are: -

-
-
    -
  • - 0 - lazy mode, requests that use of Direct Memory Access (DMA) unmap operations is - deferred -
  • -
  • -

    - 1 - strict mode (default), DMA unmap operations invalidate IOMMU hardware TLBs - synchronously. -

    -

    - On AMD64 and Intel 64, the default behavior depends on the equivalent - driver-specific parameters. However, a strict mode explicitly specified by - either method takes precedence. -

    -
  • -
-
-
-
rcutree.use_softirq = [KNL]
-
-

- If this parameter is set to zero, it moves all RCU_SOFTIRQ - processing to per-CPU rcuc kthreads. The default is a non-zero value. It means that RCU_SOFTIRQ is used by default. -

-

- Specify rcutree.use_softirq = 0 to use rcuc kthreads. But note - that CONFIG_PREEMPT_RT=y kernels disable this kernel boot - parameter (forcibly setting it to zero). -

-
-
rcupdate.rcu_normal_after_boot = [KNL]
-
-

- This parameter enables to use only normal grace-period primitives once boot has completed. - That is after the rcu_end_inkernel_boot() call has been - invoked. There is no effect on CONFIG_TINY_RCU kernels. -

-

- The kernels with the CONFIG_PREEMPT_RT=y setting, enable this - kernel boot parameter and forcibly they set it to the value one. That is, converting any - post-boot attempt at an expedited Read-copy-update (RCU) grace period to instead use normal - non-expedited grace-period processing. -

-
-
spectre_v2 = [X86]
-
-

- With this parameter you can control mitigation of Spectre variant 2 (indirect branch - speculation) vulnerability. -

-

- The default operation protects the kernel from user space attacks. -

-

- Possible values are: -

-
-
    -
  • - on - unconditionally enable, implies spectre_v2_user=on -
  • -
  • - off - unconditionally disable, implies spectre_v2_user=off -
  • -
  • -

    - auto - the kernel detects whether your CPU model is vulnerable -

    -

    - Selecting 'on' will, and 'auto' may, choose a mitigation method at run time - according to the CPU. The available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the - compiler with which the kernel was built. -

    -

    - Selecting 'on' will also enable the mitigation against user space to user space - task attacks. -

    -

    - Selecting 'off' will disable both the kernel and the user space protections. -

    -

    - You can also select specific mitigations manually: -

    -
  • -
  • - retpoline - replace indirect branches -
  • -
  • - retpoline,generic - Retpolines -
  • -
  • - retpoline,lfence - LFENCE; indirect branch -
  • -
  • - retpoline,amd - alias for retpoline,lfence -
  • -
  • - eibrs - enhanced indirect branch restricted speculation (IBRS) -
  • -
  • - eibrs,retpoline - enhanced IBRS + Retpolines -
  • -
  • - eibrs,lfence - enhanced IBRS + LFENCE -
  • -
  • - ibrs - use IBRS to protect kernel -
  • -
  • - ibrs_always - use IBRS to protect both kernel and userland -
  • -
  • - retpoline,ibrs_user - replace indirect branches with retpolines and use IBRS to - protect userland -
  • -
-
-
-
-
-

- Not specifying this option is equivalent to spectre_v2=auto. -

-
-
-
-
-
-

Chapter 6. Device Drivers

-
-
-
-
-
-
-
-

6.1. New drivers

-
-
-
-

Network drivers

-
-
    -
  • - MT7921E 802.11ax wireless driver (mt7921e.ko.xz) -
  • -
  • - Realtek 802.11ax wireless core module (rtw89_core.ko.xz) -
  • -
  • - Realtek 802.11ax wireless PCI driver (rtw89_pci.ko.xz) -
  • -
  • - ntb_netdev (ntb_netdev.ko.xz) -
  • -
  • - Intel® Ethernet Protocol Driver for RDMA (irdma.ko.xz) -
  • -
  • - Intel® PCI-E Non-Transparent Bridge Driver (ntb_hw_intel.ko.xz) -
  • -
-
-

Graphics drivers and miscellaneous drivers

-
-
    -
  • - Generic Counter interface (counter.ko.xz) -
  • -
  • - Intel Quadrature Encoder Peripheral driver (intel-qep.ko.xz) -
  • -
  • - AMD ® PCIe MP2 Communication Driver (amd_sfh.ko.xz) -
  • -
  • - Driver to initialize some steering wheel joysticks from Thrustmaster - (hid-thrustmaster.ko.xz) -
  • -
  • - HID over I2C ACPI driver (i2c-hid-acpi.ko.xz) -
  • -
  • - Intel PMC Core Driver (intel_pmc_core.ko.xz) -
  • -
  • - ThinkLMI Driver (think-lmi.ko.xz) -
  • -
  • - Processor Thermal Reporting Device Driver (int3401_thermal.ko.xz) -
  • -
  • - Processor Thermal Reporting Device Driver (processor_thermal_device_pci.ko.xz) -
  • -
  • - Processor Thermal Reporting Device Driver (processor_thermal_device_pci_legacy.ko.xz) -
  • -
  • - TI TPS6598x USB Power Delivery Controller Driver (tps6598x.ko.xz) -
  • -
-
-
-
-
-
-
-

6.2. Updated drivers

-
-
-
-

Network drivers

-
-
    -
  • - Intel® PRO/1000 Network Driver (e1000e.ko.xz) has been updated. -
  • -
  • - Intel® Ethernet Switch Host Interface Driver (fm10k.ko.xz) has been updated. -
  • -
  • - Intel® Ethernet Connection XL710 Network Driver (i40e.ko.xz) has been updated. -
  • -
  • - Intel® Ethernet Adaptive Virtual Function Network Driver (iavf.ko.xz) has been updated. -
  • -
  • - Intel® Gigabit Ethernet Network Driver (igb.ko.xz) has been updated. -
  • -
  • - Intel® Gigabit Virtual Function Network Driver (igbvf.ko.xz) has been updated. -
  • -
  • - Intel® 2.5G Ethernet Linux Driver (igc.ko.xz) has been updated. -
  • -
  • - Intel® 10 Gigabit PCI Express Network Driver (ixgbe.ko.xz) has been updated. -
  • -
  • - Intel® 10 Gigabit Virtual Function Network Driver (ixgbevf.ko.xz) has been updated. -
  • -
  • - Mellanox 5th generation network adapters (ConnectX series) core driver (mlx5_core.ko.xz) has - been updated. -
  • -
  • - VMware vmxnet3 virtual NIC driver (vmxnet3.ko.xz) has been updated to version 1.6.0.0-k. -
  • -
-
-

Storage drivers

-
-
    -
  • - Emulex LightPulse Fibre Channel SCSI driver (lpfc.ko.xz) has been updated to version - 0:14.0.0.4. -
  • -
  • - Broadcom MegaRAID SAS Driver (megaraid_sas.ko.xz) has been updated to version - 07.719.03.00-rh1. -
  • -
  • - LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas.ko.xz) has been updated to version - 39.100.00.00. -
  • -
  • - QLogic Fibre Channel HBA Driver (qla2xxx.ko.xz) has been updated to version 10.02.06.200-k. -
  • -
  • - Driver for Microchip Smart Family Controller (smartpqi.ko.xz) has been updated to version - 2.1.12-055. -
  • -
-
-

Graphics and miscellaneous driver updates

-
-
    -
  • - Standalone drm driver for the VMware SVGA device (vmwgfx.ko.xz) has been updated to version - 2.18.1.0. -
  • -
-
-
-
-
-
-
-
-

Chapter 7. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.6 that have a significant impact on users. -

-
-
-
-
-

7.1. Installer and image creation

-
-
-
-
-

The network --defroute option now works - correctly in the %include script

-

- Previously, the network --defroute option got ignored when used in - the %include script during the kickstart installation. As a - consequence, the device was set as the default route. -

-
-

- With this update, the kickstart installation does not ignore the network --defroute option added in the %include script and the network connection is configured as expected. -

-

- (BZ#1990145) -

-
-

Users can now specify user accounts in the RHEL for Edge Installer - blueprint

-

- Previously, performing an update on your blueprint without a user account defined in the RHEL - for Edge Commit for the upgrade, such as adding a rpm package, would cause users to be locked - out of their system, after the upgrade was applied. It caused users to have redefine user - accounts when upgrading an existing system. This issue has been fixed to allow users to specify - user accounts in the RHEL for Edge Installer blueprint, that creates a user on the system at - installation time, rather than having the user as part of the ostree commit. -

-
-

- (BZ#1951936) -

-
-

osbuild no longer fails to build an ISO image - bigger than 4GB

-

- Image Builder users can create a customized image by adding additional packages. If the total - size of the packages and their dependencies exceeded 4GB size, users of RHEL 8.5 and earlier - releases would see the following error: -

-
-
ubprocess.CalledProcessError: Command '['/usr/bin/xorrisofs', '-verbose', '-V', 'RHEL-8-5-0-BaseOS-x86_64', '-sysid', 'LINUX', '-isohybrid-mbr', '/usr/share/syslinux/isohdpfx.bin', '-b', 'isolinux/isolinux.bin', '-c', 'isolinux/boot.cat', '-boot-load-size', '4', '-boot-info-table', '-no-emul-boot', '-rock', '-joliet', '-eltorito-alt-boot', '-e', 'images/efiboot.img', '-no-emul-boot', '-isohybrid-gpt-basdat', '-o', '/run/osbuild/tree/installer.iso', '/run/osbuild/inputs/tree']' returned non-zero exit status 32.
-

- The problem happened because the ISO 9660 Level Of Interchange -isolevel 3 argument was not passed to the xorrisofs command. To work around the problem, users had to permanently - alter the ISO level value to 3. -

-

- With the RHEL 8.6 release, the problem has been fixed, and users no longer need to permanently alter - the ISO level value. -

-

- (BZ#2056451) -

-
-
-
-
-
-

7.2. Software management

-
-
-
-
-

Running createrepo_c --update on a modular - repository now preserves modular metadata in it

-

- Previously, when running the createrepo_c --update command on an - already existing modular repository without the original source of modular metadata present, the - default policy was to remove all additional metadata including modular metadata from this - repository, which, consequently, broke it. To preserve metadata, it required running the createrepo_c --update command with the additional --keep-all-metadata option. -

-
-

- With this update, you can preserve modular metadata on a modular repository by running createrepo_c --update without any additional option. -

-

- To remove additional metadata, you can use the new --discard-additional-metadata option. -

-

- (BZ#1992209) -

-
-
-
-
-
-

7.3. Shells and command-line tools

-
-
-
-
-

Errors during the installation of the info - subpackage do not happen anymore

-

- Previously the fix-info-dir script expected the existence of a - /dev/null file. With a new version of the texinfo package for software documentation, the installation of the - info subpackage does not fail on systems that do not contain the - /dev/null special file. Now the fix-info-dir script does not expect the existence of the /dev/null file, and avoids the possibility of an infinite loop. -

-
-

- (BZ#2022201) -

-
-

ReaR backs up a system with an unused LVM - physical volume correctly

-

- Previously, ReaR produced an incorrect disk layout when an unused - LVM physical volume (PV) was present on the system. As a result, ReaR commands that need to - produce the disk layout, such as the mkrescue, mkbackup, mkbackuponly, savelayout commands, aborted with the error message: -

-
-
ERROR: LVM 'lvmdev' entry in /var/lib/rear/layout/disklayout.conf where volume_group or device is empty or more than one word
-

- With this update, ReaR now comments out unused PVs in the disk layout - file and is thus able to back up a system with unused PVs correctly. -

-

- (BZ#2048454) -

-
-

ReaR does not incorrectly exclude multipath - devices from the backup

-

- Previously, ReaR was incorrectly excluding certain multipath - devices whose names contained the names of multipath devices that should have been excluded from - the backup. -

-
-

- For example, if a device named /dev/mapper/mpatha was excluded from the - backup, then a second device named /dev/mapper/mpathaa would be - incorrectly excluded as well. This would occur with more than 26 multipath devices. -

-

- The bug has been fixed and ReaR now does not exclude multipath devices - from the backup unless they should be excluded. Note that you have to specify AUTOEXCLUDE_MULTIPATH=n in the ReaR - configuration file if there are multipath devices that should be included in the backup, otherwise - ReaR excludes all multipath devices automatically. This behavior has - not changed. -

-

- (BZ#2049091) -

-
-
-
-
-
-

7.4. Security

-
-
-
-
-

Remote users are no longer repetitively prompted to access smart - cards

-

- Previously, the polkit policy for the pcscd daemon incorrectly requested user interaction. As a - consequence, non-local and non-privileged users could not access smart cards and encountered - large numbers of prompts. With this update, the pcsc-lite package - policy no longer includes the interactive prompts. As a result, remote card users are no longer - repeatedly asked for privilege escalation. -

-
-

- For additional information about adjusting the policy to escalate privileges of non-privileged - users, see Controlling - access to smart cards using polkit in Security - hardening in RHEL product documentation. -

-

- (BZ#1928154) -

-
-

64-bit IBM Z systems no longer become unbootable when installing in FIPS - mode

-

- Previously, the fips-mode-setup command with the --no-bootcfg option did not execute the zipl tool. Because fips-mode-setup - regenerates the initial RAM disk (initrd), and the resulting system - needs an update of zipl internal state to boot, this put 64-bit IBM - Z systems into an unbootable state after installing in FIPS mode. With this update, fips-mode-setup now executes zipl on - 64-bit IBM Z systems even if invoked with --no-bootcfg, and as a - result, the newly installed system boots successfully. -

-
-

- (BZ#2020295) -

-
-

crypto-policies can disable ChaCha20 in - OpenSSL

-

- Previously, the crypto-policies component used a wrong keyword to - disable the ChaCha20 cipher in OpenSSL. As a consequence, use of ChaCha20 in TLS 1.2 in OpenSSL - could not be disabled through crypto-policies. With this update, - crypto-policies use the -CHACHA20 - keyword instead of the -CHACHA20-POLY1305 keyword. As a result, you - can now use crypto-policies to disable the use of the ChaCha20 - cipher in OpenSSL for both TLS 1.2 and TLS 1.3. -

-
-

- (BZ#2023734) -

-
-

systemd can now execute files from /home/user/bin -

-

- Previously, systemd services could not execute files from the /home/user/bin/ directory - because the SELinux policy did not include the policy rules that allow such access. - Consequently, the systemd services failed and eventually logged the - Access Vector Cache (AVC) denial Audit messages. This update adds the missing SELinux rules that - allow access, and systemd services can now correctly execute - commands from /home/user/bin/. -

-
-

- (BZ#1860443) -

-
-

STIG-specific default banner text removed from other profiles

-

- Previously, banner text from the STIG profile was used as default by other profiles that did not - have a default text defined, such as CIS. As a consequence, systems using these profiles were - configured with the specific text required by DISA. With this update, a generic default text was - created and a standard CIS banner aligned with the guidelines was defined. As a result, profiles - based on guidelines which explicitly require a text banner are now aligned with the requirements - and set the correct text. -

-
-

- (BZ#1983061) -

-
-

ANSSI Enhanced Profile correctly selects the "Ensure SELinux State is - Enforcing" rule

-

- Previously, the ANSSI Enhanced profile (anssi_bp28_enhanced) did - not select the "Ensure SELinux State is Enforcing" (selinux_state) - rule. This update modified the rule selection and now the ANSSI Enhanced Profile selects the - "Ensure SELinux State is Enforcing" rule. -

-
-

- (BZ#2053587) -

-
-

Descriptions for restorecon and seunshare SSG rules fixed

-

- Previously, descriptions for rules "Record Any Attempts to Run restorecon" (CCE-80699-2) and - "Record Any Attempts to Run seunshare" (CCE-80933-5) were incorrect. With this update, the - descriptions of these rules are aligned with the automated OVAL check. As a result, applying the - fix recommended in the description now correctly fixes these rules. -

-
-

- (BZ#2023569) -

-
-

The CIS profile no longer automatically disables IPv6

-

- Previously, the CIS profile for RHEL 8 provided inappropriate automated remediation for - recommendation “3.6 Disable IPv6”, which disabled IPv6 by configuring /etc/modprobe.d/ipv6.conf to prevent the IPv6 module from loading. - This could have undesired effects on the dependent features and services. In RHEL 8 CIS - Benchmark v1.0.1, the recommendation 3.6 must be implemented manually, and therefore the RHEL8 - CIS profiles do not apply any remediation for this configuration item. As a result, the CIS - profile is aligned with the benchmark and does not disable IPv6 automatically. To disable IPv6 - manually by configuring GRUB2 or sysctl settings as recommended by CIS, see How do I disable or enable the - IPv6 protocol in Red Hat Enterprise Linux?. -

-
-

- (BZ#1990736) -

-
-

CIS profile no longer blocks the SSH service

-

- Previously, the xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key - rule by default set the permissions to 640 on SSH private keys. As - a consequence, the SSH daemon did not start. This update removes the file_permissions_sshd_private_key rule from the CIS profile and as a - result, the SSH service works correctly. -

-
-

- (BZ#2002850) -

-
-

Files in /usr/share/audit/sample-rules are now - accepted by SCAP rules

-

- Previously, according to the description of SCAP rules xccdf_org.ssgproject.content_rule_audit_ospp_general and xccdf_org.ssgproject.content_rule_audit_immutable_login_uids, users - were able to make systems compliant by copying appropriate files from the /usr/share/audit/sample-rules directory. However, OVAL checks of - these rules failed, and the system was consequently marked as non-compliant after the scan. With - this update, the OVAL checks now accept the files from /usr/share/audit/sample-rules, and the SCAP rules pass successfully. -

-
-

- (BZ#2000264) -

-
-

ANSSI Kickstart now reserves enough disk space

-

- Previously, GUI installation required more disk space than ANSSI Kickstart reserved in the /usr partition. As a consequence, RHEL 8.6 GUI installations failed, - with an error message stating that At least 429 MB more space needed on the /usr filesystem. This update - increases the disk space for the /usr partition, and RHEL 8.6 - installations using the ANSSI Kickstarts provided in the scap-security-guide now completes successfully. -

-
-

- (BZ#2058033) -

-
-

Remediations of GRUB2 arguments are now persistent

-

- Previously, the remediations for GRUB2 rules that set kernel arguments were using incorrect - procedures and the configuration changes were not persistent across kernel upgrades. As a - consequence, the remediations had to be reapplied with every kernel upgrade. With this update, - remediations use the grubby tool that configures GRUB2 in a - persistent way. -

-
-

- (BZ#2030966) -

-
-

scap-workbench no longer hangs when scanning - remote systems from RHEL 8 hosts

-

- Previously, sending content files to the scanned system would hang and the scap-workbench utility could not complete the scan. This was due to a - bug in the kernel which blocked executed Qt subprocesses. As a consequence, scanning of remote - systems using the scap-workbench command from RHEL 8 hosts did not - work. With this update, the underlying kernel bug is fixed, and therefore remote scans no longer - hang on copying files to a remote system and successfully finish. -

-
-

- (BZ#2051890) -

-
-

usbguard-notifier no longer logs too many - error messages to the Journal

-

- Previously, the usbguard-notifier service did not have - inter-process communication (IPC) permissions for connecting to the usbguard-daemon IPC interface. Consequently, usbguard-notifier failed to connect to the interface, and it wrote a - corresponding error message to the Journal. Because usbguard-notifier started with the --wait option, which ensured that usbguard-notifier attempted to connect to the IPC interface each - second after a connection failure, by default, the log contained an excessive amount of these - messages soon. -

-
-

- With this update, usbguard-notifier does not start with --wait by default. The service attempts to connect to the daemon only - three times in the 1-second intervals. As a result, the log contains three such error messages at - maximum. -

-

- (BZ#2000000) -

-
-

Ambient capabilities are now applied correctly to non-root users -

-

- As a safety measure, changing a UID (User Identifier) from root to non-root nullifies permitted, - effective, and ambient sets of capabilities. -

-
-

- However, the pam_cap.so module is unable to set ambient capabilities - because a capability needs to be in both the permitted and the inheritable set to be in the ambient - set. In addition, the permitted set gets nullified after changing the UID (for example by using the - setuid utility), so the ambient capability cannot be set. -

-

- To fix this problem, the pam_cap.so module now supports the keepcaps option, which allows a process to retain its permitted - capabilities after changing the UID from root to non-root. The pam_cap.so module now also supports the defer option, which causes pam_cap.so to - reapply ambient capabilities within a callback to pam_end(). This - callback can be used by other applications after changing the UID. -

-

- Therefore, if the su and login utilities - are updated and PAM-compliant, you can now use pam_cap.so with the - keepcaps and defer options to set ambient - capabilities for non-root users. -

-

- (BZ#1950187) -

-
-

The usbguard-selinux package is no longer - dependent on usbguard

-

- Previously, the usbguard-selinux package was dependent on the usbguard package. This, in combination with other dependencies of - these packages, led to file conflicts when installing usbguard. As - a consequence, this prevented the installation of usbguard on - certain systems. With this version, usbguard-selinux no longer - depends on usbguard, and as a result, yum can install usbguard correctly. -

-
-

- (BZ#1963271) -

-
-

audisp-remote now correctly detects the - availability of the remote locations

-

- Previously, the audisp-remote plugin did not detect that remote - services became unavailable. As a consequence, the audisp-remote - process would enter a state with high CPU usage. With this update, audisp-remote can properly detect remote services becoming - unavailable. As a result, the process no longer enters a high-CPU-usage state. -

-
-

- (BZ#1906065) -

-
-

Clevis no longer stops on certain configurations before automated - unlocking

-

- Previously, the Clevis utility, which performs automated unlocking of LUKS-encrypted volumes, - stopped on certain system configurations. Consequently, encrypted volumes were not unlocked - automatically, and the administrator had to provide a passphrase manually. In some cases, Clevis - restarted after the administrator pressed Enter and unlocked the encrypted volumes. With this - update, the utility has been fixed to not stop on these configurations, and the process of - automated unlocking now works properly. -

-
-

- (BZ#2018292) -

-
-
-
-
-
-

7.5. Networking

-
-
-
-
-

NetworkManager now uses a static IPv4 IP address as primary

-

- The main purpose of primary and secondary addresses is to enable source address selection for - connections that are not yet bound to an IP address. For these connections, the kernel - automatically chooses an address. In a NetworkManager connection profile, you can configure a - static IPv4 address and DHCP at the same time for one connection. Previously, if you configured - a connection with DHCP and a static IPv4 address from the same range as the one provided by the - DHCP server, NetworkManager incorrectly assigned the IP address that it received from the DHCP - server as primary and the static IP address as secondary. -

-
-

- RHEL 8.6 changes this to the intended behavior. As a result, if you configure both a static IPv4 - address and DHCP in one connection profile, the static IP address is now always the primary and the - address received from the DHCP server the secondary. Additionally, NetworkManager now also sets the - src attribute for routes assigned by a DHCP server. With this - functionality, destinations reachable through these routes use the IP address received from the DHCP - server as a source. -

-

- (BZ#2096256) -

-
-
-
-
-
-

7.6. Kernel

-
-
-
-
-

The dmidecode --type 17 command now - successfully decodes DDR5 memory information

-

- Previously, the dmidecode command failed to decode the DDR5 memory - information. Consequently, dmidecode --type 17 returned the <OUT OF SPEC> message. The latest update of the package (dmidecode-3.3-3.el8) has fixed this problem. As a result, dmidecode --type 17 now successfully decodes DDR5 memory information. -

-
-

- (BZ#2027665) -

-
-

kdump no longer fails on KVM virtual machines - that use the default amount of memory

-

- Previously, kdump failed on some kernel-based virtual machines - (KVM) that uses the default amount of memory. Consequently, the crash kernel failed to capture - the crash dump file with following error: -

-
-

- /bin/sh: error while loading shared libraries: libtinfo.so.6: cannot open shared object file: No such file or directory -

-

- With this update, the problem has been fixed and kdump works correctly - on KVM virtual machines that use the default amount of memory. -

-

- (BZ#2004000) -

-
-

Tunnel offloading now works as expected and supports the available - hardware

-

- Previously, the driver was not setting certain feature flags. Hence, tunnel offloading was not - working as expected. In this update, the driver sets the required flags to enable tunnel - offloading and works as expected. -

-
-

- (BZ#1910885) -

-
-

Fixed the kernel warning while setting the rx - ring buffer to max

-

- Previously, an internal function expecting clean input was called with a reused and already - initialized structure. It caused the kernel to give the warning message: “missing unregister, - handled but fix driver”. This update fixes the bug, reinitializing the structure before trying - to register it again. -

-
-

- (BZ#2040171) -

-
-
-
-
-
-

7.7. File systems and storage

-
-
-
-
-

xfsrestore command works correctly while - restoring a backup

-

- Previously, while restoring a backup created using the xfsdump - command, xfsrestore created an orphanage directory. As a - consequence, a few files were moved into the created orphanage directory with the following - messages: -

-
-
 # xfsdump -L test -M test -f /scratch.dmp /mnt/test
- ...
- xfsdump: NOTE: root ino 128 differs from mount dir ino 1024, bind mount?
- ...
- xfsdump: Dump Status: SUCCESS
-
- # xfsrestore -f /scratch.dmp /mnt/restore/
- ...
- xfsrestore: restoring non-directory files
- xfsrestore: NOTE: ino 128 salvaging file, placing in orphanage/1024.0/dir17/file60
- xfsrestore: NOTE: ino 129 salvaging file, placing in orphanage/1024.0/dir17/file61
- xfsrestore: NOTE: ino 130 salvaging file, placing in orphanage/1024.0/dir17/file62
- xfsrestore: NOTE: ino 131 salvaging file, placing in orphanage/1024.0/dir17/file63
- xfsrestore: NOTE: ino 132 salvaging file, placing in orphanage/1024.0/dir17/file64
- xfsrestore: NOTE: ino 133 salvaging file, placing in orphanage/1024.0/dir17/file65
- xfsrestore: NOTE: ino 134 salvaging file, placing in orphanage/1024.0/dir17/file66
- ...
-

- With this update, the problem has been fixed and xfsrestore now works - correctly. -

-

- (BZ#2020494) -

-
-

The multipathd.socket unit file no longer - disables multipathd after too many startup attempts -

-

- Previously, the starting conditions for multipathd in the multipath.service unit file differed from the triggering conditions - in multipathd.socket. Consequently, the unit file repeatedly tried - to start multipathd and failed. This resulted in disabling multipathd after too many failed attempts. With this fix, the - starting conditions for multipathd.socket and multipathd.service have been set to the same values. As a result, the - multipathd.socket unit file no longer attempts to start multipathd where the starting conditions for multipathd.service are not met. -

-
-

- (BZ#2008101) -

-
-

Protection uevents no longer cause reload failure of multipath - devices

-

- Previously, when a read-only path device was rescanned, the kernel - sent out two write protection uevents - one with the device set to read/write, and the following with the device set to read-only. Consequently, upon detection of the read/write uevent on a path device, multipathd tried to reload the multipath device, which caused a - reload error message. With this update, multipathd now checks that - all the paths are set to read/write before reloading a device - read/write. As a result, multipathd no longer tries to reload read/write whenever a read-only device - is rescanned. -

-
-

- (BZ#2009624) -

-
-
-
-
-
-

7.8. Compilers and development tools

-
-
-
-
-

The -j flag now works when used in a - Makefile

-

- Previously, when you added the -j flag to MAKEFLAGS inside the - Makefile, the targets were built sequentially instead of in parallel. This bug has been fixed, - and now the targets are built at the same time when you use the -j - flag in the Makefile. -

-
-

- (BZ#2004246) -

-
-

Statically linked applications no longer crash

-

- Previously, the initialization code of the dynamic loader, which is linked into statically - linked binaries, did not initialize a link map variable correctly. Consequently, statically - linked applications crashed if LD_LIBRABY__PATH contained a dynamic - token string. With this update statically linked applications no longer crash. -

-
-

- (BZ#1934162) -

-
-

pthread_once() in glibc has been fixed to - correctly support C++ exceptions

-

- Previously, the pthread_once() implementation could result in a - hang when using libstdc++ library functions. For example libstdc++'s std::call_once() called a - function that threw an exception which would result in a hang. With this update, pthread_once() is fixed and no longer hangs when an exception is - thrown. -

-
-

- (BZ#2007327) -

-
-
-
-
-
-

7.9. Identity Management

-
-
-
-
-

Certmonger can now automatically renew SCEP certificates with AD when challengePassword is required for enrollment

-

- Previously, requests for renewal of SCEP certificates sent by certmonger to an Active Directory (AD) Network Device Enrollment - Service (NDES) server included the challengePassword used to - originally obtain the certificate. However, AD treats challengePassword as a one-time password (OTP). As a consequence, the - renewal request was rejected. -

-
-

- This update adds the challenge_password_otp option to certmonger. When enabled, this option prevents certmonger from sending the OTP with the SCEP renewal request. The - administrator must also add the DisableRenewalSubjectNameMatch entry - with a value of 1 to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP - subkey in the AD registry. With this modification, AD no longer requires the signer certificate and - requested certificate subject names to match. As a result, the SCEP certificate renewal is - successful. -

-

- To configure certmonger and the AD server for SCEP renewals to work: -

-
-
    -
  1. - Open regedit on the AD server. -
  2. -
  3. - In the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP - subkey, add a new 32-bit REG_DWORD entry DisableRenewalSubjectNameMatch and set its value to 1. -
  4. -
  5. -

    - On the server where certmonger is running, open the /etc/certmonger/certmonger.conf file and add the following - section: -

    -
    [scep]
    -challenge_password_otp = yes
    -
  6. -
  7. -

    - Restart certmonger: -

    -
    # systemctl restart certmonger
    -
  8. -
-
-

- (BZ#1577570) -

-
-

FreeRADIUS proxy server no longer stops working when a second FreeRADIUS - server is unavailable

-

- When a FreeRADIUS server is configured as a proxy server it forwards request messages to another - FreeRADIUS server. Previously, if the connection between these two servers was interrupted, the - FreeRADIUS proxy server stopped working. With this fix, the FreeRADIUS proxy server is now able - to reestablish a connection when the other server becomes available. -

-
-

- (BZ#2030173) -

-
-

Authenticating to Directory Server in FIPS mode with PBKDF2-hashed - passwords now works as expected

-

- When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the PK11_ExtractKeyValue() function is not available. As a consequence, - users with a password-based key derivation function 2 (PBKDF2) hashed password could not - authenticate to the server when FIPS mode was enabled. With this update, Directory Server now - uses the PK11_Decrypt() function to get the password hash data. As - a result, authenticating to Directory Server in FIPS mode now works for users with PBKDF2-hashed - passwords. -

-
-

- (BZ#2033398) -

-
-

Socket activation of SSSD succeeds when the SSSD cache is mounted in tmpfs - as the SSSD user

-

- Previously, socket activation of SSSD would fail if the SSSD cache was mounted in a tmpfs temporary file system because the /var/lib/sss/db/config.ldb SSSD configuration file was not owned by - the sssd user. With this fix, SSSD creates the config.ldb file as the sssd user and - socket activation succeeds. If you have mounted the /var/lib/sssd/db/ SSSD cache directory in tpmfs, you must remount it as the sssd - user so SSSD can create the config.ldb file in that location. -

-
-
-
Warning
-
-

- Perform the following steps only if you have mounted your SSSD cache into tmpfs for faster performance according to the steps in the Tuning - performance in Identity Management guide. In standard circumstances, Red Hat - recommends using the default location for the SSSD cache, on standard disk storage, instead. -

-
-
-
-

Procedure

-
    -
  1. -

    - Confirm that /var/lib/sss/db is a mount point: -

    -
    # mount -t tmpfs | grep /var/lib/sss/db
    -tmpfs on /var/lib/sss/db type tmpfs (rw,relatime,rootcontext=system_u:object_r:sssd_var_lib_t:s0,seclabel,size=307200k,mode=700)
    -
  2. -
  3. -

    - If /var/lib/sss/db is a valid mount point, check if it is - owned by the root user: -

    -
    # ls -l /var/lib/sss | grep db
    -drwx------. 2 *root root* 40 Jul 26 04:48 db
    -
  4. -
  5. -

    - If the db directory is a mount point and it is owned by the - root user, add uid=sssd,gid=sssd to the corresponding entry in the /etc/fstab file to mount it as the SSSD user: -

    -
    tmpfs /var/lib/sss/db/ tmpfs size=300M,mode=0700,*uid=sssd,gid=sssd*,rootcontext=system_u:object_r:sssd_var_lib_t:s0 0 0
    -
  6. -
  7. -

    - Remount the directory and restart the SSSD service: -

    -
    # systemctl stop sssd
    -# umount /var/lib/sss/db
    -# mount /var/lib/sss/db
    -# systemctl start sssd
    -
  8. -
-
-
-

Verification

-
    -
  • -

    - Verify that the /var/lib/sss/db directory is owned by the - sssd user: -

    -
    # ls -l /var/lib/sss | grep db
    -drwx------. 2 sssd sssd 160 Jul 26 05:00 db
    -
  • -
-
-

- (BZ#2108316) -

-
-
-
-
-
-

7.10. Graphics infrastructures

-
-
-
-
-

Matrox GPU with a VGA display now works as expected

-

- Prior to this release, your display showed no graphical output if you used the following system - configuration: -

-
-
-
    -
  • - A GPU in the Matrox MGA G200 family -
  • -
  • - A display connected over the VGA controller -
  • -
  • - UEFI switched to legacy mode -
  • -
-
-

- As a consequence, you could not use or install RHEL on this configuration. -

-

- With this update, the mgag200 driver has been significantly rewritten, - and as a result, the graphics output now works as expected. -

-

- (BZ#1953926) -

-
-
-
-
-
-

7.11. Red Hat Enterprise Linux system roles

-
-
-
-
-

A playbook using the Metrics role completes successfully on multiple runs - even if the Grafana admin password is changed

-

- Previously, changes to the Grafana admin user password after - running the Metrics role with the metrics_graph_service: yes - boolean caused failure on subsequent runs of the Metrics role. This led to failures of playbooks - using the Metrics role, and the affected systems were only partially set up for performance - analysis. Now, the Metrics role uses the Grafana deployment API - when it is available and no longer requires knowledge of username or password to perform the - necessary configuration actions. As a result, a playbook using the Metrics role completes - successfully on multiple runs even if the administrator changes the Grafana admin password. -

-
-

- (BZ#1967321) -

-
-

The SSHD system role uses the correct template file

-

- In RHEL 8.5, the SSHD system role used a wrong template file. As a consequence, the generated - sshd_config file did not contain the # Ansible managed comment. The missing comment did not affect any - functionality on the system. With this update, the system role uses the correct template file - and sshd_config contains the correct # Ansible managed comment. -

-
-

- (BZ#2040038) -

-
-

The Networking system role no longer fails to set a DNS search domain if - IPv6 is disabled

-

- Previously, the nm_connection_verify() function of the libnm library did not ignore the DNS search domain if the IPv6 - protocol was disabled. As a consequence, when you used the Networking RHEL system role and set - dns_search together with ipv6_disabled: true, the system role failed with the following error: -

-
-
nm-connection-error-quark: ipv6.dns-search: this property is not allowed for 'method=ignore' (7)
-

- With this update, the nm_connection_verify() function ignores the DNS - search domain if IPv6 is disabled. As a consequence, you can use dns_search as expected, even if IPv6 is disabled. -

-

- (BZ#2041627) -

-
-

The nm provider in the Networking system role - now correctly manages bridges

-

- Previously, if you used the initscripts provider, the Networking - system role created an ifcfg file which configured NetworkManager - to mark bridge interfaces as unmanaged. Also, NetworkManager failed to detect followup initscript actions. For example, the down and absent actions of initscript - provider will not change the NetworkManager’s understanding on unmanaged state of this interface - if not reloading the connection after the down and absent actions. With this fix, the Networking system role uses the - NM.Client.reload_connections_async() function to reload - NetworkManager on managed hosts with NetworkManager 1.18. As a result, NetworkManager manages - the bridge interface when switching the provider from initscript to - nm. -

-
-

- (BZ#2034908) -

-
-

The SSH server role now detects FIPS mode and handles tasks correctly in - FIPS mode

-

- Previously, when managing RHEL8 and older systems in FIPS mode, one of the default hostkeys was - not allowed to be created. As a consequence, the SSH server role operation failed to generate - the not allowed key type when invoked. With this fix, the SSH - server role detects FIPS mode and adjusts default hostkey list accordingly. As a result, the SSH - server role can now manage systems in FIPS mode with default hostkeys configuration. -

-
-

- (BZ#1979714) -

-
-

The Logging system role no longer calls tasks multiple times

-

- Previously, the Logging role was calling tasks multiple times that should have been called only - once. As a consequence, the extra task calls slowed down the execution of the role. With this - fix, the Logging role was changed to call the tasks only once, improving the Logging role - performance. -

-
-

- (BZ#2005727) -

-
-

RHEL system roles now handle multi-line ansible_managed comments in generated files

-

- Previously, some of the RHEL system roles were using # {{ ansible_managed }} to generate some of the files. As a - consequence, if a customer had a custom multi-line ansible_managed - setting, the files would be generated incorrectly. With this fix, all of the system roles use - the equivalent of {{ ansible_managed | comment }} when generating - files so that the ansible_managed string is always properly - commented, including multi-line ansible_managed values. - Consequently, generated files have the correct multi-line ansible_managed value. -

-
-

- (BZ#2006231) -

-
-

The Logging role no longer misses quotes for the immark module interval value

-

- Previously, the "interval" field value for the immark module was - not properly quoted, because the immark module was not properly - configured. This fix ensures that the "interval" value is properly quoted. Now, the immark module works as expected. -

-
-

- (BZ#2021678) -

-
-

The group option no longer keeps certificates - inaccessible to the group

-

- Previously, when setting the group for a certificate, the mode was - not set to allow group read permission. As a consequence, group members were unable to read - certificates issued by the Certificate role. With this fix, the group setting now ensures that - the file mode includes group read permission. As a result, the certificates issued by the - Certificate role for groups are accessible by the group members. -

-
-

- (BZ#2021683) -

-
-

The /etc/tuned/kernel_settings/tuned.conf file - has a proper ansible_managed header

-

- Previously, the Kernel settings RHEL system role had a hard-coded value for the ansible_managed header in the /etc/tuned/kernel_settings/tuned.conf file. Consequently, users could - not provide their custom ansible_managed header. In this update, - the problem has been fixed so that kernel_settings updates the - header of /etc/tuned/kernel_settings/tuned.conf with user’s ansible_managed setting. As a result, /etc/tuned/kernel_settings/tuned.conf has a proper ansible_managed header. -

-
-

- (BZ#2047504) -

-
-

The logging_purge_confs option no longer fails - to delete unnecessary configuration files

-

- Previously, the logging_purge_confs variable was prepared to delete - unnecessary logging configuration files, but failed to clean them up. Consequently, even though - the logging_purge_confs variable was set to true, unnecessary - configuration files were not cleaned up, but left in the configuration directory. This issue is - now fixed and the logging_purge_confs variable has been redefined - to work as follows. -

-
-
-
    -
  • - If logging_purge_confs is set to true, it removes files in rsyslog.d - which do not belong to any rpm packages. That includes configuration files generated by the - previous logging role run. The logging_purge_confs default value is false. -
  • -
-
-

- (BZ#2040812) -

-
-

Fixed a typo to support active-backup for the - correct bonding mode

-

- Previously, there was a typo,active_backup, in supporting the - InfiniBand port while specifying active-backup bonding mode. Due to - this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding - port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the - InfiniBand bonding port. -

-
-

- (BZ#2064388) -

-
-

Configuration by the Metrics role now follows symbolic links - correctly

-

- When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the Metrics - role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the Metrics role changed the - symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed - symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The - issue is now fixed and the follow: yes option to follow the - symbolic link has been added to the Metrics role. As a result, the Metrics role preserves the - symbolic links and correctly configures the main configuration file. -

-
-

- (BZ#2058655) -

-
-

The Kernel settings system role now correctly installs python3-configobj

-

- Previously, the Kernel settings role returned an error that the python3-configobj package could not be found. The role failed to find - the package because it did not install python3-configobj on managed - hosts. With this update, the role now installs python3-configobj on - managed hosts and works correctly. -

-
-

- (BZ#2058772) -

-
-

The Kdump system role does not ignore hosts anymore

-

- Previously, the Kdump role ignored managed nodes that do not have memory reserved for crash - kernel, and consequently completed with the “Success” status even when not configuring the - system correctly. The role has been redesigned to fail in cases where managed nodes do not have - memory reserved for crash kernel, and to prompt the user to set the kdump_reboot_ok variable to true to - correctly configure kdump on managed nodes. As a result, the Kdump role now does not ignore - hosts, and either completes successfully with the correct configuration, or fails with an error - message describing what users need to do to fix the issue. -

-
-

- (BZ#2029605) -

-
-

The Firewall system role now reloads the firewall immediately when target changes

-

- Previously, the Firewall system role was not reloading the firewall when the target parameter has been changed. With this fix, the Firewall role - reloads the firewall when the target changes, and as a result, the - target change is immediate and available for subsequent operations. -

-
-

- (BZ#2057172) -

-
-

Default pcsd permissions for HA Cluster system - role now allow access for group haclient

-

- Previously, when a user ran the HA Cluster system role with the default pcsd permissions that were set with the ha_cluster_pcs_permission_list variable, only members of the group - hacluster had access to the cluster. With this fix, the default - pcsd permissions allow the group haclient to manage the cluster and all members of haclient can now access and manage the cluster. -

-
-

- (BZ#2049747) -

-
-
-
-
-
-

7.12. Virtualization

-
-
-
-
-

strict NUMA binding policy no longer allows - for moving runtime memory

-

- Previously, when the strict NUMA binding policy was enabled in a VM - (<memory mode='strict'/>), attempting to move runtime memory - from that VM to another NUMA node in some cases partly or completely failed. To avoid this - problem, the strict policy now completely prohibits moving runtime - memory. -

-
-

- In addition, the restrictive policy has been added, which works like - the strict policy did previously. This means that it does allow for - moving runtime memory to other NUMA nodes, but cannot ensure that the memory is moved completely. -

-

- (BZ#2014369) -

-
-

multifd migration now works reliably -

-

- Previously, attempting to migrate a virtual machine (VM) using the multifd feature of QEMU caused the migration to fail and the VM to - terminate unexpectedly. The underlying code has been fixed, and multifd migration now works as expected. -

-
-

- (BZ#1982993) -

-
-

VM migration and snapshots no longer failing due to virtio-balloon

-

- Previously, attempting to migrate a virtual machine (VMs) with a more recent guest operating - system (such as RHEL 9) failed if the VM was using the virtio-balloon device. Similarly, creating a snapshot of such a VM - failed. This update fixes a bug in the page poison feature of virtio-balloon, which prevents the described problem from occurring. -

-
-

- (BZ#2004416) -

-
-

Hot unplugging an IBMVFC device on PowerVM now works as expected -

-

- Previously, when using a virtual machine (VM) with a RHEL 8 guest operating system on the - PowerVM hypervisor, attempting to remove an IBM Power Virtual Fibre Channel (IBMVFC) device from - the running VM failed. Instead, it displayed an outstanding translation error. The underlying code has been fixed and - live hot unplugs of IBMVFC device now work correctly on PowerVM. -

-
-

- (BZ#1959020) -

-
-
-
-
-
-

7.13. Containers

-
-
-
-
-

Rootless containers created in RHEL 8.5 and earlier using fuse-overlayfs - now recognize removed files

-

- Previously, in RHEL 8.4 and earlier, rootless images and containers were created or stored using - the fuse-overlayfs file system. Using such images and containers in RHEL 8.5 and later - introduced problems for unprivileged users using the overlayfs implementation provided by the - kernel and who had removed files or directories from a container or from an image in RHEL 8.4. - This problem did not apply to containers created by the root account. -

-
-

- As a consequence, files or directories that were removed from a container or from an image were - marked as such using the whiteout format when using the fuse-overlayfs file system. However, due to - differences in the format, the kernel overlayfs implementation did not recognize the whiteout format - created by fuse-overlayfs. As a result, any removed files or directories still appeared. This - problem did not apply to containers created by the root account. -

-

- With this update, the problem is solved. -

-

- (JIRA:RHELPLAN-92741) -

-
-
-
-
-
-
-

Chapter 8. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.6. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

8.1. RHEL for Edge

-
-
-
-
-

FDO process available as a Technology Preview

-

- The FDO process for automatic provisioning and onboarding RHEL for Edge images is available as a - Technology Preview. With that, you can build a RHEL for Edge Simplified Installer image, - provision it to a RHEL for Edge image, and use the FDO (FIDO device onboarding) process to - automatically provision and onboard your Edge devices, exchange data with other devices and - systems connected on the networks. As a result, the FIDO device onboarding protocol performs - device initialization at the manufacturing stage and then late binding to actually use the - device. -

-
-

- (BZ#1989930) -

-
-
-
-
-
-

8.2. Shells and command-line tools

-
-
-
-
-

ReaR available on the 64-bit IBM Z architecture as a Technology - Preview

-

- Basic Relax and Recover (ReaR) functionality is now available on the 64-bit IBM Z architecture - as a Technology Preview. You can create a ReaR rescue image on IBM Z only in the z/VM - environment. Backing up and recovering logical partitions (LPARs) has not been tested. -

-
-

- The only output method currently available is Initial Program Load (IPL). IPL produces a kernel and - an initial ramdisk (initrd) that can be used with the zIPL bootloader. -

-
-
Warning
-
-

- Currently, the rescue process reformats all the DASDs (Direct Attached Storage Devices) - connected to the system. Do not attempt a system recovery if there is any valuable data - present on the system storage devices. This also includes the device prepared with the zIPL bootloader, ReaR kernel, and initrd that were used to boot - into the rescue environment. Ensure to keep a copy. -

-
-
-

- For more information, see Using - a ReaR rescue image on the 64-bit IBM Z architecture. -

-

- (BZ#1868421) -

-
-
-
-
-
-

8.3. Networking

-
-
-
-
-

KTLS available as a Technology Preview

-

- RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS - records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM - cipher. KTLS also includes the interface for offloading TLS record encryption to Network - Interface Controllers (NICs) that provides this functionality. -

-
-

- (BZ#1570255) -

-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It - accompanies XDP and grants efficient redirection of - programmatically selected packets to user space applications for further processing. -

-
-

- (BZ#1633143) -

-
-

XDP features that are available as Technology Preview

-

- Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported - Technology Preview: -

-
-
-
    -
  • - Loading XDP programs on architectures other than AMD and Intel 64-bit. Note that the libxdp library is not available for architectures other than AMD - and Intel 64-bit. -
  • -
  • - The XDP hardware offloading. -
  • -
-
-

- (BZ#1889737) -

-
-

Multi-protocol Label Switching for TC available as a Technology - Preview

-

- The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route - traffic flow across enterprise networks. In an MPLS network, the router that receives packets - decides the further route of the packets based on the labels attached to the packet. With the - usage of labels, the MPLS network has the ability to handle packets with particular - characteristics. For example, you can add tc filters for managing - packets received from specific ports or carrying specific types of traffic, in a consistent way. -

-
-

- After packets enter the enterprise network, MPLS routers perform multiple operations on the packets, - such as push to add a label, swap to - update a label, and pop to remove a label. MPLS allows defining actions - locally based on one or multiple labels in RHEL. You can configure routers and set traffic control - (tc) filters to take appropriate actions on the packets based on the - MPLS label stack entry (lse) elements, such as label, traffic class, bottom of stack, and time to live. -

-

- For example, the following command adds a filter to the enp0s1 network interface to match incoming packets having the - first label 12323 and the second label 45832. On matching packets, the following actions are taken: -

-
-
    -
  • - the first MPLS TTL is decremented (packet is dropped if TTL reaches 0) -
  • -
  • - the first MPLS label is changed to 549386 -
  • -
  • -

    - the resulting packet is transmitted over enp0s2, - with destination MAC address 00:00:5E:00:53:01 - and source MAC address 00:00:5E:00:53:02 -

    -
    # tc filter add dev enp0s1 ingress protocol mpls_uc flower mpls lse depth 1 label 12323 lse depth 2 label 45832 \
    -action mpls dec_ttl pipe \
    -action mpls modify label 549386 pipe \
    -action pedit ex munge eth dst set 00:00:5E:00:53:01 pipe \
    -action pedit ex munge eth src set 00:00:5E:00:53:02 pipe \
    -action mirred egress redirect dev enp0s2
    -
  • -
-
-

- (BZ#1814836, BZ#1856415) -

-
-

The systemd-resolved service is now available - as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, an Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- (BZ#1906489) -

-
-
-
-
-
-

8.4. Kernel

-
-
-
-
-

The kexec fast reboot feature is available as - a Technology Preview

-

- The kexec fast reboot feature continues to be available as a - Technology Preview. The kexec fast reboot significantly speeds the - boot process as the kernel enables booting directly into the second kernel without passing - through the Basic Input/Output System (BIOS) first. To use this feature: -

-
-
-
    -
  1. - Load the kexec kernel manually. -
  2. -
  3. - Reboot the operating system. -
  4. -
-
-

- (BZ#1769727) -

-
-

The accel-config package available as a - Technology Preview

-

- The accel-config package is now available on Intel EM64T and AMD64 architectures as a - Technology Preview. This package helps in controlling and configuring data-streaming accelerator - (DSA) sub-system in the Linux Kernel. Also, it configures devices through sysfs (pseudo-filesystem), saves and loads the configuration in the - json format. -

-
-

- (BZ#1843266) -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms - using the Flexible Launch Control mechanism - to use the SGX technology. -

-
-

- (BZ#1660337) -

-
-

eBPF available as a - Technology Preview

-

- Extended Berkeley Packet Filter (eBPF) is an - in-kernel virtual machine that allows code execution in the kernel space, in the restricted - sandbox environment with access to a limited set of functions. -

-
-

- The virtual machine includes a new system call bpf(), which enables - creating various types of maps, and also allows to load programs in a special assembly-like code. - The code is then loaded to the kernel and translated to the native machine code with just-in-time - compilation. Note that the bpf() syscall can be successfully used only - by a user with the CAP_SYS_ADMIN capability, such as the root user. See - the bpf(2) manual page for more information. -

-

- The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet - reception) to receive and process data. -

-

- There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a - different development phase. All components are available as a Technology Preview, unless a specific - component is indicated as supported. -

-

- The following notable eBPF components are - currently available as a Technology Preview: -

-
-
    -
  • - AF_XDP, a socket for connecting the eXpress Data Path (XDP) path to user space - for applications that prioritize packet processing performance. -
  • -
-
-

- (BZ#1559616) -

-
-

The Intel data streaming accelerator driver for kernel is available as a - Technology Preview

-

- The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a - Technology Preview. It is an Intel CPU integrated accelerator and includes a shared work queue - with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- (BZ#1837187) -

-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol that - implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which maintains - two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL - 8. -

-
-

- (BZ#1605216) -

-
-

The stmmac driver is available as a Technology - Preview

-

- Red Hat provides the usage of stmmac for Intel® Elkhart Lake - systems on a chip (SoCs) as an unsupported Technology Preview. -

-
-

- (BZ#1905243) -

-
-
-
-
-
-

8.5. File systems and storage

-
-
-
-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8, the file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address space. To - use DAX, a system must have some form of persistent memory available, usually in the form of one - or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that provides the - capability of DAX must be created on the NVDIMM(s). Also, the file system must be mounted with - the dax mount option. Then, a mmap of - a file on the dax-mounted file system results in a direct mapping of storage into the - application’s address space. -

-
-

- (BZ#1627455) -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top of - another. Changes are recorded in the upper file system, while the lower file system remains - unmodified. This allows multiple users to share a file-system image, such as a container or a - DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings - when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other specialized - use cases, such as squashed kdump initramfs. Its use is - supported primarily for container COW content, not for persistent storage. You must place - any persistent storage on non-OverlayFS volumes. You can use only the default container - engine configuration: one level of overlay, one lowerdir, and both lower and upper levels - are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might change - in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped with - MAP_SHARED are inconsistent with subsequent - modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on RHEL - 8, but you can enable full POSIX compliance for them with a module option or - mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and index=on options to improve POSIX compliance. - These two options make the format of the upper layer incompatible with an - overlay without these options. That is, you might get unexpected results or - errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, use - the following command and see if the ftype=1 option is - enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel - documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- (BZ#1690207) -

-
-

Stratis is now available as a Technology Preview

-

- Stratis is a new local storage manager. It provides managed file systems on top of pools of - storage with additional features to the user. -

-
-

- Stratis enables you to more easily perform storage tasks such as: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- RHEL 8.3 updated Stratis to version 2.1.0. For more information, see Stratis 2.1.0 Release - Notes. -

-

- (JIRA:RHELPLAN-1212) -

-
-

Setting up a Samba server on an IdM domain member is provided as a - Technology Preview

-

- With this update, you can now set up a Samba server on an Identity Management (IdM) domain - member. The new ipa-client-samba utility provided by the same-named - package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For - example, the utility creates the /etc/samba/smb.conf with the ID - mapping configuration for the sss ID mapping back end. As a result, - administrators can now set up Samba on an IdM domain member. -

-
-

- Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts - cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support - resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) - protocols. As a consequence, AD users can only access the Samba shares and printers from IdM - clients. -

-

- For details, see Setting - up Samba on an IdM domain member. -

-

- (JIRA:RHELPLAN-13195) -

-
-

NVMe/TCP host is available as a Technology Preview

-

- Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) - and its corresponding nvme_tcp.ko kernel module has been added as a - Technology Preview. The use of NVMe/TCP as a host is manageable with tools provided by the nvme-cli package. The NVMe/TCP host Technology Preview is included - only for testing purposes and is not currently planned for full support. -

-
-

- (BZ#1696451) -

-
-
-
-
-
-

8.6. High availability and clusters

-
-
-
-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on Podman, with the container bundle feature being available - as a Technology Preview. There is one exception to this feature being Technology Preview: Red - Hat fully supports the use of Pacemaker bundles for Red Hat Openstack. -

-
-

- (BZ#1619620) -

-
-

Heuristics in corosync-qdevice available as a - Technology Preview

-

- Heuristics are a set of commands executed locally on startup, cluster membership change, - successful connect to corosync-qnetd, and, optionally, on a - periodic basis. When all commands finish successfully on time (their return error code is zero), - heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which - partition should be quorate. -

-
-

- (BZ#1784200) -

-
-

New fence-agents-heuristics-ping fence - agent

-

- As a Technology Preview, Pacemaker now provides the fence_heuristics_ping agent. This agent aims to open a class of - experimental fence agents that do no actual fencing by themselves but instead exploit the - behavior of fencing levels in a new way. -

-
-

- If the heuristics agent is configured on the same fencing level as the fence agent that does the - actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the - agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to - succeed, causing Pacemaker fencing to skip the step of issuing the off - action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent - the agent that does the actual fencing from fencing a node under certain conditions. -

-

- A user might want to use this agent, especially in a two-node cluster, when it would not make sense - for a node to fence the peer if it can know beforehand that it would not be able to take over the - services properly. For example, it might not make sense for a node to take over services if it has - problems reaching the networking uplink, making the services unreachable to clients, a situation - which a ping to a router might detect in that case. -

-

- (BZ#1775847) -

-
-

Automatic removal of location constraint following resource move available - as a Technology Preview

-

- When you execute the pcs resource move command, this adds a - constraint to the resource to prevent it from running on the node on which it is currently - running. A new --autodelete option for the pcs resource move command is now available as a Technology Preview. - When you specify this option, the location constraint that the command creates is automatically - removed once the resource has been moved. -

-
-

- (BZ#1847102) -

-
-
-
-
-
-

8.7. Identity Management

-
-
-
-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- (BZ#1664719) -

-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

- -

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- (BZ#1664718) -

-
-

ACME available as a Technology Preview

-

- The Automated Certificate Management Environment (ACME) service is now available in Identity - Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation - and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and - avoiding manual processes from certificate lifecycle management. -

-
-

- In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS - ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM - deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity - period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire - IdM deployment. -

-
-
Important
-
-

- It is recommended to enable ACME only in an IdM deployment where all servers are running - RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause - problems in mixed-version deployments. For example, a CA server without ACME can cause - client connections to fail, because it uses a different DNS Subject Alternative Name (SAN). -

-
-
-
-
Warning
-
-

- Currently, RHCS does not remove expired certificates. Because ACME certificates expire after - 90 days, the expired certificates can accumulate and this can affect performance. -

-
-
-
-
    -
  • -

    - To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command: -

    -
    # ipa-acme-manage enable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command: -

    -
    # ipa-acme-manage disable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To check whether the ACME service is installed and if it is enabled or disabled, use the - ipa-acme-manage status command: -

    -
    # ipa-acme-manage status
    -ACME is enabled
    -The ipa-acme-manage command was successful
    -
  • -
-
-

- (BZ#1628987) -

-
-
-
-
-
-

8.8. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is now available for the 64-bit ARM architecture as a Technology - Preview. This enables administrators to configure and manage servers from a graphical user - interface (GUI) remotely, using the VNC session. -

-
-

- As a consequence, new administration applications are available on the 64-bit ARM architecture. For - example: Disk Usage Analyzer (baobab), Firewall - Configuration (firewall-config), Red Hat Subscription Manager (subscription-manager), or the Firefox web browser. Using Firefox, administrators can connect to the local - Cockpit daemon remotely. -

-

- (JIRA:RHELPLAN-27394, BZ#1667225, BZ#1667516, BZ#1724302) -

-
-

GNOME desktop on IBM Z is available as a Technology Preview

-

- The GNOME desktop, including the Firefox web browser, is now available as a Technology Preview - on the IBM Z architecture. You can now connect to a remote graphical session running GNOME using - VNC to configure and manage your IBM Z servers. -

-
-

- (JIRA:RHELPLAN-27737) -

-
-
-
-
-
-

8.9. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available - as a Technology Preview. Note that the rest of the graphics stack is currently unverified for - the 64-bit ARM architecture. -

-
-

- (BZ#1698565) -

-
-
-
-
-
-

8.10. The web console

-
-
-
-
-

Stratis available as a Technology Preview in the RHEL web console -

-

- With this update, the Red Hat Enterprise Linux web console provides the ability to manage - Stratis storage as a Technology Preview. -

-
-

- To learn more about Stratis, see What - is Stratis. -

-

- (JIRA:RHELPLAN-108438) -

-
-
-
-
-
-

8.11. Virtualization

-
-
-
-
-

AMD SEV and SEV-ES for KVM virtual machines

-

- As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts the VM’s memory to protect the VM from access by the host. This increases the security - of the VM. -

-
-

- In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology - Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host - from modifying the VM’s CPU registers or reading any information from them. -

-

- Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. - Also note that RHEL 8 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security - attestation. -

-

- (BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677) -

-
-

Intel vGPU

-

- As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. -

-

- In addition, it is possible to enable a VNC console operated by Intel vGPU. By enabling it, users - can connect to a VNC console of the VM and see the VM’s desktop hosted by Intel vGPU. However, this - currently only works for RHEL guest operating systems. -

-

- (BZ#1528684) -

-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on Intel, AMD64, IBM POWER, and IBM Z systems hosts with RHEL 8. With this feature, a - RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its - own VMs. -

-
-

- (JIRA:RHELPLAN-14047, JIRA:RHELPLAN-24437) -

-
-

Technology Preview: Select Intel network adapters now provide SR-IOV in - RHEL guests on Hyper-V

-

- As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V - hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network - adapters that are supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions - are met: -

-
-
-
    -
  • - SR-IOV support is enabled for the network interface controller (NIC) -
  • -
  • - SR-IOV support is enabled for the virtual NIC -
  • -
  • - SR-IOV support is enabled for the virtual switch -
  • -
  • - The virtual function (VF) from the NIC is attached to the virtual machine -
  • -
-
-

- The feature is currently provided with Microsoft Windows Server 2016 and later. -

-

- (BZ#1348508) -

-
-

Sharing files between hosts and VMs using virtiofs

-

- As a Technology Preview, RHEL 8 now provides the virtio file system (virtiofs). Using virtiofs, you can - efficiently share files between your host system and its virtual machines (VM). -

-
-

- (BZ#1741615) -

-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines -

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a - Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel and AMD systems. In addition, nested - virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the following - Microsoft documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- (BZ#1519039) -

-
-
-
-
-
-

8.12. Containers

-
-
-
-
-

Toolbox is available as a Technology Preview

-

- Previously, the Toolbox utility was based on RHEL CoreOS github.com/coreos/toolbox. With this - release, Toolbox has been replaced with github.com/containers/toolbox. -

-
-

- (JIRA:RHELPLAN-77238) -

-
-

The Netavark network stack is available as a Technology Preview -

-

- Before Podman version 4.1.1-7, the Netavark network stack for containers is available as a - Technology Preview. -

-
-

- This network stack has the following capabilities: -

-
-
    -
  • - Configuration of container networks using the JSON configuration file -
  • -
  • - Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces -
  • -
  • - Configuring firewall settings, such as network address translation (NAT) and port mapping - rules -
  • -
  • - IPv4 and IPv6 -
  • -
  • - Improved capability for containers in multiple networks -
  • -
  • - Container DNS resolution using the aardvark-dns project -
  • -
-
-
-
Note
-
-

- You have to use the same version of Netavark stack and the aardvark-dns authoritative DNS server. -

-
-
-

- (JIRA:RHELPLAN-137622) -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- (JIRA:RHELDOCS-16861) -

-
-
-
-
-
-
-

Chapter 9. Deprecated functionality

-
-
-
-

- This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8. -

-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

9.1. Installer and image creation

-
-
-
-
-

Several Kickstart commands and options have been deprecated

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in the - logs: -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still available - and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- (BZ#1642765) -

-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you modify - your Kickstart file to remove the option. -

-
-

- (BZ#1637872) -

-
-

The Kickstart autostep command has been - deprecated

-

- The autostep command has been deprecated. The related section about - this command has been removed from the RHEL - 8 documentation. -

-
-

- (BZ#1904251) -

-
-
-
-
-
-

9.2. Software management

-
-
-
-
-

rpmbuild --sign is deprecated

-

- The rpmbuild --sign command is deprecated since RHEL 8.1. Using - this command in future releases of Red Hat Enterprise Linux can result in an error. It is - recommended that you use the rpmsign command instead. -

-
-

- (BZ#1688849) -

-
-
-
-
-
-

9.3. Shells and command-line tools

-
-
-
-
-

The OpenEXR component has been - deprecated

-

- The OpenEXR component has been deprecated. Hence, the support for - the EXR image format has been dropped from the imagecodecs module. -

-
-

- (BZ#1886310) -

-
-

The dump utility from the dump package has been deprecated

-

- The dump utility used for backup of file systems has been - deprecated and will not be available in RHEL 9. -

-
-

- In RHEL 9, Red Hat recommends using the tar, dd, or bacula, backup utility, based on type - of usage, which provides full and safe backups on ext2, ext3, and ext4 file systems. -

-

- Note that the restore utility from the dump package remains available and supported in RHEL 9 and is available - as the restore package. -

-

- (BZ#1997366) -

-
-

The ABRT tool has been deprecated

-

- The Automatic Bug Reporting Tool (ABRT) for detecting and reporting application crashes has been - deprecated in RHEL 8. As a replacement, use the systemd-coredump - tool to log and store core dumps, which are automatically generated files after a program - crashes. -

-
-

- (BZ#2055826) -

-
-

The ReaR crontab has been deprecated

-

- The /etc/cron.d/rear crontab from the rear package has been deprecated in RHEL 8 and will not be available - in RHEL 9. The crontab checks every night whether the disk layout has changed, and runs rear mkrescue command if a change happened. -

-
-

- If you require this functionality, after an upgrade to RHEL 9, configure periodic runs of ReaR - manually. -

-

- (BZ#2083301) -

-
-

The hidepid=n mount option is not supported in - RHEL 8 systemd

-

- The mount option hidepid=n, which controls who can access - information in /proc/[pid] directories, is not compatible with - systemd infrastructure provided in RHEL 8. -

-
-

- In addition, using this option might cause certain services started by systemd to produce SELinux AVC denial messages and prevent other - operations from completing. -

-

- For more information, see the related Is mounting /proc with "hidepid=2" - recommended with RHEL7 and RHEL8?. -

-

- (BZ#2038929) -

-
-

The /usr/lib/udev/rename_device utility has - been deprecated

-

- The udev helper utility /usr/lib/udev/rename_device for renaming network interfaces has been - deprecated. -

-
-

- (BZ#1875485) -

-
-
-
-
-
-

9.4. Security

-
-
-
-
-

NSS SEED ciphers are deprecated

-

- The Mozilla Network Security Services (NSS) library will not - support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth - transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends - enabling support for other cipher suites. -

-
-

- Note that SEED ciphers are already disabled by default in RHEL. -

-

- (BZ#1817533) -

-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal - and the update-crypto-policies(8) man page. -

-

- (BZ#1660839) -

-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. - Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note - that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- (BZ#1646541) -

-
-

SSL2 Client Hello - has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and earlier - allow to start a negotiation with a Client Hello message formatted - in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature - may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- (BZ#1645153) -

-
-

TPM 1.2 is deprecated

-

- The Trusted Platform Module (TPM) secure cryptoprocessor standard version was updated to version - 2.0 in 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible - with the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next - major release. -

-
-

- (BZ#1657927) -

-
-

crypto-policies derived properties are now - deprecated

-

- With the introduction of scopes for crypto-policies directives in - custom policies, the following derived properties have been deprecated: tls_cipher, ssh_cipher, ssh_group, ike_protocol, and sha1_in_dnssec. Additionally, the use of the protocol property without specifying a scope is now deprecated as - well. See the crypto-policies(7) man page for recommended - replacements. -

-
-

- (BZ#2011208) -

-
-

Runtime disabling SELinux using /etc/selinux/config is now deprecated

-

- Runtime disabling SELinux using the SELINUX=disabled option in the - /etc/selinux/config file has been deprecated. In RHEL 9, when you - disable SELinux only through /etc/selinux/config, the system starts - with SELinux enabled but with no policy loaded. -

-
-

- If your scenario really requires to completely disable SELinux, Red Hat recommends disabling SELinux - by adding the selinux=0 parameter to the kernel command line as - described in the Changing - SELinux modes at boot time section of the Using - SELinux title. -

-

- (BZ#1932222) -

-
-

The ipa SELinux module removed from selinux-policy

-

- The ipa SELinux module has been removed from the selinux-policy package because it is no longer maintained. The - functionality is now included in the ipa-selinux subpackage. -

-
-

- If your scenario requires the use of types or interfaces from the ipa - module in a local SELinux policy, install the ipa-selinux package. -

-

- (BZ#1461914) -

-
-

fapolicyd.rules is deprecated

-

- The /etc/fapolicyd/rules.d/ directory for files containing allow - and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility. -

-
-

- (BZ#2054741) -

-
-
-
-
-
-

9.5. Networking

-
-
-
-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by - default. The basic installation provides a new version of the ifup - and ifdown scripts which call the NetworkManager service through - the nmcli tool. In Red Hat Enterprise Linux - 8, to run the ifup and the ifdown - scripts, NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts - are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
~]# yum install network-scripts
-

- The ifup and ifdown scripts link to the - installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- (BZ#1647725) -

-
-

The dropwatch tool is deprecated

-

- The dropwatch tool has been deprecated. The tool will not be - supported in future releases, thus it is not recommended for new deployments. As a replacement - of this package, Red Hat recommends to use the perf - command line tool. -

-
-

- For more information on using the perf command line tool, - see the Getting - started with Perf section on the Red Hat customer portal or the perf man page. -

-

- (BZ#1929173) -

-
-

The cgdcbxd package is deprecated

-

- Control group data center bridging exchange daemon (cgdcbxd) is a - service to monitor data center bridging (DCB) netlink events and manage the net_prio control group subsystem. Starting with RHEL 8.5, the cgdcbxd package is deprecated and will be removed in the next major - RHEL release. -

-
-

- (BZ#2006665) -

-
-

The xinetd service has been - deprecated

-

- The xinetd service has been deprecated and will be removed in RHEL - 9. As a replacement, use systemd. For further details, see How to convert xinetd - service to systemd. -

-
-

- (BZ#2009113) -

-
-

The WEP Wi-Fi connection method is deprecated

-

- The insecure wired equivalent privacy (WEP) Wi-Fi connection method is deprecated in RHEL 8.6 - and will be removed in RHEL 9.0. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 - (WPA3) or WPA2 connection methods. -

-
-

- (BZ#2029338) -

-
-

The unsupported xt_u32 module is now - deprecated

-

- Using the unsupported xt_u32 module, users of iptables can match arbitrary 32 bits in the packet header or payload. - In RHEL 8.6, the xt_u32 module is deprecated and will be removed in - RHEL 9. -

-
-

- If you use xt_u32, migrate to the nftables - packet filtering framework. For example, first change your firewall to use iptables with native matches to incrementally replace individual rules, - and later use the iptables-translate and accompanying utilities to - migrate to nftables. If no native match exists in nftables, use the raw payload matching feature of nftables. For details, see the raw payload expression section in the nft(8) - man page. -

-

- (BZ#2061288) -

-
-

The term slaves is deprecated in the nmstate API

-

- Red Hat is committed to using conscious language. Therefore the slaves term is deprecated in the Nmstate API. Use the term port when you use nmstatectl. -

-
-

- (JIRA:RHELDOCS-17641) -

-
-
-
-
-
-

9.6. Kernel

-
-
-
-
-

Kernel live patching now covers all RHEL minor releases

-

- Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of - RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important - Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently - covered kernels and use cases, the support window for each live patch will be decreased from 12 - to 6 months for every minor, major and zStream version of the kernel. It means that on the day a - kernel live patch is released, it will cover every minor release and scheduled errata kernel - delivered in the past 6 months. For example, 8.4.x will have a one-year support window, but - 8.4.x+1 will have 6 months. -

-
-

- For more information about this feature, see Applying - patches with kernel live patching. -

-

- For details about available kernel live patches, see Kernel Live Patch life cycles. -

-

- (BZ#1958250) -

-
-

Installing RHEL for Real Time 8 using diskless boot is now - deprecated

-

- Diskless booting allows multiple systems to share a root file system through the network. While - convenient, diskless boot is prone to introducing network latency in real-time workloads. With a - future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be - supported. -

-
-

- (BZ#1748980) -

-
-

The Linux firewire sub-system and its - associated user-space components are deprecated in RHEL 8

-

- The firewire sub-system provides interfaces to use and maintain any - resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer - be supported in the kernel package. Note that firewire contains several user-space components provided by the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as - well. -

-
-

- (BZ#1871863) -

-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is - a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is - available as an unsupported Technology Preview. However, due to stability issues, this feature - has been deprecated and will be removed in RHEL 9. -

-
-

- (BZ#1878207) -

-
-
-
-
-
-

9.7. Boot loader

-
-
-
-
-

The kernelopts environment variable has been - deprecated

-

- In RHEL 8, the kernel command-line parameters for systems using the GRUB2 bootloader were - defined in the kernelopts environment variable. The variable was - stored in the /boot/grub2/grubenv file for each kernel boot entry. - However, storing the kernel command-line parameters using kernelopts was not robust. Therefore, with a future major update of - RHEL, kernelopts will be removed and the kernel command-line - parameters will be stored in the Boot Loader Specification (BLS) snippet instead. -

-
-

- (BZ#2060759) -

-
-
-
-
-
-

9.8. File systems and storage

-
-
-
-
-

VDO write modes other than async are - deprecated

-

- VDO supports several write modes in RHEL 8: -

-
-
-
    -
  • - sync -
  • -
  • - async -
  • -
  • - async-unsafe -
  • -
  • - auto -
  • -
-
-

- Starting with RHEL 8.4, the following write modes are deprecated: -

-
-
-
sync
-
- Devices above the VDO layer cannot recognize if VDO is synchronous, and consequently, the - devices cannot take advantage of the VDO sync mode. -
-
async-unsafe
-
- VDO added this write mode as a workaround for the reduced performance of async mode, which complies to Atomicity, Consistency, Isolation, - and Durability (ACID). Red Hat does not recommend async-unsafe - for most use cases and is not aware of any users who rely on it. -
-
auto
-
- This write mode only selects one of the other write modes. It is no longer necessary when - VDO supports only a single write mode. -
-
-
-

- These write modes will be removed in a future major RHEL release. -

-

- The recommended VDO write mode is now async. -

-

- For more information on VDO write modes, see Selecting - a VDO write mode. -

-

- (JIRA:RHELPLAN-70700) -

-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. - This change affects only NFS version 3 because version 4 requires the Transmission Control - Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- (BZ#1592011) -

-
-

cramfs has been deprecated

-

- Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution. -

-
-

- (BZ#1794513) -

-
-

VDO manager has been deprecated

-

- The python-based VDO management software has been deprecated and will be removed from RHEL 9. In - RHEL 9, it will be replaced by the LVM-VDO integration. Therefore, it is recommended to create - VDO volumes using the lvcreate command. -

-
-

- The existing volumes created using the VDO management software can be converted using the /usr/sbin/lvm_import_vdo script, provided by the lvm2 package. For more information on the LVM-VDO implementation, see Deduplicating - and compressing logical volumes on RHEL. -

-

- (BZ#1949163) -

-
-

The elevator kernel command line parameter is - deprecated

-

- The elevator kernel command line parameter was used in earlier RHEL - releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is typically - the optimal setting. If you require a different scheduler, Red Hat recommends that you use udev rules or the TuneD service to configure it. Match the selected - devices and switch the scheduler only for those devices. -

-

- For more information, see Setting - the disk scheduler. -

-

- (BZ#1665295) -

-
-

LVM mirror is deprecated

-

- The LVM mirror segment type is now deprecated. Support for mirror will be removed in a future major release of RHEL. -

-
-

- Red Hat recommends that you use LVM RAID 1 devices with a segment type of raid1 instead of mirror. The raid1 segment type is the default RAID configuration type and replaces - mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 logical volume. -

-

- LVM mirror has several known issues. For details, see known issues - in file systems and storage. -

-

- (BZ#1827628) -

-
-

peripety is deprecated

-

- The peripety package is deprecated since RHEL 8.3. -

-
-

- The Peripety storage event notification daemon parses system storage logs into structured storage - events. It helps you investigate storage issues. -

-

- (BZ#1871953) -

-
-
-
-
-
-

9.9. High availability and clusters

-
-
-
-
-

pcs commands that support the clufter tool have been deprecated

-

- The pcs commands that support the clufter tool for analyzing cluster configuration formats have been - deprecated. These commands now print a warning that the command has been deprecated and sections - related to these commands have been removed from the pcs help - display and the pcs(8) man page. -

-
-

- The following commands have been deprecated: -

-
-
    -
  • - pcs config import-cman for importing CMAN / RHEL6 HA cluster - configuration -
  • -
  • - pcs config export for exporting cluster configuration to a list - of pcs commands which recreate the same cluster -
  • -
-
-

- (BZ#1851335) -

-
-
-
-
-
-

9.10. Dynamic programming languages, web and database servers

-
-
-
-
-

The mod_php module provided with PHP for use - with the Apache HTTP Server has been deprecated

-

- The mod_php module provided with PHP for use with the Apache HTTP - Server in RHEL 8 is available but not enabled in the default configuration. The module is no - longer available in RHEL 9. -

-
-

- Since RHEL 8, PHP scripts are run using the FastCGI Process Manager (php-fpm) by default. For more information, see Using - PHP with the Apache HTTP Server. -

-

- (BZ#2225332) -

-
-
-
-
-
-

9.11. Compilers and development tools

-
-
-
-
-

libdwarf has been deprecated

-

- The libdwarf library has been deprecated in RHEL 8. The library - will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for - applications that wish to process ELF/DWARF files. -

-
-

- Alternatives for the libdwarf-tools dwarfdump program are the binutils readelf program or the elfutils eu-readelf program, both used by passing the --debug-dump flag. -

-

- (BZ#1920624) -

-
-

The gdb.i686 packages are deprecated -

-

- In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another - package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions - of GDB, gdb.x86_64, are fully capable of debugging 32-bit - applications. -

-
-

- If you use gdb.i686, note the following important issues: -

-
-
    -
  • - The gdb.i686 packages will no longer be updated. Users must - install gdb.x86_64 instead. -
  • -
  • - If you have gdb.i686 installed, installing gdb.x86_64 will cause dnf to report - package gdb-8.2-14.el8.x86_64 obsoletes gdb < 8.2-14.el8 provided by gdb-8.2-12.el8.i686. - This is expected. Either uninstall gdb.i686 or pass dnf the --allowerasing option to - remove gdb.i686 and install gdb.x8_64. -
  • -
  • - Users will no longer be able to install the gdb.i686 packages - on 64-bit systems, that is, those with the libc.so.6()(64-bit) - packages. -
  • -
-
-

- (BZ#1853140) -

-
-
-
-
-
-

9.12. Identity Management

-
-
-
-
-

openssh-ldap has been deprecated

-

- The openssh-ldap subpackage has been deprecated in Red Hat - Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat - recommends using SSSD and the sss_ssh_authorizedkeys helper, which - integrate better with other IdM solutions and are more secure. -

-
-

- By default, the SSSD ldap and ipa - providers read the sshPublicKey LDAP attribute of the user object, if - available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from - Active Directory (AD), since AD does not have a default LDAP attribute to store a public key. -

-

- To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, - enable the ssh responder by adding ssh to - the services option in the sssd.conf file. - See the sssd.conf(5) man page for details. -

-

- To allow sshd to use sss_ssh_authorizedkeys, add the AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page. -

-

- (BZ#1871025) -

-
-

DES and 3DES encryption types have been removed

-

- Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and - disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) - and triple-DES (3DES) encryption types have been removed from RHEL 8. -

-
-

- If you have configured services or users to only use DES or 3DES encryption, you might experience - service interruptions such as: -

-
-
    -
  • - Kerberos authentication errors -
  • -
  • - unknown enctype encryption errors -
  • -
  • - Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (K/M) fail to start -
  • -
-
-

- Perform the following actions to prepare for the upgrade: -

-
-
    -
  1. - Check if your KDC uses DES or 3DES encryption with the krb5check open source Python scripts. See krb5check on GitHub. -
  2. -
  3. - If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a - supported encryption type, such as Advanced Encryption Standard (AES). For instructions on - re-keying, see Retiring - DES from MIT Kerberos Documentation. -
  4. -
  5. -

    - Test independence from DES and 3DES by temporarily setting the following Kerberos - options before upgrading: -

    -
    -
      -
    1. - In /var/kerberos/krb5kdc/kdc.conf on the KDC, set - supported_enctypes and do not include des or des3. -
    2. -
    3. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set allow_weak_crypto to false. It is false by default. -
    4. -
    5. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set permitted_enctypes, default_tgs_enctypes, and default_tkt_enctypes, and do not include des or des3. -
    6. -
    -
    -
  6. -
  7. - If you do not experience any service interruptions with the test Kerberos settings from the - previous step, remove them and upgrade. You do not need those settings after upgrading to - the latest Kerberos packages. -
  8. -
-
-

- (BZ#1877991) -

-
-

Standalone use of the ctdb service has been - deprecated

-

- Since RHEL 8.4, customers are advised to use the ctdb clustered - Samba service only when both of the following conditions apply: -

-
-
-
    -
  • - The ctdb service is managed as a pacemaker resource with the resource-agent ctdb. -
  • -
  • - The ctdb service uses storage volumes that contain either a - GlusterFS file system provided by the Red Hat Gluster Storage product or a GFS2 file system. -
  • -
-
-

- The stand-alone use case of the ctdb service has been deprecated and - will not be included in a next major release of Red Hat Enterprise Linux. For further information on - support policies for Samba, see the Knowledgebase article Support Policies for RHEL Resilient Storage - - ctdb General Policies. -

-

- (BZ#1916296) -

-
-

Running Samba as a PDC or BDC is deprecated

-

- The classic domain controller mode that enabled administrators to run Samba as an NT4-like - primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and - settings to configure these modes will be removed in a future Samba release. -

-
-

- As long as the Samba version in RHEL 8 provides the PDC and BDC modes, Red Hat supports these modes - only in existing installations with Windows versions which support NT4 domains. Red Hat recommends - not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and - Windows Server 2008 R2 do not support NT4 domains. -

-

- If you use the PDC to authenticate only Linux users, Red Hat suggests migrating to Red Hat Identity Management - (IdM) that is included in RHEL subscriptions. However, you cannot join Windows systems to an - IdM domain. Note that Red Hat continues supporting the PDC functionality IdM uses in the background. -

-

- Red Hat does not support running Samba as an AD domain controller (DC). -

-

- (BZ#1926114) -

-
-

Indirect AD integration with IdM via WinSync has been deprecated -

-

- WinSync is no longer actively developed in RHEL 8 due to several functional limitations: -

-
-
-
    -
  • - WinSync supports only one Active Directory (AD) domain. -
  • -
  • - Password synchronization requires installing additional software on AD Domain Controllers. -
  • -
-
-

- For a more robust solution with better resource and security separation, Red Hat recommends using a - cross-forest trust for indirect integration with - Active Directory. See the Indirect - integration documentation. -

-

- (JIRA:RHELPLAN-100400) -

-
-

The SSSD version of libwbclient has been - removed

-

- The SSSD implementation of the libwbclient package was deprecated - in RHEL 8.4. As it cannot be used with recent versions of Samba, the SSSD implementation of - libwbclient has now been removed. -

-
-

- (BZ#1947671) -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- Jira:RHELDOCS-16612 -

-
-

Limited support for FreeRADIUS

-

- In RHEL 8, the following external authentication modules are deprecated as part of the - FreeRADIUS offering: -

-
-
-
    -
  • - The MySQL, PostgreSQL, SQlite, and unixODBC database connectors -
  • -
  • - The Perl language module -
  • -
  • - The REST API module -
  • -
-
-
-
Note
-
-

- The PAM authentication module and other authentication modules that are provided as part of - the base package are not affected. -

-
-
-

- You can find replacements for the deprecated modules in community-supported packages, for example in - the Fedora project. -

-

- In addition, the scope of support for the freeradius package will be - limited to the following use cases in future RHEL releases: -

-
-
    -
  • - Using FreeRADIUS as an authentication provider with Identity Management (IdM) as the backend - source of authentication. The authentication occurs through the krb5 and LDAP authentication packages or as PAM authentication in - the main FreeRADIUS package. -
  • -
  • - Using FreeRADIUS to provide a source-of-truth for authentication in IdM, through the Python - 3 authentication package. -
  • -
-
-

- In contrast to these deprecations, Red Hat will strengthen the support of the following external - authentication modules with FreeRADIUS: -

-
-
    -
  • - Authentication based on krb5 and LDAP -
  • -
  • - Python 3 authentication -
  • -
-
-

- The focus on these integration options is in close alignment with the strategic direction of Red Hat - IdM. -

-

- Jira:RHELDOCS-17573 -

-
-
-
-
-
-

9.13. Desktop

-
-
-
-
-

The libgnome-keyring library has been - deprecated

-

- The libgnome-keyring library has been deprecated in favor of the - libsecret library, as libgnome-keyring - is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. - The new libsecret library is the replacement that follows the - necessary security standards. -

-
-

- (BZ#1607766) -

-
-
-
-
-
-

9.14. Graphics infrastructures

-
-
-
-
-

AGP graphics cards are no longer supported

-

- Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat - Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement. -

-
-

- (BZ#1569610) -

-
-

Motif has been deprecated

-

- The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif - community is inactive. -

-
-

- The following Motif packages have been deprecated, including their development and debugging - variants: -

-
-
    -
  • - motif -
  • -
  • - openmotif -
  • -
  • - openmotif21 -
  • -
  • - openmotif22 -
  • -
-
-

- Additionally, the motif-static package has been removed. -

-

- Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new - features compared to Motif. -

-

- (JIRA:RHELPLAN-98983) -

-
-
-
-
-
-

9.15. The web console

-
-
-
-
-

The web console no longer supports incomplete translations

-

- The RHEL web console no longer provides translations for languages that have translations - available for less than 50 % of the Console’s translatable strings. If the browser requests - translation to such a language, the user interface will be in English instead. -

-
-

- (BZ#1666722) -

-
-

The remotectl command is deprecated -

-

- The remotectl command has been deprecated and will not be available - in future releases of RHEL. You can use the cockpit-certificate-ensure command as a replacement. However, note - that cockpit-certificate-ensure does not have feature parity with - remotectl. It does not support bundled certificates and keychain - files and requires them to be split out. -

-
-

- (JIRA:RHELPLAN-147538) -

-
-
-
-
-
-

9.16. Red Hat Enterprise Linux system roles

-
-
-
-
-

The networking system role displays a - deprecation warning when configuring teams on RHEL 9 nodes

-

- The network teaming capabilities have been deprecated in RHEL 9. As a result, using the networking RHEL system role on an RHEL 8 controller to configure a - network team on RHEL 9 nodes, shows a warning about its deprecation. -

-
-

- (BZ#2021685) -

-
-

Ansible Engine has been deprecated

-

- Previous versions of RHEL 8 provided access to an Ansible Engine repository, with a limited - scope of support, to enable supported RHEL Automation use cases, such as RHEL system roles and - Insights remedations. Ansible Engine has been deprecated, and Ansible Engine 2.9 will have no - support after September 29, 2023. For more details on the supported use cases, see Scope of support for the - Ansible Core package included in the RHEL 9 AppStream. -

-
-

- Users must manually migrate their systems from Ansible Engine to Ansible Core. For that, follow the - steps: -

-
-

Procedure

-
    -
  1. -

    - Check if the system is running RHEL 8.6: -

    -
    # cat /etc/redhat-release
    -
  2. -
  3. -

    - Uninstall Ansible Engine 2.9: -

    -
    # yum remove ansible
    -
  4. -
  5. -

    - Disable the ansible-2-for-rhel-8-x86_64-rpms repository: -

    -
    # subscription-manager repos --disable
    -ansible-2-for-rhel-8-x86_64-rpms
    -
  6. -
  7. -

    - Install the Ansible Core package from the RHEL 8 AppStream repository: -

    -
    # yum install ansible-core
    -
  8. -
-
-

- For more details, see: Using - Ansible in RHEL 8.6 and later. -

-

- (BZ#2006081) -

-
-

The geoipupdate package has been - deprecated

-

- The geoipupdate package requires a third-party subscription and it - also downloads proprietary content. Therefore, the geoipupdate - package has been deprecated, and will be removed in the next major RHEL version. -

-
-

- (BZ#1874892) -

-
-
-
-
-
-

9.17. Virtualization

-
-
-
-
-

SPICE has been deprecated

-

- The SPICE remote display protocol has become deprecated. As a result, SPICE will remain - supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display - streaming: -

-
-
-
    -
  • - For remote console access, use the VNC protocol. -
  • -
  • - For advanced remote display functions, use third party tools such as RDP, HP RGS, or - Mechdyne TGX. -
  • -
-
-

- Note that the QXL graphics device, which is used - by SPICE, has become deprecated as well. -

-

- (BZ#1849563) -

-
-

virsh iface-* commands have become - deprecated

-

- The virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, are now deprecated, and will be removed in a - future major version of RHEL. In addition, these commands frequently fail due to configuration - dependencies. -

-
-

- Therefore, it is recommended not to use virsh iface-* commands for - configuring and managing host network connections. Instead, use the NetworkManager program and its - related management applications, such as nmcli. -

-

- (BZ#1664592) -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager may not be yet - available in the RHEL web console. -

-
-

- (JIRA:RHELPLAN-10304) -

-
-

Limited support for virtual machine snapshots

-

- Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the - UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, - which negatively impacts the hypervisor performance for certain workloads. -

-
-

- Also note that the current mechanism of creating VM snapshots has been deprecated, and Red Hat does - not recommend using VM snapshots in a production environment. -

-

- (BZ#1686057) -

-
-

The Cirrus VGA virtual - GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA. -

-
-

- (BZ#1651994) -

-
-

KVM on IBM POWER has been deprecated

-

- Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM - POWER is still supported in RHEL 8, but will become unsupported in a future major release of - RHEL. -

-
-

- (JIRA:RHELPLAN-71200) -

-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. Instead, Red Hat recommends using signatures based on the - SHA2 algorithm, or later. -

-
-

- (BZ#1935497) -

-
-

Using SPICE to attach smart card readers to virtual machines has been - deprecated

-

- The SPICE remote display protocol has been deprecated in RHEL 8. Since the only recommended way - to attach smart card readers to virtual machines (VMs) depends on the SPICE protocol, the usage - of smart cards in VMs has also become deprecated in RHEL 8. -

-
-

- In a future major version of RHEL, the functionality of attaching smart card readers to VMs will - only be supported by third party remote visualization solutions. -

-

- (BZ#2059626) -

-
-
-
-
-
-

9.18. Containers

-
-
-
-
-

The Podman varlink-based API v1.0 has been removed

-

- The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 - introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API - v1.0 has been completely removed. -

-
-

- (JIRA:RHELPLAN-45858) -

-
-

container-tools:1.0 has been - deprecated

-

- The container-tools:1.0 module has been deprecated and will no - longer receive security updates. It is recommended to use a newer supported stable module - stream, such as container-tools:2.0 or container-tools:3.0. -

-
-

- (JIRA:RHELPLAN-59825) -

-
-

The container-tools:2.0 module has been - deprecated

-

- The container-tools:2.0 module has been deprecated and will no longer receive security updates. - It is recommended to use a newer supported stable module stream, such as container-tools:3.0. -

-
-

- (JIRA:RHELPLAN-85066) -

-
-
-
-
-
-

9.19. Deprecated packages

-
-
-
-

- This section lists packages that have been deprecated and will probably not be included in a future - major release of Red Hat Enterprise Linux. -

-

- For changes to packages between RHEL 7 and RHEL 8, see Changes - to packages in the Considerations in adopting RHEL 8 - document. -

-

- The following packages have been deprecated and remain supported until the end of life of RHEL 8: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - abrt -
  • -
  • - abrt-addon-ccpp -
  • -
  • - abrt-addon-kerneloops -
  • -
  • - abrt-addon-pstoreoops -
  • -
  • - abrt-addon-vmcore -
  • -
  • - abrt-addon-xorg -
  • -
  • - abrt-cli -
  • -
  • - abrt-console-notification -
  • -
  • - abrt-dbus -
  • -
  • - abrt-desktop -
  • -
  • - abrt-gui -
  • -
  • - abrt-gui-libs -
  • -
  • - abrt-libs -
  • -
  • - abrt-tui -
  • -
  • - adobe-source-sans-pro-fonts -
  • -
  • - adwaita-qt -
  • -
  • - alsa-plugins-pulseaudio -
  • -
  • - amanda -
  • -
  • - amanda-client -
  • -
  • - amanda-libs -
  • -
  • - amanda-server -
  • -
  • - ant-contrib -
  • -
  • - antlr3 -
  • -
  • - antlr32 -
  • -
  • - aopalliance -
  • -
  • - apache-commons-collections -
  • -
  • - apache-commons-compress -
  • -
  • - apache-commons-exec -
  • -
  • - apache-commons-jxpath -
  • -
  • - apache-commons-parent -
  • -
  • - apache-ivy -
  • -
  • - apache-parent -
  • -
  • - apache-resource-bundles -
  • -
  • - apache-sshd -
  • -
  • - apiguardian -
  • -
  • - aspnetcore-runtime-3.0 -
  • -
  • - aspnetcore-runtime-3.1 -
  • -
  • - aspnetcore-runtime-5.0 -
  • -
  • - aspnetcore-targeting-pack-3.0 -
  • -
  • - aspnetcore-targeting-pack-3.1 -
  • -
  • - aspnetcore-targeting-pack-5.0 -
  • -
  • - assertj-core -
  • -
  • - authd -
  • -
  • - auto -
  • -
  • - autoconf213 -
  • -
  • - autogen -
  • -
  • - autogen-libopts -
  • -
  • - awscli -
  • -
  • - base64coder -
  • -
  • - batik -
  • -
  • - bea-stax -
  • -
  • - bea-stax-api -
  • -
  • - bind-export-devel -
  • -
  • - bind-export-libs -
  • -
  • - bind-libs-lite -
  • -
  • - bind-pkcs11 -
  • -
  • - bind-pkcs11-devel -
  • -
  • - bind-pkcs11-libs -
  • -
  • - bind-pkcs11-utils -
  • -
  • - bind-sdb -
  • -
  • - bind-sdb -
  • -
  • - bind-sdb-chroot -
  • -
  • - bluez-hid2hci -
  • -
  • - boost-jam -
  • -
  • - boost-signals -
  • -
  • - bouncycastle -
  • -
  • - bpg-algeti-fonts -
  • -
  • - bpg-chveulebrivi-fonts -
  • -
  • - bpg-classic-fonts -
  • -
  • - bpg-courier-fonts -
  • -
  • - bpg-courier-s-fonts -
  • -
  • - bpg-dedaena-block-fonts -
  • -
  • - bpg-dejavu-sans-fonts -
  • -
  • - bpg-elite-fonts -
  • -
  • - bpg-excelsior-caps-fonts -
  • -
  • - bpg-excelsior-condenced-fonts -
  • -
  • - bpg-excelsior-fonts -
  • -
  • - bpg-fonts-common -
  • -
  • - bpg-glaho-fonts -
  • -
  • - bpg-gorda-fonts -
  • -
  • - bpg-ingiri-fonts -
  • -
  • - bpg-irubaqidze-fonts -
  • -
  • - bpg-mikhail-stephan-fonts -
  • -
  • - bpg-mrgvlovani-caps-fonts -
  • -
  • - bpg-mrgvlovani-fonts -
  • -
  • - bpg-nateli-caps-fonts -
  • -
  • - bpg-nateli-condenced-fonts -
  • -
  • - bpg-nateli-fonts -
  • -
  • - bpg-nino-medium-cond-fonts -
  • -
  • - bpg-nino-medium-fonts -
  • -
  • - bpg-sans-fonts -
  • -
  • - bpg-sans-medium-fonts -
  • -
  • - bpg-sans-modern-fonts -
  • -
  • - bpg-sans-regular-fonts -
  • -
  • - bpg-serif-fonts -
  • -
  • - bpg-serif-modern-fonts -
  • -
  • - bpg-ucnobi-fonts -
  • -
  • - brlapi-java -
  • -
  • - bsh -
  • -
  • - buildnumber-maven-plugin -
  • -
  • - byaccj -
  • -
  • - cal10n -
  • -
  • - cbi-plugins -
  • -
  • - cdparanoia -
  • -
  • - cdparanoia-devel -
  • -
  • - cdparanoia-libs -
  • -
  • - cdrdao -
  • -
  • - cmirror -
  • -
  • - codehaus-parent -
  • -
  • - codemodel -
  • -
  • - compat-exiv2-026 -
  • -
  • - compat-guile18 -
  • -
  • - compat-hwloc1 -
  • -
  • - compat-libpthread-nonshared -
  • -
  • - compat-libtiff3 -
  • -
  • - compat-openssl10 -
  • -
  • - compat-sap-c++-11 -
  • -
  • - compat-sap-c++-10 -
  • -
  • - compat-sap-c++-9 -
  • -
  • - createrepo_c-devel -
  • -
  • - ctags -
  • -
  • - ctags-etags -
  • -
  • - custodia -
  • -
  • - cyrus-imapd-vzic -
  • -
  • - dbus-c++ -
  • -
  • - dbus-c++-devel -
  • -
  • - dbus-c++-glib -
  • -
  • - dbxtool -
  • -
  • - dhcp-libs -
  • -
  • - dirsplit -
  • -
  • - dleyna-connector-dbus -
  • -
  • - dleyna-core -
  • -
  • - dleyna-renderer -
  • -
  • - dleyna-server -
  • -
  • - dnssec-trigger -
  • -
  • - dnssec-trigger-panel -
  • -
  • - dotnet-apphost-pack-3.0 -
  • -
  • - dotnet-apphost-pack-3.1 -
  • -
  • - dotnet-apphost-pack-5.0 -
  • -
  • - dotnet-host-fxr-2.1 -
  • -
  • - dotnet-host-fxr-2.1 -
  • -
  • - dotnet-hostfxr-3.0 -
  • -
  • - dotnet-hostfxr-3.1 -
  • -
  • - dotnet-hostfxr-5.0 -
  • -
  • - dotnet-runtime-2.1 -
  • -
  • - dotnet-runtime-3.0 -
  • -
  • - dotnet-runtime-3.1 -
  • -
  • - dotnet-runtime-5.0 -
  • -
  • - dotnet-sdk-2.1 -
  • -
  • - dotnet-sdk-2.1.5xx -
  • -
  • - dotnet-sdk-3.0 -
  • -
  • - dotnet-sdk-3.1 -
  • -
  • - dotnet-sdk-5.0 -
  • -
  • - dotnet-targeting-pack-3.0 -
  • -
  • - dotnet-targeting-pack-3.1 -
  • -
  • - dotnet-targeting-pack-5.0 -
  • -
  • - dotnet-templates-3.0 -
  • -
  • - dotnet-templates-3.1 -
  • -
  • - dotnet-templates-5.0 -
  • -
  • - dotnet5.0-build-reference-packages -
  • -
  • - dptfxtract -
  • -
  • - drpm -
  • -
  • - drpm-devel -
  • -
  • - dump -
  • -
  • - dvd+rw-tools -
  • -
  • - dyninst-static -
  • -
  • - eclipse-ecf -
  • -
  • - eclipse-emf -
  • -
  • - eclipse-license -
  • -
  • - ed25519-java -
  • -
  • - ee4j-parent -
  • -
  • - elfutils-devel-static -
  • -
  • - elfutils-libelf-devel-static -
  • -
  • - enca -
  • -
  • - enca-devel -
  • -
  • - environment-modules-compat -
  • -
  • - evince-browser-plugin -
  • -
  • - exec-maven-plugin -
  • -
  • - farstream02 -
  • -
  • - felix-osgi-compendium -
  • -
  • - felix-osgi-core -
  • -
  • - felix-osgi-foundation -
  • -
  • - felix-parent -
  • -
  • - file-roller -
  • -
  • - fipscheck -
  • -
  • - fipscheck-devel -
  • -
  • - fipscheck-lib -
  • -
  • - firewire -
  • -
  • - fonts-tweak-tool -
  • -
  • - forge-parent -
  • -
  • - freeradius-mysql -
  • -
  • - freeradius-perl -
  • -
  • - freeradius-postgresql -
  • -
  • - freeradius-sqlite -
  • -
  • - freeradius-unixODBC -
  • -
  • - fuse-sshfs -
  • -
  • - fusesource-pom -
  • -
  • - future -
  • -
  • - gamin -
  • -
  • - gamin-devel -
  • -
  • - gavl -
  • -
  • - gcc-toolset-10 -
  • -
  • - gcc-toolset-10-annobin -
  • -
  • - gcc-toolset-10-binutils -
  • -
  • - gcc-toolset-10-binutils-devel -
  • -
  • - gcc-toolset-10-build -
  • -
  • - gcc-toolset-10-dwz -
  • -
  • - gcc-toolset-10-dyninst -
  • -
  • - gcc-toolset-10-dyninst-devel -
  • -
  • - gcc-toolset-10-elfutils -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client-devel -
  • -
  • - gcc-toolset-10-elfutils-devel -
  • -
  • - gcc-toolset-10-elfutils-libelf -
  • -
  • - gcc-toolset-10-elfutils-libelf-devel -
  • -
  • - gcc-toolset-10-elfutils-libs -
  • -
  • - gcc-toolset-10-gcc -
  • -
  • - gcc-toolset-10-gcc-c++ -
  • -
  • - gcc-toolset-10-gcc-gdb-plugin -
  • -
  • - gcc-toolset-10-gcc-gfortran -
  • -
  • - gcc-toolset-10-gdb -
  • -
  • - gcc-toolset-10-gdb-doc -
  • -
  • - gcc-toolset-10-gdb-gdbserver -
  • -
  • - gcc-toolset-10-libasan-devel -
  • -
  • - gcc-toolset-10-libatomic-devel -
  • -
  • - gcc-toolset-10-libitm-devel -
  • -
  • - gcc-toolset-10-liblsan-devel -
  • -
  • - gcc-toolset-10-libquadmath-devel -
  • -
  • - gcc-toolset-10-libstdc++-devel -
  • -
  • - gcc-toolset-10-libstdc++-docs -
  • -
  • - gcc-toolset-10-libtsan-devel -
  • -
  • - gcc-toolset-10-libubsan-devel -
  • -
  • - gcc-toolset-10-ltrace -
  • -
  • - gcc-toolset-10-make -
  • -
  • - gcc-toolset-10-make-devel -
  • -
  • - gcc-toolset-10-perftools -
  • -
  • - gcc-toolset-10-runtime -
  • -
  • - gcc-toolset-10-strace -
  • -
  • - gcc-toolset-10-systemtap -
  • -
  • - gcc-toolset-10-systemtap-client -
  • -
  • - gcc-toolset-10-systemtap-devel -
  • -
  • - gcc-toolset-10-systemtap-initscript -
  • -
  • - gcc-toolset-10-systemtap-runtime -
  • -
  • - gcc-toolset-10-systemtap-sdt-devel -
  • -
  • - gcc-toolset-10-systemtap-server -
  • -
  • - gcc-toolset-10-toolchain -
  • -
  • - gcc-toolset-10-valgrind -
  • -
  • - gcc-toolset-10-valgrind-devel -
  • -
  • - gcc-toolset-9 -
  • -
  • - gcc-toolset-9-annobin -
  • -
  • - gcc-toolset-9-build -
  • -
  • - gcc-toolset-9-perftools -
  • -
  • - gcc-toolset-9-runtime -
  • -
  • - gcc-toolset-9-toolchain -
  • -
  • - gcc-toolset-11-make-devel -
  • -
  • - GConf2 -
  • -
  • - GConf2-devel -
  • -
  • - gegl -
  • -
  • - genisoimage -
  • -
  • - genwqe-tools -
  • -
  • - genwqe-vpd -
  • -
  • - genwqe-zlib -
  • -
  • - genwqe-zlib-devel -
  • -
  • - geoipupdate -
  • -
  • - geronimo-annotation -
  • -
  • - geronimo-jms -
  • -
  • - geronimo-jpa -
  • -
  • - geronimo-parent-poms -
  • -
  • - gfbgraph -
  • -
  • - gflags -
  • -
  • - gflags-devel -
  • -
  • - glassfish-annotation-api -
  • -
  • - glassfish-el -
  • -
  • - glassfish-fastinfoset -
  • -
  • - glassfish-jaxb-core -
  • -
  • - glassfish-jaxb-txw2 -
  • -
  • - glassfish-jsp -
  • -
  • - glassfish-jsp-api -
  • -
  • - glassfish-legal -
  • -
  • - glassfish-master-pom -
  • -
  • - glassfish-servlet-api -
  • -
  • - glew-devel -
  • -
  • - glib2-fam -
  • -
  • - glog -
  • -
  • - glog-devel -
  • -
  • - gmock -
  • -
  • - gmock-devel -
  • -
  • - gnome-abrt -
  • -
  • - gnome-boxes -
  • -
  • - gnome-menus-devel -
  • -
  • - gnome-online-miners -
  • -
  • - gnome-shell-extension-disable-screenshield -
  • -
  • - gnome-shell-extension-horizontal-workspaces -
  • -
  • - gnome-shell-extension-no-hot-corner -
  • -
  • - gnome-shell-extension-window-grouper -
  • -
  • - gnome-themes-standard -
  • -
  • - gnu-free-fonts-common -
  • -
  • - gnu-free-mono-fonts -
  • -
  • - gnu-free-sans-fonts -
  • -
  • - gnu-free-serif-fonts -
  • -
  • - gnupg2-smime -
  • -
  • - gnuplot -
  • -
  • - gnuplot-common -
  • -
  • - gobject-introspection-devel -
  • -
  • - google-gson -
  • -
  • - google-noto-sans-syriac-eastern-fonts -
  • -
  • - google-noto-sans-syriac-estrangela-fonts -
  • -
  • - google-noto-sans-syriac-western-fonts -
  • -
  • - google-noto-sans-tibetan-fonts -
  • -
  • - google-noto-sans-ui-fonts -
  • -
  • - gphoto2 -
  • -
  • - gsl-devel -
  • -
  • - gssntlmssp -
  • -
  • - gtest -
  • -
  • - gtest-devel -
  • -
  • - gtkmm24 -
  • -
  • - gtkmm24-devel -
  • -
  • - gtkmm24-docs -
  • -
  • - gtksourceview3 -
  • -
  • - gtksourceview3-devel -
  • -
  • - gtkspell -
  • -
  • - gtkspell-devel -
  • -
  • - gtkspell3 -
  • -
  • - guile -
  • -
  • - gutenprint-gimp -
  • -
  • - gutenprint-libs-ui -
  • -
  • - gvfs-afc -
  • -
  • - gvfs-afp -
  • -
  • - gvfs-archive -
  • -
  • - hamcrest-core -
  • -
  • - hawtjni -
  • -
  • - hawtjni -
  • -
  • - hawtjni-runtime -
  • -
  • - highlight-gui -
  • -
  • - hivex-devel -
  • -
  • - hostname -
  • -
  • - hplip-gui -
  • -
  • - httpcomponents-project -
  • -
  • - hwloc-plugins -
  • -
  • - hyphen-fo -
  • -
  • - hyphen-grc -
  • -
  • - hyphen-hsb -
  • -
  • - hyphen-ia -
  • -
  • - hyphen-is -
  • -
  • - hyphen-ku -
  • -
  • - hyphen-mi -
  • -
  • - hyphen-mn -
  • -
  • - hyphen-sa -
  • -
  • - hyphen-tk -
  • -
  • - ibus-sayura -
  • -
  • - icedax -
  • -
  • - icu4j -
  • -
  • - idm-console-framework -
  • -
  • - iptables -
  • -
  • - ipython -
  • -
  • - isl -
  • -
  • - isl-devel -
  • -
  • - isorelax -
  • -
  • - istack-commons-runtime -
  • -
  • - istack-commons-tools -
  • -
  • - iwl3945-firmware -
  • -
  • - iwl4965-firmware -
  • -
  • - iwl6000-firmware -
  • -
  • - jacoco -
  • -
  • - jaf -
  • -
  • - jakarta-oro -
  • -
  • - janino -
  • -
  • - jansi-native -
  • -
  • - jarjar -
  • -
  • - java-1.8.0-ibm -
  • -
  • - java-1.8.0-ibm-demo -
  • -
  • - java-1.8.0-ibm-devel -
  • -
  • - java-1.8.0-ibm-headless -
  • -
  • - java-1.8.0-ibm-jdbc -
  • -
  • - java-1.8.0-ibm-plugin -
  • -
  • - java-1.8.0-ibm-src -
  • -
  • - java-1.8.0-ibm-webstart -
  • -
  • - java-1.8.0-openjdk-accessibility -
  • -
  • - java-1.8.0-openjdk-accessibility-slowdebug -
  • -
  • - java_cup -
  • -
  • - java-atk-wrapper -
  • -
  • - javacc -
  • -
  • - javacc-maven-plugin -
  • -
  • - javaewah -
  • -
  • - javaparser -
  • -
  • - javapoet -
  • -
  • - javassist -
  • -
  • - javassist-javadoc -
  • -
  • - jaxen -
  • -
  • - jboss-annotations-1.2-api -
  • -
  • - jboss-interceptors-1.2-api -
  • -
  • - jboss-logmanager -
  • -
  • - jboss-parent -
  • -
  • - jctools -
  • -
  • - jdepend -
  • -
  • - jdependency -
  • -
  • - jdom -
  • -
  • - jdom2 -
  • -
  • - jetty -
  • -
  • - jffi -
  • -
  • - jflex -
  • -
  • - jgit -
  • -
  • - jline -
  • -
  • - jnr-netdb -
  • -
  • - jolokia-jvm-agent -
  • -
  • - js-uglify -
  • -
  • - jsch -
  • -
  • - json_simple -
  • -
  • - jss-javadoc -
  • -
  • - jtidy -
  • -
  • - junit5 -
  • -
  • - jvnet-parent -
  • -
  • - jzlib -
  • -
  • - kernel-cross-headers -
  • -
  • - ksc -
  • -
  • - kurdit-unikurd-web-fonts -
  • -
  • - kyotocabinet-libs -
  • -
  • - ldapjdk-javadoc -
  • -
  • - lensfun -
  • -
  • - lensfun-devel -
  • -
  • - lftp-scripts -
  • -
  • - libaec -
  • -
  • - libaec-devel -
  • -
  • - libappindicator-gtk3 -
  • -
  • - libappindicator-gtk3-devel -
  • -
  • - libatomic-static -
  • -
  • - libavc1394 -
  • -
  • - libblocksruntime -
  • -
  • - libcacard -
  • -
  • - libcacard-devel -
  • -
  • - libcgroup -
  • -
  • - libcgroup-tools -
  • -
  • - libchamplain -
  • -
  • - libchamplain-devel -
  • -
  • - libchamplain-gtk -
  • -
  • - libcroco -
  • -
  • - libcroco-devel -
  • -
  • - libcxl -
  • -
  • - libcxl-devel -
  • -
  • - libdap -
  • -
  • - libdap-devel -
  • -
  • - libdazzle-devel -
  • -
  • - libdbusmenu -
  • -
  • - libdbusmenu-devel -
  • -
  • - libdbusmenu-doc -
  • -
  • - libdbusmenu-gtk3 -
  • -
  • - libdbusmenu-gtk3-devel -
  • -
  • - libdc1394 -
  • -
  • - libdnet -
  • -
  • - libdnet-devel -
  • -
  • - libdv -
  • -
  • - libdwarf -
  • -
  • - libdwarf-devel -
  • -
  • - libdwarf-static -
  • -
  • - libdwarf-tools -
  • -
  • - libeasyfc -
  • -
  • - libeasyfc-gobject -
  • -
  • - libepubgen-devel -
  • -
  • - libertas-sd8686-firmware -
  • -
  • - libertas-usb8388-firmware -
  • -
  • - libertas-usb8388-olpc-firmware -
  • -
  • - libgdither -
  • -
  • - libGLEW -
  • -
  • - libgovirt -
  • -
  • - libguestfs-benchmarking -
  • -
  • - libguestfs-devel -
  • -
  • - libguestfs-gfs2 -
  • -
  • - libguestfs-gobject -
  • -
  • - libguestfs-gobject-devel -
  • -
  • - libguestfs-java -
  • -
  • - libguestfs-java-devel -
  • -
  • - libguestfs-javadoc -
  • -
  • - libguestfs-man-pages-ja -
  • -
  • - libguestfs-man-pages-uk -
  • -
  • - libguestfs-tools -
  • -
  • - libguestfs-tools-c -
  • -
  • - libhugetlbfs -
  • -
  • - libhugetlbfs-devel -
  • -
  • - libhugetlbfs-utils -
  • -
  • - libIDL -
  • -
  • - libIDL-devel -
  • -
  • - libidn -
  • -
  • - libiec61883 -
  • -
  • - libindicator-gtk3 -
  • -
  • - libindicator-gtk3-devel -
  • -
  • - libiscsi-devel -
  • -
  • - libjose-devel -
  • -
  • - libkkc -
  • -
  • - libkkc-common -
  • -
  • - libkkc-data -
  • -
  • - libldb-devel -
  • -
  • - liblogging -
  • -
  • - libluksmeta-devel -
  • -
  • - libmalaga -
  • -
  • - libmcpp -
  • -
  • - libmemcached -
  • -
  • - libmemcached-libs -
  • -
  • - libmetalink -
  • -
  • - libmodulemd1 -
  • -
  • - libmongocrypt -
  • -
  • - libmtp-devel -
  • -
  • - libmusicbrainz5 -
  • -
  • - libmusicbrainz5-devel -
  • -
  • - libnbd-devel -
  • -
  • - liboauth -
  • -
  • - liboauth-devel -
  • -
  • - libpfm-static -
  • -
  • - libpng12 -
  • -
  • - libpurple -
  • -
  • - libpurple-devel -
  • -
  • - libraw1394 -
  • -
  • - libreport-plugin-mailx -
  • -
  • - libreport-plugin-rhtsupport -
  • -
  • - libreport-plugin-ureport -
  • -
  • - libreport-rhel -
  • -
  • - libreport-rhel-bugzilla -
  • -
  • - librpmem -
  • -
  • - librpmem-debug -
  • -
  • - librpmem-devel -
  • -
  • - libsass -
  • -
  • - libsass-devel -
  • -
  • - libselinux-python -
  • -
  • - libsqlite3x -
  • -
  • - libtalloc-devel -
  • -
  • - libtar -
  • -
  • - libtdb-devel -
  • -
  • - libtevent-devel -
  • -
  • - libtpms-devel -
  • -
  • - libunwind -
  • -
  • - libusal -
  • -
  • - libvarlink -
  • -
  • - libverto-libevent -
  • -
  • - libvirt-admin -
  • -
  • - libvirt-bash-completion -
  • -
  • - libvirt-daemon-driver-storage-gluster -
  • -
  • - libvirt-daemon-driver-storage-iscsi-direct -
  • -
  • - libvirt-devel -
  • -
  • - libvirt-docs -
  • -
  • - libvirt-gconfig -
  • -
  • - libvirt-gobject -
  • -
  • - libvirt-lock-sanlock -
  • -
  • - libvirt-wireshark -
  • -
  • - libvmem -
  • -
  • - libvmem-debug -
  • -
  • - libvmem-devel -
  • -
  • - libvmmalloc -
  • -
  • - libvmmalloc-debug -
  • -
  • - libvmmalloc-devel -
  • -
  • - libvncserver -
  • -
  • - libwinpr-devel -
  • -
  • - libwmf -
  • -
  • - libwmf-devel -
  • -
  • - libwmf-lite -
  • -
  • - libXNVCtrl -
  • -
  • - libyami -
  • -
  • - log4j12 -
  • -
  • - log4j12-javadoc -
  • -
  • - lohit-malayalam-fonts -
  • -
  • - lohit-nepali-fonts -
  • -
  • - lorax-composer -
  • -
  • - lua-guestfs -
  • -
  • - lucene -
  • -
  • - mailman -
  • -
  • - mailx -
  • -
  • - make-devel -
  • -
  • - malaga -
  • -
  • - malaga-suomi-voikko -
  • -
  • - marisa -
  • -
  • - maven-antrun-plugin -
  • -
  • - maven-assembly-plugin -
  • -
  • - maven-clean-plugin -
  • -
  • - maven-dependency-analyzer -
  • -
  • - maven-dependency-plugin -
  • -
  • - maven-doxia -
  • -
  • - maven-doxia-sitetools -
  • -
  • - maven-install-plugin -
  • -
  • - maven-invoker -
  • -
  • - maven-invoker-plugin -
  • -
  • - maven-parent -
  • -
  • - maven-plugins-pom -
  • -
  • - maven-reporting-api -
  • -
  • - maven-reporting-impl -
  • -
  • - maven-resolver-api -
  • -
  • - maven-resolver-connector-basic -
  • -
  • - maven-resolver-impl -
  • -
  • - maven-resolver-spi -
  • -
  • - maven-resolver-transport-wagon -
  • -
  • - maven-resolver-util -
  • -
  • - maven-scm -
  • -
  • - maven-script-interpreter -
  • -
  • - maven-shade-plugin -
  • -
  • - maven-shared -
  • -
  • - maven-verifier -
  • -
  • - maven-wagon-file -
  • -
  • - maven-wagon-http -
  • -
  • - maven-wagon-http-shared -
  • -
  • - maven-wagon-provider-api -
  • -
  • - maven2 -
  • -
  • - meanwhile -
  • -
  • - mercurial -
  • -
  • - mercurial-hgk -
  • -
  • - metis -
  • -
  • - metis-devel -
  • -
  • - mingw32-bzip2 -
  • -
  • - mingw32-bzip2-static -
  • -
  • - mingw32-cairo -
  • -
  • - mingw32-expat -
  • -
  • - mingw32-fontconfig -
  • -
  • - mingw32-freetype -
  • -
  • - mingw32-freetype-static -
  • -
  • - mingw32-gstreamer1 -
  • -
  • - mingw32-harfbuzz -
  • -
  • - mingw32-harfbuzz-static -
  • -
  • - mingw32-icu -
  • -
  • - mingw32-libjpeg-turbo -
  • -
  • - mingw32-libjpeg-turbo-static -
  • -
  • - mingw32-libpng -
  • -
  • - mingw32-libpng-static -
  • -
  • - mingw32-libtiff -
  • -
  • - mingw32-libtiff-static -
  • -
  • - mingw32-openssl -
  • -
  • - mingw32-readline -
  • -
  • - mingw32-sqlite -
  • -
  • - mingw32-sqlite-static -
  • -
  • - mingw64-adwaita-icon-theme -
  • -
  • - mingw64-bzip2 -
  • -
  • - mingw64-bzip2-static -
  • -
  • - mingw64-cairo -
  • -
  • - mingw64-expat -
  • -
  • - mingw64-fontconfig -
  • -
  • - mingw64-freetype -
  • -
  • - mingw64-freetype-static -
  • -
  • - mingw64-gstreamer1 -
  • -
  • - mingw64-harfbuzz -
  • -
  • - mingw64-harfbuzz-static -
  • -
  • - mingw64-icu -
  • -
  • - mingw64-libjpeg-turbo -
  • -
  • - mingw64-libjpeg-turbo-static -
  • -
  • - mingw64-libpng -
  • -
  • - mingw64-libpng-static -
  • -
  • - mingw64-libtiff -
  • -
  • - mingw64-libtiff-static -
  • -
  • - mingw64-nettle -
  • -
  • - mingw64-openssl -
  • -
  • - mingw64-readline -
  • -
  • - mingw64-sqlite -
  • -
  • - mingw64-sqlite-static -
  • -
  • - modello -
  • -
  • - mojo-parent -
  • -
  • - mongo-c-driver -
  • -
  • - mousetweaks -
  • -
  • - mozjs52 -
  • -
  • - mozjs52-devel -
  • -
  • - mozjs60 -
  • -
  • - mozjs60-devel -
  • -
  • - mozvoikko -
  • -
  • - msv-javadoc -
  • -
  • - msv-manual -
  • -
  • - munge-maven-plugin -
  • -
  • - mythes-mi -
  • -
  • - mythes-ne -
  • -
  • - nafees-web-naskh-fonts -
  • -
  • - nbd -
  • -
  • - nbdkit-devel -
  • -
  • - nbdkit-example-plugins -
  • -
  • - nbdkit-gzip-plugin -
  • -
  • - nbdkit-plugin-python-common -
  • -
  • - nbdkit-plugin-vddk -
  • -
  • - ncompress -
  • -
  • - ncurses-compat-libs -
  • -
  • - net-tools -
  • -
  • - netcf -
  • -
  • - netcf-devel -
  • -
  • - netcf-libs -
  • -
  • - network-scripts -
  • -
  • - network-scripts-ppp -
  • -
  • - nkf -
  • -
  • - nss_nis -
  • -
  • - nss-pam-ldapd -
  • -
  • - objectweb-asm -
  • -
  • - objectweb-asm-javadoc -
  • -
  • - objectweb-pom -
  • -
  • - ocaml-bisect-ppx -
  • -
  • - ocaml-camlp4 -
  • -
  • - ocaml-camlp4-devel -
  • -
  • - ocaml-lwt -
  • -
  • - ocaml-mmap -
  • -
  • - ocaml-ocplib-endian -
  • -
  • - ocaml-ounit -
  • -
  • - ocaml-result -
  • -
  • - ocaml-seq -
  • -
  • - opencryptoki-tpmtok -
  • -
  • - opencv-contrib -
  • -
  • - opencv-core -
  • -
  • - opencv-devel -
  • -
  • - openhpi -
  • -
  • - openhpi-libs -
  • -
  • - OpenIPMI-perl -
  • -
  • - openssh-cavs -
  • -
  • - openssh-ldap -
  • -
  • - openssl-ibmpkcs11 -
  • -
  • - opentest4j -
  • -
  • - os-maven-plugin -
  • -
  • - pakchois -
  • -
  • - pandoc -
  • -
  • - paps-libs -
  • -
  • - paranamer -
  • -
  • - parfait -
  • -
  • - parfait-examples -
  • -
  • - parfait-javadoc -
  • -
  • - pcp-parfait-agent -
  • -
  • - pcp-pmda-rpm -
  • -
  • - pcp-pmda-vmware -
  • -
  • - pcsc-lite-doc -
  • -
  • - peripety -
  • -
  • - perl-B-Debug -
  • -
  • - perl-B-Lint -
  • -
  • - perl-Class-Factory-Util -
  • -
  • - perl-Class-ISA -
  • -
  • - perl-DateTime-Format-HTTP -
  • -
  • - perl-DateTime-Format-Mail -
  • -
  • - perl-File-CheckTree -
  • -
  • - perl-homedir -
  • -
  • - perl-libxml-perl -
  • -
  • - perl-Locale-Codes -
  • -
  • - perl-Mozilla-LDAP -
  • -
  • - perl-NKF -
  • -
  • - perl-Object-HashBase-tools -
  • -
  • - perl-Package-DeprecationManager -
  • -
  • - perl-Pod-LaTeX -
  • -
  • - perl-Pod-Plainer -
  • -
  • - perl-prefork -
  • -
  • - perl-String-CRC32 -
  • -
  • - perl-SUPER -
  • -
  • - perl-Sys-Virt -
  • -
  • - perl-tests -
  • -
  • - perl-YAML-Syck -
  • -
  • - phodav -
  • -
  • - php-recode -
  • -
  • - php-xmlrpc -
  • -
  • - pidgin -
  • -
  • - pidgin-devel -
  • -
  • - pidgin-sipe -
  • -
  • - pinentry-emacs -
  • -
  • - pinentry-gtk -
  • -
  • - pipewire0.2-devel -
  • -
  • - pipewire0.2-libs -
  • -
  • - platform-python-coverage -
  • -
  • - plexus-ant-factory -
  • -
  • - plexus-bsh-factory -
  • -
  • - plexus-cli -
  • -
  • - plexus-component-api -
  • -
  • - plexus-component-factories-pom -
  • -
  • - plexus-components-pom -
  • -
  • - plexus-i18n -
  • -
  • - plexus-interactivity -
  • -
  • - plexus-pom -
  • -
  • - plexus-velocity -
  • -
  • - plymouth-plugin-throbgress -
  • -
  • - powermock -
  • -
  • - prometheus-jmx-exporter -
  • -
  • - prometheus-jmx-exporter-openjdk11 -
  • -
  • - ptscotch-mpich -
  • -
  • - ptscotch-mpich-devel -
  • -
  • - ptscotch-mpich-devel-parmetis -
  • -
  • - ptscotch-openmpi -
  • -
  • - ptscotch-openmpi-devel -
  • -
  • - purple-sipe -
  • -
  • - pygobject2-doc -
  • -
  • - pygtk2 -
  • -
  • - pygtk2-codegen -
  • -
  • - pygtk2-devel -
  • -
  • - pygtk2-doc -
  • -
  • - python-nose-docs -
  • -
  • - python-nss-doc -
  • -
  • - python-podman-api -
  • -
  • - python-psycopg2-doc -
  • -
  • - python-pymongo-doc -
  • -
  • - python-redis -
  • -
  • - python-schedutils -
  • -
  • - python-slip -
  • -
  • - python-sqlalchemy-doc -
  • -
  • - python-varlink -
  • -
  • - python-virtualenv-doc -
  • -
  • - python2-backports -
  • -
  • - python2-backports-ssl_match_hostname -
  • -
  • - python2-bson -
  • -
  • - python2-coverage -
  • -
  • - python2-docs -
  • -
  • - python2-docs-info -
  • -
  • - python2-funcsigs -
  • -
  • - python2-ipaddress -
  • -
  • - python2-mock -
  • -
  • - python2-nose -
  • -
  • - python2-numpy-doc -
  • -
  • - python2-psycopg2-debug -
  • -
  • - python2-psycopg2-tests -
  • -
  • - python2-pymongo -
  • -
  • - python2-pymongo-gridfs -
  • -
  • - python2-pytest-mock -
  • -
  • - python2-sqlalchemy -
  • -
  • - python2-tools -
  • -
  • - python2-virtualenv -
  • -
  • - python3-bson -
  • -
  • - python3-click -
  • -
  • - python3-coverage -
  • -
  • - python3-cpio -
  • -
  • - python3-custodia -
  • -
  • - python3-docs -
  • -
  • - python3-flask -
  • -
  • - python3-gevent -
  • -
  • - python3-gobject-base -
  • -
  • - python3-hivex -
  • -
  • - python3-html5lib -
  • -
  • - python3-hypothesis -
  • -
  • - python3-ipatests -
  • -
  • - python3-itsdangerous -
  • -
  • - python3-jwt -
  • -
  • - python3-libguestfs -
  • -
  • - python3-mock -
  • -
  • - python3-networkx-core -
  • -
  • - python3-nose -
  • -
  • - python3-nss -
  • -
  • - python3-openipmi -
  • -
  • - python3-pillow -
  • -
  • - python3-ptyprocess -
  • -
  • - python3-pydbus -
  • -
  • - python3-pymongo -
  • -
  • - python3-pymongo-gridfs -
  • -
  • - python3-pyOpenSSL -
  • -
  • - python3-pytoml -
  • -
  • - python3-reportlab -
  • -
  • - python3-schedutils -
  • -
  • - python3-scons -
  • -
  • - python3-semantic_version -
  • -
  • - python3-slip -
  • -
  • - python3-slip-dbus -
  • -
  • - python3-sqlalchemy -
  • -
  • - python3-syspurpose -
  • -
  • - python3-virtualenv -
  • -
  • - python3-webencodings -
  • -
  • - python3-werkzeug -
  • -
  • - python38-asn1crypto -
  • -
  • - python38-numpy-doc -
  • -
  • - python38-psycopg2-doc -
  • -
  • - python38-psycopg2-tests -
  • -
  • - python39-numpy-doc -
  • -
  • - python39-psycopg2-doc -
  • -
  • - python39-psycopg2-tests -
  • -
  • - qemu-kvm-block-gluster -
  • -
  • - qemu-kvm-block-iscsi -
  • -
  • - qemu-kvm-block-ssh -
  • -
  • - qemu-kvm-hw-usbredir -
  • -
  • - qemu-kvm-tests -
  • -
  • - qpdf -
  • -
  • - qpdf-doc -
  • -
  • - qpid-proton -
  • -
  • - qrencode -
  • -
  • - qrencode-devel -
  • -
  • - qrencode-libs -
  • -
  • - qt5-qtcanvas3d -
  • -
  • - qt5-qtcanvas3d-examples -
  • -
  • - rarian -
  • -
  • - rarian-compat -
  • -
  • - re2c -
  • -
  • - recode -
  • -
  • - redhat-menus -
  • -
  • - redhat-support-lib-python -
  • -
  • - redhat-support-tool -
  • -
  • - reflections -
  • -
  • - regexp -
  • -
  • - relaxngDatatype -
  • -
  • - rhsm-gtk -
  • -
  • - rpm-plugin-prioreset -
  • -
  • - rpmemd -
  • -
  • - rsyslog-udpspoof -
  • -
  • - ruby-hivex -
  • -
  • - ruby-libguestfs -
  • -
  • - rubygem-abrt -
  • -
  • - rubygem-abrt-doc -
  • -
  • - rubygem-bson -
  • -
  • - rubygem-bson-doc -
  • -
  • - rubygem-mongo -
  • -
  • - rubygem-mongo-doc -
  • -
  • - s390utils-cmsfs -
  • -
  • - samba-pidl -
  • -
  • - samba-test -
  • -
  • - samba-test-libs -
  • -
  • - samyak-devanagari-fonts -
  • -
  • - samyak-fonts-common -
  • -
  • - samyak-gujarati-fonts -
  • -
  • - samyak-malayalam-fonts -
  • -
  • - samyak-odia-fonts -
  • -
  • - samyak-tamil-fonts -
  • -
  • - sane-frontends -
  • -
  • - sanlk-reset -
  • -
  • - scala -
  • -
  • - scotch -
  • -
  • - scotch-devel -
  • -
  • - SDL_sound -
  • -
  • - selinux-policy-minimum -
  • -
  • - sendmail -
  • -
  • - sgabios -
  • -
  • - sgabios-bin -
  • -
  • - shrinkwrap -
  • -
  • - sisu-inject -
  • -
  • - sisu-mojos -
  • -
  • - sisu-plexus -
  • -
  • - skkdic -
  • -
  • - SLOF -
  • -
  • - smc-anjalioldlipi-fonts -
  • -
  • - smc-dyuthi-fonts -
  • -
  • - smc-fonts-common -
  • -
  • - smc-kalyani-fonts -
  • -
  • - smc-raghumalayalam-fonts -
  • -
  • - smc-suruma-fonts -
  • -
  • - softhsm-devel -
  • -
  • - sonatype-oss-parent -
  • -
  • - sonatype-plugins-parent -
  • -
  • - sos-collector -
  • -
  • - sparsehash-devel -
  • -
  • - spax -
  • -
  • - spec-version-maven-plugin -
  • -
  • - spice -
  • -
  • - spice-client-win-x64 -
  • -
  • - spice-client-win-x86 -
  • -
  • - spice-glib -
  • -
  • - spice-glib-devel -
  • -
  • - spice-gtk -
  • -
  • - spice-gtk-tools -
  • -
  • - spice-gtk3 -
  • -
  • - spice-gtk3-devel -
  • -
  • - spice-gtk3-vala -
  • -
  • - spice-parent -
  • -
  • - spice-protocol -
  • -
  • - spice-qxl-wddm-dod -
  • -
  • - spice-server -
  • -
  • - spice-server-devel -
  • -
  • - spice-qxl-xddm -
  • -
  • - spice-server -
  • -
  • - spice-streaming-agent -
  • -
  • - spice-vdagent-win-x64 -
  • -
  • - spice-vdagent-win-x86 -
  • -
  • - sssd-libwbclient -
  • -
  • - star -
  • -
  • - stax-ex -
  • -
  • - stax2-api -
  • -
  • - stringtemplate -
  • -
  • - stringtemplate4 -
  • -
  • - subscription-manager-initial-setup-addon -
  • -
  • - subscription-manager-migration -
  • -
  • - subscription-manager-migration-data -
  • -
  • - subversion-javahl -
  • -
  • - SuperLU -
  • -
  • - SuperLU-devel -
  • -
  • - supermin-devel -
  • -
  • - swig -
  • -
  • - swig-doc -
  • -
  • - swig-gdb -
  • -
  • - swtpm-devel -
  • -
  • - swtpm-tools-pkcs11 -
  • -
  • - system-storage-manager -
  • -
  • - tcl-brlapi -
  • -
  • - testng -
  • -
  • - tibetan-machine-uni-fonts -
  • -
  • - timedatex -
  • -
  • - tpm-quote-tools -
  • -
  • - tpm-tools -
  • -
  • - tpm-tools-pkcs11 -
  • -
  • - treelayout -
  • -
  • - trousers -
  • -
  • - trousers-lib -
  • -
  • - tuned-profiles-compat -
  • -
  • - tuned-profiles-nfv-host-bin -
  • -
  • - tuned-utils-systemtap -
  • -
  • - tycho -
  • -
  • - uglify-js -
  • -
  • - unbound-devel -
  • -
  • - univocity-output-tester -
  • -
  • - univocity-parsers -
  • -
  • - usbguard-notifier -
  • -
  • - usbredir-devel -
  • -
  • - utf8cpp -
  • -
  • - uthash -
  • -
  • - velocity -
  • -
  • - vinagre -
  • -
  • - vino -
  • -
  • - virt-dib -
  • -
  • - virt-p2v-maker -
  • -
  • - vm-dump-metrics-devel -
  • -
  • - weld-parent -
  • -
  • - wodim -
  • -
  • - woodstox-core -
  • -
  • - wqy-microhei-fonts -
  • -
  • - wqy-unibit-fonts -
  • -
  • - xdelta -
  • -
  • - xmlgraphics-commons -
  • -
  • - xmlstreambuffer -
  • -
  • - xinetd -
  • -
  • - xorg-x11-apps -
  • -
  • - xorg-x11-drv-qxl -
  • -
  • - xorg-x11-server-Xspice -
  • -
  • - xpp3 -
  • -
  • - xsane-gimp -
  • -
  • - xsom -
  • -
  • - xz-java -
  • -
  • - xz-java-javadoc -
  • -
  • - yajl-devel -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
-
-
-
-
-
-
-

9.20. Deprecated and unmaintained devices

-
-
-
-

- This section lists devices (drivers, adapters) that -

-
-
    -
  • - continue to be supported until the end of life of RHEL 8 but will likely not be supported in - future major releases of this product and are not recommended for new deployments. Support - for devices other than those listed remains unchanged. These are deprecated devices. -
  • -
  • - are available but are no longer being tested or updated on a routine basis in RHEL 8. Red - Hat may fix serious bugs, including security bugs, at its discretion. These devices should - no longer be used in production, and it is likely they will be disabled in the next major - release. These are unmaintained devices. -
  • -
-
-

- PCI device IDs are in the format of vendor:device:subvendor:subdevice. If no device ID is listed, - all devices associated with the corresponding driver have been deprecated. To check the PCI IDs of - the hardware on your system, run the lspci -nn command. -

-
-

Table 9.1. Deprecated devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- bnx2 -

-
-

- QLogic BCM5706/5708/5709/5716 Driver -

-
  -

- hpsa -

-
-

- Hewlett-Packard Company: Smart Array Controllers -

-
-

- 0x10df:0x0724 -

-
-

- lpfc -

-
-

- Emulex Corporation: OneConnect FCoE Initiator (Skyhawk) -

-
-

- 0x10df:0xe200 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe15000/LPe16000 Series 8Gb/16Gb Fibre Channel Adapter -

-
-

- 0x10df:0xf011 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf015 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf100 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe12000 Series 8Gb Fibre Channel Adapter -

-
-

- 0x10df:0xfc40 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn-X: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xe220 -

-
-

- be2net -

-
-

- Emulex Corporation: OneConnect NIC (Lancer) -

-
-

- 0x1000:0x005b -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2208 [Thunderbolt] -

-
-

- 0x1000:0x006E -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0080 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0081 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0082 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0083 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0084 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0085 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0086 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0087 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
  -

- myri10ge -

-
-

- Myricom 10G driver (10GbE) -

-
  -

- netxen_nic -

-
-

- QLogic/NetXen (1/10) GbE Intelligent Ethernet Driver -

-
-

- 0x1077:0x2031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP8324-based 16Gb Fibre Channel to PCI Express Adapter -

-
-

- 0x1077:0x2532 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP2532-based 8Gb Fibre Channel to PCI Express HBA -

-
-

- 0x1077:0x8031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: 8300 Series 10GbE Converged Network Adapter (FCoE) -

-
  -

- qla3xxx -

-
-

- QLogic ISP3XXX Network Driver v2.03.00-k5 -

-
-

- 0x1924:0x0803 -

-
-

- sfc -

-
-

- Solarflare Communications: SFC9020 10G Ethernet Controller -

-
-

- 0x1924:0x0813 -

-
-

- sfc -

-
-

- Solarflare Communications: SFL9021 10GBASE-T Ethernet Controller -

-
  -

- Soft-RoCE (rdma_rxe) -

-
 
  -

- HNS-RoCE -

-
-

- HNS GE/10GE/25GE/50GE/100GE RDMA Network Controller -

-
  -

- liquidio -

-
-

- Cavium LiquidIO Intelligent Server Adapter Driver -

-
  -

- liquidio_vf -

-
-

- Cavium LiquidIO Intelligent Server Adapter Virtual Function Driver -

-
-
-
-
-

Table 9.2. Unmaintained devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- e1000 -

-
-

- Intel® PRO/1000 Network Driver -

-
  -

- mptbase -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptsas -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptscsih -

-
-

- Fusion MPT SCSI Host driver -

-
  -

- mptspi -

-
-

- Fusion MPT SAS Host driver -

-
-

- 0x1000:0x0071 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MR SAS HBA 2004 -

-
-

- 0x1000:0x0073 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2008 [Falcon] -

-
-

- 0x1000:0x0079 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2108 [Liberator] -

-
  -

- nvmet_tcp -

-
-

- NVMe/TCP target driver -

-
-
-
[a] - Disabled in RHEL 8.0, re-enabled in RHEL 8.4 due to customer requests. -
-
-
-
-
-
-
-
-
-
-
-

Chapter 10. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8.6. -

-
-
-
-
-

10.1. Installer and image creation

-
-
-
-
-

Installation fails on IBM Power 10 systems with LPAR and secure boot - enabled

-

- RHEL installer is not integrated with static key secure boot on IBM Power 10 systems. - Consequently, when logical partition (LPAR) is enabled with the secure boot option, the - installation fails with the error, Unable to proceed with RHEL-x.x Installation. -

-
-

- To work around this problem, install RHEL without enabling secure boot. After booting the system: -

-
-
    -
  1. - Copy the signed Kernel into the PReP partition using the dd - command. -
  2. -
  3. - Restart the system and enable secure boot. -
  4. -
-
-

- Once the firmware verifies the bootloader and the kernel, the system boots up successfully. -

-

- For more information, see https://www.ibm.com/support/pages/node/6528884 -

-

- (BZ#2025814) -

-
-

Unexpected SELinux policies on systems where Anaconda is running as an - application

-

- When Anaconda is running as an application on an already installed system (for example to - perform another installation to an image file using the –image - anaconda option), the system is not prohibited to modify the SELinux types and attributes during - installation. As a consequence, certain elements of SELinux policy might change on the system - where Anaconda is running. To work around this problem, do not run Anaconda on the production - system and execute it in a temporary virtual machine. So that the SELinux policy on a production - system is not modified. Running anaconda as part of the system installation process such as - installing from boot.iso or dvd.iso is - not affected by this issue. -

-
-

- (BZ#2050140) -

-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installer or use the authselect Kickstart command during installation. -

-

- (BZ#1640697) -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- (BZ#1697896) -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- (BZ#1914955) -

-
-

Network access is not enabled by default in the installation - program

-

- Several installation features require network access, for example, registration of a system - using the Content Delivery Network (CDN), NTP server support, and network installation sources. - However, network access is not enabled by default, and as a result, these features cannot be - used until network access is enabled. -

-
-

- To work around this problem, add ip=dhcp to boot options to enable - network access when the installation starts. Optionally, passing a Kickstart file or a repository - located on the network using boot options also resolves the problem. As a result, the network-based - installation features can be used. -

-

- (BZ#1757877) -

-
-

Hard drive partitioned installations with iso9660 filesystem fails -

-

- You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that - is set to ignore any hard disk containing a iso9660 file system - partition. This happens even when RHEL is installed without using a DVD. -

-
-

- To workaround this problem, add the following script in the kickstart file to format the disc before - the installation starts. -

-

- Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk. -

-
%pre
-wipefs -a /dev/sda
-%end
-

- As a result, installations work as expected without any errors. -

-

- (BZ#1929105) -

-
-

IBM Power systems with HASH MMU mode fail to - boot with memory allocation failures

-

- IBM Power Systems with HASH memory allocation unit (MMU) mode - support kdump up to a maximum of 192 cores. Consequently, the - system fails to boot with memory allocation failures if kdump is - enabled on more than 192 cores. This limitation is due to RMA memory allocations during early - boot in HASH MMU mode. To work around this problem, use the Radix MMU mode with fadump enabled - instead of using kdump. -

-
-

- (BZ#2028361) -

-
-
-
-
-
-

10.2. Subscription management

-
-
-
-
-

syspurpose addons have no effect on the subscription-manager attach --auto output.

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose - command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect - the output of running the subscription-manager attach --auto - command. Users who attempt to set values to the addons argument - will not observe any effect on the subscriptions that are auto-attached. -

-
-

- (BZ#1687900) -

-
-
-
-
-
-

10.3. Software management

-
-
-
-
-

cr_compress_file_with_stat() can cause a - memory leak

-

- The createrepo_c C library has the API cr_compress_file_with_stat() function. This function is declared with - char **dst as a second parameter. Depending on its other - parameters, cr_compress_file_with_stat() either uses dst as an input parameter, or uses it to return an allocated string. - This unpredictable behavior can cause a memory leak, because it does not inform the user when to - free dst contents. -

-
-

- To work around this problem, a new API cr_compress_file_with_stat_v2 - function has been added, which uses the dst parameter only as an input. - It is declared as char *dst. This prevents memory leak. -

-

- Note that the cr_compress_file_with_stat_v2 function is temporary and - will be present only in RHEL 8. Later, cr_compress_file_with_stat() - will be fixed instead. -

-

- (BZ#1973588) -

-
-

YUM transactions reported as successful when a scriptlet fails

-

- Since RPM version 4.6, post-install scriptlets are allowed to fail without being fatal to the - transaction. This behavior propagates up to YUM as well. This results in scriptlets which might - occasionally fail while the overall package transaction reports as successful. -

-
-

- There is no workaround available at the moment. -

-

- Note that this is expected behavior that remains consistent between RPM and YUM. Any issues in - scriptlets should be addressed at the package level. -

-

- (BZ#1986657) -

-
-

A security DNF upgrade can skip obsoleted packages

-

- The patch for BZ#2095764, released with the - RHBA-2022:5816 - advisory, introduced the following regression: The DNF upgrade using security filters, such as - the --security option, can skip upgrading obsoleted packages. This - issue happens specifically when an installed package is obsoleted by a different available - package, and an advisory exists for the available package. -

-
-

- Consequently, dnf leaves the obsoleted package in the system, and the - security upgrade is not fully performed, potentially leaving the system in a vulnerable state. -

-

- To work around this problem, perform the full upgrade without security filters, or, first, verify - that there are no obsoleted packages involved in the upgrade process. -

-

- (BZ#2095764) -

-
-
-
-
-
-

10.4. Shells and command-line tools

-
-
-
-
-

coreutils might report misleading EPERM error - codes

-

- GNU Core Utilities (coreutils) started using the statx() system call. If a seccomp filter - returns an EPERM error code for unknown system calls, coreutils - might consequently report misleading EPERM error codes because EPERM can not be distinguished - from the actual Operation not permitted error returned by - a working statx() syscall. -

-
-

- To work around this problem, update the seccomp filter to either permit - the statx() syscall, or to return an ENOSYS error code for syscalls it - does not know. -

-

- (BZ#2030661) -

-
-
-
-
-
-

10.5. Infrastructure services

-
-
-
-
-

Postfix TLS fingerprint algorithm in the FIPS mode needs to be changed to - SHA-256

-

- By default in RHEL 8, postfix uses MD5 fingerprints with the TLS - for backward compatibility. But in the FIPS mode, the MD5 hashing function is not available, - which may cause TLS to incorrectly function in the default postfix configuration. To workaround - this problem, the hashing function needs to be changed to SHA-256 in the postfix configuration - file. -

-
-

- For more details, see the related Knowledgebase article Fix postfix TLS in the FIPS mode by switching - to SHA-256 instead of MD5. -

-

- (BZ#1711885) -

-
-

The brltty package is not multilib - compatible

-

- It is not possible to have both 32-bit and 64-bit versions of the brltty package installed. You can either install the 32-bit (brltty.i686) or the 64-bit (brltty.x86_64) version of the package. The 64-bit version is - recommended. -

-
-

- (BZ#2008197) -

-
-
-
-
-
-

10.6. Security

-
-
-
-
-

File permissions of /etc/passwd- are not - aligned with the CIS RHEL 8 Benchmark 1.0.0

-

- Because of an issue with the CIS Benchmark, the remediation of the SCAP rule that ensures - permissions on the /etc/passwd- backup file configures permissions - to 0644. However, the CIS Red Hat Enterprise Linux 8 Benchmark 1.0.0 requires file - permissions 0600 for that file. As a consequence, the file - permissions of /etc/passwd- are not aligned with the benchmark - after remediation. -

-
-

- (BZ#1858866) -

-
-

libselinux-python is available only through - its module

-

- The libselinux-python package contains only Python 2 bindings for - developing SELinux applications and it is used for backward compatibility. For this reason, - libselinux-python is no longer available in the default RHEL 8 - repositories through the yum install libselinux-python command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# yum module enable libselinux-python
-# yum install libselinux-python
-

- Alternatively, install libselinux-python using its install profile with - a single command: -

-
# yum module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- (BZ#1666328) -

-
-

udica processes UBI 8 containers only when - started with --env container=podman

-

- The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. - This prevents the udica tool from analyzing a container JavaScript - Object Notation (JSON) file. -

-
-

- To work around this problem, start a UBI 8 container using a podman - command with the --env container=podman parameter. As a result, udica can generate an SELinux policy for a UBI 8 container only when you - use the described workaround. -

-

- (BZ#1763210) -

-
-

SELINUX=disabled in /etc/selinux/config does not work properly

-

- Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots - with SELinux enabled and switches to disabled mode later in the boot process. This might cause - memory leaks. -

-
-

- To work around this problem, disable SELinux by adding the selinux=0 - parameter to the kernel command line as described in the Changing - SELinux modes at boot time section of the Using - SELinux title if your scenario really requires to completely disable SELinux. -

-

- (JIRA:RHELPLAN-34199) -

-
-

sshd -T provides inaccurate information about - Ciphers, MACs and KeX algorithms

-

- The output of the sshd -T command does not contain the system-wide - crypto policy configuration or other options that could come from an environment file in /etc/sysconfig/sshd and that are applied as arguments on the sshd command. This occurs because the upstream OpenSSH project did - not support the Include directive to support Red-Hat-provided cryptographic defaults in RHEL 8. - Crypto policies are applied as command-line arguments to the sshd - executable in the sshd.service unit during the service’s start by - using an EnvironmentFile. To work around the problem, use the source command with the environment file and pass the crypto policy - as an argument to the sshd command, as in sshd -T $CRYPTO_POLICY. For additional information, see Ciphers, MACs or KeX - algorithms differ from sshd -T to what is provided by current - crypto policy level. As a result, the output from sshd -T - matches the currently configured crypto policy. -

-
-

- (BZ#2044354) -

-
-

OpenSSL in FIPS mode accepts only specific D-H parameters

-

- In FIPS mode, TLS clients that use OpenSSL return a bad dh value - error and abort TLS connections to servers that use manually generated parameters. This is - because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with - Diffie-Hellman parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, - and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL - ignore all other parameters and instead select known parameters of similar size. To work around - this problem, use only the compliant groups. -

-
-

- (BZ#1810911) -

-
-

crypto-policies incorrectly allow Camellia - ciphers

-

- The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy - levels, as stated in the product documentation. However, the Kerberos protocol enables the - ciphers by default. -

-
-

- To work around the problem, apply the NO-CAMELLIA subpolicy: -

-
# update-crypto-policies --set DEFAULT:NO-CAMELLIA
-

- In the previous command, replace DEFAULT with the cryptographic level - name if you have switched from DEFAULT previously. -

-

- As a result, Camellia ciphers are correctly disallowed across all applications that use system-wide - crypto policies only when you disable them through the workaround. -

-

- (BZ#1919155) -

-
-

Smart-card provisioning process through OpenSC pkcs15-init does not work properly

-

- The file_caching option is enabled in the default OpenSC - configuration, and the file caching functionality does not handle some commands from the pkcs15-init tool properly. Consequently, the smart-card provisioning - process through OpenSC fails. -

-
-

- To work around the problem, add the following snippet to the /etc/opensc.conf file: -

-
app pkcs15-init {
-        framework pkcs15 {
-                use_file_caching = false;
-        }
-}
-

- The smart-card provisioning through pkcs15-init only works if you apply - the previously described workaround. -

-

- (BZ#1947025) -

-
-

Connections to servers with SHA-1 signatures do not work with - GnuTLS

-

- SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as - insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS - connection to peers that offer such certificates. This behavior is inconsistent with other - system cryptographic libraries. -

-
-

- To work around this problem, upgrade the server to use certificates signed with SHA-256 or stronger - hash, or switch to the LEGACY policy. -

-

- (BZ#1628553) -

-
-

IKE over TCP connections do not work on custom TCP ports

-

- The tcp-remoteport Libreswan configuration option does not work - properly. Consequently, an IKE over TCP connection cannot be established when a scenario - requires specifying a non-default TCP port. -

-
-

- (BZ#1989050) -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service - enable or disable state remediation is - not needed. Consequently, OpenSCAP might set the services on the installed system to a - non-compliant state. As a workaround, you can scan and remediate the system after the kickstart - installation. This will fix the service-related issues. -

-
-

- (BZ#1834716) -

-
-

RHV hypervisor may not work correctly when hardening the system during - installation

-

- When installing Red Hat Virtualization Hypervisor (RHV-H) and applying the Red Hat Enterprise - Linux 8 STIG profile, OSCAP Anaconda Add-on may harden the system as RHEL instead of RVH-H and - remove essential packages for RHV-H. Consequently, the RHV hypervisor may not work. To work - around the problem, install the RHV-H system without applying any profile hardening, and after - the installation is complete, apply the profile by using OpenSCAP. As a result, the RHV - hypervisor works correctly. -

-
-

- (BZ#2075508) -

-
-

Red Hat provides the CVE OVAL reports in compressed format

-

- Red Hat provides CVE OVAL feeds in the bzip2-compressed format, and - they are no longer available in the XML file format. The location of feeds for RHEL 8 has been - updated accordingly to reflect this change. Because referencing compressed content is not - standardized, third-party SCAP scanners can have problems with scanning rules that use the feed. -

-
-

- (BZ#2028428) -

-
-

Certain sets of interdependent rules in SSG can fail

-

- Remediation of SCAP Security Guide (SSG) rules in a benchmark can - fail due to undefined ordering of rules and their dependencies. If two or more rules need to be - executed in a particular order, for example, when one rule installs a component and another rule - configures the same component, they can run in the wrong order and remediation reports an error. - To work around this problem, run the remediation twice, and the second run fixes the dependent - rules. -

-
-

- (BZ#1750755) -

-
-

Server with GUI and Workstation installations are not possible with CIS Server - profiles

-

- The CIS Server Level 1 and Level 2 security profiles are not compatible with the Server with GUI and Workstation software - selections. As a consequence, a RHEL 8 installation with the Server with GUI software selection and CIS Server profiles is not - possible. An attempted installation using the CIS Server Level 1 or Level 2 profiles and either - of these software selections will generate the error message: -

-
-
package xorg-x11-server-common has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the installation.
-

- If you need to align systems with the Server with GUI or Workstation software selections according to CIS benchmarks, use the CIS - Workstation Level 1 or Level 2 profiles instead. -

-

- (BZ#1843932) -

-
-

Kickstart uses org_fedora_oscap instead of - com_redhat_oscap in RHEL 8

-

- The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on - as org_fedora_oscap instead of com_redhat_oscap, which might cause confusion. This is necessary for - backwards compatibility backward compatibility with Red Hat Enterprise Linux 7. -

-
-

- (BZ#1665082) -

-
-

SSH timeout rules in STIG profiles configure incorrect options

-

- An update of OpenSSH affected the rules in the following Defense Information Systems Agency - Security Technical Implementation Guide (DISA STIG) profiles: -

-
-
-
    -
  • - DISA STIG for RHEL 8 (xccdf_org.ssgproject.content_profile_stig) -
  • -
  • - DISA STIG with GUI for RHEL 8 (xccdf_org.ssgproject.content_profile_stig_gui) -
  • -
-
-

- In each of these profiles, the following two rules are affected: -

-
Title: Set SSH Client Alive Count Max to zero
-CCE Identifier: CCE-83405-1
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
-STIG ID: RHEL-08-010200
-
-Title: Set SSH Idle Timeout Interval
-CCE Identifier: CCE-80906-1
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
-STIG ID: RHEL-08-010201
-

- When applied to SSH servers, each of these rules configures an option (ClientAliveCountMax and ClientAliveInterval) - that no longer behaves as previously. As a consequence, OpenSSH no longer disconnects idle SSH users - when it reaches the timeout configured by these rules. As a workaround, these rules have been - temporarily removed from the DISA STIG for RHEL 8 and DISA STIG with GUI for RHEL 8 profiles until a - solution is developed. -

-

- (BZ#2038977) -

-
-

Certain rsyslog priority strings do not work - correctly

-

- Support for the GnuTLS priority string for - imtcp that allows fine-grained control over encryption is not - complete. Consequently, the following priority strings do not work properly in rsyslog: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- (BZ#1679512) -

-
-

Negative effects of the default logging setup on performance

-

- The default logging environment setup might consume 4 GB of memory or even more and adjustments - of rate-limit values are complex when systemd-journald is running - with rsyslog. -

-
-

- See the Negative effects of the - RHEL default logging setup on performance and their mitigations Knowledgebase article for - more information. -

-

- (JIRA:RHELPLAN-10431) -

-
-

Ansible remediations require additional collections

-

- With the replacement of Ansible Engine by the ansible-core package, - the list of Ansible modules provided with the RHEL subscription is reduced. As a consequence, - running remediations that use Ansible content included within the scap-security-guide package requires collections from the rhc-worker-playbook package. -

-
-

- For an Ansible remediation, perform the following steps: -

-
-
    -
  1. -

    - Install the required packages: -

    -
    # dnf install -y ansible-core scap-security-guide rhc-worker-playbook
    -
  2. -
  3. -

    - Navigate to the /usr/share/scap-security-guide/ansible - directory: -

    -
    # cd /usr/share/scap-security-guide/ansible
    -
  4. -
  5. -

    - Run the relevant Ansible playbook using environment variables that define the path to - the additional Ansible collections: -

    -
    # ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -c local -i localhost, rhel9-playbook-cis_server_l1.yml
    -

    - Replace cis_server_l1 with the - ID of the profile against which you want to remediate the system. -

    -
  6. -
-
-

- As a result, the Ansible content is processed correctly. -

-
-
Note
-
-

- Support of the collections provided in rhc-worker-playbook is - limited to enabling the Ansible content sourced in scap-security-guide. -

-
-
-

- (BZ#2114981) -

-
-
-
-
-
-

10.7. Networking

-
-
-
-
-

The nm-cloud-setup service removes - manually-configured secondary IP addresses from interfaces

-

- Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain - cases, other services on the host can configure interfaces as well. For example, these services - could add secondary IP addresses. To avoid that nm-cloud-setup - removes secondary IP addresses: -

-
-
-
    -
  1. -

    - Stop and disable the nm-cloud-setup service and timer: -

    -
    # systemctl disable --now nm-cloud-setup.service nm-cloud-setup.timer
    -
  2. -
  3. -

    - Display the available connection profiles: -

    -
    # nmcli connection show
    -
  4. -
  5. -

    - Reactive the affected connection profiles: -

    -
    # nmcli connection up "<profile_name>"
    -
  6. -
-
-

- As a result, the service no longer removes manually-configured secondary IP addresses from - interfaces. -

-

- (BZ#2132754) -

-
-

The primary IP address of an instance changes after starting the - nm-cloud-setup service in Alibaba Cloud

-

- After launching an instance in the Alibaba Cloud, the nm-cloud-setup service assigns the primary IP address to an instance. - However, if you assign multiple secondary IP addresses to an instance and start the nm-cloud-setup service, the former primary IP address gets replaced - by one of the already assigned secondary IP addresses. The returned list of metadata verifies - the same. To work around the problem, configure secondary IP addresses manually to avoid that - the primary IP address changes. As a result, an instance retains both IP addresses and the - primary IP address does not change. -

-
-

- (BZ#2079849) -

-
-

NetworkManager does not support activating bond and team ports in a - specific order

-

- NetworkManager activates interfaces alphabetically by interface names. However, if an interface - appears later during the boot, for example, because the kernel needs more time to discover it, - NetworkManager activates this interface later. NetworkManager does not support setting a - priority on bond and team ports. Consequently, the order in which NetworkManager activates ports - of these devices is not always predictable. To work around this problem, write a dispatcher - script. -

-
-

- For an example of such a script, see the corresponding comment in the ticket. -

-

- (BZ#1920398) -

-
-

Systems with the IPv6_rpfilter option enabled - experience low network throughput

-

- Systems with the IPv6_rpfilter option enabled in the firewalld.conf file currently experience suboptimal performance and - low network throughput in high traffic scenarios, such as 100-Gbps links. To work around the - problem, disable the IPv6_rpfilter option. To do so, add the - following line in the /etc/firewalld/firewalld.conf file. -

-
-
IPv6_rpfilter=no
-

- As a result, the system performs better, but also has reduced security. -

-

- (BZ#1871860) -

-
-

RoCE interfaces lose their IP settings due to an unexpected change of the - network interface name

-

- The RDMA over Converged Ethernet (RoCE) interfaces lose their IP settings due to an unexpected - change of the network interface name if both conditions are met: -

-
-
-
    -
  • - User upgrades from a RHEL 8.6 system or earlier. -
  • -
  • - The RoCE card is enumerated by UID. -
  • -
-
-

- To workaround this problem: -

-
-
    -
  1. -

    - Create the /etc/systemd/network/98-rhel87-s390x.link file - with the following content: -

    -
    [Match]
    -Architecture=s390x
    -KernelCommandLine=!net.naming-scheme=rhel-8.7
    -
    -[Link]
    -NamePolicy=kernel database slot path
    -AlternativeNamesPolicy=database slot path
    -MACAddressPolicy=persistent
    -
  2. -
  3. - Reboot the system for the changes to take effect. -
  4. -
  5. - Upgrade to RHEL 8.7 or newer. -
  6. -
-
-

- Note that RoCE interfaces that are enumerated by function ID (FID) and are non-unique, will still - use unpredictable interface names unless you set the net.naming-scheme=rhel-8.7 kernel parameter. In this case, the RoCE - interfaces will switch to predictable names with the "ens" prefix. -

-

- (BZ#2169382) -

-
-
-
-
-
-

10.8. Kernel

-
-
-
-
-

Using net_prio or net_cls controllers in v1 mode deactivates some controllers of - the cgroup-v2 hierarchy

-

- In cgroup-v2 environments, using either net_prio or net_cls controllers in v1 - mode disables the hierarchical tracking of socket data. As a result, the cgroup-v2 hierarchy for socket data tracking controllers is not - active, and the dmesg command reports the following message: -

-
-
cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
-

- (BZ#2046396) -

-
-

Anaconda in some cases fails after entering the passphrase for encrypted - devices

-

- If kdump is disabled when preparing an installation and the user - selects encrypted disk partitioning, the Anaconda installer fails with a traceback after - entering the passphrase for the encrypted device. -

-
-

- To work around this problem, do one of the following: -

-
-
    -
  • - Create the encrypted disk partitioning before disabling kdump. -
  • -
  • - Keep kdump enabled during the installation and disable it after - the installation process is complete. -
  • -
-
-

- (BZ#2086100) -

-
-

Reloading an identical crash extension may cause segmentation - faults

-

- When you load a copy of an already loaded crash extension file, it might trigger a segmentation - fault. Currently, the crash utility detects if an original file has been loaded. Consequently, - due to two identical files co-existing in the crash utility, a namespace collision occurs, which - triggers the crash utility to cause a segmentation fault. -

-
-

- You can work around the problem by loading the crash extension file only once. As a result, - segmentation faults no longer occur in the described scenario. -

-

- (BZ#1906482) -

-
-

vmcore capture fails after memory hot-plug or unplug operation

-

- After performing the memory hot-plug or hot-unplug operation, the event comes after updating the - device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical address. - The problem appears if all of the following conditions meet: -

-
-
-
    -
  • - A little-endian variant of IBM Power System runs RHEL 8. -
  • -
  • - The kdump or fadump service is - enabled on the system. -
  • -
-
-

- Consequently, the capture kernel fails to save vmcore if a kernel crash - is triggered after the memory hot-plug or hot-unplug operation. -

-

- To work around this problem, restart the kdump service after hot-plug - or hot-unplug: -

-
# systemctl restart kdump.service
-

- As a result, vmcore is successfully saved in the described scenario. -

-

- (BZ#1793389) -

-
-

Debug kernel fails to boot in crash capture environment on RHEL 8 -

-

- Due to the memory-intensive nature of the debug kernel, a problem occurs when the debug kernel - is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to - boot as the capture kernel and a stack trace is generated instead. To work around this problem, - increase the crash kernel memory as required. As a result, the debug kernel boots successfully - in the crash capture environment. -

-
-

- (BZ#1659609) -

-
-

Allocating crash kernel memory fails at boot time

-

- On some Ampere Altra systems, allocating the crash kernel memory during boot fails when the - 32-bit region is disabled in BIOS settings. Consequently, the kdump - service fails to start. This is caused by memory fragmentation in the region below 4 GB with no - fragment being large enough to contain the crash kernel memory. -

-
-

- To work around this problem, enable the 32-bit memory region in BIOS as follows: -

-
-
    -
  1. - Open the BIOS settings on your system. -
  2. -
  3. - Open the Chipset menu. -
  4. -
  5. - Under Memory Configuration, enable the - Slave 32-bit option. -
  6. -
-
-

- As a result, crash kernel memory allocation within the 32-bit region succeeds and the kdump service works as expected. -

-

- (BZ#1940674) -

-
-

The kernel ACPI driver reports it has no access to a PCIe ECAM memory - region

-

- The Advanced Configuration and Power Interface (ACPI) table provided by firmware does not define - a memory region on the PCI bus in the Current Resource Settings (_CRS) method for the PCI bus - device. Consequently, the following warning message occurs during the system boot: -

-
-
[    2.817152] acpi PNP0A08:00: [Firmware Bug]: ECAM area [mem 0x30000000-0x31ffffff] not reserved in ACPI namespace
-[    2.827911] acpi PNP0A08:00: ECAM at [mem 0x30000000-0x31ffffff] for [bus 00-1f]
-

- However, the kernel is still able to access the 0x30000000-0x31ffffff - memory region, and can assign that memory region to the PCI Enhanced Configuration Access Mechanism - (ECAM) properly. You can verify that PCI ECAM works correctly by accessing the PCIe configuration - space over the 256 byte offset with the following output: -

-
03:00.0 Non-Volatile memory controller: Sandisk Corp WD Black 2018/PC SN720 NVMe SSD (prog-if 02 [NVM Express])
- ...
-        Capabilities: [900 v1] L1 PM Substates
-                L1SubCap: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2+ ASPM_L1.1- L1_PM_Substates+
-                          PortCommonModeRestoreTime=255us PortTPowerOnTime=10us
-                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
-                           T_CommonMode=0us LTR1.2_Threshold=0ns
-                L1SubCtl2: T_PwrOn=10us
-

- As a result, you can ignore the warning message. -

-

- For more information about the problem, see the "Firmware Bug: ECAM area mem 0x30000000-0x31ffffff not reserved in ACPI namespace" appears - during system boot solution. -

-

- (BZ#1868526) -

-
-

The tuned-adm profile powersave command causes - the system to become unresponsive

-

- Executing the tuned-adm profile powersave command leads to an - unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx - (CN88xx) processors. Consequently, reboot the system to resume working. To work around this - problem, avoid using the powersave profile if your system matches - the mentioned specifications. -

-
-

- (BZ#1609288) -

-
-

The HP NMI watchdog does not always generate a crash dump

-

- In certain cases, the hpwdt driver for the HP NMI watchdog is not - able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI - was instead consumed by the perfmon driver. -

-
-

- The missing NMI is initiated by one of two conditions: -

-
-
    -
  1. - The Generate NMI button on the - Integrated Lights-Out (iLO) server management software. This button is triggered by a user. -
  2. -
  3. - The hpwdt watchdog. The expiration by default sends an NMI to - the server. -
  4. -
-
-

- Both sequences typically occur when the system is unresponsive. Under normal circumstances, the NMI - handler for both these situations calls the kernel panic() function and - if configured, the kdump service generates a vmcore file. -

-

- Because of the missing NMI, however, kernel panic() is not called and - vmcore is not collected. -

-

- In the first case (1.), if the system was unresponsive, it remains so. To work around this scenario, - use the virtual Power button to reset or power - cycle the server. -

-

- In the second case (2.), the missing NMI is followed 9 seconds later by a reset from the Automated - System Recovery (ASR). -

-

- The HPE Gen9 Server line experiences this problem in single-digit percentages. The Gen10 at an even - smaller frequency. -

-

- (BZ#1602962) -

-
-

Using irqpoll causes vmcore generation failure

-

- Due to an existing problem with the nvme driver on the 64-bit ARM - architecture that run on the Amazon Web Services Graviton 1 processor, causes vmcore generation to fail when you provide the irqpoll kernel command line parameter to the first kernel. - Consequently, no vmcore file is dumped in the /var/crash/ directory upon a kernel crash. To work around this - problem: -

-
-
-
    -
  1. -

    - Append irqpoll to KDUMP_COMMANDLINE_REMOVE variable in the /etc/sysconfig/kdump file. -

    -
    # KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug quiet log_buf_len swiotlb"
    -
  2. -
  3. -

    - Remove irqpoll from KDUMP_COMMANDLINE_APPEND variable in the /etc/sysconfig/kdump file. -

    -
    # KDUMP_COMMANDLINE_APPEND="irqpoll nr_cpus=1 reset_devices cgroup_disable=memory udev.children-max=2 panic=10 swiotlb=noforce novmcoredd"
    -
  4. -
  5. -

    - Restart the kdump service: -

    -
    # systemctl restart kdump
    -
  6. -
-
-

- As a result, the first kernel boots correctly and the vmcore file is - expected to be captured upon the kernel crash. -

-

- Note that the Amazon Web Services Graviton 2 and Amazon Web Services Graviton 3 processors do not - require you to manually remove the irqpoll parameter in the /etc/sysconfig/kdump file. -

-

- The kdump service can use a significant amount of crash kernel memory - to dump the vmcore file. Ensure that the capture kernel has sufficient - memory available for the kdump service. -

-

- For related information on this Known Issue, see the The irqpoll kernel command line parameter - might cause vmcore generation failure article. -

-

- (BZ#1654962) -

-
-

Connections fail when attaching a virtual function to virtual - machine

-

- Pensando network cards that use the ionic device driver silently - accept VLAN tag configuration requests and attempt configuring network connections while - attaching network virtual functions (VF) to a virtual machine - (VM). Such network connections fail as this feature is not yet - supported by the card’s firmware. -

-
-

- (BZ#1930576) -

-
-

The OPEN MPI library may trigger run-time failures with default - PML

-

- In OPEN Message Passing Interface (OPEN MPI) implementation 4.0.x series, Unified Communication - X (UCX) is the default point-to-point communicator (PML). The later versions of OPEN MPI 4.0.x - series deprecated openib Byte Transfer Layer (BTL). -

-
-

- However, OPEN MPI, when run over a homogeneous - cluster (same hardware and software configuration), UCX still uses openib BTL for MPI one-sided operations. As a consequence, this may - trigger execution errors. To work around this problem: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca btl openib -mca pml ucx -x UCX_NET_DEVICES=mlx5_ib0
-

- where, -

-
-
    -
  • - The -mca btl openib parameter disables openib BTL -
  • -
  • - The -mca pml ucx parameter configures OPEN MPI to use ucx PML. -
  • -
  • - The x UCX_NET_DEVICES= parameter restricts UCX to use the - specified devices -
  • -
-
-

- The OPEN MPI, when run over a heterogeneous - cluster (different hardware and software configuration), it uses UCX as the default PML. As a - consequence, this may cause the OPEN MPI jobs to run with erratic performance, unresponsive - behavior, or crash failures. To work around this problem, set the UCX priority as: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca pml_ucx_priority 5
-

- As a result, the OPEN MPI library is able to choose an alternative available transport layer over - UCX. -

-

- (BZ#1866402) -

-
-

The Solarflare fails to create maximum number of virtual functions - (VFs)

-

- The Solarflare NICs fail to create a maximum number of VFs due to insufficient resources. You - can check the maximum number of VFs that a PCIe device can create in the /sys/bus/pci/devices/PCI_ID/sriov_totalvfs file. To workaround this - problem, you can either adjust the number of VFs or the VF MSI interrupt value to a lower value, - either from Solarflare Boot Manager on startup, or using Solarflare - sfboot utility. The default VF MSI interrupt value is 8. -

-
-
-
    -
  • - To adjust the VF MSI interrupt value using sfboot: -
  • -
-
-
# sfboot vf-msix-limit=2
-
-
Note
-
-

- Adjusting VF MSI interrupt value affects the VF performance. -

-
-
-

- For more information about parameters to be adjusted accordingly, see the Solarflare Server Adapter user guide. -

-

- (BZ#1971506) -

-
-

Memory allocation for kdump fails on the - 64-bit ARM architectures

-

- On certain 64-bit ARM based systems, the firmware uses the non-contiguous memory allocation - method, which reserves memory randomly at different scattered locations. Consequently, due to - the unavailability of consecutive blocks of memory, the crash kernel cannot reserve memory space - for the kdump mechanism. -

-
-

- To work around this problem, install the kernel version provided by RHEL 8.8 and later. The latest - version of RHEL supports the fallback dump capture mechanism that helps - to find a suitable memory region in the described scenario. -

-

- (BZ#2214235) -

-
-

Hardware certification of the real-time kernel on systems with large - core-counts might require passing the skew-tick=1 boot - parameter to avoid lock contentions

-

- Large or moderate sized systems with numerous sockets and large core-counts can experience - latency spikes due to lock contentions on xtime_lock, which is used - in the timekeeping system. As a consequence, latency spikes and delays in hardware - certifications might occur on multiprocessing systems. As a workaround, you can offset the timer - tick per CPU to start at a different time by adding the skew_tick=1 - boot parameter. -

-
-

- To avoid lock conflicts, enable skew_tick=1: -

-
-
    -
  1. -

    - Enable the skew_tick=1 parameter with grubby. -

    -
    # grubby --update-kernel=ALL --args="skew_tick=1"
    -
  2. -
  3. - Reboot for changes to take effect. -
  4. -
  5. - Verify the new settings by running the cat /proc/cmdline - command. -
  6. -
-
-

- Note that enabling skew_tick=1 causes a significant increase in power - consumption and, therefore, it must be enabled only if you are running latency sensitive real-time - workloads. -

-

- (BZ#2214508) -

-
-
-
-
-
-

10.9. File systems and storage

-
-
-
-
-

Limitations of LVM writecache

-

- The writecache LVM caching method has the following limitations, - which are not present in the cache method: -

-
-
-
    -
  • - You cannot name a writecache logical volume when using pvmove commands. -
  • -
  • - You cannot use logical volumes with writecache in combination - with thin pools or VDO. -
  • -
-
-

- The following limitation also applies to the cache method: -

-
-
    -
  • - You cannot resize a logical volume while cache or writecache is attached to it. -
  • -
-
-

- (JIRA:RHELPLAN-27987, BZ#1798631, BZ#1808012) -

-
-

XFS quota warnings are triggered too often

-

- Using the quota timer results in quota warnings triggering too often, which causes soft quotas - to be enforced faster than they should. To work around this problem, do not use soft quotas, - which will prevent triggering warnings. As a result, the amount of warning messages will not - enforce soft quota limit anymore, respecting the configured timeout. -

-
-

- (BZ#2059262) -

-
-

LVM mirror devices that store a LUKS volume - sometimes become unresponsive

-

- Mirrored LVM devices with a segment type of mirror that store a - LUKS volume might become unresponsive under certain conditions. The unresponsive devices reject - all I/O operations. -

-
-

- To work around the issue, Red Hat recommends that you use LVM RAID 1 devices with a segment type of - raid1 instead of mirror if you need to - stack LUKS volumes on top of resilient software-defined storage. -

-

- The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 device. -

-

- (BZ#1730502) -

-
-

The /boot file system cannot be placed on - LVM

-

- You cannot place the /boot file system on an LVM logical volume. - This limitation exists for the following reasons: -

-
-
-
    -
  • - On EFI systems, the EFI System Partition - conventionally serves as the /boot file system. The uEFI - standard requires a specific GPT partition type and a specific file system type for this - partition. -
  • -
  • - RHEL 8 uses the Boot Loader Specification (BLS) for - system boot entries. This specification requires that the /boot - file system is readable by the platform firmware. On EFI systems, the platform firmware can - read only the /boot configuration defined by the uEFI standard. -
  • -
  • - The support for LVM logical volumes in the GRUB 2 boot loader is incomplete. Red Hat does - not plan to improve the support because the number of use cases for the feature is - decreasing due to standards such as uEFI and BLS. -
  • -
-
-

- Red Hat does not plan to support /boot on LVM. Instead, Red Hat - provides tools for managing system snapshots and rollback that do not need the /boot file system to be placed on an LVM logical volume. -

-

- (BZ#1496229) -

-
-

LVM no longer allows creating volume groups with mixed block sizes -

-

- LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where the - physical volumes (PVs) have different logical block sizes. LVM has adopted this change because - file systems fail to mount if you extend the underlying logical volume (LV) with a PV of a - different block size. -

-
-

- To re-enable creating VGs with mixed block sizes, set the allow_mixed_block_sizes=1 option in the lvm.conf file. -

-

- (BZ#1768536) -

-
-

Using Device mapper multipath with the NVMe/TCP driver causes system - instability

-

- DM multipath is not supported with the NVMe/TCP driver. Using it causes sleeping functions in - the kernel to be called in an atomic context, which then results in system instability. -

-
-

- To workaround the problem, enable native NVMe multipath. Do not use DM multipath tools. For RHEL 8, - add the option nvme_core.multipath=Y to the kernel command line. -

-

- (BZ#2022359) -

-
-

The blk-availability systemd service - deactivates complex device stacks

-

- In systemd, the default block deactivation code does not always - handle complex stacks of virtual block devices correctly. In some configurations, virtual - devices might not be removed during the shutdown, which causes error messages to be logged. To - work around this problem, deactivate complex block device stacks by executing the following - command: -

-
-
# systemctl enable --now blk-availability.service
-

- As a result, complex virtual device stacks are correctly deactivated during shutdown and do not - produce error messages. -

-

- (BZ#2011699) -

-
-
-
-
-
-

10.10. Dynamic programming languages, web and database servers

-
-
-
-
-

getpwnam() might fail when called by a 32-bit - application

-

- When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, - manually install the missing package by using the yum install nss_nis.i686 command. -

-
-

- (BZ#1803161) -

-
-

MariaDB 10.5 does not warn about dropping a - non-existent table when the OQGraph plug-in is enabled -

-

- When the OQGraph storage engine plug-in is loaded to the MariaDB 10.5 server, MariaDB does not - warn about dropping a non-existent table. In particular, when the user attempts to drop a - non-existent table using the DROP TABLE or DROP TABLE IF EXISTS SQL commands, MariaDB neither returns an error message nor logs a warning. -

-
-

- Note that the OQGraph plug-in is provided by the mariadb-oqgraph-engine package, which is not installed by default. -

-

- (BZ#1944653) -

-
-

PAM plug-in version 1.0 does not work in MariaDB

-

- MariaDB 10.3 provides the Pluggable Authentication Modules (PAM) - plug-in version 1.0. MariaDB 10.5 provides the plug-in versions 1.0 - and 2.0, version 2.0 is the default. -

-
-

- The MariaDB PAM plug-in version 1.0 does not work in RHEL 8. To work - around this problem, use the PAM plug-in version 2.0 provided by the mariadb:10.5 module stream. -

-

- (BZ#1942330) -

-
-

Symbol conflicts between OpenLDAP libraries might cause crashes in httpd

-

- When both the libldap and libldap_r - libraries provided by OpenLDAP are loaded and used within a single process, symbol conflicts - between these libraries might occur. Consequently, Apache httpd - child processes using the PHP ldap extension might terminate - unexpectedly if the mod_security or mod_auth_openidc modules are also loaded by the httpd configuration. -

-
-

- Since the RHEL 8.3 update to the Apache Portable Runtime (APR) library, you can work around the - problem by setting the APR_DEEPBIND environment variable, which enables - the use of the RTLD_DEEPBIND dynamic linker option when loading httpd modules. When the APR_DEEPBIND - environment variable is enabled, crashes no longer occur in httpd - configurations that load conflicting libraries. -

-

- (BZ#1819607) -

-
-
-
-
-
-

10.11. Identity Management

-
-
-
-
-

Windows Server 2008 R2 and earlier no longer supported

-

- In RHEL 8.4 and later, Identity Management (IdM) does not support establishing trust to Active - Directory with Active Directory domain controllers running Windows Server 2008 R2 or earlier - versions. RHEL IdM now requires SMB encryption when establishing the trust relationship, which - is only available with Windows Server 2012 or later. -

-
-

- (BZ#1971061) -

-
-

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System -

-

- Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of - Certificate System. As a consequence, Certificate System might become unstable and manual steps - are required to recover the system. -

-
-

- (BZ#1729215) -

-
-

The /var/log/lastlog sparse file on IdM hosts - can cause performance problems

-

- During the IdM installation, a range of 200,000 UIDs from a total of 10,000 possible ranges is - randomly selected and assigned. Selecting a random range in this way significantly reduces the - probability of conflicting IDs in case you decide to merge two separate IdM domains in the - future. -

-
-

- However, having high UIDs can create problems with the /var/log/lastlog - file. For example, if a user with the UID of 1280000008 logs in to an IdM client, the local /var/log/lastlog file size increases to almost 400 GB. Although the - actual file is sparse and does not use all that space, certain applications are not designed to - identify sparse files by default and may require a specific option to handle them. For example, if - the setup is complex and a backup and copy application does not handle sparse files correctly, the - file is copied as if its size was 400 GB. This behavior can cause performance problems. -

-

- To work around this problem: -

-
-
    -
  • - In case of a standard package, refer to its documentation to identify the option that - handles sparse files. -
  • -
  • - In case of a custom application, ensure that it is able to manage sparse files such as /var/log/lastlog correctly. -
  • -
-
-

- (JIRA:RHELPLAN-59111) -

-
-

FIPS mode does not support using a shared secret to establish a - cross-forest trust

-

- Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP - authentication is not FIPS-compliant. To work around this problem, authenticate with an Active - Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS - mode enabled and an AD domain. -

-
-

- (BZ#1924707) -

-
-

FreeRADIUS server fails to run in FIPS mode

-

- By default, in FIPS mode, OpenSSL disables the use of the MD5 digest algorithm. As the RADIUS - protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, this - causes the FreeRADIUS server to fail in FIPS mode. -

-
-

- To work around this problem, follow these steps: -

-
-

Procedure

-
    -
  1. -

    - Create the environment variable, RADIUS_MD5_FIPS_OVERRIDE - for the radiusd service: -

    -
    systemctl edit radiusd
    -
    -[Service]
    -Environment=RADIUS_MD5_FIPS_OVERRIDE=1
    -
  2. -
  3. -

    - To apply the change, reload the systemd configuration and - start the radiusd service: -

    -
    # systemctl daemon-reload
    -# systemctl start radiusd
    -
  4. -
  5. -

    - To run FreeRADIUS in debug mode: -

    -
    # RADIUS_MD5_FIPS_OVERRIDE=1 radiusd -X
    -
  6. -
-
-

- Note that though FreeRADIUS can run in FIPS mode, this does not mean that it is FIPS compliant as it - uses weak ciphers and functions when in FIPS mode. -

-

- For more information on configuring FreeRADIUS authentication in FIPS mode, see How to configure FreeRADIUS authentication in - FIPS mode. -

-

- (BZ#1958979) -

-
-

Actions required when running Samba as a print server and updating from - RHEL 8.4 and earlier

-

- With this update, the samba package no longer creates the /var/spool/samba/ directory. If you use Samba as a print server and - use /var/spool/samba/ in the [printers] share to spool print jobs, SELinux prevents Samba users - from creating files in this directory. Consequently, print jobs fail and the auditd service logs a denied message in - /var/log/audit/audit.log. To avoid this problem after updating your - system from 8.4 and earlier: -

-
-
-
    -
  1. - Search the [printers] share in the /etc/samba/smb.conf file. -
  2. -
  3. - If the share definition contains path = /var/spool/samba/, - update the setting and set the path parameter to /var/tmp/. -
  4. -
  5. -

    - Restart the smbd service: -

    -
    # systemctl restart smbd
    -
  6. -
-
-

- If you newly installed Samba on RHEL 8.5 or later, no action is required. The default /etc/samba/smb.conf file provided by the samba-common package in this case already uses the /var/tmp/ directory to spool print jobs. -

-

- (BZ#2009213) -

-
-

Downgrading authselect after the rebase to - version 1.2.2 breaks system authentication

-

- The authselect package has been rebased to the latest upstream - version 1.2.2. Downgrading authselect - is not supported and breaks system authentication for all users, including root. -

-
-

- If you downgraded the authselect package to 1.2.1 or earlier, perform the following steps to work around this - problem: -

-
-
    -
  1. - At the GRUB boot screen, select Red Hat Enterprise Linux with - the version of the kernel that you want to boot and press e to - edit the entry. -
  2. -
  3. - Type single as a separate word at the end of the line that - starts with linux and press Ctrl+X - to start the boot process. -
  4. -
  5. - Upon booting in single-user mode, enter the root password. -
  6. -
  7. -

    - Restore authselect configuration using the following command: -

    -
    # authselect select sssd --force
    -
  8. -
-
-

- (BZ#1892761) -

-
-

The default keyword for enabled ciphers in the - NSS does not work in conjunction with other ciphers

-

- In Directory Server you can use the default keyword to refer to the - default ciphers enabled in the network security services (NSS). However, if you want to enable - the default ciphers and additional ones using the command line or web console, Directory Server - fails to resolve the default keyword. As a consequence, the server - enables only the additionally specified ciphers and logs the following error: -

-
-
Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,+__cipher_name__>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
-

- As a workaround, specify all ciphers that are enabled by default in NSS including the ones you want - to additionally enable. -

-

- (BZ#1817505) -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- (JIRA:RHELPLAN-155168) -

-
-
-
-
-
-

10.12. Desktop

-
-
-
-
-

Disabling flatpak repositories from Software - Repositories is not possible

-

- Currently, it is not possible to disable or remove flatpak - repositories in the Software Repositories tool in the GNOME Software utility. -

-
-

- (BZ#1668760) -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft - Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. - In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, use - Hyper-V Server 2019 or later as the host. -

-

- (BZ#1583445) -

-
-

Drag-and-drop does not work between desktop and applications

-

- Due to a bug in the gnome-shell-extensions package, the - drag-and-drop functionality does not currently work between desktop and applications. Support - for this feature will be added back in a future release. -

-
-

- (BZ#1717947) -

-
-
-
-
-
-

10.13. Graphics infrastructures

-
-
-
-
-

radeon fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in the - kexec context correctly. Instead, radeon falls over, which causes - the rest of the kdump service to fail. -

-
-

- To work around this problem, disable radeon in kdump by adding the following line to the /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the machine and kdump. After starting - kdump, the force_rebuild 1 line may be removed from the configuration file. -

-

- Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully. -

-

- (BZ#1694705) -

-
-

Multiple HDR displays on a single MST topology may not power on -

-

- On systems using NVIDIA Turing GPUs with the nouveau driver, using - a DisplayPort hub (such as a laptop dock) with multiple monitors - which support HDR plugged into it may result in failure to turn on. This is due to the system - erroneously thinking there is not enough bandwidth on the hub to support all of the displays. -

-
-

- (BZ#1812577) -

-
-

GUI in ESXi might crash due to low video memory

-

- The graphical user interface (GUI) on RHEL virtual machines (VMs) in the VMware ESXi 7.0.1 - hypervisor with vCenter Server 7.0.1 requires a certain amount of video memory. If you connect - multiple consoles or high-resolution monitors to the VM, the GUI requires at least 16 MB of - video memory. If you start the GUI with less video memory, the GUI might terminate unexpectedly. -

-
-

- To work around the problem, configure the hypervisor to assign at least 16 MB of video memory to the - VM. As a result, the GUI on the VM no longer crashes. -

-

- If you encounter this issue, Red Hat recommends that you report it to VMware. -

-

- See also the following VMware article: VMs with high resolution VM console may experience - a crash on ESXi 7.0.1 (83194). -

-

- (BZ#1910358) -

-
-

VNC Viewer displays wrong colors with the 16-bit color depth on IBM - Z

-

- The VNC Viewer application displays wrong colors when you connect to a VNC session on an IBM Z - server with the 16-bit color depth. -

-
-

- To work around the problem, set the 24-bit color depth on the VNC server. With the Xvnc server, replace the -depth 16 option - with -depth 24 in the Xvnc configuration. -

-

- As a result, VNC clients display the correct colors but use more network bandwidth with the server. -

-

- (BZ#1886147) -

-
-

Unable to run graphical applications using sudo command

-

- When trying to run graphical applications as a user with elevated privileges, the application - fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority - file to use regular user credentials for authentication. -

-
-

- To work around this problem, use the sudo -E command to run graphical - applications as a root user. -

-

- (BZ#1673073) -

-
-

Hardware acceleration is not supported on ARM

-

- Built-in graphics drivers do not support hardware acceleration or the Vulkan API on the 64-bit - ARM architecture. -

-
-

- To enable hardware acceleration or Vulkan on ARM, install the proprietary Nvidia driver. -

-

- (JIRA:RHELPLAN-57914) -

-
-
-
-
-
-

10.14. The web console

-
-
-
-
-

Removing USB host devices using the web console does not work as - expected

-

- When you attach a USB device to a virtual machine (VM), the device number and bus number of the - USB device might change after they are passed to the VM. As a consequence, using the web console - to remove such devices fails due to the incorrect correlation of the device and bus numbers. To - workaround this problem, remove the <hostdev> part of the USB - device, from the VM’s XML configuration. -

-
-

- (JIRA:RHELPLAN-109067) -

-
-

Attaching multiple host devices using the web console does not - work

-

- When you select multiple devices to attach to a virtual machine (VM) using the web console, only - a single device is attached and the rest are ignored. To work around this problem, attach only - one device at a time. -

-
-

- (JIRA:RHELPLAN-115603) -

-
-
-
-
-
-

10.15. Red Hat Enterprise Linux system roles

-
-
-
-
-

Unable to manage localhost by using the localhost hostname in the playbook or inventory

-

- With the inclusion of the ansible-core 2.12 package in RHEL, if you - are running Ansible on the same host you manage your nodes, you cannot do it by using the localhost hostname in your playbook or inventory. This happens - because ansible-core 2.12 uses the python38 module, and many of the libraries are missing, for example, - blivet for the storage role, gobject for the network role. To - workaround this problem, if you are already using the localhost - hostname in your playbook or inventory, you can add a connection, by using ansible_connection=local, or by creating an inventory file that lists - localhost with the ansible_connection=local option. With that, you are able to manage - resources on localhost. For more details, see the article RHEL system roles playbooks - fail when run on localhost. -

-
-

- (BZ#2041997) -

-
-
-
-
-
-

10.16. Virtualization

-
-
-
-
-

Network traffic performance in virtual machines might be reduced -

-

- In some cases, RHEL 8.6 guest virtual machines (VMs) have somewhat decreased performance when - handling high levels of network traffic. -

-
-

- (BZ#2069047) -

-
-

Using a large number of queues might cause Windows virtual machines to - fail

-

- Windows virtual machines (VMs) might fail when the virtual Trusted Platform Module (vTPM) device - is enabled and the multi-queue virtio-net feature is - configured to use more than 250 queues. -

-
-

- This problem is caused by a limitation in the vTPM device. The vTPM device has a hardcoded limit on - the maximum number of opened file descriptors. Since multiple file descriptors are opened for every - new queue, the internal vTPM limit can be exceeded, causing the VM to fail. -

-

- To work around this problem, choose one of the following two options: -

-
-
    -
  • - Keep the vTPM device enabled, but use less than 250 queues. -
  • -
  • - Disable the vTPM device to use more than 250 queues. -
  • -
-
-

- (BZ#2020133) -

-
-

Live post-copy migration of VMs with failover VFs does not work -

-

- Currently, attempting to post-copy migrate a running virtual machine (VM) fails if the VM uses a - device with the virtual function (VF) failover capability enabled. To work around the problem, - use the standard migration type, rather than post-copy migration. -

-
-

- (BZ#2054656) -

-
-

Live migrating VMs to a RHEL 8.6 Intel host from an earlier minor version - of RHEL 8 does not work

-

- Because the Intel Transactional Synchronization Extensions (TSX) feature has become deprecated, - RHEL 8.6 hosts on Intel hardware no longer use the hle and rtm CPU flags. As a consequence, live migrating a virtual machine - (VM) to a RHEL 8.6 host fails if the source host uses RHEL 8.5 or an earlier minor version of - RHEL 8. -

-
-

- For more information on TSX deprecation, see the Red Hat KnowledgeBase. -

-

- (BZ#2134184) -

-
-

The Milan VM CPU type is sometimes not - available on AMD Milan systems

-

- On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and - Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS - by default. Consequently, the 'Milan' CPU type might not be available on these systems. In - addition, VM live migration between Milan hosts with different feature flag settings might fail. - To work around these problems, manually turn on erms and fsrm in the BIOS of your host. -

-
-

- (BZ#2077770) -

-
-

Attaching LUN devices to virtual machines using virtio-blk does not - work

-

- The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore - lacks support for features that were deprecated in virtio 1.0. In particular, it is not possible - on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, attaching a - physical disk as a LUN device to a virtual machine fails when using the virtio-blk controller. -

-
-

- Note that physical disks can still be passed through to the guest operating system, but they should - be configured with the device='disk' option rather than device='lun'. -

-

- (BZ#1777138) -

-
-

Virtual machines with iommu_platform=on fail - to start on IBM POWER

-

- RHEL 8 currently does not support the iommu_platform=on parameter - for virtual machines (VMs) on IBM POWER system. As a consequence, starting a VM with this - parameter on IBM POWER hardware results in the VM becoming unresponsive during the boot process. -

-
-

- (BZ#1910848) -

-
-

IBM POWER hosts may crash when using the ibmvfc driver

-

- When running RHEL 8 on a PowerVM logical partition (LPAR), a variety of errors may currently - occur due to problems with the ibmvfc driver. As a consequence, the - host’s kernel may panic under certain circumstances, such as: -

-
-
-
    -
  • - Using the Live Partition Mobility (LPM) feature -
  • -
  • - Resetting a host adapter -
  • -
  • - Using SCSI error handling (SCSI EH) functions -
  • -
-
-

- (BZ#1961722) -

-
-

Using perf kvm record on IBM POWER Systems can - cause the VM to crash

-

- When using a RHEL 8 host on the little-endian variant of IBM POWER hardware, using the perf kvm record command to collect trace event samples for a KVM - virtual machine (VM) in some cases results in the VM becoming unresponsive. This situation - occurs when: -

-
-
-
    -
  • - The perf utility is used by an unprivileged user, and the -p option is used to identify the VM - for example perf kvm record -e trace_cycles -p 12345. -
  • -
  • - The VM was started using the virsh shell. -
  • -
-
-

- To work around this problem, use the perf kvm utility with the -i option to monitor VMs that were created using the virsh shell. For example: -

-
# perf kvm record -e trace_imc/trace_cycles/  -p <guest pid> -i
-

- Note that when using the -i option, child tasks do not inherit - counters, and threads will therefore not be monitored. -

-

- (BZ#1924016) -

-
-

Windows Server 2016 virtual machines with Hyper-V enabled fail to boot when - using certain CPU models

-

- Currently, it is not possible to boot a virtual machine (VM) that uses Windows Server 2016 as - the guest operating system, has the Hyper-V role enabled, and uses one of the following CPU - models: -

-
-
-
    -
  • - EPYC-IBPB -
  • -
  • - EPYC -
  • -
-
-

- To work around this problem, use the EPYC-v3 CPU - model, or manually enable the xsaves CPU flag - for the VM. -

-

- (BZ#1942888) -

-
-

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails -

-

- Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes - unresponsive with a Migration status: active status. -

-
-

- To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which - enables the migration to complete successfully. -

-

- (BZ#1741436) -

-
-

Using virt-customize sometimes causes guestfs-firstboot to fail

-

- After modifying a virtual machine (VM) disk image using the virt-customize utility, the guestfs-firstboot service in some cases fails due to incorrect - SELinux permissions. This causes a variety of problems during VM startup, such as failing user - creation or system registration. -

-
-

- To avoid this problem, add the --selinux-relabel option to the virt-customize command. -

-

- (BZ#1554735) -

-
-

Deleting a forward interface from a macvtap virtual network resets all - connection counts of this network

-

- Currently, deleting a forward interface from a macvtap virtual - network with multiple forward interfaces also resets the connection status of the other forward - interfaces of the network. As a consequence, the connection information in the live network XML - is incorrect. Note, however, that this does not affect the functionality of the virtual network. - To work around the issue, restart the libvirtd service on your - host. -

-
-

- (BZ#1332758) -

-
-

Virtual machines with SLOF fail to boot in netcat interfaces

-

- When using a netcat (nc) interface to access the console of a - virtual machine (VM) that is currently waiting at the Slimline Open Firmware (SLOF) prompt, the - user input is ignored and VM stays unresponsive. To work around this problem, use the nc -C option when connecting to the VM, or use a telnet interface - instead. -

-
-

- (BZ#1974622) -

-
-

Attaching mediated devices to virtual machines in virt-manager in some cases fails

-

- The virt-manager application is currently able to detect mediated - devices, but cannot recognize whether the device is active. As a consequence, attempting to - attach an inactive mediated device to a running virtual machine (VM) using virt-manager fails. Similarly, attempting to create a new VM that - uses an inactive mediated device fails with a device not found - error. -

-
-

- To work around this issue, use the virsh nodedev-start or mdevctl start commands to activate the mediated device before using it in - virt-manager. -

-

- (BZ#2026985) -

-
-

RHEL 9 virtual machines fail to boot in POWER8 compatibility mode -

-

- Currently, booting a virtual machine (VM) that runs RHEL 9 as its guest operating system fails - if the VM also uses CPU configuration similar to the following: -

-
-
  <cpu mode="host-model">
-    <model>power8</model>
-  </cpu>
-

- To work around this problem, do not use POWER8 compatibility mode in RHEL 9 VMs. -

-

- In addition, note that running RHEL 9 VMs is not possible on POWER8 hosts. -

-

- (BZ#2035158) -

-
-

Virtual machines sometimes fail to start when using many virtio-blk - disks

-

- Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of - interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to boot, - and displays a dracut-initqueue[392]: Warning: Could not boot - error. -

-
-

- (BZ#1719687) -

-
-

Windows Server 2022 guests in some cases boot very slowly on AMD - Milan

-

- Virtual machines (VMs) that use the Windows Server 2022 guest operating system and the qemu64 CPU model currently take a very long time to boot on hosts - with an AMD EPYC 7003 series processor (also known as AMD Milan). -

-
-

- To work work around the problem, do not use qemu64 as the CPU model, - because it is an unsupported setting for VMs in RHEL 8. For example, use the host-model CPU instead. -

-

- (BZ#2012373) -

-
-

SMT CPU topology is not detected by VMs when using host passthrough mode on - AMD EPYC

-

- When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the - TOPOEXT CPU feature flag is not present. Consequently, the VM is - not able to detect a virtual CPU topology with multiple threads per core. To work around this - problem, boot the VM with the EPYC CPU model instead of host passthrough. -

-
-

- (BZ#1740002) -

-
-

Migrating VMs to a later z-stream versions of RHEL 8.6 sometimes - fails

-

- Attempting to migrate a virtual machine (VM) fails if the destination host uses a RHEL 8.6 - version with the qemu-kvm package version - 6.2.0-11.module+el8.6.0+21121 and later, and the source host uses qemu-kvm version 6.2.0-11.module+el8.6.0+21120 or earlier on RHEL - 8.6. -

-
-

- (JIRA:RHELDOCS-17666) -

-
-
-
-
-
-

10.17. RHEL in cloud environments

-
-
-
-
-

SR-IOV performs suboptimally in ARM 64 RHEL 8 virtual machines on - Azure

-

- Currently, SR-IOV networking devices have significantly lower throughout and higher latency than - expected in ARM 64 RHEL 8 virtual machines (VMs) running on a Microsoft Azure platform. -

-
-

- (BZ#2068429) -

-
-

Setting static IP in a RHEL 8 virtual machine on a VMware host does not - work

-

- Currently, when using RHEL 8 as a guest operating system of a virtual machine (VM) on a VMware - host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then - reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- (BZ#1750862) -

-
-

kdump sometimes does not start on Azure and Hyper-V

-

- On RHEL 8 guest operating systems hosted on the Microsoft Azure or Hyper-V hypervisors, starting - the kdump kernel in some cases fails when post-exec notifiers are - enabled. -

-
-

- To work around this problem, disable crash kexec post notifiers: -

-
# echo N > /sys/module/kernel/parameters/crash_kexec_post_notifiers
-

- (BZ#1865745) -

-
-

The SCSI host address sometimes changes when booting a Hyper-V VM with - multiple guest disks

-

- Currently, when booting a RHEL 8 virtual machine (VM) on the Hyper-V hypervisor, the host - portion of the Host, Bus, Target, Lun (HBTL) SCSI address - in some cases changes. As a consequence, automated tasks set up with the HBTL SCSI - identification or device node in the VM do not work consistently. This occurs if the VM has more - than one disk or if the disks have different sizes. -

-
-

- To work around the problem, modify your kickstart files, using one of the following methods: -

-

- Method 1: Use persistent identifiers for SCSI - devices. -

-

- You can use for example the following powershell script to determine the specific device - identifiers: -

-
# Output what the /dev/disk/by-id/<value> for the specified hyper-v virtual disk.
-# Takes a single parameter which is the virtual disk file.
-# Note: kickstart syntax works with and without the /dev/ prefix.
-param (
-    [Parameter(Mandatory=$true)][string]$virtualdisk
-)
-
-$what = Get-VHD -Path $virtualdisk
-$part = $what.DiskIdentifier.ToLower().split('-')
-
-$p = $part[0]
-$s0 = $p[6] + $p[7] + $p[4] + $p[5] + $p[2] + $p[3] + $p[0] + $p[1]
-
-$p = $part[1]
-$s1 =  $p[2] + $p[3] + $p[0] + $p[1]
-
-[string]::format("/dev/disk/by-id/wwn-0x60022480{0}{1}{2}", $s0, $s1, $part[4])
-

- You can use this script on the hyper-v host, for example as follows: -

-
PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_8.vhdx
-/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_9.vhdx
-/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-

- Afterwards, the disk values can be used in the kickstart file, for example as follows: -

-
part / --fstype=xfs --grow --asprimary --size=8192 --ondisk=/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-part /home --fstype="xfs" --grow --ondisk=/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-

- As these values are specific for each virtual disk, the configuration needs to be done for each VM - instance. It may, therefore, be useful to use the %include syntax to - place the disk information into a separate file. -

-

- Method 2: Set up device selection by size. -

-

- A kickstart file that configures disk selection based on size must include lines similar to the - following: -

-
...
-
-# Disk partitioning information is supplied in a file to kick start
-%include /tmp/disks
-
-...
-
-# Partition information is created during install using the %pre section
-%pre --interpreter /bin/bash --log /tmp/ks_pre.log
-
-	# Dump whole SCSI/IDE disks out sorted from smallest to largest ouputting
-	# just the name
-	disks=(`lsblk -n -o NAME -l -b -x SIZE -d -I 8,3`) || exit 1
-
-	# We are assuming we have 3 disks which will be used
-	# and we will create some variables to represent
-	d0=${disks[0]}
-	d1=${disks[1]}
-	d2=${disks[2]}
-
-	echo "part /home --fstype="xfs" --ondisk=$d2 --grow" >> /tmp/disks
-	echo "part swap --fstype="swap" --ondisk=$d0 --size=4096" >> /tmp/disks
-	echo "part / --fstype="xfs" --ondisk=$d1 --grow" >> /tmp/disks
-	echo "part /boot --fstype="xfs" --ondisk=$d1 --size=1024" >> /tmp/disks
-
-%end
-

- (BZ#1906870) -

-
-

Starting a RHEL 8 virtual machine on AWS using cloud-init takes longer than expected

-

- Currently, initializing an EC2 instance of RHEL 8 using the cloud-init service on Amazon Web Services (AWS) takes an excessive - amount of time. To avoid this problem, remove the /etc/resolv.conf - file from the image you are using for VM creation before uploading the image to AWS. -

-
-

- (BZ#1862930) -

-
-
-
-
-
-

10.18. Supportability

-
-
-
-
-

The getattachment command fails to download - multiple attachments

-

- The getattachment command is able to download only a single - attachment, but fails to download multiple attachments. -

-
-

- As a workaround, you can download multiple attachments one by one by passing the case number and - UUID for each attachment in the getattachment command. -

-

- (BZ#2064575) -

-
-

redhat-support-tool does not work with the - FUTURE crypto policy

-

- Because a cryptographic key used by a certificate on the Customer Portal API does not meet the - requirements by the FUTURE system-wide cryptographic policy, the - redhat-support-tool utility does not work with this policy level at - the moment. -

-
-

- To work around this problem, use the DEFAULT crypto policy while - connecting to the Customer Portal API. -

-

- (BZ#1802026) -

-
-

Timeout when running sos report on IBM Power - Systems, Little Endian

-

- When running the sos report command on IBM Power Systems, Little - Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of - 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the - plugin’s timeout accordingly: -

-
-
-
    -
  • - For one-time setting, run: -
  • -
-
-
# sos report -k processor.timeout=1800
-
-
    -
  • - For a permanent change, edit the [plugin_options] section of - the /etc/sos/sos.conf file: -
  • -
-
-
[plugin_options]
-# Specify any plugin options and their values here. These options take the form
-# plugin_name.option_name = value
-#rpm.rpmva = off
-processor.timeout = 1800
-

- The example value is set to 1800. The particular timeout value highly depends on a specific system. - To set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one - plugin with no timeout by running the following command: -

-
# time sos report -o processor -k processor.timeout=0 --batch --build
-

- (BZ#2011413) -

-
-
-
-
-
-

10.19. Containers

-
-
-
-
-

Running systemd within an older container image does not work

-

- Running systemd within an older container image, for example, centos:7, does not work: -

-
-
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd
- Storing signatures
- Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
- [!!!!!!] Failed to mount API filesystems, freezing.
-

- To work around this problem, use the following commands: -

-
# mkdir /sys/fs/cgroup/systemd
-# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
-# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
-

- (JIRA:RHELPLAN-96940) -

-
-

Container images signed with a Beta GPG key can not be pulled

-

- Currently, when you try to pull RHEL Beta container images, podman - exits with the error message: Error: Source image rejected: None of the signatures were accepted. - The images fail to be pulled due to current builds being configured to not trust the RHEL Beta - GPG keys by default. -

-
-

- As a workaround, ensure that the Red Hat Beta GPG key is stored on your local system and update the - existing trust scope with the podman image trust set command for the - appropriate beta namespace. -

-

- If you do not have the Beta GPG key stored locally, you can pull it by running the following - command: -

-
sudo wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta https://www.redhat.com/security/data/f21541eb.txt
-

- To add the Beta GPG key as trusted to your namespace, use one of the following commands: -

-
$ sudo podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta registry.access.redhat.com/namespace
-

- and -

-
$ sudo podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta registry.redhat.io/namespace
-

- Replace namespace with ubi9-beta or rhel9-beta. -

-

- (BZ#2020301) -

-
-
-
-
-
-
-

Chapter 11. Internationalization

-
-
-
-
-
-
-
-

11.1. Red Hat Enterprise Linux 8 international languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangul -

-
-
-
-
-
-
-
-

11.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • - Internationalization is distributed in multiple packages, which allows for smaller footprint - installations. For more information, see Using - langpacks. -
  • -
  • - A number of glibc locales have been synchronized with Unicode - Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA IDs are listed in this document for reference. Bugzilla bugs that are publicly - accessible include a link to the ticket. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- BZ#2033398, BZ#2016014, BZ#1817505, BZ#1780842 -

-
-

- NetworkManager -

-
-

- BZ#1996617, BZ#2001563, BZ#2079849, BZ#1920398 -

-
-

- SLOF -

-
-

- BZ#1910848 -

-
-

- accel-config -

-
-

- BZ#1843266 -

-
-

- anaconda -

-
-

- BZ#1990145, BZ#2050140, BZ#1914955, BZ#1929105 -

-
-

- ansible-collection-microsoft-sql -

-
-

- BZ#2038256, BZ#2057651 -

-
-

- apr -

-
-

- BZ#1819607 -

-
-

- audit -

-
-

- BZ#1906065, BZ#1939406, BZ#1921658, - BZ#1927884 -

-
-

- authselect -

-
-

- BZ#1892761 -

-
-

- bind9.16 -

-
-

- BZ#1873486 -

-
-

- bind -

-
-

- BZ#2013993 -

-
-

- brltty -

-
-

- BZ#2008197 -

-
-

- certmonger -

-
-

- BZ#1577570 -

-
-

- clevis -

-
-

- BZ#1949289, - BZ#2018292 -

-
-

- cloud-init -

-
-

- BZ#2023940, BZ#2026587, BZ#1750862 -

-
-

- cockpit -

-
-

- BZ#1666722 -

-
-

- coreutils -

-
-

- BZ#2030661 -

-
-

- corosync-qdevice -

-
-

- BZ#1784200 -

-
-

- crash -

-
-

- BZ#1906482 -

-
-

- createrepo_c -

-
-

- BZ#1992209, - BZ#1973588 -

-
-

- crypto-policies -

-
-

- BZ#2020295, BZ#2023734, BZ#2023744, BZ#1919155, BZ#1660839 -

-
-

- cups-container -

-
-

- BZ#1913715 -

-
-

- cups -

-
-

- BZ#2032965 -

-
-

- device-mapper-multipath -

-
-

- BZ#2008101, - BZ#2009624, BZ#2011699 -

-
-

- distribution -

-
-

- BZ#1657927 -

-
-

- dmidecode -

-
-

- BZ#2027665 -

-
-

- dnf-plugins-core -

-
-

- BZ#1868047 -

-
-

- dnf -

-
-

- BZ#1986657 -

-
-

- ec2-images -

-
-

- BZ#1862930 -

-
-

- edk2 -

-
-

- BZ#1741615, BZ#1935497 -

-
-

- fapolicyd -

-
-

- BZ#1939379, BZ#2054741 -

-
-

- fence-agents -

-
-

- BZ#1977588, - BZ#1775847 -

-
-

- fido-device-onboard -

-
-

- BZ#1989930 -

-
-

- firewalld -

-
-

- BZ#1980206, BZ#1871860 -

-
-

- freeradius -

-
-

- BZ#2030173, BZ#1958979 -

-
-

- galera -

-
-

- BZ#2042306 -

-
-

- gcc -

-
-

- BZ#1996862 -

-
-

- gdb -

-
-

- BZ#2012818, BZ#1853140 -

-
-

- glibc -

-
-

- BZ#1934162, BZ#2007327, BZ#2023420, - BZ#1929928, BZ#2000374 -

-
-

- gnome-shell-extensions -

-
-

- BZ#1751336, BZ#1717947 -

-
-

- gnome-software -

-
-

- BZ#1668760 -

-
-

- gnutls -

-
-

- BZ#1628553 -

-
-

- golang -

-
-

- BZ#2014088 -

-
-

- grafana-pcp -

-
-

- BZ#1993149 -

-
-

- grafana -

-
-

- BZ#1993214 -

-
-

- grub2 -

-
-

- BZ#1583445 -

-
-

- hostapd -

-
-

- BZ#2016946 -

-
-

- initscripts -

-
-

- BZ#1875485 -

-
-

- ipa -

-
-

- BZ#1731484, BZ#1924707, BZ#1664719, BZ#1664718 -

-
-

- js-d3-flame-graph -

-
-

- BZ#1993194 -

-
-

- kdump-anaconda-addon -

-
-

- BZ#2086100 -

-
-

- kernel -

-
-

- BZ#1953926, BZ#2068429, BZ#1910885, BZ#2040171, BZ#2022903, BZ#2036863, BZ#1979382, - BZ#1949614, BZ#1983635, BZ#1964761, BZ#2069047, BZ#2054656, BZ#1868526, BZ#1694705, - BZ#1730502, BZ#1609288, BZ#1602962, BZ#1865745, BZ#1906870, BZ#1924016, BZ#1942888, - BZ#1812577, BZ#1910358, BZ#1930576, BZ#2046396, BZ#1793389, BZ#1654962, BZ#1940674, - BZ#1971506, BZ#2022359, BZ#2059262, BZ#1605216, BZ#1519039, BZ#1627455, BZ#1501618, - BZ#1633143, BZ#1814836, BZ#1696451, BZ#1348508, BZ#1837187, BZ#1904496, BZ#1660337, - BZ#1905243, BZ#1878207, BZ#1665295, BZ#1871863, BZ#1569610, BZ#1794513 -

-
-

- kexec-tools -

-
-

- BZ#2004000 -

-
-

- krb5 -

-
-

- BZ#1877991 -

-
-

- libcap -

-
-

- BZ#1950187, BZ#2032813 -

-
-

- libffi -

-
-

- BZ#1875340 -

-
-

- libgnome-keyring -

-
-

- BZ#1607766 -

-
-

- libguestfs -

-
-

- BZ#1554735 -

-
-

- libreswan -

-
-

- BZ#2017352, BZ#1989050 -

-
-

- libseccomp -

-
-

- BZ#2019893 -

-
-

- libselinux-python-2.8-module -

-
-

- BZ#1666328 -

-
-

- libssh -

-
-

- BZ#1896651 -

-
-

- libvirt -

-
-

- BZ#2014369, BZ#1664592, BZ#1332758, - BZ#1528684 -

-
-

- llvm-toolset -

-
-

- BZ#2001133 -

-
-

- log4j-2-module -

-
-

- BZ#1937468 -

-
-

- lsvpd -

-
-

- BZ#1993557 -

-
-

- lvm2 -

-
-

- BZ#1496229, BZ#1768536 -

-
-

- make -

-
-

- BZ#2004246 -

-
-

- mariadb -

-
-

- BZ#1944653, BZ#1942330 -

-
-

- mesa -

-
-

- BZ#1886147 -

-
-

- net-snmp -

-
-

- BZ#1908331 -

-
-

- nfs-utils -

-
-

- BZ#1592011 -

-
-

- nftables -

-
-

- BZ#2047821 -

-
-

- nginx-1.20-module -

-
-

- BZ#1991787 -

-
-

- nispor -

-
-

- BZ#1848817 -

-
-

- nmstate -

-
-

- BZ#2003976, BZ#2004006 -

-
-

- nss_nis -

-
-

- BZ#1803161 -

-
-

- nss -

-
-

- BZ#1817533, - BZ#1645153 -

-
-

- opencryptoki -

-
-

- BZ#1984993 -

-
-

- opencv -

-
-

- BZ#2007780, BZ#1886310 -

-
-

- openmpi -

-
-

- BZ#1866402 -

-
-

- opensc -

-
-

- BZ#1947025 -

-
-

- openscap -

-
-

- BZ#1970529, BZ#2041781 -

-
-

- openssh -

-
-

- BZ#1926103, BZ#2015828, - BZ#2044354 -

-
-

- openssl -

-
-

- BZ#1810911 -

-
-

- osbuild-composer -

-
-

- BZ#1951936, BZ#2056451 -

-
-

- oscap-anaconda-addon -

-
-

- BZ#1834716, BZ#2075508, BZ#1843932, - BZ#1665082 -

-
-

- pacemaker -

-
-

- BZ#1082146, - BZ#1470834, BZ#1376538 -

-
-

- pcp -

-
-

- BZ#1991763, - BZ#1629455 -

-
-

- pcs -

-
-

- BZ#1990784, BZ#1936833, - BZ#1619620, BZ#1847102, BZ#1851335 -

-
-

- pcsc-lite -

-
-

- BZ#1928154, BZ#2014641 -

-
-

- perl -

-
-

- BZ#2021471 -

-
-

- php -

-
-

- BZ#1978356 -

-
-

- pki-core -

-
-

- BZ#1729215, - BZ#1628987 -

-
-

- pmdk-1_fileformat_v6-module -

-
-

- BZ#2009889 -

-
-

- podman -

-
-

- JIRA:RHELPLAN-92741, JIRA:RHELPLAN-108830, JIRA:RHELPLAN-77238 -

-
-

- policycoreutils -

-
-

- BZ#1731501 -

-
-

- postfix -

-
-

- BZ#1711885 -

-
-

- powerpc-utils -

-
-

- BZ#2028690, BZ#2022225 -

-
-

- pykickstart -

-
-

- BZ#1637872 -

-
-

- qemu-kvm -

-
-

- BZ#1982993, BZ#2004416, - BZ#1662007, BZ#2020133, BZ#2012373, BZ#1740002, BZ#1719687, - BZ#1651994 -

-
-

- rear -

-
-

- BZ#2048454, BZ#2049091, BZ#2035939, - BZ#1868421, BZ#2083301 -

-
-

- redhat-support-tool -

-
-

- BZ#2018194, BZ#2018195, - BZ#1767195, BZ#2064575, BZ#1802026 -

-
-

- restore -

-
-

- BZ#1997366 -

-
-

- rhel-system-roles -

-
-

- BZ#1967321, BZ#2040038, BZ#2041627, BZ#2034908, BZ#1979714, BZ#2005727, BZ#2006231, BZ#2021678, BZ#2021683, BZ#2047504, BZ#2040812, BZ#2064388, BZ#2058655, BZ#2058772, BZ#2029605, BZ#2057172, BZ#2049747, - BZ#1854988, BZ#1893743, BZ#1993379, BZ#1993311, BZ#2021661, BZ#2016514, BZ#1985022, BZ#2016511, BZ#2010327, BZ#2012316, BZ#2031521, BZ#2054364, BZ#2054363, BZ#2008931, - BZ#1695634, BZ#1897565, BZ#2054365, BZ#1932678, BZ#2057656, BZ#2022458, BZ#2057645, BZ#2057661, BZ#2021685, BZ#2006081 -

-
-

- rig -

-
-

- BZ#1888705 -

-
-

- rpm-ostree -

-
-

- BZ#2032594 -

-
-

- rpm -

-
-

- BZ#1940895, BZ#1688849 -

-
-

- rsyslog -

-
-

- BZ#1947907, BZ#1679512, - JIRA:RHELPLAN-10431 -

-
-

- rteval -

-
-

- BZ#2012285 -

-
-

- rust-toolset -

-
-

- BZ#2002883 -

-
-

- samba -

-
-

- BZ#2013596, - BZ#2009213, JIRA:RHELPLAN-13195, Jira:RHELDOCS-16612 -

-
-

- scap-security-guide -

-
-

- BZ#1983061, BZ#2053587, BZ#2023569, - BZ#1990736, BZ#2002850, BZ#2000264, BZ#2058033, BZ#2030966, BZ#1884687, BZ#1993826, BZ#1956972, BZ#2014485, BZ#2021802, BZ#2028428, BZ#1858866, BZ#1750755, BZ#2038977 -

-
-

- scap-workbench -

-
-

- BZ#2051890 -

-
-

- selinux-policy -

-
-

- BZ#1860443, - BZ#1461914 -

-
-

- sos -

-
-

- BZ#1873185, BZ#2011413 -

-
-

- spice -

-
-

- BZ#1849563 -

-
-

- sssd -

-
-

- BZ#2015070, BZ#1947671 -

-
-

- strace -

-
-

- BZ#2038992 -

-
-

- subscription-manager -

-
-

- BZ#2000883, BZ#2049441 -

-
-

- texinfo -

-
-

- BZ#2022201 -

-
-

- udica -

-
-

- BZ#1763210 -

-
-

- usbguard -

-
-

- BZ#2000000, BZ#1963271 -

-
-

- vdo -

-
-

- BZ#1949163 -

-
-

- virt-manager -

-
-

- BZ#1995125, BZ#2026985 -

-
-

- wayland -

-
-

- BZ#1673073 -

-
-

- xfsdump -

-
-

- BZ#2020494 -

-
-

- xorg-x11-server -

-
-

- BZ#1698565 -

-
-

- other -

-
-

- BZ#1839151, BZ#1780124, - BZ#2089409, JIRA:RHELPLAN-100359, JIRA:RHELPLAN-103147, JIRA:RHELPLAN-103146, - JIRA:RHELPLAN-79161, BZ#2046325, - JIRA:RHELPLAN-108438, JIRA:RHELPLAN-100175, BZ#2083036, - JIRA:RHELPLAN-102505, BZ#2062117, - JIRA:RHELPLAN-75169, JIRA:RHELPLAN-100174, JIRA:RHELPLAN-101137, - JIRA:RHELPLAN-57941, JIRA:RHELPLAN-101133, JIRA:RHELPLAN-101138, - JIRA:RHELPLAN-95126, JIRA:RHELPLAN-103855, JIRA:RHELPLAN-103579, BZ#2025814, - BZ#2077770, BZ#1777138, BZ#1640697, BZ#1697896, BZ#1971061, - BZ#1959020, BZ#1961722, BZ#1659609, BZ#1687900, - BZ#1757877, BZ#1741436, JIRA:RHELPLAN-59111, JIRA:RHELPLAN-27987, - JIRA:RHELPLAN-34199, JIRA:RHELPLAN-57914, JIRA:RHELPLAN-96940, BZ#1974622, BZ#2020301, - BZ#2028361, BZ#2041997, BZ#2035158, - JIRA:RHELPLAN-109067, JIRA:RHELPLAN-115603, BZ#1690207, JIRA:RHELPLAN-1212, - BZ#1559616, BZ#1889737, - JIRA:RHELPLAN-14047, BZ#1769727, - JIRA:RHELPLAN-27394, JIRA:RHELPLAN-27737, BZ#1906489, - JIRA:RHELPLAN-100039, BZ#1642765, JIRA:RHELPLAN-10304, BZ#1646541, BZ#1647725, BZ#1932222, BZ#1686057, BZ#1748980, - JIRA:RHELPLAN-71200, BZ#1827628, JIRA:RHELPLAN-45858, BZ#1871025, BZ#1871953, - BZ#1874892, BZ#1916296, JIRA:RHELPLAN-100400, BZ#1926114, - BZ#1904251, BZ#2011208, - JIRA:RHELPLAN-59825, BZ#1920624, - JIRA:RHELPLAN-70700, BZ#1929173, - JIRA:RHELPLAN-85066, BZ#2006665, - JIRA:RHELPLAN-98983, BZ#2009113, BZ#1958250, BZ#2038929, BZ#2029338, BZ#2061288, BZ#2060759, - BZ#2055826, BZ#2059626 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.3-4
-
-

- Thu Jul 18 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the text in a Deprecated Functionality RHELDOCS-17573 (Identity management) -
  • -
-
-
-
0.3-3
-
-

- Thu May 16 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.3-2
-
-

- Thu May 9 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.3-1
-
-

- Thu May 9 2024, Gabriela Fialova (gfialova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#1730502 - (Storage). -
  • -
-
-
-
0.2-9
-
-

- Thu February 29 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.2-8
-
-

- Tue February 13 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.2-7
-
-

- Fri November 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.2-6
-
-

- Fri October 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-5
-
-

- Fri September 8 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.2-4
-
-

- Tue September 05 2023, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Fixed an ordered list for known issue BZ#2169382 - (Networking). -
  • -
-
-
-
0.2-3
-
-

- Thu August 24 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2214508 - (Kernel). -
  • -
-
-
-
0.2-2
-
-

- Fri August 4 2023, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.2-1
-
-

- Tue August 1 2023, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added deprecated functionality BZ#2225332. -
  • -
  • - Improved abstract. -
  • -
-
-
-
0.2-0
-
-

- Tue Aug 01 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.1-9
-
-

- Thu Jun 29 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Added a Technology Preview BZ#1570255 (Kernel). -
  • -
-
-
-
0.1-8
-
-

- Fri Jun 16 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2214235 - (Kernel). -
  • -
-
-
-
0.1-7
-
-

- Wed May 10 2023, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2169382 - (Networking). -
  • -
-
-
-
0.1-6
-
-

- Thu Apr 27 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-5
-
-

- Thu Apr 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Fixed 2 broken links in DFs and KIs. -
  • -
-
-
-
0.1-4
-
-

- Thu Mar 2 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Updated a new feature BZ#2089409 - (Kernel). -
  • -
-
-
-
0.1-4
-
-

- Tue Jan 24 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2115791 (RHEL in cloud - environments). -
  • -
-
-
-
0.1-3
-
-

- Thu Dec 08 2022, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2132754 - (Networking). -
  • -
-
-
-
0.1-2
-
-

- Tue Nov 08 2022, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.1-1
-
-

- Wed Sep 07 2022, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added bug fix BZ#2096256 - (Networking). -
  • -
  • - Other minor updates. -
  • -
-
-
-
0.1-0
-
-

- Fri Aug 19 2022, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added bug fix BZ#2108316 - (Identity Management). -
  • -
-
-
-
0.0-9
-
-

- Fri Aug 05 2022, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added known issue BZ#2114981 - (Security). -
  • -
-
-
-
0.0-8
-
-

- Wed Aug 03 2022, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added known issue BZ#2095764 - (Software management). -
  • -
-
-
-
0.0-7
-
-

- Fri Jul 22 2022, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added bug fix BZ#2020494 - (File systems and storage). -
  • -
  • - Added known issue BZ#2054656 - (Virtualization). -
  • -
  • - Other minor updates. -
  • -
-
-
-
0.0-6
-
-

- Mon Jul 11 2022, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added bug fix BZ#2056451 - (Installer and image creation). -
  • -
  • - Added bug fix BZ#2051890 - (Security). -
  • -
  • - Other minor updates. -
  • -
-
-
-
0.0-5
-
-

- Jun 08 2022, Lucie Vařáková (lmanasko@redhat.com) -

-
-
    -
  • - Added new feature BZ#2089409 - (Kernel). -
  • -
-
-
-
0.0-4
-
-

- May 31 2022, Lucie Vařáková (lmanasko@redhat.com) -

-
- -
-
-
0.0-3
-
-

- May 18 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added new feature BZ#2049441 - (The web console). -
  • -
  • - Added known issues BZ#2086100 - (Kernel) and BZ#2020133 - (Virtualization). -
  • -
  • - Other small updates. -
  • -
-
-
-
0.0-2
-
-

- May 16 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Added bug fix BZ#2014369 - (Virtualization). -
  • -
  • - Added known issue BZ#1554735 - (Virtualization). -
  • -
  • - Other small updates. -
  • -
-
-
-
0.0-1
-
-

- May 11 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.6 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Mar 30 2022, Lucie Maňásková (lmanasko@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.6 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
-
diff --git a/app/data/8.7.html b/app/data/8.7.html
deleted file mode 100644
index 1737ed6..0000000
--- a/app/data/8.7.html
+++ /dev/null
@@ -1,21000 +0,0 @@
-
-
-
-
-
Red Hat Enterprise Linux 8.7
-
-

Release Notes for Red Hat Enterprise Linux 8.7

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.7 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
- For information about installing Red Hat Enterprise Linux, see Section 3.1, “Installation”. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your feedback on our documentation. Let us know how we can improve it. -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 8.7

-
-
-
-

Installer and image creation

-

- Following are image builder key highlights in RHEL 8.7-GA: -

-
-
    -
  • -

    - Image builder on-premise now supports: -

    -
    -
      -
    • - Uploading images to GCP -
    • -
    • - Customizing the /boot partition -
    • -
    • - Pushing a container image directly to a registry -
    • -
    • - Users can now customize their blueprints during the image creation process -
    • -
    -
    -
  • -
-
-

- For more information, see Section 4.1, “Installer and image creation”. -

-

Security

-

- The DISA STIG for Red Hat Enterprise Linux 8 profile available in the scap-security-guide (SSG) package is now better aligned with DISA’s - content. This leads to fewer findings against DISA content after SSG remediations. -

-

- The Center for Internet Security (CIS) profiles available in the scap-security-guide (SSG) package are now aligned with CIS Red Hat - Enterprise Linux 8 Benchmark version 2.0.0. This version of the benchmark adds new requirements, - removed requirements that are no longer relevant, and reordered some existing requirements. The - update impacts the references in the relevant rules and the accuracy of the respective profiles. -

-

- Changes in the system configuration and the clevis-luks-systemd - subpackage enable the Clevis encryption client to unlock also LUKS-encrypted volumes that mount late - in the boot process without using the systemctl enable clevis-luks-askpass.path command during the deployment - process. -

-

- See New features - Security - for more information. -

-

Shells and command-line tools

-

- RHEL 8.7 introduces a new package xmlstarlet. With XMLStarlet, you can parse, - transform, query, validate, and edit XML files. -

-

- The following command-line tools have been updated in RHEL 8.7: -

-
-
    -
  • - opencryptoki to version 3.18.0 -
  • -
  • - powerpc-utils to version 1.3.10 -
  • -
  • - libva to version 2.13.0 -
  • -
-
-

- For more information, see New Features - Shells and command-line tools -

-

Infrastructure services

-

- The following infrastructure services tools have been updated in RHEL 8.7: -

-
-
    -
  • - chrony to version 4.2 -
  • -
  • - unbound to version 1.16.2 -
  • -
-
-

- For more information, see New Features - Infrastructure services. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following components are now available as new module streams: -

-
-
    -
  • - Ruby 3.1 -
  • -
  • - Mercurial 6.2 -
  • -
  • - Node.js 18 -
  • -
-
-

- In addition, Redis 6 has been upgraded to - version 6.2.7. -

-

- See New features - Dynamic - programming languages, web and database servers for more information. -

-

Compilers and development tools

-
Updated performance tools and debuggers
-

- The following performance tools and debuggers have been updated in RHEL 8.7: -

-
-
    -
  • - Valgrind 3.19 -
  • -
  • - SystemTap 4.7 -
  • -
  • - Dyninst 12.1.0 -
  • -
  • - elfutils 0.187 -
  • -
-
-
Updated performance monitoring tools
-

- The following performance monitoring tools have been updated in RHEL 8.7: -

-
-
    -
  • - PCP 5.3.7 -
  • -
  • - Grafana 7.5.13 -
  • -
-
-
Updated compiler toolsets
-

- The following compiler toolsets have been updated in RHEL 8.7: -

-
-
    -
  • - GCC Toolset 12 -
  • -
  • - LLVM Toolset 14.0.6 -
  • -
  • - Rust Toolset 1.62 -
  • -
  • - Go Toolset 1.18 -
  • -
-
-

- See New features - Compilers and development tools - for more information. -

-
Java implementations in RHEL 8
-

- The RHEL 8 AppStream repository includes: -

-
-
    -
  • - The java-17-openjdk packages, which provide the OpenJDK 17 Java - Runtime Environment and the OpenJDK 17 Java Software Development Kit. -
  • -
  • - The java-11-openjdk packages, which provide the OpenJDK 11 Java - Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
  • -
  • - The java-1.8.0-openjdk packages, which provide the OpenJDK 8 - Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. -
  • -
-
-

- For more information, see OpenJDK - documentation. -

-
Java tools
-

- RHEL 8.7 introduces Maven 3.8 as a new module - stream. -

-

- For more information, see New features - Compilers and development - tools. information. -

-

Identity Management

-

- Identity Management (IdM) in RHEL 8.7 introduces a Technology Preview where you can delegate user - authentication to external identity providers (IdPs) that support the OAuth 2 Device Authorization - Grant flow. When these users authenticate with SSSD, and after they complete authentication and - authorization at the external IdP, they receive RHEL IdM single sign-on capabilities with Kerberos - tickets. -

-

- For more information, see Technology Previews - Identity Management -

-

Red Hat Enterprise Linux System Roles

-

- Notable new features in 8.7 RHEL System Roles: -

-
-
    -
  • - RHEL System Roles are now available also in playbooks with fact gathering disabled. -
  • -
  • - The ha_cluster role now supports SBD fencing, configuration of - Corosync settings, and configuration of bundle resources. -
  • -
  • - The network role now configures network settings for routing - rules, supports network configuration using the nmstate API, - and users can create connections with IPoIB capability. -
  • -
  • - The microsoft.sql.server role has new variables, such as - variables to control configuring a high availability cluster, to manage firewall ports - automatically, or variables to search for mssql_tls_cert and - mssql_tls_private_key values on managed nodes. -
  • -
  • - The logging role supports various new options, for example - startmsg.regex and endmsg.regex in - files inputs, or template, severity and facility options. -
  • -
  • - The storage role now includes support for thinly provisioned - volumes, and the role now also has less verbosity by default. -
  • -
  • - The sshd role verifies the include directive for the drop-in - directory, and the role can now be managed through /etc/ssh/sshd_config. -
  • -
  • - The metrics role can now export postfix performance data. -
  • -
  • - The postfix role now has a new option for overwriting previous - configuration. -
  • -
  • - The firewall role does not require the state parameter when - configuring masquerade or icmp_block_inversion. In the firewall - role, you can now add, update, or remove services using absent and present states. The role - can also provide Ansible facts, and add or remove an interface to the zone using PCI device - ID. The firewall role has a new option for overwriting previous - configuration. -
  • -
  • - The selinux role now includes setting of seuser and selevel parameters. -
  • -
-
-
-
-
-
-
-

1.2. In-place upgrade and OS conversion

-
-
-
-

In-place upgrade from RHEL 7 to RHEL 8

-

- The possible in-place upgrade paths currently are: -

-
-
    -
  • - From RHEL 7.9 to RHEL 8.4 and RHEL 8.6 on the 64-bit Intel, IBM POWER 8 (little endian), and - IBM Z architectures -
  • -
  • - From RHEL 7.6 to RHEL 8.4 on architectures that require kernel version 4.14: IBM POWER 9 - (little endian) and IBM Z (Structure A). This is the final in-place upgrade path for these - architectures. -
  • -
  • - From RHEL 7.9 to RHEL 8.2 and RHEL 8.6 on systems with SAP HANA on the 64-bit Intel - architecture. -
  • -
-
-

- To ensure your system remains supported after upgrading to RHEL 8.6, either update to the latest - RHEL 8.7 version or ensure that the RHEL 8.6 Extended Update Support (EUS) repositories have been - enabled. -

-

- For more information, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. -

-

- For instructions on performing an in-place upgrade, see Upgrading - from RHEL 7 to RHEL 8. -

-

- For instructions on performing an in-place upgrade on systems with SAP environments, see How to in-place upgrade SAP - environments from RHEL 7 to RHEL 8. -

-
-
Note
-
-

- For the successful in-place upgrade of RHEL 7.6 for IBM POWER 9 (little endian) and IBM Z - (structure A) architectures, you must manually download the specific Leapp data. For more - information, see the Leapp - data snapshots for an in-place upgrade Knowledgebase article. -

-
-
-

- Notable enhancements include: -

-
-
    -
  • - The in-place upgrade of SAP Apps systems is now possible on Microsoft Azure with Red Hat - Update Infrastructure (RHUI). -
  • -
  • - The in-place upgrade is now possible on Google Cloud Platform with Red Hat Update - Infrastructure (RHUI). -
  • -
-
-

In-place upgrade from RHEL 6 to RHEL 8

-

- To upgrade from RHEL 6.10 to RHEL 8, follow instructions in Upgrading - from RHEL 6 to RHEL 8. -

-

In-place upgrade from RHEL 8 to RHEL 9

-

- Instructions on how to perform an in-place upgrade from RHEL 8 to RHEL 9 using the Leapp utility are - provided by the document Upgrading - from RHEL 8 to RHEL 9. Major differences between RHEL 8 and RHEL 9 are documented in Considerations - in adopting RHEL 9. -

-

Conversion from a different Linux - distribution to RHEL

-

- If you are using CentOS Linux 8 or Oracle Linux 8, you can convert your operating system to RHEL 8 - using the Red Hat-supported Convert2RHEL utility. For more - information, see Converting - from an RPM-based Linux distribution to RHEL. -

-

- If you are using an earlier version of CentOS Linux or Oracle Linux, namely versions 6 or 7, you can - convert your operating system to RHEL and then perform an in-place upgrade to RHEL 8. Note that - CentOS Linux 6 and Oracle Linux 6 conversions use the unsupported Convert2RHEL utility. For more information on unsupported conversions, - see How to perform an unsupported - conversion from a RHEL-derived Linux distribution to RHEL. -

-

- For information regarding how Red Hat supports conversions from other Linux distributions to RHEL, - see the Convert2RHEL Support Policy - document. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-
- -
-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.7 is distributed with the kernel version 4.18.0-425, which provides support - for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Installation ISO image is in multiple GB size, and as a result, it might not - fit on optical media formats. A USB key or USB hard drive is recommended when - using the Installation ISO image to create bootable installation media. You can - also use the Image Builder tool to create customized RHEL images. For more - information about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 8 installation document. -

-

- For a list of users and groups created by RPMs in a base RHEL installation, and the steps to obtain - this list, see the What are all - of the users and groups in a base RHEL installation? Knowledgebase article. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of user - space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.7. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

Automatic FCP SCSI LUN scanning support in installer

-

- The installer can now use the automatic LUN scanning when attaching FCP SCSI LUNs on IBM Z - systems. Automatic LUN scanning is available for FCP devices operating in NPIV mode, if it is - not disabled through the zfcp.allow_lun_scan kernel module - parameter. It is enabled by default. It provides access to all SCSI devices found in the storage - area network attached to the FCP device with the specified device bus ID. It is not necessary to - specify WWPN and FCP LUNs anymore and it is sufficient to provide just the FCP device bus ID. -

-
-

- (BZ#1497089) -

-
-

Image builder on-premise now supports the /boot partition customization

-

- Image builder on-premise version now supports building images with custom /boot mount point partition size. You can specify the size of the - /boot mount point partition in the blueprint customization, to - increase the size of the /boot partition in case the default boot - partition size is too small. For example: -

-
-
[[customizations.filesystem]]
-mountpoint = "/boot"
-size = "20 GiB"
-

- (JIRA:RHELPLAN-130379) -

-
-

Image builder on-premise now supports uploading images to GCP

-

- With this enhancement, you can use image builder CLI to build a gce - image, providing credentials for the user or service account that you want to use to upload the - images. As a result, image builder creates the image and then uploads the gce image directly to the GCP environment that you specified. -

-
-

- (BZ#2049492) -

-
-

Image builder on-premise CLI supports pushing a container image directly to - a registry

-

- With this enhancement, you can push RHEL for Edge container images directly to a container - registry after it has been built, using the image builder CLI. To build the container image: -

-
-
-
    -
  1. - Set up an upload provider and optionally, add credentials. -
  2. -
  3. -

    - Build the container image, passing the container registry and the repository to composer-cli as arguments. -

    -

    - After the image is ready, it is available in the container registry you set up. -

    -
  4. -
-
-

- (JIRA:RHELPLAN-130376) -

-
-

Image builder on-premise users now customize their blueprints during the - image creation process

-

- With this update, the Edit Blueprint page - was removed to unify the user experience in the image builder service and in the image builder - app in cockpit-composer. Users can now create their blueprints and - add their customization, such as adding packages, and create users, during the image creation - process. The versioning of blueprints has also been removed so that blueprints only have one - version: the current one. Users have access to older blueprint versions through their already - created images. -

-
-

- (JIRA:RHELPLAN-122735) -

-
-
-
-
-
-

4.2. Shells and command-line tools

-
-
-
-
-

Cronie adds support for a randomized time - within a selected range

-

- The Cronie utility now supports the ~ - (random within range) operator for cronjob execution. As a result, you can start a cronjob on a - randomized time within the selected range. -

-
-

- (BZ#1832510) -

-
-

A new package: xmlstarlet

-

- XMLStarlet is a set of command-line utilities for parsing, transforming, querying, validating, - and editing XML files. The new xmlstarlet package offers a simple - set of shell commands that you can use in a similar way as you use UNIX commands for plain text - files like grep, sed, awk, diff, patch, join and other. -

-
-

- (BZ#1882020) -

-
-

ReaR adds new variables for executing commands before and after - recovery

-

- With this enhancement, ReaR introduces two new variables for easier automation of commands to be - executed before and after recovery: -

-
-
-
    -
  • - PRE_RECOVERY_COMMANDS accepts an array of commands. These - commands will be executed before recovery starts. -
  • -
  • - POST_RECOVERY_COMMANDS accepts an array of commands. These - commands will be executed after recovery finishes. -
  • -
-
-

- These variables are an alternative to PRE_RECOVERY_SCRIPT and POST_RECOVERY_SCRIPT with the following differences: -

-
-
    -
  • - The earlier PRE_RECOVERY_SCRIPT and POST_RECOVERY_SCRIPT variables accept a single shell command. To - pass multiple commands to these variables, you must separate the commands by semicolons. -
  • -
  • - The new PRE_RECOVERY_COMMANDS and POST_RECOVERY_COMMANDS variables accept arrays of commands, and - each element of the array is executed as a separate command. -
  • -
-
-

- As a result, providing multiple commands to be executed in the rescue system before and after - recovery is now easier and less error-prone. -

-

- For more information, see the default.conf file. -

-

- (BZ#2035872) -

-
-

libva rebased to version 2.13.0

-

- The libva library for video acceleration API has been updated to - version 2.13.0. Notable improvements and new features include: -

-
-
-
    -
  • - Two new FourCC video coding formats: X2R10G10B10 and X2B10G10R10 for capturing, processing, and displaying video in - the 10-bit RGB format (excluding Alpha). -
  • -
  • - The VAAPI driver mapping for iris and crocus DRI drivers. -
  • -
  • - The vaSyncBuffer function for output buffers synchronization. -
  • -
  • - The vaCopy interface to copy surface and buffer. -
  • -
  • - The LibVA Protected Content API for digital rights management (DRM) protected video. -
  • -
  • - The 3DLUT Filter in Video Processing, which maps input colors to new output values. -
  • -
-
-

- (BZ#2099907) -

-
-

powerpc-utils rebased to version - 1.3.10

-

- The powerpc-utils package, which provides various utilities for a - PowerPC platform, has been updated to version 1.3.10. Notable improvements include: -

-
-
-
    -
  • - Added the capability to parsing the Power architecture platform reference (PAPR) information - for energy and frequency in the ppc64_cpu tool. -
  • -
  • - Improved the lparstat utility to display enhanced error - messages, when the lparstat -E command fails on max config - systems. The lparstat command reports logical partition-related - information. -
  • -
  • - Fixed reported online memory in legacy format in the lparstat - command. -
  • -
  • - Added support for the acc command for changing the quality of - service credits (QoS) dynamically for the NX GZIP accelerator. -
  • -
  • - Added improvements to format specifiers in printf() and sprintf() calls. -
  • -
  • -

    - The hcnmgr utility, which provides the HMC tools to hybrid - virtual network, includes following enhancements: -

    -
    -
      -
    • - Added the wicked feature to the Hybrid Network - Virtualization HNV FEATURE list. The hcnmgr utility supports wicked hybrid network - virtualization (HNV) to use the wicked functions - for bonding. -
    • -
    • - hcnmgr maintains an hcnid state for later cleanup. -
    • -
    • - hcnmgr excludes NetworkManager (NM) nmcli code. -
    • -
    • - The NM HNV primary slave setting was fixed. -
    • -
    • - hcnmgr supports the virtual Network Interface - Controller (vNIC) as a backup device. -
    • -
    -
    -
  • -
  • - Fixed the invalid hexadecimal numbering system message in bootlist. -
  • -
  • - The -l flag included in kpartx - utility as -p delimiter value in the bootlist command. -
  • -
  • - Fixes added to sslot utility to prevent memory leak when - listing IO slots. -
  • -
  • - Added the DRC type description strings for the latest peripheral component interconnect - express (PCIe) slot types in the lsslot utility. -
  • -
  • - Fixed the invalid config address to RTAS in errinjct tool. -
  • -
  • - Added support for non-volatile memory over fabrics (NVMf) devices in the ofpathname utility. The utility provides a mechanism for - converting a logical device name to an open firmware device path and the other way round. -
  • -
  • - Added fixes to the non-volatile memory (NVMe) support in asymmetric namespace access (ANA) - mode in the ofpathname utility. -
  • -
  • - Installed smt.state file as a configuration file. -
  • -
-
-

- (BZ#2051330) -

-
-

opencryptoki rebased to version - 3.18.0

-

- The opencryptoki package, which is an implementation of the - Public-Key Cryptography Standard (PKCS) #11, has been updated to version 3.18.0. Notable - improvements include: -

-
-
-
    -
  • - Default to Federal Information Processing Standards (FIPS) compliant token data format - (tokversion = 3.12). -
  • -
  • - Added support for restricting usage of mechanisms and keys with a global policy. -
  • -
  • - Added support for statistics counting of mechanism usage. -
  • -
  • - The ICA/EP11 tokens now support libica library version 4. -
  • -
  • - The p11sak tool enables setting different attributes for public - and private keys. -
  • -
  • - The C_GetMechanismList does not return CKR_BUFFER_TOO_SMALL in the EP11 token. -
  • -
-
-

- openCryptoki supports two different token data formats: -

-
-
    -
  • - the earlier data format, which uses non-FIPS-approved algorithms (such as DES and SHA1) -
  • -
  • - the new data format, which uses FIPS-approved algorithms only. -
  • -
-
-

- The earlier data format no longer works because the FIPS provider allows the use of only - FIPS-approved algorithms. -

-
-
Important
-
-

- To make openCryptoki work on RHEL 8, migrate the tokens to use the new data format before - enabling FIPS mode on the system. This is necessary because the earlier data format is still - the default in openCryptoki 3.17. Existing openCryptoki installations that use the earlier token data format - will no longer function when the system is changed to FIPS-enabled. -

-
-
-

- You can migrate the tokens to the new data format by using the pkcstok_migrate utility, which is provided with openCryptoki. Note that pkcstok_migrate uses - non-FIPS-approved algorithms during the migration. Therefore, use this tool before enabling FIPS - mode on the system. For additional information, see Migrating to - FIPS compliance - pkcstok_migrate utility. -

-

- (BZ#2043845) -

-
-

The Redfish modules are now part of the redhat.rhel_mgmt Ansible collection

-

- The redhat.rhel_mgmt Ansible collection now includes the following - modules: -

-
-
-
    -
  • - redfish_info -
  • -
  • - redfish_command -
  • -
  • - redfish_config -
  • -
-
-

- With that, users can benefit from the management automation, by using the Redfish modules to - retrieve server health status, get information about hardware and firmware inventory, perform power - management, change BIOS settings, configure Out-Of-Band (OOB) controllers, configure hardware RAID, - and perform firmware updates. -

-

- (BZ#2112435) -

-
-

sysctl now matches the systemd directory order

-

- The configuration directory order of the sysctl utility is now - synchronized with the systemd-sysctl directory order. The - configuration directory examines and changes kernel parameters at runtime. The configuration - files in /etc/sysctl.d directory have higher priority than - configuration files in /run/sysctl.d, and no more disruptions to - the precedence of files between sysctl and systemd happen. -

-
-

- (BZ#2111915) -

-
-
-
-
-
-

4.3. Infrastructure services

-
-
-
-
-

chrony rebased to version 4.2

-

- The chrony suite has been updated to version 4.2. Notable - enhancements over version 4.1 include: -

-
-
-
    -
  • - The server interleaved mode has been improved to be more reliable and support multiple - clients behind a single address translator (Network Address Translation - NAT). -
  • -
  • - Experimental support for the Network Time Protocol Version 4 (NTPv4) extension field has - been added to improve time synchronization stability and precision of estimated errors. You - can enable this field, which extends the capabilities of the protocol NTPv4, by using the - extfield F323 option. -
  • -
  • - Experimental support for NTP forwarding over the Precision Time Protocol (PTP) has been - added to enable full hardware timestamping on Network Interface Cards (NIC) that have - timestamping limited to PTP packets. You can enable NTP over PTP by using the ptpport 319 directive. -
  • -
-
-

- (BZ#2062356) -

-
-

unbound rebased to version 1.16.2

-

- The unbound component has been updated to version 1.16.2. unbound is a validating, recursive, and caching DNS resolver. Notable - improvements include: -

-
-
-
    -
  • - With the ZONEMD Zone Verification with RFC 8976 support, - recipients can now verify the zone contents for data integrity and origin authenticity. -
  • -
  • - With unbound, you can now configure persistent TCP connections. -
  • -
  • - The SVCB and HTTPS types and handling according to the Service binding and parameter - specification via the DNS draft-ietf-dnsop-svcb-https document - were added. -
  • -
  • - unbound takes the default TLS ciphers from crypto policies. -
  • -
  • - You can use a Special-Use Domain home.arpa. according to the - RFC8375. This domain is designated for non-unique use in - residential home networks. -
  • -
  • - unbound now supports selective enabling of tcp-upstream queries for stub or forward zones. -
  • -
  • - The default of aggressive-nsec option is now yes. -
  • -
  • - The ratelimit logic was updated. -
  • -
  • - You can use a new rpz-signal-nxdomain-ra option for unsetting - the RA flag when a query is blocked by an Unbound response - policy zone (RPZ) nxdomain reply. -
  • -
  • - With the basic support for Extended DNS Errors (EDE) according to the RFC8914, you can benefit from additional error information. -
  • -
-
-

- (BZ#2027735) -

-
-
-
-
-
-

4.4. Security

-
-
-
-
-

NSS no longer support RSA keys shorter than 1023 bits

-

- The update of the Network Security Services (NSS) libraries changes the minimum key size for all - RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following - functions: -

-
-
-
    -
  • - Generate RSA keys shorter than 1023 bits. -
  • -
  • - Sign or verify RSA signatures with RSA keys shorter than 1023 bits. -
  • -
  • - Encrypt or decrypt values with RSA key shorter than 1023 bits. -
  • -
-
-

- (BZ#2097837) -

-
-

SCAP Security Guide rebased to 0.1.63

-

- The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.63. This - version provides various enhancements and bug fixes, most notably: -

-
-
-
    -
  • - New compliance rules for sysctl, grub2, pam_pwquality, and build time - kernel configuration were added. -
  • -
  • - Rules hardening the PAM stack now use authselect as the - configuration tool. Note: With this change the rules hardening the PAM stack will not be - applied if the PAM stack was edited by other means. -
  • -
-
-

- (BZ#2070564) -

-
-

SSG CIS profiles aligned to the CIS RHEL 8 benchmark 2.0.0

-

- The SCAP Security Guide (SSG) now contains changes that align the Center for Internet Security - (CIS) profiles with CIS Red Hat Enterprise Linux 8 Benchmark version 2.0.0. This version of the - benchmark adds new requirements, removed requirements that are no longer relevant, and reordered - some existing requirements. The update impacts the references in the relevant rules and the - accuracy of the respective profiles. -

-
-

- (BZ#2058203) -

-
-

The RHEL 8 STIG profile is now better aligned with the DISA STIG - content

-

- The DISA STIG for Red Hat Enterprise Linux 8 profile (xccdf_org.ssgproject.content_profile_stig) available in the scap-security-guide (SSG) package can be used to evaluate systems - according to the Security Technical Implementation Guides (STIG) by the Defense Information - Systems Agency (DISA). You can remediate your systems by using the content in SSG, but you might - need to evaluate them using DISA STIG automated content. With this update, the DISA STIG RHEL 8 - profile is better aligned with DISA’s content. This leads to fewer findings against DISA content - after SSG remediation. -

-
-

- Note that the evaluations of the following rules still diverge: -

-
-
    -
  • - SV-230264r627750_rule - CCE-80790-9 (ensure_gpgcheck_globally_activated) -
  • -
  • - SV-230349r833388_rule - CCE-82266-8 (configure_bashrc_exec_tmux) -
  • -
  • - SV-230311r833305_rule - CCE-82215-5 (sysctl_kernel_core_pattern) -
  • -
  • - SV-230546r833361_rule - CCE-80953-3 (sysctl_kernel_yama_ptrace_scope) -
  • -
  • - SV-230287r743951_rule - CCE-82424-3 (file_permissions_sshd_private_key) -
  • -
  • - SV-230364r627750_rule - CCE-82472-2 (accounts_password_set_min_life_existing) -
  • -
  • - SV-230343r743981_rule - CCE-86107-0 (account_passwords_pam_faillock_audit) -
  • -
-
-

- (BZ#1967947) -

-
-

SSG rules for mount options no longer fail incorrectly if the /tmp and /var/tmp partitions do not - exist

-

- Previously, the SCAP Security Guide (SSG) rules for mount options of /tmp and /var/tmp partitions were - incorrectly reporting the fail result if such partitions did not - exist on the system. -

-
-

- This enhancement makes those rules not applicable instead of failing. Now, the rules fail only when - the partition exists and the system does not have correct mount options. -

-

- If these mount options are essential for a particular policy, a rule that prescribes the existence - of such partitions should be present in the profile, and that one rule should fail. -

-

- (BZ#2032403) -

-
-

STIG security profile updated to version V1R7

-

- The DISA STIG for Red Hat Enterprise Linux 8 profile in the SCAP - Security Guide has been updated to align with the latest version V1R7. -

-
-

- The profile is more stable and better aligns with the RHEL 8 STIG (Security Technical Implementation - Guide) manual benchmark provided by the Defense Information Systems Agency (DISA). This iteration - brings updates to align the sysctl content to the new STIG. -

-

- You should use only the current version of this profile because older versions are no longer valid. -

-
-
Warning
-
-

- Automatic remediation might render the system non-functional. Run the remediation in a test - environment first. -

-
-
-

- (BZ#2112937) -

-
-

clevis-luks-askpass is now enabled by - default

-

- The /lib/systemd/system-preset/90-default.preset file now contains - the enable clevis-luks-askpass.path configuration option and the - installation of the clevis-systemd sub-package ensures that the - clevis-luks-askpass.path unit file is enabled. This enables the - Clevis encryption client to unlock also LUKS-encrypted volumes that mount late in the boot - process. Before this update, the administrator must use the systemctl enable clevis-luks-askpass.path command to enable Clevis to - unlock such volumes. -

-
-

- (BZ#2107081) -

-
-

Added a maximum size option for Rsyslog error files

-

- Using the new action.errorfile.maxsize option, you can specify a - maximum number of bytes of the error file for the Rsyslog log processing system. When the error - file reaches the specified size, Rsyslog cannot write any additional errors or other data in it. - This prevents the error file from filling up the file system and making the host unusable. -

-
-

- (BZ#1962318) -

-
-

fapolicyd rebased to 1.1.3

-

- The fapolicyd packages have been upgraded to version 1.1.3. Notable - improvements and bug fixes include: -

-
-
-
    -
  • - Rules can now contain the new subject PPID attribute, which matches the parent PID (process - ID) of a subject. -
  • -
  • - The OpenSSL library replaced the Libgcrypt library as a cryptographic engine for hash - computations. -
  • -
  • - The fagenrules --load command now works correctly. -
  • -
-
-

- (BZ#2100087) -

-
-
-
-
-
-

4.5. Networking

-
-
-
-
-

The save speed of large iptables rule sets has - been improved

-

- This enhancement optimizes the iptables-save utility to reduce the - overhead when saving large rule sets. The utility has been improved when reading entries from - the /etc/protocols file, and it no longer searches for extension - shared object files in cases where this is not necessary. As a result, the run time of iptables-save has been significantly improved when you save large - rule sets in environments with high storage access delays. -

-
-

- (BZ#2058444) -

-
-

NetworkManager rebased to version 1.40

-

- The NetworkManager packages have been upgraded to upstream version - 1.40, which provides a number of enhancements and bug fixes over the previous version: -

-
-
-
    -
  • - The device state files in the /run/NetworkManager/devices/ - directory now have new sections, [dhcp4] and [dhcp6], which contain the DHCP options of the current lease. -
  • -
  • - NetworkManager supports setting an IPv6 Maximum Transmission Unit (MTU) in the ipv6.mtu property of connections. -
  • -
  • - NetworkManager uses the nm.debug kernel command line option to - enable debug logging. -
  • -
  • - Carrier detection has been improved. -
  • -
  • - NetworkManager now restarts the DHCP client for a connection if the MAC address changes on a - device. -
  • -
  • - Wifi hotspots now use a stable random channel number unless you select a specific channel. -
  • -
  • - NetworkManager now disables the Wi-Fi Protected Access 3 (WPA3) transition mode if you set - the wifi.key-mgmt property to wpa-psk and the network interface does not support Protected - Management Frames (PMF). The transition mode caused problems in certain setups in this - scenario. To explicitly enable the WPA3 transitioning mode, set wifi.key-mgmt to sae. -
  • -
  • - NetworkManager now shortens an excessively long hostname received from a DHCP server to the - first dot or to 64 characters. -
  • -
-
-

- For further information about notable changes, read the upstream release - notes. -

-

- (BZ#2063109) -

-
-

cloud-init updates network configuration at - every boot on Microsoft Azure

-

- Microsoft Azure does not change the instance ID when an administrator updates the network - interface configuration while a VM is offline. With this enhancement, the cloud-init service always updates the network configuration when the - VM boots to ensure that RHEL on Microsoft Azure uses the latest network settings. -

-
-

- As a consequence, if you manually configure settings on interfaces, such as an additional search - domain, cloud-init may override them when you reboot the VM. For - further details and a workaround, see the cloud-init-22.1-5 updates network config on - every boot solution. -

-

- (BZ#2144898) -

-
-

NetworkManger now stores DHCP lease information in the /run/NetworkManager/devices/ directory

-

- NetworkManager now stores lease information from the DHCP server in the /run/NetworkManager/devices/ directory. Previously, the file-based - API was not available and this information was only visible in the output of the nmcli -f all devices show DEVICE command. With this enhancement, - other utilities and scripts can access DHCP options without calling nmcli. -

-
-

- (BZ#1943153) -

-
-
-
-
-
-

4.6. Kernel

-
-
-
-
-

Kernel version in RHEL 8.7

-

- Red Hat Enterprise Linux 8.7 is distributed with the kernel version 4.18.0-425. -

-
-

- (BZ#2125545) -

-
-

The default mitigation of SSBD and STIBP has been changed

-

- The default mitigation of the spec_store_bypass_disable (SSBD) and spectre_v2_user (STIBP) boot parameters has been changed from the seccomp mode to prctl. With this update, - performance of containers and applications under the control of seccomp improves. -

-
-

- (BZ#2101938) -

-
-

The vmcore dump file generates correctly on - the debug kernel variant

-

- With this update, the kdump mechanism now uses the same version of - the non-debug kernel as the capture kernel when the current kernel is debug variant. By using a - non-debug kernel as the capture kernel, kdump consumes less memory - than the debug variant. As a result, kdump generates the vmcore file correctly and captures the memory contents of the crashed - kernel. -

-
-

- (BZ#2006000) -

-
-

Intel E800 devices now support iWARP and RoCE protocols

-

- With this enhancement, you can now use the enable_iwarp and enable_roce devlink parameters to turn on and off iWARP or RoCE - protocol support. With this mandatory feature, you can configure the device with one of the - protocols. The Intel E800 devices do not support both protocols simultaneously on the same port. -

-
-

- To enable or disable the iWARP protocol for a specific E800 device, first obtain the PCI location of - the card: -

-
$ lspci | awk '/E810/ {print $1}'
-44:00.0
-44:00.1
-$
-

- Then enable, or disable, the protocol. You can use use pci/0000:44:00.0 - for the first port, and pci/0000:44:00.1 for second port of the card as - argument to the devlink command -

-
$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value true cmode runtime
-$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value false cmode runtime
-

- To enable or disable the RoCE protocol for a specific E800 device, obtain the PCI location of the - card as shown above. Then use one of the following commands: -

-
$ devlink dev param set pci/0000:44:00.0 name enable_roce value true cmode runtime
-$ devlink dev param set pci/0000:44:00.0 name enable_roce value false cmode runtime
-

- (BZ#2096127) -

-
-
-
-
-
-

4.7. Boot loader

-
-
-
-
-

GRUB is signed by new keys

-

- Due to security reasons, GRUB is now signed with new keys. As a consequence, if you are using - RHEL on the little-endian variant of IBM POWER with the Secure Boot feature enabled, you must - update the firmware to version FW1010.30 (or later) or FW1020 to be able to boot. -

-
-

- (BZ#2074762) -

-
-

Configurable disk access retries when booting a VM on IBM POWER -

-

- You can now configure how many times the GRUB boot loader retries accessing a remote disk when a - logical partition (lpar) virtual machine (VM) boots on the IBM - POWER architecture. Lowering the number of retries can prevent a slow boot in certain - situations. -

-
-

- Previously, GRUB retried accessing disks 20 times when disk access failed at boot. This caused - problems if you performed a Live Partition Mobility (LPM) migration on an lpar system that connected to slow Storage Area Network (SAN) disks. As a - consequence, the boot might have taken very long on the system until the 20 retries finished. -

-

- With this update, you can now configure and decrease the number of disk access retries using the - ofdisk_retries GRUB option. For details, see Configure disk access retries when booting a - VM on IBM POWER. -

-

- As a result, the lpar boot is no longer slow after LPM on POWER, and - the lpar system boots without the failed disks. -

-

- (BZ#2070347) -

-
-
-
-
-
-

4.8. File systems and storage

-
-
-
-
-

nfsrahead has been added to RHEL 8 -

-

- With the introduction of the nfsrahead tool, you can use it to - modify the readahead value for NFS mounts, and thus affect the NFS - read performance. -

-
-

- (BZ#1946283) -

-
-

rpcctl command now displays SunRPC connection - information

-

- With this update, you can use the rpcctl command to display the - information collected in the SunRPC sysfs files about the system’s - SunRPC objects. You can show, remove, and set objects in the SunRPC network layer through the - sysfs file system. -

-
-

- (BZ#2087187) -

-
-

multipath.conf can now include - protocol-specific configuration overrides in DM Multipath

-

- You can access paths of multipath devices through various protocols. Because various protocols - can have various optimal configurations, it was previously not possible to set the optimal - configuration for all protocols in the Device Mapper Multipath feature without a per-protocol - option. With this enhancement, you can include protocol-specific configuration overrides in the - multipath.conf file. As a result, you can now configure multipath - device paths on a per-protocol basis, allowing for the correct configuration of multipath - devices accessible through multiple protocols. -

-
-

- (BZ#2065477) -

-
-

multipathd now supports detecting FPIN-Li - events

-

- When you add a new value fpin for the marginal_pathgroups config option, you enable multipathd to monitor the Link Integrity Fabric Performance Impact - Notification (PFIN-Li) events and move paths with link integrity issues to a marginal pathgroup. - With the fpin value set, multipathd - overrides its existing marginal path detection methods and relies on the Fibre Channel fabric to - identify link integrity issues. -

-
-

- With this enhancement, the multipathd method becomes more robust in - detecting marginal paths on Fibre Channel fabrics that can issue PFIN-Li events. -

-

- (BZ#2083077) -

-
-
-
-
-
-

4.9. High availability and clusters

-
-
-
-
-

pcs command-line supports updating multipath - SCSI devices without requiring a system restart

-

- You can now update multipath SCSI devices with the pcs stonith update-scsi-devices command. This command updates SCSI - devices without causing a restart of other cluster resources running on the same node. -

-
-

- (BZ#2023845) -

-
-

Support for cluster UUID

-

- During cluster setup, the pcs command now generates a UUID for - every cluster. Since a cluster name is not a unique cluster identifier, you can use the cluster - UUID to identify clusters with the same name when you administer multiple clusters. -

-
-

- You can display the current cluster UUID with the pcs cluster config [show] command. You can add a UUID to an existing - cluster or regenerate a UUID if it already exists by using the pcs cluster config uuid generate command. -

-

- (BZ#1950551) -

-
-

The multiple-active resource parameter now - accepts a value of stop_unexpected

-

- The multiple-active resource parameter determines recovery behavior - when a resource is active on more than one node when it should not be. By default, this - situation requires a full restart of the resource, even if the resource is running successfully - where it should be. With this update, the multiple-active resource - parameter accepts a value of stop_unexpected, which allows you to - specify that only unexpected instances of a multiply-active resource are stopped. It is the - user’s responsibility to verify that the service and its resource agent can function with extra - active instances without requiring a full restart. -

-
-

- (BZ#2036815) -

-
-

New allow-unhealthy-node Pacemaker resource - meta-attribute

-

- Pacemaker now supports the allow-unhealthy-node resource - meta-attribute. When this meta-attribute is set to true, the - resource is not forced off a node due to degraded node health. When health resources have this - attribute set, the cluster can automatically detect if the node’s health recovers and move - resources back to it. -

-
-

- (BZ#2059638) -

-
-

Support for High Availability on Red Hat OpenStack platform

-

- You can now configure a high availability cluster on the Red Hat OpenStack platform. In support - of this feature, Red Hat provides the following new cluster agents: -

-
-
-
    -
  • - fence_openstack: fencing agent for HA clusters on OpenStack -
  • -
  • - openstack-info: resource agent to configure the openstack-info cloned resource, which is required for an HA - cluster on OpenStack -
  • -
  • - openstack-virtual-ip: resource agent to configure a virtual IP - address resource -
  • -
  • - openstack-floating-ip: resource agent to configure a floating - IP address resource -
  • -
  • - openstack-cinder-volume: resource agent to configure a block - storage resource -
  • -
-
-

- (BZ#1182956) -

-
-

Pacemaker now supports specifying Access Control Lists (ACLs) for system - groups

-

- Pacemaker previously allowed ACLs to be specified for individual users, but it is sometimes - simpler and would comform better with local policies to specify ACLs for a system group, and to - have them apply to all users in that group. The pcs acl group - command was present in earlier releases but had no effect. Now, users can now specify ACLs for a - system group using this command. -

-
-

- (BZ#1724310) -

-
-

New pcs stonith config command option to - display the pcs commands that re-create configured fence - devices

-

- The pcs stonith config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured fence devices on a - different system. -

-
-

- (BZ#1909904) -

-
-

New pcs resource config command option to - display the pcs commands that re-create configured - resources

-

- The pcs resource config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured resources on a - different system. -

-
-

- (BZ#1874624) -

-
-
-
-
-
-

4.10. Dynamic programming languages, web and database servers

-
-
-
-
-

The nodejs:18 module stream is now fully - supported

-

- The nodejs:18 module stream, previously available as a Technology - Preview, is fully supported with the release of the RHSA-2022:8833 advisory. The - nodejs:18 module stream now provides Node.js 18.12, which is a Long Term Support (LTS) version. -

-
-

- Node.js 18 included in RHEL 8.7 provides numerous new features together - with bug and security fixes over Node.js 16 available since RHEL 8.5. -

-

- Notable changes include: -

-
-
    -
  • - The V8 engine has been upgraded to version 10.2. -
  • -
  • - The npm package manager has been upgraded to version 8.18.0. -
  • -
  • - Node.js now provides a new experimental fetch API. -
  • -
  • - Node.js now provides a new experimental node:test module, which facilitates the creation of tests that - report results in the Test Anything Protocol (TAP) format. -
  • -
  • - Node.js now prefers IPv6 addresses over IPv4. -
  • -
-
-

- To install the nodejs:18 module stream, use: -

-
# yum module install nodejs:18
-

- If you want to upgrade from the nodejs:16 stream, see Switching - to a later stream. -

-

- (BZ#2083073) -

-
-

nodejs:18 rebased to version 18.14 with npm rebased to version 9 -

-

- Node.js 18.14, released in RHSA-2023:1583, includes a SemVer - major upgrade of npm from version 8 to version 9. This update was - necessary due to maintenance reasons and may require you to adjust your npm configuration. -

-
-

- Notably, auth-related settings that are not scoped to a specific registry are no longer supported. - This change was made for security reasons. If you used unscoped authentication configurations, the - supplied token was sent to every registry listed in the .npmrc file. -

-

- If you use unscoped authentication tokens, generate and supply registry-scoped tokens in your .npmrc file. -

-

- If you have configuration lines using _auth, such as //registry.npmjs.org/:_auth in your .npmrc - files, replace them with //registry.npmjs.org/:_authToken=${NPM_TOKEN} - and supply the scoped token that you generated. -

-

- For a complete list of changes, see the upstream changelog. -

-

- (BZ#2178087) -

-
-

A new module stream: ruby:3.1

-

- RHEL 8.7 introduces Ruby 3.1.2 in a new ruby:3.1 module stream. This version provides a number of performance - improvements, bug and security fixes, and new features over Ruby 3.0 distributed with RHEL 8.5. -

-
-

- Notable enhancements include: -

-
-
    -
  • - The Interactive Ruby (IRB) utility now provides an autocomplete - feature and a documentation dialog -
  • -
  • - A new debug gem, which replaces lib/debug.rb, provides improved performance, and supports remote - debugging and multi-process/multi-thread debugging -
  • -
  • - The error_highlight gem now provides a fine-grained error - location in the backtrace -
  • -
  • - Values in the hash literal data types and keyword arguments can now be omitted -
  • -
  • - The pin operator (^) now accepts an expression in pattern - matching -
  • -
  • - Parentheses can now be omitted in one-line pattern matching -
  • -
  • - YJIT, a new experimental in-process Just-in-Time (JIT) compiler, is now available on the AMD - and Intel 64-bit architectures -
  • -
  • - The TypeProf For IDE utility has been introduced, which is an - experimental static type analysis tool for Ruby code in IDEs -
  • -
-
-

- The following performance improvements have been implemented in Method Based Just-in-Time Compiler - (MJIT): -

-
-
    -
  • - For workloads like Rails, the default maximum JIT cache value - has increased from 100 to 10000 -
  • -
  • - Code compiled using JIT is no longer canceled when a TracePoint - for class events is enabled -
  • -
-
-

- Other notable changes include: -

-
-
    -
  • - The tracer.rb file has been removed -
  • -
  • - Since version 4.0, the Psych YAML parser uses the safe_load method by default -
  • -
-
-

- To install the ruby:3.1 module stream, use: -

-
# yum module install ruby:3.1
-

- If you want to upgrade from an earlier ruby module stream, see Switching - to a later stream. -

-

- (BZ#2063772) -

-
-

A new module stream: mercurial:6.2 -

-

- RHEL 8.7 adds Mercurial 6.2 as a new module stream. This version - provides a number of bug fixes, enhancements, and performance improvements over Mercurial 4.8 available since RHEL 8.0. -

-
-

- Notable changes include: -

-
-
    -
  • - Mercurial 6.2 supports Python 3.6 - or later -
  • -
  • - Mercurial no longer supports Python 2 -
  • -
  • - The hg purge and hg clean commands - now provide a new -i option, which enables you to delete - ignored files instead of untracked files -
  • -
  • - The hg diff and hg extdiff - commands now support the --from <revision> and --to <revision> arguments -
  • -
  • - A new internal merge utility, internal:mergediff, is now - available -
  • -
  • - The Zstandard (ZSTD) compression is now used by default for new repositories when available -
  • -
  • - A new way of specifying required extensions is now available that prevents Mercurial from starting if the required extensions are not found -
  • -
-
-

- In addition, a new mercurial-chg utility is available, which provides a - C wrapper for the hg command. When you use the chg command, a Mercurial command server - background process is created, a C program connects to that background process and executes Mercurial commands. As a result, the performance is significantly - increased. -

-

- To install the mercurial:6.2 module stream, use: -

-
# yum module install mercurial:6.2
-

- If you want to upgrade from the mercurial:4.8 stream, see Switching - to a later stream. -

-

- (BZ#2089849) -

-
-

mariadb-java-client rebased to version - 2.7.1

-

- The mariadb-java-client package, which provides a MariaDB connector for applications developed in Java, has been - updated to version 2.7.1. -

-
-

- This update introduces the following changes in services: -

-
-
    -
  • - Client authentication plug-ins are now defined as services. As a result, you can easily add - new client authentication plug-ins. The driver includes the caching_sha2_password and sha256_password plug-ins for compatibility with MySQL. -
  • -
  • - Credential plug-ins are now permitted to provide credential information. The driver includes - three default plug-ins: AWS IAM, Environment, and Property. -
  • -
  • - The SSL factory service now enables you to use custom SSL implementation. For example, you - can create a new HostnameVerifier implementation. -
  • -
-
-

- Other notable changes include: -

-
-
    -
  • - The enabledSslProtocolSuites option now includes TLSv1.2 by - default. -
  • -
-
-

- (BZ#2043212) -

-
-

redis rebased to version 6.2.7

-

- Redis 6, which is an advanced key-value store provided the redis:6 module stream, has been updated to version 6.2.7. This update - provides bug fixes, security fixes, and improvements over version 6.0 available since RHEL 8.4. -

-
-

- (BZ#1999873) -

-
-

A new default for the LimitRequestBody - directive in httpd configuration

-

- To fix CVE-2022-29404, the default - value for the LimitRequestBody directive in the Apache HTTP Server - has been changed from 0 (unlimited) to 1 GiB. -

-
-

- On systems where the value of LimitRequestBody is not explicitly - specified in an httpd configuration file, updating the httpd package sets LimitRequestBody to the - default value of 1 GiB. As a consequence, if the total size of the HTTP request body exceeds this 1 - GiB default limit, httpd returns the 413 Request Entity Too Large error code. -

-

- If the new default allowed size of an HTTP request message body is insufficient for your use case, - update your httpd configuration files within the respective context - (server, per-directory, per-file, or per-location) and set your preferred limit in bytes. For - example, to set a new 2 GiB limit, use: -

-
LimitRequestBody 2147483648
-

- Systems already configured to use any explicit value for the LimitRequestBody directive are unaffected by this change. -

-

- (BZ#2128016) -

-
-
-
-
-
-

4.11. Compilers and development tools

-
-
-
-
-

New GCC Toolset 12

-

- GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is - available as an Application Stream in the form of a Software Collection in the AppStream repository. -

-
-

- The GCC compiler has been updated to version 12.1.1, which provides many bug fixes and enhancements - that are available in upstream GCC. -

-

- The following tools and versions are provided by GCC Toolset 12: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 12.1.1 -

-
-

- GDB -

-
-

- 11.2 -

-
-

- binutils -

-
-

- 2.35 -

-
-

- dwz -

-
-

- 0.14 -

-
-

- annobin -

-
-

- 10.76 -

-
-
-

- To install GCC Toolset 12, run the following command as root: -

-
# yum install gcc-toolset-12
-

- To run a tool from GCC Toolset 12: -

-
$ scl enable gcc-toolset-12 tool
-

- To run a shell session where tool versions from GCC Toolset 12 override system versions of these - tools: -

-
$ scl enable gcc-toolset-12 bash
-

- For more information, see Using - GCC Toolset. -

-

- (BZ#2077276) -

-
-

GCC Toolset 12: Annobin rebased to version 10.76

-

- In GCC Toolset 12, the Annobin package has been updated to version 10.76. -

-
-

- Notable bug fixes and enhancements include: -

-
-
    -
  • - A new command line option for annocheck tells it to avoid using the debuginfod service, if it is unable to find debug information in - another way. Using debuginfod provides annocheck with more - information, but it can also cause significant slow downs in annocheck’s performance if the - debuginfod server is unavailable. -
  • -
  • - The Annobin sources can now be built using meson and ninja rather than configure and make if desired. -
  • -
  • - Annocheck now supports binaries built by the Rust 1.18 compiler. -
  • -
-
-

- Additionally, the following known issue has been reported in the GCC Toolset 12 version of Annobin: -

-

- Under some circumstances it is possible for a compilation to fail with an error message that looks - similar to the following: -

-
cc1: fatal error: inaccessible plugin file
-opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin/gcc-annobin.so
-expanded from short plugin name gcc-annobin: No such file or directory
-

- To work around the problem, create a symbolic link in the plugin directory from annobin.so to gcc-annobin.so: -

-
# cd /opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin
-# ln -s annobin.so gcc-annobin.so
-

- Where architecture is replaced with the architecture being - used: -

-
-
    -
  • - aarch64 -
  • -
  • - i686 -
  • -
  • - ppc64le -
  • -
  • - s390x -
  • -
  • - x86_64 -
  • -
-
-

- (BZ#2077447) -

-
-

GCC Toolset 12: binutils rebased to version - 2.38

-

- In GCC Toolset 12, the binutils package has been updated to version - 2.38. -

-
-

- Notable bug fixes and enhancements include: -

-
-
    -
  • - All tools in the binutils package now support options to - display or warn about the presence of multibyte characters. -
  • -
  • - The readelf and objdump tools now - automatically follow any links to separate debuginfo files by - default. This behavior can be disabled by using the --debug-dump=no-follow-links option for readelf or the --dwarf=no-follow-links option for objdump. -
  • -
-
-

- (BZ#2077448) -

-
-

GCC 12 and later supports _FORTIFY_SOURCE - level 3

-

- With this enhancement, users can build applications with -D_FORTIFY_SOURCE=3 in the compiler command line when building with - GCC version 12 or later. _FORTIFY_SOURCE level 3 improves coverage - of source code fortification, thus improving security for applications built with -D_FORTIFY_SOURCE=3 in the compiler command line. This is supported - in GCC versions 12 and later and Clang versions 9.0 and later with the __builtin_dynamic_object_size builtin. -

-
-

- (BZ#2033684) -

-
-

DNS stub resolver option now supports no-aaaa - option

-

- With this enhancement, glibc now recognizes the no-aaaa stub resolver option in /etc/resolv.conf and the RES_OPTIONS - environment variable. When this option is active, no AAAA queries will be sent over the network. - System administrators can disable AAAA DNS lookups for diagnostic purposes, such as ruling out - that the superfluous lookups on IPv4-only networks do not contribute to DNS issues. -

-
-

- (BZ#2096189) -

-
-

Added support for IBM Z Series z16 in glibc

-

- The support is now available for the s390 instruction set with the - IBM z16 platform in glibc. IBM z16 provides two additional hardware capabilities that are HWCAP_S390_VXRS_PDE2 and HWCAP_S390_NNPA. As a result, applications can now use these - capabilities to deliver optimized libraries and functions. -

-
-

- (BZ#2077835) -

-
-

New make-latest package

-

- This enhancement introduces the make-latest package which includes - the latest version of the make utility. Previously, we provided the - latest make version through GCC Toolset. Now, you can separately - install the make-latest package and run the latest version with - scl enable make43 /bin/bash (in case the make43 version is the latest). -

-
-

- (BZ#2083419) -

-
-

GCC Toolset 12: GDB rebased to version 11.2

-

- In GCC Toolset 12, the GDB package has been updated to version 11.2. -

-
-

- Notable bug fixes and enhancements include: -

-
-
    -
  • - New support for Aarch64 MTE. See new commands with the memory-tag prefix. -
  • -
  • -

    - --qualified option for -break-insert and -dprintf-insert. This option looks for an exact match of the - user’s event location instead of searching in all scopes. -

    -

    - For example, break --qualified foo - will look for a symbol named foo in the global - scope. Without --qualified, GDB will search all scopes for - a symbol with that name. -

    -
  • -
  • - --force-condition: Any supplied condition is defined even if it - is currently invalid. -
  • -
  • - -break-condition --force: Likewise for the MI command. -
  • -
  • - -file-list-exec-source-files accepts optional REGEXP to limit output. -
  • -
  • -

    - .gdbinit search path includes the config directory. The - order is: -

    -
    -
      -
    1. - $XDG_CONFIG_HOME/gdb/gdbinit -
    2. -
    3. - $HOME/.config/gdb/gdbinit -
    4. -
    5. - $HOME/.gdbinit -
    6. -
    -
    -
  • -
  • - Support for ~/.config/gdb/gdbearlyinit or ~/.gdbearlyinit. -
  • -
  • - -eix and -eiex early - initialization file options. -
  • -
-
-

- Terminal user interface (TUI): -

-
-
    -
  • - Support for mouse actions inside terminal user interface (TUI) windows. -
  • -
  • - Key combinations that do not act on the focused window are now passed to GDB. -
  • -
-
-

- New commands: -

-
-
    -
  • - show print memory-tag-violations -
  • -
  • - set print memory-tag-violations -
  • -
  • - memory-tag show-logical-tag -
  • -
  • - memory-tag with-logical-tag -
  • -
  • - memory-tag show-allocation-tag -
  • -
  • - memory-tag check -
  • -
  • - show startup-quietly and set startup-quietly: A way to specify -q or -quiet in GDB scripts. Only - valid in early initialization files. -
  • -
  • - show print type hex and set print type hex: Tells GDB to print sizes or offsets for - structure members in hexadecimal instead of decimal. -
  • -
  • - show python ignore-environment and set python ignore-environment: If enabled, GDB’s Python - interpreter ignores Python environment variables, much like passing -E to the Python executable. Only valid in early initialization - files. -
  • -
  • - show python dont-write-bytecode and set python dont-write-bytecode: If off, these commands suppress GDB’s Python interpreter from - writing bytecode compiled objects of imported modules, much like passing -B to the Python executable. Only valid in early initialization - files. -
  • -
-
-

- Changed commands: -

-
-
    -
  • - break LOCATION if CONDITION: - If CONDITION is invalid, GDB refuses to set a - breakpoint. The -force-condition option overrides this. -
  • -
  • - CONDITION -force N COND: - Same as the previous command. -
  • -
  • - inferior [ID]: When ID is omitted, this command prints - information about the current inferior. Otherwise, unchanged. -
  • -
  • - ptype[/FLAGS] TYPE | EXPRESSION: - Use the /x flag to use hexadecimal notation when printing sizes - and offsets of struct members. Use the /d flag to do the same - but using decimal. -
  • -
  • - info sources: Output has been restructured. -
  • -
-
-

- Python API: -

-
-
    -
  • - Inferior objects contain a read-only connection_num attribute. -
  • -
  • - New gdb.Frame.level() method. -
  • -
  • - New gdb.PendingFrame.level() method. -
  • -
  • - gdb.BreakpoiontEvent emitted instead of gdb.Stop. -
  • -
-
-

- (BZ#2077492) -

-
-

libpfm now supports AMD Zen 2 and Zen 3 - processors

-

- With this enhancement, users now can access the AMD Zen 2 and Zen 3 performance monitoring - hardware using libpfm. -

-
-

- (BZ#2067218) -

-
-

papi now supports AMD Zen 2 and Zen 3 - processors

-

- With this enhancement, users now can access the AMD Zen 2 and Zen 3 performance monitoring - hardware using papi. -

-
-

- (BZ#2071558) -

-
-

Improved hardware identification for ARM processors

-

- With this enhancement, the papi_avail utility now correctly reports - the vendor string and code information for various ARM vendors. This utility allows the PAPI_get_hardware_info() function to identify processors manufactured - by companies other than ARM limited to the aarch64 architecture. As a result, developers can tune the code for - the required architecture. -

-
-

- (BZ#2037427) -

-
-

Updated Fujitsu A64FX event mappings

-

- The PAPI library has been updated for Fujitsu A64FX processors. - Users can now use additional presets in the output of papi_avail - that can be used to analyze program performance. -

-
-

- These include the IDL event presets: -

-
-
-
PAPI_BRU_IDL
-
- Branch unit idle -
-
PAPI_FXU_IDL
-
- Integer unit idle -
-
PAPI_FPU_IDL
-
- Floating point unit idle -
-
PAPI_LSU_IDL
-
- Load store unit idle -
-
-
-

- (BZ#2037417) -

-
-

The dyninst packaged rebased to version - 12.1

-

- The dyninst package has been rebased to version 12.1. Notable bug - fixes and enhancements include: -

-
-
-
    -
  • - Initial support for glibc-2.35 multiple namespaces. -
  • -
  • - Concurrency fixes for DWARF parallel parsing. -
  • -
  • - Better support for the CUDA and CDNA2 GPU binaries. -
  • -
  • - Better support for IBM POWER Systems (little endian) register access. -
  • -
  • - Better support for PIE binaries. -
  • -
  • - Corrected parsing for catch blocks. -
  • -
  • - Corrected access to 64-bit ARM (aarch64) floating point - registers. -
  • -
-
-

- (BZ#2057676) -

-
-

The systemtap package rebased to version - 4.7

-

- The systemtap package has been rebased to version 4.7. Notable bug - fixes and enhancements include: -

-
-
-
    -
  • - A new --sign-module option to manually sign modules with a MOK - key, for use on SecureBoot systems. -
  • -
  • - A new stap-profile-annotate tool to produce system-wide - profiles of annotated source code. -
  • -
  • - A new general Python tapset for probing function entry and return. -
  • -
  • - Extended $foo$ - processing for kernel-space probes for strings that may be in user-space. -
  • -
  • - Extended the regular-expression language for non-capturing groups. -
  • -
  • - Added tapset support for several recently added kernel system calls. -
  • -
-
-

- (BZ#2057565) -

-
-

Rust Toolset rebased to version 1.62.1

-

- Rust Toolset has been updated to version 1.62.1. Notable changes include: -

-
-
-
    -
  • - Destructuring assignment allows patterns to assign to existing variables in the left-hand - side of an assignment. For example, a tuple assignment can swap to variables: (a, b) = (b, a); -
  • -
  • - Inline assembly is now supported on 64-bit x86 and 64-bit ARM using the core::arch::asm! macro. See more details in the Inline assembly chapter of the reference, /usr/share/doc/rust/html/reference/inline-assembly.html (online - at https://doc.rust-lang.org/reference/inline-assembly.html). -
  • -
  • - Enums can now derive the Default trait with an explicitly - annotated #[default] variant. -
  • -
  • - Mutex, CondVar, and RwLock now use a custom futex-based - implementation rather than pthreads, with new optimizations made possible by Rust language - guarantees. -
  • -
  • - Rust now supports custom exit codes from main, including - user-defined types that implement the newly-stabilized Termination trait. -
  • -
  • - Cargo supports more control over dependency features. The dep: - prefix can refer to an optional dependency without exposing that as a feature, and a ? only enables a dependency feature if that dependency is enabled - elsewhere, like package-name?/feature-name. -
  • -
  • - Cargo has a new cargo add subcommand for adding dependencies to - Cargo.toml. -
  • -
  • -

    - For more details, please see the series of upstream release announcements: -

    - -
  • -
-
-

- (BZ#2075344) -

-
-

LLVM Toolset rebased to version 14.0.6

-

- LLVM Toolset has been rebased to version 14.0.6. Notable changes include: -

-
-
-
    -
  • - On 64-bit x86, support for AVX512-FP16 instructions has been - added. -
  • -
  • - Support for the Armv9-A, Armv9.1-A and Armv9.2-A architectures has been added. -
  • -
  • - On PowerPC, added the __ibm128 type to represent IBM - double-double format, also available as __attribute__((mode(IF))). -
  • -
-
-

- clang changes: -

-
-
    -
  • - if consteval for C++2b is now - implemented. -
  • -
  • - On 64-bit x86, support for AVX512-FP16 instructions has been - added. -
  • -
  • - Completed support of OpenCL C 3.0 and C++ for OpenCL 2021 at - experimental state. -
  • -
  • - The -E -P preprocessor output now always omits blank lines, - matching GCC behavior. Previously, up to 8 consecutive blank lines could appear in the - output. -
  • -
  • - Support -Wdeclaration-after-statement with C99 and later standards, and not just C89, matching GCC’s - behavior. A notable use case is supporting style guides that forbid mixing declarations and - code, but want to move to newer C standards. -
  • -
-
-

- For more information, see the LLVM Toolset and Clang upstream - release notes. -

-

- (BZ#2061042) -

-
-

Go Toolset rebased to version 1.18.2

-

- Go Toolset has been rebased to version 1.18.2. -

-
-

- Notable changes include: -

-
-
    -
  • - The introduction of generics while maintaining backwards compatibility with earlier versions - of Go. -
  • -
  • - A new fuzzing library. -
  • -
  • - New debug/buildinfo and net/netip packages. -
  • -
  • - The go get tool no longer builds or installs packages. Now, it - only handles dependencies in go.mod. -
  • -
  • - If the main module’s go.mod file specifies go 1.17 or higher, the go mod download command used without any additional arguments - only downloads source code for the explicitly required modules in the main module’s go.mod file. To also download source code for transitive - dependencies, use the go mod download all command. -
  • -
  • - The go mod vendor subcommand now supports a -o option to set the output directory. -
  • -
  • - The go mod tidy command now retains additional checksums in the - go.sum file for modules whose source code is required to verify - that only one module in the build list provides each imported package. This change is not - conditioned on the Go version in the main module’s go.mod file. -
  • -
-
-

- (BZ#2075162) -

-
-

The LLVM gold plugin is now available on the - IBM Z architecture

-

- With this enhancement, users can create LTO builds with clang and - ld.bfd on the IBM Z (s390x) - architecture. The s390x architecture now supports linking with - ld.bfd and LTO. -

-
-

- (BZ#2088315) -

-
-

A new module stream: maven:3.8

-

- RHEL 8.7 introduces Maven 3.8 as a new module stream. -

-
-

- To install the maven:3.8 module stream, use: -

-
# yum module install maven:3.8
-

- If you want to upgrade from the maven:3.6 stream, see Switching - to a later stream. -

-

- (BZ#2083114, BZ#2064785, BZ#2088473) -

-
-

.NET version 7.0 is available

-

- Red Hat Enterprise Linux 8.7 is distributed with .NET version 7.0. Notable improvements - include: -

-
-
-
    -
  • - Support for IBM Power (ppc64le) -
  • -
-
-

- For more information, see Release - Notes for .NET 7.0 RPM packages and Release - Notes for .NET 7.0 containers. -

-

- (BZ#2112096) -

-
-
-
-
-
-

4.12. Identity Management

-
-
-
-
-

SSSD now supports memory caching for SID requests

-

- With this enhancement, SSSD now supports memory caching for SID requests, which are GID and UID - lookups by SID and vice versa. Memory caching results in improved performance, for example, when - copying large amounts of files to or from a Samba server. -

-
-

- (JIRA:RHELPLAN-123369) -

-
-

IdM now supports configuring an AD Trust with Windows Server 2022 -

-

- With this enhancement, you can establish a cross-forest trust between Identity Management (IdM) - domains and Active Directory forests that use Domain Controllers running Windows Server 2022. -

-
-

- (BZ#2122716) -

-
-

IdM now supports a limit on the number of LDAP binds allowed after a user - password has expired

-

- With this enhancement, you can set the number of LDAP binds allowed when the password of an - Identity Management (IdM) user has expired: -

-
-
-
-
-1
-
- IdM grants the user unlimited LDAP binds before the user must reset the password. This is - the default value, which matches the previous behavior. -
-
0
-
- This value disables all LDAP binds once a password is expired. In effect, the users must - reset their password immediately. -
-
1-MAXINT
-
- The value entered allows exactly that many binds post-expiration. -
-
-
-

- The value can be set in the global password policy and in group policies. -

-

- Note that the count is stored per server. -

-

- In order for a user to reset their own password they need to bind with their current, expired - password. If the user has exhausted all post-expiration binds, then the password must be - administratively reset. -

-

- (BZ#782917) -

-
-

IdM now indicates whether a given name is a user or a group in a trusted AD - domain during a name search

-

- With this update, new getorigbyusername() and getorigbygroupname() calls are added to libsss_nss_idmap, a utility library for SID-based lookups. This - addition makes user and group lookup more robust when Identity Management (IdM) is in a trust - with an Active Directory (AD) domain. When performing a user or group lookup, IdM can now - display whether the given name belongs to a user or a group in the trusted domain. -

-
-

- (BZ#2062379) -

-
-

New ipasmartcard_server and ipasmartcard_client roles

-

- With this update, the ansible-freeipa package provides Ansible - roles to configure Identity Management (IdM) servers and clients for smart card authentication. - The ipasmartcard_server and ipasmartcard_client roles replace the ipa-advise scripts to automate and simplify the integration. The same - inventory and naming scheme are used as in the other ansible-freeipa roles. -

-
-

- (BZ#2076554) -

-
-

samba rebased to version 4.16.1

-

- The samba packages have been upgraded to upstream version 4.16.1, - which provides bug fixes and enhancements over the previous version: -

-
-
-
    -
  • - By default, the smbd process automatically starts the new samba-dcerpcd process on demand to serve Distributed Computing - Environment / Remote Procedure Calls (DCERPC). Note that Samba 4.16 and later always - requires samba-dcerpcd to use DCERPC. If you disable the rpc start on demand helpers setting in the [global] section in the /etc/samba/smb.conf file, you must create a systemd service unit to run samba-dcerpcd in standalone mode. -
  • -
  • -

    - The Cluster Trivial Database (CTDB) recovery master role - has been renamed to leader. As a result, the following - ctdb sub-commands have been renamed: -

    -
    -
      -
    • - recmaster to leader -
    • -
    • - setrecmasterrole to setleaderrole -
    • -
    -
    -
  • -
  • - The CTDB recovery lock configuration has been renamed to cluster lock. -
  • -
  • - CTDB now uses leader broadcasts and an associated timeout to determine if an election is - required. -
  • -
-
-

- Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will - be removed in a future release. -

-

- Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba - automatically updates its tdb database files. Note that Red Hat does - not support downgrading tdb database files. -

-

- After updating Samba, verify the /etc/samba/smb.conf file using the - testparm utility. -

-

- For further information about notable changes, read the upstream release notes before - updating. -

-

- (BZ#2077468) -

-
-

SSSD now supports direct integration with Windows Server 2022

-

- With this enhancement, you can use SSSD to directly integrate your RHEL system with Active - Directory forests that use Domain Controllers running Windows Server 2022. -

-
-

- (BZ#2070793) -

-
-

Directory Server now supports canceling the Auto Membership plug-in - task.

-

- Previously, the Auto Membership plug-in task could generate high CPU usage on the server if - Directory Server has complex configuration (large groups, complex rules and interaction with - other plugins). With this enhancement, you can cancel the Auto Membership plug-in task. As a - result, performance issues no longer occur. -

-
-

- (BZ#2052528) -

-
-

Directory Server now supports recursive delete operations when using ldapdelete

-

- With this enhancement, Directory Server now supports the Tree Delete Control [1.2.840.113556.1.4.805] OpenLDAP control. As a - result, you can use the ldapdelete utility to recursively delete - subentries of a parent entry. -

-
-

- (BZ#2057063) -

-
-

You can now set basic replication options during the Directory Server - installation

-

- With this enhancement, you can configure basic replication options like authentication - credentials and changelog trimming during an instance installation using an .inf file. -

-
-

- (BZ#2057066) -

-
-

Replication changelog trimming is now enabled by default in Directory - Server

-

- Previously, Directory Server was not configured to automatically trim the replication changelog file by default. Consequently, the changelog file could become very large. With this update, Directory - Server is configured by default to trim changelog entries that are older than seven days, - preventing excessive growth of the changelog file. -

-
-

- (BZ#2062679) -

-
-

pki packages renamed to idm-pki

-

- The following pki packages are now renamed to idm-pki to better distinguish between IDM packages and Red Hat - Certificate System ones: -

-
-
-
    -
  • - idm-pki-symkey -
  • -
  • - idm-pki-tools -
  • -
  • - idm-pki-symkey-debuginfo -
  • -
  • - idm-pki-tools-debuginfo -
  • -
  • - idm-pki-acme -
  • -
  • - idm-pki-base -
  • -
  • - idm-pki-base-java -
  • -
  • - idm-pki-ca -
  • -
  • - idm-pki-kra -
  • -
  • - idm-pki-server -
  • -
  • - python3-idm-pki -
  • -
-
-

- pki-core stays unchanged (this also includes pki-core-debuginfo and pki-core-debugsource). -

-

- (BZ#2139821) -

-
-
-
-
-
-

4.13. Graphics infrastructures

-
-
-
-
-

Vulkan packages are available on 64-bit IBM POWER

-

- Packages that provide support for the Vulkan 3D graphics API are now available on the - little-endian 64-bit IBM POWER architecture (ppc64le): -

-
-
-
    -
  • - vulkan-headers -
  • -
  • - vulkan-loader -
  • -
  • - vulkan-loader-devel -
  • -
  • - vulkan-tools -
  • -
-
-

- With these packages, you can run software that uses a Vulkan rendering engine. -

-

- Previously, these packages were only available on the AMD64 and Intel 64 architecture. -

-

- (BZ#2012639) -

-
-

Support for new AMD GPUs

-

- This release adds support for several AMD Radeon RX 6000 Series GPUs and integrated graphics of - the AMD Ryzen 6000 Series CPUs. -

-
-

- The following AMD Radeon RX 6000 Series GPU models are now supported: -

-
-
    -
  • - AMD Radeon RX 6400 -
  • -
  • - AMD Radeon RX 6500 XT -
  • -
  • - AMD Radeon RX 6300M -
  • -
  • - AMD Radeon RX 6500M -
  • -
-
-

- AMD Ryzen 6000 Series includes integrated GPUs found with the following CPU models: -

-
-
    -
  • - AMD Ryzen 5 6600U -
  • -
  • - AMD Ryzen 5 6600H -
  • -
  • - AMD Ryzen 5 6600HS -
  • -
  • - AMD Ryzen 7 6800U -
  • -
  • - AMD Ryzen 7 6800H -
  • -
  • - AMD Ryzen 7 6800HS -
  • -
  • - AMD Ryzen 9 6900HS -
  • -
  • - AMD Ryzen 9 6900HX -
  • -
  • - AMD Ryzen 9 6980HS -
  • -
  • - AMD Ryzen 9 6980HX -
  • -
-
-

- (JIRA:RHELPLAN-135602) -

-
-

The force_probe option is no longer required with 12th Gen Intel Core - GPUs

-

- Prior to this release, you had to set the i915.alpha_support=1 or - i915.force_probe=* kernel option to enable support for the 12th Gen - Intel Core GPUs, formerly known as Alder Lake-S and Alder Lake-P. -

-
-

- With this release, you no longer have to set the option, and full support for these GPUs is enabled - by default. -

-

- (JIRA:RHELPLAN-136150) -

-
-
-
-
-
-

4.14. The web console

-
-
-
-
-

RHEL web console now features RHEL as an option for the Download an OS VM workflow

-

- With this enhancement, the RHEL web console now supports the installation of RHEL virtual - machines (VMs) using the default Download an OS workflow. As a - result, you can download and install the RHEL OS as a VM directly within the web console. -

-
-

- (JIRA:RHELPLAN-121982) -

-
-

A new button in RHEL web console for installing kernel patches - separately

-

- With this update, the RHEL web console provides the Install - kpatch updates button. You can use it to install only kernel patches - without the necessity to install other updates and reboot your system. -

-
-

- (JIRA:RHELPLAN-121981) -

-
-

The diagnostics reports page now offers new functionalities

-

- In the updated web console diagnostics report (sos report) page you - now can: -

-
-
-
    -
  • - label the report -
  • -
  • - encrypt the report with a passphrase -
  • -
  • - conceal private data within the report -
  • -
-
-

- Additionally, you can see a list of previously generated reports and download or delete them. -

-

- (JIRA:RHELPLAN-121983) -

-
-

Crypto policies setup from the web console UI

-

- With this update, you can change different cryptographic policy levels directly from the RHEL - web console user interface (UI). You can access your cryptographic policy configuration options - from the Configuration field in the Overview page of your UI. -

-
-

- Note that you must have the administrative access active to be able to change the settings. -

-

- (JIRA:RHELPLAN-121980) -

-
-

Update progress page in the web console now supports an automatic restart - option

-

- The update progress page now has a Reboot after - completion switch. This reboots the system automatically after - installing the updates. -

-
-

- (BZ#2056786) -

-
-
-
-
-
-

4.15. Red Hat Enterprise Linux system roles

-
-
-
-
-

The ha_cluster RHEL system role now supports - SBD fencing and configuration of Corosync settings

-

- The ha_cluster system role now supports the following features: -

-
-
-
-
SBD fencing
-
- Fencing is a crucial part of HA cluster configuration. SBD provides a means for nodes to - reliably self-terminate when fencing is required. SBD fencing can be particularly useful in - environments where traditional fencing mechanisms are not possible. It is now possible to - configure SBD fencing with the ha_cluster system role. -
-
Corosync settings
-
- The ha_cluster system role now supports the configuration of - Corosync settings, such as transport, compression, encryption, links, totem, and quorum. - These settings are required to match cluster configuration with customers' needs and - environment when the default settings are not suitable. -
-
-
-

- (BZ#2065339, BZ#2066868) -

-
-

Users can create connections with IPoIB capability using the network RHEL system role

-

- The infiniband connection type of the network RHEL system role now supports the Internet Protocol over - Infiniband (IPoIB) capability. To enable this feature, define a value to the p_key option of infiniband. Note that if - you specify p_key, the interface_name - option of the network_connections variable must be left unset. The - previous implementation of the network RHEL system role did not - properly validate the p_key value and the interface_name option for the infiniband - connection type. Therefore, the IPoIB functionality never worked before. For more information, - see a README file in the /usr/share/doc/rhel-system-roles/network/ - directory. -

-
-

- (BZ#2086869) -

-
-

The network RHEL system role now configures - network settings for routing rules

-

- Previously, you could route the packet based on the destination address field in the packet, but - you could not define the source routing and other policy routing rules. With this enhancement, - network RHEL system role supports routing rules so that the users - have control over the packet transmission or route selection. -

-
-

- (BZ#1996731) -

-
-

The Networking system role now uses the Ansible managed comment in its managed configuration - files

-

- When using the initscripts provider, the Networking system role now - generates commented ifcfg files in the /etc/sysconfig/network-scripts directory. The Networking role inserts - the Ansible managed comment using the Ansible standard ansible_managed variable. The comment declares that an ifcfg file is managed by Ansible, and indicates that the ifcfg file should not be edited directly as the Networking role will - overwrite the file. The Ansible managed comment is added when the - provider is initscripts. When using the Networking role with the - nm (NetworkManager) provider, the ifcfg file is managed by NetworkManager and not by the Networking - role. -

-
-

- (BZ#2065670) -

-
-

The new previous:replaced configuration - enables firewall system role to reset the firewall settings to - default

-

- System administrators who manage different sets of machines, where each machine has different - pre-existing firewall settings, can now use the previous: replaced - configuration in the firewall role to ensure that all machines have - the same firewall configuration settings. The previous: replaced - configuration can erase all the existing firewall settings and replace them with consistent - settings. -

-
-

- (BZ#2043009) -

-
-

Enhanced Microsoft SQL Server RHEL system role

-

- The following new variables are now available for the microsoft.sql.server RHEL system role: -

-
-
-
    -
  • - Variables with the mssql_ha_ prefix to control configuring a - high availability cluster. -
  • -
  • - The mssql_tls_remote_src variable to search for mssql_tls_cert and mssql_tls_private_key values on managed nodes. If you keep the - default false setting, the role searches for these files on the - control node. -
  • -
  • - The mssql_manage_firewall variable to manage firewall ports - automatically. If this variable is set to false, you must - enable firewall ports manually. -
  • -
  • - The mssql_pre_input_sql_file and mssql_post_input_sql_file variables to control whether you want - to run the SQL scripts before the role execution or after it. These new variables replace - the former mssql_input_sql_file variable, which did not allow - you to influence the time of SQL script execution. -
  • -
-
-

- (BZ#2066338, BZ#2120713, BZ#2039990, BZ#2120714) -

-
-

The logging RHEL system role supports options - startmsg.regex and endmsg.regex in - files inputs

-

- With this enhancement, you can now filter log messages coming from files by using regular - expressions. Options startmsg_regex and endmsg_regex are now included in the files’ input. The startmsg_regex represents the regular expression that matches the - start part of a message, and the endmsg_regex represents the - regular expression that matches the last part of a message. As a result, you can now filter - messages based upon properties such as date-time, priority, and severity. -

-
-

- (BZ#2112143) -

-
-

Support for thinly provisioned volumes is available in the storage RHEL system role

-

- The storage RHEL system role can now create and manage thinly - provisioned LVM logical volumes. Thin provisioned LVs are allocated as they are written, - allowing better flexibility when creating volumes as physical storage provided for thin - provisioned LVs can be increased later as the need arises. LVM thin provisioning also allows - creating more efficient snapshots because the data blocks common to a thin LV and any of its - snapshots are shared. -

-
-

- (BZ#2066876) -

-
-

The logging RHEL system role now supports - template, severity and facility options

-

- The logging RHEL system role now features new useful severity and facility options to the - files inputs as well as a new template option to the files and - forwards outputs. Use the template option to specify the - traditional time format by using the parameter traditional, the - syslog protocol 23 format by using the parameter syslog, and the - modern style format by using the parameter modern. As a result, you - can now use the logging role to filter by the severity and facility - as well as to specify the output format by template. -

-
-

- (BZ#2075116) -

-
-

RHEL system roles now available also in playbooks with fact gathering - disabled

-

- Ansible fact gathering might be disabled in your environment for performance or other reasons. - Previously, it was not possible to use RHEL system roles in such configurations. With this - update, the system detects the ANSIBLE_GATHERING=explicit parameter - in your configuration and gather_facts: false parameter in your - playbooks, and use the setup: module to gather only the facts - required by the given role, if not available from the fact cache. -

-
-
-
Note
-
-

- If you have disabled Ansible fact gathering due to performance, you can enable Ansible fact - caching instead, which does not cause a performance hit of retrieving them from source. -

-
-
-

- (BZ#2079008) -

-
-

The sshd RHEL system role verifies the include - directive for the drop-in directory

-

- The sshd RHEL system role on RHEL 9 manages only a file in the - drop-in directory, but previously did not verify that the directory is included from the main - sshd_config file. With this update, the role verifies that sshd_config contains the include directive for the drop-in directory. - As a result, the role more reliably applies the provided configuration. -

-
-

- (BZ#2086934) -

-
-

The sshd RHEL system role can be managed - through /etc/ssh/sshd_config

-

- The sshd RHEL system role applied to a RHEL 9 managed node places - the SSHD configuration in a drop-in directory (/etc/ssh/sshd_config.d/00-ansible_system_role.conf by default). - Previously, any changes to the /etc/ssh/sshd_config file overwrote - the default values in 00-ansible_system_role.conf. With this - update, you can manage SSHD by using /etc/ssh/sshd_config instead - of 00-ansible_system_role.conf while preserving the system default - values in 00-ansible_system_role.conf. -

-
-

- (BZ#2086935) -

-
-

The firewall RHEL system role does not require - the state parameter when configuring masquerade or icmp_block_inversion

-

- When configuring custom firewall zones, variables masquerade and - icmp_block_inversion are boolean settings. A value of true implies state: present and a value - of false implies state: absent. - Therefore, the state parameter is not required when configuring - masquerade or icmp_block_inversion. -

-
-

- (BZ#2093437) -

-
-

The metrics role can export postfix performance data

-

- You can now use the new metrics_from_postfix boolean variable in - the metrics role for recording and detailed performance analysis. - With this enhancement, setting the variable enables the pmdapostfix - metrics agent on the system, making statistics about postfix - available. -

-
-

- (BZ#2079114) -

-
-

The storage system role now has less verbosity - by default

-

- The storage role output is now less verbose by default. With this - update, users can increase the verbosity of the storage role output - to only produce debugging output if they are using Ansible verbosity level 1 or above. -

-
-

- (BZ#2056480) -

-
-

The metrics system role now generates files - with the proper ansible_managed comment in the header -

-

- Previously, the metrics role did not add an ansible_managed header comment to files generated by the role. With - this fix, the metrics role adds the ansible_managed header comment to files it generates, and as a - result, users can easily identify files generated by the metrics - role. -

-
-

- (BZ#2065215) -

-
-

The postfix system role now generates files - with the proper ansible_managed comment in the header -

-

- Previously, the postfix role did not add an ansible_managed header comment to files generated by the role. With - this fix, the postfix role adds the ansible_managed header comment to files it generates, and as a - result, users can easily identify files generated by the postfix - role. -

-
-

- (BZ#2065216) -

-
-

New option in the postfix RHEL system role for - overwriting previous configuration

-

- If you manage a group of systems which have inconsistent postfix - configurations, you may want to make the configuration consistent on all of them. With this - enhancement, you can specify the previous: replaced option within - the postfix_conf dictionary to remove any existing configuration - and apply the desired configuration on top of a clean postfix - installation. As a result, you can erase any existing postfix - configuration and ensure consistency on all the systems being managed. -

-
-

- (BZ#2065218) -

-
-

You can now add, update, or remove services using absent and present states in the - firewall RHEL system role

-

- With this enhancement, you can use the present state to add ports, - modules, protocols, services, and destination addresses, or use the absent state to remove them. Note that to use the absent and present states in the firewall RHEL system role, set the permanent option to true. With the permanent option set to true, the state - settings apply until changed, and remain unaffected by role reloads. -

-
-

- (BZ#2100297) -

-
-

The firewall system role can add or remove an - interface to the zone using PCI device ID

-

- Using the PCI device ID, the firewall system role can now assign or - remove a network interface to or from a zone. Previously, if only the PCI device ID was known - instead of the interface name, users had to first identify the corresponding interface name to - use the firewall system role. With this update, the firewall system role can now use the PCI device ID to manage a - network interface in a zone. -

-
-

- (BZ#2100939) -

-
-

The network RHEL system role supports network - configuration using the nmstate API

-

- With this update, the network RHEL system role supports network - configuration through the nmstate API. Users can now directly apply - the configuration of the required network state to a network interface instead of creating - connection profiles. The feature also allows partial configuration of a network. As a result, - the following benefits exist: -

-
-
-
    -
  • - decreased network configuration complexity -
  • -
  • - reliable way to apply the network state changes -
  • -
  • - no need to track the entire network configuration -
  • -
-
-

- (BZ#2100979) -

-
-

New cockpit system role variable for setting a - custom listening port

-

- The cockpit system role introduces the cockpit_port variable that allows you to set a custom listening port - other than the default 9090 port. Note that if you decide to set a custom listening port, you - will also need to adjust your SELinux policy to allow the web console to listen on that port. -

-
-

- (BZ#2115159) -

-
-

The firewall RHEL system role can provide - Ansible facts

-

- With this enhancement, you can now gather the firewall RHEL system - role’s Ansible facts from all of your systems by including the firewall: variable in the playbook with no arguments. To gather a - more detailed version of the Ansible facts, use the detailed: true - argument, for example: -

-
-
vars:
-  firewall:
-    detailed: true
-

- (BZ#2115160) -

-
-

Added setting of seuser and selevel to the selinux RHEL system - role

-

- Sometimes, it is necessary to set seuser and selevel parameters when setting SELinux context file system mappings. - With this update, you can use the seuser and selevel optional arguments in selinux_fcontext to specify SELinux user and level in the SELinux - context file system mappings. -

-
-

- (BZ#2115162) -

-
-
-
-
-
-

4.16. Virtualization

-
-
-
-
-

ap-check is now available in RHEL 8 -

-

- The mdevctl tool now provides a new ap-check support utility. You can use mdevctl to persistently configure cryptographic adapters and domains - that are allowed for pass-through usage into virtual machines as well as the matrix and vfio-ap devices. With mdevctl, you do not have to reconfigure these adapters, domains, and - devices after every IPL. In addition, mdevctl prevents the - distributor from inventing other ways to reconfigure them. -

-
-

- When invoking mdevctl commands for vfio-ap - devices, the new ap-check support utility is invoked as part of the - mdevctl command to perform additional validity checks against vfio-ap device configurations. -

-

- In addition, the chzdev tool now provides the ability to manage the - system-wide Adjunct Processor (AP) mask settings, which determine what AP resources are available - for vfio-ap devices. When used, chzdev - makes it possible to persist these settings by generating an associated udev rule. Using lszdev, you can can now - also query the system-wide AP mask settings. -

-

- (BZ#1660911) -

-
-

Selected VMs on IBM Z can now boot with kernel command lines longer than - 896 bytes

-

- Previously, booting a virtual machine (VM) on a RHEL 8 IBM Z host always failed if the kernel - command line of the VM was longer than 896 bytes. With this update, the QEMU emulator can handle - kernel command lines longer than 896 bytes. As a result, you can now use QEMU direct kernel boot - for VMs with very long kernel command lines, if the VM kernel supports it. Specifically, to use - a command line longer than 896 bytes, the VM must use Linux kernel version 5.16-rc1 or later. -

-
-

- (BZ#2043830) -

-
-

VM memory preallocation using multiple threads

-

- You can now define multiple CPU threads for virtual machine (VM) memory allocation in the domain - XML configuration, for example as follows: -

-
-
<memoryBacking>
-  <allocation threads='8'/>
-</memoryBacking>
-

- This ensures that more than one thread is used for allocating memory pages when starting a VM. As a - result, VMs with multiple allocation threads configured start significantly faster, especially if - the VMs has large amounts of RAM assigned and backed by hugepages. -

-

- (BZ#2067126) -

-
-

ESXi hypervisor and SEV-ES is now fully supported

-

- You can now enable the AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES) to secure - RHEL virtual machines (VMs) on VMware’s ESXi hypervisor, versions 7.0.2 and later. This feature - was previously introduced in RHEL 8.4 as a Technology Preview. It is now fully supported. -

-
-

- (BZ#1904496) -

-
-

Secure Execution on IBM Z now supports remote attestation

-

- The Secure Execution feature on the IBM Z architecture now supports remote attestation. The - pvattest utility can create a remote attestation request to verify - the integrity of a virtual machine (VM) that has Secure Execution enabled. -

-
-

- Additionally, the Guest Interruption State Area (GISA) mechanism has now been enabled for Secure - Execution VMs, which allows interrupts to be delivered directly into the VM by completely bypassing - the host operating system. -

-

- (JIRA:RHELPLAN-98420, BZ#1984905, BZ#2043870) -

-
-
-
-
-
-

4.17. RHEL in cloud environments

-
-
-
-
-

RHEL virtual machines are now supported on the Ampere Altra - architecture

-

- With this update, running a RHEL operating system is now supported on Azure Virtual Machines - with processors based on the Ampere® Altra® architecture. -

-
-

- (JIRA:RHELPLAN-121252) -

-
-

open-vm-tools rebased to 12.0.5

-

- The open-vm-tools packages have been upgraded to version 12.0.5, - which introduces a number of bug fixes and new features. Most notably, support has been added - for the Salt Minion tool to be managed through guest OS variables. -

-
-

- (BZ#2061193) -

-
-

New SSH module for cloud-init

-

- With this update, an SSH module has been added to the cloud-init - utility, which automatically generates host keys during instance creation. -

-
-

- Note that with this change, the default cloud-init configuration has - been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg - contains "ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" line. -

-

- Otherwise, cloud-init creates an image which fails to start the sshd service. If this occurs, do the following to work around the - problem: -

-
-
    -
  1. -

    - Make sure the /etc/cloud/cloud.cfg file contains the - following line: -

    -
    ssh_genkeytypes:  ['rsa', 'ecdsa', 'ed25519']
    -
  2. -
  3. - Check whether /etc/ssh/ssh_host_* files exist in the instance. -
  4. -
  5. -

    - If the /etc/ssh/ssh_host_* files do not exist, use the - following command to generate host keys: -

    -
    cloud-init single --name cc_ssh
    -
  6. -
  7. -

    - Restart the sshd service: -

    -
    systemctl restart sshd
    -
  8. -
-
-

- (BZ#2115791) -

-
-
-
-
-
-

4.18. Containers

-
-
-
-
-

The Container Tools packages have been updated

-

- The Container Tools packages which contain the Podman, Buildah, Skopeo, crun, and runc tools are - now available. This update provides a list of bug fixes and enhancements over the previous - version. -

-
-

- Notable changes include: -

-
-
    -
  • - The podman pod create command now supports setting the CPU and - memory limits. You can set a limit for all containers in the pod, while individual - containers within the pod can have their own limits. -
  • -
  • - The podman pod clone command creates a copy of an existing pod. -
  • -
  • - The podman play kube command now supports the security context - settings using the BlockDevice and CharDevice volumes. -
  • -
  • - Pods created by the podman play kube can now be managed by - systemd unit files using a podman-kube@<service>.service - (for example systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service). -
  • -
  • - The podman push and podman push manifest commands now support the sigstore - signatures. -
  • -
  • - The Podman networks can now be isolated by using the podman network --opt isolate command. -
  • -
-
-

- Podman has been upgraded to version 4.2, for further information about notable changes, see the upstream - release notes. -

-

- (JIRA:RHELPLAN-118463) -

-
-

GitLab Runner is now available on RHEL using Podman

-

- Beginning with GitLab Runner 15.1, you can use Podman as the container runtime in the GitLab - Runner Docker Executor. For more details, see GitLab’s Release Note. -

-
-

- (JIRA:RHELPLAN-100037) -

-
-

Podman now supports the --health-on-failure - option

-

- The podman run and podman create - commands now support the --health-on-failure option to determine - the actions to be performed when the status of a container becomes unhealthy. -

-
-

- The --health-on-failure option supports four actions: -

-
-
    -
  • - none: Take no action, this is the default action. -
  • -
  • - kill: Kill the container. -
  • -
  • - restart: Restart the container. -
  • -
  • - stop: Stop the container. -
  • -
-
-
-
Note
-
-

- Do not combine the restart action with the --restart option. When running inside of a systemd unit, consider - using the kill or stop action - instead to make use of systemd’s restart policy. -

-
-
-

- (BZ#2097708) -

-
-

Netavark network stack is now available

-

- The new network stack available starting with Podman 4.0 consists of two tools, the Netavark - network setup tool and the Aardvark DNS server. In RHEL 8, the Netavark stack, previously - available as a Technology Preview, is now fully supported. -

-
-

- This network stack has the following capabilities: -

-
-
    -
  • - Configuration of container networks using the JSON configuration file -
  • -
  • - Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces -
  • -
  • - Configuring firewall settings, such as network address translation (NAT) and port mapping - rules -
  • -
  • - IPv4 and IPv6 -
  • -
  • - Improved capability for containers in multiple networks -
  • -
  • - Container DNS resolution using the aardvark-dns project -
  • -
-
-
-
Note
-
-

- You have to use the same version of Netavark stack and the Aardvark authoritative DNS - server. -

-
-
-

- (JIRA:RHELPLAN-100039) -

-
-
-
-
-
-
-

Chapter 5. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel shipped - with Red Hat Enterprise Linux 8.7. These changes could include for example added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any - noticeable behavior changes. -

-

New kernel parameters

-
-
-
idxd.tc_override = [HW]
-
-

- With this parameter in the <bool> format you can allow - override of default traffic class configuration for the device. -

-

- The default value is set to false (0). -

-
-
kvm.eager_page_split = [KVM,X86]
-
-

- With this parameter you can control whether or not a KVM proactively splits all huge pages - during dirty logging. Eager page splitting reduces interruptions to vCPU execution by - eliminating the write-protection faults and Memory Management Unit (MMU) lock contention - that is otherwise required to split huge pages lazily. -

-

- VM workloads that rarely perform writes or that write only to a small region of VM memory - can benefit from disabling eager page splitting to allow huge pages to still be used for - reads. -

-

- The behavior of eager page splitting depends on whether the KVM_DIRTY_LOG_INITIALLY_SET option is enabled or disabled. -

-
-
    -
  • - If disabled, all huge pages in a memslot are eagerly - split when dirty logging is enabled on that memslot. -
  • -
  • -

    - If enabled, eager page splitting is performed during the KVM_CLEAR_DIRTY ioctl() - system call, and only for the pages being cleared. -

    -

    - Eager page splitting currently only supports splitting huge pages mapped by the - two dimensional paging (TDP) MMU. -

    -

    - The default value is set to Y (on). -

    -
  • -
-
-
-
kvm.nx_huge_pages_recovery_period_ms = [KVM]
-
-

- With this parameter you can control the time period at which KVM zaps 4 KiB pages back to - huge pages. -

-
-
    -
  • - If the value is a non-zero N, KVM zaps a portion of the - pages every N milliseconds. -
  • -
  • -

    - If the value is 0, KVM picks a period based on the - ratio, such that a page is zapped after 1 hour on average. -

    -

    - The default value is set to 0. -

    -
  • -
-
-
-
mmio_stale_data = [X86,INTEL]
-
-

- With this parameter you can control mitigation for the Processor Memory-mapped I/O (MMIO) - Stale Data vulnerabilities. -

-

- Processor MMIO Stale Data is a class of vulnerabilities that can expose data after an MMIO - operation. Exposed data could originate or end in the same CPU buffers as affected by - metadata server (MDS) and Transactional Asynchronous Abort (TAA). Therefore, similar to MDS - and TAA, the mitigation is to clear the affected CPU buffers. -

-

- The available options are: -

-
-
    -
  • - full: enable mitigation on vulnerable CPUs -
  • -
  • - full,nosmt: enable mitigation and disable SMT on - vulnerable CPUs. -
  • -
  • -

    - off: unconditionally disable mitigation -

    -

    - On MDS or TAA affected machines, mmio_stale_data=off can be prevented by an active MDS - or TAA mitigation as these vulnerabilities are mitigated with the same - mechanism. Thus, in order to disable this mitigation, you need to specify mds=off and tsx_async_abort=off, too. -

    -

    - Not specifying this option is equivalent to mmio_stale_data=full. -

    -

    - For more information, see Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst. -

    -
  • -
-
-
-
rcutree.rcu_delay_page_cache_fill_msec = [KNL]
-
- With this parameter you can set the page-cache refill delay in milliseconds in response to - low-memory conditions. The range of permitted values is 0:100000. -
-
rcuscale.kfree_rcu_test_double = [KNL]
-
- With this parameter you can test the double-argument variant of the kfree_rcu() function. If this parameter has the same value as rcuscale.kfree_rcu_test_single, both the single- and double-argument - variants are tested. -
-
rcuscale.kfree_rcu_test_single = [KNL]
-
- With this parameter you can test the single-argument variant of the kfree_rcu() function. If this parameter has the same value as rcuscale.kfree_rcu_test_double, both the single- and double-argument - variants are tested. -
-
retbleed = [X86]
-
-

- With this parameter you can control mitigation of Arbitrary Speculative Code Execution with - Return Instructions (RETBleed) vulnerability. The available options are: -

-
-
    -
  • - off: no mitigation -
  • -
  • - auto: automatically select a migitation -
  • -
  • - auto,nosmt: automatically select a mitigation, - disabling SMT if necessary for the full mitigation (only on Zen1 and older without - STIBP). -
  • -
  • - ibpb: mitigate short speculation windows on basic block - boundaries too. Safe, highest performance impact. -
  • -
  • - unret: force enable untrained return thunks, only - effective on AMD f15h-f17h based systems. -
  • -
  • -

    - unret,nosmt: like the unret option, will disable SMT when STIBP is not - available. -

    -

    - Selecting the auto option chooses a mitigation - method at run time according to the CPU. -

    -

    - Not specifying this option is equivalent to retbleed=auto. -

    -
  • -
-
-
-
s390_iommu_aperture = [KNL,S390]
-
-

- With this parameter you can specify the size of the per device DMA address space accessible - through the DMA and IOMMU APIs as a decimal factor of the size of main memory. -

-
-
    -
  • - The default value is set to 1 which means that you can - concurrently use as many DMA addresses as physical memory is installed, if supported - by hardware, and thus map all of memory at once. -
  • -
  • - With a value of 2 you can map all of memory twice. -
  • -
  • - The value of 0 imposes no restrictions other than those - given by hardware at the cost of significant additional memory use for tables. -
  • -
-
-
-
-
-

Updated kernel parameters

-
-
-
acpi_sleep = [HW,ACPI]
-
-

- Format: { s3_bios, s3_mode, s3_beep, s4_hwsig, s4_nohwsig, old_ordering, nonvs, - sci_force_enable, nobl } -

-
-
    -
  • - For more information on s3_bios and s3_mode, see Documentation/power/video.rst. -
  • -
  • - s3_beep is for debugging; it makes the PC’s speaker - beep as soon as the kernel real-mode entry point is called. -
  • -
  • - s4_hwsig causes the kernel to check the ACPI hardware - signature during resume from hibernation, and gracefully refuse to resume if it has - changed. The default behavior is to allow resume and simply warn when the signature - changes, unless the s4_hwsig option is enabled. -
  • -
  • - s4_nohwsig prevents ACPI hardware signature from being - used, or even warned about, during resume. old_ordering - causes the ACPI 1.0 ordering of the _PTS control - method, with respect to putting devices into low power states, to be enforced. The - ACPI 2.0 ordering of _PTS is used by default. -
  • -
  • - nonvs prevents the kernel from saving and restoring the - ACPI NVS memory during suspend, hibernation, and resume. -
  • -
  • - sci_force_enable causes the kernel to set SCI_EN directly on resume from S1/S3. Even though this - behavior is contrary to the ACPI specifications, some corrupted systems do not work - without it. -
  • -
  • -

    - nobl causes the internal denylist of systems known - to behave incorrectly in some ways with respect to system suspend and resume to - be ignored. Use this option wisely. -

    -

    - For more information, see Documentation/power/video.rst. -

    -
  • -
-
-
-
crashkernel=size[KMG],high = [KNL, X86-64, ARM64]
-
-

- With this parameter you can allocate physical memory region from top as follows: -

-
-
    -
  • - If the system has more than 4 GB RAM installed, the physical memory region can - exceed 4 GB. -
  • -
  • -

    - If the system has less than 4 GB RAM installed, the physical memory region will - be allocated below 4 GB, if available. -

    -

    - This parameter is ignored if the crashkernel=X - parameter is specified. -

    -
  • -
-
-
-
crashkernel=size[KMG],low = [KNL, X86-64]
-
-

- When you pass crashkernel=X,high, the kernel can allocate a - physical memory region above 4 GB. This causes the second kernel crash on systems that - require some amount of low memory (for example, swiotlb - requires at least 64M+32K low memory) and enough extra low memory to make sure DMA buffers - for 32-bit devices are not exhausted. Kernel tries to allocate at least 256 M below 4 GB - automatically. With this parameter you can specify the low range under 4 GB for the second - kernel instead. -

-
-
    -
  • - 0: disables low allocation. It will be ignored when - crashkernel=X,high is not used or memory reserved is - below 4 GB. -
  • -
-
-
-
kvm.nx_huge_pages_recovery_ratio = [KVM]
-
-

- With this parameter you can control how many 4KiB pages are periodically zapped back to huge - pages: -

-
-
    -
  • - 0 disables the recovery -
  • -
  • -

    - N KVM will zap 1/Nth - of the 4KiB pages every period. -

    -

    - The default is set to 60. -

    -
  • -
-
-
-
module.sig_enforce = norid [S390]
-
- With this parameter you can ignore the RID field and force the use of one PCI domain per PCI - function. -
-
rcu_nocbs[=cpu-list] = [KNL]
-
-

- The optional argument is a CPU list. -

-

- In kernels built with CONFIG_RCU_NOCB_CPU=y, you can enable the - no-callback CPU mode, which prevents such CPUs callbacks from being invoked in softirq - context. Invocation of such CPUs' RCU callbacks will instead be offloaded to rcuox/N kthreads created for that - purpose, where x is p for - RCU-preempt, s for RCU-sched, and g for the kthreads that mediate - grace periods; and N is the CPU number. This reduces OS jitter - on the offloaded CPUs, which can be useful for HPC and real-time workloads. It can also - improve energy efficiency for asymmetric multiprocessors. -

-
-
    -
  • - If a cpulist is passed as an argument, the specified - list of CPUs is set to no-callback mode from boot. -
  • -
  • - If the = sign and the cpulist arguments are omitted, no CPU will be set to - no-callback mode from boot but you can toggle the mode at runtime using cpusets. -
  • -
-
-
-
spectre_v2_user = [X86]
-
-

- With this parameter you can control mitigation of Spectre variant 2 (indirect branch - speculation) vulnerability between user space tasks. -

-
-
    -
  • - auto: kernel selects the mitigation depending on the - available CPU features and vulnerability. -
  • -
  • - The default mitigation is set to prctl. -
  • -
  • - Not specifying this option is equivalent to spectre_v2_user=auto. -
  • -
-
-
-
spec_store_bypass_disable = [X86]
-
-

- With this parameter you can control whether the Speculative Store Bypass (SSB) optimization - to mitigate the SSB vulnerability is used. -

-
-
    -
  • - Not specifying this option is equivalent to spec_store_bypass_disable=auto. -
  • -
  • - The default mitigation is set to prctl. -
  • -
-
-
-
-
-

New sysctl parameters

-
-
-
perf_user_access = [ARM64]
-
-

- With this parameter you can control user space access for reading performance event - counters. -

-
-
    -
  • - When set to 1, user space can read performance monitor - counter registers directly. -
  • -
  • -

    - The default is set to 0, which means access disabled. -

    -

    - For more information, see Documentation/arm64/perf.rst. -

    -
  • -
-
-
-
force_cgroup_v2_swappiness
-
-

- With this parameter you can deprecate the per-cgroup swappiness value available only in - cgroupsV1. Due to a systemd design - choice, most of all system and user processes are run within a cgroup. Furthermore these cgroup - swappiness values default to 60. This can lead to undesireable - effects where systems swappiness value has little effect on the swap behavior of the system. -

-

- If you do want to use the per-cgroup swappiness feature, you - can configure the system with force_cgroup_v2_swappiness=1 to - have more consistent swappiness behavior across the whole system. -

-

- Note that this is a RHEL specific feature. -

-
-
-
-
-
-
-
-
-

Chapter 6. Device Drivers

-
-
-
-
-
-
-
-

6.1. New drivers

-
-
-
-

Network drivers

-
-
    -
  • - Maxlinear Ethernet GPY Driver (mxl-gpy) -
  • -
  • - Realtek 802.11ax wireless 8852A driver (rtw89_8852a) -
  • -
  • - Realtek 802.11ax wireless 8852AE driver (rtw89_8852ae) -
  • -
-
-

Graphics drivers and miscellaneous drivers

-
-
    -
  • - MHI Host Interface (mhi) -
  • -
  • - Modem Host Interface (MHI) PCI controller driver (mhi_pci_generic) -
  • -
  • - IDXD driver dsa_bus_type driver (idxd_bus) -
  • -
  • - AMD PassThru DMA driver (ptdma) -
  • -
  • - Cirrus Logic DSP Support (cs_dsp) -
  • -
  • - DRM DisplayPort helper (drm_dp_helper) -
  • -
  • - DRM Buddy Allocator (drm_buddy) -
  • -
  • - DRM SHMEM memory-management helpers (drm_shmem_helper) -
  • -
  • - DRM driver using bochs dispi interface (bochs) -
  • -
  • - Intel® PMT Class driver (pmt_class) -
  • -
  • - Intel® PMT Crashlog driver (pmt_crashlog) -
  • -
  • - Intel® PMT Telemetry driver (pmt_telemetry) -
  • -
  • - Intel® speed select interface driver (isst_if_common) -
  • -
  • - Intel® speed select interface mailbox driver (isst_if_mbox_msr) -
  • -
  • - Intel® speed select interface pci mailbox driver (isst_if_mbox_pci) -
  • -
  • - Intel® speed select interface mmio driver (isst_if_mmio) -
  • -
  • - Intel® Software Defined Silicon driver (intel_sdsi) -
  • -
  • - Intel® Extended Capabilities auxiliary bus driver (intel_vsec) -
  • -
  • - ISH ISHTP eclite client opregion driver (ishtp_eclite) -
  • -
  • - Serial multi instantiate pseudo device driver (serial-multi-instantiate) -
  • -
  • - AMD® SPI Master Controller Driver (spi-amd) -
  • -
-
-
-
-
-
-
-

6.2. Updated drivers

-
-
-
-

Network drivers

-
-
    -
  • - VMware vmxnet3 virtual NIC driver (vmxnet3) has been updated to - version 1.7.0.0-k. -
  • -
  • - Intel® PRO/1000 Network Driver (e1000e) has been updated to - version 4.18.0-425.3.1. -
  • -
  • - Intel® Ethernet Switch Host Interface Driver (fm10k) has been - updated to version 4.18.0-425.3.1. -
  • -
  • - Intel® Ethernet Connection XL710 Network Driver (i40e) has been - updated to version 4.18.0-425.3.1. -
  • -
  • - Intel® Ethernet Adaptive Virtual Function Network Driver (iavf) - has been updated to version 4.18.0-425.3.1. -
  • -
  • - Intel® Gigabit Ethernet Network Driver (igb) has been updated - to version 4.18.0-425.3.1. -
  • -
  • - Intel® Gigabit Virtual Function Network Driver (igbvf) has been - updated to version 4.18.0-425.3.1. -
  • -
  • - Intel® 2.5G Ethernet Linux Driver (igc) has been updated to - version 4.18.0-425.3.1. -
  • -
  • - Intel® 10 Gigabit PCI Express Network Driver (ixgbe) has been - updated to version 4.18.0-425.3.1. -
  • -
  • - Intel® 10 Gigabit Virtual Function Network Driver (ixgbevf) has - been updated to version 4.18.0-425.3.1. -
  • -
  • - Mellanox 5th generation network adapters (ConnectX series) core driver (mlx5_core) has been updated to version 4.18.0-425.3.1. -
  • -
-
-

Storage drivers

-
-
    -
  • - Emulex LightPulse Fibre Channel SCSI driver (lpfc) has been - updated to version 14.0.0.15. -
  • -
  • - MPI3 Storage Controller Device Driver (mpi3mr) has been updated - to version 8.0.0.69.0. -
  • -
  • - LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas) has been updated - to version 42.100.00.00. -
  • -
  • - QLogic Fibre Channel HBA Driver (qla2xxx) has been updated to - version 10.02.07.400-k. -
  • -
  • - Driver for Microchip Smart Family Controller (smartpqi) has - been updated to version 2.1.18-045. -
  • -
-
-

Graphics and miscellaneous driver updates

-
-
    -
  • - Standalone drm driver for the VMware SVGA device (vmwgfx) has - been updated to version 2.20.0.0. -
  • -
-
-
-
-
-
-
-
-

Chapter 7. Available BPF Features

-
-
-
-

- This chapter provides the complete list of Berkeley Packet Filter (BPF) features available in the kernel of this minor version of Red Hat - Enterprise Linux 8. The tables include the lists of: -

- -

- This chapter contains automatically generated output of the bpftool feature - command. -

-
-

Table 7.1. System configuration and other options

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionValue
-

- unprivileged_bpf_disabled -

-
-

- 1 (bpf() syscall restricted to privileged users, without recovery) -

-
-

- JIT compiler -

-
-

- 1 (enabled) -

-
-

- JIT compiler hardening -

-
-

- 1 (enabled for unprivileged users) -

-
-

- JIT compiler kallsyms exports -

-
-

- 1 (enabled for root) -

-
-

- Memory limit for JIT for unprivileged users -

-
-

- 264241152 -

-
-

- CONFIG_BPF -

-
-

- y -

-
-

- CONFIG_BPF_SYSCALL -

-
-

- y -

-
-

- CONFIG_HAVE_EBPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT_ALWAYS_ON -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF_MODULES -

-
-

- n -

-
-

- CONFIG_CGROUPS -

-
-

- y -

-
-

- CONFIG_CGROUP_BPF -

-
-

- y -

-
-

- CONFIG_CGROUP_NET_CLASSID -

-
-

- y -

-
-

- CONFIG_SOCK_CGROUP_DATA -

-
-

- y -

-
-

- CONFIG_BPF_EVENTS -

-
-

- y -

-
-

- CONFIG_KPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_UPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_TRACING -

-
-

- y -

-
-

- CONFIG_FTRACE_SYSCALLS -

-
-

- y -

-
-

- CONFIG_FUNCTION_ERROR_INJECTION -

-
-

- y -

-
-

- CONFIG_BPF_KPROBE_OVERRIDE -

-
-

- y -

-
-

- CONFIG_NET -

-
-

- y -

-
-

- CONFIG_XDP_SOCKETS -

-
-

- y -

-
-

- CONFIG_LWTUNNEL_BPF -

-
-

- y -

-
-

- CONFIG_NET_ACT_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_ACT -

-
-

- y -

-
-

- CONFIG_NET_SCH_INGRESS -

-
-

- m -

-
-

- CONFIG_XFRM -

-
-

- y -

-
-

- CONFIG_IP_ROUTE_CLASSID -

-
-

- y -

-
-

- CONFIG_IPV6_SEG6_BPF -

-
-

- n -

-
-

- CONFIG_BPF_LIRC_MODE2 -

-
-

- n -

-
-

- CONFIG_BPF_STREAM_PARSER -

-
-

- y -

-
-

- CONFIG_NETFILTER_XT_MATCH_BPF -

-
-

- m -

-
-

- CONFIG_BPFILTER -

-
-

- n -

-
-

- CONFIG_BPFILTER_UMH -

-
-

- n -

-
-

- CONFIG_TEST_BPF -

-
-

- m -

-
-

- CONFIG_HZ -

-
-

- 1000 -

-
-

- bpf() syscall -

-
-

- available -

-
-

- Large program size limit -

-
-

- available -

-
-
-
-
-

Table 7.2. Available program types and supported helpers

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Program typeAvailable helpers
-

- socket_filter -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- kprobe -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_override_return, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- sched_cls -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sched_act -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- xdp -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, bpf_redirect, - bpf_perf_event_output, bpf_csum_diff, bpf_get_current_task, - bpf_get_numa_node_id, bpf_xdp_adjust_head, bpf_redirect_map, - bpf_xdp_adjust_meta, bpf_xdp_adjust_tail, bpf_fib_lookup, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_tcp_gen_syncookie, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- perf_event -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_get_task_stack, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, - bpf_snprintf -

-
-

- cgroup_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_skb_cgroup_id, bpf_get_local_storage, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, - bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_sk_cgroup_id, - bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sock -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_current_cgroup_id, - bpf_get_local_storage, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_in -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_lwt_push_encap, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_out -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_xmit -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, - bpf_csum_diff, bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, bpf_set_hash_invalid, - bpf_get_numa_node_id, bpf_skb_change_head, bpf_lwt_push_encap, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sock_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_setsockopt, bpf_sock_map_update, bpf_getsockopt, - bpf_sock_ops_cb_flags_set, bpf_sock_hash_update, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_skc_to_tcp6_sock, - bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, - bpf_skc_to_udp6_sock, bpf_load_hdr_opt, bpf_store_hdr_opt, bpf_reserve_hdr_opt, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sk_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_tail_call, bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_adjust_room, bpf_sk_redirect_map, bpf_sk_redirect_hash, - bpf_sk_lookup_tcp, bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, - bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, - bpf_skc_lookup_tcp, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_device -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sk_msg -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_cgroup_classid, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_msg_redirect_hash, bpf_get_current_cgroup_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_msg_push_data, - bpf_msg_pop_data, bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- raw_tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sock_addr -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_setsockopt, bpf_getsockopt, - bpf_bind, bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_seg6local -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lirc_mode2 -

-
-

- not supported -

-
-

- sk_reuseport -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_skb_load_bytes_relative, bpf_sk_select_reuseport, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- flow_dissector -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sysctl -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_sysctl_get_name, bpf_sysctl_get_current_value, - bpf_sysctl_get_new_value, bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- raw_tracepoint_writable -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sockopt -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- tracing -

-
-

- not supported -

-
-

- struct_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, - bpf_skb_store_bytes, bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, - bpf_clone_redirect, bpf_get_current_pid_tgid, bpf_get_current_uid_gid, - bpf_get_current_comm, bpf_get_cgroup_classid, bpf_skb_vlan_push, - bpf_skb_vlan_pop, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_perf_event_read, bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_get_stackid, bpf_csum_diff, bpf_skb_get_tunnel_opt, - bpf_skb_set_tunnel_opt, bpf_skb_change_proto, bpf_skb_change_type, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_current_task_under_cgroup, bpf_skb_change_tail, bpf_skb_pull_data, - bpf_csum_update, bpf_set_hash_invalid, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_xdp_adjust_head, bpf_probe_read_str, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_setsockopt, - bpf_skb_adjust_room, bpf_redirect_map, bpf_sk_redirect_map, bpf_sock_map_update, - bpf_xdp_adjust_meta, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_getsockopt, bpf_override_return, bpf_sock_ops_cb_flags_set, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_bind, bpf_xdp_adjust_tail, bpf_skb_get_xfrm_state, - bpf_get_stack, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_sock_hash_update, bpf_msg_redirect_hash, bpf_sk_redirect_hash, - bpf_lwt_push_encap, bpf_lwt_seg6_store_bytes, bpf_lwt_seg6_adjust_srh, - bpf_lwt_seg6_action, bpf_rc_repeat, bpf_rc_keydown, bpf_skb_cgroup_id, - bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_select_reuseport, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_msg_push_data, bpf_msg_pop_data, bpf_rc_pointer_rel, bpf_spin_lock, - bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, 
bpf_skb_ecn_set_ce, - bpf_get_listener_sock, bpf_skc_lookup_tcp, bpf_tcp_check_syncookie, - bpf_sysctl_get_name, bpf_sysctl_get_current_value, bpf_sysctl_get_new_value, - bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_send_signal, bpf_tcp_gen_syncookie, bpf_skb_output, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_tcp_send_ack, bpf_send_signal_thread, - bpf_jiffies64, bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_xdp_output, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_seq_printf, bpf_seq_write, - bpf_sk_cgroup_id, bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_csum_level, bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, - bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, - bpf_get_task_stack, bpf_load_hdr_opt, bpf_store_hdr_opt, bpf_reserve_hdr_opt, - bpf_inode_storage_get, bpf_inode_storage_delete, bpf_d_path, bpf_copy_from_user, - bpf_snprintf_btf, bpf_seq_printf_btf, bpf_skb_cgroup_classid, - bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_redirect_peer, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_bprm_opts_set, bpf_ktime_get_coarse_ns, bpf_ima_inode_hash, - bpf_sock_from_file, bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, - bpf_sys_bpf, bpf_btf_find_by_name_kind, bpf_sys_close -

-
-

- ext -

-
-

- not supported -

-
-

- lsm -

-
-

- not supported -

-
-

- sk_lookup -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-
-
-
-

Table 7.3. Available map types

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Map typeAvailable
-

- hash -

-
-

- yes -

-
-

- array -

-
-

- yes -

-
-

- prog_array -

-
-

- yes -

-
-

- perf_event_array -

-
-

- yes -

-
-

- percpu_hash -

-
-

- yes -

-
-

- percpu_array -

-
-

- yes -

-
-

- stack_trace -

-
-

- yes -

-
-

- cgroup_array -

-
-

- yes -

-
-

- lru_hash -

-
-

- yes -

-
-

- lru_percpu_hash -

-
-

- yes -

-
-

- lpm_trie -

-
-

- yes -

-
-

- array_of_maps -

-
-

- yes -

-
-

- hash_of_maps -

-
-

- yes -

-
-

- devmap -

-
-

- yes -

-
-

- sockmap -

-
-

- yes -

-
-

- cpumap -

-
-

- yes -

-
-

- xskmap -

-
-

- yes -

-
-

- sockhash -

-
-

- yes -

-
-

- cgroup_storage -

-
-

- yes -

-
-

- reuseport_sockarray -

-
-

- yes -

-
-

- percpu_cgroup_storage -

-
-

- yes -

-
-

- queue -

-
-

- yes -

-
-

- stack -

-
-

- yes -

-
-

- sk_storage -

-
-

- yes -

-
-

- devmap_hash -

-
-

- yes -

-
-

- struct_ops -

-
-

- no -

-
-

- ringbuf -

-
-

- yes -

-
-

- inode_storage -

-
-

- yes -

-
-

- task_storage -

-
-

- no -

-
-
-
-
-
-
-
-
-

Chapter 8. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.7 that have a significant impact on users. -

-
-
-
-
-

8.1. Installer and image creation

-
-
-
-
-

The installer no longer installs earlier versions of packages

-

- Previously, the installer did not correctly load the DNF configuration file during the - installation process. As a consequence, the installer sometimes installed earlier versions of - select packages in the RPM transaction. -

-
-

- This bug has been fixed, and only the latest versions of packages are now installed from the - installation repositories. In cases where it is impossible to install the latest versions of the - packages, the installation fails as expected. -

-

- (BZ#1899494) -

-
-

Anaconda installation is successful even if changing the network - configuration in stage2

-

- Previously, when using the rd.live.ram boot argument, Anaconda did - not unmount an NFS mount point that is used in initramfs to fetch - the installation image into memory. As a consequence, the installation process could become - unresponsive or fail with a timeout error if the network configuration was changed in stage2. -

-
-

- To fix this problem, the NFS mount point used to fetch the installation image into memory is - unmounted in initramfs before switchroot. As a result, the installation - process is completed without any interruption. -

-

- (BZ#1970726) -

-
-

Installer asks for the passphrase missing in the Kickstart file for the - encrypted devices during the installation

-

- Previously, when running the installer in graphical mode, if the passphrase was not specified in - the Kickstart file, the installer would not ask for entering the passphrase for encrypted - devices. As a consequence, the partitioning specified in the Kickstart file was not applied - during the installation. -

-
-

- This update adds a dialog window that appears during the installation and asks for the missing - passphrase. As a result, the installer properly applies the partitioning scheme specified in the - Kickstart file. -

-

- (BZ#2029101) -

-
-

Images now build successfully for packages in blueprint that contain - conditional dependencies

-

- Previously, when using the web console to customize a blueprint with packages that contained - conditional dependencies, such as ipa-client, cockpit, podman, would cause the build - to fail because of the missing dependencies. As a consequence, the conditional dependency was - not met during the dep-solve packages. This issue is fixed now, and the builds will no longer - fail when dep-solving conditional dependencies. -

-
-

- (BZ#2065734) -

-
-
-
-
-
-

8.2. Software management

-
-
-
-
-

DNF now correctly rolls back a transaction containing an item with the - Reason Change Action type

-

- Previously, running the dnf history rollback command on a - transaction containing an item with the Reason Change Action type - failed. With this update, the issue has been fixed, and dnf history rollback now works as expected. -

-
-

- (BZ#2060815) -

-
-
-
-
-
-

8.3. Shells and command-line tools

-
-
-
-
-

The cmx operation with no parameter no longer - crashes the CIM Client

-

- The cmx operation calls a method and returns XML, a parameter - specifies the name of the called method. Previously, the command line sblim-wbemcli Common Information Model (CIM) Client crashed when - running the cmx operation without an additional parameter. With - this update, the cmx operation requires the parameter that defines - the name of the called method. Invoking the cmx operation without - this parameter results in an error message, and the CIM Client no longer crashes. -

-
-

- (BZ#2075807) -

-
-

The cvSaveImage function in the opencv library no longer terminates the user application -

-

- Previously, the opencv library could not use the cvSaveImage function correctly. Consequently, the user application - was terminated unexpectedly. With this update, the cvSaveImage - function writes the image data on disk and no longer terminates the user application. -

-
-

- (BZ#2104776) -

-
-

ReaR no longer fails to display an error message if it does not update the - UUID in /etc/fstab

-

- Previously, ReaR did not display an error message during recovery when it failed to update the - universally unique identifier (UUID) in /etc/fstab to match the - UUID of the newly created partition in case the UUIDs were different. This could have happened - if the rescue image was out of sync with the backup. With this update, an error message occurs - during recovery if the restored basic system files do not match the recreated system. -

-
-

- (BZ#2072978) -

-
-

ReaR with the PXE output method no longer fails to store the output files - in the rsync OUTPUT_URL location

-

- In RHEL 8.5, the handling of the OUTPUT_URL variable with the OUTPUT=PXE and BACKUP=RSYNC options was - removed. As a consequence, when using an rsync location for OUTPUT_URL, ReaR failed to copy the initrd and kernel files to this location, although it uploaded them - to the location specified by BACKUP_URL. With this update, the - behavior from RHEL 8.4 and earlier releases is restored. ReaR creates the required files at the - designated OUTPUT_URL destination using rsync. -

-
-

- (BZ#2115918) -

-
-

ReaR now supports restoring a system using NetBackup version 9

-

- Previously, restoring a system using the NetBackup (NBU) method with NetBackup version 9 or - later failed due to missing libraries and other files. With this update, the NBU_LD_LIBRARY_PATH variable contains the required library paths and - the rescue system now incorporates the required files, and ReaR can use the NetBackup method. -

-
-

- (BZ#2077404) -

-
-

ReaR no longer displays a false error message about missing symlink - targets

-

- Previously, ReaR displayed incorrect error messages about missing symlink targets for the build and source symlinks under /usr/lib/modules/ when creating the rescue image. This situation was - harmless, and you could safely ignore the error message. With this update, ReaR does not report - a false error message about missing symlink targets in this situation. -

-
-

- (BZ#2021935) -

-
-

Fallbacks of SR-IOV devices now complete successfully

-

- Previously, Single Root I/O Virtualization (SR-IOV) devices did not fallback after device - failover because the hcnmgr script used an incorrect active_slave attribute instead of a primary attribute. With this update, the hcnmgr script uses the correct attribute and fallbacks for SR-IOV - devices complete successfully. -

-
-

- (BZ#2078514) -

-
-

ppc64-diag rebased to version 2.7.8 -

-

- The ppc64-diag package for platform diagnostics has been updated to - version 2.7.8. Notable improvements and bug fixes include: -

-
-
-
    -
  • - Updated build dependency to use libvpd utility version 2.2.9 or - higher -
  • -
  • - Fixed extract_opal_dump error message on unsupported platform -
  • -
  • - Fixed build warning with GCC-8.5 and GCC-11 compilers -
  • -
-
-

- (BZ#2051313) -

-
-

lsvpd rebased to version 1.7.14

-

- The lsvpd package, which provides commands for constituting a - hardware inventory system, has been updated to version 1.7.14. With this update, the lsvpd utility prevents corruption of the database file when you run - the vpdupdate command. -

-
-

- (BZ#2051316) -

-
-

libvpd rebased to version 2.2.9

-

- The libvpd package, which contains classes for accessing the Vital - Product Data (VPD), has been updated to version 2.2.9. Notable improvements and bug fixes - include: -

-
-
-
    -
  • - Fixed database locking -
  • -
  • - Updated libtool utility version information -
  • -
-
-

- (BZ#2051319) -

-
-
-
-
-
-

8.4. Infrastructure services

-
-
-
-
-

The printer test page layout in RHEL 8 has changed

-

- Previously, the print test page was not printed if the destination document format was PDF. This - update introduces a new test page layout to work with a broader set of printers. Note that the - test page does not contain any information regarding the printer or the test page print job. -

-
-

- (BZ#2064606) -

-
-

The frr binary files and scripts have a new - location

-

- Previously, the frr package for managing dynamic routing stack - contained its binary files and scripts in the /usr/lib/frr - directory, which caused certain issues when applying the new targeted SELinux policy. - Consequently, SELinux logged denial messages in access vector cache (AVC) and prevented frr from starting properly. -

-
-

- With this update, /usr/libexec/frr is the new location of the frr binary files and scripts. As a result, SELinux applies rules for - binaries and scripts in /usr/libexec/frr and for other frr libraries in /usr/lib64/frr separately, - and no longer produces denial messages. -

-

- (BZ#1714984, BZ#1941765) -

-
-
-
-
-
-

8.5. Security

-
-
-
-
-

OpenSCAP remediation sets correct permissions for /etc/tmux.conf

-

- Previously, when remediating the SCAP rule configure_tmux_lock_after_time, the /etc/tmux.conf file was created with permissions respecting umask - (600). This caused /etc/tmux.conf to be unreadable by regular - users. If a regular user logged in, they received an error message and had to wait for several - minutes before a timeout ran out and they were logged in. With this update, the remediation of - rule configure_tmux_lock_after_time sets specific permissions of - /etc/tmux.conf to 644. As a result, regular users no longer - encounter the error message or login delay. -

-
-

- (BZ#2064696) -

-
-

SCAP rule for Rsyslog correctly identifies .conf files

-

- Previously, rule "Ensure System Log Files Have Correct Permissions" (xccdf_org.ssgproject.content_rule_rsyslog_files_permissions) did not - expand glob expressions in Rsyslog include statements. As a consequence, the rule did not parse - all relevant configuration files, and some log files did not have their permissions checked. - With this update, the rule correctly expands the glob expressions to identify the .conf files it needs to parse. As a result, the rule now correctly - processes the required .conf files to ensure that all configured - log files have the correct permissions. -

-
-

- (BZ#2075384) -

-
-

Rules for chronyd do not require explicit - chrony user configuration

-

- RHEL runs chronyd under the chrony - user by default. Previously, the check and remediation for the chronyd service configuration user were stricter than necessary. The - overly strict check led to false positives and to excessive remediations. In this version, the - check and remediations of the rule xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user are - updated, for both the minimalistic correct configuration and legacy explicit correct - configurations pass. As a result, the rule respects the default RHEL behavior and does not - require explicit chrony user configuration. -

-
-

- (BZ#2077531) -

-
-

Warning added to rsyslog_remote_loghost

-

- The SCAP rule xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost ensures that - the Rsyslog daemon is configured to send log messages to a remote log host. However, the rule - does not configure TCP queues. As a consequence, the system hangs if TCP queues are not - configured, and the remote log host becomes unavailable. This update adds a warning message that - explains how to configure TCP queues. If you encounter system hangs while using this rule, read - the warning and configure the system properly. -

-
-

- (BZ#2078974) -

-
-

Remediation of sudo_custom_logfile works for - custom sudo log files

-

- Previously, remediation of the SCAP Security Guide rule xccdf_org.ssgproject.content_sudo_custom_logfile did not work for - custom sudo log files with a different path than /var/log/sudo.log. With this update, the rule is fixed so that it can - properly remediate if the system has a custom sudo log file that - does not match the expected path. -

-
-

- (BZ#2083109) -

-
-

Remediation of firewalld_sshd_port_enabled now - works correctly

-

- Previously, Bash remediation of the SCAP rule xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled - incorrectly handled lists of network interfaces. Additionally, configuration files had different - names than required. This update has fixed the remediation. As a result, the remediation handles - all network interfaces correctly, and configuration files have predictable names. -

-
-

- (BZ#2109602) -

-
-

fagenrules --load now works correctly -

-

- Previously, the fapolicyd service did not correctly handle the - signal hang up (SIGHUP). Consequently, fapolicyd terminated after - receiving the SIGHUP signal, and the fagenrules --load command did - not work properly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer - require manual restarts of fapolicyd. -

-
-

- (BZ#2070639) -

-
-
-
-
-
-

8.6. Networking

-
-
-
-
-

The NetworkManager utility enforces correct - ordering of IPv6 addresses from various sources

-

- In general, the ordering of IPv6 addresses affects the priority for source address selection. - For example, when you make an outgoing TCP connection. Previously, the relative priority of IPv6 - addresses added through the manual, dhcpv6, and autoconf6 methods, was not - correct. With this update, the problem has been fixed and the ordering priority now reflects - this logic: manual > dhcpv6 > - autoconf6. However, the order of addresses under the ipv6.addresses setting did not change and the address added last - still has the highest priority. -

-
-

- (BZ#2097270) -

-
-

Asymmetric routing now works correctly

-

- The previous minor version of RHEL 8 contained a change that caused connection tracking to fail - in some cases. Consequently, asymmetric routing was not working correctly. This release reverts - the change that was introduced in RHEL 8.6. As a result, the asymmetric routing works correctly. -

-
-

- (BZ#2062870) -

-
-
-
-
-
-

8.7. Kernel

-
-
-
-
-

A new ability to deprecate CgroupV1 memory.swappiness allowing for - consistent swap behavior

-

- CgroupV1 includes the memory.swappiness per-cgroup swappiness value - that controls the swap behavior of the given cgroup. -

-
-

- However, systemd processes run within cgroups and the sysctl swappiness value has - minimal effect on swap heuristics. Such cgroups ignore the values in - sysctl or tuned configurations and - processes running on the system are assigned a default swappiness value of 60. As a consequence, in cases with high memory pressure and page - reclamation, earlier or more aggressive swapping can occur compared to the assigned swappiness - value. -

-

- This update introduces a new sysctl variable, /proc/sys/vm/force_cgroupv2_swappiness, with a default value of 0. When set to 1, the memory.swappiness value becomes deprecated and all per-cgroups swappiness - values mirror the system-wide swappiness value in the /proc/sys/vm/swappiness file. As a result, the memory swapping behavior - of cgroups is more consistent. -

-

- (BZ#2084242) -

-
-

Anaconda no longer fails after entering a passphrase for encrypted - devices

-

- Previously, if kdump was disabled when preparing an installation, - and the user selected encrypted disk partitioning, the Anaconda installer failed with a - traceback after entering a passphrase for the encrypted device. -

-
-

- This update fixes the problem, and users no longer need to enable kdump - to create encrypted disk partitioning. -

-

- (BZ#2086100) -

-
-

The net_prio or net_cls controllers in v1 mode now work correctly

-

- Previously, in cgroup-v2 environments, using either net_prio or net_cls controllers in v1 - mode disabled the hierarchical tracking of socket data. As a consequence, the cgroup-v2 hierarchy for socket data tracking controllers was not - active, and the dmesg command reported the following message: -

-
-
cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
-

- This update ensures cgroup-v2 is correctly active after the reboot. -

-

- (BZ#2046396) -

-
-
-
-
-
-

8.8. Boot loader

-
-
-
-
-

grubby now passes arguments to future - kernels

-

- When installing a newer version of the kernel, the grubby tool did - not pass the kernel command-line arguments from the previous kernel version. As a consequence, - the GRUB boot loader ignored user settings. With this fix, the user settings now persist after - installing the new kernel version. -

-
-

- (BZ#1978226) -

-
-
-
-
-
-

8.9. High availability and clusters

-
-
-
-
-

pcs now recognizes the mode option when creating a new Booth ticket

-

- Previously, when a user specified a mode option when adding a new - Booth ticket, pcs reported the error invalid booth ticket option 'mode'. With this fix, you can now - specify the mode option when creating a Booth ticket. -

-
-

- (BZ#1786964) -

-
-

pcs now validates the value of stonith-watchdog-timeout

-

- Previously, it was possible to set the stonith-watchdog-timeout - property to a value that is incompatible with SBD configuration. This could result in a fence - loop, or could cause the cluster to consider a fencing action to be successful even if the - action is not finished. With this fix, pcs validates the value of - stonith-watchdog-property when you set it, to prevent incorrect - configuration. -

-
-

- (BZ#1954099) -

-
-
-
-
-
-

8.10. Dynamic programming languages, web and database servers

-
-
-
-
-

MariaDB 10.5 now warns about dropping a - non-existent table when the OQGraph plug-in is enabled -

-

- Previously, when the OQGraph storage engine plug-in was loaded to - the MariaDB 10.5 server, MariaDB did - not warn about dropping a non-existent table. In particular, when the user attempted to drop a - non-existent table using the DROP TABLE or DROP TABLE IF EXISTS SQL commands, MariaDB neither returned an error message nor logged a warning. This - bug has been fixed, and a warning is now shown in the described scenario. -

-
-

- (BZ#1944653) -

-
-
-
-
-
-

8.11. Compilers and development tools

-
-
-
-
-

Applications no longer deadlock when invoking pthread_atfork or dclose from fork - handler callbacks

-

- Previously, applications invoked pthread_atfork handler callbacks - while glibc had acquired an internal lock. As a result, registering - fork handlers or calling dclose from a fork handler could deadlock - applications. -

-
-

- A different synchronization mechanism is now used to protect internal data structures while fork - handlers are running. As a result, applications no longer deadlock when invoking pthread_atfork or dclose from fork handler - callbacks. -

-

- (BZ#1888660) -

-
-

Wildcard functions in Makefiles no longer return symbolic links when only - directories are expected

-

- Previously, the GLOB_ONLYDIR hint used by glob() misreported symbolic links as directories on certain XFS - filesystems. When using glob(), make - did not confirm that the hints were actually directories and, as a result, wildcard functions in - Makefiles returned symbolic links when only directories were expected. -

-
-

- The bug has been fixed and wildcard functions in Makefiles no longer return symbolic links when only - directories are expected. -

-

- (BZ#1982608) -

-
-

popen() no longer causes multithreaded - processes to crash

-

- Previously, a defect in popen() caused applications to crash when - using the interface from a multithreaded process. With this update, the bug has been fixed and - multithreaded processes no longer crash when using popen(). -

-
-

- (BZ#2065588) -

-
-

The mapping for the 0xBC code point for some - IBM character sets is now U+00AF MACRON

-

- Previously, the IBM256, IBM277, IBM278, IBM280, IBM284, IBM297, and IBM424 character sets encoded the EBCDIC - code point 0xBC as the Unicode character U+203E OVERLINE. As a result, when using the iconv program provided by glibc, - converting text in those character sets containing the 0xBC code - point failed for non-Unicode character sets such as ISO-8859-1 - because they could not encode the U+203E OVERLINE character. -

-
-

- With this update, the bug has been fixed. As a result, input in the IBM277, IBM278, IBM280, IBM284, and IBM297 character sets can be converted to ISO-8859-1 in all cases. For the IBM256 and - IBM424 character sets, conversion no longer fails if the input text - contains the 0xBC code point and the respective output is U+00AF MACRON. -

-

- (BZ#1961109) -

-
-

The tempnam function now uses getrandom to increase the randomness of generated file - names

-

- Previously, the tempnam function in Red Hat Enterprise Linux 8.4 - and later used time-derived randomness for choosing paths. As a result, the tempnam function was not producing the full set of possible file - names when invoked repeatedly in quick succession. This bug has been fixed by a new - implementation that uses the getrandom function to increase the - randomness of the generated file names. As a result, the tempnam - function now generates more distinct file names. -

-
-

- (BZ#2089247) -

-
-

POWER9-optimized strncpy function no longer gives incorrect - results

-

- Previously, the POWER9 strncpy function did not use the correct register as the source of the - NUL bytes for padding. Consequently, the output buffer contained uninitialized register content - instead of the NUL padding. With this update, the strncpy function has been fixed, and the end - of the output buffer is now correctly padded with NUL bytes. -

-
-

- (BZ#2091553) -

-
-

The en_US@ampm locale is now listed correctly - by locale -a

-

- Previously, there was a defect in the listing of en_US@ampm in the - output of the locale -a command. Consequently, the setlocale API failed when trying to set this locale using its - name/alias printed by locale -a. With this update, en_US@ampm is now listed correctly and calls to setlocale succeed for all locales printed by locale -a. -

-
-

- (BZ#2104907) -

-
-

Unit masks for events are now all included in the papi_xml_event_info output

-

- Previously, the testing of event unit mask information in papi_xml_event_info was incomplete. In some cases, unit masks for - events were not included in the papi_xml_event_info output. This - bug has been fixed and as a result, papi_xml_event_command now - prints out all the unit masks for an event. -

-
-

- (BZ#2037426) -

-
-
-
-
-
-

8.12. Identity Management

-
-
-
-
-

Debug messages no longer logged to /var/log/messages by default -

-

- Previously, the ipa-dnskeysyncd and ipa-ods-exporter daemons logged all debug messages to /var/log/messages by default, resulting in log files growing - substantially. If required, you can now configure the debug log level by setting debug=True in the /etc/ipa/dns.conf - file. For more information refer to the default.conf(5) man page. -

-
-

- (BZ#2059396) -

-
-

Preserving users accounts

-

- Previously, if you ran the ipa user-del --preserve user_login - command to preserve a user account, the output incorrectly returned the message Deleted user “user_login”. This message incorrectly indicates that - the user was deleted and not preserved as expected. With this update, the output now returns - Preserved user “user_login”. -

-
-

- (BZ#2022028) -

-
-

Transferring Kerberos databases greater than 4 GB

-

- Previously, the kprop service and the kpropd command used a 32 bit value when storing the size of the - Kerberos KDC database. As a result the transfer of the Kerberos database dump file from the - primary Kerberos server to a replica server failed if the database size exceeded 4 GB. -

-
-

- This update modifies Kerberos and it can now transfer KDC databases greater than 4 GB. -

-

- (BZ#2026462) -

-
-

Handling unreadable objects in an LDAP group’s member list

-

- Before this update, SSSD inconsistently handled the unreadable objects in an LDAP group’s member - list and this resulted in unreadable objects causing an error or in certain situations - unreadable objects were ignored. -

-
-

- With this update, SSSD has a new option ldap_ignore_unreadable_references to modify this behavior. If the ldap_ignore_unreadable_references option is set to false, unreadable objects cause an error and if set to true, unreadable objects are ignored. The default is set to false and because of the original inconsistent behavior, after the - update, some group lookups may fail. In this case, set ldap_ignore_unreadable_references = True in the corresponding [domain/name of the domain] - section in the /etc/sssd/sssd.conf file. -

-

- This allows unreadable objects to be handled in a consistent manner and the behavior can be tuned - using the new ldap_ignore_unreadable_references option. -

-

- (BZ#2069379) -

-
-
-
-
-
-

8.13. Desktop

-
-
-
-
-

The Airplane Mode switch is always displayed

-

- Previously, the Airplane Mode switch in the - Wi-Fi section of the Settings application disappeared after you - enabled airplane mode. With this update, the problem has been fixed, and Settings always display the Airplane Mode switch, regardless of its state. -

-
-

- (BZ#2079139) -

-
-
-
-
-
-

8.14. Graphics infrastructures

-
-
-
-
-

Hotkeys in Motif applications activate the correct item

-

- Previously, menu hotkeys activated the wrong menu item in applications using the Motif toolkit. - When a submenu was open and you pressed a hotkey associated with its item, the application - activated an item in the parent menu instead. -

-
-

- With this update, the problem has been fixed, and hotkeys now activate the correct submenu items. -

-

- (BZ#2060571) -

-
-

The desktop no longer fails to start with disabled IPv6 and - DisallowTCP=false

-

- Previously, the X11 desktop session failed to start after login under the following - circumstances: -

-
-
-
    -
  • - IPv6 networking was disabled on your system. -
  • -
  • - The DisallowTCP=false option was enabled in GDM configuration. -
  • -
-
-

- With this update, the problem has been fixed, and you can log into the X11 session as expected with - the described configuration. -

-

- (BZ#2075132) -

-
-
-
-
-
-

8.15. The web console

-
-
-
-
-

Removing USB host devices using the web console now works as - expected

-

- Previously, when you attached a USB device to a virtual machine (VM), the device number and bus - number of the USB device changed after they were passed to the VM. As a consequence, using the - web console to remove such devices failed due to the incorrect correlation of the device and bus - numbers. With this update, the issue has been fixed and you can remove the USB host devices - using the web console. -

-
-

- (JIRA:RHELPLAN-109067) -

-
-

Attaching multiple host devices using the web console now works as - expected

-

- Previously, when you selected multiple devices to attach to a virtual machine (VM) using the web - console, only a single device was attached and the rest were ignored. With this update, the - issue has been fixed and you can now simultaneously attach multiple host devices using the web - console. -

-
-

- (JIRA:RHELPLAN-115603) -

-
-
-
-
-
-

8.16. Red Hat Enterprise Linux system roles

-
-
-
-
-

Fixed a typo to support active-backup for the - correct bonding mode

-

- Previously, there was a typo,active_backup, in supporting the - InfiniBand port while specifying active-backup bonding mode. Due to - this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding - port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the - InfiniBand bonding port. -

-
-

- (BZ#2064067) -

-
-

The IPRouteUtils.get_route_tables_mapping() - function now accepts any whitespace sequence

-

- Previously, a parser for the iproute2 routing table database, such - as /etc/iproute2/rt_tables, asserted that entries in the file were - of the form 254 main and only a single space character separated - the numeric id and the name. Consequently, the parser failed to cache all the mappings between - the route table name and table id.Therefore the user could not add a static route into the route - table by defining the route table name. With this update, the parser accepts any whitespace - sequence in between the table ID and table name. As a result, as the parser caches all the - mapping between the route table name and table ID, users can add a static route into the route - table by defining the route table name. -

-
-

- (BZ#2115884) -

-
-

Configuration by the metrics RHEL system role - follows symbolic links correctly

-

- When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the metrics role overwrote the symbolic link instead of following it and - configuring mssql.conf. Consequently, running the metrics role changed the symbolic link to a regular file and the - configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed - symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The - problem is now fixed and the follow: yes option to follow the - symbolic link has been added to the metrics role. As a result, the - metrics role preserves the symbolic links and correctly configures - the main configuration file. -

-
-

- (BZ#2060377) -

-
-

The tlog RHEL system roles is now correctly - overlaid by SSSD

-

- Previously, the tlog RHEL system role relied on the System Security - Services Daemon (SSSD) files provider and on enabled authselect - option with-files-domain to set up correct passwd entries in the nsswitch.conf - file. With this fix, the tlog role now updates the nsswitch.conf to ensure tlog-rec-session - is correctly overlaid by SSSD. -

-
-

- (BZ#2072749) -

-
-

The mount_options parameter for volumes is now - valid for a volume

-

- Previously, the parameter was accidentally removed from the list of valid parameters for a - volume. Consequently, users were unable to set the mount_options - parameter for volumes. With this bug fix, the mount_options - parameter has been added back to the list of valid parameters and the code has been refactored - to catch the errors. As a result, the storage RHEL system role can - set the mount_options parameter for volumes. -

-
-

- (BZ#2083378) -

-
-

The metrics RHEL system role README and - documentation now clearly specifies supported Redis and Grafana versions on specific - versions of RHEL by the role

-

- Previously, when trying to use the metrics role with unsupported - versions of Redis and Grafana on unsupported platforms, the role failed. This update clarifies - the documentation about which versions of Redis and Grafana are supported on which versions of - RHEL by the role. As a result, you can avoid trying to use unsupported versions of Redis and - Grafana on unsupported platforms. -

-
-

- (BZ#2100285) -

-
-

The kernel_settings RHEL system role now - correctly installs python3-configobj

-

- Previously, the kernel_settings role returned an error that the - python3-configobj package could not be found. The role failed to - find the package because it did not install python3-configobj on - managed hosts. With this update, the role now installs python3-configobj on managed hosts and works correctly. -

-
-

- (BZ#2060378) -

-
-

The storage RHEL system role now correctly - supports striped and raid0 levels - for LVM volumes

-

- The storage RHEL system role previously incorrectly reported RAID - levels striped and raid0 as not - supported for LVM volumes. This is now fixed and the role can now correctly create LVM volumes - of all RAID levels supported by LVM: raid0, raid1, raid4, raid5, raid6, raid10, striped and mirror. -

-
-

- (BZ#2083426) -

-
-

The metrics RHEL system role automatically - restarts pmie and pmlogger - services after an update to their configuration

-

- Previously, the pmie and pmlogger - services did not restart after their configuration was changed and waited for handler execution. - This caused errors with other metrics services, which required - pmie and pmlogger configuration to - match their runtime behavior. With this update, the role restarts pmie and pmlogger immediately after a - configuration update, their configuration matches runtime behavior of dependent metrics - services, and they work correctly. -

-
-

- (BZ#2100298) -

-
-

The forward_port parameter now accepts both - the string and dict - option

-

- Previously, in the firewall RHEL system role, the forward_port parameter only accepted the string option. However, the role documentation claimed that both - string and - dict options were supported. Consequently, the users reading and - following the documentation were getting an error. This bug has been fixed by making forward_port accept both options. As a result, the users can safely - follow the documentation to configure port forwarding. -

-
-

- (BZ#2101607) -

-
-

The nbde_client system role now uses proper - spacing when specifying extra Dracut command line-parameters

-

- The Dracut framework requires proper spacing when specifying additional parameters, such as - kernel command-line parameters. If the parameters are not specified with proper spacing, Dracut - might not append the specified extra parameters to the kernel command line. With this update, - the nbde_client system role uses proper spacing when creating - add-on Dracut configuration files. As a result, the role correctly sets Dracut command-line - parameters. -

-
-

- (BZ#2115161) -

-
-

Minimal RSA key bit length option in the ssh - and sshd RHEL system roles

-

- Accidentally using short RSA keys might make the system more vulnerable to attacks. With this - update, you can set RSA key minimal bit lengths for OpenSSH clients and servers by using the - RSAMinSize option in the ssh and sshd RHEL system roles. -

-
-

- (BZ#2109997) -

-
-

The NBDE Client system role supports static IP addresses

-

- In previous versions of RHEL, restarting a system with a static IP address and configured with - the Network Bound Disk Encryption (NBDE) Client system role would change the system’s IP - address. With this change, systems with static IP addresses are supported by the NBDE Client - system role, and their IP addresses do not change after a reboot. -

-
-

- Note that by default, the NBDE role uses DHCP when booting, and switches to the configured static IP - when the system is booted. -

-

- (BZ#2071011) -

-
-
-
-
-
-

8.17. Virtualization

-
-
-
-
-

Live pre-copy migration of VMs with failover VFs now works - correctly

-

- Previously, attempting to pre-copy migrate a running virtual machine (VM) failed if the VM used - a device with the virtual function (VF) failover capability enabled. This update fixes the - problem, and migrating VMs in the described scenario now works correctly. -

-
-

- (BZ#2054656) -

-
-
-
-
-
-

8.18. RHEL in cloud environments

-
-
-
-
-

An instance now retains the primary IP address even after starting the - nm-cloud-setup service in Alibaba Cloud

-

- Previously, after launching an instance in the Alibaba Cloud, the nm-cloud-setup service - configured the incorrect IP address as the primary IP address in case of multiple IPv4 - addresses. Consequently, this affected the selection of the IPv4 source address for outgoing - connections. With this update, after configuring secondary IP addresses manually, the - NetworkManager package fetches the primary IP address from primary-ip-address metadata and - configures both primary and secondary IP addresses correctly. -

-
-

- (BZ#2082000) -

-
-

SR-IOV no longer performs suboptimally in ARM 64 RHEL 8 virtual machines on - Azure

-

- Previously, SR-IOV networking devices had significantly lower throughout and higher latency than - expected in ARM 64 RHEL 8 virtual machines (VMs) running on a Microsoft Azure platform. The - problem has been fixed, and the affected VMs now perform as expected. -

-
-

- (BZ#2068429) -

-
-

Starting a RHEL 8 virtual machine on AWS using cloud-init no longer takes longer than expected

-

- Previously, initializing an EC2 instance of RHEL 8 using the cloud-init service on Amazon Web Services (AWS) took an excessive - amount of time. The Amazon Machine Images (AMIs) of RHEL 8 have been updated to include a fix - for the problem, and intializing EC2 instances of RHEL 8 now works correctly. -

-
-

- However, you might still encounter slow intialization when customizing and uploading your own RHEL 8 - image. To avoid this problem, remove the /etc/resolv.conf file from the - image you are using for VM creation before uploading the image to AWS. -

-

- (BZ#1862930) -

-
-
-
-
-
-

8.19. Containers

-
-
-
-
-

DNF and YUM no longer fail because of non-matching repository IDs -

-

- Previously, DNF and YUM repository IDs did not match the format that DNF or YUM expected. For - example, if you ran the following example, the error occurred: -

-
-
# podman run -ti ubi8-ubi
-# dnf debuginfo-install dnsmasq
-...
-This system is not registered with an entitlement server. You can use subscription-manager to register.
-

- With this update, the problem has been fixed. Suffix --debug-rpms was - added to all debug repository names (for example ubi-8-appstream-debug-rpms), and also the suffix -rpms was added to all UBI repository names (for example ubi-8-appstream-rpms). -

-

- For more information, see Universal Base Images (UBI): Images, - repositories, packages, and source code. -

-

- (BZ#2120378) -

-
-

Container images signed with a Beta GPG key can now be pulled

-

- Previously, when you pulled RHEL Beta container images, Podman failed with the error message: - Error: Source image rejected: None of the signatures were accepted. - The images failed to be pulled due to current builds being configured to not trust the RHEL Beta - GPG keys by default. With this update, the /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted - keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in - the default configuration. -

-
-

- (BZ#2020301) -

-
-
-
-
-
-
-

Chapter 9. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.7. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

9.1. Shells and command-line tools

-
-
-
-
-

ReaR available on the 64-bit IBM Z architecture as a Technology - Preview

-

- Basic Relax and Recover (ReaR) functionality is now available on the 64-bit IBM Z architecture - as a Technology Preview. You can create a ReaR rescue image on IBM Z only in the z/VM - environment. Backing up and recovering logical partitions (LPARs) has not been tested. -

-
-

- The only output method currently available is Initial Program Load (IPL). IPL produces a kernel and - an initial ramdisk (initrd) that can be used with the zIPL bootloader. -

-
-
Warning
-
-

- Currently, the rescue process reformats all the DASDs (Direct Attached Storage Devices) - connected to the system. Do not attempt a system recovery if there is any valuable data - present on the system storage devices. This also includes the device prepared with the zIPL bootloader, ReaR kernel, and initrd that were used to boot - into the rescue environment. Ensure to keep a copy. -

-
-
-

- For more information, see Using - a ReaR rescue image on the 64-bit IBM Z architecture. -

-

- (BZ#1868421) -

-
-
-
-
-
-

9.2. Networking

-
-
-
-
-

KTLS available as a Technology Preview

-

- RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS - records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM - cipher. KTLS also includes the interface for offloading TLS record encryption to Network - Interface Controllers (NICs) that provides this functionality. -

-
-

- (BZ#1570255) -

-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It - accompanies XDP and grants efficient redirection of - programmatically selected packets to user space applications for further processing. -

-
-

- (BZ#1633143) -

-
-

XDP features that are available as Technology Preview

-

- Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported - Technology Preview: -

-
-
-
    -
  • - Loading XDP programs on architectures other than AMD and Intel 64-bit. Note that the libxdp library is not available for architectures other than AMD - and Intel 64-bit. -
  • -
  • - The XDP hardware offloading. -
  • -
-
-

- (BZ#1889737) -

-
-

Multi-protocol Label Switching for TC available as a Technology - Preview

-

- The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route - traffic flow across enterprise networks. In an MPLS network, the router that receives packets - decides the further route of the packets based on the labels attached to the packet. With the - usage of labels, the MPLS network has the ability to handle packets with particular - characteristics. For example, you can add tc filters for managing - packets received from specific ports or carrying specific types of traffic, in a consistent way. -

-
-

- After packets enter the enterprise network, MPLS routers perform multiple operations on the packets, - such as push to add a label, swap to - update a label, and pop to remove a label. MPLS allows defining actions - locally based on one or multiple labels in RHEL. You can configure routers and set traffic control - (tc) filters to take appropriate actions on the packets based on the - MPLS label stack entry (lse) elements, such as label, traffic class, bottom of stack, and time to live. -

-

- For example, the following command adds a filter to the enp0s1 network interface to match incoming packets having the - first label 12323 and the second label 45832. On matching packets, the following actions are taken: -

-
-
    -
  • - the first MPLS TTL is decremented (packet is dropped if TTL reaches 0) -
  • -
  • - the first MPLS label is changed to 549386 -
  • -
  • -

    - the resulting packet is transmitted over enp0s2, - with destination MAC address 00:00:5E:00:53:01 - and source MAC address 00:00:5E:00:53:02 -

    -
    # tc filter add dev enp0s1 ingress protocol mpls_uc flower mpls lse depth 1 label 12323 lse depth 2 label 45832 \
    -action mpls dec_ttl pipe \
    -action mpls modify label 549386 pipe \
    -action pedit ex munge eth dst set 00:00:5E:00:53:01 pipe \
    -action pedit ex munge eth src set 00:00:5E:00:53:02 pipe \
    -action mirred egress redirect dev enp0s2
    -
  • -
-
-

- (BZ#1814836, BZ#1856415) -

-
-

The systemd-resolved service is now available - as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, a Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- (BZ#1906489) -

-
-
-
-
-
-

9.3. Kernel

-
-
-
-
-

The kexec fast reboot feature is available as - a Technology Preview

-

- The kexec fast reboot feature continues to be available as a - Technology Preview. The kexec fast reboot significantly speeds the - boot process as the kernel enables booting directly into the second kernel without passing - through the Basic Input/Output System (BIOS) first. To use this feature: -

-
-
-
    -
  1. - Load the kexec kernel manually. -
  2. -
  3. - Reboot the operating system. -
  4. -
-
-

- (BZ#1769727) -

-
-

The accel-config package available as a - Technology Preview

-

- The accel-config package is now available on Intel EM64T and AMD64 architectures as a - Technology Preview. This package helps in controlling and configuring data-streaming accelerator - (DSA) sub-system in the Linux Kernel. Also, it configures devices through sysfs (pseudo-filesystem), saves and loads the configuration in the - json format. -

-
-

- (BZ#1843266) -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms - using the Flexible Launch Control mechanism - to use the SGX technology. -

-
-

- (BZ#1660337) -

-
-

eBPF available as a - Technology Preview

-

- Extended Berkeley Packet Filter (eBPF) is an - in-kernel virtual machine that allows code execution in the kernel space, in the restricted - sandbox environment with access to a limited set of functions. -

-
-

- The virtual machine includes a new system call bpf(), which enables - creating various types of maps, and also allows to load programs in a special assembly-like code. - The code is then loaded to the kernel and translated to the native machine code with just-in-time - compilation. Note that the bpf() syscall can be successfully used only - by a user with the CAP_SYS_ADMIN capability, such as the root user. See - the bpf(2) manual page for more information. -

-

- The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet - reception) to receive and process data. -

-

- There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a - different development phase. All components are available as a Technology Preview, unless a specific - component is indicated as supported. -

-

- The following notable eBPF components are - currently available as a Technology Preview: -

-
-
    -
  • - AF_XDP, a socket for connecting the eXpress Data Path (XDP) path to user space - for applications that prioritize packet processing performance. -
  • -
-
-

- (BZ#1559616) -

-
-

The Intel data streaming accelerator driver for kernel is available as a - Technology Preview

-

- The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a - Technology Preview. It is an Intel CPU integrated accelerator and includes a shared work queue - with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- (BZ#1837187) -

-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol that - implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which maintains - two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL - 8. -

-
-

- (BZ#1605216) -

-
-

The stmmac driver is available as a Technology - Preview

-

- Red Hat provides the usage of stmmac for Intel® Elkhart Lake - systems on a chip (SoCs) as an unsupported Technology Preview. -

-
-

- (BZ#1905243) -

-
-
-
-
-
-

9.4. File systems and storage

-
-
-
-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8, the file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address space. To - use DAX, a system must have some form of persistent memory available, usually in the form of one - or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that provides the - capability of DAX must be created on the NVDIMM(s). Also, the file system must be mounted with - the dax mount option. Then, a mmap of - a file on the dax-mounted file system results in a direct mapping of storage into the - application’s address space. -

-
-

- (BZ#1627455) -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top of - another. Changes are recorded in the upper file system, while the lower file system remains - unmodified. This allows multiple users to share a file-system image, such as a container or a - DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings - when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other specialized - use cases, such as squashed kdump initramfs. Its use is - supported primarily for container COW content, not for persistent storage. You must place - any persistent storage on non-OverlayFS volumes. You can use only the default container - engine configuration: one level of overlay, one lowerdir, and both lower and upper levels - are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might change - in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped with - MAP_SHARED are inconsistent with subsequent - modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on RHEL - 8, but you can enable full POSIX compliance for them with a module option or - mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and index=on options to improve POSIX compliance. - These two options make the format of the upper layer incompatible with an - overlay without these options. That is, you might get unexpected results or - errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, use - the following command and see if the ftype=1 option is - enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel - documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- (BZ#1690207) -

-
-

Stratis is now available as a Technology Preview

-

- Stratis is a new local storage manager. It provides managed file systems on top of pools of - storage with additional features to the user. -

-
-

- Stratis enables you to more easily perform storage tasks such as: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- RHEL 8.3 updated Stratis to version 2.1.0. For more information, see Stratis 2.1.0 Release - Notes. -

-

- (JIRA:RHELPLAN-1212) -

-
-

Setting up a Samba server on an IdM domain member is provided as a - Technology Preview

-

- With this update, you can now set up a Samba server on an Identity Management (IdM) domain - member. The new ipa-client-samba utility provided by the same-named - package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For - example, the utility creates the /etc/samba/smb.conf with the ID - mapping configuration for the sss ID mapping back end. As a result, - administrators can now set up Samba on an IdM domain member. -

-
-

- Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts - cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support - resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) - protocols. As a consequence, AD users can only access the Samba shares and printers from IdM - clients. -

-

- For details, see Setting - up Samba on an IdM domain member. -

-

- (JIRA:RHELPLAN-13195) -

-
-

NVMe/TCP host is available as a Technology Preview

-

- Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) - and its corresponding nvme_tcp.ko kernel module has been added as a - Technology Preview. The use of NVMe/TCP as a host is manageable with tools provided by the nvme-cli package. The NVMe/TCP host Technology Preview is included - only for testing purposes and is not currently planned for full support. -

-
-

- (BZ#1696451) -

-
-
-
-
-
-

9.5. High availability and clusters

-
-
-
-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on Podman, with the container bundle feature being available - as a Technology Preview. There is one exception to this feature being Technology Preview: Red - Hat fully supports the use of Pacemaker bundles for Red Hat Openstack. -

-
-

- (BZ#1619620) -

-
-

Heuristics in corosync-qdevice available as a - Technology Preview

-

- Heuristics are a set of commands executed locally on startup, cluster membership change, - successful connect to corosync-qnetd, and, optionally, on a - periodic basis. When all commands finish successfully on time (their return error code is zero), - heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which - partition should be quorate. -

-
-

- (BZ#1784200) -

-
-

New fence-agents-heuristics-ping fence - agent

-

- As a Technology Preview, Pacemaker now provides the fence_heuristics_ping agent. This agent aims to open a class of - experimental fence agents that do no actual fencing by themselves but instead exploit the - behavior of fencing levels in a new way. -

-
-

- If the heuristics agent is configured on the same fencing level as the fence agent that does the - actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the - agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to - succeed, causing Pacemaker fencing to skip the step of issuing the off - action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent - the agent that does the actual fencing from fencing a node under certain conditions. -

-

- A user might want to use this agent, especially in a two-node cluster, when it would not make sense - for a node to fence the peer if it can know beforehand that it would not be able to take over the - services properly. For example, it might not make sense for a node to take over services if it has - problems reaching the networking uplink, making the services unreachable to clients, a situation - which a ping to a router might detect in that case. -

-

- (BZ#1775847) -

-
-

Automatic removal of location constraint following resource move available - as a Technology Preview

-

- When you execute the pcs resource move command, this adds a - constraint to the resource to prevent it from running on the node on which it is currently - running. A new --autodelete option for the pcs resource move command is now available as a Technology Preview. - When you specify this option, the location constraint that the command creates is automatically - removed once the resource has been moved. -

-
-

- (BZ#1847102) -

-
-
-
-
-
-

9.6. Identity Management

-
-
-
-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- (BZ#1664719) -

-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

- -

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- (BZ#1664718) -

-
-

ACME available as a Technology Preview

-

- The Automated Certificate Management Environment (ACME) service is now available in Identity - Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation - and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and - avoiding manual processes from certificate lifecycle management. -

-
-

- In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS - ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM - deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity - period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire - IdM deployment. -

-
-
Important
-
-

- It is recommended to enable ACME only in an IdM deployment where all servers are running - RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause - problems in mixed-version deployments. For example, a CA server without ACME can cause - client connections to fail, because it uses a different DNS Subject Alternative Name (SAN). -

-
-
-
-
Warning
-
-

- Currently, RHCS does not remove expired certificates. Because ACME certificates expire after - 90 days, the expired certificates can accumulate and this can affect performance. -

-
-
-
-
    -
  • -

    - To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command: -

    -
    # ipa-acme-manage enable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command: -

    -
    # ipa-acme-manage disable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To check whether the ACME service is installed and if it is enabled or disabled, use the - ipa-acme-manage status command: -

    -
    # ipa-acme-manage status
    -ACME is enabled
    -The ipa-acme-manage command was successful
    -
  • -
-
-

- (BZ#1628987) -

-
-

RHEL IdM allows delegating user authentication to external identity - providers as a Technology Preview

-

- In RHEL IdM, you can now associate users with external identity providers (IdP) that support the - OAuth 2 device authorization flow. When these users authenticate with the SSSD version available - in RHEL 8.7, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after - performing authentication and authorization at the external IdP. -

-
-

- Notable features include: -

-
-
    -
  • - Adding, modifying, and deleting references to external IdPs with ipa idp-* commands -
  • -
  • - Enabling IdP authentication for users with the ipa user-mod --user-auth-type=idp command -
  • -
-
-

- For additional information, see Using - external identity providers to authenticate to IdM. -

-

- (BZ#2101770) -

-
-

sssd-idp sub-package available as a Technology Preview

-

- The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which - are client-side components that perform OAuth2 authentication against Identity Management (IdM) - servers. This feature is available only with IdM servers on RHEL 8.7 and higher, and RHEL 9.1 - and higher. -

-
-

- (BZ#2065692) -

-
-

SSSD internal krb5 idp plugin available as a Technology Preview -

-

- The SSSD krb5 idp plugin allows you to authenticate against an - external identity provider (IdP) using the OAuth2 protocol. This feature is available only with - IdM servers on RHEL 8.7 and higher, and RHEL 9.1 and higher. -

-
-

- (BZ#2056483) -

-
-
-
-
-
-

9.7. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is now available for the 64-bit ARM architecture as a Technology - Preview. This enables administrators to configure and manage servers from a graphical user - interface (GUI) remotely, using the VNC session. -

-
-

- As a consequence, new administration applications are available on the 64-bit ARM architecture. For - example: Disk Usage Analyzer (baobab), Firewall Configuration (firewall-config), Red Hat Subscription Manager (subscription-manager-cockpit), or the Firefox web browser. Using Firefox, - administrators can connect to the local Cockpit daemon remotely. -

-

- (JIRA:RHELPLAN-27394, BZ#1667225, BZ#1667516, BZ#1724302) -

-
-

GNOME desktop on IBM Z is available as a Technology Preview

-

- The GNOME desktop, including the Firefox web browser, is now available as a Technology Preview - on the IBM Z architecture. You can now connect to a remote graphical session running GNOME using - VNC to configure and manage your IBM Z servers. -

-
-

- (JIRA:RHELPLAN-27737) -

-
-
-
-
-
-

9.8. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available - as a Technology Preview. Note that the rest of the graphics stack is currently unverified for - the 64-bit ARM architecture. -

-
-

- (BZ#1698565) -

-
-
-
-
-
-

9.9. Virtualization

-
-
-
-
-

AMD SEV and SEV-ES for KVM virtual machines

-

- As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts the VM’s memory to protect the VM from access by the host. This increases the security - of the VM. -

-
-

- In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology - Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host - from modifying the VM’s CPU registers or reading any information from them. -

-

- Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. - Also note that RHEL 8 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security - attestation. -

-

- (BZ#1501618, BZ#1501607, JIRA:RHELPLAN-7677) -

-
-

Intel vGPU

-

- As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. -

-

- In addition, it is possible to enable a VNC console operated by Intel vGPU. By enabling it, users - can connect to a VNC console of the VM and see the VM’s desktop hosted by Intel vGPU. However, this - currently only works for RHEL guest operating systems. -

-

- (BZ#1528684) -

-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on Intel, AMD64, IBM POWER, and IBM Z systems hosts with RHEL 8. With this feature, a - RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its - own VMs. -

-
-

- (JIRA:RHELPLAN-14047, JIRA:RHELPLAN-24437) -

-
-

Technology Preview: Select Intel network adapters now provide SR-IOV in - RHEL guests on Hyper-V

-

- As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V - hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network - adapters that are supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions - are met: -

-
-
-
    -
  • - SR-IOV support is enabled for the network interface controller (NIC) -
  • -
  • - SR-IOV support is enabled for the virtual NIC -
  • -
  • - SR-IOV support is enabled for the virtual switch -
  • -
  • - The virtual function (VF) from the NIC is attached to the virtual machine -
  • -
-
-

- The feature is currently provided with Microsoft Windows Server 2016 and later. -

-

- (BZ#1348508) -

-
-

Sharing files between hosts and VMs using virtiofs

-

- As a Technology Preview, RHEL 8 now provides the virtio file system (virtiofs). Using virtiofs, you can - efficiently share files between your host system and its virtual machines (VM). -

-
-

- (BZ#1741615) -

-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines -

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a - Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel and AMD systems. In addition, nested - virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the following - Microsoft documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- (BZ#1519039) -

-
-
-
-
-
-

9.10. RHEL in cloud environments

-
-
-
-
-

RHEL confidential VMs are now available on Azure as a Technology - Preview

-

- With the updated RHEL kernel, you can now create and run confidential virtual machines (VMs) on - Microsoft Azure as a Technology Preview. However, it is not yet possible to encrypt RHEL - confidential VM images during boot on Azure. -

-
-

- (JIRA:RHELPLAN-122316) -

-
-
-
-
-
-

9.11. Containers

-
-
-
-
-

Toolbox is available as a Technology Preview

-

- Previously, the Toolbox utility was based on RHEL CoreOS coreos/toolbox. With this release, Toolbox has - been replaced with containers/toolbox. -

-
-

- (JIRA:RHELPLAN-77238) -

-
-

The sigstore signatures are now available as a Technology Preview -

-

- Beginning with Podman 4.2, you can use the sigstore format of container image signatures. The - sigstore signatures are stored in the container registry together with the container image - without the need to have a separate signature server to store image signatures. -

-
-

- (JIRA:RHELPLAN-75165) -

-
-

The capability for multiple trusted GPG keys for signing images is - available as a Technology Preview

-

- The /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted - keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in - the default configuration. -

-
-

- For example: -

-
"registry.redhat.io": [
-        {
-            "type": "signedBy",
-            "keyType": "GPGKeys",
-            "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
-        }
-]
-

- (JIRA:RHELPLAN-118470) -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- (JIRA:RHELDOCS-16861) -

-
-
-
-
-
-
-

Chapter 10. Deprecated functionality

-
-
-
-

- This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8. -

-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

10.1. Installer and image creation

-
-
-
-
-

Several Kickstart commands and options have been deprecated

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in the - logs: -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still available - and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- (BZ#1642765) -

-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you modify - your Kickstart file to remove the option. -

-
-

- (BZ#1637872) -

-
-

The Kickstart autostep command has been - deprecated

-

- The autostep command has been deprecated. The related section about - this command has been removed from the RHEL - 8 documentation. -

-
-

- (BZ#1904251) -

-
-
-
-
-
-

10.2. Software management

-
-
-
-
-

rpmbuild --sign is deprecated

-

- The rpmbuild --sign command is deprecated since RHEL 8.1. Using - this command in future releases of Red Hat Enterprise Linux can result in an error. It is - recommended that you use the rpmsign command instead. -

-
-

- (BZ#1688849) -

-
-
-
-
-
-

10.3. Shells and command-line tools

-
-
-
-
-

The OpenEXR component has been - deprecated

-

- The OpenEXR component has been deprecated. Hence, the support for - the EXR image format has been dropped from the imagecodecs module. -

-
-

- (BZ#1886310) -

-
-

The dump utility from the dump package has been deprecated

-

- The dump utility used for backup of file systems has been - deprecated and will not be available in RHEL 9. -

-
-

- In RHEL 9, Red Hat recommends using the tar, dd, or bacula, backup utility, based on type - of usage, which provides full and safe backups on ext2, ext3, and ext4 file systems. -

-

- Note that the restore utility from the dump package remains available and supported in RHEL 9 and is available - as the restore package. -

-

- (BZ#1997366) -

-
-

The ABRT tool has been deprecated

-

- The Automatic Bug Reporting Tool (ABRT) for detecting and reporting application crashes has been - deprecated in RHEL 8. As a replacement, use the systemd-coredump - tool to log and store core dumps, which are automatically generated files after a program - crashes. -

-
-

- (BZ#2055826) -

-
-

The ReaR crontab has been deprecated

-

- The /etc/cron.d/rear crontab from the rear package has been deprecated in RHEL 8 and will not be available - in RHEL 9. The crontab checks every night whether the disk layout has changed, and runs rear mkrescue command if a change happened. -

-
-

- If you require this functionality, after an upgrade to RHEL 9, configure periodic runs of ReaR - manually. -

-

- (BZ#2083301) -

-
-

The SQLite database backend in Bacula has been deprecated

-

- The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. - The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. - As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the - SQLite backend in new deployments. -

-
-

- (BZ#2089399) -

-
-

The hidepid=n mount option is not supported in - RHEL 8 systemd

-

- The mount option hidepid=n, which controls who can access - information in /proc/[pid] directories, is not compatible with - systemd infrastructure provided in RHEL 8. -

-
-

- In addition, using this option might cause certain services started by systemd to produce SELinux AVC denial messages and prevent other - operations from completing. -

-

- For more information, see the related Knowledgebase solution Is mounting /proc with "hidepid=2" - recommended with RHEL7 and RHEL8?. -

-

- (BZ#2038929) -

-
-

The /usr/lib/udev/rename_device utility has - been deprecated

-

- The udev helper utility /usr/lib/udev/rename_device for renaming network interfaces has been - deprecated. -

-
-

- (BZ#1875485) -

-
-

The raw command has been deprecated -

-

- The raw (/usr/bin/raw) command has - been deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in - an error. -

-
-

- (JIRA:RHELPLAN-133171) -

-
-
-
-
-
-

10.4. Security

-
-
-
-
-

NSS SEED ciphers are deprecated

-

- The Mozilla Network Security Services (NSS) library will not - support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth - transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends - enabling support for other cipher suites. -

-
-

- Note that SEED ciphers are already disabled by default in RHEL. -

-

- (BZ#1817533) -

-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal - and the update-crypto-policies(8) man page. -

-

- (BZ#1660839) -

-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. - Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note - that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- (BZ#1646541) -

-
-

SSL2 Client Hello - has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and earlier - allow to start a negotiation with a Client Hello message formatted - in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature - may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- (BZ#1645153) -

-
-

TPM 1.2 is deprecated

-

- The Trusted Platform Module (TPM) secure cryptoprocessor standard was updated to version 2.0 in - 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with - the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major - release. -

-
-

- (BZ#1657927) -

-
-

crypto-policies derived properties are now - deprecated

-

- With the introduction of scopes for crypto-policies directives in - custom policies, the following derived properties have been deprecated: tls_cipher, ssh_cipher, ssh_group, ike_protocol, and sha1_in_dnssec. Additionally, the use of the protocol property without specifying a scope is now deprecated as - well. See the crypto-policies(7) man page for recommended - replacements. -

-
-

- (BZ#2011208) -

-
-

Runtime disabling SELinux using /etc/selinux/config is now deprecated

-

- Runtime disabling SELinux using the SELINUX=disabled option in the - /etc/selinux/config file has been deprecated. In RHEL 9, when you - disable SELinux only through /etc/selinux/config, the system starts - with SELinux enabled but with no policy loaded. -

-
-

- If your scenario really requires to completely disable SELinux, Red Hat recommends disabling SELinux - by adding the selinux=0 parameter to the kernel command line as - described in the Changing - SELinux modes at boot time section of the Using - SELinux title. -

-

- (BZ#1932222) -

-
-

The ipa SELinux module removed from selinux-policy

-

- The ipa SELinux module has been removed from the selinux-policy package because it is no longer maintained. The - functionality is now included in the ipa-selinux subpackage. -

-
-

- If your scenario requires the use of types or interfaces from the ipa - module in a local SELinux policy, install the ipa-selinux package. -

-

- (BZ#1461914) -

-
-

fapolicyd.rules is deprecated

-

- The /etc/fapolicyd/rules.d/ directory for files containing allow - and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility. -

-
-

- (BZ#2054741) -

-
-
-
-
-
-

10.5. Networking

-
-
-
-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by - default. The basic installation provides a new version of the ifup - and ifdown scripts which call the NetworkManager service through - the nmcli tool. In Red Hat Enterprise Linux - 8, to run the ifup and the ifdown - scripts, NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts - are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
# yum install network-scripts
-

- The ifup and ifdown scripts link to the - installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- (BZ#1647725) -

-
-

The dropwatch tool is deprecated

-

- The dropwatch tool has been deprecated. The tool will not be - supported in future releases, thus it is not recommended for new deployments. As a replacement - of this package, Red Hat recommends to use the perf - command line tool. -

-
-

- For more information on using the perf command line tool, - see the Getting - started with Perf section on the Red Hat customer portal or the perf man page. -

-

- (BZ#1929173) -

-
-

The cgdcbxd package is deprecated

-

- Control group data center bridging exchange daemon (cgdcbxd) is a - service to monitor data center bridging (DCB) netlink events and manage the net_prio control group subsystem. Starting with RHEL 8.5, the cgdcbxd package is deprecated and will be removed in the next major - RHEL release. -

-
-

- (BZ#2006665) -

-
-

The xinetd service has been - deprecated

-

- The xinetd service has been deprecated and will be removed in RHEL - 9. As a replacement, use systemd. For further details, see How to convert xinetd - service to systemd. -

-
-

- (BZ#2009113) -

-
-

The WEP Wi-Fi connection method is deprecated

-

- The insecure wired equivalent privacy (WEP) Wi-Fi connection method is deprecated in RHEL 8 and - will be removed in RHEL 9.0. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 - (WPA3) or WPA2 connection methods. -

-
-

- (BZ#2029338) -

-
-

The unsupported xt_u32 module is now - deprecated

-

- Using the unsupported xt_u32 module, users of iptables can match arbitrary 32 bits in the packet header or payload. - Since RHEL 8.6, the xt_u32 module is deprecated and will be removed - in RHEL 9. -

-
-

- If you use xt_u32, migrate to the nftables - packet filtering framework. For example, first change your firewall to use iptables with native matches to incrementally replace individual rules, - and later use the iptables-translate and accompanying utilities to - migrate to nftables. If no native match exists in nftables, use the raw payload matching feature of nftables. For details, see the raw payload expression section in the nft(8) - man page. -

-

- (BZ#2061288) -

-
-

The term slaves is deprecated in the nmstate API

-

- Red Hat is committed to using conscious language. Therefore the slaves term is deprecated in the Nmstate API. Use the term port when you use nmstatectl. -

-
-

- (JIRA:RHELDOCS-17641) -

-
-
-
-
-
-

10.6. Kernel

-
-
-
-
-

Kernel live patching now covers all RHEL minor releases

-

- Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of - RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important - Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently - covered kernels and use cases, the support window for each live patch has been decreased from 12 - to 6 months for every minor, major, and zStream version of the kernel. It means that on the day - a kernel live patch is released, it will cover every minor release and scheduled errata kernel - delivered in the past 6 months. -

-
-

- For more information about this feature, see Applying - patches with kernel live patching. -

-

- For details about available kernel live patches, see Kernel Live Patch life cycles. -

-

- (BZ#1958250) -

-
-

The crash-ptdump-command package is - deprecated

-

- The crash-ptdump-command package, which is a ptdump extension module for the crash utility, is deprecated and - might not be available in future RHEL releases. The ptdump command - fails to retrieve the log buffer when working in the Single Range Output mode and only works in - the Table of Physical Addresses (ToPA) mode. crash-ptdump-command - is currently not maintained upstream -

-
-

- (BZ#1838927) -

-
-

Installing RHEL for Real Time 8 using diskless boot is now - deprecated

-

- Diskless booting allows multiple systems to share a root file system through the network. While - convenient, diskless boot is prone to introducing network latency in real-time workloads. With a - future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be - supported. -

-
-

- (BZ#1748980) -

-
-

The Linux firewire sub-system and its - associated user-space components are deprecated in RHEL 8

-

- The firewire sub-system provides interfaces to use and maintain any - resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer - be supported in the kernel package. Note that firewire contains several user-space components provided by the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as - well. -

-
-

- (BZ#1871863) -

-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is - a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is - available as an unsupported Technology Preview. However, due to stability issues, this feature - has been deprecated and will be removed in RHEL 9. -

-
-

- (BZ#1878207) -

-
-
-
-
-
-

10.7. Boot loader

-
-
-
-
-

The kernelopts environment variable has been - deprecated

-

- In RHEL 8, the kernel command-line parameters for systems using the GRUB2 bootloader were - defined in the kernelopts environment variable. The variable was - stored in the /boot/grub2/grubenv file for each kernel boot entry. - However, storing the kernel command-line parameters using kernelopts was not robust. Therefore, with a future major update of - RHEL, kernelopts will be removed and the kernel command-line - parameters will be stored in the Boot Loader Specification (BLS) snippet instead. -

-
-

- (BZ#2060759) -

-
-
-
-
-
-

10.8. File systems and storage

-
-
-
-
-

VDO write modes other than async are - deprecated

-

- VDO supports several write modes in RHEL 8: -

-
-
-
    -
  • - sync -
  • -
  • - async -
  • -
  • - async-unsafe -
  • -
  • - auto -
  • -
-
-

- Starting with RHEL 8.4, the following write modes are deprecated: -

-
-
-
sync
-
- Devices above the VDO layer cannot recognize if VDO is synchronous, and consequently, the - devices cannot take advantage of the VDO sync mode. -
-
async-unsafe
-
- VDO added this write mode as a workaround for the reduced performance of async mode, which complies to Atomicity, Consistency, Isolation, - and Durability (ACID). Red Hat does not recommend async-unsafe - for most use cases and is not aware of any users who rely on it. -
-
auto
-
- This write mode only selects one of the other write modes. It is no longer necessary when - VDO supports only a single write mode. -
-
-
-

- These write modes will be removed in a future major RHEL release. -

-

- The recommended VDO write mode is now async. -

-

- For more information on VDO write modes, see Selecting - a VDO write mode. -

-

- (JIRA:RHELPLAN-70700) -

-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. - This change affects only NFS version 3 because version 4 requires the Transmission Control - Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- (BZ#1592011) -

-
-

cramfs has been deprecated

-

- Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution. -

-
-

- (BZ#1794513) -

-
-

VDO manager has been deprecated

-

- The python-based VDO management software has been deprecated and will be removed from RHEL 9. In - RHEL 9, it will be replaced by the LVM-VDO integration. Therefore, it is recommended to create - VDO volumes using the lvcreate command. -

-
-

- The existing volumes created using the VDO management software can be converted using the /usr/sbin/lvm_import_vdo script, provided by the lvm2 package. For more information on the LVM-VDO implementation, see Deduplicating - and compressing logical volumes on RHEL. -

-

- (BZ#1949163) -

-
-

The elevator kernel command line parameter is - deprecated

-

- The elevator kernel command line parameter was used in earlier RHEL - releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is typically - the optimal setting. If you require a different scheduler, Red Hat recommends that you use udev rules or the TuneD service to configure it. Match the selected - devices and switch the scheduler only for those devices. -

-

- For more information, see Setting - the disk scheduler. -

-

- (BZ#1665295) -

-
-

LVM mirror is deprecated

-

- The LVM mirror segment type is now deprecated. Support for mirror will be removed in a future major release of RHEL. -

-
-

- Red Hat recommends that you use LVM RAID 1 devices with a segment type of raid1 instead of mirror. The raid1 segment type is the default RAID configuration type and replaces - mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 logical volume. -

-

- LVM mirror has several known issues. For details, see known - issues in file systems and storage. -

-

- (BZ#1827628) -

-
-

peripety is deprecated

-

- The peripety package is deprecated since RHEL 8.3. -

-
-

- The Peripety storage event notification daemon parses system storage logs into structured storage - events. It helps you investigate storage issues. -

-

- (BZ#1871953) -

-
-
-
-
-
-

10.9. High availability and clusters

-
-
-
-
-

pcs commands that support the clufter tool have been deprecated

-

- The pcs commands that support the clufter tool for analyzing cluster configuration formats have been - deprecated. These commands now print a warning that the command has been deprecated and sections - related to these commands have been removed from the pcs help - display and the pcs(8) man page. -

-
-

- The following commands have been deprecated: -

-
-
    -
  • - pcs config import-cman for importing CMAN / RHEL6 HA cluster - configuration -
  • -
  • - pcs config export for exporting cluster configuration to a list - of pcs commands which recreate the same cluster -
  • -
-
-

- (BZ#1851335) -

-
-
-
-
-
-

10.10. Dynamic programming languages, web and database servers

-
-
-
-
-

The mod_php module provided with PHP for use - with the Apache HTTP Server has been deprecated

-

- The mod_php module provided with PHP for use with the Apache HTTP - Server in RHEL 8 is available but not enabled in the default configuration. The module is no - longer available in RHEL 9. -

-
-

- Since RHEL 8, PHP scripts are run using the FastCGI Process Manager (php-fpm) by default. For more information, see Using - PHP with the Apache HTTP Server. -

-

- (BZ#2225332) -

-
-
-
-
-
-

10.11. Compilers and development tools

-
-
-
-
-

libdwarf has been deprecated

-

- The libdwarf library has been deprecated in RHEL 8. The library - will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for - applications that wish to process ELF/DWARF files. -

-
-

- Alternatives for the libdwarf-tools dwarfdump program are the binutils readelf program or the elfutils eu-readelf program, both used by passing the --debug-dump flag. -

-

- (BZ#1920624) -

-
-

The gdb.i686 packages are deprecated -

-

- In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another - package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions - of GDB, gdb.x86_64, are fully capable of debugging 32-bit - applications. -

-
-

- If you use gdb.i686, note the following important issues: -

-
-
    -
  • - The gdb.i686 packages will no longer be updated. Users must - install gdb.x86_64 instead. -
  • -
  • - If you have gdb.i686 installed, installing gdb.x86_64 will cause yum to report - package gdb-8.2-14.el8.x86_64 obsoletes gdb < 8.2-14.el8 provided by gdb-8.2-12.el8.i686. - This is expected. Either uninstall gdb.i686 or pass dnf the --allowerasing option to - remove gdb.i686 and install gdb.x8_64. -
  • -
  • - Users will no longer be able to install the gdb.i686 packages - on 64-bit systems, that is, those with the libc.so.6()(64-bit) - packages. -
  • -
-
-

- (BZ#1853140) -

-
-
-
-
-
-

10.12. Identity Management

-
-
-
-
-

openssh-ldap has been deprecated

-

- The openssh-ldap subpackage has been deprecated in Red Hat - Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat - recommends using SSSD and the sss_ssh_authorizedkeys helper, which - integrate better with other IdM solutions and are more secure. -

-
-

- By default, the SSSD ldap and ipa - providers read the sshPublicKey LDAP attribute of the user object, if - available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from - Active Directory (AD), since AD does not have a default LDAP attribute to store a public key. -

-

- To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, - enable the ssh responder by adding ssh to - the services option in the sssd.conf file. - See the sssd.conf(5) man page for details. -

-

- To allow sshd to use sss_ssh_authorizedkeys, add the AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page. -

-

- (BZ#1871025) -

-
-

DES and 3DES encryption types have been removed

-

- Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and - disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) - and triple-DES (3DES) encryption types have been removed from RHEL 8. -

-
-

- If you have configured services or users to only use DES or 3DES encryption, you might experience - service interruptions such as: -

-
-
    -
  • - Kerberos authentication errors -
  • -
  • - unknown enctype encryption errors -
  • -
  • - Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (K/M) fail to start -
  • -
-
-

- Perform the following actions to prepare for the upgrade: -

-
-
    -
  1. - Check if your KDC uses DES or 3DES encryption with the krb5check open source Python scripts. See krb5check on GitHub. -
  2. -
  3. - If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a - supported encryption type, such as Advanced Encryption Standard (AES). For instructions on - re-keying, see Retiring - DES from MIT Kerberos Documentation. -
  4. -
  5. -

    - Test independence from DES and 3DES by temporarily setting the following Kerberos - options before upgrading: -

    -
    -
      -
    1. - In /var/kerberos/krb5kdc/kdc.conf on the KDC, set - supported_enctypes and do not include des or des3. -
    2. -
    3. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set allow_weak_crypto to false. It is false by default. -
    4. -
    5. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set permitted_enctypes, default_tgs_enctypes, and default_tkt_enctypes, and do not include des or des3. -
    6. -
    -
    -
  6. -
  7. - If you do not experience any service interruptions with the test Kerberos settings from the - previous step, remove them and upgrade. You do not need those settings after upgrading to - the latest Kerberos packages. -
  8. -
-
-

- (BZ#1877991) -

-
-

Standalone use of the ctdb service has been - deprecated

-

- Since RHEL 8.4, customers are advised to use the ctdb clustered - Samba service only when both of the following conditions apply: -

-
-
-
    -
  • - The ctdb service is managed as a pacemaker resource with the resource-agent ctdb. -
  • -
  • - The ctdb service uses storage volumes that contain either a - GlusterFS file system provided by the Red Hat Gluster Storage product or a GFS2 file system. -
  • -
-
-

- The stand-alone use case of the ctdb service has been deprecated and - will not be included in a next major release of Red Hat Enterprise Linux. For further information on - support policies for Samba, see the Knowledgebase article Support Policies for RHEL Resilient Storage - - ctdb General Policies. -

-

- (BZ#1916296) -

-
-

Running Samba as a PDC or BDC is deprecated

-

- The classic domain controller mode that enabled administrators to run Samba as an NT4-like - primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and - settings to configure these modes will be removed in a future Samba release. -

-
-

- As long as the Samba version in RHEL 8 provides the PDC and BDC modes, Red Hat supports these modes - only in existing installations with Windows versions which support NT4 domains. Red Hat recommends - not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and - Windows Server 2008 R2 do not support NT4 domains. -

-

- If you use the PDC to authenticate only Linux users, Red Hat suggests migrating to Red Hat Identity Management - (IdM) that is included in RHEL subscriptions. However, you cannot join Windows systems to an - IdM domain. Note that Red Hat continues supporting the PDC functionality IdM uses in the background. -

-

- Red Hat does not support running Samba as an AD domain controller (DC). -

-

- (BZ#1926114) -

-
-

Indirect AD integration with IdM via WinSync has been deprecated -

-

- WinSync is no longer actively developed in RHEL 8 due to several functional limitations: -

-
-
-
    -
  • - WinSync supports only one Active Directory (AD) domain. -
  • -
  • - Password synchronization requires installing additional software on AD Domain Controllers. -
  • -
-
-

- For a more robust solution with better resource and security separation, Red Hat recommends using a - cross-forest trust for indirect integration with - Active Directory. See the Indirect - integration documentation. -

-

- (JIRA:RHELPLAN-100400) -

-
-

The SSSD version of libwbclient has been - removed

-

- The SSSD implementation of the libwbclient package was deprecated - in RHEL 8.4. As it cannot be used with recent versions of Samba, the SSSD implementation of - libwbclient has now been removed. -

-
-

- (BZ#1947671) -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- (Jira:RHELDOCS-16612) -

-
-

Limited support for FreeRADIUS

-

- In RHEL 8, the following external authentication modules are deprecated as part of the - FreeRADIUS offering: -

-
-
-
    -
  • - The MySQL, PostgreSQL, SQlite, and unixODBC database connectors -
  • -
  • - The Perl language module -
  • -
  • - The REST API module -
  • -
-
-
-
Note
-
-

- The PAM authentication module and other authentication modules that are provided as part of - the base package are not affected. -

-
-
-

- You can find replacements for the deprecated modules in community-supported packages, for example in - the Fedora project. -

-

- In addition, the scope of support for the freeradius package will be - limited to the following use cases in future RHEL releases: -

-
-
    -
  • - Using FreeRADIUS as an authentication provider with Identity Management (IdM) as the backend - source of authentication. The authentication occurs through the krb5 and LDAP authentication packages or as PAM authentication in - the main FreeRADIUS package. -
  • -
  • - Using FreeRADIUS to provide a source-of-truth for authentication in IdM, through the Python - 3 authentication package. -
  • -
-
-

- In contrast to these deprecations, Red Hat will strengthen the support of the following external - authentication modules with FreeRADIUS: -

-
-
    -
  • - Authentication based on krb5 and LDAP -
  • -
  • - Python 3 authentication -
  • -
-
-

- The focus on these integration options is in close alignment with the strategic direction of Red Hat - IdM. -

-

- (JIRA:RHELDOCS-17573) -

-
-
-
-
-
-

10.13. Desktop

-
-
-
-
-

The libgnome-keyring library has been - deprecated

-

- The libgnome-keyring library has been deprecated in favor of the - libsecret library, as libgnome-keyring - is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. - The new libsecret library is the replacement that follows the - necessary security standards. -

-
-

- (BZ#1607766) -

-
-
-
-
-
-

10.14. Graphics infrastructures

-
-
-
-
-

AGP graphics cards are no longer supported

-

- Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat - Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement. -

-
-

- (BZ#1569610) -

-
-

Motif has been deprecated

-

- The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif - community is inactive. -

-
-

- The following Motif packages have been deprecated, including their development and debugging - variants: -

-
-
    -
  • - motif -
  • -
  • - openmotif -
  • -
  • - openmotif21 -
  • -
  • - openmotif22 -
  • -
-
-

- Additionally, the motif-static package has been removed. -

-

- Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new - features compared to Motif. -

-

- (JIRA:RHELPLAN-98983) -

-
-
-
-
-
-

10.15. The web console

-
-
-
-
-

The web console no longer supports incomplete translations

-

- The RHEL web console no longer provides translations for languages that have translations - available for less than 50 % of the Console’s translatable strings. If the browser requests - translation to such a language, the user interface will be in English instead. -

-
-

- (BZ#1666722) -

-
-
-
-
-
-

10.16. Red Hat Enterprise Linux system roles

-
-
-
-
-

The networking system role displays a - deprecation warning when configuring teams on RHEL 9 nodes

-

- The network teaming capabilities have been deprecated in RHEL 9. As a result, using the networking RHEL system role on an RHEL 8 controller to configure a - network team on RHEL 9 nodes, shows a warning about its deprecation. -

-
-

- (BZ#2021685) -

-
-

Ansible Engine has been deprecated

-

- Previous versions of RHEL 8 provided access to an Ansible Engine repository, with a limited - scope of support, to enable supported RHEL Automation use cases, such as RHEL system roles and - Insights remedations. Ansible Engine has been deprecated, and Ansible Engine 2.9 will have no - support after September 29, 2023. For more details on the supported use cases, see Scope of support for the - Ansible Core package included in the RHEL 9 AppStream. -

-
-

- Users must manually migrate their systems from Ansible Engine to Ansible Core. For that, follow the - steps: -

-
-

Procedure

-
    -
  1. -

    - Check if the system is running RHEL 8.7: -

    -
    # cat /etc/redhat-release
    -
  2. -
  3. -

    - Uninstall Ansible Engine 2.9: -

    -
    # yum remove ansible
    -
  4. -
  5. -

    - Disable the ansible-2-for-rhel-8-x86_64-rpms repository: -

    -
    # subscription-manager repos --disable
    -ansible-2-for-rhel-8-x86_64-rpms
    -
  6. -
  7. -

    - Install the Ansible Core package from the RHEL 8 AppStream repository: -

    -
    # yum install ansible-core
    -
  8. -
-
-

- For more details, see: Using - Ansible in RHEL 8.6 and later. -

-

- (BZ#2006081) -

-
-

The geoipupdate package has been - deprecated

-

- The geoipupdate package requires a third-party subscription and it - also downloads proprietary content. Therefore, the geoipupdate - package has been deprecated, and will be removed in the next major RHEL version. -

-
-

- (BZ#1874892) -

-
-
-
-
-
-

10.17. Virtualization

-
-
-
-
-

virsh iface-* commands have become - deprecated

-

- The virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, are now deprecated, and will be removed in a - future major version of RHEL. In addition, these commands frequently fail due to configuration - dependencies. -

-
-

- Therefore, it is recommended not to use virsh iface-* commands for - configuring and managing host network connections. Instead, use the NetworkManager program and its - related management applications, such as nmcli. -

-

- (BZ#1664592) -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager may not be yet - available in the RHEL web console. -

-
-

- (JIRA:RHELPLAN-10304) -

-
-

Limited support for virtual machine snapshots

-

- Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the - UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, - which negatively impacts the hypervisor performance for certain workloads. -

-
-

- Also note that the current mechanism of creating VM snapshots has been deprecated, and Red Hat does - not recommend using VM snapshots in a production environment. -

-

- (BZ#1686057) -

-
-

The Cirrus VGA virtual - GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA. -

-
-

- (BZ#1651994) -

-
-

KVM on IBM POWER has been deprecated

-

- Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM - POWER is still supported in RHEL 8, but will become unsupported in a future major release of - RHEL. -

-
-

- (JIRA:RHELPLAN-71200) -

-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. Instead, Red Hat recommends using signatures based on the - SHA2 algorithm, or later. -

-
-

- (BZ#1935497) -

-
-

Using SPICE to attach smart card readers to virtual machines has been - deprecated

-

- The SPICE remote display protocol has been deprecated in RHEL 8. Since the only recommended way - to attach smart card readers to virtual machines (VMs) depends on the SPICE protocol, the usage - of smart cards in VMs has also become deprecated in RHEL 8. -

-
-

- In a future major version of RHEL, the functionality of attaching smart card readers to VMs will - only be supported by third party remote visualization solutions. -

-

- (BZ#2059626) -

-
-

SPICE has been deprecated

-

- The SPICE remote display protocol has become deprecated. As a result, SPICE will remain - supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display - streaming: -

-
-
-
    -
  • - For remote console access, use the VNC protocol. -
  • -
  • - For advanced remote display functions, use third party tools such as RDP, HP RGS, or - Mechdyne TGX. -
  • -
-
-

- Note that the QXL graphics device, which is used - by SPICE, has become deprecated as well. (BZ#1849563) -

-
-
-
-
-
-

10.18. Containers

-
-
-
-
-

The Podman varlink-based API v1.0 has been removed

-

- The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 - introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API - v1.0 has been completely removed. -

-
-

- (JIRA:RHELPLAN-45858) -

-
-

container-tools:1.0 has been - deprecated

-

- The container-tools:1.0 module has been deprecated and will no - longer receive security updates. It is recommended to use a newer supported stable module - stream, such as container-tools:2.0 or container-tools:3.0. -

-
-

- (JIRA:RHELPLAN-59825) -

-
-

The container-tools:2.0 module has been - deprecated

-

- The container-tools:2.0 module has been deprecated and will no longer receive security updates. - It is recommended to use a newer supported stable module stream, such as container-tools:3.0. -

-
-

- (JIRA:RHELPLAN-85066) -

-
-

Flatpak images except GIMP has been deprecated

-

- The rhel8/firefox-flatpak, rhel8/thunderbird-flatpak, rhel8/inkscape-flatpak, and rhel8/libreoffice-flatpak RHEL 8 Flatpak Applications have been - deprecated and replaced by the RHEL 9 versions. The rhel8/gimp-flatpak Flatpak Application is not deprecated because - there is no replacement yet in RHEL 9. -

-
-

- (BZ#2142499) -

-
-
-
-
-
-

10.19. Deprecated packages

-
-
-
-

- This section lists packages that have been deprecated and will probably not be included in a future - major release of Red Hat Enterprise Linux. -

-

- For changes to packages between RHEL 7 and RHEL 8, see Changes - to packages in the Considerations in adopting RHEL 8 - document. -

-

- The following packages have been deprecated and remain supported until the end of life of RHEL 8: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - abrt -
  • -
  • - abrt-addon-ccpp -
  • -
  • - abrt-addon-kerneloops -
  • -
  • - abrt-addon-pstoreoops -
  • -
  • - abrt-addon-vmcore -
  • -
  • - abrt-addon-xorg -
  • -
  • - abrt-cli -
  • -
  • - abrt-console-notification -
  • -
  • - abrt-dbus -
  • -
  • - abrt-desktop -
  • -
  • - abrt-gui -
  • -
  • - abrt-gui-libs -
  • -
  • - abrt-libs -
  • -
  • - abrt-tui -
  • -
  • - adobe-source-sans-pro-fonts -
  • -
  • - adwaita-qt -
  • -
  • - alsa-plugins-pulseaudio -
  • -
  • - amanda -
  • -
  • - amanda-client -
  • -
  • - amanda-libs -
  • -
  • - amanda-server -
  • -
  • - ant-contrib -
  • -
  • - antlr3 -
  • -
  • - antlr32 -
  • -
  • - aopalliance -
  • -
  • - apache-commons-collections -
  • -
  • - apache-commons-compress -
  • -
  • - apache-commons-exec -
  • -
  • - apache-commons-jxpath -
  • -
  • - apache-commons-parent -
  • -
  • - apache-ivy -
  • -
  • - apache-parent -
  • -
  • - apache-resource-bundles -
  • -
  • - apache-sshd -
  • -
  • - apiguardian -
  • -
  • - aspnetcore-runtime-3.0 -
  • -
  • - aspnetcore-runtime-3.1 -
  • -
  • - aspnetcore-runtime-5.0 -
  • -
  • - aspnetcore-targeting-pack-3.0 -
  • -
  • - aspnetcore-targeting-pack-3.1 -
  • -
  • - aspnetcore-targeting-pack-5.0 -
  • -
  • - assertj-core -
  • -
  • - authd -
  • -
  • - auto -
  • -
  • - autoconf213 -
  • -
  • - autogen -
  • -
  • - autogen-libopts -
  • -
  • - awscli -
  • -
  • - base64coder -
  • -
  • - batik -
  • -
  • - batik-css -
  • -
  • - batik-util -
  • -
  • - bea-stax -
  • -
  • - bea-stax-api -
  • -
  • - bind-export-devel -
  • -
  • - bind-export-libs -
  • -
  • - bind-libs-lite -
  • -
  • - bind-pkcs11 -
  • -
  • - bind-pkcs11-devel -
  • -
  • - bind-pkcs11-libs -
  • -
  • - bind-pkcs11-utils -
  • -
  • - bind-sdb -
  • -
  • - bind-sdb -
  • -
  • - bind-sdb-chroot -
  • -
  • - bluez-hid2hci -
  • -
  • - boost-jam -
  • -
  • - boost-signals -
  • -
  • - bouncycastle -
  • -
  • - bpg-algeti-fonts -
  • -
  • - bpg-chveulebrivi-fonts -
  • -
  • - bpg-classic-fonts -
  • -
  • - bpg-courier-fonts -
  • -
  • - bpg-courier-s-fonts -
  • -
  • - bpg-dedaena-block-fonts -
  • -
  • - bpg-dejavu-sans-fonts -
  • -
  • - bpg-elite-fonts -
  • -
  • - bpg-excelsior-caps-fonts -
  • -
  • - bpg-excelsior-condenced-fonts -
  • -
  • - bpg-excelsior-fonts -
  • -
  • - bpg-fonts-common -
  • -
  • - bpg-glaho-fonts -
  • -
  • - bpg-gorda-fonts -
  • -
  • - bpg-ingiri-fonts -
  • -
  • - bpg-irubaqidze-fonts -
  • -
  • - bpg-mikhail-stephan-fonts -
  • -
  • - bpg-mrgvlovani-caps-fonts -
  • -
  • - bpg-mrgvlovani-fonts -
  • -
  • - bpg-nateli-caps-fonts -
  • -
  • - bpg-nateli-condenced-fonts -
  • -
  • - bpg-nateli-fonts -
  • -
  • - bpg-nino-medium-cond-fonts -
  • -
  • - bpg-nino-medium-fonts -
  • -
  • - bpg-sans-fonts -
  • -
  • - bpg-sans-medium-fonts -
  • -
  • - bpg-sans-modern-fonts -
  • -
  • - bpg-sans-regular-fonts -
  • -
  • - bpg-serif-fonts -
  • -
  • - bpg-serif-modern-fonts -
  • -
  • - bpg-ucnobi-fonts -
  • -
  • - brlapi-java -
  • -
  • - bsh -
  • -
  • - buildnumber-maven-plugin -
  • -
  • - byaccj -
  • -
  • - cal10n -
  • -
  • - cbi-plugins -
  • -
  • - cdparanoia -
  • -
  • - cdparanoia-devel -
  • -
  • - cdparanoia-libs -
  • -
  • - cdrdao -
  • -
  • - cmirror -
  • -
  • - codehaus-parent -
  • -
  • - codemodel -
  • -
  • - compat-exiv2-026 -
  • -
  • - compat-guile18 -
  • -
  • - compat-hwloc1 -
  • -
  • - compat-libpthread-nonshared -
  • -
  • - compat-libtiff3 -
  • -
  • - compat-openssl10 -
  • -
  • - compat-sap-c++-11 -
  • -
  • - compat-sap-c++-10 -
  • -
  • - compat-sap-c++-9 -
  • -
  • - createrepo_c-devel -
  • -
  • - ctags -
  • -
  • - ctags-etags -
  • -
  • - custodia -
  • -
  • - cyrus-imapd-vzic -
  • -
  • - dbus-c++ -
  • -
  • - dbus-c++-devel -
  • -
  • - dbus-c++-glib -
  • -
  • - dbxtool -
  • -
  • - dhcp-libs -
  • -
  • - directory-maven-plugin -
  • -
  • - directory-maven-plugin-javadoc -
  • -
  • - dirsplit -
  • -
  • - dleyna-connector-dbus -
  • -
  • - dleyna-core -
  • -
  • - dleyna-renderer -
  • -
  • - dleyna-server -
  • -
  • - dnssec-trigger -
  • -
  • - dnssec-trigger-panel -
  • -
  • - dotnet-apphost-pack-3.0 -
  • -
  • - dotnet-apphost-pack-3.1 -
  • -
  • - dotnet-apphost-pack-5.0 -
  • -
  • - dotnet-host-fxr-2.1 -
  • -
  • - dotnet-host-fxr-2.1 -
  • -
  • - dotnet-hostfxr-3.0 -
  • -
  • - dotnet-hostfxr-3.1 -
  • -
  • - dotnet-hostfxr-5.0 -
  • -
  • - dotnet-runtime-2.1 -
  • -
  • - dotnet-runtime-3.0 -
  • -
  • - dotnet-runtime-3.1 -
  • -
  • - dotnet-runtime-5.0 -
  • -
  • - dotnet-sdk-2.1 -
  • -
  • - dotnet-sdk-2.1.5xx -
  • -
  • - dotnet-sdk-3.0 -
  • -
  • - dotnet-sdk-3.1 -
  • -
  • - dotnet-sdk-5.0 -
  • -
  • - dotnet-targeting-pack-3.0 -
  • -
  • - dotnet-targeting-pack-3.1 -
  • -
  • - dotnet-targeting-pack-5.0 -
  • -
  • - dotnet-templates-3.0 -
  • -
  • - dotnet-templates-3.1 -
  • -
  • - dotnet-templates-5.0 -
  • -
  • - dotnet5.0-build-reference-packages -
  • -
  • - dptfxtract -
  • -
  • - drpm -
  • -
  • - drpm-devel -
  • -
  • - dump -
  • -
  • - dvd+rw-tools -
  • -
  • - dyninst-static -
  • -
  • - eclipse-ecf -
  • -
  • - eclipse-ecf-core -
  • -
  • - eclipse-ecf-runtime -
  • -
  • - eclipse-emf -
  • -
  • - eclipse-emf-core -
  • -
  • - eclipse-emf-runtime -
  • -
  • - eclipse-emf-xsd -
  • -
  • - eclipse-equinox-osgi -
  • -
  • - eclipse-jdt -
  • -
  • - eclipse-license -
  • -
  • - eclipse-p2-discovery -
  • -
  • - eclipse-pde -
  • -
  • - eclipse-platform -
  • -
  • - eclipse-swt -
  • -
  • - ed25519-java -
  • -
  • - ee4j-parent -
  • -
  • - elfutils-devel-static -
  • -
  • - elfutils-libelf-devel-static -
  • -
  • - enca -
  • -
  • - enca-devel -
  • -
  • - environment-modules-compat -
  • -
  • - evince-browser-plugin -
  • -
  • - exec-maven-plugin -
  • -
  • - farstream02 -
  • -
  • - felix-gogo-command -
  • -
  • - felix-gogo-runtime -
  • -
  • - felix-gogo-shell -
  • -
  • - felix-scr -
  • -
  • - felix-osgi-compendium -
  • -
  • - felix-osgi-core -
  • -
  • - felix-osgi-foundation -
  • -
  • - felix-parent -
  • -
  • - file-roller -
  • -
  • - fipscheck -
  • -
  • - fipscheck-devel -
  • -
  • - fipscheck-lib -
  • -
  • - firewire -
  • -
  • - fonts-tweak-tool -
  • -
  • - forge-parent -
  • -
  • - freeradius-mysql -
  • -
  • - freeradius-perl -
  • -
  • - freeradius-postgresql -
  • -
  • - freeradius-rest -
  • -
  • - freeradius-sqlite -
  • -
  • - freeradius-unixODBC -
  • -
  • - fuse-sshfs -
  • -
  • - fusesource-pom -
  • -
  • - future -
  • -
  • - gamin -
  • -
  • - gamin-devel -
  • -
  • - gavl -
  • -
  • - gcc-toolset-10 -
  • -
  • - gcc-toolset-10-annobin -
  • -
  • - gcc-toolset-10-binutils -
  • -
  • - gcc-toolset-10-binutils-devel -
  • -
  • - gcc-toolset-10-build -
  • -
  • - gcc-toolset-10-dwz -
  • -
  • - gcc-toolset-10-dyninst -
  • -
  • - gcc-toolset-10-dyninst-devel -
  • -
  • - gcc-toolset-10-elfutils -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client-devel -
  • -
  • - gcc-toolset-10-elfutils-devel -
  • -
  • - gcc-toolset-10-elfutils-libelf -
  • -
  • - gcc-toolset-10-elfutils-libelf-devel -
  • -
  • - gcc-toolset-10-elfutils-libs -
  • -
  • - gcc-toolset-10-gcc -
  • -
  • - gcc-toolset-10-gcc-c++ -
  • -
  • - gcc-toolset-10-gcc-gdb-plugin -
  • -
  • - gcc-toolset-10-gcc-gfortran -
  • -
  • - gcc-toolset-10-gdb -
  • -
  • - gcc-toolset-10-gdb-doc -
  • -
  • - gcc-toolset-10-gdb-gdbserver -
  • -
  • - gcc-toolset-10-libasan-devel -
  • -
  • - gcc-toolset-10-libatomic-devel -
  • -
  • - gcc-toolset-10-libitm-devel -
  • -
  • - gcc-toolset-10-liblsan-devel -
  • -
  • - gcc-toolset-10-libquadmath-devel -
  • -
  • - gcc-toolset-10-libstdc++-devel -
  • -
  • - gcc-toolset-10-libstdc++-docs -
  • -
  • - gcc-toolset-10-libtsan-devel -
  • -
  • - gcc-toolset-10-libubsan-devel -
  • -
  • - gcc-toolset-10-ltrace -
  • -
  • - gcc-toolset-10-make -
  • -
  • - gcc-toolset-10-make-devel -
  • -
  • - gcc-toolset-10-perftools -
  • -
  • - gcc-toolset-10-runtime -
  • -
  • - gcc-toolset-10-strace -
  • -
  • - gcc-toolset-10-systemtap -
  • -
  • - gcc-toolset-10-systemtap-client -
  • -
  • - gcc-toolset-10-systemtap-devel -
  • -
  • - gcc-toolset-10-systemtap-initscript -
  • -
  • - gcc-toolset-10-systemtap-runtime -
  • -
  • - gcc-toolset-10-systemtap-sdt-devel -
  • -
  • - gcc-toolset-10-systemtap-server -
  • -
  • - gcc-toolset-10-toolchain -
  • -
  • - gcc-toolset-10-valgrind -
  • -
  • - gcc-toolset-10-valgrind-devel -
  • -
  • - gcc-toolset-9 -
  • -
  • - gcc-toolset-9-annobin -
  • -
  • - gcc-toolset-9-build -
  • -
  • - gcc-toolset-9-perftools -
  • -
  • - gcc-toolset-9-runtime -
  • -
  • - gcc-toolset-9-toolchain -
  • -
  • - gcc-toolset-11-make-devel -
  • -
  • - GConf2 -
  • -
  • - GConf2-devel -
  • -
  • - gegl -
  • -
  • - genisoimage -
  • -
  • - genwqe-tools -
  • -
  • - genwqe-vpd -
  • -
  • - genwqe-zlib -
  • -
  • - genwqe-zlib-devel -
  • -
  • - geoipupdate -
  • -
  • - geronimo-annotation -
  • -
  • - geronimo-jms -
  • -
  • - geronimo-jpa -
  • -
  • - geronimo-parent-poms -
  • -
  • - gfbgraph -
  • -
  • - gflags -
  • -
  • - gflags-devel -
  • -
  • - glassfish-annotation-api -
  • -
  • - glassfish-el -
  • -
  • - glassfish-fastinfoset -
  • -
  • - glassfish-jaxb-core -
  • -
  • - glassfish-jaxb-txw2 -
  • -
  • - glassfish-jsp -
  • -
  • - glassfish-jsp-api -
  • -
  • - glassfish-legal -
  • -
  • - glassfish-master-pom -
  • -
  • - glassfish-servlet-api -
  • -
  • - glew-devel -
  • -
  • - glib2-fam -
  • -
  • - glog -
  • -
  • - glog-devel -
  • -
  • - gmock -
  • -
  • - gmock-devel -
  • -
  • - gnome-abrt -
  • -
  • - gnome-boxes -
  • -
  • - gnome-menus-devel -
  • -
  • - gnome-online-miners -
  • -
  • - gnome-shell-extension-disable-screenshield -
  • -
  • - gnome-shell-extension-horizontal-workspaces -
  • -
  • - gnome-shell-extension-no-hot-corner -
  • -
  • - gnome-shell-extension-window-grouper -
  • -
  • - gnome-themes-standard -
  • -
  • - gnu-free-fonts-common -
  • -
  • - gnu-free-mono-fonts -
  • -
  • - gnu-free-sans-fonts -
  • -
  • - gnu-free-serif-fonts -
  • -
  • - gnupg2-smime -
  • -
  • - gnuplot -
  • -
  • - gnuplot-common -
  • -
  • - gobject-introspection-devel -
  • -
  • - google-gson -
  • -
  • - google-noto-sans-syriac-eastern-fonts -
  • -
  • - google-noto-sans-syriac-estrangela-fonts -
  • -
  • - google-noto-sans-syriac-western-fonts -
  • -
  • - google-noto-sans-tibetan-fonts -
  • -
  • - google-noto-sans-ui-fonts -
  • -
  • - gphoto2 -
  • -
  • - gsl-devel -
  • -
  • - gssntlmssp -
  • -
  • - gtest -
  • -
  • - gtest-devel -
  • -
  • - gtkmm24 -
  • -
  • - gtkmm24-devel -
  • -
  • - gtkmm24-docs -
  • -
  • - gtksourceview3 -
  • -
  • - gtksourceview3-devel -
  • -
  • - gtkspell -
  • -
  • - gtkspell-devel -
  • -
  • - gtkspell3 -
  • -
  • - guile -
  • -
  • - gutenprint-gimp -
  • -
  • - gutenprint-libs-ui -
  • -
  • - gvfs-afc -
  • -
  • - gvfs-afp -
  • -
  • - gvfs-archive -
  • -
  • - hamcrest-core -
  • -
  • - hawtjni -
  • -
  • - hawtjni -
  • -
  • - hawtjni-runtime -
  • -
  • - HdrHistogram -
  • -
  • - HdrHistogram-javadoc -
  • -
  • - highlight-gui -
  • -
  • - hivex-devel -
  • -
  • - hostname -
  • -
  • - hplip-gui -
  • -
  • - httpcomponents-project -
  • -
  • - hwloc-plugins -
  • -
  • - hyphen-fo -
  • -
  • - hyphen-grc -
  • -
  • - hyphen-hsb -
  • -
  • - hyphen-ia -
  • -
  • - hyphen-is -
  • -
  • - hyphen-ku -
  • -
  • - hyphen-mi -
  • -
  • - hyphen-mn -
  • -
  • - hyphen-sa -
  • -
  • - hyphen-tk -
  • -
  • - ibus-sayura -
  • -
  • - icedax -
  • -
  • - icu4j -
  • -
  • - idm-console-framework -
  • -
  • - iptables -
  • -
  • - ipython -
  • -
  • - isl -
  • -
  • - isl-devel -
  • -
  • - isorelax -
  • -
  • - istack-commons-runtime -
  • -
  • - istack-commons-tools -
  • -
  • - iwl3945-firmware -
  • -
  • - iwl4965-firmware -
  • -
  • - iwl6000-firmware -
  • -
  • - jacoco -
  • -
  • - jaf -
  • -
  • - jaf-javadoc -
  • -
  • - jakarta-oro -
  • -
  • - janino -
  • -
  • - jansi-native -
  • -
  • - jarjar -
  • -
  • - java-1.8.0-ibm -
  • -
  • - java-1.8.0-ibm-demo -
  • -
  • - java-1.8.0-ibm-devel -
  • -
  • - java-1.8.0-ibm-headless -
  • -
  • - java-1.8.0-ibm-jdbc -
  • -
  • - java-1.8.0-ibm-plugin -
  • -
  • - java-1.8.0-ibm-src -
  • -
  • - java-1.8.0-ibm-webstart -
  • -
  • - java-1.8.0-openjdk-accessibility -
  • -
  • - java-1.8.0-openjdk-accessibility-slowdebug -
  • -
  • - java_cup -
  • -
  • - java-atk-wrapper -
  • -
  • - javacc -
  • -
  • - javacc-maven-plugin -
  • -
  • - javaewah -
  • -
  • - javaparser -
  • -
  • - javapoet -
  • -
  • - javassist -
  • -
  • - javassist-javadoc -
  • -
  • - jaxen -
  • -
  • - jboss-annotations-1.2-api -
  • -
  • - jboss-interceptors-1.2-api -
  • -
  • - jboss-logmanager -
  • -
  • - jboss-parent -
  • -
  • - jctools -
  • -
  • - jdepend -
  • -
  • - jdependency -
  • -
  • - jdom -
  • -
  • - jdom2 -
  • -
  • - jetty -
  • -
  • - jetty-continuation -
  • -
  • - jetty-http -
  • -
  • - jetty-io -
  • -
  • - jetty-security -
  • -
  • - jetty-server -
  • -
  • - jetty-servlet -
  • -
  • - jetty-util -
  • -
  • - jffi -
  • -
  • - jflex -
  • -
  • - jgit -
  • -
  • - jline -
  • -
  • - jmc -
  • -
  • - jnr-netdb -
  • -
  • - jolokia-jvm-agent -
  • -
  • - js-uglify -
  • -
  • - jsch -
  • -
  • - json_simple -
  • -
  • - jss-javadoc -
  • -
  • - jtidy -
  • -
  • - junit5 -
  • -
  • - jvnet-parent -
  • -
  • - jzlib -
  • -
  • - kernel-cross-headers -
  • -
  • - ksc -
  • -
  • - kurdit-unikurd-web-fonts -
  • -
  • - kyotocabinet-libs -
  • -
  • - ldapjdk-javadoc -
  • -
  • - lensfun -
  • -
  • - lensfun-devel -
  • -
  • - lftp-scripts -
  • -
  • - libaec -
  • -
  • - libaec-devel -
  • -
  • - libappindicator-gtk3 -
  • -
  • - libappindicator-gtk3-devel -
  • -
  • - libatomic-static -
  • -
  • - libavc1394 -
  • -
  • - libblocksruntime -
  • -
  • - libcacard -
  • -
  • - libcacard-devel -
  • -
  • - libcgroup -
  • -
  • - libcgroup-tools -
  • -
  • - libchamplain -
  • -
  • - libchamplain-devel -
  • -
  • - libchamplain-gtk -
  • -
  • - libcroco -
  • -
  • - libcroco-devel -
  • -
  • - libcxl -
  • -
  • - libcxl-devel -
  • -
  • - libdap -
  • -
  • - libdap-devel -
  • -
  • - libdazzle-devel -
  • -
  • - libdbusmenu -
  • -
  • - libdbusmenu-devel -
  • -
  • - libdbusmenu-doc -
  • -
  • - libdbusmenu-gtk3 -
  • -
  • - libdbusmenu-gtk3-devel -
  • -
  • - libdc1394 -
  • -
  • - libdnet -
  • -
  • - libdnet-devel -
  • -
  • - libdv -
  • -
  • - libdwarf -
  • -
  • - libdwarf-devel -
  • -
  • - libdwarf-static -
  • -
  • - libdwarf-tools -
  • -
  • - libeasyfc -
  • -
  • - libeasyfc-gobject -
  • -
  • - libepubgen-devel -
  • -
  • - libertas-sd8686-firmware -
  • -
  • - libertas-usb8388-firmware -
  • -
  • - libertas-usb8388-olpc-firmware -
  • -
  • - libgdither -
  • -
  • - libGLEW -
  • -
  • - libgovirt -
  • -
  • - libguestfs-benchmarking -
  • -
  • - libguestfs-devel -
  • -
  • - libguestfs-gfs2 -
  • -
  • - libguestfs-gobject -
  • -
  • - libguestfs-gobject-devel -
  • -
  • - libguestfs-java -
  • -
  • - libguestfs-java-devel -
  • -
  • - libguestfs-javadoc -
  • -
  • - libguestfs-man-pages-ja -
  • -
  • - libguestfs-man-pages-uk -
  • -
  • - libguestfs-tools -
  • -
  • - libguestfs-tools-c -
  • -
  • - libhugetlbfs -
  • -
  • - libhugetlbfs-devel -
  • -
  • - libhugetlbfs-utils -
  • -
  • - libIDL -
  • -
  • - libIDL-devel -
  • -
  • - libidn -
  • -
  • - libiec61883 -
  • -
  • - libindicator-gtk3 -
  • -
  • - libindicator-gtk3-devel -
  • -
  • - libiscsi-devel -
  • -
  • - libjose-devel -
  • -
  • - libkkc -
  • -
  • - libkkc-common -
  • -
  • - libkkc-data -
  • -
  • - libldb-devel -
  • -
  • - liblogging -
  • -
  • - libluksmeta-devel -
  • -
  • - libmalaga -
  • -
  • - libmcpp -
  • -
  • - libmemcached -
  • -
  • - libmemcached-libs -
  • -
  • - libmetalink -
  • -
  • - libmodulemd1 -
  • -
  • - libmongocrypt -
  • -
  • - libmtp-devel -
  • -
  • - libmusicbrainz5 -
  • -
  • - libmusicbrainz5-devel -
  • -
  • - libnbd-devel -
  • -
  • - liboauth -
  • -
  • - liboauth-devel -
  • -
  • - libpfm-static -
  • -
  • - libpng12 -
  • -
  • - libpurple -
  • -
  • - libpurple-devel -
  • -
  • - libraw1394 -
  • -
  • - libreport-plugin-mailx -
  • -
  • - libreport-plugin-rhtsupport -
  • -
  • - libreport-plugin-ureport -
  • -
  • - libreport-rhel -
  • -
  • - libreport-rhel-bugzilla -
  • -
  • - librpmem -
  • -
  • - librpmem-debug -
  • -
  • - librpmem-devel -
  • -
  • - libsass -
  • -
  • - libsass-devel -
  • -
  • - libselinux-python -
  • -
  • - libsqlite3x -
  • -
  • - libtalloc-devel -
  • -
  • - libtar -
  • -
  • - libtdb-devel -
  • -
  • - libtevent-devel -
  • -
  • - libtpms-devel -
  • -
  • - libunwind -
  • -
  • - libusal -
  • -
  • - libvarlink -
  • -
  • - libverto-libevent -
  • -
  • - libvirt-admin -
  • -
  • - libvirt-bash-completion -
  • -
  • - libvirt-daemon-driver-storage-gluster -
  • -
  • - libvirt-daemon-driver-storage-iscsi-direct -
  • -
  • - libvirt-devel -
  • -
  • - libvirt-docs -
  • -
  • - libvirt-gconfig -
  • -
  • - libvirt-gobject -
  • -
  • - libvirt-lock-sanlock -
  • -
  • - libvirt-wireshark -
  • -
  • - libvmem -
  • -
  • - libvmem-debug -
  • -
  • - libvmem-devel -
  • -
  • - libvmmalloc -
  • -
  • - libvmmalloc-debug -
  • -
  • - libvmmalloc-devel -
  • -
  • - libvncserver -
  • -
  • - libwinpr-devel -
  • -
  • - libwmf -
  • -
  • - libwmf-devel -
  • -
  • - libwmf-lite -
  • -
  • - libXNVCtrl -
  • -
  • - libyami -
  • -
  • - log4j12 -
  • -
  • - log4j12-javadoc -
  • -
  • - lohit-malayalam-fonts -
  • -
  • - lohit-nepali-fonts -
  • -
  • - lorax-composer -
  • -
  • - lua-guestfs -
  • -
  • - lucene -
  • -
  • - lucene-analysis -
  • -
  • - lucene-analyzers-smartcn -
  • -
  • - lucene-queries -
  • -
  • - lucene-queryparser -
  • -
  • - lucene-sandbox -
  • -
  • - lz4-java -
  • -
  • - lz4-java-javadoc -
  • -
  • - mailman -
  • -
  • - mailx -
  • -
  • - make-devel -
  • -
  • - malaga -
  • -
  • - malaga-suomi-voikko -
  • -
  • - marisa -
  • -
  • - maven-antrun-plugin -
  • -
  • - maven-assembly-plugin -
  • -
  • - maven-clean-plugin -
  • -
  • - maven-dependency-analyzer -
  • -
  • - maven-dependency-plugin -
  • -
  • - maven-doxia -
  • -
  • - maven-doxia-sitetools -
  • -
  • - maven-install-plugin -
  • -
  • - maven-invoker -
  • -
  • - maven-invoker-plugin -
  • -
  • - maven-parent -
  • -
  • - maven-plugins-pom -
  • -
  • - maven-reporting-api -
  • -
  • - maven-reporting-impl -
  • -
  • - maven-resolver-api -
  • -
  • - maven-resolver-connector-basic -
  • -
  • - maven-resolver-impl -
  • -
  • - maven-resolver-spi -
  • -
  • - maven-resolver-transport-wagon -
  • -
  • - maven-resolver-util -
  • -
  • - maven-scm -
  • -
  • - maven-script-interpreter -
  • -
  • - maven-shade-plugin -
  • -
  • - maven-shared -
  • -
  • - maven-verifier -
  • -
  • - maven-wagon-file -
  • -
  • - maven-wagon-http -
  • -
  • - maven-wagon-http-shared -
  • -
  • - maven-wagon-provider-api -
  • -
  • - maven2 -
  • -
  • - meanwhile -
  • -
  • - mercurial -
  • -
  • - mercurial-hgk -
  • -
  • - metis -
  • -
  • - metis-devel -
  • -
  • - mingw32-bzip2 -
  • -
  • - mingw32-bzip2-static -
  • -
  • - mingw32-cairo -
  • -
  • - mingw32-expat -
  • -
  • - mingw32-fontconfig -
  • -
  • - mingw32-freetype -
  • -
  • - mingw32-freetype-static -
  • -
  • - mingw32-gstreamer1 -
  • -
  • - mingw32-harfbuzz -
  • -
  • - mingw32-harfbuzz-static -
  • -
  • - mingw32-icu -
  • -
  • - mingw32-libjpeg-turbo -
  • -
  • - mingw32-libjpeg-turbo-static -
  • -
  • - mingw32-libpng -
  • -
  • - mingw32-libpng-static -
  • -
  • - mingw32-libtiff -
  • -
  • - mingw32-libtiff-static -
  • -
  • - mingw32-openssl -
  • -
  • - mingw32-readline -
  • -
  • - mingw32-sqlite -
  • -
  • - mingw32-sqlite-static -
  • -
  • - mingw64-adwaita-icon-theme -
  • -
  • - mingw64-bzip2 -
  • -
  • - mingw64-bzip2-static -
  • -
  • - mingw64-cairo -
  • -
  • - mingw64-expat -
  • -
  • - mingw64-fontconfig -
  • -
  • - mingw64-freetype -
  • -
  • - mingw64-freetype-static -
  • -
  • - mingw64-gstreamer1 -
  • -
  • - mingw64-harfbuzz -
  • -
  • - mingw64-harfbuzz-static -
  • -
  • - mingw64-icu -
  • -
  • - mingw64-libjpeg-turbo -
  • -
  • - mingw64-libjpeg-turbo-static -
  • -
  • - mingw64-libpng -
  • -
  • - mingw64-libpng-static -
  • -
  • - mingw64-libtiff -
  • -
  • - mingw64-libtiff-static -
  • -
  • - mingw64-nettle -
  • -
  • - mingw64-openssl -
  • -
  • - mingw64-readline -
  • -
  • - mingw64-sqlite -
  • -
  • - mingw64-sqlite-static -
  • -
  • - modello -
  • -
  • - mojo-parent -
  • -
  • - mongo-c-driver -
  • -
  • - mousetweaks -
  • -
  • - mozjs52 -
  • -
  • - mozjs52-devel -
  • -
  • - mozjs60 -
  • -
  • - mozjs60-devel -
  • -
  • - mozvoikko -
  • -
  • - msv-javadoc -
  • -
  • - msv-manual -
  • -
  • - munge-maven-plugin -
  • -
  • - mythes-mi -
  • -
  • - mythes-ne -
  • -
  • - nafees-web-naskh-fonts -
  • -
  • - nbd -
  • -
  • - nbdkit-devel -
  • -
  • - nbdkit-example-plugins -
  • -
  • - nbdkit-gzip-plugin -
  • -
  • - nbdkit-plugin-python-common -
  • -
  • - nbdkit-plugin-vddk -
  • -
  • - ncompress -
  • -
  • - ncurses-compat-libs -
  • -
  • - net-tools -
  • -
  • - netcf -
  • -
  • - netcf-devel -
  • -
  • - netcf-libs -
  • -
  • - network-scripts -
  • -
  • - network-scripts-ppp -
  • -
  • - nkf -
  • -
  • - nodejs-devel -
  • -
  • - nodejs-packaging -
  • -
  • - nss_nis -
  • -
  • - nss-pam-ldapd -
  • -
  • - objectweb-asm -
  • -
  • - objectweb-asm-javadoc -
  • -
  • - objectweb-pom -
  • -
  • - ocaml-bisect-ppx -
  • -
  • - ocaml-camlp4 -
  • -
  • - ocaml-camlp4-devel -
  • -
  • - ocaml-lwt -
  • -
  • - ocaml-mmap -
  • -
  • - ocaml-ocplib-endian -
  • -
  • - ocaml-ounit -
  • -
  • - ocaml-result -
  • -
  • - ocaml-seq -
  • -
  • - opencryptoki-tpmtok -
  • -
  • - opencv-contrib -
  • -
  • - opencv-core -
  • -
  • - opencv-devel -
  • -
  • - openhpi -
  • -
  • - openhpi-libs -
  • -
  • - OpenIPMI-perl -
  • -
  • - openssh-cavs -
  • -
  • - openssh-ldap -
  • -
  • - openssl-ibmpkcs11 -
  • -
  • - opentest4j -
  • -
  • - os-maven-plugin -
  • -
  • - pakchois -
  • -
  • - pandoc -
  • -
  • - paps-libs -
  • -
  • - paranamer -
  • -
  • - parfait -
  • -
  • - parfait-examples -
  • -
  • - parfait-javadoc -
  • -
  • - pcp-parfait-agent -
  • -
  • - pcp-pmda-rpm -
  • -
  • - pcp-pmda-vmware -
  • -
  • - pcsc-lite-doc -
  • -
  • - peripety -
  • -
  • - perl-B-Debug -
  • -
  • - perl-B-Lint -
  • -
  • - perl-Class-Factory-Util -
  • -
  • - perl-Class-ISA -
  • -
  • - perl-DateTime-Format-HTTP -
  • -
  • - perl-DateTime-Format-Mail -
  • -
  • - perl-File-CheckTree -
  • -
  • - perl-homedir -
  • -
  • - perl-libxml-perl -
  • -
  • - perl-Locale-Codes -
  • -
  • - perl-Mozilla-LDAP -
  • -
  • - perl-NKF -
  • -
  • - perl-Object-HashBase-tools -
  • -
  • - perl-Package-DeprecationManager -
  • -
  • - perl-Pod-LaTeX -
  • -
  • - perl-Pod-Plainer -
  • -
  • - perl-prefork -
  • -
  • - perl-String-CRC32 -
  • -
  • - perl-SUPER -
  • -
  • - perl-Sys-Virt -
  • -
  • - perl-tests -
  • -
  • - perl-YAML-Syck -
  • -
  • - phodav -
  • -
  • - php-recode -
  • -
  • - php-xmlrpc -
  • -
  • - pidgin -
  • -
  • - pidgin-devel -
  • -
  • - pidgin-sipe -
  • -
  • - pinentry-emacs -
  • -
  • - pinentry-gtk -
  • -
  • - pipewire0.2-devel -
  • -
  • - pipewire0.2-libs -
  • -
  • - platform-python-coverage -
  • -
  • - plexus-ant-factory -
  • -
  • - plexus-bsh-factory -
  • -
  • - plexus-cli -
  • -
  • - plexus-component-api -
  • -
  • - plexus-component-factories-pom -
  • -
  • - plexus-components-pom -
  • -
  • - plexus-i18n -
  • -
  • - plexus-interactivity -
  • -
  • - plexus-pom -
  • -
  • - plexus-velocity -
  • -
  • - plymouth-plugin-throbgress -
  • -
  • - pmreorder -
  • -
  • - postgresql-test-rpm-macros -
  • -
  • - powermock -
  • -
  • - prometheus-jmx-exporter -
  • -
  • - prometheus-jmx-exporter-openjdk11 -
  • -
  • - ptscotch-mpich -
  • -
  • - ptscotch-mpich-devel -
  • -
  • - ptscotch-mpich-devel-parmetis -
  • -
  • - ptscotch-openmpi -
  • -
  • - ptscotch-openmpi-devel -
  • -
  • - purple-sipe -
  • -
  • - pygobject2-doc -
  • -
  • - pygtk2 -
  • -
  • - pygtk2-codegen -
  • -
  • - pygtk2-devel -
  • -
  • - pygtk2-doc -
  • -
  • - python-nose-docs -
  • -
  • - python-nss-doc -
  • -
  • - python-podman-api -
  • -
  • - python-psycopg2-doc -
  • -
  • - python-pymongo-doc -
  • -
  • - python-redis -
  • -
  • - python-schedutils -
  • -
  • - python-slip -
  • -
  • - python-sqlalchemy-doc -
  • -
  • - python-varlink -
  • -
  • - python-virtualenv-doc -
  • -
  • - python2-backports -
  • -
  • - python2-backports-ssl_match_hostname -
  • -
  • - python2-bson -
  • -
  • - python2-coverage -
  • -
  • - python2-docs -
  • -
  • - python2-docs-info -
  • -
  • - python2-funcsigs -
  • -
  • - python2-ipaddress -
  • -
  • - python2-mock -
  • -
  • - python2-nose -
  • -
  • - python2-numpy-doc -
  • -
  • - python2-psycopg2-debug -
  • -
  • - python2-psycopg2-tests -
  • -
  • - python2-pymongo -
  • -
  • - python2-pymongo-gridfs -
  • -
  • - python2-pytest-mock -
  • -
  • - python2-sqlalchemy -
  • -
  • - python2-tools -
  • -
  • - python2-virtualenv -
  • -
  • - python3-bson -
  • -
  • - python3-click -
  • -
  • - python3-coverage -
  • -
  • - python3-cpio -
  • -
  • - python3-custodia -
  • -
  • - python3-docs -
  • -
  • - python3-flask -
  • -
  • - python3-gevent -
  • -
  • - python3-gobject-base -
  • -
  • - python3-hivex -
  • -
  • - python3-html5lib -
  • -
  • - python3-hypothesis -
  • -
  • - python3-ipatests -
  • -
  • - python3-itsdangerous -
  • -
  • - python3-jwt -
  • -
  • - python3-libguestfs -
  • -
  • - python3-mock -
  • -
  • - python3-networkx-core -
  • -
  • - python3-nose -
  • -
  • - python3-nss -
  • -
  • - python3-openipmi -
  • -
  • - python3-pillow -
  • -
  • - python3-ptyprocess -
  • -
  • - python3-pydbus -
  • -
  • - python3-pymongo -
  • -
  • - python3-pymongo-gridfs -
  • -
  • - python3-pyOpenSSL -
  • -
  • - python3-pytoml -
  • -
  • - python3-reportlab -
  • -
  • - python3-schedutils -
  • -
  • - python3-scons -
  • -
  • - python3-semantic_version -
  • -
  • - python3-slip -
  • -
  • - python3-slip-dbus -
  • -
  • - python3-sqlalchemy -
  • -
  • - python3-syspurpose -
  • -
  • - python3-virtualenv -
  • -
  • - python3-webencodings -
  • -
  • - python3-werkzeug -
  • -
  • - python38-asn1crypto -
  • -
  • - python38-numpy-doc -
  • -
  • - python38-psycopg2-doc -
  • -
  • - python38-psycopg2-tests -
  • -
  • - python39-numpy-doc -
  • -
  • - python39-psycopg2-doc -
  • -
  • - python39-psycopg2-tests -
  • -
  • - qemu-kvm-block-gluster -
  • -
  • - qemu-kvm-block-iscsi -
  • -
  • - qemu-kvm-block-ssh -
  • -
  • - qemu-kvm-hw-usbredir -
  • -
  • - qemu-kvm-tests -
  • -
  • - qpdf -
  • -
  • - qpdf-doc -
  • -
  • - qpid-proton -
  • -
  • - qrencode -
  • -
  • - qrencode-devel -
  • -
  • - qrencode-libs -
  • -
  • - qt5-qtcanvas3d -
  • -
  • - qt5-qtcanvas3d-examples -
  • -
  • - rarian -
  • -
  • - rarian-compat -
  • -
  • - re2c -
  • -
  • - recode -
  • -
  • - redhat-lsb -
  • -
  • - redhat-lsb-core -
  • -
  • - redhat-lsb-cxx -
  • -
  • - redhat-lsb-desktop -
  • -
  • - redhat-lsb-languages -
  • -
  • - redhat-lsb-printing -
  • -
  • - redhat-lsb-submod-multimedia -
  • -
  • - redhat-lsb-submod-security -
  • -
  • - redhat-lsb-supplemental -
  • -
  • - redhat-lsb-trialuse -
  • -
  • - redhat-menus -
  • -
  • - redhat-support-lib-python -
  • -
  • - redhat-support-tool -
  • -
  • - reflections -
  • -
  • - regexp -
  • -
  • - relaxngDatatype -
  • -
  • - rhsm-gtk -
  • -
  • - rpm-plugin-prioreset -
  • -
  • - rpmemd -
  • -
  • - rsyslog-udpspoof -
  • -
  • - ruby-hivex -
  • -
  • - ruby-libguestfs -
  • -
  • - rubygem-abrt -
  • -
  • - rubygem-abrt-doc -
  • -
  • - rubygem-bson -
  • -
  • - rubygem-bson-doc -
  • -
  • - rubygem-bundler-doc -
  • -
  • - rubygem-mongo -
  • -
  • - rubygem-mongo-doc -
  • -
  • - rubygem-net-telnet -
  • -
  • - rubygem-xmlrpc -
  • -
  • - s390utils-cmsfs -
  • -
  • - samba-pidl -
  • -
  • - samba-test -
  • -
  • - samba-test-libs -
  • -
  • - samyak-devanagari-fonts -
  • -
  • - samyak-fonts-common -
  • -
  • - samyak-gujarati-fonts -
  • -
  • - samyak-malayalam-fonts -
  • -
  • - samyak-odia-fonts -
  • -
  • - samyak-tamil-fonts -
  • -
  • - sane-frontends -
  • -
  • - sanlk-reset -
  • -
  • - sat4j -
  • -
  • - scala -
  • -
  • - scotch -
  • -
  • - scotch-devel -
  • -
  • - SDL_sound -
  • -
  • - selinux-policy-minimum -
  • -
  • - sendmail -
  • -
  • - sgabios -
  • -
  • - sgabios-bin -
  • -
  • - shrinkwrap -
  • -
  • - sisu-inject -
  • -
  • - sisu-mojos -
  • -
  • - sisu-plexus -
  • -
  • - skkdic -
  • -
  • - SLOF -
  • -
  • - smc-anjalioldlipi-fonts -
  • -
  • - smc-dyuthi-fonts -
  • -
  • - smc-fonts-common -
  • -
  • - smc-kalyani-fonts -
  • -
  • - smc-raghumalayalam-fonts -
  • -
  • - smc-suruma-fonts -
  • -
  • - softhsm-devel -
  • -
  • - sonatype-oss-parent -
  • -
  • - sonatype-plugins-parent -
  • -
  • - sos-collector -
  • -
  • - sparsehash-devel -
  • -
  • - spax -
  • -
  • - spec-version-maven-plugin -
  • -
  • - spice -
  • -
  • - spice-client-win-x64 -
  • -
  • - spice-client-win-x86 -
  • -
  • - spice-glib -
  • -
  • - spice-glib-devel -
  • -
  • - spice-gtk -
  • -
  • - spice-gtk-tools -
  • -
  • - spice-gtk3 -
  • -
  • - spice-gtk3-devel -
  • -
  • - spice-gtk3-vala -
  • -
  • - spice-parent -
  • -
  • - spice-protocol -
  • -
  • - spice-qxl-wddm-dod -
  • -
  • - spice-server -
  • -
  • - spice-server-devel -
  • -
  • - spice-qxl-xddm -
  • -
  • - spice-server -
  • -
  • - spice-streaming-agent -
  • -
  • - spice-vdagent-win-x64 -
  • -
  • - spice-vdagent-win-x86 -
  • -
  • - sssd-libwbclient -
  • -
  • - star -
  • -
  • - stax-ex -
  • -
  • - stax2-api -
  • -
  • - stringtemplate -
  • -
  • - stringtemplate4 -
  • -
  • - subscription-manager-initial-setup-addon -
  • -
  • - subscription-manager-migration -
  • -
  • - subscription-manager-migration-data -
  • -
  • - subversion-javahl -
  • -
  • - SuperLU -
  • -
  • - SuperLU-devel -
  • -
  • - supermin-devel -
  • -
  • - swig -
  • -
  • - swig-doc -
  • -
  • - swig-gdb -
  • -
  • - swtpm-devel -
  • -
  • - swtpm-tools-pkcs11 -
  • -
  • - system-storage-manager -
  • -
  • - tcl-brlapi -
  • -
  • - testng -
  • -
  • - tibetan-machine-uni-fonts -
  • -
  • - timedatex -
  • -
  • - tpm-quote-tools -
  • -
  • - tpm-tools -
  • -
  • - tpm-tools-pkcs11 -
  • -
  • - treelayout -
  • -
  • - trousers -
  • -
  • - trousers-lib -
  • -
  • - tuned-profiles-compat -
  • -
  • - tuned-profiles-nfv-host-bin -
  • -
  • - tuned-utils-systemtap -
  • -
  • - tycho -
  • -
  • - uglify-js -
  • -
  • - unbound-devel -
  • -
  • - univocity-output-tester -
  • -
  • - univocity-parsers -
  • -
  • - usbguard-notifier -
  • -
  • - usbredir-devel -
  • -
  • - utf8cpp -
  • -
  • - uthash -
  • -
  • - velocity -
  • -
  • - vinagre -
  • -
  • - vino -
  • -
  • - virt-dib -
  • -
  • - virt-p2v-maker -
  • -
  • - vm-dump-metrics-devel -
  • -
  • - weld-parent -
  • -
  • - wodim -
  • -
  • - woodstox-core -
  • -
  • - wqy-microhei-fonts -
  • -
  • - wqy-unibit-fonts -
  • -
  • - xdelta -
  • -
  • - xmlgraphics-commons -
  • -
  • - xmlstreambuffer -
  • -
  • - xinetd -
  • -
  • - xorg-x11-apps -
  • -
  • - xorg-x11-drv-qxl -
  • -
  • - xorg-x11-server-Xspice -
  • -
  • - xpp3 -
  • -
  • - xsane-gimp -
  • -
  • - xsom -
  • -
  • - xz-java -
  • -
  • - xz-java-javadoc -
  • -
  • - yajl-devel -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
-
-
-
-
-
-
-

10.20. Deprecated and unmaintained devices

-
-
-
-

- This section lists devices (drivers, adapters) that -

-
-
    -
  • - continue to be supported until the end of life of RHEL 8 but will likely not be supported in - future major releases of this product and are not recommended for new deployments. Support - for devices other than those listed remains unchanged. These are deprecated devices. -
  • -
  • - are available but are no longer being tested or updated on a routine basis in RHEL 8. Red - Hat may fix serious bugs, including security bugs, at its discretion. These devices should - no longer be used in production, and it is likely they will be disabled in the next major - release. These are unmaintained devices. -
  • -
-
-

- PCI device IDs are in the format of vendor:device:subvendor:subdevice. If no device ID is listed, - all devices associated with the corresponding driver have been deprecated. To check the PCI IDs of - the hardware on your system, run the lspci -nn command. -

-
-

Table 10.1. Deprecated devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- bnx2 -

-
-

- QLogic BCM5706/5708/5709/5716 Driver -

-
  -

- hpsa -

-
-

- Hewlett-Packard Company: Smart Array Controllers -

-
-

- 0x10df:0x0724 -

-
-

- lpfc -

-
-

- Emulex Corporation: OneConnect FCoE Initiator (Skyhawk) -

-
-

- 0x10df:0xe200 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe15000/LPe16000 Series 8Gb/16Gb Fibre Channel Adapter -

-
-

- 0x10df:0xf011 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf015 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf100 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe12000 Series 8Gb Fibre Channel Adapter -

-
-

- 0x10df:0xfc40 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn-X: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xe220 -

-
-

- be2net -

-
-

- Emulex Corporation: OneConnect NIC (Lancer) -

-
-

- 0x1000:0x005b -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2208 [Thunderbolt] -

-
-

- 0x1000:0x006E -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0080 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0081 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0082 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0083 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0084 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0085 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0086 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0087 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
  -

- myri10ge -

-
-

- Myricom 10G driver (10GbE) -

-
  -

- netxen_nic -

-
-

- QLogic/NetXen (1/10) GbE Intelligent Ethernet Driver -

-
-

- 0x1077:0x2031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP8324-based 16Gb Fibre Channel to PCI Express Adapter -

-
-

- 0x1077:0x2532 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP2532-based 8Gb Fibre Channel to PCI Express HBA -

-
-

- 0x1077:0x8031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: 8300 Series 10GbE Converged Network Adapter (FCoE) -

-
  -

- qla3xxx -

-
-

- QLogic ISP3XXX Network Driver v2.03.00-k5 -

-
-

- 0x1924:0x0803 -

-
-

- sfc -

-
-

- Solarflare Communications: SFC9020 10G Ethernet Controller -

-
-

- 0x1924:0x0813 -

-
-

- sfc -

-
-

- Solarflare Communications: SFL9021 10GBASE-T Ethernet Controller -

-
  -

- Soft-RoCE (rdma_rxe) -

-
 
  -

- HNS-RoCE -

-
-

- HNS GE/10GE/25GE/50GE/100GE RDMA Network Controller -

-
  -

- liquidio -

-
-

- Cavium LiquidIO Intelligent Server Adapter Driver -

-
  -

- liquidio_vf -

-
-

- Cavium LiquidIO Intelligent Server Adapter Virtual Function Driver -

-
-
-
-
-

Table 10.2. Unmaintained devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- e1000 -

-
-

- Intel® PRO/1000 Network Driver -

-
  -

- mptbase -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptsas -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptscsih -

-
-

- Fusion MPT SCSI Host driver -

-
  -

- mptspi -

-
-

- Fusion MPT SAS Host driver -

-
-

- 0x1000:0x0071 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MR SAS HBA 2004 -

-
-

- 0x1000:0x0073 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2008 [Falcon] -

-
-

- 0x1000:0x0079 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2108 [Liberator] -

-
  -

- nvmet_tcp -

-
-

- NVMe/TCP target driver -

-
-
-
[a] - Disabled in RHEL 8.0, re-enabled in RHEL 8.4 due to customer requests. -
-
-
-
-
-
-
-
-
-
-
-

Chapter 11. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8.7. -

-
-
-
-
-

11.1. Installer and image creation

-
-
-
-
-

During RHEL installation on IBM Z, udev does - not assign predictable interface names to RoCE cards enumerated by FID

-

- If you start a RHEL 8.7 or later installation with the net.naming-scheme=rhel-8.7 kernel command-line option, the udev device manager on the RHEL installation media ignores this - setting for RoCE cards enumerated by the function identifier (FID). As a consequence, udev assigns unpredictable interface names to these devices. There is - no workaround during the installation, but you can configure the feature after the installation. - For further details, see Determining - a predictable RoCE device name on the IBM Z platform. -

-
-

- (JIRA:RHEL-11397) -

-
-

Installation fails on IBM Power 10 systems with LPAR and secure boot - enabled

-

- RHEL installer is not integrated with static key secure boot on IBM Power 10 systems. - Consequently, when logical partition (LPAR) is enabled with the secure boot option, the - installation fails with the error, Unable to proceed with RHEL-x.x Installation. -

-
-

- To work around this problem, install RHEL without enabling secure boot. After booting the system: -

-
-
    -
  1. - Copy the signed Kernel into the PReP partition using the dd - command. -
  2. -
  3. - Restart the system and enable secure boot. -
  4. -
-
-

- Once the firmware verifies the bootloader and the kernel, the system boots up successfully. -

-

- For more information, see https://www.ibm.com/support/pages/node/6528884 -

-

- (BZ#2025814) -

-
-

Unexpected SELinux policies on systems where Anaconda is running as an - application

-

- When Anaconda is running as an application on an already installed system (for example to - perform another installation to an image file using the –image - anaconda option), the system is not prohibited to modify the SELinux types and attributes during - installation. As a consequence, certain elements of SELinux policy might change on the system - where Anaconda is running. To work around this problem, do not run Anaconda on the production - system and execute it in a temporary virtual machine. So that the SELinux policy on a production - system is not modified. Running anaconda as part of the system installation process such as - installing from boot.iso or dvd.iso is - not affected by this issue. -

-
-

- (BZ#2050140) -

-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installer or use the authselect Kickstart command during installation. -

-

- (BZ#1640697) -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- (BZ#1697896) -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- (BZ#1914955) -

-
-

Network access is not enabled by default in the installation - program

-

- Several installation features require network access, for example, registration of a system - using the Content Delivery Network (CDN), NTP server support, and network installation sources. - However, network access is not enabled by default, and as a result, these features cannot be - used until network access is enabled. -

-
-

- To work around this problem, add ip=dhcp to boot options to enable - network access when the installation starts. Optionally, passing a Kickstart file or a repository - located on the network using boot options also resolves the problem. As a result, the network-based - installation features can be used. -

-

- (BZ#1757877) -

-
-

Hard drive partitioned installations with iso9660 filesystem fails -

-

- You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that - is set to ignore any hard disk containing a iso9660 file system - partition. This happens even when RHEL is installed without using a DVD. -

-
-

- To workaround this problem, add the following script in the kickstart file to format the disc before - the installation starts. -

-

- Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk. -

-
%pre
-wipefs -a /dev/sda
-%end
-

- As a result, installations work as expected without any errors. -

-

- (BZ#1929105) -

-
-

IBM Power systems with HASH MMU mode fail to - boot with memory allocation failures

-

- IBM Power Systems with HASH memory allocation unit (MMU) mode - support kdump up to a maximum of 192 cores. Consequently, the - system fails to boot with memory allocation failures if kdump is - enabled on more than 192 cores. This limitation is due to RMA memory allocations during early - boot in HASH MMU mode. To work around this problem, use the Radix MMU mode with fadump enabled - instead of using kdump. -

-
-

- (BZ#2028361) -

-
-

RHEL for Edge installer image fails to create mount points when installing - an rpm-ostree payload

-

- When deploying rpm-ostree payloads, used for example in a RHEL for - Edge installer image, the installer does not properly create some mount points for custom - partitions. As a consequence, the installation is aborted with the following error: -

-
-
The command 'mount --bind /mnt/sysimage/data /mnt/sysroot/data' exited with the code 32.
-

- To work around this issue: -

-
-
    -
  • - Use an automatic partitioning scheme and do not add any mount points manually. -
  • -
  • - Manually assign mount points only inside /var directory. For - example, /var/my-mount-point), and - the following standard directories: /, /boot, /var. -
  • -
-
-

- As a result, the installation process finishes successfully. -

-

- (BZ#2126506) -

-
-

The --size parameter of composer-cli compose start treats values as bytes instead of - MiB

-

- When using the composer-cli compose start --size size_value blueprint_name image_type - command, the --size parameter should use its parameter in the MiB - format. However, a bug in the settings causes the composer-cli tool - to treat this parameter as bytes units. -

-
-

- To work around this issue, multiply the size value by 1048576. Alternatively, use the in your blueprint. The customization allows a - more granular control over filesystems and accepts units like MiB or GiB. See Supported - image customizations. -

-

- (BZ#2033192) -

-
-
-
-
-
-

11.2. Subscription management

-
-
-
-
-

syspurpose addons have no effect on the subscription-manager attach --auto output.

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose - command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect - the output of running the subscription-manager attach --auto - command. Users who attempt to set values to the addons argument - will not observe any effect on the subscriptions that are auto-attached. -

-
-

- (BZ#1687900) -

-
-
-
-
-
-

11.3. Software management

-
-
-
-
-

cr_compress_file_with_stat() can cause a - memory leak

-

- The createrepo_c C library has the API cr_compress_file_with_stat() function. This function is declared with - char **dst as a second parameter. Depending on its other - parameters, cr_compress_file_with_stat() either uses dst as an input parameter, or uses it to return an allocated string. - This unpredictable behavior can cause a memory leak, because it does not inform the user when to - free dst contents. -

-
-

- To work around this problem, a new API cr_compress_file_with_stat_v2 - function has been added, which uses the dst parameter only as an input. - It is declared as char *dst. This prevents memory leak. -

-

- Note that the cr_compress_file_with_stat_v2 function is temporary and - will be present only in RHEL 8. Later, cr_compress_file_with_stat() - will be fixed instead. -

-

- (BZ#1973588) -

-
-

YUM transactions reported as successful when a scriptlet fails

-

- Since RPM version 4.6, post-install scriptlets are allowed to fail without being fatal to the - transaction. This behavior propagates up to YUM as well. This results in scriptlets which might - occasionally fail while the overall package transaction reports as successful. -

-
-

- There is no workaround available at the moment. -

-

- Note that this is expected behavior that remains consistent between RPM and YUM. Any issues in - scriptlets should be addressed at the package level. -

-

- (BZ#1986657) -

-
-

A security YUM upgrade fails for packages that change their architecture - through the upgrade

-

- The patch for BZ#2088149, released with the - RHBA-2022:7711 - advisory, introduced the following regression: The YUM upgrade using security filters fails for - packages that change their architecture from or to noarch through - the upgrade. Consequently, it can leave the system in a vulnerable state. -

-
-

- To work around this problem, perform the regular upgrade without security filters. -

-

- (BZ#2088149) -

-
-
-
-
-
-

11.4. Shells and command-line tools

-
-
-
-
-

ipmitool is incompatible with certain server - platforms

-

- The ipmitool utility serves for monitoring, configuring, and - managing devices that support the Intelligent Platform Management Interface (IPMI). The current - version of ipmitool uses Cipher Suite 17 by default instead of the - previous Cipher Suite 3. Consequently, ipmitool fails to - communicate with certain bare metal nodes that announced support for Cipher Suite 17 during - negotiation, but do not actually support this cipher suite. As a result, ipmitool aborts with the no matching cipher suite error message. -

-
-

- For more details, see the related Knowledgebase article. -

-

- To solve this problem, update your baseboard management controller (BMC) firmware to use the Cipher - Suite 17. -

-

- Optionally, if the BMC firmware update is not available, you can work around this problem by forcing - ipmitool to use a certain cipher suite. When invoking a managing task - with ipmitool, add the -C option to the - ipmitool command together with the number of the cipher suite you want to use. See the following - example: -

-
# ipmitool -I lanplus -H _myserver.example.com_ -P _mypass_ -C 3 chassis power status
-

- (BZ#1873614) -

-
-

ReaR fails to recreate a volume group when you do not use clean disks for - restoring

-

- ReaR fails to perform recovery when you want to restore to disks that contain existing data. -

-
-

- To work around this problem, wipe the disks manually before restoring to them if they have been - previously used. To wipe the disks in the rescue environment, use one of the following commands - before running the rear recover command: -

-
-
    -
  • - The dd command to overwrite the disks. -
  • -
  • - The wipefs command with the -a - flag to erase all available metadata. -
  • -
-
-

- See the following example of wiping metadata from the /dev/sda disk: -

-
# wipefs -a /dev/sda[1-9] /dev/sda
-

- This command wipes the metadata from the partitions on /dev/sda first, - and then the partition table itself. -

-

- (BZ#1925531) -

-
-

coreutils might report misleading EPERM error - codes

-

- GNU Core Utilities (coreutils) started using the statx() system call. If a seccomp filter - returns an EPERM error code for unknown system calls, coreutils - might consequently report misleading EPERM error codes because EPERM can not be distinguished - from the actual Operation not permitted error returned by - a working statx() syscall. -

-
-

- To work around this problem, update the seccomp filter to either permit - the statx() syscall, or to return an ENOSYS error code for syscalls it - does not know. -

-

- (BZ#2030661) -

-
-
-
-
-
-

11.5. Infrastructure services

-
-
-
-
-

Postfix TLS fingerprint algorithm in the FIPS mode needs to be changed to - SHA-256

-

- By default in RHEL 8, postfix uses MD5 fingerprints with the TLS - for backward compatibility. But in the FIPS mode, the MD5 hashing function is not available, - which may cause TLS to incorrectly function in the default postfix configuration. To workaround - this problem, the hashing function needs to be changed to SHA-256 in the postfix configuration - file. -

-
-

- For more details, see the related Knowledgebase article Fix postfix TLS in the FIPS mode by switching - to SHA-256 instead of MD5. -

-

- (BZ#1711885) -

-
-

rsync fails while using the --delete and the --filter '-x string.*' - option together

-

- The rsync utility for transferring and synchronizing files is - unable to handle extended attributes in RHEL 8 correctly. Consequently, if you pass the --delete option together with the --filter '-x string.*' option - for extended attributes to the rsync command, and a file on your - system satisfies the regular expression, an error stating protocol incompatibilities occurs. For - example, if you use the --filter '-x system.*' option, the filter - finds the system.mwmrc file, which is present on your system, and - rsync fails. See the following error message that occurs after - using the --filter '-x system.*' option: -

-
-
# /usr/bin/rsync -a --delete --filter '-x system.*' / 192.0.2.2::some/test/dir/
-ERROR: rejecting excluded file-list name: path/to/excluded/system.mwmrc
-rsync error: protocol incompatibility (code 2) at flist.c(912) [receiver=3.1.3]
-rsync error: protocol incompatibility (code 2) at io.c(1649) [generator=3.1.3])
-

- To prevent this problem, use regular expressions for extended attributes with caution. -

-

- (BZ#2139118) -

-
-

The brltty package is not multilib - compatible

-

- It is not possible to have both 32-bit and 64-bit versions of the brltty package installed. You can either install the 32-bit (brltty.i686) or the 64-bit (brltty.x86_64) version of the package. The 64-bit version is - recommended. -

-
-

- (BZ#2008197) -

-
-
-
-
-
-

11.6. Security

-
-
-
-
-

File permissions of /etc/passwd- are not - aligned with the CIS RHEL 8 Benchmark 1.0.0

-

- Because of an issue with the CIS Benchmark, the remediation of the SCAP rule that ensures - permissions on the /etc/passwd- backup file configures permissions - to 0644. However, the CIS Red Hat Enterprise Linux 8 Benchmark 1.0.0 requires file - permissions 0600 for that file. As a consequence, the file - permissions of /etc/passwd- are not aligned with the benchmark - after remediation. -

-
-

- (BZ#1858866) -

-
-

libselinux-python is available only through - its module

-

- The libselinux-python package contains only Python 2 bindings for - developing SELinux applications and it is used for backward compatibility. For this reason, - libselinux-python is no longer available in the default RHEL 8 - repositories through the yum install libselinux-python command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# yum module enable libselinux-python
-# yum install libselinux-python
-

- Alternatively, install libselinux-python using its install profile with - a single command: -

-
# yum module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- (BZ#1666328) -

-
-

udica processes UBI 8 containers only when - started with --env container=podman

-

- The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. - This prevents the udica tool from analyzing a container JavaScript - Object Notation (JSON) file. -

-
-

- To work around this problem, start a UBI 8 container using a podman - command with the --env container=podman parameter. As a result, udica can generate an SELinux policy for a UBI 8 container only when you - use the described workaround. -

-

- (BZ#1763210) -

-
-

SELINUX=disabled in /etc/selinux/config does not work properly

-

- Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots - with SELinux enabled and switches to disabled mode later in the boot process. This might cause - memory leaks. -

-
-

- To work around this problem, disable SELinux by adding the selinux=0 - parameter to the kernel command line as described in the Changing - SELinux modes at boot time section of the Using - SELinux title if your scenario really requires to completely disable SELinux. -

-

- (JIRA:RHELPLAN-34199) -

-
-

sshd -T provides inaccurate information about - Ciphers, MACs and KeX algorithms

-

- The output of the sshd -T command does not contain the system-wide - crypto policy configuration or other options that could come from an environment file in /etc/sysconfig/sshd and that are applied as arguments on the sshd command. This occurs because the upstream OpenSSH project did - not support the Include directive to support Red-Hat-provided cryptographic defaults in RHEL 8. - Crypto policies are applied as command-line arguments to the sshd - executable in the sshd.service unit during the service’s start by - using an EnvironmentFile. To work around the problem, use the source command with the environment file and pass the crypto policy - as an argument to the sshd command, as in sshd -T $CRYPTO_POLICY. For additional information, see Ciphers, MACs or KeX - algorithms differ from sshd -T to what is provided by current - crypto policy level. As a result, the output from sshd -T - matches the currently configured crypto policy. -

-
-

- (BZ#2044354) -

-
-

OpenSSL in FIPS mode accepts only specific D-H parameters

-

- In FIPS mode, TLS clients that use OpenSSL return a bad dh value - error and abort TLS connections to servers that use manually generated parameters. This is - because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with - Diffie-Hellman parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, - and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL - ignore all other parameters and instead select known parameters of similar size. To work around - this problem, use only the compliant groups. -

-
-

- (BZ#1810911) -

-
-

crypto-policies incorrectly allow Camellia - ciphers

-

- The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy - levels, as stated in the product documentation. However, the Kerberos protocol enables the - ciphers by default. -

-
-

- To work around the problem, apply the NO-CAMELLIA subpolicy: -

-
# update-crypto-policies --set DEFAULT:NO-CAMELLIA
-

- In the previous command, replace DEFAULT with the cryptographic level - name if you have switched from DEFAULT previously. -

-

- As a result, Camellia ciphers are correctly disallowed across all applications that use system-wide - crypto policies only when you disable them through the workaround. -

-

- (BZ#1919155) -

-
-

Smart-card provisioning process through OpenSC pkcs15-init does not work properly

-

- The file_caching option is enabled in the default OpenSC - configuration, and the file caching functionality does not handle some commands from the pkcs15-init tool properly. Consequently, the smart-card provisioning - process through OpenSC fails. -

-
-

- To work around the problem, add the following snippet to the /etc/opensc.conf file: -

-
app pkcs15-init {
-        framework pkcs15 {
-                use_file_caching = false;
-        }
-}
-

- The smart-card provisioning through pkcs15-init only works if you apply - the previously described workaround. -

-

- (BZ#1947025) -

-
-

Connections to servers with SHA-1 signatures do not work with - GnuTLS

-

- SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as - insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS - connection to peers that offer such certificates. This behavior is inconsistent with other - system cryptographic libraries. -

-
-

- To work around this problem, upgrade the server to use certificates signed with SHA-256 or stronger - hash, or switch to the LEGACY policy. -

-

- (BZ#1628553) -

-
-

IKE over TCP connections do not work on custom TCP ports

-

- The tcp-remoteport Libreswan configuration option does not work - properly. Consequently, an IKE over TCP connection cannot be established when a scenario - requires specifying a non-default TCP port. -

-
-

- (BZ#1989050) -

-
-

RHV hypervisor may not work correctly when hardening the system during - installation

-

- When installing Red Hat Virtualization Hypervisor (RHV-H) and applying the Red Hat Enterprise - Linux 8 STIG profile, OSCAP Anaconda Add-on may harden the system as RHEL instead of RVH-H and - remove essential packages for RHV-H. Consequently, the RHV hypervisor may not work. To work - around the problem, install the RHV-H system without applying any profile hardening, and after - the installation is complete, apply the profile by using OpenSCAP. As a result, the RHV - hypervisor works correctly. -

-
-

- (BZ#2075508) -

-
-

Red Hat provides the CVE OVAL reports in compressed format

-

- Red Hat provides CVE OVAL feeds in the bzip2-compressed format, and - they are no longer available in the XML file format. The location of feeds for RHEL 8 has been - updated accordingly to reflect this change. Because referencing compressed content is not - standardized, third-party SCAP scanners can have problems with scanning rules that use the feed. -

-
-

- (BZ#2028428) -

-
-

Certain sets of interdependent rules in SSG can fail

-

- Remediation of SCAP Security Guide (SSG) rules in a benchmark can - fail due to undefined ordering of rules and their dependencies. If two or more rules need to be - executed in a particular order, for example, when one rule installs a component and another rule - configures the same component, they can run in the wrong order and remediation reports an error. - To work around this problem, run the remediation twice, and the second run fixes the dependent - rules. -

-
-

- (BZ#1750755) -

-
-

Server with GUI and Workstation installations are not possible with CIS Server - profiles

-

- The CIS Server Level 1 and Level 2 security profiles are not compatible with the Server with GUI and Workstation software - selections. As a consequence, a RHEL 8 installation with the Server with GUI software selection and CIS Server profiles is not - possible. An attempted installation using the CIS Server Level 1 or Level 2 profiles and either - of these software selections will generate the error message: -

-
-
package xorg-x11-server-common has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the installation.
-

- If you need to align systems with the Server with GUI or Workstation software selections according to CIS benchmarks, use the CIS - Workstation Level 1 or Level 2 profiles instead. -

-

- (BZ#1843932) -

-
-

Kickstart uses org_fedora_oscap instead of - com_redhat_oscap in RHEL 8

-

- The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on - as org_fedora_oscap instead of com_redhat_oscap, which might cause confusion. This is necessary for - backwards compatibility backward compatibility with Red Hat Enterprise Linux 7. -

-
-

- (BZ#1665082) -

-
-

SSH timeout rules in STIG profiles configure incorrect options

-

- An update of OpenSSH affected the rules in the following Defense Information Systems Agency - Security Technical Implementation Guide (DISA STIG) profiles: -

-
-
-
    -
  • - DISA STIG for RHEL 8 (xccdf_org.ssgproject.content_profile_stig) -
  • -
  • - DISA STIG with GUI for RHEL 8 (xccdf_org.ssgproject.content_profile_stig_gui) -
  • -
-
-

- In each of these profiles, the following two rules are affected: -

-
Title: Set SSH Client Alive Count Max to zero
-CCE Identifier: CCE-83405-1
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
-STIG ID: RHEL-08-010200
-
-Title: Set SSH Idle Timeout Interval
-CCE Identifier: CCE-80906-1
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
-STIG ID: RHEL-08-010201
-

- When applied to SSH servers, each of these rules configures an option (ClientAliveCountMax and ClientAliveInterval) - that no longer behaves as previously. As a consequence, OpenSSH no longer disconnects idle SSH users - when it reaches the timeout configured by these rules. As a workaround, these rules have been - temporarily removed from the DISA STIG for RHEL 8 and DISA STIG with GUI for RHEL 8 profiles until a - solution is developed. -

-

- (BZ#2038977) -

-
-

Bash remediations of certain Audit rules do not work correctly

-

- SCAP Security Guide (SSG) Bash remediations for the following SCAP rules do not add the Audit - key: -

-
-
-
    -
  • - audit_rules_login_events -
  • -
  • - audit_rules_login_events_faillock -
  • -
  • - audit_rules_login_events_lastlog -
  • -
  • - audit_rules_login_events_tallylog -
  • -
  • - audit_rules_usergroup_modification -
  • -
  • - audit_rules_usergroup_modification_group -
  • -
  • - audit_rules_usergroup_modification_gshadow -
  • -
  • - audit_rules_usergroup_modification_opasswd -
  • -
  • - audit_rules_usergroup_modification_passwd -
  • -
  • - audit_rules_usergroup_modification_shadow -
  • -
  • - audit_rules_time_watch_localtime -
  • -
  • - audit_rules_mac_modification -
  • -
  • - audit_rules_networkconfig_modification -
  • -
  • - audit_rules_sysadmin_actions -
  • -
  • - audit_rules_session_events -
  • -
  • - audit_rules_sudoers -
  • -
  • - audit_rules_sudoers_d -
  • -
-
-

- Consequently, remediation scripts fix access bits and paths in the remediated rules, but the rules - without the Audit key do not conform to the OVAL check. Therefore, scans after remediations of such - rules report FAIL. To work around the problem, add the keys to the - affected rules manually. -

-

- (BZ#2119356) -

-
-

Certain rsyslog priority strings do not work - correctly

-

- Support for the GnuTLS priority string for imtcp that allows - fine-grained control over encryption is not complete. Consequently, the following priority - strings do not work properly in rsyslog: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- (BZ#1679512) -

-
-

Negative effects of the default logging setup on performance

-

- The default logging environment setup might consume 4 GB of memory or even more and adjustments - of rate-limit values are complex when systemd-journald is running - with rsyslog. -

-
-

- See the Negative effects of the - RHEL default logging setup on performance and their mitigations Knowledgebase article for - more information. -

-

- (JIRA:RHELPLAN-10431) -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service - enable or disable state remediation is - not needed. Consequently, OpenSCAP might set the services on the installed system to a - non-compliant state. As a workaround, you can scan and remediate the system after the kickstart - installation. This will fix the service-related issues. -

-
-

- (BZ#1834716) -

-
-
-
-
-
-

11.7. Networking

-
-
-
-
-

NetworkManager does not support activating bond and team ports in a - specific order

-

- NetworkManager activates interfaces alphabetically by interface names. However, if an interface - appears later during the boot, for example, because the kernel needs more time to discover it, - NetworkManager activates this interface later. NetworkManager does not support setting a - priority on bond and team ports. Consequently, the order in which NetworkManager activates ports - of these devices is not always predictable. To work around this problem, write a dispatcher - script. -

-
-

- For an example of such a script, see the corresponding comment in the ticket. -

-

- (BZ#1920398) -

-
-

The nm-cloud-setup service removes - manually-configured secondary IP addresses from interfaces

-

- Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain - cases, other services on the host can configure interfaces as well. For example, these services - could add secondary IP addresses. To avoid that nm-cloud-setup - removes secondary IP addresses: -

-
-
-
    -
  1. -

    - Stop and disable the nm-cloud-setup service and timer: -

    -
    # systemctl disable --now nm-cloud-setup.service nm-cloud-setup.timer
    -
  2. -
  3. -

    - Display the available connection profiles: -

    -
    # nmcli connection show
    -
  4. -
  5. -

    - Reactive the affected connection profiles: -

    -
    # nmcli connection up "<profile_name>"
    -
  6. -
-
-

- As a result, the service no longer removes manually-configured secondary IP addresses from - interfaces. -

-

- (BZ#2132754) -

-
-

Systems with the IPv6_rpfilter option enabled - experience low network throughput

-

- Systems with the IPv6_rpfilter option enabled in the firewalld.conf file currently experience suboptimal performance and - low network throughput in high traffic scenarios, such as 100-Gbps links. To work around the - problem, disable the IPv6_rpfilter option. To do so, add the - following line in the /etc/firewalld/firewalld.conf file. -

-
-
IPv6_rpfilter=no
-

- As a result, the system performs better, but also has reduced security. -

-

- (BZ#1871860) -

-
-

RoCE interfaces on IBM Z lose their IP settings due to an unexpected change - of the network interface name

-

- In RHEL 8.6 and earlier, the udev device manager assigns on the IBM - Z platform unpredictable device names to RoCE interfaces that are enumerated by a unique - identifier (UID). However, in RHEL 8.7 and later, udev assigns - predictable device names with the eno prefix to these interfaces. -

-
-

- If you update from RHEL 8.6 or earlier to 8.7 or later, these UID-enumerated interfaces have new - names and no longer match the device names in NetworkManager connection profiles. Consequently, - these interfaces have no IP configuration after the update. -

-

- For workarounds you can apply before the update and a fix if you have already updated the system, - see RoCE interfaces on IBM Z lose - their IP settings after updating to RHEL 8.7 or later. -

-

- (BZ#2169382) -

-
-
-
-
-
-

11.8. Kernel

-
-
-
-
-

Secure boot on IBM Power Systems does not support migration

-

- Currently, on IBM Power Systems, logical partition (LPAR) does not boot after successful - physical volume (PV) migration. As a consequence, any type of automated migration with secure - boot enabled on a partition fails. -

-
-

- (BZ#2126777) -

-
-

Using page_poison=1 can cause a kernel - crash

-

- When using page_poison=1 as the kernel parameter on firmware with - faulty EFI implementation, the operating system can cause the kernel to crash. By default, this - option is disabled and it is not recommended to enable it, especially in production systems. -

-
-

- (BZ#2050411) -

-
-

weak-modules from kmod fails to work with module inter-dependencies

-

- The weak-modules script provided by the kmod package determines which modules are kABI-compatible with - installed kernels. However, while checking modules' kernel compatibility, weak-modules processes modules symbol dependencies from higher to - lower release of the kernel for which they were built. As a consequence, modules with - inter-dependencies built against different kernel releases might be interpreted as - non-compatible, and therefore the weak-modules script fails to work - in this scenario. -

-
-

- To work around the problem, build or put the extra modules against the latest stock kernel before - you install the new kernel. -

-

- (BZ#2103605) -

-
-

Reloading an identical crash extension may cause segmentation - faults

-

- When you load a copy of an already loaded crash extension file, it might trigger a segmentation - fault. Currently, the crash utility detects if an original file has been loaded. Consequently, - due to two identical files co-existing in the crash utility, a namespace collision occurs, which - triggers the crash utility to cause a segmentation fault. -

-
-

- You can work around the problem by loading the crash extension file only once. As a result, - segmentation faults no longer occur in the described scenario. -

-

- (BZ#1906482) -

-
-

vmcore capture fails after memory hot-plug or unplug operation

-

- After performing the memory hot-plug or hot-unplug operation, the event comes after updating the - device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical address. - The problem appears if all of the following conditions meet: -

-
-
-
    -
  • - A little-endian variant of IBM Power System runs RHEL 8. -
  • -
  • - The kdump or fadump service is - enabled on the system. -
  • -
-
-

- Consequently, the capture kernel fails to save vmcore if a kernel crash - is triggered after the memory hot-plug or hot-unplug operation. -

-

- To work around this problem, restart the kdump service after hot-plug - or hot-unplug: -

-
# systemctl restart kdump.service
-

- As a result, vmcore is successfully saved in the described scenario. -

-

- (BZ#1793389) -

-
-

Debug kernel fails to boot in crash capture environment on RHEL 8 -

-

- Due to the memory-intensive nature of the debug kernel, a problem occurs when the debug kernel - is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to - boot as the capture kernel and a stack trace is generated instead. To work around this problem, - increase the crash kernel memory as required. As a result, the debug kernel boots successfully - in the crash capture environment. -

-
-

- (BZ#1659609) -

-
-

Allocating crash kernel memory fails at boot time

-

- On some Ampere Altra systems, allocating the crash kernel memory during boot fails when the - 32-bit region is disabled in BIOS settings. Consequently, the kdump - service fails to start. This is caused by memory fragmentation in the region below 4 GB with no - fragment being large enough to contain the crash kernel memory. -

-
-

- To work around this problem, enable the 32-bit memory region in BIOS as follows: -

-
-
    -
  1. - Open the BIOS settings on your system. -
  2. -
  3. - Open the Chipset menu. -
  4. -
  5. - Under Memory Configuration, enable the - Slave 32-bit option. -
  6. -
-
-

- As a result, crash kernel memory allocation within the 32-bit region succeeds and the kdump service works as expected. -

-

- (BZ#1940674) -

-
-

The QAT manager leaves no spare device for LKCF

-

- The Intel® QuickAssist Technology (QAT) manager (qatmgr) is a user - space process, which by default uses all QAT devices in the system. As a consequence, there are - no QAT devices left for the Linux Kernel Cryptographic Framework (LKCF). There is no need to - work around this situation, as this behavior is expected and a majority of users will use - acceleration from the user space. -

-
-

- (BZ#1920086) -

-
-

The kernel ACPI driver reports it has no access to a PCIe ECAM memory - region

-

- The Advanced Configuration and Power Interface (ACPI) table provided by firmware does not define - a memory region on the PCI bus in the Current Resource Settings (_CRS) method for the PCI bus - device. Consequently, the following warning message occurs during the system boot: -

-
-
[    2.817152] acpi PNP0A08:00: [Firmware Bug]: ECAM area [mem 0x30000000-0x31ffffff] not reserved in ACPI namespace
-[    2.827911] acpi PNP0A08:00: ECAM at [mem 0x30000000-0x31ffffff] for [bus 00-1f]
-

- However, the kernel is still able to access the 0x30000000-0x31ffffff - memory region, and can assign that memory region to the PCI Enhanced Configuration Access Mechanism - (ECAM) properly. You can verify that PCI ECAM works correctly by accessing the PCIe configuration - space over the 256 byte offset with the following output: -

-
03:00.0 Non-Volatile memory controller: Sandisk Corp WD Black 2018/PC SN720 NVMe SSD (prog-if 02 [NVM Express])
- ...
-        Capabilities: [900 v1] L1 PM Substates
-                L1SubCap: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2+ ASPM_L1.1- L1_PM_Substates+
-                          PortCommonModeRestoreTime=255us PortTPowerOnTime=10us
-                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
-                           T_CommonMode=0us LTR1.2_Threshold=0ns
-                L1SubCtl2: T_PwrOn=10us
-

- As a result, you can ignore the warning message. -

-

- For more information about the problem, see the "Firmware Bug: ECAM area mem 0x30000000-0x31ffffff not reserved in ACPI namespace" appears - during system boot solution. -

-

- (BZ#1868526) -

-
-

The tuned-adm profile powersave command causes - the system to become unresponsive

-

- Executing the tuned-adm profile powersave command leads to an - unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx - (CN88xx) processors. Consequently, reboot the system to resume working. To work around this - problem, avoid using the powersave profile if your system matches - the mentioned specifications. -

-
-

- (BZ#1609288) -

-
-

The HP NMI watchdog does not always generate a crash dump

-

- In certain cases, the hpwdt driver for the HP NMI watchdog is not - able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI - was instead consumed by the perfmon driver. -

-
-

- The missing NMI is initiated by one of two conditions: -

-
-
    -
  1. - The Generate NMI button on the - Integrated Lights-Out (iLO) server management software. This button is triggered by a user. -
  2. -
  3. - The hpwdt watchdog. The expiration by default sends an NMI to - the server. -
  4. -
-
-

- Both sequences typically occur when the system is unresponsive. Under normal circumstances, the NMI - handler for both these situations calls the kernel panic() function and - if configured, the kdump service generates a vmcore file. -

-

- Because of the missing NMI, however, kernel panic() is not called and - vmcore is not collected. -

-

- In the first case (1.), if the system was unresponsive, it remains so. To work around this scenario, - use the virtual Power button to reset or power - cycle the server. -

-

- In the second case (2.), the missing NMI is followed 9 seconds later by a reset from the Automated - System Recovery (ASR). -

-

- The HPE Gen9 Server line experiences this problem in single-digit percentages. The Gen10 at an even - smaller frequency. -

-

- (BZ#1602962) -

-
-

Using irqpoll causes vmcore generation failure

-

- Due to an existing problem with the nvme driver on the 64-bit ARM - architecture that run on the Amazon Web Services Graviton 1 processor, causes vmcore generation to fail when you provide the irqpoll kernel command line parameter to the first kernel. - Consequently, no vmcore file is dumped in the /var/crash/ directory upon a kernel crash. To work around this - problem: -

-
-
-
    -
  1. -

    - Append irqpoll to KDUMP_COMMANDLINE_REMOVE variable in the /etc/sysconfig/kdump file. -

    -
    # KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug quiet log_buf_len swiotlb"
    -
  2. -
  3. -

    - Remove irqpoll from KDUMP_COMMANDLINE_APPEND variable in the /etc/sysconfig/kdump file. -

    -
    # KDUMP_COMMANDLINE_APPEND="irqpoll nr_cpus=1 reset_devices cgroup_disable=memory udev.children-max=2 panic=10 swiotlb=noforce novmcoredd"
    -
  4. -
  5. -

    - Restart the kdump service: -

    -
    # systemctl restart kdump
    -
  6. -
-
-

- As a result, the first kernel boots correctly and the vmcore file is - expected to be captured upon the kernel crash. -

-

- Note that the Amazon Web Services Graviton 2 and Amazon Web Services Graviton 3 processors do not - require you to manually remove the irqpoll parameter in the /etc/sysconfig/kdump file. -

-

- The kdump service can use a significant amount of crash kernel memory - to dump the vmcore file. Ensure that the capture kernel has sufficient - memory available for the kdump service. -

-

- For related information on this Known Issue, see The irqpoll kernel command line parameter - might cause vmcore generation failure article. -

-

- (BZ#1654962) -

-
-

Connections fail when attaching a virtual function to virtual - machine

-

- Pensando network cards that use the ionic device driver silently - accept VLAN tag configuration requests and attempt configuring network connections while - attaching network virtual functions (VF) to a virtual machine - (VM). Such network connections fail as this feature is not yet - supported by the card’s firmware. -

-
-

- (BZ#1930576) -

-
-

The OPEN MPI library may trigger run-time failures with default - PML

-

- In OPEN Message Passing Interface (OPEN MPI) implementation 4.0.x series, Unified Communication - X (UCX) is the default point-to-point communicator (PML). The later versions of OPEN MPI 4.0.x - series deprecated openib Byte Transfer Layer (BTL). -

-
-

- However, OPEN MPI, when run over a homogeneous - cluster (same hardware and software configuration), UCX still uses openib BTL for MPI one-sided operations. As a consequence, this may - trigger execution errors. To work around this problem: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca btl openib -mca pml ucx -x UCX_NET_DEVICES=mlx5_ib0
-

- where, -

-
-
    -
  • - The -mca btl openib parameter disables openib BTL -
  • -
  • - The -mca pml ucx parameter configures OPEN MPI to use ucx PML. -
  • -
  • - The x UCX_NET_DEVICES= parameter restricts UCX to use the - specified devices -
  • -
-
-

- The OPEN MPI, when run over a heterogeneous - cluster (different hardware and software configuration), it uses UCX as the default PML. As a - consequence, this may cause the OPEN MPI jobs to run with erratic performance, unresponsive - behavior, or crash failures. To work around this problem, set the UCX priority as: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca pml_ucx_priority 5
-

- As a result, the OPEN MPI library is able to choose an alternative available transport layer over - UCX. -

-

- (BZ#1866402) -

-
-

The Solarflare fails to create maximum number of virtual functions - (VFs)

-

- The Solarflare NICs fail to create a maximum number of VFs due to insufficient resources. You - can check the maximum number of VFs that a PCIe device can create in the /sys/bus/pci/devices/PCI_ID/sriov_totalvfs file. To workaround this - problem, you can either adjust the number of VFs or the VF MSI interrupt value to a lower value, - either from Solarflare Boot Manager on startup, or using Solarflare - sfboot utility. The default VF MSI interrupt value is 8. -

-
-
-
    -
  • - To adjust the VF MSI interrupt value using sfboot: -
  • -
-
-
# sfboot vf-msix-limit=2
-
-
Note
-
-

- Adjusting VF MSI interrupt value affects the VF performance. -

-
-
-

- For more information about parameters to be adjusted accordingly, see the Solarflare Server Adapter user guide. -

-

- (BZ#1971506) -

-
-

The iwl7260-firmware breaks Wi-Fi on Intel - Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1 Gen 4

-

- After updating the iwl7260-firmware or iwl7260-wifi driver to the version provided by RHEL 8.7 and/or RHEL - 9.1 (and later), the hardware gets into an incorrect internal state. reports its state - incorrectly. Consequently, Intel Wifi 6 cards may not work and display the error message: -

-
-
kernel: iwlwifi 0000:09:00.0: Failed to start RT ucode: -110
-kernel: iwlwifi 0000:09:00.0: WRT: Collecting data: ini trigger 13 fired (delay=0ms)
-kernel: iwlwifi 0000:09:00.0: Failed to run INIT ucode: -110
-

- An unconfirmed work around is to power off the system and back on again. Do not reboot. -

-

- (BZ#2106341) -

-
-

Memory allocation for kdump fails on the - 64-bit ARM architectures

-

- On certain 64-bit ARM based systems, the firmware uses the non-contiguous memory allocation - method, which reserves memory randomly at different scattered locations. Consequently, due to - the unavailability of consecutive blocks of memory, the crash kernel cannot reserve memory space - for the kdump mechanism. -

-
-

- To work around this problem, install the kernel version provided by RHEL 8.8 and later. The latest - version of RHEL supports the fallback dump capture mechanism that helps - to find a suitable memory region in the described scenario. -

-

- (BZ#2214235) -

-
-

Hardware certification of the real-time kernel on systems with large - core-counts might require passing the skew-tick=1 boot - parameter to avoid lock contentions

-

- Large or moderate sized systems with numerous sockets and large core-counts can experience - latency spikes due to lock contentions on xtime_lock, which is used - in the timekeeping system. As a consequence, latency spikes and delays in hardware - certifications might occur on multiprocessing systems. As a workaround, you can offset the timer - tick per CPU to start at a different time by adding the skew_tick=1 - boot parameter. -

-
-

- To avoid lock conflicts, enable skew_tick=1: -

-
-
    -
  1. -

    - Enable the skew_tick=1 parameter with grubby. -

    -
    # grubby --update-kernel=ALL --args="skew_tick=1"
    -
  2. -
  3. - Reboot for changes to take effect. -
  4. -
  5. - Verify the new settings by running the cat /proc/cmdline - command. -
  6. -
-
-

- Note that enabling skew_tick=1 causes a significant increase in power - consumption and, therefore, it must be enabled only if you are running latency sensitive real-time - workloads. -

-

- (BZ#2214508) -

-
-
-
-
-
-

11.9. Boot loader

-
-
-
-
-

The behavior of grubby diverges from its - documentation

-

- When you add a new kernel using the grubby tool and do not specify - any arguments, grubby passes the default arguments to the new - entry. This behavior occurs even without passing the --copy-default - argument. Using --args and --copy-default options ensures those arguments are appended to the - default arguments as stated in the grubby documentation. -

-
-

- However, when you add additional arguments, such as $tuned_params, the - grubby tool does not pass these arguments unless the --copy-default option is invoked. -

-

- In this situation, two workarounds are available: -

-
-
    -
  • -

    - Either set the root= argument and leave --args empty: -

    -
    # grubby --add-kernel /boot/my_kernel --initrd /boot/my_initrd --args "root=/dev/mapper/rhel-root" --title "entry_with_root_set"
    -
  • -
  • -

    - Or set the root= argument and the specified arguments, but - not the default ones: -

    -
    # grubby --add-kernel /boot/my_kernel --initrd /boot/my_initrd --args "root=/dev/mapper/rhel-root some_args and_some_more" --title "entry_with_root_set_and_other_args_too"
    -
  • -
-
-

- (BZ#1900829) -

-
-
-
-
-
-

11.10. File systems and storage

-
-
-
-
-

Limitations of LVM writecache

-

- The writecache LVM caching method has the following limitations, - which are not present in the cache method: -

-
-
-
    -
  • - You cannot name a writecache logical volume when using pvmove commands. -
  • -
  • - You cannot use logical volumes with writecache in combination - with thin pools or VDO. -
  • -
-
-

- The following limitation also applies to the cache method: -

-
-
    -
  • - You cannot resize a logical volume while cache or writecache is attached to it. -
  • -
-
-

- (JIRA:RHELPLAN-27987, BZ#1798631, BZ#1808012) -

-
-

XFS quota warnings are triggered too often

-

- Using the quota timer results in quota warnings triggering too often, which causes soft quotas - to be enforced faster than they should. To work around this problem, do not use soft quotas, - which will prevent triggering warnings. As a result, the amount of warning messages will not - enforce soft quota limit anymore, respecting the configured timeout. -

-
-

- (BZ#2059262) -

-
-

LVM mirror devices that store a LUKS volume - sometimes become unresponsive

-

- Mirrored LVM devices with a segment type of mirror that store a - LUKS volume might become unresponsive under certain conditions. The unresponsive devices reject - all I/O operations. -

-
-

- To work around the issue, Red Hat recommends that you use LVM RAID 1 devices with a segment type of - raid1 instead of mirror if you need to - stack LUKS volumes on top of resilient software-defined storage. -

-

- The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 device. -

-

- (BZ#1730502) -

-
-

The /boot file system cannot be placed on - LVM

-

- You cannot place the /boot file system on an LVM logical volume. - This limitation exists for the following reasons: -

-
-
-
    -
  • - On EFI systems, the EFI System Partition - conventionally serves as the /boot file system. The uEFI - standard requires a specific GPT partition type and a specific file system type for this - partition. -
  • -
  • - RHEL 8 uses the Boot Loader Specification (BLS) for - system boot entries. This specification requires that the /boot - file system is readable by the platform firmware. On EFI systems, the platform firmware can - read only the /boot configuration defined by the uEFI standard. -
  • -
  • - The support for LVM logical volumes in the GRUB 2 boot loader is incomplete. Red Hat does - not plan to improve the support because the number of use cases for the feature is - decreasing due to standards such as uEFI and BLS. -
  • -
-
-

- Red Hat does not plan to support /boot on LVM. Instead, Red Hat - provides tools for managing system snapshots and rollback that do not need the /boot file system to be placed on an LVM logical volume. -

-

- (BZ#1496229) -

-
-

LVM no longer allows creating volume groups with mixed block sizes -

-

- LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where the - physical volumes (PVs) have different logical block sizes. LVM has adopted this change because - file systems fail to mount if you extend the underlying logical volume (LV) with a PV of a - different block size. -

-
-

- To re-enable creating VGs with mixed block sizes, set the allow_mixed_block_sizes=1 option in the lvm.conf file. -

-

- (BZ#1768536) -

-
-

The blk-availability systemd service - deactivates complex device stacks

-

- In systemd, the default block deactivation code does not always - handle complex stacks of virtual block devices correctly. In some configurations, virtual - devices might not be removed during the shutdown, which causes error messages to be logged. To - work around this problem, deactivate complex block device stacks by executing the following - command: -

-
-
# systemctl enable --now blk-availability.service
-

- As a result, complex virtual device stacks are correctly deactivated during shutdown and do not - produce error messages. -

-

- (BZ#2011699) -

-
-

VDO driver bug can cause device freezes through journal blocks

-

- While tracking a device-mapper suspend operation, a bug in the VDO - driver causes the system to mark some journal blocks as waiting for metadata updates. The - updates already apply since the suspend call. -

-
-

- When the journal wraps around back to the same physical block, the block stops being available. - Eventually, all writes stop until the block is available again. The growPhysical, growLogical, and setWritePolicy operations on VDO devices include a suspend/resume cycle, - which can lead to the device freezing after a number of journal updates. -

-

- Increasing the size of the VDO pool or the logical volume on top of it or using the pvmove and lvchange operations on LVM tools - managed VDO devices can also trigger this problem. -

-

- For a workaround, change the VDO device settings in any way that involves a suspend/resume cycle, - shut down the VDO device completely and then start it again. This clears the incorrect in-memory - state and resets the journal blocks. As a result, the device is not frozen anymore and works - correctly. -

-

- (BZ#2109047) -

-
-

System hangs due to soft lockup while starting a VDO volume

-

- Due to fixing the kernel ABI breakage in the pv_mmu_ops structure, - RHEL 8.7 systems with kernel version 4.18.0-425.10.1.el8_7, that is - RHEL-8.7.0.2-BaseOS, hang or encounter a kernel panic due to soft lockup while starting a - Virtual Data Optimizer (VDO) volume. To work around this issue, disable any enabled VDO volumes - before booting into kernel-4.18.0-425.10.1.el8_7 to prevent system - hangs, or downgrade to the previous version of the kernel, which is 4.18.0-425.3.1.el8, to retain VDO functionality. -

-
-

- (BZ#2158783) -

-
-
-
-
-
-

11.11. Dynamic programming languages, web and database servers

-
-
-
-
-

getpwnam() might fail when called by a 32-bit - application

-

- When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, - manually install the missing package by using the yum install nss_nis.i686 command. -

-
-

- (BZ#1803161) -

-
-

PAM plug-in version 1.0 does not work in MariaDB

-

- MariaDB 10.3 provides the Pluggable Authentication Modules (PAM) - plug-in version 1.0. MariaDB 10.5 provides the plug-in versions 1.0 - and 2.0, version 2.0 is the default. -

-
-

- The MariaDB PAM plug-in version 1.0 does not work in RHEL 8. To work - around this problem, use the PAM plug-in version 2.0 provided by the mariadb:10.5 module stream. -

-

- (BZ#1942330) -

-
-

Symbol conflicts between OpenLDAP libraries might cause crashes in httpd

-

- When both the libldap and libldap_r - libraries provided by OpenLDAP are loaded and used within a single process, symbol conflicts - between these libraries might occur. Consequently, Apache httpd - child processes using the PHP ldap extension might terminate - unexpectedly if the mod_security or mod_auth_openidc modules are also loaded by the httpd configuration. -

-
-

- Since the RHEL 8.3 update to the Apache Portable Runtime (APR) library, you can work around the - problem by setting the APR_DEEPBIND environment variable, which enables - the use of the RTLD_DEEPBIND dynamic linker option when loading httpd modules. When the APR_DEEPBIND - environment variable is enabled, crashes no longer occur in httpd - configurations that load conflicting libraries. -

-

- (BZ#1819607) -

-
-
-
-
-
-

11.12. Identity Management

-
-
-
-
-

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System -

-

- Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of - Certificate System. As a consequence, Certificate System might become unstable and manual steps - are required to recover the system. -

-
-

- (BZ#1729215) -

-
-

The /var/log/lastlog sparse file on IdM hosts - can cause performance problems

-

- During the IdM installation, a range of 200,000 UIDs from a total of 10,000 possible ranges is - randomly selected and assigned. Selecting a random range in this way significantly reduces the - probability of conflicting IDs in case you decide to merge two separate IdM domains in the - future. -

-
-

- However, having high UIDs can create problems with the /var/log/lastlog - file. For example, if a user with the UID of 1280000008 logs in to an IdM client, the local /var/log/lastlog file size increases to almost 400 GB. Although the - actual file is sparse and does not use all that space, certain applications are not designed to - identify sparse files by default and may require a specific option to handle them. For example, if - the setup is complex and a backup and copy application does not handle sparse files correctly, the - file is copied as if its size was 400 GB. This behavior can cause performance problems. -

-

- To work around this problem: -

-
-
    -
  • - In case of a standard package, refer to its documentation to identify the option that - handles sparse files. -
  • -
  • - In case of a custom application, ensure that it is able to manage sparse files such as /var/log/lastlog correctly. -
  • -
-
-

- (JIRA:RHELPLAN-59111) -

-
-

FIPS mode does not support using a shared secret to establish a - cross-forest trust

-

- Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP - authentication is not FIPS-compliant. To work around this problem, authenticate with an Active - Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS - mode enabled and an AD domain. -

-
-

- (BZ#1924707) -

-
-

FreeRADIUS server fails to run in FIPS mode

-

- By default, in FIPS mode, OpenSSL disables the use of the MD5 digest algorithm. As the RADIUS - protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, this - causes the FreeRADIUS server to fail in FIPS mode. -

-
-

- To work around this problem, follow these steps: -

-
-

Procedure

-
    -
  1. -

    - Create the environment variable, RADIUS_MD5_FIPS_OVERRIDE - for the radiusd service: -

    -
    systemctl edit radiusd
    -
    -[Service]
    -Environment=RADIUS_MD5_FIPS_OVERRIDE=1
    -
  2. -
  3. -

    - To apply the change, reload the systemd configuration and - start the radiusd service: -

    -
    # systemctl daemon-reload
    -# systemctl start radiusd
    -
  4. -
  5. -

    - To run FreeRADIUS in debug mode: -

    -
    # RADIUS_MD5_FIPS_OVERRIDE=1 radiusd -X
    -
  6. -
-
-

- Note that though FreeRADIUS can run in FIPS mode, this does not mean that it is FIPS compliant as it - uses weak ciphers and functions when in FIPS mode. -

-

- For more information on configuring FreeRADIUS authentication in FIPS mode, see How to configure FreeRADIUS authentication in - FIPS mode. -

-

- (BZ#1958979) -

-
-

IdM to AD cross-realm TGS requests fail

-

- The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with - AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). -

-
-

- Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with - the following error: -

-
"Generic error (see e-text) while getting credentials for <service principal>"
-

- (BZ#2125182) -

-
-

Migrated IdM users might be unable to log in due to mismatching domain - SIDs

-

- If you have used the ipa migrate-ds script to migrate users from - one IdM deployment to another, those users might have problems using IdM services because their - previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM - environment. For example, those users can retrieve a Kerberos ticket with the kinit utility, but they cannot log in. To work around this problem, - see the following Knowledgebase article: Migrated IdM users unable to log in due - to mismatching domain SIDs. -

-
-

- (JIRA:RHELPLAN-109613) -

-
-

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a - two-way cross-forest trust

-

- Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management - (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support - Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the - RC4 NTLM hash that the AD domain controller uses when attempting to authenticate. -

-
-

- (BZ#2120572) -

-
-

IdM Vault encryption and decryption fails in FIPS mode

-

- The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. Consequently, - Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 - padding for wrapping the session key with the transport certificate. -

-
-

- (BZ#2122919) -

-
-

Actions required when running Samba as a print server and updating from - RHEL 8.4 and earlier

-

- With this update, the samba package no longer creates the /var/spool/samba/ directory. If you use Samba as a print server and - use /var/spool/samba/ in the [printers] share to spool print jobs, SELinux prevents Samba users - from creating files in this directory. Consequently, print jobs fail and the auditd service logs a denied message in - /var/log/audit/audit.log. To avoid this problem after updating your - system from 8.4 and earlier: -

-
-
-
    -
  1. - Search the [printers] share in the /etc/samba/smb.conf file. -
  2. -
  3. - If the share definition contains path = /var/spool/samba/, - update the setting and set the path parameter to /var/tmp/. -
  4. -
  5. -

    - Restart the smbd service: -

    -
    # systemctl restart smbd
    -
  6. -
-
-

- If you newly installed Samba on RHEL 8.5 or later, no action is required. The default /etc/samba/smb.conf file provided by the samba-common package in this case already uses the /var/tmp/ directory to spool print jobs. -

-

- (BZ#2009213) -

-
-

Downgrading authselect after the rebase to - version 1.2.2 breaks system authentication

-

- The authselect package has been rebased to the latest upstream - version 1.2.2. Downgrading authselect - is not supported and breaks system authentication for all users, including root. -

-
-

- If you downgraded the authselect package to 1.2.1 or earlier, perform the following steps to work around this - problem: -

-
-
    -
  1. - At the GRUB boot screen, select Red Hat Enterprise Linux with - the version of the kernel that you want to boot and press e to - edit the entry. -
  2. -
  3. - Type single as a separate word at the end of the line that - starts with linux and press Ctrl+X - to start the boot process. -
  4. -
  5. - Upon booting in single-user mode, enter the root password. -
  6. -
  7. -

    - Restore authselect configuration using the following command: -

    -
    # authselect select sssd --force
    -
  8. -
-
-

- (BZ#1892761) -

-
-

The default keyword for enabled ciphers in the - NSS does not work in conjunction with other ciphers

-

- In Directory Server you can use the default keyword to refer to the - default ciphers enabled in the network security services (NSS). However, if you want to enable - the default ciphers and additional ones using the command line or web console, Directory Server - fails to resolve the default keyword. As a consequence, the server - enables only the additionally specified ciphers and logs an error similar to the following: -

-
-
Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,+cipher_name>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
-

- As a workaround, specify all ciphers that are enabled by default in NSS including the ones you want - to additionally enable. -

-

- (BZ#1817505) -

-
-

pki-core-debuginfo update from RHEL 8.6 to - RHEL 8.7 fails

-

- Updating the pki-core-debuginfo package from RHEL 8.6 to RHEL 8.7 - fails. To work around this problem, run the following commands: -

-
-
-
    -
  1. - yum remove pki-core-debuginfo -
  2. -
  3. - yum update -y -
  4. -
  5. - yum install pki-core-debuginfo -
  6. -
  7. - yum install idm-pki-symkey-debuginfo idm-pki-tools-debuginfo -
  8. -
-
-

- (BZ#2134093) -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- (JIRA:RHELPLAN-155168) -

-
-
-
-
-
-

11.13. Desktop

-
-
-
-
-

Disabling flatpak repositories from Software - Repositories is not possible

-

- Currently, it is not possible to disable or remove flatpak - repositories in the Software Repositories tool in the GNOME Software utility. -

-
-

- (BZ#1668760) -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft - Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. - In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, use - Hyper-V Server 2019 or later as the host. -

-

- (BZ#1583445) -

-
-

Drag-and-drop does not work between desktop and applications

-

- Due to a bug in the gnome-shell-extensions package, the - drag-and-drop functionality does not currently work between desktop and applications. Support - for this feature will be added back in a future release. -

-
-

- (BZ#1717947) -

-
-
-
-
-
-

11.14. Graphics infrastructures

-
-
-
-
-

radeon fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in the - kexec context correctly. Instead, radeon falls over, which causes - the rest of the kdump service to fail. -

-
-

- To work around this problem, disable radeon in kdump by adding the following line to the /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the machine and kdump. After starting - kdump, the force_rebuild 1 line may be removed from the configuration file. -

-

- Note that in this scenario, no graphics will be available during kdump, but kdump will work successfully. -

-

- (BZ#1694705) -

-
-

Multiple HDR displays on a single MST topology may not power on -

-

- On systems using NVIDIA Turing GPUs with the nouveau driver, using - a DisplayPort hub (such as a laptop dock) with multiple monitors - which support HDR plugged into it may result in failure to turn on. This is due to the system - erroneously thinking there is not enough bandwidth on the hub to support all of the displays. -

-
-

- (BZ#1812577) -

-
-

GUI in ESXi might crash due to low video memory

-

- The graphical user interface (GUI) on RHEL virtual machines (VMs) in the VMware ESXi 7.0.1 - hypervisor with vCenter Server 7.0.1 requires a certain amount of video memory. If you connect - multiple consoles or high-resolution monitors to the VM, the GUI requires at least 16 MB of - video memory. If you start the GUI with less video memory, the GUI might terminate unexpectedly. -

-
-

- To work around the problem, configure the hypervisor to assign at least 16 MB of video memory to the - VM. As a result, the GUI on the VM no longer crashes. -

-

- If you encounter this issue, Red Hat recommends that you report it to VMware. -

-

- See also the following VMware article: VMs with high resolution VM console may experience - a crash on ESXi 7.0.1 (83194). -

-

- (BZ#1910358) -

-
-

VNC Viewer displays wrong colors with the 16-bit color depth on IBM - Z

-

- The VNC Viewer application displays wrong colors when you connect to a VNC session on an IBM Z - server with the 16-bit color depth. -

-
-

- To work around the problem, set the 24-bit color depth on the VNC server. With the Xvnc server, replace the -depth 16 option - with -depth 24 in the Xvnc configuration. -

-

- As a result, VNC clients display the correct colors but use more network bandwidth with the server. -

-

- (BZ#1886147) -

-
-

Unable to run graphical applications using sudo command

-

- When trying to run graphical applications as a user with elevated privileges, the application - fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority - file to use regular user credentials for authentication. -

-
-

- To work around this problem, use the sudo -E command to run graphical - applications as a root user. -

-

- (BZ#1673073) -

-
-

Hardware acceleration is not supported on ARM

-

- Built-in graphics drivers do not support hardware acceleration or the Vulkan API on the 64-bit - ARM architecture. -

-
-

- To enable hardware acceleration or Vulkan on ARM, install the proprietary Nvidia driver. -

-

- (JIRA:RHELPLAN-57914) -

-
-

Matrox G200e shows no output on a VGA display

-

- Your display might show no graphical output if you use the following system configuration: -

-
-
-
    -
  • - The Matrox G200e GPU -
  • -
  • - A display connected over the VGA controller -
  • -
-
-

- As a consequence, you cannot use or install RHEL on this configuration. -

-

- To work around the problem, use the following procedure: -

-
-
    -
  1. - Boot the system to the boot loader menu. -
  2. -
  3. - Add the module_blacklist=mgag200 option to the kernel command - line. -
  4. -
-
-

- As a result, RHEL boots and shows graphical output as expected, but the maximum resolution is - limited to 1024x768 at the 16-bit color depth. -

-

- (BZ#2130159) -

-
-
-
-
-
-

11.15. The web console

-
-
-
-
-

VNC console works incorrectly at certain resolutions

-

- When using the Virtual Network Computing (VNC) console under certain display resolutions, you - might experience a mouse offset issue or you might see only a part of the interface. - Consequently, using the VNC console might not be possible. To work around this issue, you can - try expanding the size of the VNC console or use the Desktop Viewer in the Console tab to launch - the remote viewer instead. -

-
-

- (BZ#2030836) -

-
-
-
-
-
-

11.16. Red Hat Enterprise Linux system roles

-
-
-
-
-

Unable to manage localhost by using the localhost hostname in the playbook or inventory

-

- With the inclusion of the ansible-core 2.13 package in RHEL, if you - are running Ansible on the same host you manage your nodes, you cannot do it by using the localhost hostname in your playbook or inventory. This happens - because ansible-core 2.13 uses the python38 module, and many of the libraries are missing, for example, - blivet for the storage role, gobject for the network role. To - workaround this problem, if you are already using the localhost - hostname in your playbook or inventory, you can add a connection, by using ansible_connection=local, or by creating an inventory file that lists - localhost with the ansible_connection=local option. With that, you are able to manage - resources on localhost. For more details, see the article RHEL system roles playbooks - fail when run on localhost. -

-
-

- (BZ#2041997) -

-
-
-
-
-
-

11.17. Virtualization

-
-
-
-
-

Using a large number of queues might cause Windows virtual machines to - fail

-

- Windows virtual machines (VMs) might fail when the virtual Trusted Platform Module (vTPM) device - is enabled and the multi-queue virtio-net feature is - configured to use more than 250 queues. -

-
-

- This problem is caused by a limitation in the vTPM device. The vTPM device has a hardcoded limit on - the maximum number of opened file descriptors. Since multiple file descriptors are opened for every - new queue, the internal vTPM limit can be exceeded, causing the VM to fail. -

-

- To work around this problem, choose one of the following two options: -

-
-
    -
  • - Keep the vTPM device enabled, but use less than 250 queues. -
  • -
  • - Disable the vTPM device to use more than 250 queues. -
  • -
-
-

- (BZ#2020133) -

-
-

The Milan VM CPU type is sometimes not - available on AMD Milan systems

-

- On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and - Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS - by default. Consequently, the Milan CPU type might not be available - on these systems. In addition, VM live migration between Milan hosts with different feature flag - settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your host. -

-
-

- (BZ#2077770) -

-
-

Attaching LUN devices to virtual machines using virtio-blk does not - work

-

- The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore - lacks support for features that were deprecated in virtio 1.0. In particular, it is not possible - on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, attaching a - physical disk as a LUN device to a virtual machine fails when using the virtio-blk controller. -

-
-

- Note that physical disks can still be passed through to the guest operating system, but they should - be configured with the device='disk' option rather than device='lun'. -

-

- (BZ#1777138) -

-
-

Virtual machines with iommu_platform=on fail - to start on IBM POWER

-

- RHEL 8 currently does not support the iommu_platform=on parameter - for virtual machines (VMs) on IBM POWER system. As a consequence, starting a VM with this - parameter on IBM POWER hardware results in the VM becoming unresponsive during the boot process. -

-
-

- (BZ#1910848) -

-
-

IBM POWER hosts may crash when using the ibmvfc driver

-

- When running RHEL 8 on a PowerVM logical partition (LPAR), a variety of errors may currently - occur due problems with the ibmvfc driver. As a consequence, the - host’s kernel may panic under certain circumstances, such as: -

-
-
-
    -
  • - Using the Live Partition Mobility (LPM) feature -
  • -
  • - Resetting a host adapter -
  • -
  • - Using SCSI error handling (SCSI EH) functions -
  • -
-
-

- (BZ#1961722) -

-
-

Using perf kvm record on IBM POWER Systems can - cause the VM to crash

-

- When using a RHEL 8 host on the little-endian variant of IBM POWER hardware, using the perf kvm record command to collect trace event samples for a KVM - virtual machine (VM) in some cases results in the VM becoming unresponsive. This situation - occurs when: -

-
-
-
    -
  • - The perf utility is used by an unprivileged user, and the -p option is used to identify the VM - for example perf kvm record -e trace_cycles -p 12345. -
  • -
  • - The VM was started using the virsh shell. -
  • -
-
-

- To work around this problem, use the perf kvm utility with the -i option to monitor VMs that were created using the virsh shell. For example: -

-
# perf kvm record -e trace_imc/trace_cycles/  -p <guest pid> -i
-

- Note that when using the -i option, child tasks do not inherit - counters, and threads will therefore not be monitored. -

-

- (BZ#1924016) -

-
-

Windows Server 2016 virtual machines with Hyper-V enabled fail to boot when - using certain CPU models

-

- Currently, it is not possible to boot a virtual machine (VM) that uses Windows Server 2016 as - the guest operating system, has the Hyper-V role enabled, and uses one of the following CPU - models: -

-
-
-
    -
  • - EPYC-IBPB -
  • -
  • - EPYC -
  • -
-
-

- To work around this problem, use the EPYC-v3 CPU - model, or manually enable the xsaves CPU flag - for the VM. -

-

- (BZ#1942888) -

-
-

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails -

-

- Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes - unresponsive with a Migration status: active status. -

-
-

- To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which - enables the migration to complete successfully. -

-

- (BZ#1741436) -

-
-

Using virt-customize sometimes causes guestfs-firstboot to fail

-

- After modifying a virtual machine (VM) disk image using the virt-customize utility, the guestfs-firstboot service in some cases fails due to incorrect - SELinux permissions. This causes a variety of problems during VM startup, such as failing user - creation or system registration. -

-
-

- To avoid this problem, add --selinux-relabel to the kernel command line - of the VM after modifying its disk image with virt-customize. -

-

- (BZ#1554735) -

-
-

Deleting a forward interface from a macvtap virtual network resets all - connection counts of this network

-

- Currently, deleting a forward interface from a macvtap virtual - network with multiple forward interfaces also resets the connection status of the other forward - interfaces of the network. As a consequence, the connection information in the live network XML - is incorrect. Note, however, that this does not affect the functionality of the virtual network. - To work around the issue, restart the libvirtd service on your - host. -

-
-

- (BZ#1332758) -

-
-

Virtual machines with SLOF fail to boot in netcat interfaces

-

- When using a netcat (nc) interface to access the console of a - virtual machine (VM) that is currently waiting at the Slimline Open Firmware (SLOF) prompt, the - user input is ignored and VM stays unresponsive. To work around this problem, use the nc -C option when connecting to the VM, or use a telnet interface - instead. -

-
-

- (BZ#1974622) -

-
-

Attaching mediated devices to virtual machines in virt-manager in some cases fails

-

- The virt-manager application is currently able to detect mediated - devices, but cannot recognize whether the device is active. As a consequence, attempting to - attach an inactive mediated device to a running virtual machine (VM) using virt-manager fails. Similarly, attempting to create a new VM that - uses an inactive mediated device fails with a device not found - error. -

-
-

- To work around this issue, use the virsh nodedev-start or mdevctl start commands to activate the mediated device before using it in - virt-manager. -

-

- (BZ#2026985) -

-
-

RHEL 9 virtual machines fail to boot in POWER8 compatibility mode -

-

- Currently, booting a virtual machine (VM) that runs RHEL 9 as its guest operating system fails - if the VM also uses CPU configuration similar to the following: -

-
-
  <cpu mode="host-model">
-    <model>power8</model>
-  </cpu>
-

- To work around this problem, do not use POWER8 compatibility mode in RHEL 9 VMs. -

-

- In addition, note that running RHEL 9 VMs is not possible on POWER8 hosts. -

-

- (BZ#2035158) -

-
-

Restarting the OVS service on a host might block network connectivity on - its running VMs

-

- When the Open vSwitch (OVS) service restarts or crashes on a host, virtual machines (VMs) that - are running on this host cannot recover the state of the networking device. As a consequence, - VMs might be completely unable to receive packets. -

-
-

- This problem only affects systems that use the packed virtqueue format in their virtio networking stack. -

-

- To work around this problem, use the packed=off parameter in the virtio networking device definition to disable packed virtqueue. With - packed virtqueue disabled, the state of the networking device can, in some situations, be recovered - from RAM. -

-

- (BZ#1792683) -

-
-

Virtual machines sometimes fail to start when using many virtio-blk - disks

-

- Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of - interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to boot, - and displays a dracut-initqueue[392]: Warning: Could not boot - error. -

-
-

- (BZ#1719687) -

-
-

SUID and SGID are not cleared automatically on virtiofs

-

- When you run the virtiofsd service with the killpriv_v2 feature, your system may not automatically clear the SUID - and SGID permissions after performing some file-system operations. Consequently, not clearing - the permissions might cause a potential security threat. To work around this issue, disable the - killpriv_v2 feature by entering the following command: -

-
-
# virtiofsd -o no_killpriv_v2
-

- (BZ#1966475) -

-
-

SMT CPU topology is not detected by VMs when using host passthrough mode on - AMD EPYC

-

- When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the - TOPOEXT CPU feature flag is not present. Consequently, the VM is - not able to detect a virtual CPU topology with multiple threads per core. To work around this - problem, boot the VM with the EPYC CPU model instead of host passthrough. -

-
-

- (BZ#1740002) -

-
-
-
-
-
-

11.18. RHEL in cloud environments

-
-
-
-
-

Setting static IP in a RHEL virtual machine on a VMware host does not - work

-

- Currently, when using RHEL as a guest operating system of a virtual machine (VM) on a VMware - host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then - reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- (BZ#1750862) -

-
-

kdump sometimes does not start on Azure and Hyper-V

-

- On RHEL 8 guest operating systems hosted on the Microsoft Azure or Hyper-V hypervisors, starting - the kdump kernel in some cases fails when post-exec notifiers are - enabled. -

-
-

- To work around this problem, disable crash kexec post notifiers: -

-
# echo N > /sys/module/kernel/parameters/crash_kexec_post_notifiers
-

- (BZ#1865745) -

-
-

The SCSI host address sometimes changes when booting a Hyper-V VM with - multiple guest disks

-

- Currently, when booting a RHEL 8 virtual machine (VM) on the Hyper-V hypervisor, the host - portion of the Host, Bus, Target, Lun (HBTL) SCSI address - in some cases changes. As a consequence, automated tasks set up with the HBTL SCSI - identification or device node in the VM do not work consistently. This occurs if the VM has more - than one disk or if the disks have different sizes. -

-
-

- To work around the problem, modify your kickstart files, using one of the following methods: -

-

- Method 1: Use persistent identifiers for SCSI - devices. -

-

- You can use for example the following powershell script to determine the specific device - identifiers: -

-
# Output what the /dev/disk/by-id/<value> for the specified hyper-v virtual disk.
-# Takes a single parameter which is the virtual disk file.
-# Note: kickstart syntax works with and without the /dev/ prefix.
-param (
-    [Parameter(Mandatory=$true)][string]$virtualdisk
-)
-
-$what = Get-VHD -Path $virtualdisk
-$part = $what.DiskIdentifier.ToLower().split('-')
-
-$p = $part[0]
-$s0 = $p[6] + $p[7] + $p[4] + $p[5] + $p[2] + $p[3] + $p[0] + $p[1]
-
-$p = $part[1]
-$s1 =  $p[2] + $p[3] + $p[0] + $p[1]
-
-[string]::format("/dev/disk/by-id/wwn-0x60022480{0}{1}{2}", $s0, $s1, $part[4])
-

- You can use this script on the hyper-v host, for example as follows: -

-
PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_8.vhdx
-/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_9.vhdx
-/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-

- Afterwards, the disk values can be used in the kickstart file, for example as follows: -

-
part / --fstype=xfs --grow --asprimary --size=8192 --ondisk=/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-part /home --fstype="xfs" --grow --ondisk=/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-

- As these values are specific for each virtual disk, the configuration needs to be done for each VM - instance. It may, therefore, be useful to use the %include syntax to - place the disk information into a separate file. -

-

- Method 2: Set up device selection by size. -

-

- A kickstart file that configures disk selection based on size must include lines similar to the - following: -

-
...
-
-# Disk partitioning information is supplied in a file to kick start
-%include /tmp/disks
-
-...
-
-# Partition information is created during install using the %pre section
-%pre --interpreter /bin/bash --log /tmp/ks_pre.log
-
-	# Dump whole SCSI/IDE disks out sorted from smallest to largest ouputting
-	# just the name
-	disks=(`lsblk -n -o NAME -l -b -x SIZE -d -I 8,3`) || exit 1
-
-	# We are assuming we have 3 disks which will be used
-	# and we will create some variables to represent
-	d0=${disks[0]}
-	d1=${disks[1]}
-	d2=${disks[2]}
-
-	echo "part /home --fstype="xfs" --ondisk=$d2 --grow" >> /tmp/disks
-	echo "part swap --fstype="swap" --ondisk=$d0 --size=4096" >> /tmp/disks
-	echo "part / --fstype="xfs" --ondisk=$d1 --grow" >> /tmp/disks
-	echo "part /boot --fstype="xfs" --ondisk=$d1 --size=1024" >> /tmp/disks
-
-%end
-

- (BZ#1906870) -

-
-

RHEL instances on Azure fail to boot if provisioned by cloud-init and configured with an NFSv3 mount entry

-

- Currently, booting a RHEL virtual machine (VM) on the Microsoft Azure cloud platform fails if - the VM was provisioned by the cloud-init tool and the guest - operating system of the VM has an NFSv3 mount entry in the /etc/fstab file. -

-
-

- (BZ#2081114) -

-
-
-
-
-
-

11.19. Supportability

-
-
-
-
-

The getattachment command fails to download - multiple attachments at once

-

- The redhat-support-tool command offers the getattachment subcommand for downloading attachments. However, getattachment is currently only able to download a single attachment - and fails to download multiple attachments. -

-
-

- As a workaround, you can download multiple attachments one by one by passing the case number and - UUID for each attachment in the getattachment subcommand. -

-

- (BZ#2064575) -

-
-

redhat-support-tool does not work with the - FUTURE crypto policy

-

- Because a cryptographic key used by a certificate on the Customer Portal API does not meet the - requirements by the FUTURE system-wide cryptographic policy, the - redhat-support-tool utility does not work with this policy level at - the moment. -

-
-

- To work around this problem, use the DEFAULT crypto policy while - connecting to the Customer Portal API. -

-

- (BZ#1802026) -

-
-

Timeout when running sos report on IBM Power - Systems, Little Endian

-

- When running the sos report command on IBM Power Systems, Little - Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of - 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the - plugin’s timeout accordingly: -

-
-
-
    -
  • - For one-time setting, run: -
  • -
-
-
# sos report -k processor.timeout=1800
-
-
    -
  • - For a permanent change, edit the [plugin_options] section of - the /etc/sos/sos.conf file: -
  • -
-
-
[plugin_options]
-# Specify any plugin options and their values here. These options take the form
-# plugin_name.option_name = value
-#rpm.rpmva = off
-processor.timeout = 1800
-

- The example value is set to 1800. The particular timeout value highly depends on a specific system. - To set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one - plugin with no timeout by running the following command: -

-
# time sos report -o processor -k processor.timeout=0 --batch --build
-

- (BZ#2011413) -

-
-
-
-
-
-

11.20. Containers

-
-
-
-
-

Running systemd within an older container image does not work

-

- Running systemd within an older container image, for example, centos:7, does not work: -

-
-
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd
- Storing signatures
- Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
- [!!!!!!] Failed to mount API filesystems, freezing.
-

- To work around this problem, use the following commands: -

-
# mkdir /sys/fs/cgroup/systemd
-# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
-# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
-

- (JIRA:RHELPLAN-96940) -

-
-
-
-
-
-
-

Chapter 12. Internationalization

-
-
-
-
-
-
-
-

12.1. Red Hat Enterprise Linux 8 international languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangul -

-
-
-
-
-
-
-
-

12.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • - Internationalization is distributed in multiple packages, which allows for smaller footprint - installations. For more information, see Using - langpacks. -
  • -
  • - A number of glibc locales have been synchronized with Unicode - Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA IDs are listed in this document for reference. Bugzilla bugs that are publicly - accessible include a link to the ticket. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- BZ#2052528, BZ#2057063, BZ#2057066, BZ#2062679, BZ#1817505 -

-
-

- NetworkManager -

-
-

- BZ#2097270, BZ#2082000, BZ#2063109, BZ#1943153, BZ#1920398, BZ#2132754 -

-
-

- SLOF -

-
-

- BZ#1910848 -

-
-

- accel-config -

-
-

- BZ#1843266 -

-
-

- anaconda -

-
-

- BZ#1899494, - BZ#1970726, BZ#2029101, BZ#2050140, BZ#1914955, BZ#1929105, BZ#2126506 -

-
-

- ansible-collection-microsoft-sql -

-
-

- BZ#2066338 -

-
-

- ansible-collection-redhat-rhel_mgmt -

-
-

- BZ#2112435 -

-
-

- ansible-freeipa -

-
-

- BZ#2076554 -

-
-

- apr -

-
-

- BZ#1819607 -

-
-

- authselect -

-
-

- BZ#1892761 -

-
-

- bacula -

-
-

- BZ#2089399 -

-
-

- brltty -

-
-

- BZ#2008197 -

-
-

- chrony -

-
-

- BZ#2062356 -

-
-

- clevis -

-
-

- BZ#2107081 -

-
-

- cloud-init -

-
-

- BZ#1750862 -

-
-

- cockpit-appstream -

-
-

- BZ#2030836 -

-
-

- cockpit -

-
-

- BZ#2056786, BZ#1666722 -

-
-

- coreutils -

-
-

- BZ#2030661 -

-
-

- corosync-qdevice -

-
-

- BZ#1784200 -

-
-

- crash-ptdump-command -

-
-

- BZ#1838927 -

-
-

- crash -

-
-

- BZ#1906482 -

-
-

- createrepo_c -

-
-

- BZ#1973588 -

-
-

- cronie -

-
-

- BZ#1832510 -

-
-

- crypto-policies -

-
-

- BZ#1919155, BZ#1660839 -

-
-

- cups-filters -

-
-

- BZ#2064606 -

-
-

- device-mapper-multipath -

-
-

- BZ#2065477, - BZ#2011699 -

-
-

- distribution -

-
-

- BZ#2063772, BZ#1657927 -

-
-

- dnf -

-
-

- BZ#2060815, BZ#1986657 -

-
-

- dotnet7.0 -

-
-

- BZ#2112096 -

-
-

- dyninst -

-
-

- BZ#2057676 -

-
-

- ec2-images -

-
-

- BZ#1862930 -

-
-

- edk2 -

-
-

- BZ#1741615, BZ#1935497 -

-
-

- fapolicyd -

-
-

- BZ#2070639, BZ#2100087, BZ#2054741 -

-
-

- fence-agents -

-
-

- BZ#1775847 -

-
-

- firewalld -

-
-

- BZ#1871860 -

-
-

- freeradius -

-
-

- BZ#1958979 -

-
-

- frr -

-
-

- BZ#1714984 -

-
-

- gcc-toolset-12-annobin -

-
-

- BZ#2077447 -

-
-

- gcc-toolset-12-binutils -

-
-

- BZ#2077448 -

-
-

- gcc-toolset-12-gcc -

-
-

- BZ#2077276 -

-
-

- gcc-toolset-12-gdb -

-
-

- BZ#2077492 -

-
-

- gdb -

-
-

- BZ#1853140 -

-
-

- glibc -

-
-

- BZ#1888660, BZ#1982608, BZ#2065588, BZ#1961109, BZ#2089247, BZ#2091553, BZ#2104907, - BZ#2033684, BZ#2096189, - BZ#2077835 -

-
-

- gnome-control-center -

-
-

- BZ#2079139 -

-
-

- gnome-shell-extensions -

-
-

- BZ#1717947 -

-
-

- gnome-software -

-
-

- BZ#1668760 -

-
-

- gnutls -

-
-

- BZ#1628553 -

-
-

- golang -

-
-

- BZ#2075162 -

-
-

- grub2 -

-
-

- BZ#2074762, BZ#1583445 -

-
-

- grubby -

-
-

- BZ#1978226, BZ#1900829 -

-
-

- initscripts -

-
-

- BZ#1875485 -

-
-

- ipa -

-
-

- BZ#2059396, BZ#2022028, BZ#782917, BZ#2062379, BZ#1924707, BZ#2120572, BZ#2122919, BZ#1664719, BZ#1664718, BZ#2101770 -

-
-

- ipmitool -

-
-

- BZ#1873614 -

-
-

- iptables -

-
-

- BZ#2058444 -

-
-

- kdump-anaconda-addon -

-
-

- BZ#2086100 -

-
-

- kernel -

-
-

- BZ#2084242, BZ#2062870, BZ#2068429, BZ#2101938, JIRA:RHELPLAN-121252, BZ#2096127, - BZ#2054656, BZ#1868526, BZ#1694705, BZ#1730502, BZ#1609288, BZ#1602962, BZ#1865745, - BZ#1906870, BZ#1924016, BZ#1942888, BZ#1812577, BZ#1910358, BZ#1930576, BZ#2046396, - BZ#1793389, BZ#1654962, BZ#1940674, BZ#1920086, BZ#1971506, BZ#2059262, BZ#2050411, - BZ#2106341, BZ#2130159, BZ#1605216, BZ#1519039, BZ#1627455, BZ#1501618, BZ#1633143, - BZ#1814836, BZ#1696451, BZ#1348508, BZ#1837187, BZ#1904496, BZ#1660337, BZ#1905243, - BZ#1878207, BZ#1665295, BZ#1871863, BZ#1569610, BZ#1794513 -

-
-

- kexec-tools -

-
-

- BZ#2006000 -

-
-

- kmod-kvdo -

-
-

- BZ#2109047 -

-
-

- kmod -

-
-

- BZ#2103605 -

-
-

- krb5 -

-
-

- BZ#2026462, BZ#2125182, BZ#1877991 -

-
-

- libdnf -

-
-

- BZ#2088149 -

-
-

- libgnome-keyring -

-
-

- BZ#1607766 -

-
-

- libguestfs -

-
-

- BZ#1554735 -

-
-

- libpfm -

-
-

- BZ#2067218 -

-
-

- libreswan -

-
-

- BZ#1989050 -

-
-

- libselinux-python-2.8-module -

-
-

- BZ#1666328 -

-
-

- libva -

-
-

- BZ#2099907 -

-
-

- libvirt -

-
-

- BZ#1664592, BZ#1332758, BZ#2067126, - BZ#1528684 -

-
-

- libvpd -

-
-

- BZ#2051319 -

-
-

- llvm-toolset -

-
-

- BZ#2061042, BZ#2088315 -

-
-

- lsvpd -

-
-

- BZ#2051316 -

-
-

- lvm2 -

-
-

- BZ#1496229, BZ#1768536 -

-
-

- make43 -

-
-

- BZ#2083419 -

-
-

- mariadb-java-client -

-
-

- BZ#2043212 -

-
-

- mariadb -

-
-

- BZ#1944653, BZ#1942330 -

-
-

- maven -

-
-

- BZ#2083114 -

-
-

- mercurial -

-
-

- BZ#2089849 -

-
-

- mesa -

-
-

- BZ#1886147 -

-
-

- motif -

-
-

- BZ#2060571 -

-
-

- nfs-utils -

-
-

- BZ#1946283, BZ#2087187, BZ#2081114, BZ#1592011 -

-
-

- nispor -

-
-

- BZ#1848817 -

-
-

- nodejs -

-
-

- BZ#2083073 -

-
-

- nss_nis -

-
-

- BZ#1803161 -

-
-

- nss -

-
-

- BZ#1817533, - BZ#1645153, BZ#2097837 -

-
-

- open-vm-tools -

-
-

- BZ#2061193 -

-
-

- opencryptoki -

-
-

- BZ#2043845 -

-
-

- opencv -

-
-

- BZ#2104776, BZ#1886310 -

-
-

- openmpi -

-
-

- BZ#1866402 -

-
-

- opensc -

-
-

- BZ#1947025 -

-
-

- openssh -

-
-

- BZ#2044354 -

-
-

- openssl -

-
-

- BZ#1810911 -

-
-

- osbuild-composer -

-
-

- BZ#2065734 -

-
-

- oscap-anaconda-addon -

-
-

- BZ#2075508, BZ#1843932, - BZ#1665082 -

-
-

- pacemaker -

-
-

- BZ#2036815, BZ#2059638, BZ#1182956, BZ#1724310 -

-
-

- papi -

-
-

- BZ#2037426, BZ#2071558, - BZ#2037427, BZ#2037417 -

-
-

- pcs -

-
-

- BZ#1786964, BZ#1954099, BZ#2023845, BZ#1950551, BZ#1909904, BZ#1874624, - BZ#1619620, BZ#1847102, BZ#1851335 -

-
-

- pki-core -

-
-

- BZ#1729215, BZ#2134093, - BZ#1628987 -

-
-

- podman -

-
-

- BZ#2097708, - JIRA:RHELPLAN-77238 -

-
-

- postfix -

-
-

- BZ#1711885 -

-
-

- powerpc-utils -

-
-

- BZ#2078514, BZ#2051330 -

-
-

- ppc64-diag -

-
-

- BZ#2051313 -

-
-

- procps-ng -

-
-

- BZ#2111915 -

-
-

- pykickstart -

-
-

- BZ#1637872 -

-
-

- qemu-kvm -

-
-

- BZ#2043830, BZ#2020133, BZ#1740002, BZ#1719687, - BZ#1966475, BZ#1792683, - BZ#1651994 -

-
-

- rear -

-
-

- BZ#2072978, BZ#2115918, - BZ#2077404, BZ#2021935, BZ#2035872, BZ#1925531, - BZ#1868421, BZ#2083301 -

-
-

- redhat-support-tool -

-
-

- BZ#2064575, BZ#1802026 -

-
-

- redis -

-
-

- BZ#1999873 -

-
-

- restore -

-
-

- BZ#1997366 -

-
-

- rhel-system-roles -

-
-

- BZ#2064067, BZ#2115884, BZ#2060377, BZ#2072749, BZ#2083378, BZ#2100285, BZ#2060378, BZ#2083426, BZ#2100298, BZ#2101607, BZ#2115161, BZ#2109997, BZ#2065339, BZ#2086869, BZ#1996731, BZ#2065670, BZ#2043009, BZ#2112143, BZ#2066876, BZ#2071011, BZ#2075116, BZ#2079008, BZ#2086934, BZ#2086935, BZ#2093437, BZ#2079114, BZ#2056480, BZ#2065215, BZ#2065216, BZ#2065218, BZ#2100297, BZ#2100939, BZ#2100979, BZ#2115159, BZ#2115160, BZ#2115162, BZ#2021685, BZ#2006081 -

-
-

- rpm -

-
-

- BZ#1688849 -

-
-

- rsync -

-
-

- BZ#2139118 -

-
-

- rsyslog -

-
-

- BZ#1962318, BZ#1679512, - JIRA:RHELPLAN-10431 -

-
-

- rust-toolset -

-
-

- BZ#2075344 -

-
-

- s390utils -

-
-

- BZ#1660911 -

-
-

- samba -

-
-

- BZ#2077468, - BZ#2009213, JIRA:RHELPLAN-13195, Jira:RHELDOCS-16612 -

-
-

- sblim-wbemcli -

-
-

- BZ#2075807 -

-
-

- scap-security-guide -

-
-

- BZ#2064696, - BZ#2075384, BZ#2077531, BZ#2078974, BZ#2083109, BZ#2109602, BZ#2070564, BZ#2058203, - BZ#1967947, BZ#2032403, BZ#2112937, BZ#2028428, BZ#1858866, BZ#1750755, BZ#2038977, BZ#2119356 -

-
-

- selinux-policy -

-
-

- BZ#1461914 -

-
-

- sos -

-
-

- BZ#2011413 -

-
-

- spice -

-
-

- BZ#1849563 -

-
-

- sssd -

-
-

- BZ#2065692, BZ#2056483, BZ#1947671 -

-
-

- systemtap -

-
-

- BZ#2057565 -

-
-

- ubi8-container -

-
-

- BZ#2120378 -

-
-

- udica -

-
-

- BZ#1763210 -

-
-

- unbound -

-
-

- BZ#2027735 -

-
-

- vdo -

-
-

- BZ#1949163 -

-
-

- virt-manager -

-
-

- BZ#2026985 -

-
-

- vulkan-loader -

-
-

- BZ#2012639 -

-
-

- wayland -

-
-

- BZ#1673073 -

-
-

- weldr-client -

-
-

- BZ#2033192 -

-
-

- xmlstarlet -

-
-

- BZ#1882020 -

-
-

- xorg-x11-server -

-
-

- BZ#1698565 -

-
-

- xorg-x11-xtrans-devel -

-
-

- BZ#2075132 -

-
-

- other -

-
-

- JIRA:RHELPLAN-109067, JIRA:RHELPLAN-115603, BZ#2020301, BZ#2125545, - BZ#2128016, JIRA:RHELPLAN-121982, JIRA:RHELPLAN-118463, JIRA:RHELPLAN-100037, - BZ#1497089, JIRA:RHELPLAN-121981, JIRA:RHELPLAN-121983, JIRA:RHELPLAN-121980, BZ#2049492, - JIRA:RHELPLAN-98420, JIRA:RHELPLAN-100039, JIRA:RHELPLAN-123369, - JIRA:RHELPLAN-130379, JIRA:RHELPLAN-130376, JIRA:RHELPLAN-122735, BZ#2070793, BZ#2122716, - JIRA:RHELPLAN-135602, JIRA:RHELPLAN-136150, BZ#2139821, - BZ#2025814, BZ#2077770, BZ#1777138, BZ#1640697, BZ#1697896, BZ#1961722, BZ#1659609, - BZ#1687900, - BZ#1757877, BZ#1741436, JIRA:RHELPLAN-59111, JIRA:RHELPLAN-27987, - JIRA:RHELPLAN-34199, JIRA:RHELPLAN-57914, JIRA:RHELPLAN-96940, BZ#1974622, - BZ#2028361, BZ#2041997, BZ#2035158, - JIRA:RHELPLAN-109613, BZ#2126777, BZ#1690207, JIRA:RHELPLAN-1212, BZ#1559616, BZ#1889737, - JIRA:RHELPLAN-14047, BZ#1769727, - JIRA:RHELPLAN-27394, JIRA:RHELPLAN-27737, BZ#1906489, - JIRA:RHELPLAN-75165, JIRA:RHELPLAN-118470, JIRA:RHELPLAN-122316, BZ#1642765, - JIRA:RHELPLAN-10304, BZ#1646541, BZ#1647725, BZ#1932222, BZ#1686057, BZ#1748980, - JIRA:RHELPLAN-71200, BZ#1827628, JIRA:RHELPLAN-45858, BZ#1871025, BZ#1871953, - BZ#1874892, BZ#1916296, JIRA:RHELPLAN-100400, BZ#1926114, - BZ#1904251, BZ#2011208, - JIRA:RHELPLAN-59825, BZ#1920624, - JIRA:RHELPLAN-70700, BZ#1929173, - JIRA:RHELPLAN-85066, BZ#2006665, - JIRA:RHELPLAN-98983, BZ#2009113, BZ#1958250, BZ#2038929, BZ#2029338, BZ#2061288, BZ#2060759, - BZ#2055826, BZ#2059626, - JIRA:RHELPLAN-133171, BZ#2142499 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.2-9
-
-

- Fri Aug 9 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Added a Known Issue RHEL-11397 - (Installer and image creation) -
  • -
-
-
-
0.2-8
-
-

- Thu May 9 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.2-7
-
-

- Thu May 9 2024, Gabriela Fialova (gfialova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#1730502 - (Storage). -
  • -
-
-
-
0.2-6
-
-

- Thu Feb 29 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-5
-
-

- Tue Feb 13 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.2-4
-
-

- Fri Feb 2 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#1834716 - (Security). -
  • -
-
-
-
0.2-3
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.2-2
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-1
-
-

- October 9 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#2169382 - (Networking). -
  • -
-
-
-
0.2-0
-
-

- Fri September 8 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.1-9
-
-

- Thu August 24 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2214508 - (Kernel). -
  • -
-
-
-
0.1-8
-
-

- Fri August 4 2023, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.1-7
-
-

- Tue August 1 2023, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added deprecated functionality BZ#2225332. -
  • -
  • - Improved abstract. -
  • -
-
-
-
0.1-6
-
-

- Mon Jul 17 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Fixed a mistake in BZ#2072749 - (System Roles). -
  • -
-
-
-
0.1-5
-
-

- Thu Jun 29 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Added a Technology Preview BZ#1570255 (Kernel). -
  • -
-
-
-
0.1-4
-
-

- Fri Jun 16 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2214235 - (Kernel). -
  • -
-
-
-
0.1-3
-
-

- Thu Jun 15 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added an enhancement BZ#2070347 - (Boot loader). -
  • -
-
-
-
0.1-3
-
-

- Thu May 18 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an enhancement BZ#2083077 (File - systems and storage). -
  • -
-
-
-
0.1-2
-
-

- Wed May 10 2023, Jaroslav Klech (jklech@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2169382 - (Networking). -
  • -
-
-
-
0.1-1
-
-

- Thu Apr 27 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-0
-
-

- Tue Apr 18 2023, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added an enhancement from an asynchronous update BZ#2178087 - (Dynamic programming languages, web and database servers). -
  • -
-
-
-
0.0-9
-
-

- Thu Apr 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Fixed 2 broken links in DFs and KIs. -
  • -
-
-
-
0.0-8
-
-

- Feb 17 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2158783 - (File systems and storage). -
  • -
-
-
-
0.0-7
-
-

- Feb 14 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Added an enhancement BZ#2144898 - (Networking). -
  • -
-
-
-
0.0-6
-
-

- Feb 08 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added bug fixes BZ#2046396 - (Kernel) and BZ#2069379 - (Identity Management). -
  • -
  • - Other minor updates. -
  • -
-
-
-
0.0-5
-
-

- Jan 24 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2115791 (RHEL in cloud - environments). -
  • -
-
-
-
0.0-4
-
-

- Jan 18 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#1920086 (Kernel). -
  • -
-
-
-
0.0-3
-
-

- Dec 07 2022, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Moved the nodejs:18 module stream BZ#2083073 from - Technology Previews to fully supported features (Dynamic programming languages, web - and database servers). -
  • -
  • - Added a known issue BZ#2132754 - (Networking). -
  • -
-
-
-
0.0-2
-
-

- Nov 23 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Release of Directory Server RNs and subsequent republishing of RHEL 8.7 RNs. -
  • -
-
-
-
0.0-1
-
-

- Nov 09 2022, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.7 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Sep 28 2022, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.7 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
- diff --git a/app/data/8.8.html b/app/data/8.8.html deleted file mode 100644 index 1d42a0f..0000000 --- a/app/data/8.8.html +++ /dev/null @@ -1,21323 +0,0 @@ - -
-
-
-
Red Hat Enterprise Linux 8.8
-
-

Release Notes for Red Hat Enterprise Linux 8.8

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.8 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
- For information about installing Red Hat Enterprise Linux, see Section 3.1, “Installation”. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your feedback on our documentation. Let us know how we can improve it. -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 8.8

-
-
-
-

Installer and image creation

-

- Key highlights for image builder: -

-
-
    -
  • - Image builder on-prem now offers a new and improved way to create blueprints and images in - the image builder web console. -
  • -
  • - The RHEL for Edge Simplified Installer image type is now available in the image builder web - console. -
  • -
-
-

- For more information, see New features - Installer and image creation. -

-

RHEL for Edge

-

- RHEL for Edge introduces the following new feature in RHEL 8.8: -

-
-
    -
  • - Specifying a user in a blueprint for simplified-installer - images is now supported. -
  • -
-
-

- For more information, see New features - RHEL for Edge. -

-

Security

-

- Key security-related highlights: -

-
-
    -
  • - The FIPS mode settings in the kernel - have been adjusted to conform to the Federal Information Processing Standard (FIPS) 140-3. - This change introduces stricter settings to many cryptographic algorithms, functions, and - cipher suites. -
  • -
  • - The Libreswan IPsec implementation was - rebased to version 4.9. -
  • -
  • - With the fapolicyd software framework, you can now - filter the RPM database. -
  • -
  • - The OpenSCAP security compliance utility - was rebased to version 1.3.7. -
  • -
  • - Rsyslog TLS-encrypted logging now - supports multiple CA files. -
  • -
  • - The systemd-socket-proxyd service now runs in its own SELinux - domain due to an update to the SELinux policy. -
  • -
-
-

- See New features - Security - for more information. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following Application Streams are now available: -

-
-
    -
  • - Python 3.11 -
  • -
  • - nginx 1.22 -
  • -
  • - PostgreSQL 15 -
  • -
-
-

- The following components have been upgraded: -

-
-
    -
  • - Git to version 2.39.1 -
  • -
  • - Git LFS to version 3.2.0 -
  • -
-
-

- See New features - Dynamic - programming languages, web and database servers for more information. -

-

Compilers and development tools

-
Updated performance tools and debuggers
-

- The following performance tools and debuggers have been updated in RHEL 8.8: -

-
-
    -
  • - Valgrind 3.19 -
  • -
  • - SystemTap 4.8 -
  • -
  • - elfutils 0.188 -
  • -
-
-
Updated performance monitoring tools
-

- The following performance monitoring tools have been updated in RHEL 8.8: -

-
-
    -
  • - PCP 5.3.7 -
  • -
  • - Grafana 7.5.15 -
  • -
-
-
Updated compiler toolsets
-

- The following compiler toolsets have been updated in RHEL 8.8: -

-
-
    -
  • - GCC Toolset 12 -
  • -
  • - LLVM Toolset 15.0.7 -
  • -
  • - Rust Toolset 1.66 -
  • -
  • - Go Toolset 1.19.4 -
  • -
-
-

- See New features - Compilers and development tools - for more information. -

-
Java implementations in RHEL 8
-

- The RHEL 8 AppStream repository includes: -

-
-
    -
  • - The java-17-openjdk packages, which provide the OpenJDK 17 Java - Runtime Environment and the OpenJDK 17 Java Software Development Kit. -
  • -
  • - The java-11-openjdk packages, which provide the OpenJDK 11 Java - Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
  • -
  • - The java-1.8.0-openjdk packages, which provide the OpenJDK 8 - Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. -
  • -
-
-

- The Red Hat build of OpenJDK packages share a single set of binaries between its portable Linux - releases, RHEL 8.8 and later releases. Because of this update, there is a change in the process of - rebuilding the OpenJDK packages on RHEL from the source RPM. For more information about the new - rebuilding process, see the README.md file which is available in the - SRPM package of the Red Hat build of OpenJDK and is also installed by the java-*-openjdk-headless packages under the /usr/share/doc tree. -

-

- For more information, see OpenJDK - documentation. -

-

The web console

-

- The RHEL web console now performs additional steps for binding LUKS-encrypted root volumes to NBDE deployments. -

-

- You can also apply the following cryptographic - subpolicies through the graphical interface now: DEFAULT:SHA1, LEGACY:AD-SUPPORT, and FIPS:OSPP. -

-

- See New features - - The web console for more information. -

-

Containers

-

- Notable changes include: -

-
-
    -
  • - The podman RHEL System Role is now available. -
  • -
  • - Clients for sigstore signatures with Fulcio and Rekor are now available. -
  • -
  • - Skopeo now supports generating sigstore key pairs. -
  • -
  • - Podman now supports events for auditing. -
  • -
  • - The Container Tools packages have been updated. -
  • -
  • - The Aardvark and Netavark networks stack now supports custom DNS server selection. -
  • -
  • - Toolbox is now available. -
  • -
  • - Podman Quadlet is now available as a Technology Preview. -
  • -
  • - The container-tools:3.0 module stream has been deprecated. -
  • -
  • - The CNI network stack has been deprecated. -
  • -
-
-

- See New features - - Containers for more information. -

-
-
-
-
-
-

1.2. In-place upgrade and OS conversion

-
-
-
-

In-place upgrade from RHEL 7 to RHEL 8

-

- The possible in-place upgrade paths currently are: -

-
-
    -
  • - From RHEL 7.9 to RHEL 8.6 and RHEL 8.8 on the 64-bit Intel, IBM POWER 8 (little endian), and - IBM Z architectures -
  • -
  • - From RHEL 7.6 to RHEL 8.4 on architectures that require kernel version 4.14: IBM POWER 9 - (little endian) and IBM Z (Structure A). This is the final in-place upgrade path for these - architectures. -
  • -
  • - From RHEL 7.9 to RHEL 8.6 and RHEL 8.8 on systems with SAP HANA on the 64-bit Intel - architecture. -
  • -
-
-

- For more information, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. -

-

- For instructions on performing an in-place upgrade, see Upgrading - from RHEL 7 to RHEL 8. -

-

- If you are upgrading to RHEL 8.8 with SAP HANA, ensure that the system is certified for SAP prior to - the upgrade. For instructions on performing an in-place upgrade on systems with SAP environments, - see How to in-place upgrade SAP - environments from RHEL 7 to RHEL 8. -

-
-
Note
-
-

- For the successful in-place upgrade of RHEL 7.6 for IBM POWER 9 (little endian) and IBM Z - (structure A) architectures, you must manually download the specific Leapp data. For more - information, see the Leapp - data snapshots for an in-place upgrade Knowledgebase article. -

-
-
-

- Notable enhancements include: -

-
-
    -
  • - The RHEL in-place upgrade path strategy has changed. For more information, see Supported in-place - upgrade paths for Red Hat Enterprise Linux. -
  • -
  • - The latest release of the leapp-upgrade-el7toel8 package now - contains all required data files. Customers no longer need to manually download these data - files. -
  • -
  • - In-place upgrades using an ISO image that contains the target version are now possible. -
  • -
  • - RPM signatures are now automatically checked during the in-place upgrade. To disable the - automatic check, use the --nogpgcheck option when performing - the upgrade. -
  • -
  • - Systems that are subscribed to RHSM are now automatically registered with Red Hat Insights. - To disable the automatic registration, set the LEAPP_NO_INSIGHTS_REGISTER environment variable to 1. -
  • -
  • - Red Hat now collects upgrade-related data, such as the upgrade start and end times and - whether the upgrade was successful, for utility usage analysis. To disable data collection, - set the LEAPP_NO_RHSM_FACTS environment variable to 1. -
  • -
-
-

In-place upgrade from RHEL 6 to RHEL 8

-

- To upgrade from RHEL 6.10 to RHEL 8, follow instructions in Upgrading - from RHEL 6 to RHEL 8. -

-

In-place upgrade from RHEL 8 to RHEL 9

-

- Instructions on how to perform an in-place upgrade from RHEL 8 to RHEL 9 using the Leapp utility are - provided by the document Upgrading - from RHEL 8 to RHEL 9. Major differences between RHEL 8 and RHEL 9 are documented in Considerations - in adopting RHEL 9. -

-

Conversion from a different Linux - distribution to RHEL

-

- If you are using CentOS Linux 8 or Oracle Linux 8, you can convert your operating system to RHEL 8 - using the Red Hat-supported Convert2RHEL utility. For more - information, see Converting - from an RPM-based Linux distribution to RHEL. -

-

- If you are using an earlier version of CentOS Linux or Oracle Linux, namely versions 6 or 7, you can - convert your operating system to RHEL and then perform an in-place upgrade to RHEL 8. Note that - CentOS Linux 6 and Oracle Linux 6 conversions use the unsupported Convert2RHEL utility. For more information on unsupported conversions, - see How to perform an unsupported - conversion from a RHEL-derived Linux distribution to RHEL. -

-

- For information regarding how Red Hat supports conversions from other Linux distributions to RHEL, - see the Convert2RHEL Support Policy - document. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-
- -
-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.8 is distributed with the kernel version 4.18.0-477.10, which provides - support for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Installation ISO image is in multiple GB size, and as a result, it might not - fit on optical media formats. A USB key or USB hard drive is recommended when - using the Installation ISO image to create bootable installation media. You can - also use the Image Builder tool to create customized RHEL images. For more - information about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 8 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of user - space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.8. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

A new and improved way to create blueprints and images in the image builder - web console

-

- With this enhancement, you have access to a unified version of the image builder tool and a - significant improvement in your user experience. -

-
-

- Notable enhancements in the image builder dashboard GUI include: -

-
-
    -
  • - You can now customize your blueprints with all the customizations previously supported only - in the CLI, such as kernel, file system, firewall, locale, and other customizations. -
  • -
  • - You can import blueprints by either uploading or dragging the blueprint in the .JSON or .TOML format and create - images from the imported blueprint. -
  • -
  • - You can also export or save your blueprints in the .JSON or - .TOML format. -
  • -
  • - Access to a blueprint list that you can sort, filter, and is case-sensitive. -
  • -
  • -

    - With the image builder dashboard, you can now access your blueprints, images, and - sources by navigating through the following tabs: -

    -
    -
      -
    • - Blueprint - Under the Blueprint tab, you can now import, export, or delete your - blueprints. -
    • -
    • -

      - Images - Under the Images tab, you can: -

      -
      -
        -
      • - Download images. -
      • -
      • - Download image logs. -
      • -
      • - Delete images. -
      • -
      -
      -
    • -
    • -

      - Sources - Under the Sources tab, you can: -

      -
      -
        -
      • - Download images. -
      • -
      • - Download image logs. -
      • -
      • - Create sources for images. -
      • -
      • - Delete images. -
      • -
      -
      -
    • -
    -
    -
  • -
-
-

- Jira:RHELPLAN-139448 -

-
-

Support for 64-bit ARM for .vhd images built - with image builder

-

- Previously, Microsoft Azure .vhd images created with the image - builder tool were not supported on 64-bit ARM architectures. This update adds support for 64-bit - ARM Microsoft Azure .vhd images and now you can build your .vhd images using image builder and upload them to the Microsoft - Azure cloud. -

-
-

- Jira:RHELPLAN-139424 -

-
-
-
-
-
-

4.2. RHEL for Edge

-
-
-
-
-

Ability to specify user in a blueprint for simplified-installer images

-

- Previously, when creating a blueprint for a simplified-installer image, you could not specify a - user in the blueprint customization, because the customization was not used and was discarded. - With this update, when you create an image from the blueprint, this blueprint creates a user - under the /usr/lib/passwd directory and a password under the /usr/etc/shadow directory during installation time. You can log in to - the device with the username and the password you created for the blueprint. Note that after you - access the system, you need to create users, for example, using the useradd command. -

-
-

- Jira:RHELPLAN-149091 -

-
-

Red Hat build of MicroShift enablement for RHEL for Edge images -

-

- With this enhancement, you can enable Red Hat build of MicroShift services in a RHEL for Edge - system. By using the [[customizations.firewalld.zones]] blueprint - customization, you can add support for firewalld sources in the - blueprint customization. For that, specify a name for the zone and a list of sources in that - specific zone. Sources can be of the form source[/mask]|MAC|ipset:ipset. -

-
-

- The following is a blueprint example on how to configure and customize support for Red Hat build of - MicroShift services in a RHEL for Edge system. -

-
[[packages]]
-name = "microshift"
-version = "*"
-[customizations.services]
-enabled = ["microshift"]
-[[customizations.firewall.zones]]
-name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
-

- The Red Hat build of MicroShift installation requirements, such as firewall policies, MicroShift - RPM, systemd service, enable you to create a deployment ready for - production to achieve workload portability to a minimum field deployed edge device and by default - LVM device mapper enablement. -

-

- Jira:RHELPLAN-136489 -

-
-
-
-
-
-

4.3. Software management

-
-
-
-
-

New yum offline-upgrade command for offline - updates on RHEL

-

- With this enhancement, you can apply offline updates to RHEL by using the new yum offline-upgrade command from the YUM system-upgrade plug-in. -

-
-
-
Important
-
-

- The yum system-upgrade command included in the system-upgrade plug-in is not supported on RHEL. -

-
-
-

- Bugzilla:2054235 -

-
-

Applying advisory security filters to yum offline-upgrade is now supported

-

- With this enhancement, the new functionality for advisories filtering has been added. As a - result, you can now download packages and their dependencies only from the specified advisory by - using the yum offline-upgrade command with advisory security - filters (--advisory, --security, --bugfix, and other filters). -

-
-

- Bugzilla:2139324 -

-
-

The unload_plugins function is now available - for the YUM API

-

- With this enhancement, a new unload_plugins function has been added - to the YUM API to allow plug-ins unloading. -

-
-
-
Important
-
-

- Note that you must first run the init_plugins function, and - then run the unload_plugins function. -

-
-
-

- Bugzilla:2047251 -

-
-

New --nocompression option for rpm2archive

-

- With this enhancement, the --nocompression option has been added to - the rpm2archive utility. You can use this option to avoid - compression when directly unpacking an RPM package. -

-
-

- Bugzilla:2129345 -

-
-
-
-
-
-

4.4. Shells and command-line tools

-
-
-
-
-

ReaR is now fully supported also on the 64-bit IBM Z architecture -

-

- Basic Relax and Recover (ReaR) functionality, previously available on the 64-bit IBM Z - architecture as a Technology Preview, is fully supported with the rear package version 2.6-9.el8 or later. You can create a ReaR rescue - image on the IBM Z architecture in the z/VM environment only. Backing up and recovering logical - partitions (LPARs) is not supported at the moment. ReaR supports saving and restoring disk - layout only on Extended Count Key Data (ECKD) direct access storage devices (DASDs). Fixed Block - Access (FBA) DASDs and SCSI disks attached through Fibre Channel Protocol (FCP) are not - supported for this purpose. The only output method currently available is Initial Program Load - (IPL), which produces a kernel and an initial ramdisk (initrd) compatible with the zIPL bootloader. -

-
-

- For more information see Using - a ReaR rescue image on the 64-bit IBM Z architecture. -

-

- Bugzilla:2130206, - Bugzilla:1868421 -

-
-
-
-
-
-

4.5. Infrastructure services

-
-
-
-
-

New synce4l package for frequency - synchronization is now available

-

- SyncE (Synchronous Ethernet) is a hardware feature that enables PTP clocks to achieve precise - synchronization of frequency at the physical layer. SyncE is supported in certain network - interface cards (NICs) and network switches. -

-
-

- With this enhancement, the new synce4l package is now available, which - provides support for SyncE. As a result, Telco Radio Access Network (RAN) applications can now - achieve more efficient communication due to more accurate time synchronization. -

-

- Bugzilla:2019751 -

-
-

powertop rebased to version 2.15

-

- The powertop package for improving the energy efficiency has been - updated to version 2.15. Notable changes and enhancements include: -

-
-
-
    -
  • - Several Valgrind errors and possible buffer overrun have been fixed to improve the powertop tool stability. -
  • -
  • - Improved compatibility with Ryzen processors and Kaby Lake platforms. -
  • -
  • - Enabled Lake Field, Alder Lake N, and Raptor Lake platforms support. -
  • -
  • - Enabled Ice Lake NNPI and Meteor Lake mobile and desktop support. -
  • -
-
-

- Bugzilla:2040070 -

-
-

tuned rebased to version 2.20.0

-

- The TuneD utility for optimizing the performance of applications and workloads has been updated - to version 2.20.0. Notable changes and enhancements over version 2.19.0 include: -

-
-
-
    -
  • - An extension of API enables you to move devices between plug-in instances at runtime. -
  • -
  • -

    - The plugin_cpu module, which provides fine-tuning of - CPU-related performance settings, introduces the following enhancements: -

    -
    -
      -
    • - The pm_qos_resume_latency_us feature enables you to - limit the maximum time allowed for each CPU to transition from an idle state to - an active state. -
    • -
    • - TuneD adds support for the intel_pstate scaling - driver, which provides scaling algorithms to tune the systems’ power management - based on different usage scenarios. -
    • -
    -
    -
  • -
  • - The socket API to control TuneD through a Unix domain socket is now available as a - Technology Preview. See Socket API for TuneD - available as a Technology Preview for more information. -
  • -
-
-

- Bugzilla:2133814, Bugzilla:2113925, Bugzilla:2118786, Bugzilla:2095829, Bugzilla:2113900 -

-
-
-
-
-
-

4.6. Security

-
-
-
-
-

FIPS mode now has more secure settings that target FIPS 140-3

-

- The FIPS mode settings in the kernel have been adjusted to conform to the Federal Information - Processing Standard (FIPS) 140-3. This change introduces stricter settings to many cryptographic - algorithms, functions, and cipher suites. Most notably: -

-
-
-
    -
  • - The Triple Data Encryption Standard (3DES), Elliptic-curve Diffie-Hellman (ECDH), and - Finite-Field Diffie-Hellman (FFDH) algorithms are now disabled. This change affects - Bluetooth, DH-related operations in the kernel keyring, and Intel QuickAssist Technology - (QAT) cryptographic accelerators. -
  • -
  • - The hash-based message authentication code (HMAC) key now cannot be shorter than 112 bits. - The minimum key length is set to 2048 bits for Rivest-Shamir-Adleman (RSA) algorithms. -
  • -
  • - Drivers that used the xts_check_key() function have been - updated to use the xts_verify_key() function instead. -
  • -
  • - The following Deterministic Random Bit Generator (DRBG) hash functions are now disabled: - SHA-224, SHA-384, SHA512-224, SHA512-256, SHA3-224, and SHA3-384. -
  • -
-
-
-
Note
-
-

- Even though the RHEL 8.6 (and newer) kernel in FIPS mode is designed to be compliant with - FIPS 140-3, it is not yet certified by the National Institute of Standards and Technology - (NIST) Cryptographic Module Validation Program (CMVP). The latest certified kernel module is - the updated RHEL 8.5 kernel after the RHSA-2021:4356 advisory update. That certification - applies to the FIPS 140-2 standard. You cannot choose whether a cryptographic module - conforms to FIPS 140-2 or 140-3. For more information, see the Compliance - Activities and Government Standards: FIPS 140-2 and FIPS 140-3 Knowledgebase - article. -

-
-
-

- Bugzilla:2107595, Bugzilla:2158893, Bugzilla:2175234, Bugzilla:2166715, Bugzilla:2129392, Bugzilla:2152133 -

-
-

Libreswan rebased to 4.9

-

- The libreswan packages have been upgraded to version 4.9. Notable - changes over the previous version include: -

-
-
-
    -
  • - Added support for {left,right}pubkey= to the addconn and whack utilities -
  • -
  • - Added key derivation function (KDF) self-tests -
  • -
  • - Updated list of allowed system calls for the seccomp filter -
  • -
  • -

    - Show host’s authentication key (showhostkey): -

    -
    -
      -
    • - Added support for Elliptic Curve Digital Signature Algorithm (ECDSA) pubkeys -
    • -
    • - Added the --pem option to print Privacy-Enhanced - Mail (PEM)-encoded public key -
    • -
    -
    -
  • -
  • -

    - The Internet Key Exchange Protocol Version 2 (IKEv2): -

    -
    -
      -
    • - Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) support -
    • -
    • - EAP-only authentication support -
    • -
    • - Labeled IPsec improvements -
    • -
    -
    -
  • -
  • -

    - The pluto Internet Key Exchange (IKE) daemon: -

    -
    -
      -
    • - Support for maxbytes and maxpacket counters -
    • -
    • - Changed default value of replay-window from 32 to - 128 -
    • -
    • - Changed the default value of esn= to either and preferred value to yes -
    • -
    • - Disabled esn when replay-window= is set to 0 -
    • -
    • - Dropped obsolete debug options such as crypto-low -
    • -
    -
    -
  • -
-
-

- Bugzilla:2128672 -

-
-

SELinux now confines udftools

-

- With this update of the selinux-policy packages, SELinux confines - the udftools service. -

-
-

- Bugzilla:1972230 -

-
-

New SELinux policy for systemd-socket-proxyd

-

- Because the systemd-socket-proxyd service requires particular - resources usage, a new policy with the required rules was added to the selinux-policy packages. As a result, the service runs in its SELinux - domain. -

-
-

- Bugzilla:2088441 -

-
-

OpenSCAP rebased to 1.3.7

-

- The OpenSCAP packages have been rebased to upstream version 1.3.7. This version provides various - bug fixes and enhancements, most notably: -

-
-
-
    -
  • - Fixed error when processing OVAL filters (rhbz#2126882) -
  • -
  • - OpenSCAP no longer emits invalid empty xmlfilecontent items if - XPath does not match (rhbz#2139060) -
  • -
  • - Prevented Failed to check available memory errors - (rhbz#2111040) -
  • -
-
-

- Bugzilla:2159290 -

-
-

scap-security-guide rules for Rsyslog log - files are compatible with RainerScript

-

- Rules in scap-security-guide for checking and remediating - ownership, group ownership, and permissions of Rsyslog log files are now also compatible with - log files defined by using the RainerScript syntax. Modern systems already use the RainerScript - syntax in Rsyslog configuration files and the respective rules were not able to recognize this - syntax. As a result, scap-security-guide rules can now check and - remediate ownership, group ownership, and permissions of Rsyslog log files in both available - syntaxes. -

-
-

- Bugzilla:2072444 -

-
-

STIG security profile updated to version V1R9

-

- The DISA STIG for Red Hat Enterprise Linux 8 profile in the SCAP - Security Guide has been updated to align with the latest version V1R9. This release also includes changes published in V1R8. -

-
-

- Use only the current version of this profile because previous versions are no longer valid. -

-

- The following STIG IDs have been updated: -

-
-
    -
  • -

    - V1R9 -

    -
    -
      -
    • - RHEL-08-010359 - Selected rule aide_build_database -
    • -
    • - RHEL-08-010510 - Removed rule sshd_disable_compresssion -
    • -
    • - RHEL-08-020040 - New rule to configure tmux keybinding -
    • -
    • - RHEL-08-020041 - New rule to configure starting tmux instead of exec tmux -
    • -
    -
    -
  • -
  • -

    - V1R8 -

    -
    -
      -
    • - Multiple STIG IDs - The sshd and sysctl rules can identify and remove duplicate or - conflicting configurations. -
    • -
    • - RHEL-08-010200 - SSHD ClientAliveCountMax is configured with value 1. -
    • -
    • - RHEL-08-020352 - Check and remediations now ignore .bash_history. -
    • -
    • - RHEL-08-040137 - Check updated to examine both /etc/fapolicyd/fapolicyd.rules and /etc/fapolicyd/complied.rules. -
    • -
    -
    -
  • -
-
-
-
Warning
-
-

- Automatic remediation might make the system non-functional. Run the remediation in a test - environment first. -

-
-
-

- Bugzilla:2152658 -

-
-

RHEL 8 STIG profiles are better aligned with the benchmark

-

- Four existing rules that satisfy RHEL 8 STIG requirements were part of the data stream but were - previously not included in the STIG profiles (stig and stig_gui). With this update, the following rules are now included in - the profiles: -

-
-
-
    -
  • - accounts_passwords_pam_faillock_dir -
  • -
  • - accounts_passwords_pam_faillock_silent -
  • -
  • - account_password_selinux_faillock_dir -
  • -
  • - fapolicy_default_deny -
  • -
-
-

- As a result, the RHEL 8 STIG profiles have a higher coverage. -

-

- Bugzilla:2156192 -

-
-

SCAP Security Guide rebased to 0.1.66

-

- The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.66. This - version provides various enhancements and bug fixes, most notably: -

-
-
-
    -
  • - Updated RHEL 8 STIG profiles -
  • -
  • - Deprecated rule account_passwords_pam_faillock_audit in favor - of accounts_passwords_pam_faillock_audit -
  • -
-
-

- Bugzilla:2158404 -

-
-

OpenSSL driver can now use certificate chains in Rsyslog

-

- The NetstreamDriverCaExtraFiles directive allows configuring - multiple additional certificate authority (CA) files. With this update, you can specify multiple - CA files and the OpenSSL library can validate them, which is necessary for SSL certificate - chains. As a result, you can use certificate chains in Rsyslog with the OpenSSL driver. -

-
-

- Bugzilla:2124934 -

-
-

opencryptoki rebased to 3.19.0

-

- The opencryptoki package has been rebased to version 3.19.0, which - provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features: -

-
-
-
    -
  • - IBM-specific Dilithium keys -
  • -
  • - Dual-function cryptographic functions -
  • -
  • - Cancelling active session-based operations by using the new C_SessionCancel function, as described in the PKCS #11 - Cryptographic Token Interface Base Specification v3.0 -
  • -
  • - Schnorr signatures through the CKM_IBM_ECDSA_OTHER mechanism -
  • -
  • - Bitcoin key derivation through the CKM_IBM_BTC_DERIVE mechanism -
  • -
  • - EP11 tokens in IBM z16 systems -
  • -
-
-

- Bugzilla:2110315 -

-
-

New SCAP rule for idle session termination

-

- New SCAP rule logind_session_timeout has been added to the scap-security-guide package in ANSSI-BP-028 profiles for Enhanced and - High levels. This rule uses a new feature of the systemd service - manager and terminates idle user sessions after a certain time. This rule provides automatic - configuration of a robust idle session termination mechanism which is required by multiple - security policies. As a result, OpenSCAP can automatically check the security requirement - related to terminating idle user sessions and, if necessary, remediate it. -

-
-

- Bugzilla:2122322 -

-
-

fapolicyd now provides filtering of the RPM database

-

- With the new configuration file /etc/fapolicyd/rpm-filter.conf, you - can customize the list of RPM-database files that the fapolicyd - software framework stores in the trust database. This way, you can block certain applications - installed by RPM or allow an application denied by the default configuration filter. -

-
-

- Bugzilla:2165645 -

-
-
-
-
-
-

4.7. Networking

-
-
-
-
-

The default MPTCP subflow limit is 2

-

- A subflow is a single TCP connection that is part of a Multipath TCP (MPTCP) connection. A - subflow limit in MPTCP refers to the maximum number of additional connections that can be - created between two MPTCP endpoints. You can use the limit to restrict the number of additional - parallel subflows that can be created between the endpoints, to avoid overloading the network - and the endpoints. For example the value of 0 allows only the initial subflow. -

-
-

- With this enhancement, the default MPTCP subflow limit has been increased from 0 to 2. This enables - you by default to create multiple additional subflows. If you need a different value, you can create - a Systemd oneshot unit. The unit should execute the ip mptcp limits set subflows <YOUR_VALUE> command after your - network (network.target) is operational during every boot process. -

-

- Bugzilla:2127136 -

-
-

The kernel now logs the listening address in SYN flood messages -

-

- This enhancement adds the listening IP address to SYN flood messages: -

-
-
Possible SYN flooding on port <ip_address>:<port>.
-

- As a result, if many processes are bound to the same port on different IP addresses, administrators - can now clearly identify the affected socket. -

-

- Bugzilla:2143849 -

-
-

The nm-initrd-generator profiles now have - lower priority than autoconnect profiles

-

- The nm-initrd-generator early boot NetworkManager configuration - generator utility generates and configures connection profiles by using the NetworkManager - instance running in the boot loader’s initialized initrd RAM disk. - The nm-initrd-generator utility generated profiles now have a lower - autoconnect priority than the default connection autoconnect priority. This enables generated - network profiles in initrd to coexist with user configuration in - default root account. -

-
-
-
Note
-
-

- After switching from initrd root account to default root, the - same profile stays activated and no new autoconnect happens. -

-
-
-

- Bugzilla:2089707 -

-
-

nispor rebased to version 1.2.10

-

- The nispor packages have been upgraded to upstream version 1.2.10, - which provides a number of enhancements and bug fixes over the previous version: -

-
-
-
    -
  • - Added support for NetStateFilter to use the kernel filter on - network routes and interfaces. -
  • -
  • - Single Root Input and Output Virtualization (SR-IOV) interfaces can query SR-IOV Virtual - Function (SR-IOV VF) information per (VF). -
  • -
  • - Newly supported bonding options: lacp_active, arp_missed_max, and ns_ip6_target. -
  • -
-
-

- Bugzilla:2153166 -

-
-

NetworkManager rebased to version 1.40.16

-

- The NetworkManager packages have been upgraded to upstream version - 1.40.16, which provides a number of bug fixes over the previous version: -

-
-
-
    -
  • - The nm-cloud-setup utility preserves externally added - addresses. -
  • -
  • - A race condition was fixed that prevented the automatic activation of MACsec connections at - boot. -
  • -
  • - NetworkManager now correctly calculates expiration times for items configured from IPv6 - neighbor discovery messages. -
  • -
  • - NetworkManager now automatically updates the /etc/resolv.conf - file when the configuration changes. -
  • -
  • - NetworkManager no longer sets non-existent interfaces as primary when activating a bond. -
  • -
  • - Setting a primary interface in a bond now always works, even if the interface does not exist - when you active the bond. -
  • -
  • - The NetworkManager --print-config command no longer prints - duplicate entries. -
  • -
  • - The ifcfg-rh plug-in can now read InfiniBand P-Key connection - profiles without an explicit interface name. -
  • -
  • - The nmcli utility can now remove a bond port connection profile - from a bond. -
  • -
  • - A race condition was fixed that could occur during the activation of veth profiles if the peer already existed. -
  • -
  • - NetworkManager now rejects DHCPv6 leases if all addresses fail IPv6 duplicate address - detection (DAD). -
  • -
  • - NetworkManager now waits until interfaces are connected before trying to resolve the system - hostname on these interfaces from DNS. -
  • -
  • - Profiles created by the nm-initrd-generator utility now have a - lower-than-default priority. -
  • -
-
-

- For further information about notable changes, read the upstream - release notes. -

-

- Bugzilla:2134907 -

-
-
-
-
-
-

4.8. Kernel

-
-
-
-
-

Kernel version in RHEL 8.8

-

- Red Hat Enterprise Linux 8.8 is distributed with the kernel version 4.18.0-477.10. -

-
-

- Bugzilla:2177769 -

-
-

Secure Execution guest dump encryption with customer keys

-

- This new feature allows Secure Execution guests to use hypervisor-initiated dumps to collect - kernel crash information from KVM when the kdump utility does not - work. Note that hypervisor-initiated dumps for Secure Execution are designed for the IBM Z - Series z16 and LinuxONE Emperor 4 hardware. -

-
-

- Bugzilla:2043833 -

-
-

The sfc driver has split into sfc and sfc_siena

-

- Following the changes in the upstream driver, the sfc NIC driver is - now split into 2 different drivers: sfc and sfc_siena. sfc_siena supports the - deprecated Siena family devices. -

-
-

- Note that custom configurations of the kernel module parameters and udev rules applied to sfc do not affect - sfc_siena as they are now independent drivers. To customize both - drivers, replicate the configuration options for sfc_siena. -

-

- Bugzilla:2136107 -

-
-

The stmmac driver is now fully - supported

-

- Red Hat now fully supports the stmmac driver for Intel® Elkhart - Lake systems on a chip (SoCs). -

-
-

- Bugzilla:1905243 -

-
-

The rtla meta-tool adds the osnoise and timerlat tracers for - improved tracer capabilities

-

- The Real-Time Linux Analysis (rtla) is a meta-tool that includes a - set of commands that analyze the real-time properties of Linux. rtla leverages kernel tracing capabilities to provide accurate - information about the properties and root causes of unexpected system results. rtla currently adds support for osnoise - and timerlat tracer commands. The osnoise tracer reports a kernel thread per CPU. The timerlat tracer periodically prints the timer latency at the timer - IRQ handler and the thread handler. -

-
-

- Note that to use the timerlat feature of rtla, you must disable admission control by using the sysctl -w kernel.sched_rt_runtime_us=-1 script. -

-

- Bugzilla:2075203 -

-
-

The output format for cgroups and irqs has been improved to provide better readability

-

- With this enhancement, the tuna show_threads command output for the - cgroup utility is now structured based on the terminal size. You - can also configure additional spacing to the cgroups output by - adding the new -z or --spaced option - to the show_threads command. As a result, you can now view the - cgroups output in an improved readable format that is adaptable to - your terminal size. -

-
-

- Bugzilla:2121518 -

-
-

The rteval command output now includes the - program loads and measurement threads information

-

- The rteval command now displays a report summary with the number of - program loads, measurement threads, and the corresponding CPU that ran these threads. This - information helps to evaluate the performance of a real-time kernel under load on specific - hardware platforms. -

-
-

- The rteval report is written to an XML file along with the boot log for - the system and saved to the rteval-<date>-N-tar.bz2 compressed - file. The date specifies the report generation date and N is the counter for the Nth run. -

-

- To generate an rteval report, enter the following command: -

-
# rteval --summarize rteval-<date>-N.tar.bz2
-

- Bugzilla:2082260 -

-
-

The -W and --bucket-width options have been added to the oslat program to measure latency

-

- With this enhancement, you can specify a latency range for a single bucket at nanosecond - accuracy. Widths that are not multiples of 1000 nanoseconds indicate nanosecond precision. By - using the new options, -W or --bucket-width, you can modify the latency interval between buckets - to measure latency within sub-microseconds delay time. -

-
-

- For example to set a latency bucket width of 100 nanoseconds for 32 buckets over a duration of 10 - seconds to run on CPU range of 1-4 and omit zero bucket size, run the following command: -

-
# oslat -b 32 -D 10s -W 100 -z -c 1-4
-

- Note that before using the option, you must determine what level of precision is significant in - relation to the error measurement. -

-

- Bugzilla:2122374 -

-
-

The Ethernet Port Configuration Tool (EPCT) utility support enabled in - E810 with Intel ice driver

-

- With this enhancement, the devlink port split command now supports - the Intel ice driver. The Ethernet Port Configuration Tool (EPCT) is a command line utility that - allows you to change the link type of a device. The devlink - utility, which displays device information and resources of devices, is dependent on EPCT. As a - result of this enhancement, the ice driver implements support for EPCT, which enables you to - list and view the configurable devices using Intel ice drivers. -

-
-

- Bugzilla:2009705 -

-
-

The Intel ice driver rebased to version - 6.0.0

-

- The Intel ice driver has been upgraded to upstream version 6.0.0, - which provides a number of enhancements and bug fixes over previous versions. The notable - enhancements include: -

-
-
-
    -
  • - Point-to-Point Protocol over Ethernet (PPPoE) protocol hardware - offload -
  • -
  • - Inter-Integrated Circuit (I2C) protocol write command -
  • -
  • - VLAN Tag Protocol Identifier (TPID) filters in the Ethernet - switch device driver model (switchdev) -
  • -
  • - Double VLAN tagging in switchdev -
  • -
-
-

- Bugzilla:2103946 -

-
-

Hosting Secure Boot certificates for IBM zSystems

-

- Starting with IBM z16 A02/AGZ and LinuxONE Rockhopper 4 LA2/AGL, you can manage certificates - used to validate Linux kernels when starting the system with Secure Boot enabled on the Hardware - Management Console (HMC). Notably: -

-
-
-
    -
  • - You can load certificates in a system certificate store using the HMC in DPM and classic - mode from an FTP server that can be accessed by the HMC. It is also possible to load - certificates from a USB device attached to the HMC. -
  • -
  • - You can associate certificates stored in the certificate store with an LPAR partition. - Multiple certificates can be associated with a partition and a certificate can be associated - with multiple partitions. -
  • -
  • - You can de-associate certificates in the certificate store from a partition by using HMC - interfaces. -
  • -
  • - You can remove certificates from the certificate store. -
  • -
  • - You can associate up to 20 certificates with a partition. -
  • -
-
-

- The built-in firmware certificates are still available. In particular, as soon as you use the - user-managed certificate store, the built-in certificates will no longer be available. -

-

- Certificate files loaded into the certificate store must meet the following requirements: -

-
-
    -
  • - They have the PEM- or DER-encoded X.509v3 format and one of the following filename - extensions: .pem, .cer, .crt, or .der. -
  • -
  • - They are not expired. -
  • -
  • - The key usage attribute must be Digital Signature. -
  • -
  • - The extended key usage attribute must contain Code - Signing. -
  • -
-
-

- A firmware interface allows a Linux kernel running in a logical partition to load the certificates - associated with this partition. Linux on IBM Z stores these certificates in the .platform keyring, allowing the Linux kernel to verify kexec kernels and third party kernel modules to be verified using - certificates associated with that partition. -

-

- It is the responsibility of the operator to only upload verified certificates and to remove - certificates that have been revoked. -

-
-
Note
-
-

- The Red Hat Secureboot 302 certificate that you need to load - into the HMC is available at Product Signing Keys. -

-
-
-

- Bugzilla:2183445 -

-
-

zipl support for Secure Boot IPL and dump on - 64-bit IBM Z

-

- With this update, the zipl utility supports List-Directed IPL and - List-Directed dump from Extended Count Key Data (ECKD) Direct Access Storage Devices (DASD) on - the 64-bit IBM Z architecture. As a result, Secure Boot for RHEL on IBM Z also works with the - ECKD type of DASDs. -

-
-

- Bugzilla:2043852 -

-
-
-
-
-
-

4.9. High availability and clusters

-
-
-
-
-

New enable-authfile Booth configuration - option

-

- When you create a Booth configuration to use the Booth ticket manager in a cluster - configuration, the pcs booth setup command now enables the new - enable-authfile Booth configuration option by default. You can - enable this option on an existing cluster with the pcs booth enable-authfile command. Additionally, the pcs status and pcs booth status commands - now display warnings when they detect a possible enable-authfile - misconfiguration. -

-
-

- Bugzilla:2132582 -

-
-

pcs can now run the validate-all action of resource and stonith agents

-

- When creating or updating a resource or a STONITH device, you can now specify the --agent-validation option. With this option, pcs uses an agent’s validate-all action, - when it is available, in addition to the validation done by pcs - based on the agent’s metadata. -

-
-

- Bugzilla:1816852, Bugzilla:2159455 -

-
-
-
-
-
-

4.10. Dynamic programming languages, web and database servers

-
-
-
-
-

Python 3.11 available in RHEL 8

-

- RHEL 8.8 introduces Python 3.11, provided by the new package python3.11 and a suite of packages built for it, as well as the ubi8/python-311 container image. -

-
-

- Notable enhancements compared to the previously released Python 3.9 include: -

-
-
    -
  • - Significantly improved performance. -
  • -
  • - Structural Pattern Matching using the new match keyword - (similar to switch in other languages). -
  • -
  • - Improved error messages, for example, indicating unclosed parentheses or brackets. -
  • -
  • - Exact line numbers for debugging and other use cases. -
  • -
  • - Support for defining context managers across multiple lines by enclosing the definitions in - parentheses. -
  • -
  • - Various new features related to type hints and the typing - module, such as the new X | Y type union operator, variadic - generics, and the new Self type. -
  • -
  • - Precise error locations in tracebacks pointing to the expression that caused the error. -
  • -
  • - A new tomllib standard library module which supports parsing - TOML. -
  • -
  • - An ability to raise and handle multiple unrelated exceptions simultaneously using Exception - Groups and the new except* syntax. -
  • -
-
-

- Python 3.11 and packages built for it can be installed in parallel with Python 3.9, Python 3.8, and - Python 3.6 on the same system. -

-

- Note that, unlike the previous versions, Python 3.11 is distributed as standard RPM packages instead - of a module. -

-

- To install packages from the python3.11 stack, use, for example: -

-
# yum install python3.11
-# yum install python3.11-pip
-

- To run the interpreter, use, for example: -

-
$ python3.11
-$ python3.11 -m pip --help
-

- See Installing - and using Python for more information. -

-

- Note that Red Hat will continue to provide support for Python 3.6 until the end of life of RHEL 8. - Similarly to Python 3.9, Python 3.11 will have a shorter life cycle; see Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Bugzilla:2137139 -

-
-

nodejs:18 rebased to version 18.14 with npm rebased to version 9 -

-

- Node.js 18.14, released in RHSA-2023:1583, includes a SemVer - major upgrade of npm from version 8 to version 9. This update was - necessary due to maintenance reasons and may require you to adjust your npm configuration. -

-
-

- Notably, auth-related settings that are not scoped to a specific registry are no longer supported. - This change was made for security reasons. If you used unscoped authentication configurations, the - supplied token was sent to every registry listed in the .npmrc file. -

-

- If you use unscoped authentication tokens, generate and supply registry-scoped tokens in your .npmrc file. -

-

- If you have configuration lines using _auth, such as //registry.npmjs.org/:_auth in your .npmrc - files, replace them with //registry.npmjs.org/:_authToken=${NPM_TOKEN} - and supply the scoped token that you generated. -

-

- For a complete list of changes, see the upstream changelog. -

-

- Bugzilla:2178087 -

-
-

git rebased to version 2.39.1

-

- The Git version control system has been updated to version 2.39.1, - which provides bug fixes, enhancements, and performance improvements over the previously - released version 2.31. -

-
-

- Notable enhancements include: -

-
-
    -
  • - The git log command now supports a format placeholder for the - git describe output: git log --format=%(describe) -
  • -
  • -

    - The git commit command now supports the --fixup<commit> option which enables you to fix the - content of the commit without changing the log message. With this update, you can also - use: -

    -
    -
      -
    • - The --fixup=amend:<commit> option to change - both the message and the content. -
    • -
    • - The --fixup=reword:<commit> option to update - only the commit message. -
    • -
    -
    -
  • -
  • - You can use the new --reject-shallow option with the git clone command to disable cloning from a shallow repository. -
  • -
  • - The git branch command now supports the --recurse-submodules option. -
  • -
  • -

    - You can now use the git merge-tree command to: -

    -
    -
      -
    • - Test if two branches can merge. -
    • -
    • - Compute a tree that would result in the merge commit if the branches were - merged. -
    • -
    -
    -
  • -
  • - You can use the new safe.bareRepository configuration variable - to filter out bare repositories. -
  • -
-
-

- Bugzilla:2139378 -

-
-

git-lfs rebased to version 3.2.0

-

- The Git Large File Storage (LFS) extension has been updated to - version 3.2.0, which provides bug fixes, enhancements, and performance improvements over the - previously released version 2.13. -

-
-

- Notable changes include: -

-
-
    -
  • - Git LFS introduces a pure SSH-based transport protocol. -
  • -
  • - Git LFS now provides a merge driver. -
  • -
  • - The git lfs fsck utility now additionally checks that pointers - are canonical and that expected LFS files have the correct format. -
  • -
  • - Support for the NT LAN Manager (NTLM) authentication protocol has been removed. Use Kerberos - or Basic authentication instead. -
  • -
-
-

- Bugzilla:2139382 -

-
-

A new module stream: nginx:1.22

-

- The nginx 1.22 web and proxy server is now available as the nginx:1.22 module stream. This update provides a number of bug fixes, - security fixes, new features, and enhancements over the previously released version 1.20. -

-
-

- New features: -

-
-
    -
  • -

    - nginx now supports: -

    -
    -
      -
    • - OpenSSL 3.0 and the SSL_sendfile() function when - using OpenSSL 3.0. -
    • -
    • - The PCRE2 library. -
    • -
    • - POP3 and IMAP pipelining in the mail proxy module. -
    • -
    -
    -
  • -
  • - nginx now passes the Auth-SSL-Protocol and Auth-SSL-Cipher header lines to the mail proxy authentication - server. -
  • -
-
-

- Enhanced directives: -

-
-
    -
  • - Multiple new directives are now available, such as ssl_conf_command and ssl_reject_handshake. -
  • -
  • - The proxy_cookie_flags directive now supports variables. -
  • -
  • - nginx now supports variables in the following directives: proxy_ssl_certificate, proxy_ssl_certificate_key, grpc_ssl_certificate, grpc_ssl_certificate_key, uwsgi_ssl_certificate, and uwsgi_ssl_certificate_key. -
  • -
  • - The listen directive in the stream module now supports a new - fastopen parameter, which enables TCP Fast Open mode for listening sockets. -
  • -
  • - A new max_errors directive has been added to the mail proxy module. -
  • -
-
-

- Other changes: -

-
-
    -
  • -

    - nginx now always returns an error if: -

    -
    -
      -
    • - The CONNECT method is used. -
    • -
    • - Both Content-Length and Transfer-Encoding headers are specified in the - request. -
    • -
    • - The request header name contains spaces or control characters. -
    • -
    • - The Host request header line contains spaces or - control characters. -
    • -
    -
    -
  • -
  • - nginx now blocks all HTTP/1.0 requests that include the Transfer-Encoding header. -
  • -
  • - nginx now establishes HTTP/2 connections using the Application - Layer Protocol Negotiation (ALPN) and no longer supports the Next Protocol Negotiation (NPN) - protocol. -
  • -
-
-

- To install the nginx:1.22 stream, use: -

-
# yum module install nginx:1.22
-

- If you want to upgrade from the nginx:1.20 stream, see Switching - to a later stream. -

-

- For more information, see Setting - up and configuring NGINX. -

-

- For information about the length of support for the nginx module - streams, see the Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Bugzilla:2112345 -

-
-

mod_security rebased to version 2.9.6 -

-

- The mod_security module for the Apache HTTP Server has been updated - to version 2.9.6, which provides new features, bug fixes, and security fixes over the previously - available version 2.9.2. -

-
-

- Notable enhancements include: -

-
-
    -
  • - Adjusted parser activation rules in the modsecurity.conf-recommended file. -
  • -
  • - Enhancements to the way mod_security parses HTTP multipart - requests. -
  • -
  • - Added a new MULTIPART_PART_HEADERS collection. -
  • -
  • - Added microsec timestamp resolution to the formatted log timestamp. -
  • -
  • - Added missing Geo Countries. -
  • -
-
-

- Bugzilla:2143207 -

-
-

New packages: tomcat

-

- RHEL 8.8 introduces the Apache Tomcat server version 9. Tomcat is the servlet container that is - used in the official Reference Implementation for the Java Servlet and JavaServer Pages - technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under - the Java Community Process. Tomcat is developed in an open and participatory environment and - released under the Apache Software License version 2.0. -

-
-

- Bugzilla:2160455 -

-
-

A new module stream: postgresql:15 -

-

- RHEL 8.8 introduces PostgreSQL 15, which provides a number of new - features and enhancements over version 13. Notable changes include: -

-
-
-
    -
  • -

    - You can now access PostgreSQL JSON data by using - subscripts. Example query: -

    -
    SELECT ('{ "postgres": { "release": 15 }}'::jsonb)['postgres']['release'];
    -
  • -
  • - PostgreSQL now supports multirange data types and extends the - range_agg function to aggregate multirange data types. -
  • -
  • -

    - PostgreSQL improves monitoring and observability: -

    -
    -
      -
    • - You can now track progress of the COPY commands and - Write-ahead-log (WAL) activity. -
    • -
    • - PostgreSQL now provides statistics on replication - slots. -
    • -
    • - By enabling the compute_query_id parameter, you can - now uniquely track a query through several PostgreSQL features, including pg_stat_activity or EXPLAIN VERBOSE. -
    • -
    -
    -
  • -
  • -

    - PostgreSQL improves support for query parallelism by the - following: -

    -
    -
      -
    • - Improved performance of parallel sequential scans. -
    • -
    • - The ability of SQL Procedural Language (PL/pgSQL) - to execute parallel queries when using the RETURN QUERY command. -
    • -
    • - Enabled parallelism in the REFRESH MATERIALIZED VIEW command. -
    • -
    -
    -
  • -
  • - PostgreSQL now includes the SQL standard MERGE command. You can use MERGE to - write conditional SQL statements that can include the INSERT, - UPDATE, and DELETE actions in a - single statement. -
  • -
  • - PostgreSQL provides the following new functions for using - regular expressions to inspect strings: regexp_count(), regexp_instr(), regexp_like(), and - regexp_substr(). -
  • -
  • - PostgreSQL adds the security_invoker parameter, which you can use to query data with - the permissions of the view caller, not the view creator. This helps you ensure that view - callers have the correct permissions for working with the underlying data. -
  • -
  • - PostgreSQL improves performance, namely in its archiving and - backup facilities. -
  • -
  • - PostgreSQL adds support for the LZ4 and Zstandard (zstd) lossless compression algorithms. -
  • -
  • - PostgreSQL improves its in-memory and on-disk sorting - algorithms. -
  • -
  • - The updated postgresql.service systemd unit file now ensures - that the postgresql service is started after the network is up. -
  • -
-
-

- The following changes are backwards incompatible: -

-
-
    -
  • -

    - The default permissions of the public schema have been modified. Newly created users - need to grant permission explicitly by using the GRANT ALL ON SCHEMA public TO myuser; command. For example: -

    -
    postgres=# CREATE USER mydbuser;
    -postgres=# GRANT ALL ON SCHEMA public TO mydbuser;
    -postgres=# \c postgres mydbuser
    -postgres=$ CREATE TABLE mytable (id int);
    -
  • -
  • - The libpq PQsendQuery() function - is no longer supported in pipeline mode. Modify affected applications to use the PQsendQueryParams() function instead. -
  • -
-
-

- See also Using - PostgreSQL. -

-

- To install the postgresql:15 stream, use: -

-
# yum module install postgresql:15
-

- If you want to upgrade from an earlier postgresql stream within RHEL 8, - follow the procedure described in Switching - to a later stream and then migrate your PostgreSQL data as - described in Migrating - to a RHEL 8 version of PostgreSQL. -

-

- For information about the length of support for the postgresql module - streams, see the Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Bugzilla:2128241 -

-
-
-
-
-
-

4.11. Compilers and development tools

-
-
-
-
-

A new module stream: swig:4.1

-

- RHEL 8.8 introduces the Simplified Wrapper and Interface Generator (SWIG) version 4.1, available - as a new module stream, swig:4.1. -

-
-

- Compared to SWIG 4.0 released in RHEL 8.4, SWIG 4.1: -

-
-
    -
  • - Adds support for Node.js versions 12 to 18 and removes support - for Node.js versions earlier than 6. -
  • -
  • - Adds support for PHP 8. -
  • -
  • - Handles PHP wrapping entirely through PHP C API and no longer generates a .php wrapper by default. -
  • -
  • - Supports only Perl 5.8.0 and later versions. -
  • -
  • - Adds support for Python versions 3.9 to 3.11. -
  • -
  • - Supports only Python 3.3 and later Python 3 versions, and Python 2.7. -
  • -
  • - Provides fixes for various memory leaks in Python-generated - code. -
  • -
  • - Improves support for the C99, C++11, C++14, and C++17 standards and starts implementing the - C++20 standard. -
  • -
  • - Adds support for the C++ std::unique_ptr pointer class. -
  • -
  • - Includes several minor improvements in C++ template handling. -
  • -
  • - Fixes C++ declaration usage in various cases. -
  • -
-
-

- To install the swig:4.1 module stream, use: -

-
# yum module install swig:4.1
-

- If you want to upgrade from an earlier swig module stream, see Switching - to a later stream. -

-

- For information about the length of support for the swig module - streams, see the Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Bugzilla:2139076 -

-
-

A new module stream: jaxb:4

-

- RHEL 8.8 introduces Jakarta XML Binding (JAXB) 4 as the new jaxb:4 - module stream. JAXB is a framework that enables developers to map Java classes to and from XML - representations. -

-
-

- To install the jaxb:4 module stream, use: -

-
# yum module install jaxb:4
-

- Bugzilla:2055539 -

-
-

Updated GCC Toolset 12

-

- GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is - available as an Application Stream in the form of a Software Collection in the AppStream repository. -

-
-

- Notable changes introduced in RHEL 8.8 include: -

-
-
    -
  • - The GCC compiler has been updated to version 12.2.1, which provides many bug fixes and - enhancements that are available in upstream GCC. -
  • -
  • - annobin has been updated to version 11.08. -
  • -
-
-

- The following tools and versions are provided by GCC Toolset 12: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 12.2.1 -

-
-

- GDB -

-
-

- 11.2 -

-
-

- binutils -

-
-

- 2.38 -

-
-

- dwz -

-
-

- 0.14 -

-
-

- annobin -

-
-

- 11.08 -

-
-
-

- To install GCC Toolset 12, run the following command as root: -

-
# yum install gcc-toolset-12
-

- To run a tool from GCC Toolset 12: -

-
$ scl enable gcc-toolset-12 tool
-

- To run a shell session where tool versions from GCC Toolset 12 override system versions of these - tools: -

-
$ scl enable gcc-toolset-12 bash
-

- For more information, see GCC - Toolset 12. -

-

- Bugzilla:2110582 -

-
-

Security improvements added for glibc -

-

- The SafeLinking feature has been added to glibc. As a result, it improves protection for the malloc family of functions against certain single-linked list - corruption including the allocator’s thread-local cache. -

-
-

- Bugzilla:1871383 -

-
-

Improved glibc dynamic loader - algorithm

-

- The glibc dynamic loader’s O(n3) algorithm for - processing shared objects could result in slower application startup and shutdown times when - shared object dependencies are deeply nested. With this update, the dynamic loader’s algorithm - has been improved to use a depth-first search (DFS). As a result, application startup and - shutdown times are greatly improved in cases where shared object dependencies are deeply nested. -

-
-

- You can select the dynamic loader’s O(n3) algorithm by using the glibc runtime tunable glibc.rtld.dynamic_sort. The default value of the tunable is 2, - representing the new DFS algorithm. To select the previous O(n3) algorithm for - compatibility, set the tunable to 1: -

-
# GLIBC_TUNABLES=glibc.rtld.dynamic_sort=1
-# export GLIBC_TUNABLES
-

- Bugzilla:1159809 -

-
-

LLVM Toolset rebased to version 15.0.7

-

- LLVM Toolset has been updated to version 15.0.7. Notable changes include: -

-
-
-
    -
  • - The -Wimplicit-function-declaration and -Wimplicit-int warnings are enabled by default in C99 and newer. - These warnings will become errors by default in Clang 16 and beyond. -
  • -
-
-

- Bugzilla:2118568 -

-
-

Rust Toolset rebased to version 1.66.1

-

- Rust Toolset has been updated to version 1.66.1. Notable changes include: -

-
-
-
    -
  • - The thread::scope API creates a lexical scope in which local - variables can be safely borrowed by newly spawned threads, and those threads are all - guaranteed to exit before the scope ends. -
  • -
  • - The hint::black_box API adds a barrier to compiler - optimization, which is useful for preserving behavior in benchmarks that might otherwise be - optimized away. -
  • -
  • - The .await keyword now makes conversions with the IntoFuture trait, similar to the relationship between for and IntoIterator. -
  • -
  • - Generic associated types (GATs) allow traits to include type aliases with generic - parameters, enabling new abstractions over both types and lifetimes. -
  • -
  • - A new let-else statement allows - binding local variables with conditional pattern matching, executing a divergent else block when the pattern does not match. -
  • -
  • - Labeled blocks allow break statements to jump to the end of the - block, optionally including an expression value. -
  • -
  • - rust-analyzer is a new implementation of the Language Server - Protocol, enabling Rust support in many editors. This replaces the former rls package, but you might need to adjust your editor - configuration to migrate to rust-analyzer . -
  • -
  • - Cargo has a new cargo remove subcommand for removing - dependencies from Cargo.toml. -
  • -
-
-

- Bugzilla:2123899 -

-
-

Go Toolset rebased to version 1.19.4

-

- Go Toolset has been updated to version 1.19.4. Notable changes include: -

-
-
-
    -
  • -

    - Security fixes to the following packages: -

    -
    -
      -
    • - crypto/tls -
    • -
    • - mime/multipart -
    • -
    • - net/http -
    • -
    • - path/filepath -
    • -
    -
    -
  • -
  • -

    - Bug fixes to: -

    -
    -
      -
    • - The go command -
    • -
    • - The linker -
    • -
    • - The runtime -
    • -
    • - The crypto/x509 package -
    • -
    • - The net/http package -
    • -
    • - The time package -
    • -
    -
    -
  • -
-
-

- Bugzilla:2174430 -

-
-

The tzdata package now includes the /usr/share/zoneinfo/leap-seconds.list file

-

- Previously, the tzdata package only shipped the /usr/share/zoneinfo/leapseconds file. Some applications rely on the - alternate format provided by the /usr/share/zoneinfo/leap-seconds.list file and, as a consequence, - would experience errors. -

-
-

- With this update, the tzdata package now includes both files, - supporting applications that rely on either format. -

-

- Bugzilla:2154109 -

-
-
-
-
-
-

4.12. Identity Management

-
-
-
-
-

SSSD support for converting home directories to lowercase

-

- With this enhancement, you can now configure SSSD to convert user home directories to lowercase. - This helps to integrate better with the case-sensitive nature of the RHEL environment. The override_homedir option in the [nss] - section of the /etc/sssd/sssd.conf file now recognizes the %h template value. If you use %h as part - of the override_homedir definition, SSSD replaces %h with the user’s home directory in lowercase. -

-
-

- Jira:RHELPLAN-139430 -

-
-

The ipapwpolicy ansible-freeipa module now supports new password policy - options

-

- With this update, the ipapwpolicy module included in the ansible-freeipa package supports additional libpwquality library options: -

-
-
-
-
maxrepeat
-
- Specifies the maximum number of the same character in sequence. -
-
maxsequence
-
- Specifies the maximum length of monotonic character sequences (abcd). -
-
dictcheck
-
- Checks if the password is a dictionary word. -
-
usercheck
-
- Checks if the password contains the username. -
-
-
-

- If any of the new password policy options are set, the minimum length of passwords is 6 characters. - The new password policy settings are applied only to new passwords. -

-

- In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced - only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM - client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password - policy requirements set by the system administrator do not apply. To ensure consistent behavior, - upgrade all servers to RHEL 8.4 and later. -

-

- Jira:RHELPLAN-137416 -

-
-

IdM now supports the ipanetgroup Ansible - management module

-

- As an Identity Management (IdM) system administrator, you can integrate IdM with NIS domains and - netgroups. Using the ipanetgroup ansible-freeipa module, you can achieve the following: -

-
-
-
    -
  • - You can ensure that an existing IdM netgroup contains specific IdM users, groups, hosts and - host groups and nested IdM netgroups. -
  • -
  • - You can ensure that specific IdM users, groups, hosts and host groups and nested IdM - netgroups are absent from an existing IdM netgroup. -
  • -
  • - You can ensure that a specific netgroup is present or absent in IdM. -
  • -
-
-

- Jira:RHELPLAN-137411 -

-
-

New ipaclient_configure_dns_resolver and ipaclient_dns_servers Ansible ipaclient role variables specifying the client’s DNS - resolver  

-

- Previously, when using the ansible-freeipa ipaclient role to install an Identity Management (IdM) client, it was - not possible to specify the DNS resolver during the installation process. You had to configure - the DNS resolver before the installation.    -

-
-

- With this enhancement, you can specify the DNS resolver when using the ipaclient role to install an IdM client with the ipaclient_configure_dns_resolver and ipaclient_dns_servers variables. Consequently, the ipaclient role modifies the resolv.conf file - and the NetworkManager and systemd-resolved utilities to configure the DNS resolver on the client in - a similar way that the ansible-freeipa ipaserver role does on the IdM server. As a result, configuring DNS when - using the ipaclient role to install an IdM client is now more - efficient. -

-
-
Note
-
-

- Using the ipa-client-install command-line installer to install - an IdM client still requires configuring the DNS resolver before the installation. -

-
-
-

- Jira:RHELPLAN-137406 -

-
-

Using the ipaclient role to install an IdM - client with an OTP requires no prior modification of the Ansible controller

-

- Previously, the kinit command on the Ansible controller was a - prerequisite for obtaining a one-time-password (OTP) for Identity Management (IdM) client - deployment. The need to obtain the OTP on the controller was a problem for Red Hat Ansible - Automation Platform (AAP), where the krb5-workstation package was - not installed by default. -

-
-

- With this update, the request for the administrator’s TGT is now delegated to the first specified or - discovered IdM server. As a result, you can now use an OTP to authorize the installation of an IdM - client with no additional modification of the Ansible controller. This simplifies using the ipaclient role with AAP. -

-

- Jira:RHELPLAN-137403 -

-
-

SSSD now supports changing LDAP user passwords with the shadow password policy

-

- With this enhancement, if you set ldap_pwd_policy to shadow in the /etc/sssd/sssd.conf file, - LDAP users can now change their password stored in LDAP. Previously, password changes were - rejected if ldap_pwd_policy was set to shadow as it was not clear if the corresponding shadow LDAP attributes were being updated. -

-
-

- Additionally, if the LDAP server cannot update the shadow attributes - automatically, set the ldap_chpass_update_last_change option to True in the /etc/sssd/sssd.conf file to - indicate to SSSD to update the attribute. -

-

- Bugzilla:2144519 -

-
-

Configure pam_pwhistory using a configuration - file

-

- With this update, you can configure the pam_pwhistory module in the - /etc/security/pwhistory.conf configuration file. The pam_pwhistory module saves the last password for each user in order - to manage password change history. Support has also been added in authselect which allows you to add the pam_pwhistory module to the PAM stack. -

-
-

- Bugzilla:2068461, Bugzilla:2063379 -

-
-

getcert add-scep-ca now checks if - user-provided SCEP CA certificates are in a valid PEM format

-

- To add a SCEP CA to certmonger using the getcert add-scep-ca command, the provided certificate must be in a - valid PEM format. Previously, the command did not check the user-provided certificate and did - not return an error in case of an incorrect format. With this update, getcert add-scep-ca now checks the user-provided certificate and - returns an error if the certificate is not in the valid PEM format. -

-
-

- Bugzilla:2150025 -

-
-

IdM now supports new Active Directory certificate mapping - templates

-

- Active Directory (AD) domain administrators can manually map certificates to a user in AD using - the altSecurityIdentities attribute. There are six supported values - for this attribute, though three mappings are now considered insecure. As part of May - 10,2022 security update, once this update is installed on a domain controller, all - devices are in compatibility mode. If a certificate is weakly mapped to a user, authentication - occurs as expected but a warning message is logged identifying the certificates that are not - compatible with full enforcement mode. As of November 14, 2023 or later, all devices will be - updated to full enforcement mode and if a certificate fails the strong mapping criteria, - authentication will be denied. -

-
-

- IdM now supports the new mapping templates, making it easier for an AD administrator to use the new - rules and not maintain both. IdM now supports the following new mapping templates : -

-
-
    -
  • - Serial Number: LDAPU1:(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<SR>{serial_number!hex_ur}) -
  • -
  • - Subject Key Id: LDAPU1:(altSecurityIdentities=X509:<SKI>{subject_key_id!hex_u}) -
  • -
  • - User SID: LDAPU1:(objectsid={sid}) -
  • -
-
-

- If you do not want to reissue certificates with the new SID extension, you can create a manual - mapping by adding the appropriate mapping string to a user’s altSecurityIdentities attribute in AD. -

-

- Bugzilla:2087247 -

-
-

samba rebased to version 4.17.5

-

- The samba packages have been upgraded to upstream version 4.17.5, - which provides bug fixes and enhancements over the previous version. The most notable changes: -

-
-
-
    -
  • - Security improvements in previous releases impacted the performance of the Server Message - Block (SMB) server for high meta data workloads. This update improves he performance in this - scenario. -
  • -
  • - The --json option was added to the smbstatus utility to display detailed status information in JSON - format. -
  • -
  • - The samba.smb.conf and samba.samba3.smb.conf modules have been added to the smbconf Python API. You can use them in Python programs to read - and, optionally, write the Samba configuration natively. -
  • -
-
-

- Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will - be removed in a future release. -

-

- Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba - automatically updates its tdb database files. Red Hat does not support - downgrading tdb database files. -

-

- After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file. -

-

- For further information about notable changes, read the upstream release notes before - updating. -

-

- Bugzilla:2132051 -

-
-

ipa-client-install now supports authentication - with PKINIT

-

- Previously, the ipa-client-install supported only password based - authentication. This update provides support to ipa-client-install - for authentication with PKINIT. -

-
-

- For example: -

-
ipa-client-install --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem --pkinit-anchor=FILE:/path/to/cacerts.pem
-

- To use the PKINIT authentication, you must establish trust between IdM and the CA chain of the - PKINIT certificate. For more information see the ipa-cacert-manage(1) - man page. Also, the certificate identity mapping rules must map the PKINIT certificate of the host - to a principal that has permission to add or modify a host record. For more information see the - ipa certmaprule-add man page. -

-

- Bugzilla:2075452 -

-
-

Directory server now supports ECDSA private keys for TLS

-

- Previously, you could not use cryptographic algorithms that are stronger than RSA to secure - Directory Server connections. With this enhancement, Directory Server now supports both ECDSA - and RSA keys. -

-
-

- Bugzilla:2096795 -

-
-

New pamModuleIsThreadSafe configuration option - is now available

-

- When a PAM module is thread-safe, you can improve the PAM authentication throughput and response - time of that specific module, by setting the new pamModuleIsThreadSafe configuration option to yes: -

-
-
`pamModuleIsThreadSafe: yes`
-

- This configuration applies on the PAM module configuration entry (child of cn=PAM Pass Through Auth,cn=plugins,cn=config). -

-

- Use pamModuleIsThreadSafe option in the dse.ldif configuration file or the ldapmodify command. Note that the ldapmodify - command requires you to restart the server. -

-

- Bugzilla:2142639 -

-
-

New nsslapd-auditlog-display-attrs - configuration parameter for the Directory Server audit log

-

- Previously, the distinguished name (DN) was the only way to identify the target entry in the - audit log event. With the new nsslapd-auditlog-display-attrs - parameter, you can configure Directory Server to display additional attributes in the audit log, - providing more details about the modified entry.. -

-
-

- For example, if you set the nsslapd-auditlog-display-attrs parameter to - cn, the audit log displays the entry cn - attribute in the output. To include all attributes of a modified entry, use an asterisk (*) as the parameter value. -

-

- For more information, see nsslapd-auditlog-display-attrs. -

-

- Bugzilla:2136610 -

-
-
-
-
-
-

4.13. Desktop

-
-
-
-
-

The inkscape1 package replaces inkscape

-

- With this release, the new, non-modular inkscape1 package replaces - the legacy, modular inkscape package. This also upgrades the - Inkscape application from version 0.92 to version 1.0. -

-
-

- Inkscape 1.0 no longer depends on the Python 2 runtime and instead uses Python 3. -

-

- For the complete list of changes in Inkscape 1.0, see the upstream release notes: https://inkscape.org/release/inkscape-1.0/. -

-

- Jira:RHELPLAN-121672 -

-
-

Kiosk mode supports an on-screen keyboard

-

- You can now use the GNOME on-screen keyboard (OSK) in the kiosk mode session. -

-
-

- To enable the OSK, select the Kiosk (with on-screen - keyboard) option from the gear menu at the login screen. -

-

- Note that kiosk mode in RHEL 8 is based on the X11 protocol, which causes certain known issues with - the OSK. Notably, you cannot type accented characters, such as é or - ü, on the OSK. See BZ#1916470 for details. -

-

- Bugzilla:2070976 -

-
-

Support for NTLMv2 in libsoup and Evolution

-

- The libsoup library can now authenticate with the Microsoft - Exchange Server using the NT LAN Manager version 2 (NTLMv2) protocol. Previously, libsoup supported only the NTLMv1 protocol, which might be disabled - in certain configurations due to security issues. -

-
-

- As a result, Evolution and other applications that internally use libsoup can also authenticate with the Microsoft Exchange Server using - NTLMv2. -

-

- Bugzilla:1938011 -

-
-

Custom right-click menu on the desktop

-

- You can now customize the menu that opens when you right-click the desktop background. You can - create custom entries in the menu that run arbitrary commands. -

-
-

- To customize the menu, see Customizing the right-click menu on the - desktop. -

-

- Bugzilla:2033572 -

-
-

Disable swipe to switch workspaces

-

- Previously, swiping up or down with three fingers always switched the workspace on a touch - screen. With this release, you can disable the workspace switching. -

-
-

- For details, see Disabling swipe - to switch workspaces. -

-

- Bugzilla:2138109 -

-
-
-
-
-
-

4.14. The web console

-
-
-
-
-

The web console now performs additional steps for binding LUKS-encrypted - root volumes to NBDE

-

- With this update, the RHEL web console performs additional steps required for binding - LUKS-encrypted root volumes to Network-Bound Disk Encryption (NBDE) deployments. After you - select an encrypted root file system and a Tang server, you can skip adding the rd.neednet=1 parameter to the kernel command line, installing the - clevis-dracut package, and regenerating an initial ramdisk (initrd). For non-root file systems, the web console now enables the - remote-cryptsetup.target and clevis-luks-akspass.path systemd units, - installs the clevis-systemd package, and adds the _netdev parameter to the fstab and crypttab configuration files. As a result, you can now use the - graphical interface for all Clevis-client configuration steps when creating NBDE deployments for - automated unlocking of LUKS-encrypted root volumes. -

-
-

- Jira:RHELPLAN-139125 -

-
-

Certain cryptographic subpolicies are now available in the web - console

-

- This update of the RHEL web console extends the options in the Change crypto policy dialog. Besides the four system-wide - cryptographic policies, you can also apply the following subpolicies through the graphical - interface now: -

-
-
-
    -
  • - DEFAULT:SHA1 is the DEFAULT policy - with the SHA-1 algorithm enabled. -
  • -
  • - LEGACY:AD-SUPPORT is the LEGACY - policy with less secure settings that improve interoperability for Active Directory - services. -
  • -
  • - FIPS:OSPP is the FIPS policy with - further restrictions inspired by the Common Criteria for Information Technology Security - Evaluation standard. -
  • -
-
-

- Jira:RHELPLAN-137505 -

-
-
-
-
-
-

4.15. Red Hat Enterprise Linux system roles

-
-
-
-
-

New IPsec customization parameters for the vpn - RHEL system role

-

- Because certain network devices require IPsec customization to work correctly, the following - parameters have been added to the vpn RHEL system role: -

-
-
-
Important
-
-

- Do not change the following parameters without advanced knowledge. Most scenarios do not - require their customization. -

-

- Furthermore, for security reasons, encrypt a value of the shared_key_content parameter by using Ansible Vault. -

-
-
-
-
    -
  • -

    - Tunnel parameters: -

    -
    -
      -
    • - shared_key_content -
    • -
    • - ike -
    • -
    • - esp -
    • -
    • - ikelifetime -
    • -
    • - salifetime -
    • -
    • - retransmit_timeout -
    • -
    • - dpddelay -
    • -
    • - dpdtimeout -
    • -
    • - dpdaction -
    • -
    • - leftupdown -
    • -
    -
    -
  • -
  • - Per-host parameters: -
  • -
  • - leftid -
  • -
  • - rightid -
  • -
-
-

- As a result, you can use the vpn role to configure IPsec connectivity - to a wide range of network devices. -

-

- Bugzilla:2119600 -

-
-

The ha_cluster system role now supports - automated execution of the firewall, selinux, and certificate system - roles

-

- The ha_cluster RHEL system role now supports the following features: -

-
-
-
-
Using the firewall and selinux system roles to manage port access
-
- To configure the ports of a cluster to run the firewalld and - selinux services, you can set the new role variables ha_cluster_manage_firewall and ha_cluster_manage_selinux to true. - This configures the cluster to use the firewall and selinux system roles, automating and performing these operations - within the ha_cluster system role. If these variables are set - to their default value of false, the roles are not performed. - With this release, the firewall is no longer configured by default, because it is configured - only when ha_cluster_manage_firewall is set to true. -
-
Using the certificate system role to create - a pcsd private key and certificate pair
-
- The ha_cluster system role now supports the ha_cluster_pcsd_certificates role variable. Setting this variable - passes on its value to the certificate_requests variable of the - certificate system role. This provides an alternative method - for creating the private key and certificate pair for pcsd. -
-
-
-

- Bugzilla:2130019 -

-
-

The ha_cluster system role now supports quorum - device configuration

-

- A quorum device acts as a third-party arbitration device for a cluster. A quorum device is - recommended for clusters with an even number of nodes. With two-node clusters, the use of a - quorum device can better determine which node survives in a split-brain situation. You can now - configure a quorum device with the ha_cluster system role, both - qdevice for a cluster and qnetd for an - arbitration node. -

-
-

- Bugzilla:2143814 -

-
-

The metrics system role does not work with - disabled fact gathering

-

- Ansible fact gathering might be disabled in your environment for performance or other reasons. - In such configurations, it is not currently possible to use the metrics system role. To work around this problem, enable fact - caching, or do not use the metrics system role if it is not - possible to use fact gathering. -

-
-

- Bugzilla:2079009 -

-
-

The postfix RHEL system role can now use the - firewall and selinux RHEL system - roles to manage port access

-

- With this enhancement, you can automate managing port access by using the new role variables - postfix_manage_firewall and postfix_manage_selinux: -

-
-
-
    -
  • - If they are set to true, each role is used to manage the port - access. -
  • -
  • - If they are set to false, which is default, the roles do not - engage. -
  • -
-
-

- Bugzilla:2130332 -

-
-

The vpn RHEL system role can now use the firewall and selinux roles to manage - port access

-

- With this enhancement, you can automate managing port access in the vpn RHEL system role through the firewall and selinux roles. If you set - the new role variables vpn_manage_firewall and vpn_manage_selinux to true, the roles - manage port access. -

-
-

- Bugzilla:2130345 -

-
-

The metrics RHEL system role now can use the - firewall role and the selinux role - to manage port access

-

- With this enhancement, you can control access to ports. If you set the new role variables metrics_manage_firewall and metrics_manage_firewall to true, the - roles will manage port access. You can now automate and perform these operations directly by - using the metrics role. -

-
-

- Bugzilla:2133532 -

-
-

The nbde_server RHEL system role now can use - the firewall and selinux roles to - manage port access

-

- With this enhancement, you can use the firewall and selinux roles to manage ports access. If you set the new role - variables nbde_server_manage_firewall and nbde_server_manage_selinux to true, the - roles manage port access. You can now automate these operations directly by using the nbde_server role. -

-
-

- Bugzilla:2133931 -

-
-

The initscripts network provider supports - route metric configuration of the default gateway

-

- With this update, you can use the initscripts network provider in - the rhel-system-roles.network RHEL system role to configure the - route metric of the default gateway. -

-
-

- The reasons for such a configuration could be: -

-
-
    -
  • - Distributing the traffic load across the different paths -
  • -
  • - Specifying primary routes and backup routes -
  • -
  • - Leveraging routing policies to send traffic to specific destinations through specific paths -
  • -
-
-

- Bugzilla:2134201 -

-
-

The network system role supports setting a DNS - priority value

-

- This enhancement adds the dns_priority parameter to the RHEL network system role. You can set this parameter to a value from -2147483648 to 2147483647. The default - value is 0. Lower values have a higher priority. Note that negative - values cause the system role to exclude other configurations with a greater numeric priority - value. Consequently, in presence of at least one negative priority value, the system role uses - only DNS servers from connection profiles with the lowest priority value. -

-
-

- As a result, you can use the network system role to define the order of - DNS servers in different connection profiles. -

-

- Bugzilla:2133856 -

-
-

Added support for the cloned MAC address

-

- Cloned MAC address is the MAC address of the device WAN port which is the same as the MAC - address of the machine. With this update, users can specify the bonding or bridge interface with - the MAC address or the strategy such as random or preserve to get the default MAC address for the bonding or bridge - interface. -

-
-

- Bugzilla:2143458 -

-
-

The cockpit RHEL system role integration with - the firewall, selinux, and certificate roles

-

- This enhancement enables you to integrate the cockpit role with the - firewall role and the selinux role to - manage port access and the certificate role to generate - certificates. -

-
-

- To control the port access, use the new cockpit_manage_firewall and - cockpit_manage_selinux variables. Both variables are set to false by default and are not executed. Set them to true to allow the firewall and selinux roles to manage the RHEL web console service port access. The - operations will then be executed within the cockpit role. -

-

- Note that you are responsible for managing port access for firewall and SELinux. -

-

- To generate certificates, use the new cockpit_certificates variable. - The variable is set to false by default and is not executed. You can - use this variable the same way you would use the certificate_request - variable in the certificate role. The cockpit role will then use the certificate - role to manage the RHEL web console certificates. -

-

- Bugzilla:2137667 -

-
-

The selinux RHEL system role now supports the - local parameter

-

- This update of the selinux RHEL system role introduces support for - the local parameter. By using this parameter, you can remove only - your local policy modifications and preserve the built-in SELinux policy. -

-
-

- Bugzilla:2143385 -

-
-

New RHEL system role for direct integration with Active Directory -

-

- The new rhel-system-roles.ad_integration RHEL system role was added - to the rhel-system-roles package. As a result, administrators can - now automate direct integration of a RHEL system with an Active Directory domain. -

-
-

- Bugzilla:2144876 -

-
-

New Ansible Role for Red Hat Insights and subscription management -

-

- The rhel-system-roles package now includes the remote host - configuration (rhc) system role. This role enables administrators - to easily register RHEL systems to Red Hat Subscription Management (RHSM) and Satellite servers. - By default, when you register a system by using the rhc system - role, the system connects to Red Hat Insights. With the new rhc - system role, administrators can now automate the following tasks on the managed nodes: -

-
-
-
    -
  • - Configure the connection to Red Hat Insights, including automatic update, remediations, and - tags for the system. -
  • -
  • - Enable and disable repositories. -
  • -
  • - Configure the proxy to use for the connection. -
  • -
  • - Set the release of the system. -
  • -
-
-

- For more information about how to automate these tasks, see Using - the RHC system role to register the system. -

-

- Bugzilla:2144877 -

-
-

Microsoft SQL Server Ansible role supports asynchronous high availability - replicas

-

- Previously, Microsoft SQL Server Ansible role supported only primary, synchronous, and witness - high availability replicas. Now, you can set the mssql_ha_replica_type variable to asynchronous to configure it with asynchronous replica type for a new - or existing replica. -

-
-

- Bugzilla:2144820 -

-
-

Microsoft SQL Server Ansible role supports the read-scale cluster - type

-

- Previously, Microsoft SQL Ansible role supported only the external cluster type. Now, you can - configure the role with a new variable mssql_ha_ag_cluster_type. - The default value is external, use it to configure the cluster with - Pacemaker. To configure the cluster without Pacemaker, use the value none for that variable. -

-
-

- Bugzilla:2144821 -

-
-

Microsoft SQL Server Ansible role can generate TLS certificates -

-

- Previously, you needed to generate a TLS certificate and a private key on the nodes manually - before configuring the Microsoft SQL Ansible role. With this update, the Microsoft SQL Server - Ansible role can use the redhat.rhel_system_roles.certificate role - for that purpose. Now, you can set the mssql_tls_certificates - variable in the format of the certificate_requests variable of the - certificate role to generate a TLS certificate and a private key on - the node. -

-
-

- Bugzilla:2144852 -

-
-

Microsoft SQL Server Ansible role supports configuring SQL Server version - 2022

-

- Previously, Microsoft SQL Ansible role supported only configuring SQL Server version 2017 and - version 2019. This update provides you with the support for SQL Server version 2022 for - Microsoft SQL Ansible role. Now, you can set mssql_version value to - 2022 for configuring a new SQL Server 2022 or upgrading SQL Server - from version 2019 to version 2022. Note that upgrade of an SQL Server from version 2017 to - version 2022 is unavailable. -

-
-

- Bugzilla:2153428 -

-
-

Microsoft SQL Server Ansible role supports configuration of the Active - Directory authentication

-

- With this update, the Microsoft SQL Ansible role supports configuration of the Active Directory - authentication for an SQL Server. Now, you can configure the Active Directory authentication by - setting variables with the mssql_ad_ prefix. -

-
-

- Bugzilla:2163696 -

-
-

The logging RHEL system role integration with - the firewall, selinux, and certificate roles

-

- This enhancement enables you to integrate the logging role with the - firewall role and the selinux role to - manage port access and the certificate role to generate - certificates. -

-
-

- To control the port access, use the new logging_manage_firewall and - logging_manage_selinux variables. Both variables are set to false by default and are not executed. Set them to true to execute the roles within the logging - role. -

-

- Note that you are responsible for managing port access for firewall and SELinux. -

-

- To generate certificates, use the new logging_certificates variable. - The variable is set to false by default and the certificate role is not executed. You can use this variable the same way - you would use the certificate_request variable in the certificate role. The logging role will then - use the certificate role to manage the certificates. -

-

- Bugzilla:2130362 -

-
-

Routing rule is able to look up a route table by its name

-

- With this update, the rhel-system-roles.network RHEL system role - supports looking up a route table by its name when you define a routing rule. This feature - provides quick navigation for complex network configurations where you need to have different - routing rules for different network segments. -

-
-

- Bugzilla:2129620 -

-
-

Microsoft SQL Server Ansible role supports configuring SQL Server version - 2022

-

- Previously, Microsoft SQL Ansible role supported only configuring SQL Server version 2017 and - version 2019. This update provides you with the support for SQL Server version 2022 for - Microsoft SQL Ansible role. Now, you can set mssql_version value to - 2022 for configuring a new SQL Server 2022 or upgrading SQL Server - from version 2019 to version 2022. Note that upgrade of an SQL Server from version 2017 to - version 2022 is unavailable. -

-
-

- Bugzilla:2153427 -

-
-

The journald RHEL system role is now - available

-

- The journald service collects and stores log data in a centralized - database. With this enhancement, you can use the journald system - role variables to automate the configuration of the systemd - journal, and configure persistent logging by using the Red Hat Ansible Automation Platform. -

-
-

- Bugzilla:2165176 -

-
-

The sshd RHEL system role can now use the - firewall and selinux RHEL system - roles to manage port access

-

- With this enhancement, you can automate managing port access by using the new role variables - sshd_manage_firewall and sshd_manage_selinux. If they are set to true, each role is used to manage the port access. If they are set to - false, which is default, the roles do not engage. -

-
-

- Bugzilla:2149683 -

-
-
-
-
-
-

4.16. Virtualization

-
-
-
-
-

Hardware cryptographic devices can now be automatically - hot-plugged

-

- Previously, it was only possible to define cryptographic devices for passthrough if they were - present on the host before the mediated device was started. Now, you can define a mediated - device matrix that lists all the cryptographic devices that you want to pass through to your - virtual machine (VM). As a result, the specified cryptographic devices are automatically passed - through to the running VM if they become available later. Also, if the devices become - unavailable, they are removed from the VM, but the guest operating system keeps running - normally. -

-
-

- Bugzilla:1660908 -

-
-

Improved performance for PCI passthrough devices on IBM Z

-

- With this update, the PCI passthrough implementation on IBM Z hardware has been enhanced through - multiple improvements to I/O handling. As a result, PCI devices passed through to KVM virtual - machines (VMs) on IBM Z hosts now have significantly better performance. -

-
-

- In addition, ISM devices can now be assigned to VMs on IBM Z hosts. -

-

- Bugzilla:1664379 -

-
-

RHEL 8 guests now support SEV-SNP

-

- On virtual machines (VMs) that use RHEL 8 as a guest operating system, you can now use AMD - Secure Encrypted Virtualization (SEV) with the Secure Nested Paging (SNP) feature. Among other - benefits, SNP enhances SEV by improving its memory integrity protection, which helps prevent - hypervisor-based attacks such as data replay or memory re-mapping. Note that for SEV-SNP to work - on a RHEL 8 VM, the host running the VM must support SEV-SNP as well. -

-
-

- Bugzilla:2087262 -

-
-

zPCI device assignment

-

- It is now possible to attach zPCI devices as pass-through devices to virtual machines (VMs) - hosted on RHEL running on IBM Z hardware. For example, thís enables the use of NVMe flash drives - in VMs. -

-
-

- Jira:RHELPLAN-59528 -

-
-
-
-
-
-

4.17. Supportability

-
-
-
-
-

The sos utility is moving to a 4-week update - cadence

-

- Instead of releasing sos updates with RHEL minor releases, the - sos utility release cadence is changing from 6 months to 4 weeks. - You can find details about the updates for the sos package in the - RPM changelog every 4 weeks or you can read a summary of sos - updates in the RHEL Release Notes every 6 months. -

-
-

- Bugzilla:2164987 -

-
-

The sos clean command now obfuscates IPv6 - addresses

-

- Previously, the sos clean command did not obfuscate IPv6 addresses, - leaving some customer-sensitive data in the collected sos report. - With this update, sos clean detects and obfuscates IPv6 addresses - as expected. -

-
-

- Bugzilla:2134906 -

-
-
-
-
-
-

4.18. Containers

-
-
-
-
-

New podman RHEL System Role is now - available

-

- Beginning with Podman 4.2, you can use the podman System Role to - manage Podman configuration, containers, and systemd services that - run Podman containers. -

-
-

- Jira:RHELPLAN-118698 -

-
-

Podman now supports events for auditing

-

- Beginning with Podman v4.4, you can gather all relevant information about a container directly - from a single event and journald entry. To enable Podman auditing, - modify the container.conf configuration file and add the events_container_create_inspect_data=true option to the [engine] section. The data is in JSON format, the same as from the - podman container inspect command. For more information, see How to - use new container events and auditing features in Podman 4.4. -

-
-

- Jira:RHELPLAN-136601 -

-
-

The Container Tools packages have been updated

-

- The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc - tools, are now available. This update applies a series of bug fixes and enhancements over the - previous version. -

-
-

- Notable changes in Podman v4.4 include: -

-
-
    -
  • - Introduce Quadlet, a new systemd-generator that easily creates and maintains systemd - services using Podman. -
  • -
  • - A new command, podman network update, has been added, which - updates networks for containers and pods. -
  • -
  • - A new command, podman buildx version, has been added, which - shows the buildah version. -
  • -
  • - Containers can now have startup healthchecks, allowing a command to be run to ensure the - container is fully started before the regular healthcheck is activated. -
  • -
  • - Support a custom DNS server selection using the podman --dns - command. -
  • -
  • - Creating and verifying sigstore signatures using Fulcio and Rekor is now available. -
  • -
  • - Improved compatibility with Docker (new options and aliases). -
  • -
  • - Improved Podman’s Kubernetes integration - the commands podman kube generate and podman kube play are now available and replace the podman generate kube and podman play kube commands. The podman generate kube and podman play kube commands are still available but it is - recommended to use the new podman kube commands. -
  • -
  • - Systemd-managed pods created by the podman kube play command - now integrate with sd-notify, using the io.containers.sdnotify - annotation (or io.containers.sdnotify/$name for specific - containers). -
  • -
  • - Systemd-managed pods created by podman kube play can now be - auto-updated, using the io.containers.auto-update annotation - (or io.containers.auto-update/$name for specific containers). -
  • -
-
-

- Podman has been upgraded to version 4.4, for further information about notable changes, see upstream - release notes. -

-

- Jira:RHELPLAN-136608 -

-
-

Aardvark and Netavark now support custom DNS server selection

-

- The Aardvark and Netavark network stack now support custom DNS server selection for containers - instead of the default DNS servers on the host. You have two options for specifying the custom - DNS server: -

-
-
-
    -
  • - Add the dns_servers field in the containers.conf configuration file. -
  • -
  • - Use the new --dns Podman option to specify an IP address of the - DNS server. -
  • -
-
-

- The --dns option overrides the values in the container.conf file. -

-

- Jira:RHELPLAN-138025 -

-
-

Skopeo now supports generating sigstore key pairs

-

- You can use the skopeo generate-sigstore-key command to generate a - sigstore public/private key pair. For more information, see skopeo-generate-sigstore-key man page. -

-
-

- Jira:RHELPLAN-151481 -

-
-

Toolbox is now available

-

- With the toolbox utility, you can use the containerized - command-line environment without installing troubleshooting tools directly on your system. - Toolbox is built on top of Podman and other standard container technologies from OCI. For more - information, see toolbx. -

-
-

- Jira:RHELPLAN-150266 -

-
-

The capability for multiple trusted GPG keys for signing images is - available

-

- The /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted - keys. Because of this, the container images signed with Red Hat’s General Availability and Beta - GPG keys are now accepted in the default configuration. -

-
-

- For example: -

-
"registry.redhat.io": [
-        {
-            "type": "signedBy",
-            "keyType": "GPGKeys",
-            "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
-        }
-]
-

- Jira:RHELPLAN-118470 -

-
-

RHEL 8 Extended Update Support

-

- The RHEL Container Tools are now supported in RHEL 8 Extended Update Support (EUS) releases. - More information on Red Hat Enterprise Linux EUS is available in Container Tools - AppStream - Content Availability, Red Hat Enterprise Linux (RHEL) Extended - Update Support (EUS) Overview. -

-
-

- Jira:RHELPLAN-151121 -

-
-

The sigstore signatures are now available

-

- Beginning with Podman 4.2, you can use the sigstore format of container image signatures. The - sigstore signatures are stored in the container registry together with the container image - without the need to have a separate signature server to store image signatures. -

-
-

- Jira:RHELPLAN-75165 -

-
-

Podman now supports the pre-execution hooks

-

- The root-owned plugin scripts located in the /usr/libexec/podman/pre-exec-hooks and /etc/containers/pre-exec-hooks directories define a fine-control over - container operations, especially blocking unauthorized actions. -

-
-

- The /etc/containers/podman_preexec_hooks.txt file must be created by an - administrator and can be empty. If /etc/containers/podman_preexec_hooks.txt does not exist, the plugin - scripts will not be executed. If all plugin scripts return zero value, then the podman command is executed, otherwise, the podman command exits with the inherited exit code. -

-

- Red Hat recommends using the following naming convention to execute the scripts in the correct - order: DDD-plugin_name.lang, - for example 010-check-group.py. Note that the plugin scripts are valid - at the time of creation. Containers created before plugin scripts are not affected. -

-

- Bugzilla:2119200 -

-
-
-
-
-
-
-

Chapter 5. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel shipped - with Red Hat Enterprise Linux 8.8. These changes could include for example added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any - noticeable behavior changes. -

-

New kernel parameters

-
-
-
nomodeset
-
-

- With this kernel parameter, you can disable kernel mode setting. DRM drivers will not - perform display-mode changes or accelerated rendering. Only the system frame buffer will be - available for use if this was set-up by the firmware or boot loader. -

-

- nomodeset is useful as fallback, or for testing and debugging. -

-
-
sev=option[,option…​] [X86-64]
-
- For more information, see Documentation/x86/x86_64/boot-options.rst. -
-
amd_pstate=[X86]
-
-
-
    -
  • - disable: Do not enable amd_pstate as the default - scaling driver for the supported processors. -
  • -
  • - passive: Use amd_pstate as a scaling driver. The driver - requests a desired performance on this abstract scale and the power management - firmware translates the requests into actual hardware states, such as core - frequency, data fabric and memory clocks and so on. -
  • -
-
-
-
retbleed=ibpb,nosmt
-
- This parameter is similar to ibpb and is an alternative for systems - which do not have STIBP. With this parameter you can disable SMT when STIBP is not available. -
-
-
-

Updated kernel parameters

-
-
-
amd_iommu=[HW,X86-64]
-
-

- With this kernel parameter, you can pass parameters to the AMD IOMMU driver in the system. - Possible values are: -

-
-
    -
  • - fullflush: Deprecated, equivalent to iommu.strict=1. -
  • -
  • - off: do not initialize any AMD IOMMU found in the system. -
  • -
  • -

    - force_isolation: Force device isolation for all devices. The IOMMU driver is not - allowed anymore to lift isolation requirements as needed. -

    -
    -
      -
    • - This option does not override iommu=pt. -
    • -
    -
    -
  • -
  • -

    - force_enable: Force enable the IOMMU on platforms known to be buggy with IOMMU - enabled. -

    -
    -
      -
    • - Use this option with care. -
    • -
    -
    -
  • -
-
-
-
crashkernel=size[KMG][@offset[KMG]]
-
-

- [KNL] Using kexec, Linux can switch to a crash kernel upon - panic. This parameter reserves the physical memory region [offset, offset + size] for that - kernel image. If @offset is omitted, then a suitable offset is - selected automatically. -

-

- [KNL, X86-64, ARM64] Select a region under 4G first, and fall back to reserve region above - 4G when @offset has not been specified. -

-

- For more details, see Documentation/admin-guide/kdump/kdump.rst. -

-
-
crashkernel=size[KMG],low
-
-
-
    -
  • -

    - [KNL, X86-64, ARM64] With this parameter, you can specify low range under 4G for - the second kernel. When crashkernel=X,high is - passed, that require some amount of low memory, for example swiotlb requires at least 64M+32K low memory, also - enough extra low memory is needed to make sure DMA buffers for 32-bit devices - will not run out. Kernel would try to allocate default size of memory below 4G - automatically. The default size is platform dependent. -

    -
    -
      -
    • - x86: max(swiotlb_size_or_default() + 8MiB, 256MiB) -
    • -
    • -

      - arm64: 128MiB -

      -

      - 0: to disable low allocation. -

      -

      - This parameter will be ignored when crashkernel=X,high is not used or memory - reserved is below 4G. -

      -
    • -
    -
    -
  • -
  • -

    - [KNL, ARM64] With this parameter, you can specify a low range in the DMA zone - for the crash dump kernel. -

    -

    - This paramete will be ignored when crashkernel=X,high is not used. -

    -
  • -
-
-
-
intel_iommu=[DMAR]
-
-

- The kernel parameter for setting the Intel IOMMU driver (DMAR) option. -

-
-
    -
  • - on: Enable intel iommu driver. -
  • -
  • - off: Disable intel iommu driver. -
  • -
  • - igfx_off [Default Off]: By default, gfx is mapped as normal device. If a gfx device - has a dedicated DMAR unit, the DMAR unit is bypassed by not enabling DMAR with this - option. In this case, the gfx device will use physical - address for DMA. -
  • -
  • - strict [Default Off]: Deprecated, equivalent to iommu.strict=1. -
  • -
  • - sp_off [Default Off]: By default, super page will be supported if Intel IOMMU has - the capability. With this option, super page will not be supported. -
  • -
  • - sm_on [Default Off]: By default, scalable mode will be disabled even if the hardware - advertises that it has support for the scalable mode translation. With this option - set, scalable mode will be used on hardware which claims to support it. -
  • -
  • -

    - tboot_noforce [Default Off]: Do not force the Intel IOMMU enabled under tboot. By default, tboot - will force Intel IOMMU on, which could harm performance of some high-throughput - devices like 40GBit network cards, even if identity mapping is enabled. -

    -
    -
    Note
    -
    -

    - Using this option lowers the security provided by tboot because it makes the system vulnerable - to DMA attacks. -

    -
    -
    -
  • -
-
-
-
iommu.strict=[ARM64,X86]
-
-

- With this kernel parameter, you can configure TLB invalidation behavior. -

-

- Format: { "0" | "1" } -

-
-
    -
  • - 0 - Lazy mode. Request that DMA unmap operations use deferred invalidation of - hardware TLBs, for increased throughput at the cost of reduced device isolation. - Will fall back to strict mode if not supported by the relevant IOMMU driver. -
  • -
  • - 1 - Strict mode. DMA unmap operations invalidate IOMMU hardware TLBs synchronously. -
  • -
  • -

    - unset - Use value of CONFIG_IOMMU_DEFAULT_DMA_{LAZY,STRICT}. -

    -
    -
    Note
    -
    -

    - On x86, strict mode specified via one of the legacy driver-specific - options takes precedence. -

    -
    -
    -
  • -
-
-
-
mem_encrypt=[X86-64]
-
-

- The kernel parameter for setting the AMD Secure Memory Encryption (SME) control. -

-

- Valid arguments: on, off -

-

- Default depends on the kernel configuration option: -

-
-
    -
  • - on (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y) -
  • -
  • - off (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=n) -
  • -
  • - mem_encrypt=on: Activate SME -
  • -
  • -

    - mem_encrypt=off: Do not activate SME -

    -

    - Refer to Documentation/virt/kvm/x86/amd-memory-encryption.rst - for details on when memory encryption can be activated. -

    -
  • -
-
-
-
retbleed=[X86]
-
-

- With this kernel parameter, you can control mitigation of RETBleed (Arbitrary Speculative - Code Execution with Return Instructions) vulnerability. -

-

- AMD-based UNRET and IBPB mitigations alone do not stop sibling threads from influencing the - predictions of other sibling threads. For that reason, STIBP is used on processors that - support it, and mitigate SMT on processors that do not. -

-
-
    -
  • - off - no mitigation -
  • -
  • - auto - automatically select a migitation -
  • -
  • - auto,nosmt - automatically select a mitigation, disabling SMT if necessary for the - full mitigation (only on Zen1 and older without STIBP). -
  • -
  • - ibpb - On AMD, mitigate short speculation windows on basic block boundaries too. - Safe, highest performance impact. It also enables STIBP if present. Not suitable on - Intel. -
  • -
  • - unret - Force enable untrained return thunks, only effective on AMD f15h-f17h based - systems. -
  • -
  • - unret,nosmt - Like unret, but will disable SMT when STIBP is not available. This is - the alternative for systems which do not have STIBP. -
  • -
-
-
-
swiotlb=[ARM,IA-64,PPC,MIPS,X86]
-
-

- With this kernel parameter, you can configure the behavior of I/O TLB slabs. -

-

- Format: { <int> [,<int>] | force | noforce } -

-
-
    -
  • - <int> - Number of I/O TLB slabs -
  • -
  • - <int> - Second integer after comma. Number of swiotlb areas with their own - lock. Must be power of 2. -
  • -
  • - force - force using of bounce buffers even if they would not be automatically used - by the kernel -
  • -
  • - noforce - Never use bounce buffers (for debugging) -
  • -
-
-
-
-
-

New sysctl parameters

-
-
-
page_lock_unfairness
-
- This value determines the number of times that the page lock can be stolen from under a waiter. - After the lock is stolen the number of times specified in this file (the default is 5), the fair lock - handoff semantics will apply, and the waiter will only be awakened if the - lock can be taken. -
-
rps_default_mask
-
- The default RPS CPU mask used on newly created network devices. An empty mask means RPS disabled - by default. -
-
-
-
-
-
-
-
-

Chapter 6. Device Drivers

-
-
-
-
-
-
-
-

6.1. New drivers

-
-
-
-

Network drivers

-
-
    -
  • - Solarflare Siena network driver (sfc-siena), only in IBM Power - Systems, Little Endian and AMD and Intel 64-bit architectures -
  • -
  • - Nvidia sn2201 platform driver (nvsw-sn2201), only in AMD and - Intel 64-bit architectures -
  • -
  • - AMD SEV Guest Driver (sev-guest), only in AMD and Intel 64-bit - architectures -
  • -
  • - TDX Guest Driver (tdx-guest), only in AMD and Intel 64-bit - architectures -
  • -
-
-

Graphics drivers and miscellaneous drivers

-
-
    -
  • - ACPI Video Driver (video), only in 64-bit ARM architecture -
  • -
  • - DRM Buddy Allocator (drm_buddy), only in 64-bit ARM - architecture and IBM Power Systems, Little Endian -
  • -
  • - DRM display adapter helper (drm_display_helper), only in 64-bit - ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit architectures -
  • -
  • - Intel® GVT-g for KVM (kvmgt), only in AMD and Intel 64-bit - architectures -
  • -
  • - HP® iLO/iLO2 management processor (hpilo), only in 64-bit ARM - architecture -
  • -
  • - HPE watchdog driver (hpwdt), only in 64-bit ARM architecture -
  • -
  • - AMD HSMP Platform Interface Driver (amd_hsmp.), only in AMD and - Intel 64-bit architectures -
  • -
-
-
-
-
-
-
-

6.2. Updated drivers

-
-
-
-

Network drivers

-
-
    -
  • - Intel® 10 Gigabit PCI Express Network Driver (ixgbe) has been - updated to version 4.18.0-477 (only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - Intel® 10 Gigabit Virtual Function Network Driver (ixgbevf) has - been updated to version 4.18.0-477 (only in 64-bit ARM architecture, IBM Power Systems, - Little Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - Intel® 2.5G Ethernet Linux Driver (igc.) has been updated to - version 4.18.0-477 (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, and - AMD and Intel 64-bit architectures). -
  • -
  • - Intel® Ethernet Adaptive Virtual Function Network Driver (iavf) - has been updated to version 4.18.0-477 (only in 64-bit ARM architecture, IBM Power Systems, - Little Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - Intel® Ethernet Connection XL710 Network Driver (i40e) has been - updated to version 4.18.0-477 (only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - Intel® Ethernet Switch Host Interface Driver (fm10k) has been - updated to version 4.18.0-477 (only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - Intel® Gigabit Ethernet Network Driver (igb) has been updated - to version 4.18.0-477. (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, - and AMD and Intel 64-bit architectures). -
  • -
  • - Intel® Gigabit Virtual Function Network Driver (igbvf) has been - updated to version 4.18.0-477 (only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - Intel® PRO/1000 Network Driver (e1000e) has been updated to - version 4.18.0-477 (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, and - AMD and Intel 64-bit architectures). -
  • -
  • - Mellanox 5th generation network adapters (ConnectX series) core driver (mlx5_core) has been updated to version 4.18.0-477. -
  • -
  • - The Netronome Flow Processor (NFP) driver (nfp) has been - updated to version 4.18.0-477. -
  • -
-
-

Storage drivers

-
-
    -
  • - Driver for Microchip Smart Family Controller version (smartpqi) - has been updated to version 2.1.20-035 (only in 64-bit ARM architecture, IBM Power Systems, - Little Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - Emulex LightPulse Fibre Channel SCSI driver (lpfc) has been - updated to version 14.0.0.18 (only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas) has been updated - to version 43.100.00.00 (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, - and AMD and Intel 64-bit architectures). -
  • -
  • - MPI3 Storage Controller Device Driver (mpi3mr) has been updated - to version 8.2.0.3.0 (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, and - AMD and Intel 64-bit architectures). -
  • -
  • - QLogic Fibre Channel HBA Driver(qla2xxx) has been updated to - version 10.02.07.900-k (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, - and AMD and Intel 64-bit architectures). -
  • -
  • - SCSI debug adapter driver (scsi_debug) has been updated to - version 0191. -
  • -
-
-
-
-
-
-
-
-

Chapter 7. Available BPF Features

-
-
-
-

- This chapter provides the complete list of Berkeley Packet Filter (BPF) features available in the kernel of this minor version of Red Hat - Enterprise Linux 8. The tables include the lists of: -

- -

- This chapter contains automatically generated output of the bpftool feature - command. -

-
-

Table 7.1. System configuration and other options

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionValue
-

- unprivileged_bpf_disabled -

-
-

- 1 (bpf() syscall restricted to privileged users, without recovery) -

-
-

- JIT compiler -

-
-

- 1 (enabled) -

-
-

- JIT compiler hardening -

-
-

- 1 (enabled for unprivileged users) -

-
-

- JIT compiler kallsyms exports -

-
-

- 1 (enabled for root) -

-
-

- Memory limit for JIT for unprivileged users -

-
-

- 264241152 -

-
-

- CONFIG_BPF -

-
-

- y -

-
-

- CONFIG_BPF_SYSCALL -

-
-

- y -

-
-

- CONFIG_HAVE_EBPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT_ALWAYS_ON -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF_MODULES -

-
-

- n -

-
-

- CONFIG_CGROUPS -

-
-

- y -

-
-

- CONFIG_CGROUP_BPF -

-
-

- y -

-
-

- CONFIG_CGROUP_NET_CLASSID -

-
-

- y -

-
-

- CONFIG_SOCK_CGROUP_DATA -

-
-

- y -

-
-

- CONFIG_BPF_EVENTS -

-
-

- y -

-
-

- CONFIG_KPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_UPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_TRACING -

-
-

- y -

-
-

- CONFIG_FTRACE_SYSCALLS -

-
-

- y -

-
-

- CONFIG_FUNCTION_ERROR_INJECTION -

-
-

- y -

-
-

- CONFIG_BPF_KPROBE_OVERRIDE -

-
-

- y -

-
-

- CONFIG_NET -

-
-

- y -

-
-

- CONFIG_XDP_SOCKETS -

-
-

- y -

-
-

- CONFIG_LWTUNNEL_BPF -

-
-

- y -

-
-

- CONFIG_NET_ACT_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_ACT -

-
-

- y -

-
-

- CONFIG_NET_SCH_INGRESS -

-
-

- m -

-
-

- CONFIG_XFRM -

-
-

- y -

-
-

- CONFIG_IP_ROUTE_CLASSID -

-
-

- y -

-
-

- CONFIG_IPV6_SEG6_BPF -

-
-

- n -

-
-

- CONFIG_BPF_LIRC_MODE2 -

-
-

- n -

-
-

- CONFIG_BPF_STREAM_PARSER -

-
-

- y -

-
-

- CONFIG_NETFILTER_XT_MATCH_BPF -

-
-

- m -

-
-

- CONFIG_BPFILTER -

-
-

- n -

-
-

- CONFIG_BPFILTER_UMH -

-
-

- n -

-
-

- CONFIG_TEST_BPF -

-
-

- m -

-
-

- CONFIG_HZ -

-
-

- 1000 -

-
-

- bpf() syscall -

-
-

- available -

-
-

- Large program size limit -

-
-

- available -

-
-
-
-
-

Table 7.2. Available program types and supported helpers

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Program typeAvailable helpers
-

- socket_filter -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- kprobe -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_override_return, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- sched_cls -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sched_act -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- xdp -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, bpf_redirect, - bpf_perf_event_output, bpf_csum_diff, bpf_get_current_task, - bpf_get_numa_node_id, bpf_xdp_adjust_head, bpf_redirect_map, - bpf_xdp_adjust_meta, bpf_xdp_adjust_tail, bpf_fib_lookup, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_tcp_gen_syncookie, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- perf_event -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_get_task_stack, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, - bpf_snprintf -

-
-

- cgroup_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_skb_cgroup_id, bpf_get_local_storage, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, - bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_sk_cgroup_id, - bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sock -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_current_cgroup_id, - bpf_get_local_storage, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_in -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_lwt_push_encap, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_out -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_xmit -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, - bpf_csum_diff, bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, bpf_set_hash_invalid, - bpf_get_numa_node_id, bpf_skb_change_head, bpf_lwt_push_encap, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sock_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_setsockopt, bpf_sock_map_update, bpf_getsockopt, - bpf_sock_ops_cb_flags_set, bpf_sock_hash_update, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_skc_to_tcp6_sock, - bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, - bpf_skc_to_udp6_sock, bpf_load_hdr_opt, bpf_store_hdr_opt, bpf_reserve_hdr_opt, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sk_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_tail_call, bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_adjust_room, bpf_sk_redirect_map, bpf_sk_redirect_hash, - bpf_sk_lookup_tcp, bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, - bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, - bpf_skc_lookup_tcp, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_device -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sk_msg -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_cgroup_classid, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_msg_redirect_hash, bpf_get_current_cgroup_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_msg_push_data, - bpf_msg_pop_data, bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- raw_tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sock_addr -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_setsockopt, bpf_getsockopt, - bpf_bind, bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_seg6local -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lirc_mode2 -

-
-

- not supported -

-
-

- sk_reuseport -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_skb_load_bytes_relative, bpf_sk_select_reuseport, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- flow_dissector -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sysctl -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_sysctl_get_name, bpf_sysctl_get_current_value, - bpf_sysctl_get_new_value, bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- raw_tracepoint_writable -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sockopt -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- tracing -

-
-

- not supported -

-
-

- struct_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, - bpf_skb_store_bytes, bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, - bpf_clone_redirect, bpf_get_current_pid_tgid, bpf_get_current_uid_gid, - bpf_get_current_comm, bpf_get_cgroup_classid, bpf_skb_vlan_push, - bpf_skb_vlan_pop, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_perf_event_read, bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_get_stackid, bpf_csum_diff, bpf_skb_get_tunnel_opt, - bpf_skb_set_tunnel_opt, bpf_skb_change_proto, bpf_skb_change_type, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_current_task_under_cgroup, bpf_skb_change_tail, bpf_skb_pull_data, - bpf_csum_update, bpf_set_hash_invalid, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_xdp_adjust_head, bpf_probe_read_str, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_setsockopt, - bpf_skb_adjust_room, bpf_redirect_map, bpf_sk_redirect_map, bpf_sock_map_update, - bpf_xdp_adjust_meta, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_getsockopt, bpf_override_return, bpf_sock_ops_cb_flags_set, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_bind, bpf_xdp_adjust_tail, bpf_skb_get_xfrm_state, - bpf_get_stack, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_sock_hash_update, bpf_msg_redirect_hash, bpf_sk_redirect_hash, - bpf_lwt_push_encap, bpf_lwt_seg6_store_bytes, bpf_lwt_seg6_adjust_srh, - bpf_lwt_seg6_action, bpf_rc_repeat, bpf_rc_keydown, bpf_skb_cgroup_id, - bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_select_reuseport, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_msg_push_data, bpf_msg_pop_data, bpf_rc_pointer_rel, bpf_spin_lock, - bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, 
bpf_skb_ecn_set_ce, - bpf_get_listener_sock, bpf_skc_lookup_tcp, bpf_tcp_check_syncookie, - bpf_sysctl_get_name, bpf_sysctl_get_current_value, bpf_sysctl_get_new_value, - bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_send_signal, bpf_tcp_gen_syncookie, bpf_skb_output, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_tcp_send_ack, bpf_send_signal_thread, - bpf_jiffies64, bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_xdp_output, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_seq_printf, bpf_seq_write, - bpf_sk_cgroup_id, bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_csum_level, bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, - bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, - bpf_get_task_stack, bpf_load_hdr_opt, bpf_store_hdr_opt, bpf_reserve_hdr_opt, - bpf_inode_storage_get, bpf_inode_storage_delete, bpf_d_path, bpf_copy_from_user, - bpf_snprintf_btf, bpf_seq_printf_btf, bpf_skb_cgroup_classid, - bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_redirect_peer, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_bprm_opts_set, bpf_ktime_get_coarse_ns, bpf_ima_inode_hash, - bpf_sock_from_file, bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, - bpf_sys_bpf, bpf_btf_find_by_name_kind, bpf_sys_close -

-
-

- ext -

-
-

- not supported -

-
-

- lsm -

-
-

- not supported -

-
-

- sk_lookup -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-
-
-
-

Table 7.3. Available map types

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Map typeAvailable
-

- hash -

-
-

- yes -

-
-

- array -

-
-

- yes -

-
-

- prog_array -

-
-

- yes -

-
-

- perf_event_array -

-
-

- yes -

-
-

- percpu_hash -

-
-

- yes -

-
-

- percpu_array -

-
-

- yes -

-
-

- stack_trace -

-
-

- yes -

-
-

- cgroup_array -

-
-

- yes -

-
-

- lru_hash -

-
-

- yes -

-
-

- lru_percpu_hash -

-
-

- yes -

-
-

- lpm_trie -

-
-

- yes -

-
-

- array_of_maps -

-
-

- yes -

-
-

- hash_of_maps -

-
-

- yes -

-
-

- devmap -

-
-

- yes -

-
-

- sockmap -

-
-

- yes -

-
-

- cpumap -

-
-

- yes -

-
-

- xskmap -

-
-

- yes -

-
-

- sockhash -

-
-

- yes -

-
-

- cgroup_storage -

-
-

- yes -

-
-

- reuseport_sockarray -

-
-

- yes -

-
-

- percpu_cgroup_storage -

-
-

- yes -

-
-

- queue -

-
-

- yes -

-
-

- stack -

-
-

- yes -

-
-

- sk_storage -

-
-

- yes -

-
-

- devmap_hash -

-
-

- yes -

-
-

- struct_ops -

-
-

- no -

-
-

- ringbuf -

-
-

- yes -

-
-

- inode_storage -

-
-

- yes -

-
-

- task_storage -

-
-

- no -

-
-
-
-
-
-
-
-
-

Chapter 8. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.8 that have a significant impact on users. -

-
-
-
-
-

8.1. Installer and image creation

-
-
-
-
-

Installer now lists all PPC PreP Boot or BIOS Boot partitions during custom partitioning

-

- Previously, when adding multiple PPC PreP Boot or BIOS Boot partitions during custom partitioning, the Custom - Partitioning screen displayed only one partition of a related type. As a consequence, the Custom - Partitioning screen did not reflect the real state of the intended partitioning layout, making - the partitioning process difficult and non-transparent. -

-
-

- With this update, the Custom Partitioning screen correctly displays all PPC PreP Boot or BIOS Boot partitions in the - partitions list. As a result, users can now better understand and manage the intended partitioning - layout. -

-

- Bugzilla:1913035 -

-
-

The installer now adds configuration options correctly into the yum repo - files

-

- Previously, the installer did not add configuration options correctly into yum repo files while - including and excluding packages from additional installation repositories. With this update, - yum repo files are created correctly. As a result, using the --excludepkgs= or --includepkgs= options - in the repo kickstart command now excludes or includes the - specified packages during installation as expected. -

-
-

- Bugzilla:2014103 -

-
-

Using the filename DHCP option no longer - blocks downloading the kickstart file for installation -

-

- Previously, when building a path for getting the kickstart file from an NFS server, the - installer did not consider the filename DHCP option. As a - consequence, the installer did not download the kickstart file and was blocking the installation - process. With this update, the filename DHCP option correctly - constructs a path to the kickstart file. As a result, the kickstart file is downloaded properly, - and the installation process starts correctly. -

-
-

- Bugzilla:1991516 -

-
-

The installer now creates a new GPT disk layout while custom - partitioning

-

- Previously, the installer did not change the disk layout to GPT when inst.gpt was specified on the kernel command line, and the user - removed all partitions from a disk with the MBR disk layout on the custom partitioning spoke. As - a consequence, the MBR disk layout remained on the disk. -

-
-

- With this update, the installer creates a new GPT disk layout on the disk if inst.gpt is specified on the kernel command line, and all partitions are - removed from a disk on the custom partitioning spoke. -

-

- Bugzilla:2094977 -

-
-

The --size parameter of the composer-cli compose start command now treats its values as - MiB

-

- Previously, when using the composer-cli compose start --size size_value blueprint_name image_type - command, the composer-cli tool treated the --size parameter values as byte units. This update fixes the issue, - and the --size parameter values are now correctly used in the MiB - format. -

-
-

- Bugzilla:2033192 -

-
-
-
-
-
-

8.2. Software management

-
-
-
-
-

RPM no longer hangs during a transaction involving the fapolicyd service restart

-

- Previously, if you tried to update a package that caused the fapolicyd service to be restarted, for example, systemd, the RPM transaction stopped responding because the fapolicyd plug-in failed to communicate with the fapolicyd daemon. -

-
-

- With this update, the fapolicyd plug-in now correctly communicates with - the fapolicyd daemon. As a result, RPM no longer hangs during a - transaction which involves the fapolicyd service restart. -

-

- Bugzilla:2110787 -

-
-

Security YUM upgrade is now possible for packages that change their - architecture through the upgrade

-

- Patch for BZ#2088149 introduced with RHBA-2022:7711 - caused a regression where YUM upgrade using security filters skipped packages that changed their - architecture from or to noarch through the upgrade. Consequently, - the missing security upgrades for these packages could leave the system in a vulnerable state. -

-
-

- With this update, the issue has been fixed, and security YUM upgrade no longer skips packages that - change architecture from or to noarch. -

-

- Bugzilla:2124483 -

-
-

Reverting a YUM upgrade transaction is now possible for a package group or - environment

-

- Previously, the yum history rollback command failed when attempting - to revert an upgrade transaction for a package group or an environment. -

-
-

- With this update, the issue has been fixed, and you can now revert the YUM upgrade transaction for a - package group or environment. -

-

- Bugzilla:2016070 -

-
-
-
-
-
-

8.3. Shells and command-line tools

-
-
-
-
-

wsmancli handles HTTP 401 Unauthorized - statuses correctly

-

- The wsmancli utility for managing systems using Web Services - Management protocol now handles authentication to better conform to RFC 2616. -

-
-

- Previously, when connecting to a service that requires authentication, the wsmancli command returned the error message Authentication failed, please retry immediately after receiving an HTTP - 401 Unauthorized response, for example, because of incomplete credentials. To proceed, wsmancli prompted you to provide both the username and the password, even - in situations where you had already provided a part of your credentials. -

-

- With this update, wsmancli requires only credentials that were not - previously provided. As a result, the first authentication attempt does not display any error - message. An error message is displayed only after you provide the complete credentials and - authentication fails. -

-

- Bugzilla:2105316 -

-
-

The translator.sty LaTeX style document has - been added

-

- Previously, the translator.sty LaTeX style document, which is - necessary for certain tools that depend on texlive-beamer, was - missing. As a consequence, these tools failed with a LaTeX Error: File `translator.sty' not found. error. This update adds - the missing texlive-translator package that contains the translator.sty LaTeX style document. As a result, tools that depend - on texlive-beamer work correctly. -

-
-

- Bugzilla:2150727 -

-
-

ReaR handles excluded DASDs on the IBM Z architecture correctly -

-

- Previously on the IBM Z architecture, ReaR reformatted all connected Direct Access Storage - Devices (DASD) during the recovery process, including those DASDs that users excluded from the - saved layout and did not intend to restore their content. As a consequence, if you excluded some - DASDs from the saved layout, their data were lost during system recovery. With this update, ReaR - no longer formats excluded DASDs during system recovery, including the device from which the - ReaR rescue system was booted (using the zIPL bootloader). You are also prompted to confirm the - DASD formatting script before ReaR reformats DASDs. This ensures that the data on excluded DASDs - survive a system recovery. -

-
-

- Bugzilla:2172605 -

-
-

ReaR no longer fails to restore non-LVM XFS filesystems

-

- Previously, when you used ReaR to restore a non-LVM XFS filesystems with certain settings and - disk mapping, ReaR created the file system with the default settings instead of the specified - settings. -

-
-

- For example, if you had a file system with the sunit and swidth parameters set to non-zero values and you restored the file system - using ReaR with disk mapping, the file system would be created with default sunit and swidth parameters ignoring the - specified values. -

-

- As a consequence, ReaR failed during mounting the filesystem with specific XFS options. With this - update, ReaR correctly restores the file system with the specified settings. -

-

- Bugzilla:2131946 -

-
-
-
-
-
-

8.4. Infrastructure services

-
-
-
-
-

rsync no longer fails while using regular - expressions for extended attributes

-

- Previously, the rsync utility for transferring and synchronizing - files was not able to handle extended attributes in RHEL 8 correctly. For example, if you passed - the --delete option together with the --filter '-x string.*' option - for extended attributes to the rsync command, and a file on your - system satisfied the regular expression, this resulted in an error message stating protocol - incompatibilities. With this update, the rsync utility handles - extended attributes correctly and you can use regular expressions for these attributes. -

-
-

- Bugzilla:2139118 -

-
-
-
-
-
-

8.5. Security

-
-
-
-
-

Scans and remediations correctly ignore SCAP Audit rules Audit key -

-

- Previously, Audit watch rules that were defined without an Audit key (-k or -F key) encountered the following - problems: -

-
-
-
    -
  • - The rules were marked as non-compliant even if other parts of the rule were correct. -
  • -
  • - Bash remediation fixed the path and permissions of the watch rule, but it did not add the - Audit key correctly. -
  • -
  • - Remediation sometimes did not fix the missing key, returning an error instead of a fixed value. -
  • -
-
-

- This affected the following rules: -

-
-
    -
  • - audit_rules_login_events -
  • -
  • - audit_rules_login_events_faillock -
  • -
  • - audit_rules_login_events_lastlog -
  • -
  • - audit_rules_login_events_tallylog -
  • -
  • - audit_rules_usergroup_modification -
  • -
  • - audit_rules_usergroup_modification_group -
  • -
  • - audit_rules_usergroup_modification_gshadow -
  • -
  • - audit_rules_usergroup_modification_opasswd -
  • -
  • - audit_rules_usergroup_modification_passwd -
  • -
  • - audit_rules_usergroup_modification_shadow -
  • -
  • - audit_rules_time_watch_localtime -
  • -
  • - audit_rules_mac_modification -
  • -
  • - audit_rules_networkconfig_modification -
  • -
  • - audit_rules_sysadmin_actions -
  • -
  • - audit_rules_session_events -
  • -
  • - audit_rules_sudoers -
  • -
  • - audit_rules_sudoers_d -
  • -
-
-

- With this update, the Audit key has been removed from checks and from Bash and Ansible remediations. - As a result, inconsistencies caused by the key field during checking and remediating no longer - occur, and auditors can choose these keys arbitrarily to make searching Audit logs easier. -

-

- Bugzilla:2119356 -

-
-

crypto-policies no longer creates unnecessary - symlink

-

- During system installation, the crypto-policies scriptlet creates - symlinks from the /usr/share/crypto-policies/DEFAULT file or /usr/share/crypto-policies/FIPS in FIPS mode and saves them in the - /etc/crypto-policies/back-ends directory. Previously, crypto-policies incorrectly included directories, and created a /etc/crypto-policies/back-ends/.config symlink that pointed to the - /usr/share/crypto-policies/DEFAULT or /usr/share/crypto-policies/FIPS directories. With this update, crypto-policies does not create symlinks from directories, and - therefore does not create this unnecessary symlink. -

-
-

- Bugzilla:1921646 -

-
-

crypto-policies now disable NSEC3DSA for BIND

-

- Previously, the system-wide cryptographic policies did not control the NSEC3DSA algorithm in the BIND configuration. Consequently, NSEC3DSA, which does not meet current security requirements, was not - disabled on DNS servers. With this update, all cryptographic policies disable NSEC3DSA in the BIND configuration by default. -

-
-

- Bugzilla:2071981 -

-
-

Libreswan no longer rejects SHA-1 signature verification in the FUTURE and FIPS cryptographic - policies

-

- Previously, from update to 4.9, Libreswan rejected SHA-1 signature verification in the FUTURE and FIPS cryptographic policies, - and peer authentication failed when authby=rsasig or authby=rsa-sha1 connection options were used. This update reverts - this behavior by relaxing how Libreswan handles the crypto-policies - settings. As a consequence, you can now use the authby=rsasig and - authby=rsa-sha1 connection options using SHA-1 signature - verification. -

-
-

- Bugzilla:2176248 -

-
-

crontab bash scripts no longer execute in - incorrect context

-

- Previously, a bug fix published in erratum RHBA-2022:7691 used too general - transition rule. Consequently, a bash script executed from the crontab file was executed in the rpm_script_t context instead of the system_cronjob_t context. With this update, bash scripts are now - executed in the correct context. -

-
-

- Bugzilla:2154242 -

-
-

selinux-policy supports service execution in - SAP Host Agent

-

- Previously, the SELinux policy did not support the insights-client - service interacting with SAP Host Agent and other services. As a consequence, some commands did - not work correctly when started from Red Hat Insights. With this update, the SELinux policy - supports SAP service execution. As a result, SAP services started from Insights run - successfully. -

-
-

- Bugzilla:2134125 -

-
-

selinux-policy now allows pmcd to execute its private memfd: - objects

-

- Previously, the SELinux policy did not allow the pmcd process from - the Performance Co-Pilot (PCP) framework to execute its private memory file-system objects - (memfd:). Consequently, SELinux denied the Performance Metric - Domain Agent (PMDA) BPF Compiler Collection (BCC) service to execute memfd: objects. In this update, the SELinux policy contains new rules - for pcmd. As a result, pmcd can now - execute memfd: objects with SELinux in enforcing mode. -

-
-

- Bugzilla:2090711 -

-
-

SELinux policy allows sysadm_r to use subscription-manager

-

- Previously, users in the sysadm_r SELinux role were not allowed to - execute some subcommands of the subscription-manager utility. - Consequently, the subcommands failed to read the memory device. This update adds a new rule to - the SELinux policy that allows the sysadm_t type to read /dev/mem. As a consequence, the subscription-manager subcommands do not fail. -

-
-

- Bugzilla:2101341 -

-
-

samba-dcerpcd process now works correctly with - nscd

-

- Previously, the samba-dcerpcd process could not communicate with - the nscd process because of the SELinux policy. Consequently, the - samba-dcerpcd service did not work properly when the nscd service was enabled. With this update, the SELinux policy has - been updated with new rules for samba-dcerpcd. -

-
-

- Bugzilla:2121709 -

-
-

vlock now works properly for confined - users

-

- Previously, the confined user could not use vlock due to SELinux - policy. Consequently, the vlock command did not work properly for - confined users. With this update, the SELinux policy has been updated with new rules for - confined users. -

-
-

- Bugzilla:2122838 -

-
-

Confined users now can log in without a reported denial

-

- Previously, SELinux policy did not allow all permissions needed to log in a SELinux confined - user using GUI. Consequently, AVC denials were audited and some services like dbus or pulseaudio did not work - properly. With this update, the SELinux policy has been updated with new rules for confined - users. -

-
-

- Bugzilla:2124388 -

-
-

insights-client now has additional permissions - in the SELinux policy

-

- The updated insights-client service requires additional - permissions, which were not included in the previous versions of the selinux-policy packages. As a consequence, certain components of - insights-client did not work correctly with SELinux in enforcing - mode, and the system reported access vector cache (AVC) error messages. This update adds the - missing permissions to the SELinux policy. As a result, insights-client now works correctly without reporting AVC errors. -

-
-

- Bugzilla:2125008 -

-
-

The SELinux policy allows smb access to user - shares

-

- Previously, the samba-dcerpcd process was separated from the smb service, but did not have access to user shares. As a - consequence, smb clients could not access files on user smb shares. This update adds rules to the SELinux policy for managing - user home content for the samba-dcerpcd binary when the samba_enable_home_dirs boolean is enabled. As a result, samba-dcerpcd can access user shares when samba_enable_home_dirs is on. -

-
-

- Bugzilla:2143696 -

-
-

The SELinux policy now allows confined administrators to access ipmi devices when IPMItool runs

-

- Previously, the SELinux policy did not allow confined administrators to read and write ipmi devices when the IPMItool utility is run. As a consequence, when - a confined administrator ran ipmitool, it failed. This update adds - allow rules to selinux-policy for administrators assigned to the - sysadm_r SELinux role. As a result, if a confined administrator - runs ipmitool it works correctly. -

-
-

- Bugzilla:2148561 -

-
-

SCAP Security Guide rule file_permissions_sshd_private_key is aligned with STIG - configuration RHEL-08-010490

-

- Previously, the implementation of rule file_permissions_sshd_private_key allowed private SSH keys to be - readable by the ssh_keys group with mode 0644, while DISA STIG version RHEL-08-010490 required private SSH - keys to have mode 0600. As a consequence, evaluation with DISA’s - automated STIG benchmark failed for configuration RHEL-08-010490. -

-
-

- For this update, we worked with DISA to align the expected permissions for private SSH keys, and now - private keys are expected to have mode 0644 or less permissive. As a - result, the rule file_permissions_sshd_private_key and configuration - RHEL-08-010490 are now aligned. -

-

- Bugzilla:2115343 -

-
-

The sudo_require_reauthentication SCAP - Security Guide rule accepts correct spacing in sudoers -

-

- Previously, a bug in the checking of the xccdf_org.ssgproject.content_rule_sudo_require_reauthentication rule - caused it to require specific spacing between the timestamp_timeout - key and its value in the /etc/sudoers file and the /etc/sudoers.d directory. Consequently, valid and compliant syntax - caused the rule to fail incorrectly. With this update, the check for xccdf_org.ssgproject.content_rule_sudo_require_reauthentication has - been updated to accept blank spaces around the equal sign. As a result, the rule accepts correct - and compliant definitions of timestamp_timeout with any of the - following spacing formats: -

-
-
-
    -
  • - Defaults timestamp_timeout = 5 -
  • -
  • - Defaults timestamp_timeout= 5 -
  • -
  • - Defaults timestamp_timeout =5 -
  • -
  • - Defaults timestamp_timeout=5 -
  • -
-
-

- Bugzilla:2152208 -

-
-

Old Kerberos rules changed to notapplicable in - new versions of RHEL

-

- Previously, some Kerberos-related rules failed while scanning against the DISA STIG profile on - RHEL 8.8 and later systems in FIPS mode, even though the system should have been compliant. This - was caused by the following rules: -

-
-
-
    -
  • - xccdf_org.ssgproject.content_rule_package_krb5-server_removed -
  • -
  • - xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed -
  • -
  • - xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab -
  • -
-
-

- This update makes these rules not applicable for RHEL versions 8.8 and later. As a result, the scan - correctly returns the notapplicable result for these rules. -

-

- Bugzilla:2099394 -

-
-

scap-security-guide STIG profiles no longer - require specific text in /etc/audit/rules.d/11-loginuid.rules

-

- Previously, the SCAP rule audit_immutable_login_uids used in RHEL 8 - profiles stig and stig_gui passed only - if file /etc/audit/rules.d/11-loginuid.rules contained exact text. - This is, however, not necessary to fulfill the STIG requirement (RHEL-08-030122). With this - update, the new rule audit_rules_immutable_login_uids replaces - audit_immutable_login_uids in RHEL 8 stig and stig_gui profiles. As a result, - you can now specify the --loginuid-immutable parameter that - fulfills the rule in any file with the .rules extension within the - /etc/audit/rules.d directory or in the /etc/audit/audit.rules file, depending on usage of auditctl or augen-rules. -

-
-

- Bugzilla:2151553 -

-
-

Rules for CIS profiles in scap-security-guide - are better aligned

-

- Previously, some rules were incorrectly assigned to certain Center for Internet Security (CIS) - profiles (cis, cis_server_l1, cis_workstation_1, and cis_workstation_l2). As a consequence, scanning according to some CIS - profiles could skip rules from the CIS benchmark or check for unnecessary rules. -

-
-

- The following rules were assigned to incorrect profiles: -

-
-
    -
  • - Rules kernel_module_udf_disabled, sudo_require_authentication and kernel_module_squashfs_disabled were incorrectly placed in CIS - Server Level 1 and CIS Workstation Level 1. -
  • -
  • - Rules package_libselinux_installed, grub2_enable_selinux, selinux_policytype, selinux_confinement_of_daemons, rsyslog_nolisten, service_systemd-journald_enabled were missing from CIS Server - Level 1 and CIS Workstation Level 1 profiles. -
  • -
  • - Rules package_setroubleshoot_removed and package_mcstrans_removed were missing from the CIS Server Level 1 - profile. -
  • -
-
-

- This update assigns the misaligned rules to the correct CIS profiles, but does not introduce new - rules or entirely removes any rules. As a result, SCAP CIS profiles are better aligned with the - original CIS benchmark. -

-

- Bugzilla:2162803 -

-
-

Clevis ignores commented devices in crypttab

-

- Previously, Clevis tried to unlock commented devices in the crypttab file, causing the clevis-luks-askpass service to run even if the device was not valid. - This caused unnecessary service runs and made it difficult to troubleshoot. -

-
-

- With this fix, Clevis ignores commented devices. Now, if an invalid device is commented, Clevis does - not attempt to unlock it and clevis-luks-askpass.service finishes - appropriately. This makes it easier to troubleshoot and reduces unnecessary service runs. -

-

- Bugzilla:2159440 -

-
-

Clevis no longer requests too much entropy from pwmake

-

- Previously, the pwmake password generation utility displayed - unwanted warnings when Clevis used pwmake to create passwords for - storing data in LUKS metadata, which caused Clevis to use lower - entropy. With this update, Clevis is limited to 256 entropy bits provided to pwmake, which eliminates an unwanted warning and uses the correct - amount of entropy. -

-
-

- Bugzilla:2159736 -

-
-

logrotate no longer incorrectly signals - Rsyslog in log rotation

-

- Previously, the argument order was incorrectly set in the logrotate - script, which caused a syntax error. This resulted in logrotate not - correctly signaling Rsyslog during log rotation. -

-
-

- With this update, the order of the arguments in logrotate is fixed and - logrotate signals Rsyslog correctly after log rotation even when the - POSIXLY_CORRECT environment variable is set. -

-

- Bugzilla:2070496 -

-
-

Rsyslog no longer crashes due to a bug in imklog

-

- Previously, Rsyslog could encounter a segmentation fault if the imklog module was enabled and a free() - call using an invalid object was freed during use. With this update, the freed object is - correctly deallocated at the correct place. As a result, the segmentation fault no longer - occurs. -

-
-

- Bugzilla:2157658 -

-
-

USBGuard no longer causes a confusing warning

-

- Previously, a race condition could happen in USBGuard when a parent process finished sooner than - the first child process. As a consequence, systemd reported that a - process was present with a wrongly identified parent PID (PPID). With this update, a parent - process waits for the first child process to finish in working mode. As a result, systemd no longer reports such warnings. -

-
-

- Bugzilla:2159409 -

-
-

The usbguard service file did not define OOMScore

-

- Previously, the usbguard service file did not define the OOMScoreAdjust option. Consequently, the process could be identified - as a candidate for killing before unprivileged processes when the system resources are closed to - running out. With this update, the new OOMScoreAdjust setting was - introduced to the usbguard.service file, to disable OOM killing - processes of the usbguard unit. -

-
-

- Bugzilla:2159411 -

-
-

USBGuard saves rules even if RuleFile is not defined

-

- Previously, if the RuleFile configuration directive in USBGuard was - set but RuleFolder was not, the rule set could not be changed. With - this update, you can now change the rule set even if RuleFolder is set but RuleFile is not. As a - result, you can modify the permanent policy in USBGuard to permanently save newly added rules. -

-
-

- Bugzilla:2159413 -

-
-
-
-
-
-

8.6. Networking

-
-
-
-
-

xdp-tools rebased to version 1.2.10

-

- The xdp-tools packages have been upgraded to upstream version - 1.2.10, which provides a number of bug fixes over the previous version. -

-
-

- Bugzilla:2160069 -

-
-

conntrackd functions properly even if HashSize and HashLimit are not set - manually

-

- Previously, the conntrackd service did not set default values for - the HashSize and HashLimit - configuration variables. Consequently, conntrackd could become - unstable or stop functioning entirely if you did not specify those values. The problem has been - fixed by making the configuration reader set the default values for HashSize and HashLimit before conntrackd parses the configuration file. As a result, conntrackd now functions correctly even if you do not specify the - values. -

-
-

- Bugzilla:2126736 -

-
-

The nm-cloud-setup service no longer removes - routes and manually-configured secondary IP addresses from interfaces

-

- Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Previously, - administrators had to disable nm-cloud-setup to manually configure - routes and secondary IP addresses on interfaces to avoid that the service removes them. This - update adds a flag to the Reapply() function to preserve externally - added addresses and routes. As a result, administrators no longer need to disable the nm-cloud-setup service in the mentioned scenario. -

-
-

- Bugzilla:2132754 -

-
-
-
-
-
-

8.7. Kernel

-
-
-
-
-

kpatch-patch works correctly on systems with - an idle isolated CPU

-

- Previously, when you attempted to install kpatch-patch CVE - mitigation packages on systems with the kernel CPU isolation feature, the kpatch-patch RPMs did install, but failed to load their CVE - mitigation kernel module. With this fix, the two features co-exist, and you can now successfully - deploy kpatch CVE fixes when CPU isolation is in place. -

-
-

- Bugzilla:2134931 -

-
-

Enabling VMD works again

-

- Previously, the operating system would fail to boot if Volume Management Device (VMD) was - enabled. This update provides numerous bug fixes essential for VMD to work as expected. -

-
-

- Bugzilla:2127028 -

-
-
-
-
-
-

8.8. File systems and storage

-
-
-
-
-

System works correctly without the soft lockup while starting a VDO - volume

-

- Due to fixing a Kernel Application Binary Interface (kABI) bug in the pv_mmu_ops structure, RHEL 8.7 systems with kernel version 4.18.0-425.10.1.el8_7, that is RHEL-8.7.0.2-BaseOS, hung or - encountered a kernel panic due to soft lockup while starting a Virtual Data Optimizer (VDO) - volume. -

-
-

- With this update, the kmod-kvdo package was rebuilt any time a new - kernel was available that is no longer kABI compatible with the current version of kmod-kvdo. As a result, the system works correctly while starting a VDO - volume. -

-

- Bugzilla:2119819 -

-
-

VDO driver bug no longer causing device freezes through journal - blocks

-

- Previously, a bug in the VDO driver caused the system to mark some journal blocks as waiting for - metadata updates. This problem was triggered when increasing the size of the VDO pool or the - logical volume on top of it, or when using the pvmove and lvchange operations on LVM tools managed VDO devices. The bug was - caused by incomplete resets that left some journal pages unavailable for use, and an incorrect - notion of how many slots in the recovery journal were available to be filled. As a result, the - device would freeze. -

-
-

- This issue has now been fixed with the latest version of the kernel modules for the virtual data - optimizer kmod-kvdo-6.2.8.1-87.el8. Currently, - all incomplete metadata blocks are saved in each section of the code in phases, while also updating - in-memory data structures and resetting state on resume if needed. With this fix, users should no - longer experience device freezes due to this issue. -

-

- Bugzilla:2109047 -

-
-
-
-
-
-

8.9. High availability and clusters

-
-
-
-
-

pcs no longer allows you to modify cluster - properties that should not be changed

-

- Previously, the pcs command line interface allowed you to modify - cluster properties that should not be changed or for which change does not take effect. With - this fix, pcs no longer allows you to modify these cluster - properties: cluster-infrastructure, cluster-name, dc-version, have-watchdog, and last-lrm-refresh. -

-
-

- Bugzilla:2112263 -

-
-

pcs now displays cluster properties that are - not explicitly configured

-

- Previously, a pcs command to display the value of a specific - cluster property did not list values that are not explicitly configured in the CIB. With this - fix, if a cluster property is not set pcs displays the default - value for the property. -

-
-

- Bugzilla:2112267 -

-
-

Cluster resources that call crm_mon now stop - cleanly at shutdown

-

- Previously, the crm_mon utility returned a nonzero exit status - while Pacemaker was in the process of shutting down. Resource agents that called crm_mon in their monitor action, such as ocf:heartbeat:pqsql, could incorrectly return a failure at cluster - shutdown. With this fix, crm_mon returns success even if the - cluster is in the process of shutting down. Resources that call crm_mon now stop cleanly at cluster shutdown. -

-
-

- Bugzilla:2133497 -

-
-

OCF resource agent metadata actions can now call crm_node without causing unexpected fencing

-

- As of RHEL 8.5, OCF resource agent metadata actions blocked the controller and crm_node queries performed controller requests. As a result, if an - agent’s metadata action called crm_node, it blocked the controller - for 30 seconds until the action timed out. This could cause other actions to fail and the node - to be fenced. -

-
-

- With this fix, the controller now performs metadata actions asynchronously. An OCF resource agent - metadata action can now call crm_node without issue. -

-

- Bugzilla:2121852 -

-
-

Enabling a single resource and monitoring operation no longer enables - monitoring operations for all resources in a resource group

-

- Previously, after unmanaging all resources and monitoring operations in a resource group, - managing one of the resources in that group along with its monitoring operation re-enabled the - monitoring operations for all resources in the resource group. This could trigger unexpected - cluster behavior. -

-
-

- With this fix, managing a resource and re-enabling its monitoring operation re-enables the - monitoring operation for that resource only and not for the other resources in a resource group. -

-

- Bugzilla:1918527 -

-
-

Pacemaker now rechecks resource assignments immediately when resource order - changes

-

- As of RHEL 8.7, Pacemaker did not recheck resource assignments when the order of resources in - the CIB changed with no changes to the resource definition. If configuration reordering would - cause resources to move, that would not take place until the next natural transition, up to the - value of cluster-recheck-interval-property. This could cause issues - if resource stickiness is not configured for a resource. -

-
-

- With this change, Pacemaker rechecks resource assignments when the order of the resources in the CIB - changes, as it did for earlier Pacemaker releases. The cluster now responds immediately to these - changes, if needed. -

-

- Bugzilla:2122806 -

-
-
-
-
-
-

8.10. Compilers and development tools

-
-
-
-
-

You can install SciPy using pip on all - architectures

-

- Previously, the openblas-devel package did not contain a pkg-config - file for the OpenBLAS library. As a consequence, in certain scenarios, it was impossible to - determine the compiler and linker flags using the pkgconf utility - while compiling with OpenBLAS. For example, this caused a failure of the pip install scipy command on the 64-bit IBM Z and IBM Power Systems, - Little Endian architectures. -

-
-

- This update adds the openblas.pc file to the openblas-devel package on all supported architectures. As a result, you - can install the SciPy library using the pip package installer. -

-

- Bugzilla:2115722 -

-
-

Functions in go no longer cause memory - leak

-

- Previously, the EVP_PKEY_sign_raw and EVP_PKEY_verify_raw functions did not call free to clean the memory. - Consequently, the memory leaked and has not been recovered. With this updated, the EVP_PKEY_sign_raw and EVP_PKEY_verify_raw functions now call free and memory is not - leaking. -

-
-

- Bugzilla:2132767 -

-
-

golang now supports 4096 bit keys in x509 FIPS - mode

-

- Previously, golang did not support the 4096 bit keys in x509 FIPS - mode. Consequently, when the user used 4096 bit keys the program crashed. With this update, - golang now supports 4096 bit keys in x509 FIPS mode. -

-
-

- Bugzilla:2132694 -

-
-

libffi can now probe for executable memory - with SELinux enabled

-

- By default, libffi does not probe for executable memory when - SELinux is enabled. As a consequence, programs which use libffi - closures and fork() without immediately executing some other - processes terminate unexpectedly when SELinux is enabled. With this update, libffi looks for a /etc/sysconfig/libffi-force-shared-memory-check-first file and, if it - exists, probes for executable memory regardless of if SELinux is enabled. As a result, programs - using libffi can safely fork() without - crashing with SELinux enabled. -

-
-

- Bugzilla:2014228 -

-
-

Implemented big endian support in OpenSSL - bindings for golang

-

- Previously, the OpenSSL bindings for golang did not have support for big-endian, leading to potential - issues with the conversion of BigInt values. As a result, the - crypto routines were unable to perform this conversion. To fix this issue, big-endian support - was implemented in the OpenSSL bindings for golang. As a result, conversions from BigInt are now successful, and the tests pass as expected. -

-
-

- Bugzilla:2132419 -

-
-
-
-
-
-

8.11. Identity Management

-
-
-
-
-

Authentication to external IdPs that require a client secret is now - possible

-

- Previously, SSSD did not properly pass client secrets to external identity providers (IdPs). - Consequently, authentication failed against external IdPs that you previously configured with - the ipa idp-add --secret command to require a client secret. With - this update, SSSD passes the client secret to the IdP and users can authenticate. -

-
-

- Jira:RHELPLAN-148303 -

-
-

IdM now supports setting hostmasks for sudo - rules using Ansible

-

- Previously, the ipa sudorule-add-host command allowed setting a - hostmask to be used by the sudo rule, but this option was not - present in the ansible-freeipa package. With this update, you can - now use the ansible-freeipa hostmask - variable to define a list of hostmasks to which a particular sudo - rule, defined in Identity Management (IdM), applies. -

-
-

- As a result, you can now automate setting host masks for IdM sudo rules - with Ansible. -

-

- Bugzilla:2127912 -

-
-

The scheduled time of the changelog compaction now works correctly -

-

- Previously, when you configured a custom scheduled time for the changelog compaction, the server - did not apply the new setting, and the changelog compaction could start during peak times. With - this release, the server now correctly applies the custom time of the changelog compaction. -

-
-

- Bugzilla:2130276 -

-
-

IdM clients correctly retrieve information for trusted AD users when their - names contain mixed case characters

-

- Previously, if you attempted a user lookup or authentication of a user, and that trusted Active - Directory (AD) user contained mixed case characters in their names and they were configured with - overrides in IdM, an error was returned preventing users from accessing IdM resources. -

-
-

- With the release of RHBA-2023:4525, a case-sensitive - comparison is replaced with a case-insensitive comparison that ignores the case of a character. As a - result, IdM clients can now lookup users of an AD trusted domain, even if their usernames contain - mixed case characters and they are configured with overrides in IdM. -

-

- Jira:SSSD-6096 -

-
-
-
-
-
-

8.12. Graphics infrastructure

-
-
-
-
-

Matrox G200e now works correctly with a VGA display

-

- Previously, your display might have shown no graphical output if you used the following system - configuration: -

-
-
-
    -
  • - The Matrox G200e GPU -
  • -
  • - A display connected over the VGA controller -
  • -
-
-

- As a consequence, you could not use or install RHEL on this configuration. -

-

- With this release, the problem has been fixed. As a result, RHEL boots and shows graphical output as - expected. -

-

- Bugzilla:2130159 -

-
-
-
-
-
-

8.13. The web console

-
-
-
-
-

The web console NBDE binding steps now work also on volume groups with a - root file system

-

- In RHEL 8.8.0, due to a bug in the code for determining whether or not the user was adding a - Tang key to the root file system, the binding process in the web console crashed when there was - no file system on the LUKS container at all. Because the web console displayed the error message - TypeError: Qe(…​) is undefined after you had clicked the Trust key button in the Verify key - dialog, you had to perform all the required steps in the command-line interface in the described - scenario. -

-
-

- With the release of the RHBA-2023:3829 advisory, the web - console correctly handles additions of Tang keys to root file systems. As a result, the web console - finishes all binding steps required for the automated unlocking of LUKS-encrypted volumes using - Network-Bound Disk Encryption (NBDE) in various scenarios. -

-

- Bugzilla:2212371 -

-
-
-
-
-
-

8.14. Red Hat Enterprise Linux system roles

-
-
-
-
-

The nbde_client system role now correctly - handles different names of clevis-luks-askpass

-

- The nbde_client system role has been updated to handle the systems - on which the clevis-luks-askpass systemd unit has a different name. The role now correctly works with - different names of clevis-luks-askpass on managed nodes, which - requires unlocking also LUKS-encrypted volumes that mount late in the boot process. -

-
-

- Bugzilla:2126960 -

-
-

The ha_cluster system role logs no longer - display unencrypted passwords and secrets

-

- The ha_cluster system role accepts parameters that can be passwords - or other secrets. Previously, some of the tasks would log their inputs and outputs. As a result, - the role logs could contain unencrypted passwords and other secrets. -

-
-

- With this update, the tasks have been changed to use the Ansible no_log: true directive and the task output is no longer displayed in the - role logs. The ha_cluster system role logs no longer contain passwords - and other secrets. While this update protects secure information, the role logs now provide less - information that you can use when debugging your configuration. -

-

- Bugzilla:2127497 -

-
-

Clusters configured with ha_cluster system - role to use SBD and not start on boot now work correctly

-

- Previously, if a user configured a cluster using the ha_cluster - system role to use SBD and not start on boot, then the SBD service was disabled and SBD did not - start. With this fix, the SBD service is always enabled if a cluster is set to use SBD whether - or not the cluster is configured to start on boot. -

-
-

- Bugzilla:2153081 -

-
-

Setting stonith-watchdog-timeout property with - the ha_cluster system role now works in a stopped - cluster

-

- Previously, when you set the stonith-watchdog-timeout property with - the ha_cluster system role in a stopped cluster, the property - reverted to its previous value and the role failed. With this fix, configuring the stonith-watchdog-timeout property by using the ha_cluster system role works properly. -

-
-

- Bugzilla:2167941 -

-
-

Enabling implicit files provider to fix rhel-system-roles SSSD configuration

-

- A disabled SSSD implicit files provider caused the rhel-system-roles modules to create an invalid System Security - Services Daemon (SSSD) configuration. This update unconditionally enables the files provider and - as a result, the SSSD configuration created by rhel-system-roles - now works as expected. -

-
-

- Bugzilla:2153080 -

-
-

Network traffic is now directed through the intended network interface when - using initscripts with the networking RHEL system role

-

- Previously, when using the initscripts provider, the routing - configuration for network connections did not specify the output device that the traffic should - go through. Consequently, the kernel could use a different output device than the user intended. - Now, if the network interface name is specified in the playbook for the connection, it is used - as the output device in the route configuration file. This aligns the behavior with - NetworkManager, which configures the output device in routes when activating profiles on - devices. As a result, the users can ensure that the traffic is directed through the intended - network interface. -

-
-

- Bugzilla:2168733 -

-
-

The nbde_client_clevis role no longer reports - traceback to users

-

- Previously, the nbde_client_clevis role sometimes failed in - exception, causing a traceback and reporting sensitive data, such as the encryption_password field, back to the user. With this update, the - role no longer reports sensitive data, only the appropriate error messages. -

-
-

- Bugzilla:2162782 -

-
-
-
-
-
-

8.15. Virtualization

-
-
-
-
-

System time on nested VMs now works reliably

-

- Previously, system time on nested virtual machines (VMs) in some cases desynchronised from the - Level 0 and level 1 hosts. This also sometimes caused the nested VM to become unresponsive or - terminate unexpectedly. -

-
-

- With this update, the time handling code in the KVM host kernel code has been fixed, which prevents - the described errors from occurring. -

-

- Bugzilla:2151854 -

-
-

Network traffic performance in virtual machines is no longer - reduced

-

- Previously, RHEL virtual machines had, in some cases, decreased performance when handling high - levels of network traffic. The underlying code has been fixed and the network traffic - performance is not affected anymore. -

-
-

- Bugzilla:2069047 -

-
-

Virtual machines using memfd run as - expected

-

- Previously, virtual machines (VMs) running on the 64-bit IBM Z processor architecture that used - memfd to back memory with hugepages failed to run. With this - update, the problem has been fixed and VMs using memfd can now be - defined on the 64-bit IBM Z processor architecture. As a result, you can now run VMs which use - memfd to back the memory with hugepages. -

-
-

- Bugzilla:2117149 -

-
-

System time in VMs now synchronizes correctly with the host

-

- Previously, the KVM module performed the real-time clock (RTC) synchronization less frequently - than intended. As a consequence, the system time in VMs hosted on RHEL 8 sometimes did not - correctly reflect the system time on the host. This update fixes the RTC scheduling in KVM, - which prevents the described problem from occurring. -

-
-

- Bugzilla:2135417 -

-
-
-
-
-
-
-

Chapter 9. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.8. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

9.1. Infrastructure services

-
-
-
-
-

Socket API for TuneD available as a Technology Preview

-

- The socket API for controlling TuneD through Unix domain socket is now available as a Technology - Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative - communication method for cases where D-Bus is not available. By using the socket API, you can - control the TuneD daemon to optimize the performance, and change the values of various tuning - parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file. -

-
-

- Bugzilla:2113900 -

-
-
-
-
-
-

9.2. Networking

-
-
-
-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It - accompanies XDP and grants efficient redirection of - programmatically selected packets to user space applications for further processing. -

-
-

- Bugzilla:1633143 -

-
-

XDP features that are available as Technology Preview

-

- Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported - Technology Preview: -

-
-
-
    -
  • - Loading XDP programs on architectures other than AMD and Intel 64-bit. Note that the libxdp library is not available for architectures other than AMD - and Intel 64-bit. -
  • -
  • - The XDP hardware offloading. -
  • -
-
-

- Bugzilla:1889737 -

-
-

Multi-protocol Label Switching for TC available as a Technology - Preview

-

- The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route - traffic flow across enterprise networks. In an MPLS network, the router that receives packets - decides the further route of the packets based on the labels attached to the packet. With the - usage of labels, the MPLS network has the ability to handle packets with particular - characteristics. For example, you can add tc filters for managing - packets received from specific ports or carrying specific types of traffic, in a consistent way. -

-
-

- After packets enter the enterprise network, MPLS routers perform multiple operations on the packets, - such as push to add a label, swap to - update a label, and pop to remove a label. MPLS allows defining actions - locally based on one or multiple labels in RHEL. You can configure routers and set traffic control - (tc) filters to take appropriate actions on the packets based on the - MPLS label stack entry (lse) elements, such as label, traffic class, bottom of stack, and time to live. -

-

- For example, the following command adds a filter to the enp0s1 network interface to match incoming packets having the - first label 12323 and the second label 45832. On matching packets, the following actions are taken: -

-
-
    -
  • - the first MPLS TTL is decremented (packet is dropped if TTL reaches 0) -
  • -
  • - the first MPLS label is changed to 549386 -
  • -
  • -

    - the resulting packet is transmitted over enp0s2, - with destination MAC address 00:00:5E:00:53:01 - and source MAC address 00:00:5E:00:53:02 -

    -
    # tc filter add dev enp0s1 ingress protocol mpls_uc flower mpls lse depth 1 label 12323 lse depth 2 label 45832 \
    -action mpls dec_ttl pipe \
    -action mpls modify label 549386 pipe \
    -action pedit ex munge eth dst set 00:00:5E:00:53:01 pipe \
    -action pedit ex munge eth src set 00:00:5E:00:53:02 pipe \
    -action mirred egress redirect dev enp0s2
    -
  • -
-
-

- Bugzilla:1814836, Bugzilla:1856415 -

-
-

act_mpls module available as a Technology - Preview

-

- The act_mpls module is now available in the kernel-modules-extra rpm as a Technology Preview. The module allows - the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control (TC) - filters, for example, push and pop MPLS label stack entries with TC filters. The module also - allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set - independently. -

-
-

- Bugzilla:1839311 -

-
-

The systemd-resolved service is now available - as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, a Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- Bugzilla:1906489 -

-
-

KTLS available as a Technology Preview

-

- RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS - records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM - cipher. KTLS also includes the interface for offloading TLS record encryption to Network - Interface Controllers (NICs) that provides this functionality. -

-
-

- Bugzilla:1570255 -

-
-
-
-
-
-

9.3. Kernel

-
-
-
-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol that - implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which maintains - two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL - 8. -

-
-

- Bugzilla:1605216 -

-
-

eBPF available as a - Technology Preview

-

- Extended Berkeley Packet Filter (eBPF) is an - in-kernel virtual machine that allows code execution in the kernel space, in the restricted - sandbox environment with access to a limited set of functions. -

-
-

- The virtual machine includes a new system call bpf(), which enables - creating various types of maps, and also allows to load programs in a special assembly-like code. - The code is then loaded to the kernel and translated to the native machine code with just-in-time - compilation. Note that the bpf() syscall can be successfully used only - by a user with the CAP_SYS_ADMIN capability, such as the root user. See - the bpf(2) manual page for more information. -

-

- The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet - reception) to receive and process data. -

-

- There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a - different development phase. All components are available as a Technology Preview, unless a specific - component is indicated as supported. -

-

- The following notable eBPF components are - currently available as a Technology Preview: -

-
-
    -
  • - AF_XDP, a socket for connecting the eXpress Data Path (XDP) path to user space - for applications that prioritize packet processing performance. -
  • -
-
-

- Bugzilla:1559616 -

-
-

The kexec fast reboot feature is available as - a Technology Preview

-

- The kexec fast reboot feature continues to be available as a - Technology Preview. The kexec fast reboot significantly speeds the - boot process as you can boot directly into the second kernel without passing through the Basic - Input/Output System (BIOS) or firmware first. To use this feature: -

-
-
-
    -
  1. - Load the kexec kernel manually. -
  2. -
  3. - Reboot for changes to take effect. -
  4. -
-
-

- Note that the kexec fast reboot capability is available with a limited - scope of support on RHEL 9 and later releases. -

-

- Bugzilla:1769727 -

-
-

The Intel data streaming accelerator driver for kernel is available as a - Technology Preview

-

- The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a - Technology Preview. It is an Intel CPU integrated accelerator and includes a shared work queue - with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- Bugzilla:1837187 -

-
-

The accel-config package available as a - Technology Preview

-

- The accel-config package is now available on Intel EM64T and AMD64 architectures as a - Technology Preview. This package helps in controlling and configuring data-streaming accelerator - (DSA) sub-system in the Linux Kernel. Also, it configures devices through sysfs (pseudo-filesystem), saves and loads the configuration in the - json format. -

-
-

- Bugzilla:1843266 -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using - the Flexible Launch Control mechanism to use - the SGX technology. Version 2 adds Enclave Dynamic Memory - Management (EDMM). Notable features include: -

-
-
-
    -
  • - Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave. -
  • -
  • - Dynamic addition of regular enclave pages to an initialized enclave. -
  • -
  • - Expanding an initialized enclave to accommodate more threads. -
  • -
  • - Removing regular and TCS pages from an initialized enclave. -
  • -
-
-

- Bugzilla:1660337 -

-
-
-
-
-
-

9.4. File systems and storage

-
-
-
-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8, the file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address space. To - use DAX, a system must have some form of persistent memory available, usually in the form of one - or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that provides the - capability of DAX must be created on the NVDIMM(s). Also, the file system must be mounted with - the dax mount option. Then, a mmap of - a file on the dax-mounted file system results in a direct mapping of storage into the - application’s address space. -

-
-

- Bugzilla:1627455 -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top of - another. Changes are recorded in the upper file system, while the lower file system remains - unmodified. This allows multiple users to share a file-system image, such as a container or a - DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings - when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other specialized - use cases, such as squashed kdump initramfs. Its use is - supported primarily for container COW content, not for persistent storage. You must place - any persistent storage on non-OverlayFS volumes. You can use only the default container - engine configuration: one level of overlay, one lowerdir, and both lower and upper levels - are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might change - in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped with - MAP_SHARED are inconsistent with subsequent - modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on RHEL - 8, but you can enable full POSIX compliance for them with a module option or - mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and index=on options to improve POSIX compliance. - These two options make the format of the upper layer incompatible with an - overlay without these options. That is, you might get unexpected results or - errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, use - the following command and see if the ftype=1 option is - enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel - documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- Bugzilla:1690207 -

-
-

Stratis is now available as a Technology Preview

-

- Stratis is a new local storage manager, which provides managed file systems on top of pools of - storage with additional features. It is provided as a Technology Preview. -

-
-

- With Stratis, you can perform the following storage tasks: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. For more - information, see the Setting - up Stratis file systems documentation. -

-

- RHEL 8.5 updated Stratis to version 2.4.2. For more information, see the Stratis 2.4.2 Release - Notes. -

-

- Jira:RHELPLAN-1212 -

-
-

NVMe/TCP host is available as a Technology Preview

-

- Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) - and its corresponding nvme_tcp.ko kernel module has been added as a - Technology Preview. The use of NVMe/TCP as a host is manageable with tools provided by the nvme-cli package. The NVMe/TCP host Technology Preview is included - only for testing purposes and is not currently planned for full support. -

-
-

- Bugzilla:1696451 -

-
-

Setting up a Samba server on an IdM domain member is provided as a - Technology Preview

-

- With this update, you can now set up a Samba server on an Identity Management (IdM) domain - member. The new ipa-client-samba utility provided by the same-named - package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For - example, the utility creates the /etc/samba/smb.conf with the ID - mapping configuration for the sss ID mapping back end. As a result, - administrators can now set up Samba on an IdM domain member. -

-
-

- Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts - cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support - resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) - protocols. As a consequence, AD users can only access the Samba shares and printers from IdM - clients. -

-

- For details, see Setting - up Samba on an IdM domain member. -

-

- Jira:RHELPLAN-13195 -

-
-
-
-
-
-

9.5. High availability and clusters

-
-
-
-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on Podman, with the container bundle feature being available - as a Technology Preview. There is one exception to this feature being Technology Preview: Red - Hat fully supports the use of Pacemaker bundles for Red Hat OpenStack. -

-
-

- Bugzilla:1619620 -

-
-

Heuristics in corosync-qdevice available as a - Technology Preview

-

- Heuristics are a set of commands executed locally on startup, cluster membership change, - successful connect to corosync-qnetd, and, optionally, on a - periodic basis. When all commands finish successfully on time (their return error code is zero), - heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which - partition should be quorate. -

-
-

- Bugzilla:1784200 -

-
-

New fence-agents-heuristics-ping fence - agent

-

- As a Technology Preview, Pacemaker now provides the fence_heuristics_ping agent. This agent aims to open a class of - experimental fence agents that do no actual fencing by themselves but instead exploit the - behavior of fencing levels in a new way. -

-
-

- If the heuristics agent is configured on the same fencing level as the fence agent that does the - actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the - agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to - succeed, causing Pacemaker fencing to skip the step of issuing the off - action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent - the agent that does the actual fencing from fencing a node under certain conditions. -

-

- A user might want to use this agent, especially in a two-node cluster, when it would not make sense - for a node to fence the peer if it can know beforehand that it would not be able to take over the - services properly. For example, it might not make sense for a node to take over services if it has - problems reaching the networking uplink, making the services unreachable to clients, a situation - which a ping to a router might detect in that case. -

-

- Bugzilla:1775847 -

-
-
-
-
-
-

9.6. Identity Management

-
-
-
-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- Bugzilla:1664719 -

-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

- -

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- Bugzilla:1664718 -

-
-

ACME available as a Technology Preview

-

- The Automated Certificate Management Environment (ACME) service is now available in Identity - Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation - and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and - avoiding manual processes from certificate lifecycle management. -

-
-

- In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS - ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM - deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity - period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire - IdM deployment. -

-
-
Important
-
-

- It is recommended to enable ACME only in an IdM deployment where all servers are running - RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause - problems in mixed-version deployments. For example, a CA server without ACME can cause - client connections to fail, because it uses a different DNS Subject Alternative Name (SAN). -

-
-
-
-
Warning
-
-

- Currently, RHCS does not remove expired certificates. Because ACME certificates expire after - 90 days, the expired certificates can accumulate and this can affect performance. -

-
-
-
-
    -
  • -

    - To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command: -

    -
    # ipa-acme-manage enable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command: -

    -
    # ipa-acme-manage disable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To check whether the ACME service is installed and if it is enabled or disabled, use the - ipa-acme-manage status command: -

    -
    # ipa-acme-manage status
    -ACME is enabled
    -The ipa-acme-manage command was successful
    -
  • -
-
-

- Bugzilla:1628987 -

-
-

sssd-idp sub-package available as a Technology Preview

-

- The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which - are client-side components that perform OAuth2 authentication against Identity Management (IdM) - servers. This feature is available only with IdM servers on RHEL 8.7 and later. -

-
-

- Bugzilla:2065692 -

-
-

SSSD internal krb5 idp plugin available as a Technology Preview -

-

- The SSSD krb5 idp plugin allows you to authenticate against an - external identity provider (IdP) using the OAuth2 protocol. This feature is available only with - IdM servers on RHEL 8.7 and later. -

-
-

- Bugzilla:2056483 -

-
-

RHEL IdM allows delegating user authentication to external identity - providers as a Technology Preview

-

- As a Technology Preview in RHEL IdM, you can now associate users with external identity - providers (IdP) that support the OAuth 2 device authorization flow. When these users - authenticate with the SSSD version available in RHEL 8.7 or later, they receive RHEL IdM single - sign-on capabilities with Kerberos tickets after performing authentication and authorization at - the external IdP. -

-
-

- Notable features include: -

-
-
    -
  • - Adding, modifying, and deleting references to external IdPs with ipa idp-* commands -
  • -
  • - Enabling IdP authentication for users with the ipa user-mod --user-auth-type=idp command -
  • -
-
-

- For additional information, see Using - external identity providers to authenticate to IdM. -

-

- Bugzilla:2101770 -

-
-
-
-
-
-

9.7. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology - Preview. -

-
-

- You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can - manage the server using graphical applications. -

-

- A limited set of graphical applications is available on 64-bit ARM. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- Jira:RHELPLAN-27394, Bugzilla:1667225, Bugzilla:1724302, - Bugzilla:1667516 -

-
-

GNOME for the IBM Z architecture available as a Technology Preview -

-

- The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview. -

-
-

- You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage - the server using graphical applications. -

-

- A limited set of graphical applications is available on IBM Z. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- Jira:RHELPLAN-27737 -

-
-
-
-
-
-

9.8. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available - as a Technology Preview. Note that the rest of the graphics stack is currently unverified for - the 64-bit ARM architecture. -

-
-

- Bugzilla:1698565 -

-
-

Intel Arc A-Series graphics available as a Technology Preview

-

- Intel Arc A-Series graphics, also known as Alchemist or DG2, are now available as a Technology - Preview. -

-
-

- To enable hardware acceleration with Intel Arc A-Series graphics, add the following option on the - kernel command line: -

-
i915.force_probe=pci-id
-

- In this option, replace pci-id - with either of the following: -

-
-
    -
  • - The PCI ID of your Intel GPU. -
  • -
  • - The * character to enable the i915 driver with all - alpha-quality hardware. -
  • -
-
-

- Bugzilla:2041686 -

-
-
-
-
-
-

9.9. Virtualization

-
-
-
-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines -

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a - Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel and AMD systems. In addition, nested - virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the following - Microsoft documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- Bugzilla:1519039 -

-
-

AMD SEV and SEV-ES for KVM virtual machines

-

- As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts the VM’s memory to protect the VM from access by the host. This increases the security - of the VM. -

-
-

- In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology - Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host - from modifying the VM’s CPU registers or reading any information from them. -

-

- Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. - Also note that RHEL 8 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security - attestation. -

-

- Bugzilla:1501618, Bugzilla:1501607, Jira:RHELPLAN-7677 -

-
-

Intel vGPU

-

- As a Technology Preview, it is now possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. -

-

- In addition, it is possible to enable a VNC console operated by Intel vGPU. By enabling it, users - can connect to a VNC console of the VM and see the VM’s desktop hosted by Intel vGPU. However, this - currently only works for RHEL guest operating systems. -

-

- Bugzilla:1528684 -

-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on Intel, AMD64, IBM POWER, and IBM Z systems hosts with RHEL 8. With this feature, a - RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its - own VMs. -

-
-

- Jira:RHELPLAN-14047, Jira:RHELPLAN-24437 -

-
-

Technology Preview: Select Intel network adapters now provide SR-IOV in - RHEL guests on Hyper-V

-

- As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V - hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network - adapters that are supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions - are met: -

-
-
-
    -
  • - SR-IOV support is enabled for the network interface controller (NIC) -
  • -
  • - SR-IOV support is enabled for the virtual NIC -
  • -
  • - SR-IOV support is enabled for the virtual switch -
  • -
  • - The virtual function (VF) from the NIC is attached to the virtual machine -
  • -
-
-

- The feature is currently provided with Microsoft Windows Server 2016 and later. -

-

- Bugzilla:1348508 -

-
-

Intel TDX in RHEL guests

-

- As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL - 8.8 guest operating systems. If the host system supports TDX, you can deploy hardware-isolated - RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently - does not work with kdump, and enabling TDX will cause kdump to fail on the VM. -

-
-

- Bugzilla:1836977 -

-
-

Sharing files between hosts and VMs using virtiofs

-

- As a Technology Preview, RHEL 8 now provides the virtio file system (virtiofs). Using virtiofs, you can - efficiently share files between your host system and its virtual machines (VM). -

-
-

- Bugzilla:1741615 -

-
-
-
-
-
-

9.10. RHEL in cloud environments

-
-
-
-
-

RHEL confidential VMs are now available on Azure as a Technology - Preview

-

- With the updated RHEL kernel, you can now create and run confidential virtual machines (VMs) on - Microsoft Azure as a Technology Preview. However, it is not yet possible to encrypt RHEL - confidential VM images during boot on Azure. -

-
-

- Jira:RHELPLAN-122316 -

-
-
-
-
-
-

9.11. Containers

-
-
-
-
-

Clients for sigstore signatures with Fulcio and Rekor are now available as - a Technology Preview

-

- With Fulcio and Rekor servers, you can now create signatures by using short-term certificates - based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private - key. Clients for sigstore signatures with Fulcio and Rekor are now available as a Technology - Preview. This added functionality is the client side support only, and does not include either - the Fulcio or Rekor servers. -

-
-

- Add the fulcio section in the policy.json - file. To sign container images, use the podman push --sign-by-sigstore=file.yml or skopeo copy --sign-by-sigstore=file.yml - commands, where file.yml is the - sigstore signing parameter file. -

-

- To verify signatures, add the fulcio section and the rekorPublicKeyPath or rekorPublicKeyData - fields in the policy.json file. For more information, see containers-policy.json man page. -

-

- Jira:RHELPLAN-136610 -

-
-

Quadlet in Podman is now available as a Technology Preview

-

- Beginning with Podman v4.4, you can use Quadlet to automatically generate a systemd service file from the container description as a Technology - Preview. The container description is in the systemd unit file - format. The description focuses on the relevant container details and hides the technical - complexity of running containers under systemd. The Quadlets are - easier to write and maintain than the systemd unit files. -

-
-

- For more details, see the upstream - documentation and Make - systemd better for Podman with Quadlet. -

-

- Jira:RHELPLAN-148394 -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- Jira:RHELDOCS-16861 -

-
-
-
-
-
-
-

Chapter 10. Deprecated functionality

-
-
-
-

- This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8. -

-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

10.1. Installer and image creation

-
-
-
-
-

Several Kickstart commands and options have been deprecated

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in the - logs: -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still available - and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- Bugzilla:1642765 -

-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you modify - your Kickstart file to remove the option. -

-
-

- Bugzilla:1637872 -

-
-

The Kickstart autostep command has been - deprecated

-

- The autostep command has been deprecated. The related section about - this command has been removed from the RHEL - 8 documentation. -

-
-

- Bugzilla:1904251 -

-
-
-
-
-
-

10.2. Subscription management

-
-
-
-
-

The --token option of the subscription-manager command is deprecated

-

- The --token=<TOKEN> option of the subscription-manager register command is an authentication method - that helps register your system to Red Hat. This option depends on capabilities offered by the - entitlement server. The default entitlement server, subscription.rhsm.redhat.com, is planning to turn off this - capability. As a consequence, attempting to use subscription-manager register --token=<TOKEN> might fail with - the following error message: -

-
-
Token authentication not supported by the entitlement server
-

- You can continue registering your system using other authorization methods, such as including paired - options --username / --password and --org / --activationkey of the subscription-manager register command. -

-

- Bugzilla:2170082 -

-
-
-
-
-
-

10.3. Software management

-
-
-
-
-

rpmbuild --sign is deprecated

-

- The rpmbuild --sign command is deprecated since RHEL 8.1. Using - this command in future releases of Red Hat Enterprise Linux can result in an error. It is - recommended that you use the rpmsign command instead. -

-
-

- Bugzilla:1688849 -

-
-
-
-
-
-

10.4. Shells and command-line tools

-
-
-
-
-

The OpenEXR component has been - deprecated

-

- The OpenEXR component has been deprecated. Hence, the support for - the EXR image format has been dropped from the imagecodecs module. -

-
-

- Bugzilla:1886310 -

-
-

The dump utility from the dump package has been deprecated

-

- The dump utility used for backup of file systems has been - deprecated and will not be available in RHEL 9. -

-
-

- In RHEL 9, Red Hat recommends using the tar, dd, or bacula, backup utility, based on type - of usage, which provides full and safe backups on ext2, ext3, and ext4 file systems. -

-

- Note that the restore utility from the dump package remains available and supported in RHEL 9 and is available - as the restore package. -

-

- Bugzilla:1997366 -

-
-

The hidepid=n mount option is not supported in - RHEL 8 systemd

-

- The mount option hidepid=n, which controls who can access - information in /proc/[pid] directories, is not compatible with - systemd infrastructure provided in RHEL 8. -

-
-

- In addition, using this option might cause certain services started by systemd to produce SELinux AVC denial messages and prevent other - operations from completing. -

-

- For more information, see the related Knowledgebase solution Is mounting /proc with "hidepid=2" - recommended with RHEL7 and RHEL8?. -

-

- Bugzilla:2038929 -

-
-

The /usr/lib/udev/rename_device utility has - been deprecated

-

- The udev helper utility /usr/lib/udev/rename_device for renaming network interfaces has been - deprecated. -

-
-

- Bugzilla:1875485 -

-
-

The ABRT tool has been deprecated

-

- The Automatic Bug Reporting Tool (ABRT) for detecting and reporting application crashes has been - deprecated in RHEL 8. As a replacement, use the systemd-coredump - tool to log and store core dumps, which are automatically generated files after a program - crashes. -

-
-

- Bugzilla:2055826 -

-
-

The ReaR crontab has been deprecated

-

- The /etc/cron.d/rear crontab from the rear package has been deprecated in RHEL 8 and will not be available - in RHEL 9. The crontab checks every night whether the disk layout has changed, and runs rear mkrescue command if a change happened. -

-
-

- If you require this functionality, after an upgrade to RHEL 9, configure periodic runs of ReaR - manually. -

-

- Bugzilla:2083301 -

-
-

The SQLite database backend in Bacula has been deprecated

-

- The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. - The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. - As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the - SQLite backend in new deployments. -

-
-

- Bugzilla:2089399 -

-
-

The raw command has been deprecated -

-

- The raw (/usr/bin/raw) command has - been deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in - an error. -

-
-

- Jira:RHELPLAN-133171 -

-
-
-
-
-
-

10.5. Security

-
-
-
-
-

NSS SEED ciphers are deprecated

-

- The Mozilla Network Security Services (NSS) library will not - support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth - transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends - enabling support for other cipher suites. -

-
-

- Note that SEED ciphers are already disabled by default in RHEL. -

-

- Bugzilla:1817533 -

-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal - and the update-crypto-policies(8) man page. -

-

- Bugzilla:1660839 -

-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. - Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note - that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- Bugzilla:1646541 -

-
-

fapolicyd.rules is deprecated

-

- The /etc/fapolicyd/rules.d/ directory for files containing allow - and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility. -

-
-

- Bugzilla:2054741 -

-
-

SSL2 Client Hello - has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and earlier - allow to start a negotiation with a Client Hello message formatted - in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature - may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- Bugzilla:1645153 -

-
-

Runtime disabling SELinux using /etc/selinux/config is now deprecated

-

- Runtime disabling SELinux using the SELINUX=disabled option in the - /etc/selinux/config file has been deprecated. In RHEL 9, when you - disable SELinux only through /etc/selinux/config, the system starts - with SELinux enabled but with no policy loaded. -

-
-

- If your scenario really requires to completely disable SELinux, Red Hat recommends disabling SELinux - by adding the selinux=0 parameter to the kernel command line as - described in the Changing - SELinux modes at boot time section of the Using - SELinux title. -

-

- Bugzilla:1932222 -

-
-

The ipa SELinux module removed from selinux-policy

-

- The ipa SELinux module has been removed from the selinux-policy package because it is no longer maintained. The - functionality is now included in the ipa-selinux subpackage. -

-
-

- If your scenario requires the use of types or interfaces from the ipa - module in a local SELinux policy, install the ipa-selinux package. -

-

- Bugzilla:1461914 -

-
-

TPM 1.2 is deprecated

-

- The Trusted Platform Module (TPM) secure cryptoprocessor standard was updated to version 2.0 in - 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with - the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major - release. -

-
-

- Bugzilla:1657927 -

-
-

crypto-policies derived properties are now - deprecated

-

- With the introduction of scopes for crypto-policies directives in - custom policies, the following derived properties have been deprecated: tls_cipher, ssh_cipher, ssh_group, ike_protocol, and sha1_in_dnssec. Additionally, the use of the protocol property without specifying a scope is now deprecated as - well. See the crypto-policies(7) man page for recommended - replacements. -

-
-

- Bugzilla:2011208 -

-
-
-
-
-
-

10.6. Networking

-
-
-
-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by - default. The basic installation provides a new version of the ifup - and ifdown scripts which call the NetworkManager service through - the nmcli tool. In Red Hat Enterprise Linux - 8, to run the ifup and the ifdown - scripts, NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts - are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
# yum install network-scripts
-

- The ifup and ifdown scripts link to the - installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- Bugzilla:1647725 -

-
-

The dropwatch tool is deprecated

-

- The dropwatch tool has been deprecated. The tool will not be - supported in future releases, thus it is not recommended for new deployments. As a replacement - of this package, Red Hat recommends to use the perf - command line tool. -

-
-

- For more information on using the perf command line tool, - see the Getting - started with Perf section on the Red Hat customer portal or the perf man page. -

-

- Bugzilla:1929173 -

-
-

The xinetd service has been - deprecated

-

- The xinetd service has been deprecated and will be removed in RHEL - 9. As a replacement, use systemd. For further details, see How to convert xinetd - service to systemd. -

-
-

- Bugzilla:2009113 -

-
-

The cgdcbxd package is deprecated

-

- Control group data center bridging exchange daemon (cgdcbxd) is a - service to monitor data center bridging (DCB) netlink events and manage the net_prio control group subsystem. Starting with RHEL 8.5, the cgdcbxd package is deprecated and will be removed in the next major - RHEL release. -

-
-

- Bugzilla:2006665 -

-
-

The WEP Wi-Fi connection method is deprecated

-

- The insecure wired equivalent privacy (WEP) Wi-Fi connection method is deprecated in RHEL 8 and - will be removed in RHEL 9.0. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 - (WPA3) or WPA2 connection methods. -

-
-

- Bugzilla:2029338 -

-
-

The unsupported xt_u32 module is now - deprecated

-

- Using the unsupported xt_u32 module, users of iptables can match arbitrary 32 bits in the packet header or payload. - Since RHEL 8.6, the xt_u32 module is deprecated and will be removed - in RHEL 9. -

-
-

- If you use xt_u32, migrate to the nftables - packet filtering framework. For example, first change your firewall to use iptables with native matches to incrementally replace individual rules, - and later use the iptables-translate and accompanying utilities to - migrate to nftables. If no native match exists in nftables, use the raw payload matching feature of nftables. For details, see the raw payload expression section in the nft(8) - man page. -

-

- Bugzilla:2061288 -

-
-

The term slaves is deprecated in the nmstate API

-

- Red Hat is committed to using conscious language. Therefore the slaves term is deprecated in the Nmstate API. Use the term port when you use nmstatectl. -

-
-

- (Jira:RHELDOCS-17641) -

-
-
-
-
-
-

10.7. Kernel

-
-
-
-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is - a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is - available as an unsupported Technology Preview. However, due to stability issues, this feature - has been deprecated and will be removed in RHEL 9. -

-
-

- Bugzilla:1878207 -

-
-

The Linux firewire sub-system and its - associated user-space components are deprecated in RHEL 8

-

- The firewire sub-system provides interfaces to use and maintain any - resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer - be supported in the kernel package. Note that firewire contains several user-space components provided by the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as - well. -

-
-

- Bugzilla:1871863 -

-
-

Installing RHEL for Real Time 8 using diskless boot is now - deprecated

-

- Diskless booting allows multiple systems to share a root file system through the network. While - convenient, diskless boot is prone to introducing network latency in real-time workloads. With a - future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be - supported. -

-
-

- Bugzilla:1748980 -

-
-

Kernel live patching now covers all RHEL minor releases

-

- Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of - RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important - Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently - covered kernels and use cases, the support window for each live patch has been decreased from 12 - to 6 months for every minor, major, and zStream version of the kernel. It means that on the day - a kernel live patch is released, it will cover every minor release and scheduled errata kernel - delivered in the past 6 months. -

-
-

- For more information about this feature, see Applying - patches with kernel live patching. -

-

- For details about available kernel live patches, see Kernel Live Patch life cycles. -

-

- Bugzilla:1958250 -

-
-

The crash-ptdump-command package is - deprecated

-

- The crash-ptdump-command package, which is a ptdump extension module for the crash utility, is deprecated and - might not be available in future RHEL releases. The ptdump command - fails to retrieve the log buffer when working in the Single Range Output mode and only works in - the Table of Physical Addresses (ToPA) mode. crash-ptdump-command - is currently not maintained upstream -

-
-

- Bugzilla:1838927 -

-
-
-
-
-
-

10.8. Boot loader

-
-
-
-
-

The kernelopts environment variable has been - deprecated

-

- In RHEL 8, the kernel command-line parameters for systems using the GRUB bootloader were defined - in the kernelopts environment variable. The variable was stored in - the /boot/grub2/grubenv file for each kernel boot entry. However, - storing the kernel command-line parameters using kernelopts was not - robust. Therefore, with a future major update of RHEL, kernelopts - will be removed and the kernel command-line parameters will be stored in the Boot Loader - Specification (BLS) snippet instead. -

-
-

- Bugzilla:2060759 -

-
-
-
-
-
-

10.9. File systems and storage

-
-
-
-
-

The elevator kernel command line parameter is - deprecated

-

- The elevator kernel command line parameter was used in earlier RHEL - releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is typically - the optimal setting. If you require a different scheduler, Red Hat recommends that you use udev rules or the TuneD service to configure it. Match the selected - devices and switch the scheduler only for those devices. -

-

- For more information, see Setting - the disk scheduler. -

-

- Bugzilla:1665295 -

-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. - This change affects only NFS version 3 because version 4 requires the Transmission Control - Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- Bugzilla:1592011 -

-
-

peripety is deprecated

-

- The peripety package is deprecated since RHEL 8.3. -

-
-

- The Peripety storage event notification daemon parses system storage logs into structured storage - events. It helps you investigate storage issues. -

-

- Bugzilla:1871953 -

-
-

VDO write modes other than async are - deprecated

-

- VDO supports several write modes in RHEL 8: -

-
-
-
    -
  • - sync -
  • -
  • - async -
  • -
  • - async-unsafe -
  • -
  • - auto -
  • -
-
-

- Starting with RHEL 8.4, the following write modes are deprecated: -

-
-
-
sync
-
- Devices above the VDO layer cannot recognize if VDO is synchronous, and consequently, the - devices cannot take advantage of the VDO sync mode. -
-
async-unsafe
-
- VDO added this write mode as a workaround for the reduced performance of async mode, which complies to Atomicity, Consistency, Isolation, - and Durability (ACID). Red Hat does not recommend async-unsafe - for most use cases and is not aware of any users who rely on it. -
-
auto
-
- This write mode only selects one of the other write modes. It is no longer necessary when - VDO supports only a single write mode. -
-
-
-

- These write modes will be removed in a future major RHEL release. -

-

- The recommended VDO write mode is now async. -

-

- For more information on VDO write modes, see Selecting - a VDO write mode. -

-

- Jira:RHELPLAN-70700 -

-
-

VDO manager has been deprecated

-

- The python-based VDO management software has been deprecated and will be removed from RHEL 9. In - RHEL 9, it will be replaced by the LVM-VDO integration. Therefore, it is recommended to create - VDO volumes using the lvcreate command. -

-
-

- The existing volumes created using the VDO management software can be converted using the /usr/sbin/lvm_import_vdo script, provided by the lvm2 package. For more information on the LVM-VDO implementation, see Deduplicating - and compressing logical volumes on RHEL. -

-

- Bugzilla:1949163 -

-
-

cramfs has been deprecated

-

- Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution. -

-
-

- Bugzilla:1794513 -

-
-
-
-
-
-

10.10. High availability and clusters

-
-
-
-
-

pcs commands that support the clufter tool have been deprecated

-

- The pcs commands that support the clufter tool for analyzing cluster configuration formats have been - deprecated. These commands now print a warning that the command has been deprecated and sections - related to these commands have been removed from the pcs help - display and the pcs(8) man page. -

-
-

- The following commands have been deprecated: -

-
-
    -
  • - pcs config import-cman for importing CMAN / RHEL6 HA cluster - configuration -
  • -
  • - pcs config export for exporting cluster configuration to a list - of pcs commands which recreate the same cluster -
  • -
-
-

- Bugzilla:1851335 -

-
-
-
-
-
-

10.11. Dynamic programming languages, web and database servers

-
-
-
-
-

The mod_php module provided with PHP for use - with the Apache HTTP Server has been deprecated

-

- The mod_php module provided with PHP for use with the Apache HTTP - Server in RHEL 8 is available but not enabled in the default configuration. The module is no - longer available in RHEL 9. -

-
-

- Since RHEL 8, PHP scripts are run using the FastCGI Process Manager (php-fpm) by default. For more information, see Using - PHP with the Apache HTTP Server. -

-

- Bugzilla:2225332 -

-
-
-
-
-
-

10.12. Compilers and development tools

-
-
-
-
-

The gdb.i686 packages are deprecated -

-

- In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another - package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions - of GDB, gdb.x86_64, are fully capable of debugging 32-bit - applications. -

-
-

- If you use gdb.i686, note the following important issues: -

-
-
    -
  • - The gdb.i686 packages will no longer be updated. Users must - install gdb.x86_64 instead. -
  • -
  • - If you have gdb.i686 installed, installing gdb.x86_64 will cause yum to report - package gdb-8.2-14.el8.x86_64 obsoletes gdb < 8.2-14.el8 provided by gdb-8.2-12.el8.i686. - This is expected. Either uninstall gdb.i686 or pass dnf the --allowerasing option to - remove gdb.i686 and install gdb.x8_64. -
  • -
  • - Users will no longer be able to install the gdb.i686 packages - on 64-bit systems, that is, those with the libc.so.6()(64-bit) - packages. -
  • -
-
-

- Bugzilla:1853140 -

-
-

libdwarf has been deprecated

-

- The libdwarf library has been deprecated in RHEL 8. The library - will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for - applications that wish to process ELF/DWARF files. -

-
-

- Alternatives for the libdwarf-tools dwarfdump program are the binutils readelf program or the elfutils eu-readelf program, both used by passing the --debug-dump flag. -

-

- Bugzilla:1920624 -

-
-
-
-
-
-

10.13. Identity Management

-
-
-
-
-

openssh-ldap has been deprecated

-

- The openssh-ldap subpackage has been deprecated in Red Hat - Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat - recommends using SSSD and the sss_ssh_authorizedkeys helper, which - integrate better with other IdM solutions and are more secure. -

-
-

- By default, the SSSD ldap and ipa - providers read the sshPublicKey LDAP attribute of the user object, if - available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from - Active Directory (AD), since AD does not have a default LDAP attribute to store a public key. -

-

- To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, - enable the ssh responder by adding ssh to - the services option in the sssd.conf file. - See the sssd.conf(5) man page for details. -

-

- To allow sshd to use sss_ssh_authorizedkeys, add the AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page. -

-

- Bugzilla:1871025 -

-
-

DES and 3DES encryption types have been removed

-

- Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and - disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) - and triple-DES (3DES) encryption types have been removed from RHEL 8. -

-
-

- If you have configured services or users to only use DES or 3DES encryption, you might experience - service interruptions such as: -

-
-
    -
  • - Kerberos authentication errors -
  • -
  • - unknown enctype encryption errors -
  • -
  • - Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (K/M) fail to start -
  • -
-
-

- Perform the following actions to prepare for the upgrade: -

-
-
    -
  1. - Check if your KDC uses DES or 3DES encryption with the krb5check open source Python scripts. See krb5check on GitHub. -
  2. -
  3. - If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a - supported encryption type, such as Advanced Encryption Standard (AES). For instructions on - re-keying, see Retiring - DES from MIT Kerberos Documentation. -
  4. -
  5. -

    - Test independence from DES and 3DES by temporarily setting the following Kerberos - options before upgrading: -

    -
    -
      -
    1. - In /var/kerberos/krb5kdc/kdc.conf on the KDC, set - supported_enctypes and do not include des or des3. -
    2. -
    3. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set allow_weak_crypto to false. It is false by default. -
    4. -
    5. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set permitted_enctypes, default_tgs_enctypes, and default_tkt_enctypes, and do not include des or des3. -
    6. -
    -
    -
  6. -
  7. - If you do not experience any service interruptions with the test Kerberos settings from the - previous step, remove them and upgrade. You do not need those settings after upgrading to - the latest Kerberos packages. -
  8. -
-
-

- Bugzilla:1877991 -

-
-

The SSSD version of libwbclient has been - removed

-

- The SSSD implementation of the libwbclient package was deprecated - in RHEL 8.4. As it cannot be used with recent versions of Samba, the SSSD implementation of - libwbclient has now been removed. -

-
-

- Bugzilla:1947671 -

-
-

Standalone use of the ctdb service has been - deprecated

-

- Since RHEL 8.4, customers are advised to use the ctdb clustered - Samba service only when both of the following conditions apply: -

-
-
-
    -
  • - The ctdb service is managed as a pacemaker resource with the resource-agent ctdb. -
  • -
  • - The ctdb service uses storage volumes that contain either a - GlusterFS file system provided by the Red Hat Gluster Storage product or a GFS2 file system. -
  • -
-
-

- The stand-alone use case of the ctdb service has been deprecated and - will not be included in a next major release of Red Hat Enterprise Linux. For further information on - support policies for Samba, see the Knowledgebase article Support Policies for RHEL Resilient Storage - - ctdb General Policies. -

-

- Bugzilla:1916296 -

-
-

Indirect AD integration with IdM via WinSync has been deprecated -

-

- WinSync is no longer actively developed in RHEL 8 due to several functional limitations: -

-
-
-
    -
  • - WinSync supports only one Active Directory (AD) domain. -
  • -
  • - Password synchronization requires installing additional software on AD Domain Controllers. -
  • -
-
-

- For a more robust solution with better resource and security separation, Red Hat recommends using a - cross-forest trust for indirect integration with - Active Directory. See the Indirect - integration documentation. -

-

- Jira:RHELPLAN-100400 -

-
-

The SSSD implicit files provider domain is disabled by default

-

- The default value of the enable_files_domain setting in the /etc/sssd/sssd.conf configuration file has been changed from true to false. This means that the SSSD - implicit files provider domain, which retrieves user and group - information from local files /etc/passwd and /etc/group, is now disabled by default. -

-
-

- The default glibc files module, instead of - SSSD, serves local users. SSSD does not start automatically, unless you have defined a domain in the - sssd.conf file. -

-

- The implementation of the SSSD files provider is still available for - explicit configuration for specific use cases, such as smart card authentication of local users. -

-

- Jira:RHELPLAN-139456 -

-
-

Running Samba as a PDC or BDC is deprecated

-

- The classic domain controller mode that enabled administrators to run Samba as an NT4-like - primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and - settings to configure these modes will be removed in a future Samba release. -

-
-

- As long as the Samba version in RHEL 8 provides the PDC and BDC modes, Red Hat supports these modes - only in existing installations with Windows versions which support NT4 domains. Red Hat recommends - not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and - Windows Server 2008 R2 do not support NT4 domains. -

-

- If you use the PDC to authenticate only Linux users, Red Hat suggests migrating to Red Hat Identity Management - (IdM) that is included in RHEL subscriptions. However, you cannot join Windows systems to an - IdM domain. Note that Red Hat continues supporting the PDC functionality IdM uses in the background. -

-

- Red Hat does not support running Samba as an AD domain controller (DC). -

-

- Bugzilla:1926114 -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- Jira:RHELDOCS-16612 -

-
-

Limited support for FreeRADIUS

-

- In RHEL 8, the following external authentication modules are deprecated as part of the - FreeRADIUS offering: -

-
-
-
    -
  • - The MySQL, PostgreSQL, SQlite, and unixODBC database connectors -
  • -
  • - The Perl language module -
  • -
  • - The REST API module -
  • -
-
-
-
Note
-
-

- The PAM authentication module and other authentication modules that are provided as part of - the base package are not affected. -

-
-
-

- You can find replacements for the deprecated modules in community-supported packages, for example in - the Fedora project. -

-

- In addition, the scope of support for the freeradius package will be - limited to the following use cases in future RHEL releases: -

-
-
    -
  • - Using FreeRADIUS as an authentication provider with Identity Management (IdM) as the backend - source of authentication. The authentication occurs through the krb5 and LDAP authentication packages or as PAM authentication in - the main FreeRADIUS package. -
  • -
  • - Using FreeRADIUS to provide a source-of-truth for authentication in IdM, through the Python - 3 authentication package. -
  • -
-
-

- In contrast to these deprecations, Red Hat will strengthen the support of the following external - authentication modules with FreeRADIUS: -

-
-
    -
  • - Authentication based on krb5 and LDAP -
  • -
  • - Python 3 authentication -
  • -
-
-

- The focus on these integration options is in close alignment with the strategic direction of Red Hat - IdM. -

-

- Jira:RHELDOCS-17573 -

-
-
-
-
-
-

10.14. Desktop

-
-
-
-
-

The libgnome-keyring library has been - deprecated

-

- The libgnome-keyring library has been deprecated in favor of the - libsecret library, as libgnome-keyring - is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. - The new libsecret library is the replacement that follows the - necessary security standards. -

-
-

- Bugzilla:1607766 -

-
-
-
-
-
-

10.15. Graphics infrastructures

-
-
-
-
-

AGP graphics cards are no longer supported

-

- Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat - Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement. -

-
-

- Bugzilla:1569610 -

-
-

Motif has been deprecated

-

- The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif - community is inactive. -

-
-

- The following Motif packages have been deprecated, including their development and debugging - variants: -

-
-
    -
  • - motif -
  • -
  • - openmotif -
  • -
  • - openmotif21 -
  • -
  • - openmotif22 -
  • -
-
-

- Additionally, the motif-static package has been removed. -

-

- Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new - features compared to Motif. -

-

- Jira:RHELPLAN-98983 -

-
-
-
-
-
-

10.16. The web console

-
-
-
-
-

The web console no longer supports incomplete translations

-

- The RHEL web console no longer provides translations for languages that have translations - available for less than 50 % of the Console’s translatable strings. If the browser requests - translation to such a language, the user interface will be in English instead. -

-
-

- Bugzilla:1666722 -

-
-
-
-
-
-

10.17. Red Hat Enterprise Linux system roles

-
-
-
-
-

The geoipupdate package has been - deprecated

-

- The geoipupdate package requires a third-party subscription and it - also downloads proprietary content. Therefore, the geoipupdate - package has been deprecated, and will be removed in the next major RHEL version. -

-
-

- Bugzilla:1874892 -

-
-

The network system role displays a deprecation - warning when configuring teams on RHEL 9 nodes

-

- The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL system role on an RHEL 8 control node to configure a - network team on RHEL 9 nodes, shows a warning about the deprecation. -

-
-

- Bugzilla:2021685 -

-
-

Ansible Engine has been deprecated

-

- Previous versions of RHEL 8 provided access to an Ansible Engine repository, with a limited - scope of support, to enable supported RHEL Automation use cases, such as RHEL system roles and - Insights remedations. Ansible Engine has been deprecated, and Ansible Engine 2.9 will have no - support after September 29, 2023. For more details on the supported use cases, see Scope of support for the - Ansible Core package included in the RHEL 9 AppStream. -

-
-

- Users must manually migrate their systems from Ansible Engine to Ansible Core. For that, follow the - steps: -

-
-

Procedure

-
    -
  1. -

    - Check if the system is running RHEL 8.7 or a later release: -

    -
    # cat /etc/redhat-release
    -
  2. -
  3. -

    - Uninstall Ansible Engine 2.9: -

    -
    # yum remove ansible
    -
  4. -
  5. -

    - Disable the ansible-2-for-rhel-8-x86_64-rpms repository: -

    -
    # subscription-manager repos --disable
    -ansible-2-for-rhel-8-x86_64-rpms
    -
  6. -
  7. -

    - Install the Ansible Core package from the RHEL 8 AppStream repository: -

    -
    # yum install ansible-core
    -
  8. -
-
-

- For more details, see: Using - Ansible in RHEL 8.6 and later. -

-

- Bugzilla:2006081 -

-
-
-
-
-
-

10.18. Virtualization

-
-
-
-
-

virsh iface-* commands have become - deprecated

-

- The virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, are now deprecated, and will be removed in a - future major version of RHEL. In addition, these commands frequently fail due to configuration - dependencies. -

-
-

- Therefore, it is recommended not to use virsh iface-* commands for - configuring and managing host network connections. Instead, use the NetworkManager program and its - related management applications, such as nmcli. -

-

- Bugzilla:1664592 -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager may not be yet - available in the RHEL web console. -

-
-

- Jira:RHELPLAN-10304 -

-
-

Limited support for virtual machine snapshots

-

- Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the - UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, - which negatively impacts the hypervisor performance for certain workloads. -

-
-

- Also note that the current mechanism of creating VM snapshots has been deprecated, and Red Hat does - not recommend using VM snapshots in a production environment. -

-

- Bugzilla:1686057 -

-
-

The Cirrus VGA virtual - GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA. -

-
-

- Bugzilla:1651994 -

-
-

SPICE has been deprecated

-

- The SPICE remote display protocol has become deprecated. As a result, SPICE will remain - supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display - streaming: -

-
-
-
    -
  • - For remote console access, use the VNC protocol. -
  • -
  • - For advanced remote display functions, use third party tools such as RDP, HP RGS, or - Mechdyne TGX. -
  • -
-
-

- Note that the QXL graphics device, which is used - by SPICE, has become deprecated as well. -

-

- Bugzilla:1849563 -

-
-

KVM on IBM POWER has been deprecated

-

- Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM - POWER is still supported in RHEL 8, but will become unsupported in a future major release of - RHEL. -

-
-

- Jira:RHELPLAN-71200 -

-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. Instead, Red Hat recommends using signatures based on the - SHA2 algorithm, or later. -

-
-

- Bugzilla:1935497 -

-
-

Using SPICE to attach smart card readers to virtual machines has been - deprecated

-

- The SPICE remote display protocol has been deprecated in RHEL 8. Since the only recommended way - to attach smart card readers to virtual machines (VMs) depends on the SPICE protocol, the usage - of smart cards in VMs has also become deprecated in RHEL 8. -

-
-

- In a future major version of RHEL, the functionality of attaching smart card readers to VMs will - only be supported by third party remote visualization solutions. -

-

- Bugzilla:2059626 -

-
-

RDMA-based live migration is deprecated

-

- With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) - has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this - feature will become unsupported in a future major release of RHEL. -

-
-

- Jira:RHELPLAN-153267 -

-
-
-
-
-
-

10.19. Containers

-
-
-
-
-

The Podman varlink-based API v1.0 has been removed

-

- The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 - introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API - v1.0 has been completely removed. -

-
-

- Jira:RHELPLAN-45858 -

-
-

container-tools:1.0 has been - deprecated

-

- The container-tools:1.0 module has been deprecated and will no - longer receive security updates. It is recommended to use a newer supported stable module - stream, such as container-tools:2.0 or container-tools:3.0. -

-
-

- Jira:RHELPLAN-59825 -

-
-

The container-tools:2.0 module has been - deprecated

-

- The container-tools:2.0 module has been deprecated and will no longer receive security updates. - It is recommended to use a newer supported stable module stream, such as container-tools:3.0. -

-
-

- Jira:RHELPLAN-85066 -

-
-

Flatpak images except GIMP has been deprecated

-

- The rhel8/firefox-flatpak, rhel8/thunderbird-flatpak, rhel8/inkscape-flatpak, and rhel8/libreoffice-flatpak RHEL 8 Flatpak Applications have been - deprecated and replaced by the RHEL 9 versions. The rhel8/gimp-flatpak Flatpak Application is not deprecated because - there is no replacement yet in RHEL 9. -

-
-

- Bugzilla:2142499 -

-
-

The CNI network stack has been deprecated

-

- The Container Network Interface (CNI) network stack will be deprecated in a future minor - version. Previously, containers connected to the single Container Network Interface (CNI) plugin - only via DNS. Podman v.4.0 introduced a new Netavark network stack. You can use the Netavark - network stack with Podman and other Open Container Initiative (OCI) container management - applications. The Netavark network stack for Podman is also compatible with advanced Docker - functionalities. Containers in multiple networks can access containers on any of those networks. -

-
-

- For more information, see Switching - the network stack from CNI to Netavark. -

-

- Jira:RHELPLAN-145958 -

-
-

container-tools:3.0 has been - deprecated

-

- The container-tools:3.0 module has been deprecated and will no - longer receive security updates. To continue to build and run Linux Containers on RHEL, use a - newer, stable, and supported module stream, such as container-tools:4.0. -

-
-

- For instructions on switching to a later stream, see Switching - to a later stream. -

-

- Jira:RHELPLAN-146398 -

-
-
-
-
-
-

10.20. Deprecated packages

-
-
-
-

- This section lists packages that have been deprecated and will probably not be included in a future - major release of Red Hat Enterprise Linux. -

-

- For changes to packages between RHEL 7 and RHEL 8, see Changes - to packages in the Considerations in adopting RHEL 8 - document. -

-
-
Important
-
-

- The support status of deprecated packages remains unchanged within RHEL 8. For more - information about the length of support, see Red Hat Enterprise Linux - Life Cycle and Red - Hat Enterprise Linux Application Streams Life Cycle. -

-
-
-

- The following packages have been deprecated in RHEL 8: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - abrt -
  • -
  • - abrt-addon-ccpp -
  • -
  • - abrt-addon-kerneloops -
  • -
  • - abrt-addon-pstoreoops -
  • -
  • - abrt-addon-vmcore -
  • -
  • - abrt-addon-xorg -
  • -
  • - abrt-cli -
  • -
  • - abrt-console-notification -
  • -
  • - abrt-dbus -
  • -
  • - abrt-desktop -
  • -
  • - abrt-gui -
  • -
  • - abrt-gui-libs -
  • -
  • - abrt-libs -
  • -
  • - abrt-tui -
  • -
  • - adobe-source-sans-pro-fonts -
  • -
  • - adwaita-qt -
  • -
  • - alsa-plugins-pulseaudio -
  • -
  • - amanda -
  • -
  • - amanda-client -
  • -
  • - amanda-libs -
  • -
  • - amanda-server -
  • -
  • - ant-contrib -
  • -
  • - antlr3 -
  • -
  • - antlr32 -
  • -
  • - aopalliance -
  • -
  • - apache-commons-collections -
  • -
  • - apache-commons-compress -
  • -
  • - apache-commons-exec -
  • -
  • - apache-commons-jxpath -
  • -
  • - apache-commons-parent -
  • -
  • - apache-ivy -
  • -
  • - apache-parent -
  • -
  • - apache-resource-bundles -
  • -
  • - apache-sshd -
  • -
  • - apiguardian -
  • -
  • - aspnetcore-runtime-3.0 -
  • -
  • - aspnetcore-runtime-3.1 -
  • -
  • - aspnetcore-runtime-5.0 -
  • -
  • - aspnetcore-targeting-pack-3.0 -
  • -
  • - aspnetcore-targeting-pack-3.1 -
  • -
  • - aspnetcore-targeting-pack-5.0 -
  • -
  • - assertj-core -
  • -
  • - authd -
  • -
  • - auto -
  • -
  • - autoconf213 -
  • -
  • - autogen -
  • -
  • - autogen-libopts -
  • -
  • - awscli -
  • -
  • - base64coder -
  • -
  • - batik -
  • -
  • - batik-css -
  • -
  • - batik-util -
  • -
  • - bea-stax -
  • -
  • - bea-stax-api -
  • -
  • - bind-export-devel -
  • -
  • - bind-export-libs -
  • -
  • - bind-libs-lite -
  • -
  • - bind-pkcs11 -
  • -
  • - bind-pkcs11-devel -
  • -
  • - bind-pkcs11-libs -
  • -
  • - bind-pkcs11-utils -
  • -
  • - bind-sdb -
  • -
  • - bind-sdb -
  • -
  • - bind-sdb-chroot -
  • -
  • - bluez-hid2hci -
  • -
  • - boost-jam -
  • -
  • - boost-signals -
  • -
  • - bouncycastle -
  • -
  • - bpg-algeti-fonts -
  • -
  • - bpg-chveulebrivi-fonts -
  • -
  • - bpg-classic-fonts -
  • -
  • - bpg-courier-fonts -
  • -
  • - bpg-courier-s-fonts -
  • -
  • - bpg-dedaena-block-fonts -
  • -
  • - bpg-dejavu-sans-fonts -
  • -
  • - bpg-elite-fonts -
  • -
  • - bpg-excelsior-caps-fonts -
  • -
  • - bpg-excelsior-condenced-fonts -
  • -
  • - bpg-excelsior-fonts -
  • -
  • - bpg-fonts-common -
  • -
  • - bpg-glaho-fonts -
  • -
  • - bpg-gorda-fonts -
  • -
  • - bpg-ingiri-fonts -
  • -
  • - bpg-irubaqidze-fonts -
  • -
  • - bpg-mikhail-stephan-fonts -
  • -
  • - bpg-mrgvlovani-caps-fonts -
  • -
  • - bpg-mrgvlovani-fonts -
  • -
  • - bpg-nateli-caps-fonts -
  • -
  • - bpg-nateli-condenced-fonts -
  • -
  • - bpg-nateli-fonts -
  • -
  • - bpg-nino-medium-cond-fonts -
  • -
  • - bpg-nino-medium-fonts -
  • -
  • - bpg-sans-fonts -
  • -
  • - bpg-sans-medium-fonts -
  • -
  • - bpg-sans-modern-fonts -
  • -
  • - bpg-sans-regular-fonts -
  • -
  • - bpg-serif-fonts -
  • -
  • - bpg-serif-modern-fonts -
  • -
  • - bpg-ucnobi-fonts -
  • -
  • - brlapi-java -
  • -
  • - bsh -
  • -
  • - buildnumber-maven-plugin -
  • -
  • - byaccj -
  • -
  • - cal10n -
  • -
  • - cbi-plugins -
  • -
  • - cdparanoia -
  • -
  • - cdparanoia-devel -
  • -
  • - cdparanoia-libs -
  • -
  • - cdrdao -
  • -
  • - cmirror -
  • -
  • - codehaus-parent -
  • -
  • - codemodel -
  • -
  • - compat-exiv2-026 -
  • -
  • - compat-guile18 -
  • -
  • - compat-hwloc1 -
  • -
  • - compat-libpthread-nonshared -
  • -
  • - compat-libtiff3 -
  • -
  • - compat-openssl10 -
  • -
  • - compat-sap-c++-11 -
  • -
  • - compat-sap-c++-10 -
  • -
  • - compat-sap-c++-9 -
  • -
  • - createrepo_c-devel -
  • -
  • - ctags -
  • -
  • - ctags-etags -
  • -
  • - custodia -
  • -
  • - cyrus-imapd-vzic -
  • -
  • - dbus-c++ -
  • -
  • - dbus-c++-devel -
  • -
  • - dbus-c++-glib -
  • -
  • - dbxtool -
  • -
  • - dhcp-libs -
  • -
  • - directory-maven-plugin -
  • -
  • - directory-maven-plugin-javadoc -
  • -
  • - dirsplit -
  • -
  • - dleyna-connector-dbus -
  • -
  • - dleyna-core -
  • -
  • - dleyna-renderer -
  • -
  • - dleyna-server -
  • -
  • - dnssec-trigger -
  • -
  • - dnssec-trigger-panel -
  • -
  • - dotnet-apphost-pack-3.0 -
  • -
  • - dotnet-apphost-pack-3.1 -
  • -
  • - dotnet-apphost-pack-5.0 -
  • -
  • - dotnet-host-fxr-2.1 -
  • -
  • - dotnet-host-fxr-2.1 -
  • -
  • - dotnet-hostfxr-3.0 -
  • -
  • - dotnet-hostfxr-3.1 -
  • -
  • - dotnet-hostfxr-5.0 -
  • -
  • - dotnet-runtime-2.1 -
  • -
  • - dotnet-runtime-3.0 -
  • -
  • - dotnet-runtime-3.1 -
  • -
  • - dotnet-runtime-5.0 -
  • -
  • - dotnet-sdk-2.1 -
  • -
  • - dotnet-sdk-2.1.5xx -
  • -
  • - dotnet-sdk-3.0 -
  • -
  • - dotnet-sdk-3.1 -
  • -
  • - dotnet-sdk-5.0 -
  • -
  • - dotnet-targeting-pack-3.0 -
  • -
  • - dotnet-targeting-pack-3.1 -
  • -
  • - dotnet-targeting-pack-5.0 -
  • -
  • - dotnet-templates-3.0 -
  • -
  • - dotnet-templates-3.1 -
  • -
  • - dotnet-templates-5.0 -
  • -
  • - dotnet5.0-build-reference-packages -
  • -
  • - dptfxtract -
  • -
  • - drpm -
  • -
  • - drpm-devel -
  • -
  • - dump -
  • -
  • - dvd+rw-tools -
  • -
  • - dyninst-static -
  • -
  • - eclipse-ecf -
  • -
  • - eclipse-ecf-core -
  • -
  • - eclipse-ecf-runtime -
  • -
  • - eclipse-emf -
  • -
  • - eclipse-emf-core -
  • -
  • - eclipse-emf-runtime -
  • -
  • - eclipse-emf-xsd -
  • -
  • - eclipse-equinox-osgi -
  • -
  • - eclipse-jdt -
  • -
  • - eclipse-license -
  • -
  • - eclipse-p2-discovery -
  • -
  • - eclipse-pde -
  • -
  • - eclipse-platform -
  • -
  • - eclipse-swt -
  • -
  • - ed25519-java -
  • -
  • - ee4j-parent -
  • -
  • - elfutils-devel-static -
  • -
  • - elfutils-libelf-devel-static -
  • -
  • - enca -
  • -
  • - enca-devel -
  • -
  • - environment-modules-compat -
  • -
  • - evince-browser-plugin -
  • -
  • - exec-maven-plugin -
  • -
  • - farstream02 -
  • -
  • - felix-gogo-command -
  • -
  • - felix-gogo-runtime -
  • -
  • - felix-gogo-shell -
  • -
  • - felix-scr -
  • -
  • - felix-osgi-compendium -
  • -
  • - felix-osgi-core -
  • -
  • - felix-osgi-foundation -
  • -
  • - felix-parent -
  • -
  • - file-roller -
  • -
  • - fipscheck -
  • -
  • - fipscheck-devel -
  • -
  • - fipscheck-lib -
  • -
  • - firewire -
  • -
  • - fonts-tweak-tool -
  • -
  • - forge-parent -
  • -
  • - freeradius-mysql -
  • -
  • - freeradius-perl -
  • -
  • - freeradius-postgresql -
  • -
  • - freeradius-rest -
  • -
  • - freeradius-sqlite -
  • -
  • - freeradius-unixODBC -
  • -
  • - fuse-sshfs -
  • -
  • - fusesource-pom -
  • -
  • - future -
  • -
  • - gamin -
  • -
  • - gamin-devel -
  • -
  • - gavl -
  • -
  • - gcc-toolset-10 -
  • -
  • - gcc-toolset-10-annobin -
  • -
  • - gcc-toolset-10-binutils -
  • -
  • - gcc-toolset-10-binutils-devel -
  • -
  • - gcc-toolset-10-build -
  • -
  • - gcc-toolset-10-dwz -
  • -
  • - gcc-toolset-10-dyninst -
  • -
  • - gcc-toolset-10-dyninst-devel -
  • -
  • - gcc-toolset-10-elfutils -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client-devel -
  • -
  • - gcc-toolset-10-elfutils-devel -
  • -
  • - gcc-toolset-10-elfutils-libelf -
  • -
  • - gcc-toolset-10-elfutils-libelf-devel -
  • -
  • - gcc-toolset-10-elfutils-libs -
  • -
  • - gcc-toolset-10-gcc -
  • -
  • - gcc-toolset-10-gcc-c++ -
  • -
  • - gcc-toolset-10-gcc-gdb-plugin -
  • -
  • - gcc-toolset-10-gcc-gfortran -
  • -
  • - gcc-toolset-10-gdb -
  • -
  • - gcc-toolset-10-gdb-doc -
  • -
  • - gcc-toolset-10-gdb-gdbserver -
  • -
  • - gcc-toolset-10-libasan-devel -
  • -
  • - gcc-toolset-10-libatomic-devel -
  • -
  • - gcc-toolset-10-libitm-devel -
  • -
  • - gcc-toolset-10-liblsan-devel -
  • -
  • - gcc-toolset-10-libquadmath-devel -
  • -
  • - gcc-toolset-10-libstdc++-devel -
  • -
  • - gcc-toolset-10-libstdc++-docs -
  • -
  • - gcc-toolset-10-libtsan-devel -
  • -
  • - gcc-toolset-10-libubsan-devel -
  • -
  • - gcc-toolset-10-ltrace -
  • -
  • - gcc-toolset-10-make -
  • -
  • - gcc-toolset-10-make-devel -
  • -
  • - gcc-toolset-10-perftools -
  • -
  • - gcc-toolset-10-runtime -
  • -
  • - gcc-toolset-10-strace -
  • -
  • - gcc-toolset-10-systemtap -
  • -
  • - gcc-toolset-10-systemtap-client -
  • -
  • - gcc-toolset-10-systemtap-devel -
  • -
  • - gcc-toolset-10-systemtap-initscript -
  • -
  • - gcc-toolset-10-systemtap-runtime -
  • -
  • - gcc-toolset-10-systemtap-sdt-devel -
  • -
  • - gcc-toolset-10-systemtap-server -
  • -
  • - gcc-toolset-10-toolchain -
  • -
  • - gcc-toolset-10-valgrind -
  • -
  • - gcc-toolset-10-valgrind-devel -
  • -
  • - gcc-toolset-9 -
  • -
  • - gcc-toolset-9-annobin -
  • -
  • - gcc-toolset-9-build -
  • -
  • - gcc-toolset-9-perftools -
  • -
  • - gcc-toolset-9-runtime -
  • -
  • - gcc-toolset-9-toolchain -
  • -
  • - gcc-toolset-11-make-devel -
  • -
  • - GConf2 -
  • -
  • - GConf2-devel -
  • -
  • - gegl -
  • -
  • - genisoimage -
  • -
  • - genwqe-tools -
  • -
  • - genwqe-vpd -
  • -
  • - genwqe-zlib -
  • -
  • - genwqe-zlib-devel -
  • -
  • - geoipupdate -
  • -
  • - geronimo-annotation -
  • -
  • - geronimo-jms -
  • -
  • - geronimo-jpa -
  • -
  • - geronimo-parent-poms -
  • -
  • - gfbgraph -
  • -
  • - gflags -
  • -
  • - gflags-devel -
  • -
  • - glassfish-annotation-api -
  • -
  • - glassfish-el -
  • -
  • - glassfish-fastinfoset -
  • -
  • - glassfish-jaxb-core -
  • -
  • - glassfish-jaxb-txw2 -
  • -
  • - glassfish-jsp -
  • -
  • - glassfish-jsp-api -
  • -
  • - glassfish-legal -
  • -
  • - glassfish-master-pom -
  • -
  • - glassfish-servlet-api -
  • -
  • - glew-devel -
  • -
  • - glib2-fam -
  • -
  • - glog -
  • -
  • - glog-devel -
  • -
  • - gmock -
  • -
  • - gmock-devel -
  • -
  • - gnome-abrt -
  • -
  • - gnome-boxes -
  • -
  • - gnome-menus-devel -
  • -
  • - gnome-online-miners -
  • -
  • - gnome-shell-extension-disable-screenshield -
  • -
  • - gnome-shell-extension-horizontal-workspaces -
  • -
  • - gnome-shell-extension-no-hot-corner -
  • -
  • - gnome-shell-extension-window-grouper -
  • -
  • - gnome-themes-standard -
  • -
  • - gnu-free-fonts-common -
  • -
  • - gnu-free-mono-fonts -
  • -
  • - gnu-free-sans-fonts -
  • -
  • - gnu-free-serif-fonts -
  • -
  • - gnupg2-smime -
  • -
  • - gnuplot -
  • -
  • - gnuplot-common -
  • -
  • - gobject-introspection-devel -
  • -
  • - google-gson -
  • -
  • - google-noto-sans-syriac-eastern-fonts -
  • -
  • - google-noto-sans-syriac-estrangela-fonts -
  • -
  • - google-noto-sans-syriac-western-fonts -
  • -
  • - google-noto-sans-tibetan-fonts -
  • -
  • - google-noto-sans-ui-fonts -
  • -
  • - gphoto2 -
  • -
  • - gsl-devel -
  • -
  • - gssntlmssp -
  • -
  • - gtest -
  • -
  • - gtest-devel -
  • -
  • - gtkmm24 -
  • -
  • - gtkmm24-devel -
  • -
  • - gtkmm24-docs -
  • -
  • - gtksourceview3 -
  • -
  • - gtksourceview3-devel -
  • -
  • - gtkspell -
  • -
  • - gtkspell-devel -
  • -
  • - gtkspell3 -
  • -
  • - guile -
  • -
  • - gutenprint-gimp -
  • -
  • - gutenprint-libs-ui -
  • -
  • - gvfs-afc -
  • -
  • - gvfs-afp -
  • -
  • - gvfs-archive -
  • -
  • - hamcrest-core -
  • -
  • - hawtjni -
  • -
  • - hawtjni -
  • -
  • - hawtjni-runtime -
  • -
  • - HdrHistogram -
  • -
  • - HdrHistogram-javadoc -
  • -
  • - highlight-gui -
  • -
  • - hivex-devel -
  • -
  • - hostname -
  • -
  • - hplip-gui -
  • -
  • - httpcomponents-project -
  • -
  • - hwloc-plugins -
  • -
  • - hyphen-fo -
  • -
  • - hyphen-grc -
  • -
  • - hyphen-hsb -
  • -
  • - hyphen-ia -
  • -
  • - hyphen-is -
  • -
  • - hyphen-ku -
  • -
  • - hyphen-mi -
  • -
  • - hyphen-mn -
  • -
  • - hyphen-sa -
  • -
  • - hyphen-tk -
  • -
  • - ibus-sayura -
  • -
  • - icedax -
  • -
  • - icu4j -
  • -
  • - idm-console-framework -
  • -
  • - inkscape -
  • -
  • - inkscape-docs -
  • -
  • - inkscape-view -
  • -
  • - iptables -
  • -
  • - ipython -
  • -
  • - isl -
  • -
  • - isl-devel -
  • -
  • - isorelax -
  • -
  • - istack-commons-runtime -
  • -
  • - istack-commons-tools -
  • -
  • - iwl3945-firmware -
  • -
  • - iwl4965-firmware -
  • -
  • - iwl6000-firmware -
  • -
  • - jacoco -
  • -
  • - jaf -
  • -
  • - jaf-javadoc -
  • -
  • - jakarta-oro -
  • -
  • - janino -
  • -
  • - jansi-native -
  • -
  • - jarjar -
  • -
  • - java-1.8.0-ibm -
  • -
  • - java-1.8.0-ibm-demo -
  • -
  • - java-1.8.0-ibm-devel -
  • -
  • - java-1.8.0-ibm-headless -
  • -
  • - java-1.8.0-ibm-jdbc -
  • -
  • - java-1.8.0-ibm-plugin -
  • -
  • - java-1.8.0-ibm-src -
  • -
  • - java-1.8.0-ibm-webstart -
  • -
  • - java-1.8.0-openjdk-accessibility -
  • -
  • - java-1.8.0-openjdk-accessibility-slowdebug -
  • -
  • - java_cup -
  • -
  • - java-atk-wrapper -
  • -
  • - javacc -
  • -
  • - javacc-maven-plugin -
  • -
  • - javaewah -
  • -
  • - javaparser -
  • -
  • - javapoet -
  • -
  • - javassist -
  • -
  • - javassist-javadoc -
  • -
  • - jaxen -
  • -
  • - jboss-annotations-1.2-api -
  • -
  • - jboss-interceptors-1.2-api -
  • -
  • - jboss-logmanager -
  • -
  • - jboss-parent -
  • -
  • - jctools -
  • -
  • - jdepend -
  • -
  • - jdependency -
  • -
  • - jdom -
  • -
  • - jdom2 -
  • -
  • - jetty -
  • -
  • - jetty-continuation -
  • -
  • - jetty-http -
  • -
  • - jetty-io -
  • -
  • - jetty-security -
  • -
  • - jetty-server -
  • -
  • - jetty-servlet -
  • -
  • - jetty-util -
  • -
  • - jffi -
  • -
  • - jflex -
  • -
  • - jgit -
  • -
  • - jline -
  • -
  • - jmc -
  • -
  • - jnr-netdb -
  • -
  • - jolokia-jvm-agent -
  • -
  • - js-uglify -
  • -
  • - jsch -
  • -
  • - json_simple -
  • -
  • - jss-javadoc -
  • -
  • - jtidy -
  • -
  • - junit5 -
  • -
  • - jvnet-parent -
  • -
  • - jzlib -
  • -
  • - kernel-cross-headers -
  • -
  • - ksc -
  • -
  • - kurdit-unikurd-web-fonts -
  • -
  • - kyotocabinet-libs -
  • -
  • - ldapjdk-javadoc -
  • -
  • - lensfun -
  • -
  • - lensfun-devel -
  • -
  • - lftp-scripts -
  • -
  • - libaec -
  • -
  • - libaec-devel -
  • -
  • - libappindicator-gtk3 -
  • -
  • - libappindicator-gtk3-devel -
  • -
  • - libatomic-static -
  • -
  • - libavc1394 -
  • -
  • - libblocksruntime -
  • -
  • - libcacard -
  • -
  • - libcacard-devel -
  • -
  • - libcgroup -
  • -
  • - libcgroup-tools -
  • -
  • - libchamplain -
  • -
  • - libchamplain-devel -
  • -
  • - libchamplain-gtk -
  • -
  • - libcroco -
  • -
  • - libcroco-devel -
  • -
  • - libcxl -
  • -
  • - libcxl-devel -
  • -
  • - libdap -
  • -
  • - libdap-devel -
  • -
  • - libdazzle-devel -
  • -
  • - libdbusmenu -
  • -
  • - libdbusmenu-devel -
  • -
  • - libdbusmenu-doc -
  • -
  • - libdbusmenu-gtk3 -
  • -
  • - libdbusmenu-gtk3-devel -
  • -
  • - libdc1394 -
  • -
  • - libdnet -
  • -
  • - libdnet-devel -
  • -
  • - libdv -
  • -
  • - libdwarf -
  • -
  • - libdwarf-devel -
  • -
  • - libdwarf-static -
  • -
  • - libdwarf-tools -
  • -
  • - libeasyfc -
  • -
  • - libeasyfc-gobject -
  • -
  • - libepubgen-devel -
  • -
  • - libertas-sd8686-firmware -
  • -
  • - libertas-usb8388-firmware -
  • -
  • - libertas-usb8388-olpc-firmware -
  • -
  • - libgdither -
  • -
  • - libGLEW -
  • -
  • - libgovirt -
  • -
  • - libguestfs-benchmarking -
  • -
  • - libguestfs-devel -
  • -
  • - libguestfs-gfs2 -
  • -
  • - libguestfs-gobject -
  • -
  • - libguestfs-gobject-devel -
  • -
  • - libguestfs-java -
  • -
  • - libguestfs-java-devel -
  • -
  • - libguestfs-javadoc -
  • -
  • - libguestfs-man-pages-ja -
  • -
  • - libguestfs-man-pages-uk -
  • -
  • - libguestfs-tools -
  • -
  • - libguestfs-tools-c -
  • -
  • - libhugetlbfs -
  • -
  • - libhugetlbfs-devel -
  • -
  • - libhugetlbfs-utils -
  • -
  • - libIDL -
  • -
  • - libIDL-devel -
  • -
  • - libidn -
  • -
  • - libiec61883 -
  • -
  • - libindicator-gtk3 -
  • -
  • - libindicator-gtk3-devel -
  • -
  • - libiscsi-devel -
  • -
  • - libjose-devel -
  • -
  • - libkkc -
  • -
  • - libkkc-common -
  • -
  • - libkkc-data -
  • -
  • - libldb-devel -
  • -
  • - liblogging -
  • -
  • - libluksmeta-devel -
  • -
  • - libmalaga -
  • -
  • - libmcpp -
  • -
  • - libmemcached -
  • -
  • - libmemcached-libs -
  • -
  • - libmetalink -
  • -
  • - libmodulemd1 -
  • -
  • - libmongocrypt -
  • -
  • - libmtp-devel -
  • -
  • - libmusicbrainz5 -
  • -
  • - libmusicbrainz5-devel -
  • -
  • - libnbd-devel -
  • -
  • - liboauth -
  • -
  • - liboauth-devel -
  • -
  • - libpfm-static -
  • -
  • - libpng12 -
  • -
  • - libpurple -
  • -
  • - libpurple-devel -
  • -
  • - libraw1394 -
  • -
  • - libreport-plugin-mailx -
  • -
  • - libreport-plugin-rhtsupport -
  • -
  • - libreport-plugin-ureport -
  • -
  • - libreport-rhel -
  • -
  • - libreport-rhel-bugzilla -
  • -
  • - librpmem -
  • -
  • - librpmem-debug -
  • -
  • - librpmem-devel -
  • -
  • - libsass -
  • -
  • - libsass-devel -
  • -
  • - libselinux-python -
  • -
  • - libsqlite3x -
  • -
  • - libtalloc-devel -
  • -
  • - libtar -
  • -
  • - libtdb-devel -
  • -
  • - libtevent-devel -
  • -
  • - libtpms-devel -
  • -
  • - libunwind -
  • -
  • - libusal -
  • -
  • - libvarlink -
  • -
  • - libverto-libevent -
  • -
  • - libvirt-admin -
  • -
  • - libvirt-bash-completion -
  • -
  • - libvirt-daemon-driver-storage-gluster -
  • -
  • - libvirt-daemon-driver-storage-iscsi-direct -
  • -
  • - libvirt-devel -
  • -
  • - libvirt-docs -
  • -
  • - libvirt-gconfig -
  • -
  • - libvirt-gobject -
  • -
  • - libvirt-lock-sanlock -
  • -
  • - libvirt-wireshark -
  • -
  • - libvmem -
  • -
  • - libvmem-debug -
  • -
  • - libvmem-devel -
  • -
  • - libvmmalloc -
  • -
  • - libvmmalloc-debug -
  • -
  • - libvmmalloc-devel -
  • -
  • - libvncserver -
  • -
  • - libwinpr-devel -
  • -
  • - libwmf -
  • -
  • - libwmf-devel -
  • -
  • - libwmf-lite -
  • -
  • - libXNVCtrl -
  • -
  • - libyami -
  • -
  • - log4j12 -
  • -
  • - log4j12-javadoc -
  • -
  • - lohit-malayalam-fonts -
  • -
  • - lohit-nepali-fonts -
  • -
  • - lorax-composer -
  • -
  • - lua-guestfs -
  • -
  • - lucene -
  • -
  • - lucene-analysis -
  • -
  • - lucene-analyzers-smartcn -
  • -
  • - lucene-queries -
  • -
  • - lucene-queryparser -
  • -
  • - lucene-sandbox -
  • -
  • - lz4-java -
  • -
  • - lz4-java-javadoc -
  • -
  • - mailman -
  • -
  • - mailx -
  • -
  • - make-devel -
  • -
  • - malaga -
  • -
  • - malaga-suomi-voikko -
  • -
  • - marisa -
  • -
  • - maven-antrun-plugin -
  • -
  • - maven-assembly-plugin -
  • -
  • - maven-clean-plugin -
  • -
  • - maven-dependency-analyzer -
  • -
  • - maven-dependency-plugin -
  • -
  • - maven-doxia -
  • -
  • - maven-doxia-sitetools -
  • -
  • - maven-install-plugin -
  • -
  • - maven-invoker -
  • -
  • - maven-invoker-plugin -
  • -
  • - maven-parent -
  • -
  • - maven-plugins-pom -
  • -
  • - maven-reporting-api -
  • -
  • - maven-reporting-impl -
  • -
  • - maven-resolver-api -
  • -
  • - maven-resolver-connector-basic -
  • -
  • - maven-resolver-impl -
  • -
  • - maven-resolver-spi -
  • -
  • - maven-resolver-transport-wagon -
  • -
  • - maven-resolver-util -
  • -
  • - maven-scm -
  • -
  • - maven-script-interpreter -
  • -
  • - maven-shade-plugin -
  • -
  • - maven-shared -
  • -
  • - maven-verifier -
  • -
  • - maven-wagon-file -
  • -
  • - maven-wagon-http -
  • -
  • - maven-wagon-http-shared -
  • -
  • - maven-wagon-provider-api -
  • -
  • - maven2 -
  • -
  • - meanwhile -
  • -
  • - mercurial -
  • -
  • - mercurial-hgk -
  • -
  • - metis -
  • -
  • - metis-devel -
  • -
  • - mingw32-bzip2 -
  • -
  • - mingw32-bzip2-static -
  • -
  • - mingw32-cairo -
  • -
  • - mingw32-expat -
  • -
  • - mingw32-fontconfig -
  • -
  • - mingw32-freetype -
  • -
  • - mingw32-freetype-static -
  • -
  • - mingw32-gstreamer1 -
  • -
  • - mingw32-harfbuzz -
  • -
  • - mingw32-harfbuzz-static -
  • -
  • - mingw32-icu -
  • -
  • - mingw32-libjpeg-turbo -
  • -
  • - mingw32-libjpeg-turbo-static -
  • -
  • - mingw32-libpng -
  • -
  • - mingw32-libpng-static -
  • -
  • - mingw32-libtiff -
  • -
  • - mingw32-libtiff-static -
  • -
  • - mingw32-openssl -
  • -
  • - mingw32-readline -
  • -
  • - mingw32-sqlite -
  • -
  • - mingw32-sqlite-static -
  • -
  • - mingw64-adwaita-icon-theme -
  • -
  • - mingw64-bzip2 -
  • -
  • - mingw64-bzip2-static -
  • -
  • - mingw64-cairo -
  • -
  • - mingw64-expat -
  • -
  • - mingw64-fontconfig -
  • -
  • - mingw64-freetype -
  • -
  • - mingw64-freetype-static -
  • -
  • - mingw64-gstreamer1 -
  • -
  • - mingw64-harfbuzz -
  • -
  • - mingw64-harfbuzz-static -
  • -
  • - mingw64-icu -
  • -
  • - mingw64-libjpeg-turbo -
  • -
  • - mingw64-libjpeg-turbo-static -
  • -
  • - mingw64-libpng -
  • -
  • - mingw64-libpng-static -
  • -
  • - mingw64-libtiff -
  • -
  • - mingw64-libtiff-static -
  • -
  • - mingw64-nettle -
  • -
  • - mingw64-openssl -
  • -
  • - mingw64-readline -
  • -
  • - mingw64-sqlite -
  • -
  • - mingw64-sqlite-static -
  • -
  • - modello -
  • -
  • - mojo-parent -
  • -
  • - mongo-c-driver -
  • -
  • - mousetweaks -
  • -
  • - mozjs52 -
  • -
  • - mozjs52-devel -
  • -
  • - mozjs60 -
  • -
  • - mozjs60-devel -
  • -
  • - mozvoikko -
  • -
  • - msv-javadoc -
  • -
  • - msv-manual -
  • -
  • - munge-maven-plugin -
  • -
  • - mythes-mi -
  • -
  • - mythes-ne -
  • -
  • - nafees-web-naskh-fonts -
  • -
  • - nbd -
  • -
  • - nbdkit-devel -
  • -
  • - nbdkit-example-plugins -
  • -
  • - nbdkit-gzip-plugin -
  • -
  • - nbdkit-plugin-python-common -
  • -
  • - nbdkit-plugin-vddk -
  • -
  • - ncompress -
  • -
  • - ncurses-compat-libs -
  • -
  • - net-tools -
  • -
  • - netcf -
  • -
  • - netcf-devel -
  • -
  • - netcf-libs -
  • -
  • - network-scripts -
  • -
  • - network-scripts-ppp -
  • -
  • - nkf -
  • -
  • - nodejs-devel -
  • -
  • - nodejs-packaging -
  • -
  • - nss_nis -
  • -
  • - nss-pam-ldapd -
  • -
  • - objectweb-asm -
  • -
  • - objectweb-asm-javadoc -
  • -
  • - objectweb-pom -
  • -
  • - ocaml-bisect-ppx -
  • -
  • - ocaml-camlp4 -
  • -
  • - ocaml-camlp4-devel -
  • -
  • - ocaml-lwt -
  • -
  • - ocaml-mmap -
  • -
  • - ocaml-ocplib-endian -
  • -
  • - ocaml-ounit -
  • -
  • - ocaml-result -
  • -
  • - ocaml-seq -
  • -
  • - opencryptoki-tpmtok -
  • -
  • - opencv-contrib -
  • -
  • - opencv-core -
  • -
  • - opencv-devel -
  • -
  • - openhpi -
  • -
  • - openhpi-libs -
  • -
  • - OpenIPMI-perl -
  • -
  • - openssh-cavs -
  • -
  • - openssh-ldap -
  • -
  • - openssl-ibmpkcs11 -
  • -
  • - opentest4j -
  • -
  • - os-maven-plugin -
  • -
  • - pakchois -
  • -
  • - pandoc -
  • -
  • - paps-libs -
  • -
  • - paranamer -
  • -
  • - parfait -
  • -
  • - parfait-examples -
  • -
  • - parfait-javadoc -
  • -
  • - pcp-parfait-agent -
  • -
  • - pcp-pmda-rpm -
  • -
  • - pcp-pmda-vmware -
  • -
  • - pcsc-lite-doc -
  • -
  • - peripety -
  • -
  • - perl-B-Debug -
  • -
  • - perl-B-Lint -
  • -
  • - perl-Class-Factory-Util -
  • -
  • - perl-Class-ISA -
  • -
  • - perl-DateTime-Format-HTTP -
  • -
  • - perl-DateTime-Format-Mail -
  • -
  • - perl-File-CheckTree -
  • -
  • - perl-homedir -
  • -
  • - perl-libxml-perl -
  • -
  • - perl-Locale-Codes -
  • -
  • - perl-Mozilla-LDAP -
  • -
  • - perl-NKF -
  • -
  • - perl-Object-HashBase-tools -
  • -
  • - perl-Package-DeprecationManager -
  • -
  • - perl-Pod-LaTeX -
  • -
  • - perl-Pod-Plainer -
  • -
  • - perl-prefork -
  • -
  • - perl-String-CRC32 -
  • -
  • - perl-SUPER -
  • -
  • - perl-Sys-Virt -
  • -
  • - perl-tests -
  • -
  • - perl-YAML-Syck -
  • -
  • - phodav -
  • -
  • - php-recode -
  • -
  • - php-xmlrpc -
  • -
  • - pidgin -
  • -
  • - pidgin-devel -
  • -
  • - pidgin-sipe -
  • -
  • - pinentry-emacs -
  • -
  • - pinentry-gtk -
  • -
  • - pipewire0.2-devel -
  • -
  • - pipewire0.2-libs -
  • -
  • - platform-python-coverage -
  • -
  • - plexus-ant-factory -
  • -
  • - plexus-bsh-factory -
  • -
  • - plexus-cli -
  • -
  • - plexus-component-api -
  • -
  • - plexus-component-factories-pom -
  • -
  • - plexus-components-pom -
  • -
  • - plexus-i18n -
  • -
  • - plexus-interactivity -
  • -
  • - plexus-pom -
  • -
  • - plexus-velocity -
  • -
  • - plymouth-plugin-throbgress -
  • -
  • - pmreorder -
  • -
  • - postgresql-test-rpm-macros -
  • -
  • - powermock -
  • -
  • - prometheus-jmx-exporter -
  • -
  • - prometheus-jmx-exporter-openjdk11 -
  • -
  • - ptscotch-mpich -
  • -
  • - ptscotch-mpich-devel -
  • -
  • - ptscotch-mpich-devel-parmetis -
  • -
  • - ptscotch-openmpi -
  • -
  • - ptscotch-openmpi-devel -
  • -
  • - purple-sipe -
  • -
  • - pygobject2-doc -
  • -
  • - pygtk2 -
  • -
  • - pygtk2-codegen -
  • -
  • - pygtk2-devel -
  • -
  • - pygtk2-doc -
  • -
  • - python-nose-docs -
  • -
  • - python-nss-doc -
  • -
  • - python-podman-api -
  • -
  • - python-psycopg2-doc -
  • -
  • - python-pymongo-doc -
  • -
  • - python-redis -
  • -
  • - python-schedutils -
  • -
  • - python-slip -
  • -
  • - python-sqlalchemy-doc -
  • -
  • - python-varlink -
  • -
  • - python-virtualenv-doc -
  • -
  • - python2-backports -
  • -
  • - python2-backports-ssl_match_hostname -
  • -
  • - python2-bson -
  • -
  • - python2-coverage -
  • -
  • - python2-docs -
  • -
  • - python2-docs-info -
  • -
  • - python2-funcsigs -
  • -
  • - python2-ipaddress -
  • -
  • - python2-mock -
  • -
  • - python2-nose -
  • -
  • - python2-numpy-doc -
  • -
  • - python2-psycopg2-debug -
  • -
  • - python2-psycopg2-tests -
  • -
  • - python2-pymongo -
  • -
  • - python2-pymongo-gridfs -
  • -
  • - python2-pytest-mock -
  • -
  • - python2-sqlalchemy -
  • -
  • - python2-tools -
  • -
  • - python2-virtualenv -
  • -
  • - python3-bson -
  • -
  • - python3-click -
  • -
  • - python3-coverage -
  • -
  • - python3-cpio -
  • -
  • - python3-custodia -
  • -
  • - python3-docs -
  • -
  • - python3-flask -
  • -
  • - python3-gevent -
  • -
  • - python3-gobject-base -
  • -
  • - python3-hivex -
  • -
  • - python3-html5lib -
  • -
  • - python3-hypothesis -
  • -
  • - python3-ipatests -
  • -
  • - python3-itsdangerous -
  • -
  • - python3-jwt -
  • -
  • - python3-libguestfs -
  • -
  • - python3-mock -
  • -
  • - python3-networkx-core -
  • -
  • - python3-nose -
  • -
  • - python3-nss -
  • -
  • - python3-openipmi -
  • -
  • - python3-pillow -
  • -
  • - python3-ptyprocess -
  • -
  • - python3-pydbus -
  • -
  • - python3-pymongo -
  • -
  • - python3-pymongo-gridfs -
  • -
  • - python3-pyOpenSSL -
  • -
  • - python3-pytoml -
  • -
  • - python3-reportlab -
  • -
  • - python3-schedutils -
  • -
  • - python3-scons -
  • -
  • - python3-semantic_version -
  • -
  • - python3-slip -
  • -
  • - python3-slip-dbus -
  • -
  • - python3-sqlalchemy -
  • -
  • - python3-syspurpose -
  • -
  • - python3-virtualenv -
  • -
  • - python3-webencodings -
  • -
  • - python3-werkzeug -
  • -
  • - python38-asn1crypto -
  • -
  • - python38-numpy-doc -
  • -
  • - python38-psycopg2-doc -
  • -
  • - python38-psycopg2-tests -
  • -
  • - python39-numpy-doc -
  • -
  • - python39-psycopg2-doc -
  • -
  • - python39-psycopg2-tests -
  • -
  • - qemu-kvm-block-gluster -
  • -
  • - qemu-kvm-block-iscsi -
  • -
  • - qemu-kvm-block-ssh -
  • -
  • - qemu-kvm-hw-usbredir -
  • -
  • - qemu-kvm-device-display-virtio-gpu-gl -
  • -
  • - qemu-kvm-device-display-virtio-gpu-pci-gl -
  • -
  • - qemu-kvm-device-display-virtio-vga-gl -
  • -
  • - qemu-kvm-tests -
  • -
  • - qpdf -
  • -
  • - qpdf-doc -
  • -
  • - qpid-proton -
  • -
  • - qrencode -
  • -
  • - qrencode-devel -
  • -
  • - qrencode-libs -
  • -
  • - qt5-qtcanvas3d -
  • -
  • - qt5-qtcanvas3d-examples -
  • -
  • - rarian -
  • -
  • - rarian-compat -
  • -
  • - re2c -
  • -
  • - recode -
  • -
  • - redhat-lsb -
  • -
  • - redhat-lsb-core -
  • -
  • - redhat-lsb-cxx -
  • -
  • - redhat-lsb-desktop -
  • -
  • - redhat-lsb-languages -
  • -
  • - redhat-lsb-printing -
  • -
  • - redhat-lsb-submod-multimedia -
  • -
  • - redhat-lsb-submod-security -
  • -
  • - redhat-lsb-supplemental -
  • -
  • - redhat-lsb-trialuse -
  • -
  • - redhat-menus -
  • -
  • - redhat-support-lib-python -
  • -
  • - redhat-support-tool -
  • -
  • - reflections -
  • -
  • - regexp -
  • -
  • - relaxngDatatype -
  • -
  • - rhsm-gtk -
  • -
  • - rpm-plugin-prioreset -
  • -
  • - rpmemd -
  • -
  • - rsyslog-udpspoof -
  • -
  • - ruby-hivex -
  • -
  • - ruby-libguestfs -
  • -
  • - rubygem-abrt -
  • -
  • - rubygem-abrt-doc -
  • -
  • - rubygem-bson -
  • -
  • - rubygem-bson-doc -
  • -
  • - rubygem-bundler-doc -
  • -
  • - rubygem-mongo -
  • -
  • - rubygem-mongo-doc -
  • -
  • - rubygem-net-telnet -
  • -
  • - rubygem-xmlrpc -
  • -
  • - s390utils-cmsfs -
  • -
  • - samba-pidl -
  • -
  • - samba-test -
  • -
  • - samba-test-libs -
  • -
  • - samyak-devanagari-fonts -
  • -
  • - samyak-fonts-common -
  • -
  • - samyak-gujarati-fonts -
  • -
  • - samyak-malayalam-fonts -
  • -
  • - samyak-odia-fonts -
  • -
  • - samyak-tamil-fonts -
  • -
  • - sane-frontends -
  • -
  • - sanlk-reset -
  • -
  • - sat4j -
  • -
  • - scala -
  • -
  • - scotch -
  • -
  • - scotch-devel -
  • -
  • - SDL_sound -
  • -
  • - selinux-policy-minimum -
  • -
  • - sendmail -
  • -
  • - sgabios -
  • -
  • - sgabios-bin -
  • -
  • - shrinkwrap -
  • -
  • - sisu-inject -
  • -
  • - sisu-mojos -
  • -
  • - sisu-plexus -
  • -
  • - skkdic -
  • -
  • - SLOF -
  • -
  • - smc-anjalioldlipi-fonts -
  • -
  • - smc-dyuthi-fonts -
  • -
  • - smc-fonts-common -
  • -
  • - smc-kalyani-fonts -
  • -
  • - smc-raghumalayalam-fonts -
  • -
  • - smc-suruma-fonts -
  • -
  • - softhsm-devel -
  • -
  • - sonatype-oss-parent -
  • -
  • - sonatype-plugins-parent -
  • -
  • - sos-collector -
  • -
  • - sparsehash-devel -
  • -
  • - spax -
  • -
  • - spec-version-maven-plugin -
  • -
  • - spice -
  • -
  • - spice-client-win-x64 -
  • -
  • - spice-client-win-x86 -
  • -
  • - spice-glib -
  • -
  • - spice-glib-devel -
  • -
  • - spice-gtk -
  • -
  • - spice-gtk-tools -
  • -
  • - spice-gtk3 -
  • -
  • - spice-gtk3-devel -
  • -
  • - spice-gtk3-vala -
  • -
  • - spice-parent -
  • -
  • - spice-protocol -
  • -
  • - spice-qxl-wddm-dod -
  • -
  • - spice-server -
  • -
  • - spice-server-devel -
  • -
  • - spice-qxl-xddm -
  • -
  • - spice-server -
  • -
  • - spice-streaming-agent -
  • -
  • - spice-vdagent-win-x64 -
  • -
  • - spice-vdagent-win-x86 -
  • -
  • - sssd-libwbclient -
  • -
  • - star -
  • -
  • - stax-ex -
  • -
  • - stax2-api -
  • -
  • - stringtemplate -
  • -
  • - stringtemplate4 -
  • -
  • - subscription-manager-initial-setup-addon -
  • -
  • - subscription-manager-migration -
  • -
  • - subscription-manager-migration-data -
  • -
  • - subversion-javahl -
  • -
  • - SuperLU -
  • -
  • - SuperLU-devel -
  • -
  • - supermin-devel -
  • -
  • - swig -
  • -
  • - swig-doc -
  • -
  • - swig-gdb -
  • -
  • - swtpm-devel -
  • -
  • - swtpm-tools-pkcs11 -
  • -
  • - system-storage-manager -
  • -
  • - tcl-brlapi -
  • -
  • - testng -
  • -
  • - tibetan-machine-uni-fonts -
  • -
  • - timedatex -
  • -
  • - tpm-quote-tools -
  • -
  • - tpm-tools -
  • -
  • - tpm-tools-pkcs11 -
  • -
  • - treelayout -
  • -
  • - trousers -
  • -
  • - trousers-lib -
  • -
  • - tuned-profiles-compat -
  • -
  • - tuned-profiles-nfv-host-bin -
  • -
  • - tuned-utils-systemtap -
  • -
  • - tycho -
  • -
  • - uglify-js -
  • -
  • - unbound-devel -
  • -
  • - univocity-output-tester -
  • -
  • - univocity-parsers -
  • -
  • - usbguard-notifier -
  • -
  • - usbredir-devel -
  • -
  • - utf8cpp -
  • -
  • - uthash -
  • -
  • - velocity -
  • -
  • - vinagre -
  • -
  • - vino -
  • -
  • - virt-dib -
  • -
  • - virt-p2v-maker -
  • -
  • - vm-dump-metrics-devel -
  • -
  • - weld-parent -
  • -
  • - wodim -
  • -
  • - woodstox-core -
  • -
  • - wqy-microhei-fonts -
  • -
  • - wqy-unibit-fonts -
  • -
  • - xdelta -
  • -
  • - xmlgraphics-commons -
  • -
  • - xmlstreambuffer -
  • -
  • - xinetd -
  • -
  • - xorg-x11-apps -
  • -
  • - xorg-x11-drv-qxl -
  • -
  • - xorg-x11-server-Xspice -
  • -
  • - xpp3 -
  • -
  • - xsane-gimp -
  • -
  • - xsom -
  • -
  • - xz-java -
  • -
  • - xz-java-javadoc -
  • -
  • - yajl-devel -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
-
-
-
-
-
-
-

10.21. Deprecated and unmaintained devices

-
-
-
-

- This section lists devices (drivers, adapters) that -

-
-
    -
  • - continue to be supported until the end of life of RHEL 8 but will likely not be supported in - future major releases of this product and are not recommended for new deployments. Support - for devices other than those listed remains unchanged. These are deprecated devices. -
  • -
  • - are available but are no longer being tested or updated on a routine basis in RHEL 8. Red - Hat may fix serious bugs, including security bugs, at its discretion. These devices should - no longer be used in production, and it is likely they will be disabled in the next major - release. These are unmaintained devices. -
  • -
-
-

- PCI device IDs are in the format of vendor:device:subvendor:subdevice. If no device ID is listed, - all devices associated with the corresponding driver have been deprecated. To check the PCI IDs of - the hardware on your system, run the lspci -nn command. -

-
-

Table 10.1. Deprecated devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- bnx2 -

-
-

- QLogic BCM5706/5708/5709/5716 Driver -

-
  -

- hpsa -

-
-

- Hewlett-Packard Company: Smart Array Controllers -

-
-

- 0x10df:0x0724 -

-
-

- lpfc -

-
-

- Emulex Corporation: OneConnect FCoE Initiator (Skyhawk) -

-
-

- 0x10df:0xe200 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe15000/LPe16000 Series 8Gb/16Gb Fibre Channel Adapter -

-
-

- 0x10df:0xf011 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf015 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf100 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe12000 Series 8Gb Fibre Channel Adapter -

-
-

- 0x10df:0xfc40 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn-X: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xe220 -

-
-

- be2net -

-
-

- Emulex Corporation: OneConnect NIC (Lancer) -

-
-

- 0x1000:0x005b -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2208 [Thunderbolt] -

-
-

- 0x1000:0x006E -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0080 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0081 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0082 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0083 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0084 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0085 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0086 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0087 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
  -

- myri10ge -

-
-

- Myricom 10G driver (10GbE) -

-
  -

- netxen_nic -

-
-

- QLogic/NetXen (1/10) GbE Intelligent Ethernet Driver -

-
-

- 0x1077:0x2031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP8324-based 16Gb Fibre Channel to PCI Express Adapter -

-
-

- 0x1077:0x2532 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP2532-based 8Gb Fibre Channel to PCI Express HBA -

-
-

- 0x1077:0x8031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: 8300 Series 10GbE Converged Network Adapter (FCoE) -

-
  -

- qla3xxx -

-
-

- QLogic ISP3XXX Network Driver v2.03.00-k5 -

-
-

- 0x1924:0x0803 -

-
-

- sfc -

-
-

- Solarflare Communications: SFC9020 10G Ethernet Controller -

-
-

- 0x1924:0x0813 -

-
-

- sfc -

-
-

- Solarflare Communications: SFL9021 10GBASE-T Ethernet Controller -

-
  -

- Soft-RoCE (rdma_rxe) -

-
 
  -

- HNS-RoCE -

-
-

- HNS GE/10GE/25GE/50GE/100GE RDMA Network Controller -

-
  -

- liquidio -

-
-

- Cavium LiquidIO Intelligent Server Adapter Driver -

-
  -

- liquidio_vf -

-
-

- Cavium LiquidIO Intelligent Server Adapter Virtual Function Driver -

-
-
-
-
-

Table 10.2. Unmaintained devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- e1000 -

-
-

- Intel® PRO/1000 Network Driver -

-
  -

- mptbase -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptsas -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptscsih -

-
-

- Fusion MPT SCSI Host driver -

-
  -

- mptspi -

-
-

- Fusion MPT SAS Host driver -

-
-

- 0x1000:0x0071 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MR SAS HBA 2004 -

-
-

- 0x1000:0x0073 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2008 [Falcon] -

-
-

- 0x1000:0x0079 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2108 [Liberator] -

-
  -

- nvmet_tcp -

-
-

- NVMe/TCP target driver -

-
-
-
[a] - Disabled in RHEL 8.0, re-enabled in RHEL 8.4 due to customer requests. -
-
-
-
-
-
-
-
-
-
-
-

Chapter 11. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8.8. -

-
-
-
-
-

11.1. Installer and image creation

-
-
-
-
-

During RHEL installation on IBM Z, udev does - not assign predictable interface names to RoCE cards enumerated by FID

-

- If you start a RHEL 8.7 or later installation with the net.naming-scheme=rhel-8.7 kernel command-line option, the udev device manager on the RHEL installation media ignores this - setting for RoCE cards enumerated by the function identifier (FID). As a consequence, udev assigns unpredictable interface names to these devices. There is - no workaround during the installation, but you can configure the feature after the installation. - For further details, see Determining - a predictable RoCE device name on the IBM Z platform. -

-
-

- (JIRA:RHEL-11397) -

-
-

Installation fails on IBM Power 10 systems with LPAR and secure boot - enabled

-

- RHEL installer is not integrated with static key secure boot on IBM Power 10 systems. - Consequently, when logical partition (LPAR) is enabled with the secure boot option, the - installation fails with the error, Unable to proceed with RHEL-x.x Installation. -

-
-

- To work around this problem, install RHEL without enabling secure boot. After booting the system: -

-
-
    -
  1. - Copy the signed Kernel into the PReP partition using the dd - command. -
  2. -
  3. - Restart the system and enable secure boot. -
  4. -
-
-

- Once the firmware verifies the bootloader and the kernel, the system boots up successfully. -

-

- For more information, see https://www.ibm.com/support/pages/node/6528884 -

-

- Bugzilla:2025814 -

-
-

Unexpected SELinux policies on systems where Anaconda is running as an - application

-

- When Anaconda is running as an application on an already installed system (for example to - perform another installation to an image file using the –image - anaconda option), the system is not prohibited to modify the SELinux types and attributes during - installation. As a consequence, certain elements of SELinux policy might change on the system - where Anaconda is running. To work around this problem, do not run Anaconda on the production - system and execute it in a temporary virtual machine. So that the SELinux policy on a production - system is not modified. Running anaconda as part of the system installation process such as - installing from boot.iso or dvd.iso is - not affected by this issue. -

-
-

- Bugzilla:2050140 -

-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installer or use the authselect Kickstart command during installation. -

-

- Bugzilla:1640697 -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- Bugzilla:1697896 -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- Bugzilla:1914955 -

-
-

Network access is not enabled by default in the installation - program

-

- Several installation features require network access, for example, registration of a system - using the Content Delivery Network (CDN), NTP server support, and network installation sources. - However, network access is not enabled by default, and as a result, these features cannot be - used until network access is enabled. -

-
-

- To work around this problem, add ip=dhcp to boot options to enable - network access when the installation starts. Optionally, passing a Kickstart file or a repository - located on the network using boot options also resolves the problem. As a result, the network-based - installation features can be used. -

-

- Bugzilla:1757877 -

-
-

Hard drive partitioned installations with iso9660 filesystem fails -

-

- You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that - is set to ignore any hard disk containing a iso9660 file system - partition. This happens even when RHEL is installed without using a DVD. -

-
-

- To workaround this problem, add the following script in the kickstart file to format the disc before - the installation starts. -

-

- Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk. -

-
%pre
-wipefs -a /dev/sda
-%end
-

- As a result, installations work as expected without any errors. -

-

- Bugzilla:1929105 -

-
-

IBM Power systems with HASH MMU mode fail to - boot with memory allocation failures

-

- IBM Power Systems with HASH memory allocation unit (MMU) mode - support kdump up to a maximum of 192 cores. Consequently, the - system fails to boot with memory allocation failures if kdump is - enabled on more than 192 cores. This limitation is due to RMA memory allocations during early - boot in HASH MMU mode. To work around this problem, use the Radix MMU mode with fadump enabled - instead of using kdump. -

-
-

- Bugzilla:2028361 -

-
-

RHEL for Edge installer image fails to create mount points when installing - an rpm-ostree payload

-

- When deploying rpm-ostree payloads, used for example in a RHEL for - Edge installer image, the installer does not properly create some mount points for custom - partitions. As a consequence, the installation is aborted with the following error: -

-
-
The command 'mount --bind /mnt/sysimage/data /mnt/sysroot/data' exited with the code 32.
-

- To work around this issue: -

-
-
    -
  • - Use an automatic partitioning scheme and do not add any mount points manually. -
  • -
  • - Manually assign mount points only inside /var directory. For - example, /var/my-mount-point), and - the following standard directories: /, /boot, /var. -
  • -
-
-

- As a result, the installation process finishes successfully. -

-

- Bugzilla:2126506 -

-
-
-
-
-
-

11.2. Subscription management

-
-
-
-
-

syspurpose addons have no effect on the subscription-manager attach --auto output

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose - command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect - the output of running the subscription-manager attach --auto - command. Users who attempt to set values to the addons argument - will not observe any effect on the subscriptions that are auto-attached. -

-
-

- Bugzilla:1687900 -

-
-
-
-
-
-

11.3. Software management

-
-
-
-
-

cr_compress_file_with_stat() can cause a - memory leak

-

- The createrepo_c C library has the API cr_compress_file_with_stat() function. This function is declared with - char **dst as a second parameter. Depending on its other - parameters, cr_compress_file_with_stat() either uses dst as an input parameter, or uses it to return an allocated string. - This unpredictable behavior can cause a memory leak, because it does not inform the user when to - free dst contents. -

-
-

- To work around this problem, a new API cr_compress_file_with_stat_v2 - function has been added, which uses the dst parameter only as an input. - It is declared as char *dst. This prevents memory leak. -

-

- Note that the cr_compress_file_with_stat_v2 function is temporary and - will be present only in RHEL 8. Later, cr_compress_file_with_stat() - will be fixed instead. -

-

- Bugzilla:1973588 -

-
-

YUM transactions reported as successful when a scriptlet fails

-

- Since RPM version 4.6, post-install scriptlets are allowed to fail without being fatal to the - transaction. This behavior propagates up to YUM as well. This results in scriptlets which might - occasionally fail while the overall package transaction reports as successful. -

-
-

- There is no workaround available at the moment. -

-

- Note that this is expected behavior that remains consistent between RPM and YUM. Any issues in - scriptlets should be addressed at the package level. -

-

- Bugzilla:1986657 -

-
-
-
-
-
-

11.4. Shells and command-line tools

-
-
-
-
-

ipmitool is incompatible with certain server - platforms

-

- The ipmitool utility serves for monitoring, configuring, and - managing devices that support the Intelligent Platform Management Interface (IPMI). The current - version of ipmitool uses Cipher Suite 17 by default instead of the - previous Cipher Suite 3. Consequently, ipmitool fails to - communicate with certain bare metal nodes that announced support for Cipher Suite 17 during - negotiation, but do not actually support this cipher suite. As a result, ipmitool aborts with the no matching cipher suite error message. -

-
-

- For more details, see the related Knowledgebase article. -

-

- To solve this problem, update your baseboard management controller (BMC) firmware to use the Cipher - Suite 17. -

-

- Optionally, if the BMC firmware update is not available, you can work around this problem by forcing - ipmitool to use a certain cipher suite. When invoking a managing task - with ipmitool, add the -C option to the - ipmitool command together with the number of the cipher suite you want to use. See the following - example: -

-
# ipmitool -I lanplus -H myserver.example.com -P mypass -C 3 chassis power status
-

- Bugzilla:1873614 -

-
-

ReaR fails to recreate a volume group when you do not use clean disks for - restoring

-

- ReaR fails to perform recovery when you want to restore to disks that contain existing data. -

-
-

- To work around this problem, wipe the disks manually before restoring to them if they have been - previously used. To wipe the disks in the rescue environment, use one of the following commands - before running the rear recover command: -

-
-
    -
  • - The dd command to overwrite the disks. -
  • -
  • - The wipefs command with the -a - flag to erase all available metadata. -
  • -
-
-

- See the following example of wiping metadata from the /dev/sda disk: -

-
# wipefs -a /dev/sda[1-9] /dev/sda
-

- This command wipes the metadata from the partitions on /dev/sda first, - and then the partition table itself. -

-

- Bugzilla:1925531 -

-
-

coreutils might report misleading EPERM error - codes

-

- GNU Core Utilities (coreutils) started using the statx() system call. If a seccomp filter - returns an EPERM error code for unknown system calls, coreutils - might consequently report misleading EPERM error codes because EPERM can not be distinguished - from the actual Operation not permitted error returned by - a working statx() syscall. -

-
-

- To work around this problem, update the seccomp filter to either permit - the statx() syscall, or to return an ENOSYS error code for syscalls it - does not know. -

-

- Bugzilla:2030661 -

-
-
-
-
-
-

11.5. Infrastructure services

-
-
-
-
-

Postfix TLS fingerprint algorithm in the FIPS mode needs to be changed to - SHA-256

-

- By default in RHEL 8, postfix uses MD5 fingerprints with the TLS - for backward compatibility. But in the FIPS mode, the MD5 hashing function is not available, - which may cause TLS to incorrectly function in the default postfix configuration. To workaround - this problem, the hashing function needs to be changed to SHA-256 in the postfix configuration - file. -

-
-

- For more details, see the related Knowledgebase article Fix postfix TLS in the FIPS mode by switching - to SHA-256 instead of MD5. -

-

- Bugzilla:1711885 -

-
-

The brltty package is not multilib - compatible

-

- It is not possible to have both 32-bit and 64-bit versions of the brltty package installed. You can either install the 32-bit (brltty.i686) or the 64-bit (brltty.x86_64) version of the package. The 64-bit version is - recommended. -

-
-

- Bugzilla:2008197 -

-
-
-
-
-
-

11.6. Security

-
-
-
-
-

tangd-keygen does not handle non-default umask correctly

-

- The tangd-keygen script does not change file permissions for - generated key files. Consequently, on systems with a default user file-creation mode mask (umask) that prevents reading keys to other users, the tang-show-keys command returns the error message Internal Error 500 instead of displaying the keys. -

-
-

- To work around the problem, use the chmod o+r *.jwk command to change - permissions on the files in the /var/db/tang directory. -

-

- Bugzilla:2188743 -

-
-

sshd -T provides inaccurate information about - Ciphers, MACs and KeX algorithms

-

- The output of the sshd -T command does not contain the system-wide - crypto policy configuration or other options that could come from an environment file in /etc/sysconfig/sshd and that are applied as arguments on the sshd command. This occurs because the upstream OpenSSH project did - not support the Include directive to support Red-Hat-provided cryptographic defaults in RHEL 8. - Crypto policies are applied as command-line arguments to the sshd - executable in the sshd.service unit during the service’s start by - using an EnvironmentFile. To work around the problem, use the source command with the environment file and pass the crypto policy - as an argument to the sshd command, as in sshd -T $CRYPTO_POLICY. For additional information, see Ciphers, MACs or KeX - algorithms differ from sshd -T to what is provided by current - crypto policy level. As a result, the output from sshd -T - matches the currently configured crypto policy. -

-
-

- Bugzilla:2044354 -

-
-

RHV hypervisor may not work correctly when hardening the system during - installation

-

- When installing Red Hat Virtualization Hypervisor (RHV-H) and applying the Red Hat Enterprise - Linux 8 STIG profile, OSCAP Anaconda Add-on may harden the system as RHEL instead of RVH-H and - remove essential packages for RHV-H. Consequently, the RHV hypervisor may not work. To work - around the problem, install the RHV-H system without applying any profile hardening, and after - the installation is complete, apply the profile by using OpenSCAP. As a result, the RHV - hypervisor works correctly. -

-
-

- Bugzilla:2075508 -

-
-

CVE OVAL feeds are now only in the compressed format, and data streams are - not in the SCAP 1.3 standard

-

- Red Hat provides CVE OVAL feeds in the bzip2-compressed format and are no longer available in - the XML file format. Because referencing compressed content is not standardized in the Security - Content Automation Protocol (SCAP) 1.3 specification, third-party SCAP scanners can have - problems scanning rules that use the feed. -

-
-

- Bugzilla:2028428 -

-
-

Certain Rsyslog priority strings do not work correctly

-

- Support for the GnuTLS priority string for imtcp that allows - fine-grained control over encryption is not complete. Consequently, the following priority - strings do not work properly in the Rsyslog remote logging application: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- Bugzilla:1679512 -

-
-

Server with GUI and Workstation installations are not possible with CIS Server - profiles

-

- The CIS Server Level 1 and Level 2 security profiles are not compatible with the Server with GUI and Workstation software - selections. As a consequence, a RHEL 8 installation with the Server with GUI software selection and CIS Server profiles is not - possible. An attempted installation using the CIS Server Level 1 or Level 2 profiles and either - of these software selections will generate the error message: -

-
-
package xorg-x11-server-common has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the installation.
-

- If you need to align systems with the Server with GUI or Workstation software selections according to CIS benchmarks, use the CIS - Workstation Level 1 or Level 2 profiles instead. -

-

- Bugzilla:1843932 -

-
-

Kickstart uses org_fedora_oscap instead of - com_redhat_oscap in RHEL 8

-

- The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on - as org_fedora_oscap instead of com_redhat_oscap, which might cause confusion. This is necessary to - keep compatibility with Red Hat Enterprise Linux 7. -

-
-

- Bugzilla:1665082 -

-
-

libvirt overrides xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding -

-

- The libvirt virtualization framework enables IPv4 forwarding - whenever a virtual network with a forward mode of route or nat is started. This overrides the configuration by the xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding - rule, and subsequent compliance scans report the fail result when - assessing this rule. -

-
-

- Apply one of these scenarios to work around the problem: -

-
-
    -
  • - Uninstall the libvirt packages if your scenario does not - require them. -
  • -
  • - Change the forwarding mode of virtual networks created by libvirt. -
  • -
  • - Remove the xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding - rule by tailoring your profile. -
  • -
-
-

- Bugzilla:2118758 -

-
-

OpenSSL in FIPS mode accepts only specific D-H parameters

-

- In FIPS mode, TLS clients that use OpenSSL return a bad dh value - error and abort TLS connections to servers that use manually generated parameters. This is - because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with - Diffie-Hellman parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, - and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL - ignore all other parameters and instead select known parameters of similar size. To work around - this problem, use only the compliant groups. -

-
-

- Bugzilla:1810911 -

-
-

crypto-policies incorrectly allow Camellia - ciphers

-

- The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy - levels, as stated in the product documentation. However, the Kerberos protocol enables the - ciphers by default. -

-
-

- To work around the problem, apply the NO-CAMELLIA subpolicy: -

-
# update-crypto-policies --set DEFAULT:NO-CAMELLIA
-

- In the previous command, replace DEFAULT with the cryptographic level - name if you have switched from DEFAULT previously. -

-

- As a result, Camellia ciphers are correctly disallowed across all applications that use system-wide - crypto policies only when you disable them through the workaround. -

-

- Bugzilla:1919155 -

-
-

OpenSC might not detect CardOS V5.3 card objects correctly

-

- The OpenSC toolkit does not correctly detect serial numbers of smart cards using the CardOS V5.3 - system. Consequently, the pkcs11-tool utility might not list card - objects. -

-
-

- To work around the problem, turn off file caching by setting the`use_file_caching = false` option in - the /etc/opensc.conf file. -

-

- Bugzilla:2176973 -

-
-

Smart-card provisioning process through OpenSC pkcs15-init does not work properly

-

- The file_caching option is enabled in the default OpenSC - configuration, and the file caching functionality does not handle some commands from the pkcs15-init tool properly. Consequently, the smart-card provisioning - process through OpenSC fails. -

-
-

- To work around the problem, add the following snippet to the /etc/opensc.conf file: -

-
app pkcs15-init {
-        framework pkcs15 {
-                use_file_caching = false;
-        }
-}
-

- The smart-card provisioning through pkcs15-init only works if you apply - the previously described workaround. -

-

- Bugzilla:1947025 -

-
-

Connections to servers with SHA-1 signatures do not work with - GnuTLS

-

- SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as - insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS - connection to peers that offer such certificates. This behavior is inconsistent with other - system cryptographic libraries. -

-
-

- To work around this problem, upgrade the server to use certificates signed with SHA-256 or stronger - hash, or switch to the LEGACY policy. -

-

- Bugzilla:1628553 -

-
-

libselinux-python is available only through - its module

-

- The libselinux-python package contains only Python 2 bindings for - developing SELinux applications and it is used for backward compatibility. For this reason, - libselinux-python is no longer available in the default RHEL 8 - repositories through the yum install libselinux-python command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# yum module enable libselinux-python
-# yum install libselinux-python
-

- Alternatively, install libselinux-python using its install profile with - a single command: -

-
# yum module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- Bugzilla:1666328 -

-
-

udica processes UBI 8 containers only when - started with --env container=podman

-

- The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. - This prevents the udica tool from analyzing a container JavaScript - Object Notation (JSON) file. -

-
-

- To work around this problem, start a UBI 8 container using a podman - command with the --env container=podman parameter. As a result, udica can generate an SELinux policy for a UBI 8 container only when you - use the described workaround. -

-

- Bugzilla:1763210 -

-
-

Negative effects of the default logging setup on performance

-

- The default logging environment setup might consume 4 GB of memory or even more and adjustments - of rate-limit values are complex when systemd-journald is running - with rsyslog. -

-
-

- See the Negative effects of the - RHEL default logging setup on performance and their mitigations Knowledgebase article for - more information. -

-

- Jira:RHELPLAN-10431 -

-
-

SELINUX=disabled in /etc/selinux/config does not work properly

-

- Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots - with SELinux enabled and switches to disabled mode later in the boot process. This might cause - memory leaks. -

-
-

- To work around this problem, disable SELinux by adding the selinux=0 - parameter to the kernel command line as described in the Changing - SELinux modes at boot time section of the Using - SELinux title if your scenario really requires to completely disable SELinux. -

-

- Jira:RHELPLAN-34199 -

-
-

IKE over TCP connections do not work on custom TCP ports

-

- The tcp-remoteport Libreswan configuration option does not work - properly. Consequently, an IKE over TCP connection cannot be established when a scenario - requires specifying a non-default TCP port. -

-
-

- Bugzilla:1989050 -

-
-

scap-security-guide cannot configure - termination of idle sessions

-

- Even though the sshd_set_idle_timeout rule still exists in the data - stream, the former method for idle session timeout of configuring sshd is no longer available. Therefore, the rule is marked as not applicable and cannot harden anything. Other methods for - configuring idle session termination, such as systemd (Logind), are - also not available. As a consequence, scap-security-guide cannot - configure the system to reliably disconnect idle sessions after a certain amount of time. -

-
-

- You can work around this problem in one of the following ways, which might fulfill the security - requirement: -

-
-
    -
  • - Configuring the accounts_tmout rule. However, this variable - could be overridden by using the exec command. -
  • -
  • - Configuring the configure_tmux_lock_after_time and configure_bashrc_exec_tmux rules. This requires installing the - tmux package. -
  • -
  • - Upgrading to RHEL 8.7 or later where the systemd feature is - already implemented together with the proper SCAP rule. -
  • -
-
-

- Bugzilla:2167373 -

-
-

The OSCAP Anaconda add-on does not fetch tailored profiles in the graphical - installation

-

- The OSCAP Anaconda add-on does not provide an option to select or deselect tailoring of security - profiles in the RHEL graphical installation. Starting from RHEL 8.8, the add-on does not take - tailoring into account by default when installing from archives or RPM packages. Consequently, - the installation displays the following error message instead of fetching an OSCAP tailored - profile: -

-
-
There was an unexpected problem with the supplied content.
-

- To work around this problem, you must specify paths in the %addon org_fedora_oscap section of your Kickstart file, for example: -

-
xccdf-path = /usr/share/xml/scap/sc_tailoring/ds-combined.xml
-tailoring-path = /usr/share/xml/scap/sc_tailoring/tailoring-xccdf.xml
-

- As a result, you can use the graphical installation for OSCAP tailored profiles only with the - corresponding Kickstart specifications. -

-

- Bugzilla:2165948 -

-
-

The automatic screen lock does not work when a smart-card reader is - removed

-

- The opensc packages incorrectly handle removing USB smart-card - readers. Consequently, the system remains unlocked even when the GNOME Display Manager (GDM) is - configured to lock the screen when a smart card is removed. Furthermore, after you reconnect the - USB reader, the screen also does not lock after removing the smart card. -

-
-

- To work around this problem, perform one of the following actions: -

-
-
    -
  • - Always remove only a smart card, not a smart-card reader. -
  • -
  • - When using hardware tokens that integrate a reader and a card in one package, upgrade to - RHEL 9. -
  • -
-
-

- Bugzilla:2097048 -

-
-

OpenSCAP memory-consumption problems

-

- On systems with limited memory, the OpenSCAP scanner might terminate prematurely or it might not - generate the results files. To work around this problem, you can customize the scanning profile - to deselect rules that involve recursion over the entire / file - system: -

-
-
-
    -
  • - rpm_verify_hashes -
  • -
  • - rpm_verify_permissions -
  • -
  • - rpm_verify_ownership -
  • -
  • - file_permissions_unauthorized_world_writable -
  • -
  • - no_files_unowned_by_user -
  • -
  • - dir_perms_world_writable_system_owned -
  • -
  • - file_permissions_unauthorized_suid -
  • -
  • - file_permissions_unauthorized_sgid -
  • -
  • - file_permissions_ungroupowned -
  • -
  • - dir_perms_world_writable_sticky_bits -
  • -
-
-

- For more details and more workarounds, see the related Knowledgebase article. -

-

- Bugzilla:2161499 -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service - enable or disable state remediation is - not needed. Consequently, OpenSCAP might set the services on the installed system to a - non-compliant state. As a workaround, you can scan and remediate the system after the kickstart - installation. This will fix the service-related issues. -

-
-

- Bugzilla:1834716 -

-
-
-
-
-
-

11.7. Networking

-
-
-
-
-

Systems with the IPv6_rpfilter option enabled - experience low network throughput

-

- Systems with the IPv6_rpfilter option enabled in the firewalld.conf file currently experience suboptimal performance and - low network throughput in high traffic scenarios, such as 100 Gbps links. To work around the - problem, disable the IPv6_rpfilter option. To do so, add the - following line in the /etc/firewalld/firewalld.conf file. -

-
-
IPv6_rpfilter=no
-

- As a result, the system performs better, but also has reduced security. -

-

- Bugzilla:1871860 -

-
-
-
-
-
-

11.8. Kernel

-
-
-
-
-

The kernel ACPI driver reports it has no access to a PCIe ECAM memory - region

-

- The Advanced Configuration and Power Interface (ACPI) table provided by firmware does not define - a memory region on the PCI bus in the Current Resource Settings (_CRS) method for the PCI bus - device. Consequently, the following warning message occurs during the system boot: -

-
-
[    2.817152] acpi PNP0A08:00: [Firmware Bug]: ECAM area [mem 0x30000000-0x31ffffff] not reserved in ACPI namespace
-[    2.827911] acpi PNP0A08:00: ECAM at [mem 0x30000000-0x31ffffff] for [bus 00-1f]
-

- However, the kernel is still able to access the 0x30000000-0x31ffffff - memory region, and can assign that memory region to the PCI Enhanced Configuration Access Mechanism - (ECAM) properly. You can verify that PCI ECAM works correctly by accessing the PCIe configuration - space over the 256 byte offset with the following output: -

-
03:00.0 Non-Volatile memory controller: Sandisk Corp WD Black 2018/PC SN720 NVMe SSD (prog-if 02 [NVM Express])
- ...
-        Capabilities: [900 v1] L1 PM Substates
-                L1SubCap: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2+ ASPM_L1.1- L1_PM_Substates+
-                          PortCommonModeRestoreTime=255us PortTPowerOnTime=10us
-                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
-                           T_CommonMode=0us LTR1.2_Threshold=0ns
-                L1SubCtl2: T_PwrOn=10us
-

- As a result, you can ignore the warning message. -

-

- For more information about the problem, see the "Firmware Bug: ECAM area mem 0x30000000-0x31ffffff not reserved in ACPI namespace" appears - during system boot solution. -

-

- Bugzilla:1868526 -

-
-

The tuned-adm profile powersave command causes - the system to become unresponsive

-

- Executing the tuned-adm profile powersave command leads to an - unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx - (CN88xx) processors. Consequently, reboot the system to resume working. To work around this - problem, avoid using the powersave profile if your system matches - the mentioned specifications. -

-
-

- Bugzilla:1609288 -

-
-

The HP NMI watchdog does not always generate a crash dump

-

- In certain cases, the hpwdt driver for the HP NMI watchdog is not - able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI - was instead consumed by the perfmon driver. -

-
-

- The missing NMI is initiated by one of two conditions: -

-
-
    -
  1. - The Generate NMI button on the - Integrated Lights-Out (iLO) server management software. This button is triggered by a user. -
  2. -
  3. - The hpwdt watchdog. The expiration by default sends an NMI to - the server. -
  4. -
-
-

- Both sequences typically occur when the system is unresponsive. Under normal circumstances, the NMI - handler for both these situations calls the kernel panic() function and - if configured, the kdump service generates a vmcore file. -

-

- Because of the missing NMI, however, kernel panic() is not called and - vmcore is not collected. -

-

- In the first case (1.), if the system was unresponsive, it remains so. To work around this scenario, - use the virtual Power button to reset or power - cycle the server. -

-

- In the second case (2.), the missing NMI is followed 9 seconds later by a reset from the Automated - System Recovery (ASR). -

-

- The HPE Gen9 Server line experiences this problem in single-digit percentages. The Gen10 at an even - smaller frequency. -

-

- Bugzilla:1602962 -

-
-

Reloading an identical crash extension may cause segmentation - faults

-

- When you load a copy of an already loaded crash extension file, it might trigger a segmentation - fault. Currently, the crash utility detects if an original file has been loaded. Consequently, - due to two identical files co-existing in the crash utility, a namespace collision occurs, which - triggers the crash utility to cause a segmentation fault. -

-
-

- You can work around the problem by loading the crash extension file only once. As a result, - segmentation faults no longer occur in the described scenario. -

-

- Bugzilla:1906482 -

-
-

Connections fail when attaching a virtual function to virtual - machine

-

- Pensando network cards that use the ionic device driver silently - accept VLAN tag configuration requests and attempt configuring network connections while - attaching network virtual functions (VF) to a virtual machine - (VM). Such network connections fail as this feature is not yet - supported by the card’s firmware. -

-
-

- Bugzilla:1930576 -

-
-

The OPEN MPI library may trigger run-time failures with default - PML

-

- In OPEN Message Passing Interface (OPEN MPI) implementation 4.0.x series, Unified Communication - X (UCX) is the default point-to-point communicator (PML). The later versions of OPEN MPI 4.0.x - series deprecated openib Byte Transfer Layer (BTL). -

-
-

- However, OPEN MPI, when run over a homogeneous - cluster (same hardware and software configuration), UCX still uses openib BTL for MPI one-sided operations. As a consequence, this may - trigger execution errors. To work around this problem: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca btl openib -mca pml ucx -x UCX_NET_DEVICES=mlx5_ib0
-

- where, -

-
-
    -
  • - The -mca btl openib parameter disables openib BTL -
  • -
  • - The -mca pml ucx parameter configures OPEN MPI to use ucx PML. -
  • -
  • - The x UCX_NET_DEVICES= parameter restricts UCX to use the - specified devices -
  • -
-
-

- The OPEN MPI, when run over a heterogeneous - cluster (different hardware and software configuration), it uses UCX as the default PML. As a - consequence, this may cause the OPEN MPI jobs to run with erratic performance, unresponsive - behavior, or crash failures. To work around this problem, set the UCX priority as: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca pml_ucx_priority 5
-

- As a result, the OPEN MPI library is able to choose an alternative available transport layer over - UCX. -

-

- Bugzilla:1866402 -

-
-

vmcore capture fails after memory hot-plug or unplug operation

-

- After performing the memory hot-plug or hot-unplug operation, the event comes after updating the - device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical address. - The problem appears if all of the following conditions meet: -

-
-
-
    -
  • - A little-endian variant of IBM Power System runs RHEL 8. -
  • -
  • - The kdump or fadump service is - enabled on the system. -
  • -
-
-

- Consequently, the capture kernel fails to save vmcore if a kernel crash - is triggered after the memory hot-plug or hot-unplug operation. -

-

- To work around this problem, restart the kdump service after hot-plug - or hot-unplug: -

-
# systemctl restart kdump.service
-

- As a result, vmcore is successfully saved in the described scenario. -

-

- Bugzilla:1793389 -

-
-

Using irqpoll causes vmcore generation failure

-

- Due to an existing problem with the nvme driver on the 64-bit ARM - architecture that run on the Amazon Web Services Graviton 1 processor, causes vmcore generation to fail when you provide the irqpoll kernel command line parameter to the first kernel. - Consequently, no vmcore file is dumped in the /var/crash/ directory upon a kernel crash. To work around this - problem: -

-
-
-
    -
  1. -

    - Append irqpoll to KDUMP_COMMANDLINE_REMOVE variable in the /etc/sysconfig/kdump file. -

    -
    # KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug quiet log_buf_len swiotlb"
    -
  2. -
  3. -

    - Remove irqpoll from KDUMP_COMMANDLINE_APPEND variable in the /etc/sysconfig/kdump file. -

    -
    # KDUMP_COMMANDLINE_APPEND="irqpoll nr_cpus=1 reset_devices cgroup_disable=memory udev.children-max=2 panic=10 swiotlb=noforce novmcoredd"
    -
  4. -
  5. -

    - Restart the kdump service: -

    -
    # systemctl restart kdump
    -
  6. -
-
-

- As a result, the first kernel boots correctly and the vmcore file is - expected to be captured upon the kernel crash. -

-

- Note that the Amazon Web Services Graviton 2 and Amazon Web Services Graviton 3 processors do not - require you to manually remove the irqpoll parameter in the /etc/sysconfig/kdump file. -

-

- The kdump service can use a significant amount of crash kernel memory - to dump the vmcore file. Ensure that the capture kernel has sufficient - memory available for the kdump service. -

-

- For related information on this Known Issue, see The irqpoll kernel command line parameter - might cause vmcore generation failure article. -

-

- Bugzilla:1654962 -

-
-

Debug kernel fails to boot in crash capture environment on RHEL 8 -

-

- Due to the memory-intensive nature of the debug kernel, a problem occurs when the debug kernel - is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to - boot as the capture kernel and a stack trace is generated instead. To work around this problem, - increase the crash kernel memory as required. As a result, the debug kernel boots successfully - in the crash capture environment. -

-
-

- Bugzilla:1659609 -

-
-

Allocating crash kernel memory fails at boot time

-

- On some Ampere Altra systems, allocating the crash kernel memory during boot fails when the - 32-bit region is disabled in BIOS settings. Consequently, the kdump - service fails to start. This is caused by memory fragmentation in the region below 4 GB with no - fragment being large enough to contain the crash kernel memory. -

-
-

- To work around this problem, enable the 32-bit memory region in BIOS as follows: -

-
-
    -
  1. - Open the BIOS settings on your system. -
  2. -
  3. - Open the Chipset menu. -
  4. -
  5. - Under Memory Configuration, enable the - Slave 32-bit option. -
  6. -
-
-

- As a result, crash kernel memory allocation within the 32-bit region succeeds and the kdump service works as expected. -

-

- Bugzilla:1940674 -

-
-

RoCE interfaces on IBM Z lose their IP settings due to an unexpected change - of the network interface name

-

- In RHEL 8.6 and earlier, the udev device manager assigns on the IBM - Z platform unpredictable device names to RoCE interfaces that are enumerated by a unique - identifier (UID). However, in RHEL 8.7 and later, udev assigns - predictable device names with the eno prefix to these interfaces. -

-
-

- If you update from RHEL 8.6 or earlier to 8.7 or later, these UID-enumerated interfaces have new - names and no longer match the device names in NetworkManager connection profiles. Consequently, - these interfaces have no IP configuration after the update. -

-

- For workarounds you can apply before the update and a fix if you have already updated the system, - see RoCE interfaces on IBM Z lose - their IP settings after updating to RHEL 8.7 or later. -

-

- Bugzilla:2169382 -

-
-

The QAT manager leaves no spare device for LKCF

-

- The Intel® QuickAssist Technology (QAT) manager (qatmgr) is a user - space process, which by default uses all QAT devices in the system. As a consequence, there are - no QAT devices left for the Linux Kernel Cryptographic Framework (LKCF). There is no need to - work around this situation, as this behavior is expected and a majority of users will use - acceleration from the user space. -

-
-

- Bugzilla:1920086 -

-
-

The Solarflare fails to create maximum number of virtual functions - (VFs)

-

- The Solarflare NICs fail to create a maximum number of VFs due to insufficient resources. You - can check the maximum number of VFs that a PCIe device can create in the /sys/bus/pci/devices/PCI_ID/sriov_totalvfs file. To workaround this - problem, you can either adjust the number of VFs or the VF MSI interrupt value to a lower value, - either from Solarflare Boot Manager on startup, or using Solarflare - sfboot utility. The default VF MSI interrupt value is 8. -

-
-
-
    -
  • - To adjust the VF MSI interrupt value using sfboot: -
  • -
-
-
# sfboot vf-msix-limit=2
-
-
Note
-
-

- Adjusting VF MSI interrupt value affects the VF performance. -

-
-
-

- For more information about parameters to be adjusted accordingly, see the Solarflare Server Adapter user guide. -

-

- Bugzilla:1971506 -

-
-

Using page_poison=1 can cause a kernel - crash

-

- When using page_poison=1 as the kernel parameter on firmware with - faulty EFI implementation, the operating system can cause the kernel to crash. By default, this - option is disabled and it is not recommended to enable it, especially in production systems. -

-
-

- Bugzilla:2050411 -

-
-

The iwl7260-firmware breaks Wi-Fi on Intel - Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1 Gen 4

-

- After updating the iwl7260-firmware or iwl7260-wifi driver to the version provided by RHEL 8.7 and later, - the hardware gets into an incorrect internal state. reports its state incorrectly. Consequently, - Intel Wifi 6 cards may not work and display the error message: -

-
-
kernel: iwlwifi 0000:09:00.0: Failed to start RT ucode: -110
-kernel: iwlwifi 0000:09:00.0: WRT: Collecting data: ini trigger 13 fired (delay=0ms)
-kernel: iwlwifi 0000:09:00.0: Failed to run INIT ucode: -110
-

- An unconfirmed work around is to power off the system and back on again. Do not reboot. -

-

- Bugzilla:2106341 -

-
-

Secure boot on IBM Power Systems does not support migration

-

- Currently, on IBM Power Systems, logical partition (LPAR) does not boot after successful - physical volume (PV) migration. As a result, any type of automated migration with secure boot - enabled on a partition fails. -

-
-

- Bugzilla:2126777 -

-
-

weak-modules from kmod fails to work with module inter-dependencies

-

- The weak-modules script provided by the kmod package determines which modules are kABI-compatible with - installed kernels. However, while checking modules' kernel compatibility, weak-modules processes modules symbol dependencies from higher to - lower release of the kernel for which they were built. As a consequence, modules with - inter-dependencies built against different kernel releases might be interpreted as - non-compatible, and therefore the weak-modules script fails to work - in this scenario. -

-
-

- To work around the problem, build or put the extra modules against the latest stock kernel before - you install the new kernel. -

-

- Bugzilla:2103605 -

-
-

kdump in Ampere Altra servers enters the OOM - state

-

- The firmware in Ampere Altra and Altra Max servers currently causes the kernel to allocate too - many event, interrupt and command queues, which consumes too much memory. As a consequence, the - kdump kernel enters the Out of memory (OOM) state. -

-
-

- To work around this problem, reserve extra memory for kdump by - increasing the value of the crashkernel= kernel option to 640M. -

-

- Bugzilla:2111855 -

-
-

Hardware certification of the real-time kernel on systems with large - core-counts might require passing the skew-tick=1 boot - parameter to avoid lock contentions

-

- Large or moderate sized systems with numerous sockets and large core-counts can experience - latency spikes due to lock contentions on xtime_lock, which is used - in the timekeeping system. As a consequence, latency spikes and delays in hardware - certifications might occur on multiprocessing systems. As a workaround, you can offset the timer - tick per CPU to start at a different time by adding the skew_tick=1 - boot parameter. -

-
-

- To avoid lock conflicts, enable skew_tick=1: -

-
-
    -
  1. -

    - Enable the skew_tick=1 parameter with grubby. -

    -
    # grubby --update-kernel=ALL --args="skew_tick=1"
    -
  2. -
  3. - Reboot for changes to take effect. -
  4. -
  5. - Verify the new settings by running the cat /proc/cmdline - command. -
  6. -
-
-

- Note that enabling skew_tick=1 causes a significant increase in power - consumption and, therefore, it must be enabled only if you are running latency sensitive real-time - workloads. -

-

- Bugzilla:2214508 -

-
-
-
-
-
-

11.9. Boot loader

-
-
-
-
-

The behavior of grubby diverges from its - documentation

-

- When you add a new kernel using the grubby tool and do not specify - any arguments, grubby passes the default arguments to the new - entry. This behavior occurs even without passing the --copy-default - argument. Using --args and --copy-default options ensures those arguments are appended to the - default arguments as stated in the grubby documentation. -

-
-

- However, when you add additional arguments, such as $tuned_params, the - grubby tool does not pass these arguments unless the --copy-default option is invoked. -

-

- In this situation, two workarounds are available: -

-
-
    -
  • -

    - Either set the root= argument and leave --args empty: -

    -
    # grubby --add-kernel /boot/my_kernel --initrd /boot/my_initrd --args "root=/dev/mapper/rhel-root" --title "entry_with_root_set"
    -
  • -
  • -

    - Or set the root= argument and the specified arguments, but - not the default ones: -

    -
    # grubby --add-kernel /boot/my_kernel --initrd /boot/my_initrd --args "root=/dev/mapper/rhel-root some_args and_some_more" --title "entry_with_root_set_and_other_args_too"
    -
  • -
-
-

- Bugzilla:1900829 -

-
-
-
-
-
-

11.10. File systems and storage

-
-
-
-
-

LVM mirror devices that store a LUKS volume - sometimes become unresponsive

-

- Mirrored LVM devices with a segment type of mirror that store a - LUKS volume might become unresponsive under certain conditions. The unresponsive devices reject - all I/O operations. -

-
-

- To work around the issue, Red Hat recommends that you use LVM RAID 1 devices with a segment type of - raid1 instead of mirror if you need to - stack LUKS volumes on top of resilient software-defined storage. -

-

- The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 device. -

-

- Bugzilla:1730502 -

-
-

The /boot file system cannot be placed on - LVM

-

- You cannot place the /boot file system on an LVM logical volume. - This limitation exists for the following reasons: -

-
-
-
    -
  • - On EFI systems, the EFI System Partition - conventionally serves as the /boot file system. The uEFI - standard requires a specific GPT partition type and a specific file system type for this - partition. -
  • -
  • - RHEL 8 uses the Boot Loader Specification (BLS) for - system boot entries. This specification requires that the /boot - file system is readable by the platform firmware. On EFI systems, the platform firmware can - read only the /boot configuration defined by the uEFI standard. -
  • -
  • - The support for LVM logical volumes in the GRUB 2 boot loader is incomplete. Red Hat does - not plan to improve the support because the number of use cases for the feature is - decreasing due to standards such as uEFI and BLS. -
  • -
-
-

- Red Hat does not plan to support /boot on LVM. Instead, Red Hat - provides tools for managing system snapshots and rollback that do not need the /boot file system to be placed on an LVM logical volume. -

-

- Bugzilla:1496229 -

-
-

LVM no longer allows creating volume groups with mixed block sizes -

-

- LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where the - physical volumes (PVs) have different logical block sizes. LVM has adopted this change because - file systems fail to mount if you extend the underlying logical volume (LV) with a PV of a - different block size. -

-
-

- To re-enable creating VGs with mixed block sizes, set the allow_mixed_block_sizes=1 option in the lvm.conf file. -

-

- Bugzilla:1768536 -

-
-

Limitations of LVM writecache

-

- The writecache LVM caching method has the following limitations, - which are not present in the cache method: -

-
-
-
    -
  • - You cannot name a writecache logical volume when using pvmove commands. -
  • -
  • - You cannot use logical volumes with writecache in combination - with thin pools or VDO. -
  • -
-
-

- The following limitation also applies to the cache method: -

-
-
    -
  • - You cannot resize a logical volume while cache or writecache is attached to it. -
  • -
-
-

- Jira:RHELPLAN-27987, Bugzilla:1798631, - Bugzilla:1808012 -

-
-

Device-mapper multipath is not supported when using NVMe/TCP - driver.

-

- The use of device-mapper multipath on top of NVMe/TCP devices can cause reduced performance and - error handling. To avoid this problem, use native NVMe multipath instead of DM multipath tools. - For RHEL 8, you can add the option nvme_core.multipath=Y to the - kernel command line. -

-
-

- Bugzilla:2022359 -

-
-

The blk-availability systemd service - deactivates complex device stacks

-

- In systemd, the default block deactivation code does not always - handle complex stacks of virtual block devices correctly. In some configurations, virtual - devices might not be removed during the shutdown, which causes error messages to be logged. To - work around this problem, deactivate complex block device stacks by executing the following - command: -

-
-
# systemctl enable --now blk-availability.service
-

- As a result, complex virtual device stacks are correctly deactivated during shutdown and do not - produce error messages. -

-

- Bugzilla:2011699 -

-
-

XFS quota warnings are triggered too often

-

- Using the quota timer results in quota warnings triggering too often, which causes soft quotas - to be enforced faster than they should. To work around this problem, do not use soft quotas, - which will prevent triggering warnings. As a result, the amount of warning messages will not - enforce soft quota limit anymore, respecting the configured timeout. -

-
-

- Bugzilla:2059262 -

-
-
-
-
-
-

11.11. Dynamic programming languages, web and database servers

-
-
-
-
-

Creating virtual Python 3.11 environments fails when using the virtualenv utility

-

- The virtualenv utility in RHEL 8, provided by the python3-virtualenv package, is not compatible with Python 3.11. An - attempt to create a virtual environment by using virtualenv will - fail with the following error message: -

-
-
$ virtualenv -p python3.11 venv3.11
-Running virtualenv with interpreter /usr/bin/python3.11
-ERROR: Virtual environments created by virtualenv < 20 are not compatible with Python 3.11.
-ERROR: Use `python3.11 -m venv` instead.
-

- To create Python 3.11 virtual environments, use the python3.11 -m venv - command instead, which uses the venv module from the standard library. -

-

- Bugzilla:2165702 -

-
-

python3.11-lxml does not provide the lxml.isoschematron submodule

-

- The python3.11-lxml package is distributed without the lxml.isoschematron submodule because it is not under an open source - license. The submodule implements ISO Schematron support. As an alternative, pre-ISO-Schematron - validation is available in the lxml.etree.Schematron class. The - remaining content of the python3.11-lxml package is unaffected. -

-
-

- Bugzilla:2157673 -

-
-

PAM plug-in version 1.0 does not work in MariaDB

-

- MariaDB 10.3 provides the Pluggable Authentication Modules (PAM) - plug-in version 1.0. MariaDB 10.5 provides the plug-in versions 1.0 - and 2.0, version 2.0 is the default. -

-
-

- The MariaDB PAM plug-in version 1.0 does not work in RHEL 8. To work - around this problem, use the PAM plug-in version 2.0 provided by the mariadb:10.5 module stream. -

-

- Bugzilla:1942330 -

-
-

Symbol conflicts between OpenLDAP libraries might cause crashes in httpd

-

- When both the libldap and libldap_r - libraries provided by OpenLDAP are loaded and used within a single process, symbol conflicts - between these libraries might occur. Consequently, Apache httpd - child processes using the PHP ldap extension might terminate - unexpectedly if the mod_security or mod_auth_openidc modules are also loaded by the httpd configuration. -

-
-

- Since the RHEL 8.3 update to the Apache Portable Runtime (APR) library, you can work around the - problem by setting the APR_DEEPBIND environment variable, which enables - the use of the RTLD_DEEPBIND dynamic linker option when loading httpd modules. When the APR_DEEPBIND - environment variable is enabled, crashes no longer occur in httpd - configurations that load conflicting libraries. -

-

- Bugzilla:1819607 -

-
-

getpwnam() might fail when called by a 32-bit - application

-

- When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, - manually install the missing package by using the yum install nss_nis.i686 command. -

-
-

- Bugzilla:1803161 -

-
-
-
-
-
-

11.12. Identity Management

-
-
-
-
-

Actions required when running Samba as a print server and updating from - RHEL 8.4 and earlier

-

- With this update, the samba package no longer creates the /var/spool/samba/ directory. If you use Samba as a print server and - use /var/spool/samba/ in the [printers] share to spool print jobs, SELinux prevents Samba users - from creating files in this directory. Consequently, print jobs fail and the auditd service logs a denied message in - /var/log/audit/audit.log. To avoid this problem after updating your - system from 8.4 and earlier: -

-
-
-
    -
  1. - Search the [printers] share in the /etc/samba/smb.conf file. -
  2. -
  3. - If the share definition contains path = /var/spool/samba/, - update the setting and set the path parameter to /var/tmp/. -
  4. -
  5. -

    - Restart the smbd service: -

    -
    # systemctl restart smbd
    -
  6. -
-
-

- If you newly installed Samba on RHEL 8.5 or later, no action is required. The default /etc/samba/smb.conf file provided by the samba-common package in this case already uses the /var/tmp/ directory to spool print jobs. -

-

- Bugzilla:2009213 -

-
-

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System -

-

- Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of - Certificate System. As a consequence, Certificate System might become unstable and manual steps - are required to recover the system. -

-
-

- Bugzilla:1729215 -

-
-

FIPS mode does not support using a shared secret to establish a - cross-forest trust

-

- Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP - authentication is not FIPS-compliant. To work around this problem, authenticate with an Active - Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS - mode enabled and an AD domain. -

-
-

- Bugzilla:1924707 -

-
-

Downgrading authselect after the rebase to - version 1.2.2 breaks system authentication

-

- The authselect package has been rebased to the latest upstream - version 1.2.2. Downgrading authselect - is not supported and breaks system authentication for all users, including root. -

-
-

- If you downgraded the authselect package to 1.2.1 or earlier, perform the following steps to work around this - problem: -

-
-
    -
  1. - At the GRUB boot screen, select Red Hat Enterprise Linux with - the version of the kernel that you want to boot and press e to - edit the entry. -
  2. -
  3. - Type single as a separate word at the end of the line that - starts with linux and press Ctrl+X - to start the boot process. -
  4. -
  5. - Upon booting in single-user mode, enter the root password. -
  6. -
  7. -

    - Restore authselect configuration using the following command: -

    -
    # authselect select sssd --force
    -
  8. -
-
-

- Bugzilla:1892761 -

-
-

IdM to AD cross-realm TGS requests fail

-

- The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with - AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). -

-
-

- Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with - the following error: -

-
Generic error (see e-text) while getting credentials for <service principal>
-

- Bugzilla:2125182 -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- Jira:RHELPLAN-155168 -

-
-

The default keyword for enabled ciphers in the - NSS does not work in conjunction with other ciphers

-

- In Directory Server you can use the default keyword to refer to the - default ciphers enabled in the network security services (NSS). However, if you want to enable - the default ciphers and additional ones using the command line or web console, Directory Server - fails to resolve the default keyword. As a consequence, the server - enables only the additionally specified ciphers and logs an error similar to the following: -

-
-
Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,+cipher_name>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
-

- As a workaround, specify all ciphers that are enabled by default in NSS including the ones you want - to additionally enable. -

-

- Bugzilla:1817505 -

-
-

pki-core-debuginfo update from RHEL 8.6 to - RHEL 8.7 or later fails

-

- Updating the pki-core-debuginfo package from RHEL 8.6 to RHEL 8.7 - or later fails. To work around this problem, run the following commands: -

-
-
-
    -
  1. - yum remove pki-core-debuginfo -
  2. -
  3. - yum update -y -
  4. -
  5. - yum install pki-core-debuginfo -
  6. -
  7. - yum install idm-pki-symkey-debuginfo idm-pki-tools-debuginfo -
  8. -
-
-

- Bugzilla:2134093 -

-
-

Migrated IdM users might be unable to log in due to mismatching domain - SIDs

-

- If you have used the ipa migrate-ds script to migrate users from - one IdM deployment to another, those users might have problems using IdM services because their - previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM - environment. For example, those users can retrieve a Kerberos ticket with the kinit utility, but they cannot log in. To work around this problem, - see the following Knowledgebase article: Migrated IdM users unable to log in due - to mismatching domain SIDs. -

-
-

- Jira:RHELPLAN-109613 -

-
-

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a - two-way cross-forest trust

-

- Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management - (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support - Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the - RC4 NTLM hash that the AD domain controller uses when attempting to authenticate. -

-
-

- Bugzilla:2120572 -

-
-

IdM Vault encryption and decryption fails in FIPS mode

-

- The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. Consequently, - Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 - padding for wrapping the session key with the transport certificate. -

-
-

- Bugzilla:2122919 -

-
-

Incorrect warning when setting expiration dates for a Kerberos - principal

-

- If you set a password expiration date for a Kerberos principal, the current timestamp is - compared to the expiration timestamp using a 32-bit signed integer variable. If the expiration - date is more than 68 years in the future, it causes an integer variable overflow resulting in - the following warning message being displayed: -

-
-
Warning: Your password will expire in less than one hour on [expiration date]
-

- You can ignore this message, the password will expire correctly at the configured date and time. -

-

- Bugzilla:2125318 -

-
-
-
-
-
-

11.13. Desktop

-
-
-
-
-

Disabling flatpak repositories from Software - Repositories is not possible

-

- Currently, it is not possible to disable or remove flatpak - repositories in the Software Repositories tool in the GNOME Software utility. -

-
-

- Bugzilla:1668760 -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft - Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. - In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, use - Hyper-V Server 2019 or later as the host. -

-

- Bugzilla:1583445 -

-
-

Drag-and-drop does not work between desktop and applications

-

- Due to a bug in the gnome-shell-extensions package, the - drag-and-drop functionality does not currently work between desktop and applications. Support - for this feature will be added back in a future release. -

-
-

- Bugzilla:1717947 -

-
-
-
-
-
-

11.14. Graphics infrastructures

-
-
-
-
-

The radeon driver fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in the - kexec context correctly. Instead, radeon falls over, which causes the rest of the kdump service to fail. -

-
-

- To work around this problem, disable radeon in kdump by adding the following line to the /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the system and kdump. After starting kdump, the force_rebuild 1 line might be - removed from the configuration file. -

-

- Note that in this scenario, no graphics is available during the dump process, but kdump works correctly. -

-

- Bugzilla:1694705 -

-
-

Multiple HDR displays on a single MST topology may not power on -

-

- On systems using NVIDIA Turing GPUs with the nouveau driver, using - a DisplayPort hub (such as a laptop dock) with multiple monitors - which support HDR plugged into it may result in failure to turn on. This is due to the system - erroneously thinking there is not enough bandwidth on the hub to support all of the displays. -

-
-

- Bugzilla:1812577 -

-
-

GUI in ESXi might crash due to low video memory

-

- The graphical user interface (GUI) on RHEL virtual machines (VMs) in the VMware ESXi 7.0.1 - hypervisor with vCenter Server 7.0.1 requires a certain amount of video memory. If you connect - multiple consoles or high-resolution monitors to the VM, the GUI requires at least 16 MB of - video memory. If you start the GUI with less video memory, the GUI might terminate unexpectedly. -

-
-

- To work around the problem, configure the hypervisor to assign at least 16 MB of video memory to the - VM. As a result, the GUI on the VM no longer crashes. -

-

- If you encounter this issue, Red Hat recommends that you report it to VMware. -

-

- See also the following VMware article: VMs with high resolution VM console may experience - a crash on ESXi 7.0.1 (83194). -

-

- Bugzilla:1910358 -

-
-

VNC Viewer displays wrong colors with the 16-bit color depth on IBM - Z

-

- The VNC Viewer application displays wrong colors when you connect to a VNC session on an IBM Z - server with the 16-bit color depth. -

-
-

- To work around the problem, set the 24-bit color depth on the VNC server. With the Xvnc server, replace the -depth 16 option - with -depth 24 in the Xvnc configuration. -

-

- As a result, VNC clients display the correct colors but use more network bandwidth with the server. -

-

- Bugzilla:1886147 -

-
-

Unable to run graphical applications using sudo command

-

- When trying to run graphical applications as a user with elevated privileges, the application - fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority - file to use regular user credentials for authentication. -

-
-

- To work around this problem, use the sudo -E command to run graphical - applications as a root user. -

-

- Bugzilla:1673073 -

-
-

Hardware acceleration is not supported on ARM

-

- Built-in graphics drivers do not support hardware acceleration or the Vulkan API on the 64-bit - ARM architecture. -

-
-

- To enable hardware acceleration or Vulkan on ARM, install the proprietary Nvidia driver. -

-

- Jira:RHELPLAN-57914 -

-
-

The installer freezes on servers with ASPEED 2600

-

- When you start the graphical RHEL 8.8 installer on a server with the ASPEED 2600 On System - Management Chipset, the installer becomes unresponsive with a black screen. Consequently, you - cannot install RHEL 8.8 on the server. -

-
-

- To work around the issue, add either of the following options on the kernel command line when - booting the installer: -

-
-
    -
  • - nomodeset -
  • -
  • - drm_kms_helper.edid_firmware=edid/1024x768.bin -
  • -
-
-

- As a result, the installation proceeds as expected. -

-

- Bugzilla:2189645 -

-
-
-
-
-
-

11.15. The web console

-
-
-
-
-

VNC console works incorrectly at certain resolutions

-

- When using the Virtual Network Computing (VNC) console under certain display resolutions, you - might experience a mouse offset issue or you might see only a part of the interface. - Consequently, using the VNC console might not be possible. To work around this issue, you can - try expanding the size of the VNC console or use the Desktop Viewer in the console tab to launch - the remote viewer instead. -

-
-

- Bugzilla:2030836 -

-
-
-
-
-
-

11.16. Red Hat Enterprise Linux system roles

-
-
-
-
-

Using the RHEL system role with Ansible 2.9 can display a warning about - using dnf with the command - module

-

- Since RHEL 8.8, the RHEL system roles no longer use the warn - parameter in with the dnf module because this parameter was removed - in Ansible Core 2.14. However, if you use the latest rhel-system-roles package still with Ansible 2.9 and a role installs - a package, one of the following warnings can be displayed: -

-
-
[WARNING]: Consider using the dnf module rather than running 'dnf'. If you need to use command because dnf is insufficient you can add 'warn: false' to
-this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
-
[WARNING]: Consider using the yum, dnf or zypper module rather than running 'rpm'. If you need to use command because yum, dnf or zypper is insufficient
-you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
-

- If you want to hide these warnings, add the command_warnings = False - setting to the [Defaults] section of the ansible.cfg file. However, note that this setting disables all warnings - in Ansible. -

-

- Jira:RHELDOCS-17954 -

-
-

Unable to manage localhost by using the localhost hostname in the playbook or inventory

-

- With the inclusion of the ansible-core 2.13 package in RHEL, if you - are running Ansible on the same host you manage your nodes, you cannot do it by using the localhost hostname in your playbook or inventory. This happens - because ansible-core 2.13 uses the python38 module, and many of the libraries are missing, for example, - blivet for the storage role, gobject for the network role. To - workaround this problem, if you are already using the localhost - hostname in your playbook or inventory, you can add a connection, by using ansible_connection=local, or by creating an inventory file that lists - localhost with the ansible_connection=local option. With that, you are able to manage - resources on localhost. For more details, see the article RHEL system roles playbooks - fail when run on localhost. -

-
-

- Bugzilla:2041997 -

-
-

If firewalld.service is masked, using the - firewall RHEL system role fails

-

- If firewalld.service is masked on a RHEL system, the firewall RHEL system role fails. To work around this problem, unmask - the firewalld.service: -

-
-
systemctl unmask firewalld.service
-

- Bugzilla:2123859 -

-
-

The rhc system role fails on already - registered systems when rhc_auth contains activation - keys

-

- Executing playbook files on already registered systems fails if activation keys are specified - for the rhc_auth parameter. To workaround this issue, do not - specify activation keys when executing the playbook file on the already registered system. -

-
-

- Bugzilla:2186908 -

-
-
-
-
-
-

11.17. Virtualization

-
-
-
-
-

Using a large number of queues might cause Windows virtual machines to - fail

-

- Windows virtual machines (VMs) might fail when the virtual Trusted Platform Module (vTPM) device - is enabled and the multi-queue virtio-net feature is - configured to use more than 250 queues. -

-
-

- This problem is caused by a limitation in the vTPM device. The vTPM device has a hardcoded limit on - the maximum number of opened file descriptors. Since multiple file descriptors are opened for every - new queue, the internal vTPM limit can be exceeded, causing the VM to fail. -

-

- To work around this problem, choose one of the following two options: -

-
-
    -
  • - Keep the vTPM device enabled, but use less than 250 queues. -
  • -
  • - Disable the vTPM device to use more than 250 queues. -
  • -
-
-

- Bugzilla:2020133 -

-
-

The Milan VM CPU type is sometimes not - available on AMD Milan systems

-

- On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and - Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS - by default. Consequently, the Milan CPU type might not be available - on these systems. In addition, VM live migration between Milan hosts with different feature flag - settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your host. -

-
-

- Bugzilla:2077770 -

-
-

SMT CPU topology is not detected by VMs when using host passthrough mode on - AMD EPYC

-

- When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the - TOPOEXT CPU feature flag is not present. Consequently, the VM is - not able to detect a virtual CPU topology with multiple threads per core. To work around this - problem, boot the VM with the EPYC CPU model instead of host passthrough. -

-
-

- Bugzilla:1740002 -

-
-

Attaching LUN devices to virtual machines using virtio-blk does not - work

-

- The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore - lacks support for features that were deprecated in virtio 1.0. In particular, it is not possible - on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, attaching a - physical disk as a LUN device to a virtual machine fails when using the virtio-blk controller. -

-
-

- Note that physical disks can still be passed through to the guest operating system, but they should - be configured with the device='disk' option rather than device='lun'. -

-

- Bugzilla:1777138 -

-
-

Virtual machines sometimes fail to start when using many virtio-blk - disks

-

- Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of - interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to boot, - and displays a dracut-initqueue[392]: Warning: Could not boot - error. -

-
-

- Bugzilla:1719687 -

-
-

Virtual machines with iommu_platform=on fail - to start on IBM POWER

-

- RHEL 8 currently does not support the iommu_platform=on parameter - for virtual machines (VMs) on IBM POWER system. As a consequence, starting a VM with this - parameter on IBM POWER hardware results in the VM becoming unresponsive during the boot process. -

-
-

- Bugzilla:1910848 -

-
-

IBM POWER hosts now work correctly when using the ibmvfc driver

-

- When running RHEL 8 on a PowerVM logical partition (LPAR), a variety of errors could previously - occur due to problems with the ibmvfc driver. As a consequence, a - kernel panic triggered on the host under certain circumstances, such as: -

-
-
-
    -
  • - Using the Live Partition Mobility (LPM) feature -
  • -
  • - Resetting a host adapter -
  • -
  • - Using SCSI error handling (SCSI EH) functions -
  • -
-
-

- With this update, the handling of ibmvfc has been fixed, and the - described kernel panics no longer occur. -

-

- Bugzilla:1961722 -

-
-

Using perf kvm record on IBM POWER Systems can - cause the VM to crash

-

- When using a RHEL 8 host on the little-endian variant of IBM POWER hardware, using the perf kvm record command to collect trace event samples for a KVM - virtual machine (VM) in some cases results in the VM becoming unresponsive. This situation - occurs when: -

-
-
-
    -
  • - The perf utility is used by an unprivileged user, and the -p option is used to identify the VM - for example perf kvm record -e trace_cycles -p 12345. -
  • -
  • - The VM was started using the virsh shell. -
  • -
-
-

- To work around this problem, use the perf kvm utility with the -i option to monitor VMs that were created using the virsh shell. For example: -

-
# perf kvm record -e trace_imc/trace_cycles/  -p <guest pid> -i
-

- Note that when using the -i option, child tasks do not inherit - counters, and threads will therefore not be monitored. -

-

- Bugzilla:1924016 -

-
-

Windows Server 2016 virtual machines with Hyper-V enabled fail to boot when - using certain CPU models

-

- Currently, it is not possible to boot a virtual machine (VM) that uses Windows Server 2016 as - the guest operating system, has the Hyper-V role enabled, and uses one of the following CPU - models: -

-
-
-
    -
  • - EPYC-IBPB -
  • -
  • - EPYC -
  • -
-
-

- To work around this problem, use the EPYC-v3 CPU - model, or manually enable the xsaves CPU flag - for the VM. -

-

- Bugzilla:1942888 -

-
-

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails -

-

- Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes - unresponsive with a Migration status: active status. -

-
-

- To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which - enables the migration to complete successfully. -

-

- Bugzilla:1741436 -

-
-

Using virt-customize sometimes causes guestfs-firstboot to fail

-

- After modifying a virtual machine (VM) disk image using the virt-customize utility, the guestfs-firstboot service in some cases fails due to incorrect - SELinux permissions. This causes a variety of problems during VM startup, such as failing user - creation or system registration. -

-
-

- To avoid this problem, use the virt-customize command with the --selinux-relabel option. -

-

- Bugzilla:1554735 -

-
-

Deleting a forward interface from a macvtap virtual network resets all - connection counts of this network

-

- Currently, deleting a forward interface from a macvtap virtual - network with multiple forward interfaces also resets the connection status of the other forward - interfaces of the network. As a consequence, the connection information in the live network XML - is incorrect. Note, however, that this does not affect the functionality of the virtual network. - To work around the issue, restart the libvirtd service on your - host. -

-
-

- Bugzilla:1332758 -

-
-

Virtual machines with SLOF fail to boot in netcat interfaces

-

- When using a netcat (nc) interface to access the console of a - virtual machine (VM) that is currently waiting at the Slimline Open Firmware (SLOF) prompt, the - user input is ignored and VM stays unresponsive. To work around this problem, use the nc -C option when connecting to the VM, or use a telnet interface - instead. -

-
-

- Bugzilla:1974622 -

-
-

Attaching mediated devices to virtual machines in virt-manager in some cases fails

-

- The virt-manager application is currently able to detect mediated - devices, but cannot recognize whether the device is active. As a consequence, attempting to - attach an inactive mediated device to a running virtual machine (VM) using virt-manager fails. Similarly, attempting to create a new VM that - uses an inactive mediated device fails with a device not found - error. -

-
-

- To work around this issue, use the virsh nodedev-start or mdevctl start commands to activate the mediated device before using it in - virt-manager. -

-

- Bugzilla:2026985 -

-
-

RHEL 9 virtual machines fail to boot in POWER8 compatibility mode -

-

- Currently, booting a virtual machine (VM) that runs RHEL 9 as its guest operating system fails - if the VM also uses CPU configuration similar to the following: -

-
-
  <cpu mode="host-model">
-    <model>power8</model>
-  </cpu>
-

- To work around this problem, do not use POWER8 compatibility mode in RHEL 9 VMs. -

-

- In addition, note that running RHEL 9 VMs is not possible on POWER8 hosts. -

-

- Bugzilla:2035158 -

-
-

SUID and SGID are not cleared automatically on virtiofs

-

- When you run the virtiofsd service with the killpriv_v2 feature, your system may not automatically clear the SUID - and SGID permissions after performing some file-system operations. Consequently, not clearing - the permissions might cause a potential security threat. To work around this issue, disable the - killpriv_v2 feature by entering the following command: -

-
-
# virtiofsd -o no_killpriv_v2
-

- Bugzilla:1966475 -

-
-

Restarting the OVS service on a host might block network connectivity on - its running VMs

-

- When the Open vSwitch (OVS) service restarts or crashes on a host, virtual machines (VMs) that - are running on this host cannot recover the state of the networking device. As a consequence, - VMs might be completely unable to receive packets. -

-
-

- This problem only affects systems that use the packed virtqueue format in their virtio networking stack. -

-

- To work around this problem, use the packed=off parameter in the virtio networking device definition to disable packed virtqueue. With - packed virtqueue disabled, the state of the networking device can, in some situations, be recovered - from RAM. -

-

- Bugzilla:1792683 -

-
-

NFS failure during VM migration causes migration failure and source VM - coredump

-

- Currently, if the NFS service or server is shut down during virtual machine (VM) migration, the - source VM’s QEMU is unable to reconnect to the NFS server when it starts running again. As a - result, the migration fails and a coredump is initiated on the source VM. Currently, there is no - workaround available. -

-
-

- Bugzilla:2177957 -

-
-

Hotplugging a Watchdog card to a virtual machine fails

-

- Currently, if there are no PCI slots available, adding a Watchdog card to a running virtual - machine (VM) fails with the following error: -

-
-
Failed to configure watchdog
-ERROR Error attempting device hotplug: internal error: No more available PCI slots
-

- To work around this problem, shut down the VM before adding the Watchdog card. -

-

- Bugzilla:2173584 -

-
-
-
-
-
-

11.18. RHEL in cloud environments

-
-
-
-
-

Setting static IP in a RHEL virtual machine on a VMware host does not - work

-

- Currently, when using RHEL as a guest operating system of a virtual machine (VM) on a VMware - host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then - reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- To work around this issue, see the VNware knowledgebase. -

-

- Bugzilla:1750862 -

-
-

kdump sometimes does not start on Azure and Hyper-V

-

- On RHEL 8 guest operating systems hosted on the Microsoft Azure or Hyper-V hypervisors, starting - the kdump kernel in some cases fails when post-exec notifiers are - enabled. -

-
-

- To work around this problem, disable crash kexec post notifiers: -

-
# echo N > /sys/module/kernel/parameters/crash_kexec_post_notifiers
-

- Bugzilla:1865745 -

-
-

The SCSI host address sometimes changes when booting a Hyper-V VM with - multiple guest disks

-

- Currently, when booting a RHEL 8 virtual machine (VM) on the Hyper-V hypervisor, the host - portion of the Host, Bus, Target, Lun (HBTL) SCSI address - in some cases changes. As a consequence, automated tasks set up with the HBTL SCSI - identification or device node in the VM do not work consistently. This occurs if the VM has more - than one disk or if the disks have different sizes. -

-
-

- To work around the problem, modify your kickstart files, using one of the following methods: -

-

- Method 1: Use persistent identifiers for SCSI - devices. -

-

- You can use for example the following powershell script to determine the specific device - identifiers: -

-
# Output what the /dev/disk/by-id/<value> for the specified hyper-v virtual disk.
-# Takes a single parameter which is the virtual disk file.
-# Note: kickstart syntax works with and without the /dev/ prefix.
-param (
-    [Parameter(Mandatory=$true)][string]$virtualdisk
-)
-
-$what = Get-VHD -Path $virtualdisk
-$part = $what.DiskIdentifier.ToLower().split('-')
-
-$p = $part[0]
-$s0 = $p[6] + $p[7] + $p[4] + $p[5] + $p[2] + $p[3] + $p[0] + $p[1]
-
-$p = $part[1]
-$s1 =  $p[2] + $p[3] + $p[0] + $p[1]
-
-[string]::format("/dev/disk/by-id/wwn-0x60022480{0}{1}{2}", $s0, $s1, $part[4])
-

- You can use this script on the hyper-v host, for example as follows: -

-
PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_8.vhdx
-/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_9.vhdx
-/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-

- Afterwards, the disk values can be used in the kickstart file, for example as follows: -

-
part / --fstype=xfs --grow --asprimary --size=8192 --ondisk=/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-part /home --fstype="xfs" --grow --ondisk=/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-

- As these values are specific for each virtual disk, the configuration needs to be done for each VM - instance. It may, therefore, be useful to use the %include syntax to - place the disk information into a separate file. -

-

- Method 2: Set up device selection by size. -

-

- A kickstart file that configures disk selection based on size must include lines similar to the - following: -

-
...
-
-# Disk partitioning information is supplied in a file to kick start
-%include /tmp/disks
-
-...
-
-# Partition information is created during install using the %pre section
-%pre --interpreter /bin/bash --log /tmp/ks_pre.log
-
-	# Dump whole SCSI/IDE disks out sorted from smallest to largest ouputting
-	# just the name
-	disks=(`lsblk -n -o NAME -l -b -x SIZE -d -I 8,3`) || exit 1
-
-	# We are assuming we have 3 disks which will be used
-	# and we will create some variables to represent
-	d0=${disks[0]}
-	d1=${disks[1]}
-	d2=${disks[2]}
-
-	echo "part /home --fstype="xfs" --ondisk=$d2 --grow" >> /tmp/disks
-	echo "part swap --fstype="swap" --ondisk=$d0 --size=4096" >> /tmp/disks
-	echo "part / --fstype="xfs" --ondisk=$d1 --grow" >> /tmp/disks
-	echo "part /boot --fstype="xfs" --ondisk=$d1 --size=1024" >> /tmp/disks
-
-%end
-

- Bugzilla:1906870 -

-
-

RHEL instances on Azure fail to boot if provisioned by cloud-init and configured with an NFSv3 mount entry

-

- Currently, booting a RHEL virtual machine (VM) on the Microsoft Azure cloud platform fails if - the VM was provisioned by the cloud-init tool and the guest - operating system of the VM has an NFSv3 mount entry in the /etc/fstab file. -

-
-

- Bugzilla:2081114 -

-
-
-
-
-
-

11.19. Supportability

-
-
-
-
-

The getattachment command fails to download - multiple attachments at once

-

- The redhat-support-tool command offers the getattachment subcommand for downloading attachments. However, getattachment is currently only able to download a single attachment - and fails to download multiple attachments. -

-
-

- As a workaround, you can download multiple attachments one by one by passing the case number and - UUID for each attachment in the getattachment subcommand. -

-

- Bugzilla:2064575 -

-
-

redhat-support-tool does not work with the - FUTURE crypto policy

-

- Because a cryptographic key used by a certificate on the Customer Portal API does not meet the - requirements by the FUTURE system-wide cryptographic policy, the - redhat-support-tool utility does not work with this policy level at - the moment. -

-
-

- To work around this problem, use the DEFAULT crypto policy while - connecting to the Customer Portal API. -

-

- Bugzilla:1802026 -

-
-

Timeout when running sos report on IBM Power - Systems, Little Endian

-

- When running the sos report command on IBM Power Systems, Little - Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of - 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the - plugin’s timeout accordingly: -

-
-
-
    -
  • - For one-time setting, run: -
  • -
-
-
# sos report -k processor.timeout=1800
-
-
    -
  • - For a permanent change, edit the [plugin_options] section of - the /etc/sos/sos.conf file: -
  • -
-
-
[plugin_options]
-# Specify any plugin options and their values here. These options take the form
-# plugin_name.option_name = value
-#rpm.rpmva = off
-processor.timeout = 1800
-

- The example value is set to 1800. The particular timeout value highly depends on a specific system. - To set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one - plugin with no timeout by running the following command: -

-
# time sos report -o processor -k processor.timeout=0 --batch --build
-

- Bugzilla:2011413 -

-
-
-
-
-
-

11.20. Containers

-
-
-
-
-

Running systemd within an older container image does not work

-

- Running systemd within an older container image, for example, centos:7, does not work: -

-
-
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd
- Storing signatures
- Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
- [!!!!!!] Failed to mount API filesystems, freezing.
-

- To work around this problem, use the following commands: -

-
# mkdir /sys/fs/cgroup/systemd
-# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
-# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
-

- Jira:RHELPLAN-96940 -

-
-
-
-
-
-
-

Chapter 12. Internationalization

-
-
-
-
-
-
-
-

12.1. Red Hat Enterprise Linux 8 international languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangul -

-
-
-
-
-
-
-
-

12.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • - Internationalization is distributed in multiple packages, which allows for smaller footprint - installations. For more information, see Using - langpacks. -
  • -
  • - A number of glibc locales have been synchronized with Unicode - Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA tickets are listed in this document for reference. The links lead to the release notes - in this document that describe the tickets. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- Bugzilla:2136610, - Bugzilla:2096795, - Bugzilla:2142639, - Bugzilla:2130276, - Bugzilla:1817505 -

-
-

- NetworkManager -

-
-

- Bugzilla:2089707, - Bugzilla:2134907, Bugzilla:2132754 -

-
-

- SLOF -

-
-

- Bugzilla:1910848 -

-
-

- accel-config -

-
-

- Bugzilla:1843266 -

-
-

- anaconda -

-
-

- Bugzilla:1913035, - Bugzilla:2014103, - Bugzilla:1991516, - Bugzilla:2094977, - Bugzilla:2050140, - Bugzilla:1914955, - Bugzilla:1929105, - Bugzilla:2126506 -

-
-

- ansible-collection-microsoft-sql -

-
-

- Bugzilla:2144820, - Bugzilla:2144821, - Bugzilla:2144852, - Bugzilla:2153428, - Bugzilla:2163696, - Bugzilla:2153427 -

-
-

- ansible-freeipa -

-
-

- Bugzilla:2127912 -

-
-

- apr -

-
-

- Bugzilla:1819607 -

-
-

- authselect -

-
-

- Bugzilla:1892761 -

-
-

- bacula -

-
-

- Bugzilla:2089399 -

-
-

- brltty -

-
-

- Bugzilla:2008197 -

-
-

- certmonger -

-
-

- Bugzilla:2150025 -

-
-

- clevis -

-
-

- Bugzilla:2159440, Bugzilla:2159736 -

-
-

- cloud-init -

-
-

- Bugzilla:1750862 -

-
-

- cockpit -

-
-

- Bugzilla:2212371, - Bugzilla:1666722 -

-
-

- cockpit-appstream -

-
-

- Bugzilla:2030836 -

-
-

- cockpit-machines -

-
-

- Bugzilla:2173584 -

-
-

- conntrack-tools -

-
-

- Bugzilla:2126736 -

-
-

- coreutils -

-
-

- Bugzilla:2030661 -

-
-

- corosync-qdevice -

-
-

- Bugzilla:1784200 -

-
-

- crash -

-
-

- Bugzilla:1906482 -

-
-

- crash-ptdump-command -

-
-

- Bugzilla:1838927 -

-
-

- createrepo_c -

-
-

- Bugzilla:1973588 -

-
-

- crypto-policies -

-
-

- Bugzilla:1921646, - Bugzilla:2071981, Bugzilla:1919155, - Bugzilla:1660839 -

-
-

- device-mapper-multipath -

-
-

- Bugzilla:2022359, - Bugzilla:2011699 -

-
-

- distribution -

-
-

- Bugzilla:1657927 -

-
-

- dnf -

-
-

- Bugzilla:2054235, - Bugzilla:2047251, - Bugzilla:2016070, - Bugzilla:1986657 -

-
-

- dnf-plugins-core -

-
-

- Bugzilla:2139324 -

-
-

- edk2 -

-
-

- Bugzilla:1741615, - Bugzilla:1935497 -

-
-

- fapolicyd -

-
-

- Bugzilla:2165645, - Bugzilla:2054741 -

-
-

- fence-agents -

-
-

- Bugzilla:1775847 -

-
-

- firewalld -

-
-

- Bugzilla:1871860 -

-
-

- gcc -

-
-

- Bugzilla:2110582 -

-
-

- gdb -

-
-

- Bugzilla:1853140 -

-
-

- git -

-
-

- Bugzilla:2139378 -

-
-

- git-lfs -

-
-

- Bugzilla:2139382 -

-
-

- glassfish-jaxb -

-
-

- Bugzilla:2055539 -

-
-

- glibc -

-
-

- Bugzilla:1871383, Bugzilla:1159809 -

-
-

- gnome-session -

-
-

- Bugzilla:2070976 -

-
-

- gnome-shell-extensions -

-
-

- Bugzilla:2033572, Bugzilla:2138109, Bugzilla:1717947 -

-
-

- gnome-software -

-
-

- Bugzilla:1668760 -

-
-

- gnutls -

-
-

- Bugzilla:1628553 -

-
-

- golang -

-
-

- Bugzilla:2174430, Bugzilla:2132767, Bugzilla:2132694, - Bugzilla:2132419 -

-
-

- grub2 -

-
-

- Bugzilla:1583445 -

-
-

- grubby -

-
-

- Bugzilla:1900829 -

-
-

- initscripts -

-
-

- Bugzilla:1875485 -

-
-

- ipa -

-
-

- Bugzilla:2075452, - Bugzilla:1924707, - Bugzilla:2120572, - Bugzilla:2122919, - Bugzilla:1664719, - Bugzilla:1664718, Bugzilla:2101770 -

-
-

- ipmitool -

-
-

- Bugzilla:1873614 -

-
-

- kernel -

-
-

- Bugzilla:2107595, - Bugzilla:1660908, - Bugzilla:1664379, - Bugzilla:2136107, Bugzilla:2127136, Bugzilla:2143849, - Bugzilla:1905243, Bugzilla:2009705, - Bugzilla:2103946, Bugzilla:2087262, Bugzilla:2151854, Bugzilla:2134931, - Bugzilla:2069047, - Bugzilla:2135417, - Bugzilla:1868526, - Bugzilla:1694705, - Bugzilla:1730502, - Bugzilla:1609288, - Bugzilla:1602962, - Bugzilla:1865745, - Bugzilla:1906870, - Bugzilla:1924016, - Bugzilla:1942888, - Bugzilla:1812577, - Bugzilla:1910358, Bugzilla:1930576, - Bugzilla:1793389, - Bugzilla:1654962, Bugzilla:1940674, - Bugzilla:2169382, - Bugzilla:1920086, Bugzilla:1971506, - Bugzilla:2059262, Bugzilla:2050411, Bugzilla:2106341, - Bugzilla:2127028, Bugzilla:2130159, - Bugzilla:2189645, - Bugzilla:1605216, Bugzilla:1519039, - Bugzilla:1627455, - Bugzilla:1501618, Bugzilla:1633143, Bugzilla:1814836, - Bugzilla:1839311, - Bugzilla:1570255, Bugzilla:1696451, - Bugzilla:1348508, - Bugzilla:1837187, - Bugzilla:1660337, Bugzilla:2041686, - Bugzilla:1836977, Bugzilla:1878207, Bugzilla:1665295, - Bugzilla:1871863, - Bugzilla:1569610, Bugzilla:1794513 -

-
-

- kexec-tools -

-
-

- Bugzilla:2111855 -

-
-

- kmod -

-
-

- Bugzilla:2103605 -

-
-

- kmod-kvdo -

-
-

- Bugzilla:2119819, - Bugzilla:2109047 -

-
-

- krb5 -

-
-

- Bugzilla:2125182, Bugzilla:2125318, - Bugzilla:1877991 -

-
-

- libdnf -

-
-

- Bugzilla:2124483 -

-
-

- libffi -

-
-

- Bugzilla:2014228 -

-
-

- libgnome-keyring -

-
-

- Bugzilla:1607766 -

-
-

- libguestfs -

-
-

- Bugzilla:1554735 -

-
-

- libreswan -

-
-

- Bugzilla:2128672, Bugzilla:2176248, - Bugzilla:1989050 -

-
-

- libselinux-python-2.8-module -

-
-

- Bugzilla:1666328 -

-
-

- libsoup -

-
-

- Bugzilla:1938011 -

-
-

- libvirt -

-
-

- Bugzilla:1664592, Bugzilla:1332758, - Bugzilla:1528684 -

-
-

- llvm-toolset -

-
-

- Bugzilla:2118568 -

-
-

- lvm2 -

-
-

- Bugzilla:1496229, Bugzilla:1768536 -

-
-

- mariadb -

-
-

- Bugzilla:1942330 -

-
-

- mesa -

-
-

- Bugzilla:1886147 -

-
-

- mod_security -

-
-

- Bugzilla:2143207 -

-
-

- nfs-utils -

-
-

- Bugzilla:2081114, - Bugzilla:1592011 -

-
-

- nginx -

-
-

- Bugzilla:2112345 -

-
-

- nispor -

-
-

- Bugzilla:2153166 -

-
-

- nodejs -

-
-

- Bugzilla:2178087 -

-
-

- nss -

-
-

- Bugzilla:1817533, Bugzilla:1645153 -

-
-

- nss_nis -

-
-

- Bugzilla:1803161 -

-
-

- openblas -

-
-

- Bugzilla:2115722 -

-
-

- opencryptoki -

-
-

- Bugzilla:2110315 -

-
-

- opencv -

-
-

- Bugzilla:1886310 -

-
-

- openmpi -

-
-

- Bugzilla:1866402 -

-
-

- opensc -

-
-

- Bugzilla:2176973, - Bugzilla:1947025, - Bugzilla:2097048 -

-
-

- openscap -

-
-

- Bugzilla:2159290, Bugzilla:2161499 -

-
-

- openssh -

-
-

- Bugzilla:2044354 -

-
-

- openssl -

-
-

- Bugzilla:1810911 -

-
-

- oscap-anaconda-addon -

-
-

- Bugzilla:2075508, - Bugzilla:1843932, - Bugzilla:1665082, - Bugzilla:2165948 -

-
-

- pacemaker -

-
-

- Bugzilla:2133497, - Bugzilla:2121852, - Bugzilla:2122806 -

-
-

- pam -

-
-

- Bugzilla:2068461 -

-
-

- pcs -

-
-

- Bugzilla:2132582, Bugzilla:1816852, - Bugzilla:2112263, - Bugzilla:2112267, - Bugzilla:1918527, - Bugzilla:1619620, - Bugzilla:1851335 -

-
-

- pki-core -

-
-

- Bugzilla:1729215, - Bugzilla:2134093, - Bugzilla:1628987 -

-
-

- podman -

-
-

- Jira:RHELPLAN-136601, Jira:RHELPLAN-136608, - Bugzilla:2119200, Jira:RHELPLAN-136610 -

-
-

- postfix -

-
-

- Bugzilla:1711885 -

-
-

- postgresql -

-
-

- Bugzilla:2128241 -

-
-

- powertop -

-
-

- Bugzilla:2040070 -

-
-

- pykickstart -

-
-

- Bugzilla:1637872 -

-
-

- python3.11 -

-
-

- Bugzilla:2137139 -

-
-

- python3.11-lxml -

-
-

- Bugzilla:2157673 -

-
-

- python36-3.6-module -

-
-

- Bugzilla:2165702 -

-
-

- qemu-kvm -

-
-

- Bugzilla:2117149, Bugzilla:2020133, - Bugzilla:1740002, - Bugzilla:1719687, - Bugzilla:1966475, - Bugzilla:1792683, - Bugzilla:2177957, - Bugzilla:1651994 -

-
-

- rear -

-
-

- Bugzilla:2130206, - Bugzilla:2172605, - Bugzilla:2131946, - Bugzilla:1925531, - Bugzilla:2083301 -

-
-

- redhat-support-tool -

-
-

- Bugzilla:2064575, - Bugzilla:1802026 -

-
-

- restore -

-
-

- Bugzilla:1997366 -

-
-

- rhel-system-roles -

-
-

- Bugzilla:2119600, - Bugzilla:2130019, - Bugzilla:2143814, - Bugzilla:2079009, - Bugzilla:2130332, - Bugzilla:2130345, - Bugzilla:2133532, - Bugzilla:2133931, - Bugzilla:2134201, - Bugzilla:2133856, - Bugzilla:2143458, Bugzilla:2137667, - Bugzilla:2143385, - Bugzilla:2144876, - Bugzilla:2144877, - Bugzilla:2130362, - Bugzilla:2129620, - Bugzilla:2165176, Bugzilla:2149683, - Bugzilla:2126960, - Bugzilla:2127497, - Bugzilla:2153081, - Bugzilla:2167941, - Bugzilla:2153080, - Bugzilla:2168733, - Bugzilla:2162782, - Bugzilla:2123859, - Bugzilla:2186908, - Bugzilla:2021685, - Bugzilla:2006081 -

-
-

- rpm -

-
-

- Bugzilla:2129345, Bugzilla:2110787, - Bugzilla:1688849 -

-
-

- rsync -

-
-

- Bugzilla:2139118 -

-
-

- rsyslog -

-
-

- Bugzilla:2124934, - Bugzilla:2070496, - Bugzilla:2157658, - Bugzilla:1679512, - Jira:RHELPLAN-10431 -

-
-

- rt-tests -

-
-

- Bugzilla:2122374 -

-
-

- rteval -

-
-

- Bugzilla:2082260 -

-
-

- rtla -

-
-

- Bugzilla:2075203 -

-
-

- rust-toolset -

-
-

- Bugzilla:2123899 -

-
-

- s390utils -

-
-

- Bugzilla:2043833 -

-
-

- samba -

-
-

- Bugzilla:2132051, Bugzilla:2009213, - Jira:RHELPLAN-13195, - Jira:RHELDOCS-16612 -

-
-

- scap-security-guide -

-
-

- Bugzilla:2072444, - Bugzilla:2152658, Bugzilla:2156192, - Bugzilla:2158404, Bugzilla:2119356, - Bugzilla:2122322, Bugzilla:2115343, - Bugzilla:2152208, - Bugzilla:2099394, - Bugzilla:2151553, - Bugzilla:2162803, - Bugzilla:2028428, - Bugzilla:2118758, - Bugzilla:2167373 -

-
-

- selinux-policy -

-
-

- Bugzilla:1972230, Bugzilla:2088441, Bugzilla:2154242, - Bugzilla:2134125, - Bugzilla:2090711, - Bugzilla:2101341, - Bugzilla:2121709, - Bugzilla:2122838, Bugzilla:2124388, - Bugzilla:2125008, - Bugzilla:2143696, - Bugzilla:2148561, - Bugzilla:1461914 -

-
-

- sos -

-
-

- Bugzilla:2164987, - Bugzilla:2134906, - Bugzilla:2011413 -

-
-

- spice -

-
-

- Bugzilla:1849563 -

-
-

- sssd -

-
-

- Bugzilla:2144519, - Bugzilla:2087247, - Bugzilla:2065692, - Bugzilla:2056483, - Bugzilla:1947671 -

-
-

- subscription-manager -

-
-

- Bugzilla:2170082 -

-
-

- swig -

-
-

- Bugzilla:2139076 -

-
-

- synce4l -

-
-

- Bugzilla:2019751 -

-
-

- tang -

-
-

- Bugzilla:2188743 -

-
-

- texlive -

-
-

- Bugzilla:2150727 -

-
-

- tomcat -

-
-

- Bugzilla:2160455 -

-
-

- tuna -

-
-

- Bugzilla:2121518 -

-
-

- tuned -

-
-

- Bugzilla:2133814, Bugzilla:2113900 -

-
-

- tzdata -

-
-

- Bugzilla:2154109 -

-
-

- udica -

-
-

- Bugzilla:1763210 -

-
-

- usbguard -

-
-

- Bugzilla:2159409, Bugzilla:2159411, - Bugzilla:2159413 -

-
-

- vdo -

-
-

- Bugzilla:1949163 -

-
-

- virt-manager -

-
-

- Bugzilla:2026985 -

-
-

- wayland -

-
-

- Bugzilla:1673073 -

-
-

- weldr-client -

-
-

- Bugzilla:2033192 -

-
-

- wsmancli -

-
-

- Bugzilla:2105316 -

-
-

- xdp-tools -

-
-

- Bugzilla:2160069 -

-
-

- xorg-x11-server -

-
-

- Bugzilla:1698565 -

-
-

- other -

-
-

- Bugzilla:2177769, Jira:RHELPLAN-139125, - Jira:RHELPLAN-137505, - Jira:RHELPLAN-139430, - Jira:RHELPLAN-137416, - Jira:RHELPLAN-137411, - Jira:RHELPLAN-137406, - Jira:RHELPLAN-137403, - Jira:RHELPLAN-139448, - Jira:RHELPLAN-151481, - Jira:RHELPLAN-150266, Jira:RHELPLAN-151121, Jira:RHELPLAN-149091, - Jira:RHELPLAN-139424, - Jira:RHELPLAN-136489, - Bugzilla:2183445, - Jira:RHELPLAN-59528, Jira:RHELPLAN-148303, - Bugzilla:2025814, - Bugzilla:2077770, - Bugzilla:1777138, - Bugzilla:1640697, - Bugzilla:1697896, - Bugzilla:1961722, - Bugzilla:1659609, - Bugzilla:1687900, - Bugzilla:1757877, - Bugzilla:1741436, - Jira:RHELPLAN-27987, Jira:RHELPLAN-34199, - Jira:RHELPLAN-57914, - Jira:RHELPLAN-96940, - Bugzilla:1974622, - Bugzilla:2028361, - Bugzilla:2041997, - Bugzilla:2035158, - Jira:RHELPLAN-109613, - Bugzilla:2126777, - Bugzilla:1690207, Bugzilla:1559616, Bugzilla:1889737, - Bugzilla:1906489, - Bugzilla:1769727, - Jira:RHELPLAN-27394, - Jira:RHELPLAN-27737, - Jira:RHELPLAN-148394, - Bugzilla:1642765, - Bugzilla:1646541, Bugzilla:1647725, Bugzilla:1932222, - Bugzilla:1686057, Bugzilla:1748980, - Jira:RHELPLAN-71200, Jira:RHELPLAN-45858, - Bugzilla:1871025, Bugzilla:1871953, Bugzilla:1874892, Bugzilla:1916296, - Jira:RHELPLAN-100400, - Bugzilla:1926114, Bugzilla:1904251, - Bugzilla:2011208, - Jira:RHELPLAN-59825, Bugzilla:1920624, Jira:RHELPLAN-70700, - Bugzilla:1929173, Jira:RHELPLAN-85066, - Jira:RHELPLAN-98983, Bugzilla:2009113, Bugzilla:1958250, - Bugzilla:2038929, - Bugzilla:2006665, Bugzilla:2029338, Bugzilla:2061288, Bugzilla:2060759, - Bugzilla:2055826, Bugzilla:2059626, - Jira:RHELPLAN-133171, Bugzilla:2142499, Jira:RHELPLAN-145958, Jira:RHELPLAN-146398, Jira:RHELPLAN-153267 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.2-4
-
-

- Fri August 9 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Added a Known Issue RHEL-11397 - (Installer and image creation) -
  • -
-
-
-
0.2-3
-
-

- Fri June 7 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Updated a Known Issue in Jira:RHELDOCS-17954 - (Red Hat Enterprise Linux System Roles). -
  • -
-
-
-
0.2-2
-
-

- Fri May 10 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.2-1
-
-

- Thu May 9 2024, Gabriela Fialova (gfialova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#1730502 - (Storage). -
  • -
-
-
-
0.1-10
-
-

- Thu Apr 25 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an enhancement BZ#2136610 - (Identity Management). -
  • -
-
-
-
0.1-9
-
-

- Mon Mar 04 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.1-8
-
-

- Thu Feb 29 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-7
-
-

- Tue Feb 13 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.1-6
-
-

- Fri Feb 2 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#1834716 - (Security). -
  • -
  • - Updated text for BZ#2183445 - (Kernel). -
  • -
-
-
-
0.1-5
-
-

- Thu Dec 7 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a new feature BZ#2043852 - (Kernel). -
  • -
-
-
-
0.1-4
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.1-3
-
-

- Tue Oct 17 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Update doc text of DF JIRA-RHELDOCS-16755 (Containers). -
  • -
-
-
-
0.1-2
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-1
-
-

- October 9 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#2169382 - (kernel). -
  • -
-
-
-
0.1-0
-
-

- September 8 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.0-9
-
-

- August 24 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2214508 - (Kernel). -
  • -
-
-
-
0.0-8
-
-

- August 4 2023, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.0-7
-
-

- August 3 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.0-6
-
-

- August 1 2023, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added deprecated functionality BZ#2225332. -
  • -
  • - Improved abstract. -
  • -
-
-
-
0.0-5
-
-

- July 31 2023, Mirek Jahoda (mjahoda@redhat.com) -

-
-
    -
  • - The known issue BZ#2203361 changed to a bug fix BZ#2212371. -
  • -
-
-
-
0.0-4
-
-

- July 13 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.0-3
-
-

- June 27 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added an enhancement BZ#2087247 - (Identity Management). -
  • -
  • - Moved BZ#2176248 - to Bug Fixes (Security). -
  • -
  • - Added a known issue BZ#2176973 - (Security). -
  • -
  • - Updated Technology Preview BZ#1769727 - (Kernel). -
  • -
-
-
-
0.0-2
-
-

- Jun 6 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2177957 - (Virtualization). -
  • -
  • - Other small updates. -
  • -
-
-
-
0.0-1
-
-

- May 17 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.8 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Mar 29 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.8 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
-
diff --git a/app/data/8.9.html b/app/data/8.9.html deleted file mode 100644
index 9427502..0000000
--- a/app/data/8.9.html
+++ /dev/null
@@ -1,21622 +0,0 @@
- -
-
-
-
Red Hat Enterprise Linux 8.9
-
-

Release Notes for Red Hat Enterprise Linux 8.9

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 8.9 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
- For information about installing Red Hat Enterprise Linux, see Section 3.1, “Installation”. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your feedback on our documentation. Let us know how we can improve it. -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 8.9

-
-
-
-

Installer and image creation

-

- Key highlights for image builder: -

-
-
    -
  • - Enhancement to the AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI boot, - in addition to the legacy BIOS boot. -
  • -
-
-

- For more information, see New features - Installer and image creation. -

-

Security

-

- Key security-related highlights: -

-
-
    -
  • - OpenSCAP was rebased to version 1.3.8. -
  • -
  • - ANSSI-BP-028 SCAP security profiles were - updated to version 2.0. -
  • -
  • - SCAP Security Guide now contains - improved rules to provide more consistent interactive user configuration and the DISA STIG - profile supports audit_rules_login_events_faillock. -
  • -
-
-

- See New features - Security - for more information. -

-

Dynamic programming languages, web and - database servers

-

- Node.js 20 is now available as a new module - stream. -

-

- See New Features - Dynamic - programming languages, web and database servers for more information. -

-

Compilers and development tools

-
Updated performance tools and debuggers
-

- The following performance tools and debuggers have been updated in RHEL 8.9: -

-
-
    -
  • - Valgrind 3.21 -
  • -
  • - SystemTap 4.9 -
  • -
  • - elfutils 0.189 -
  • -
-
-
Updated performance monitoring tools
-

- The following performance monitoring tools have been updated in RHEL 8.9: -

-
-
    -
  • - Grafana 9.2.10 -
  • -
  • - grafana-pcp 5.1.1 -
  • -
-
-
Updated compiler toolsets
-

- The following compiler toolsets have been updated in RHEL 8.9: -

-
-
    -
  • - GCC Toolset 13 (new) -
  • -
  • - LLVM Toolset 16.0.6 -
  • -
  • - Rust Toolset 1.71.1 -
  • -
  • - Go Toolset 1.20.10 -
  • -
-
-

- See New features - Compilers and development tools - for more information. -

-
Java implementations in RHEL 8
-

- The RHEL 8 AppStream repository includes: -

-
-
    -
  • - The java-21-openjdk packages, which provide the OpenJDK 21 Java - Runtime Environment and the OpenJDK 21 Java Software Development Kit. -
  • -
  • - The java-17-openjdk packages, which provide the OpenJDK 17 Java - Runtime Environment and the OpenJDK 17 Java Software Development Kit. -
  • -
  • - The java-11-openjdk packages, which provide the OpenJDK 11 Java - Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
  • -
  • - The java-1.8.0-openjdk packages, which provide the OpenJDK 8 - Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. -
  • -
-
-

- The Red Hat build of OpenJDK packages share a single set of binaries between its portable Linux - releases, RHEL 8.9 and later releases. Because of this update, there is a change in the process of - rebuilding the OpenJDK packages on RHEL from the source RPM. For more information about the new - rebuilding process, see the README.md file which is available in the - SRPM package of the Red Hat build of OpenJDK and is also installed by the java-*-openjdk-headless packages under the /usr/share/doc tree. -

-

- For more information, see OpenJDK - documentation. -

-
-
-
-
-
-

1.2. In-place upgrade and OS conversion

-
-
-
-

In-place upgrade from RHEL 7 to RHEL 8

-

- The possible in-place upgrade paths currently are: -

-
-
    -
  • - From RHEL 7.9 to RHEL 8.6 RHEL 8.8 and RHEL 8.9 on the 64-bit Intel, IBM POWER 8 (little - endian), and IBM Z architectures -
  • -
  • - From RHEL 7.9 to RHEL 8.6 and RHEL 8.8 on systems with SAP HANA on the 64-bit Intel - architecture. -
  • -
-
-

- For more information, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. -

-

- For instructions on performing an in-place upgrade, see Upgrading - from RHEL 7 to RHEL 8. -

-

- For instructions on performing an in-place upgrade on systems with SAP environments, see How to in-place upgrade SAP - environments from RHEL 7 to RHEL 8. -

-

- Notable enhancements include: -

-
-
    -
  • - Requirements on disk space have been significantly reduced on systems with XFS filesystems - formatted with ftype=0. -
  • -
  • - Disk images created during the upgrade process for upgrade purposes now have dynamic sizes. - The LEAPP_OVL_SIZE environment variable is not needed anymore. -
  • -
  • - Issues with the calculation of the required free space on existing disk partitions have been - fixed. The missing free disk space is now correctly detected before the required reboot of - the system, and the report correctly displays file systems that do not have enough free - space to proceed the upgrade RPM transaction. -
  • -
  • - Third-party drivers can now be managed during the in-place upgrade process using custom - leapp actors. -
  • -
  • - An overview of the pre-upgrade and upgrade reports is now printed in the terminal. -
  • -
  • - Upgrades of RHEL Real Time and RHEL Real Time for Network Functions Virtualization (NFV) in - Red Hat OpenStack Platform are now supported. -
  • -
-
-

In-place upgrade from RHEL 6 to RHEL 8

-

- It is not possible to perform an in-place upgrade directly from RHEL 6 to RHEL 8. However, you can - perform an in-place upgrade from RHEL 6 to RHEL 7 and then perform a second in-place upgrade to RHEL - 8. For more information, see Upgrading - from RHEL 6 to RHEL 7. -

-

In-place upgrade from RHEL 8 to RHEL 9

-

- Instructions on how to perform an in-place upgrade from RHEL 8 to RHEL 9 using the Leapp utility are - provided by the document Upgrading - from RHEL 8 to RHEL 9. Major differences between RHEL 8 and RHEL 9 are documented in Considerations - in adopting RHEL 9. -

-

Conversion from a different Linux - distribution to RHEL

-

- If you are using Alma Linux 8, CentOS Linux 8, Oracle Linux 8, or Rocky Linux 8, you can convert - your operating system to RHEL 8 using the Red Hat-supported Convert2RHEL utility. For more information, see Converting - from an RPM-based Linux distribution to RHEL. -

-

- If you are using an earlier version of CentOS Linux or Oracle Linux, namely versions 6 or 7, you can - convert your operating system to RHEL and then perform an in-place upgrade to RHEL 8. Note that - CentOS Linux 6 and Oracle Linux 6 conversions use the unsupported Convert2RHEL utility. For more information on unsupported conversions, - see How to perform an unsupported - conversion from a RHEL-derived Linux distribution to RHEL. -

-

- For information regarding how Red Hat supports conversions from other Linux distributions to RHEL, - see the Convert2RHEL Support Policy - document. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-
- -
-
-
Note
-
-

- Release notes include links to access the original tracking tickets. Private tickets have no - links and instead feature this footnote.[1] -

-
-
-

-
-
-
[1] - - Release notes include links to access the original tracking tickets. Private tickets have no - links and instead feature this footnote. -
-
-
-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 8.9 is distributed with the kernel version 4.18.0-513.5.1, which provides - support for the following architectures: -

-
-
    -
  • - AMD and Intel 64-bit architectures -
  • -
  • - The 64-bit ARM architecture -
  • -
  • - IBM Power Systems, Little Endian -
  • -
  • - 64-bit IBM Z -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. For a list of available - subscriptions, see Subscription - Utilization on the Customer Portal. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 8

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 8 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Binary DVD ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. -

    -
    -
    Note
    -
    -

    - The Installation ISO image is in multiple GB size, and as a result, it might not - fit on optical media formats. A USB key or USB hard drive is recommended when - using the Installation ISO image to create bootable installation media. You can - also use the Image Builder tool to create customized RHEL images. For more - information about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Binary DVD ISO image. -
  • -
-
-

- See the Performing - a standard RHEL 8 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 8 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 8 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For a list - of packages distributed through BaseOS, see the Package - manifest. -

-

- Content in the Application Stream repository includes additional user space applications, runtime - languages, and databases in support of the varied workloads and use cases. Application Streams are - available in the familiar RPM format, as an extension to the RPM format called modules, or as Software Collections. For a list of packages - available in AppStream, see the Package - manifest. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 8 repositories, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Red Hat Enterprise Linux 8 introduces the concept of Application Streams. Multiple versions of - user-space components are now delivered and updated more frequently than the core operating system - packages. This provides greater flexibility to customize Red Hat Enterprise Linux without impacting - the underlying stability of the platform or specific deployments. -

-

- Components made available as Application Streams can be packaged as modules or RPM packages and are - delivered through the AppStream repository in RHEL 8. Each Application Stream component has a given - life cycle, either the same as RHEL 8 or shorter. For details, see Red Hat Enterprise Linux Life - Cycle. -

-

- Modules are collections of packages representing a logical unit: an application, a language stack, a - database, or a set of tools. These packages are built, tested, and released together. -

-

- Module streams represent versions of the Application Stream components. For example, several streams - (versions) of the PostgreSQL database server are available in the postgresql module with the default postgresql:10 stream. Only one module stream can be installed on the - system. Different versions can be used in separate containers. -

-

- Detailed module commands are described in the Installing, - managing, and removing user-space components document. For a list of modules available in - AppStream, see the Package - manifest. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- On Red Hat Enterprise Linux 8, installing software is ensured by the YUM tool, which is based on the DNF technology. We deliberately adhere to usage of - the yum term for consistency with previous major versions of RHEL. - However, if you type dnf instead of yum, - the command works as expected because yum is an alias to dnf for compatibility. -

-

- For more details, see the following documentation: -

- -
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.9. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

Support to both legacy and UEFI boot for AWS EC2 images

-

- Previously, RHEL image builder created EC2 AMD or Intel 64-bit architecture AMIs images with - support only for the legacy boot type. As a consequence, it was not possible to take advantage - of certain AWS features requiring UEFI boot, such as secure boot. This enhancement extends the - AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI boot, in addition to the - legacy BIOS boot. As a result, it is now possible to take advantage of AWS features which - require booting the image with UEFI. -

-
-

- Jira:RHELDOCS-16339[1] -

-
-

New boot option inst.wait_for_disks= to add - wait time for loading a kickstart file or the kernel drivers

-

- Sometimes, it may take a few seconds to load a kickstart file or the kernel drivers from the - device with the OEMDRV label during the boot process. To adjust the - wait time, you can now use the new boot option, inst.wait_for_disks=. Using this option, you can specify how many - seconds to wait before the installation. The default time is set to 5 seconds, however, you can use 0 - seconds to minimize the delay. For more information about this option, see Storage - boot options. -

-
-

- Bugzilla:1770969 -

-
-

New network kickstart options to control DNS - handling

-

- You can now control DNS handling using the network kickstart - command with the following new options. Use these new options with the --device option. -

-
-
-
    -
  • -

    - The --ipv4-dns-search and --ipv6-dns-search options allow you to set DNS search domains - manually. These options mirror their respective NetworkManager properties, for example: -

    -
    network --device ens3 --ipv4-dns-search domain1.example.com,domain2.example.com
    -
  • -
  • - The --ipv4-ignore-auto-dns and --ipv6-ignore-auto-dns options allow you to ignore DNS settings - from DHCP. They do not require any arguments. -
  • -
-
-

- Bugzilla:1656662[1] -

-
-
-
-
-
-

4.2. Security

-
-
-
-
-

opencryptoki rebased to 3.21.0

-

- The opencryptoki package has been rebased to version 3.21.0, which - provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features: -

-
-
-
    -
  • - Concurrent hardware security module (HSM) master key changes -
  • -
  • - The protected-key option to transform a chosen key into a - protected key -
  • -
  • - Additional key types, such as DH, DSA, and generic secret key types -
  • -
  • - EP11 host library version 4 -
  • -
  • - AES-XTS key type -
  • -
  • - IBM-specific Kyber key type and mechanism -
  • -
  • - Additional IBM-specific Dilithium key round 2 and 3 variants -
  • -
-
-

- Additionally, pkcsslotd slot manager no longer runs as root and opencryptoki offers further hardening. With this update, you can also use - the following set of new commands: -

-
-
-
p11sak set-key-attr
-
- To modify keys -
-
p11sak copy-key
-
- To copy keys -
-
p11sak import-key
-
- To import keys -
-
p11sak export-key
-
- To export keys -
-
-
-

- Bugzilla:2159697[1] -

-
-

fapolicyd now provides rule numbers for - troubleshooting

-

- With this enhancement, new kernel and Audit components allow the fapolicyd service to send the number of the rule that causes a denial - to the fanotify API. As a result, you can troubleshoot problems - related to fapolicyd more precisely. -

-
-

- Jira:RHEL-628 -

-
-

ANSSI-BP-028 security profiles updated to version 2.0

-

- The following French National Agency for the Security of Information Systems (ANSSI) BP-028 - profiles in the SCAP Security Guide were updated to be aligned with version 2.0: -

-
-
-
    -
  • - ANSSI-BP-028 Minimal Level -
  • -
  • - ANSSI-BP-028 Intermediary Level -
  • -
  • - ANSSI-BP-028 Enhanced Level -
  • -
  • - ANSSI-BP-028 High Level -
  • -
-
-

- Bugzilla:2155789 -

-
-

Better definition of interactive users

-

- The rules in the scap-security-guide package were improved to - provide more consistent interactive user configuration. Previously, some rules used different - approaches for identifying interactive and non-interactive users. With this update, we have - unified the definitions of interactive users. User accounts with UID greater than or equal to - 1000 are now considered interactive, with the exception of the nobody and nfsnobody accounts and with - the exception of accounts that use /sbin/nologin as the login - shell. -

-
-

- This change affects the following rules: -

-
-
    -
  • - accounts_umask_interactive_users -
  • -
  • - accounts_user_dot_user_ownership -
  • -
  • - accounts_user_dot_group_ownership -
  • -
  • - accounts_user_dot_no_world_writable_programs -
  • -
  • - accounts_user_interactive_home_directory_defined -
  • -
  • - accounts_user_interactive_home_directory_exists -
  • -
  • - accounts_users_home_files_groupownership -
  • -
  • - accounts_users_home_files_ownership -
  • -
  • - accounts_users_home_files_permissions -
  • -
  • - file_groupownership_home_directories -
  • -
  • - file_ownership_home_directories -
  • -
  • - file_permissions_home_directories -
  • -
  • - file_permissions_home_dirs -
  • -
  • - no_forward_files -
  • -
-
-

- Bugzilla:2157877, Bugzilla:2178740 -

-
-

The DISA STIG profile now supports audit_rules_login_events_faillock

-

- With this enhancement, the SCAP Security Guide audit_rules_login_events_faillock rule, which references STIG ID - RHEL-08-030590, has been added to the DISA STIG profile for RHEL 8. This rule checks if the - Audit daemon is configured to record any attempts to modify login event logs stored in the /var/log/faillock directory. -

-
-

- Bugzilla:2167999 -

-
-

OpenSCAP rebased to 1.3.8

-

- The OpenSCAP packages have been rebased to upstream version 1.3.8. This version provides various - bug fixes and enhancements, most notably: -

-
-
-
    -
  • - Fixed systemd probes to not ignore some systemd units -
  • -
  • - Added offline capabilities to the shadow OVAL probe -
  • -
  • - Added offline capabilities to the sysctl OVAL probe -
  • -
  • - Added auristorfs to the list of network filesystems -
  • -
  • - Created a workaround for issues with tailoring files produced by the autotailor utility -
  • -
-
-

- Bugzilla:2217441 -

-
-

SCAP Security Guide rebased to version 0.1.69

-

- The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.69. This - version provides various enhancements and bug fixes, most notably three new SCAP profiles for - RHEL 9 which are aligned with three levels of the CCN-STIC-610A22 Guide issued by the National - Cryptologic Center of Spain in 2022-10: -

-
-
-
    -
  • - CCN Red Hat Enterprise Linux 9 - Basic -
  • -
  • - CCN Red Hat Enterprise Linux 9 - Intermediate -
  • -
  • - CCN Red Hat Enterprise Linux 9 - Advanced -
  • -
-
-

- Bugzilla:2221695 -

-
-

FIPS-enabled in-place upgrades from RHEL 8.8 and later to RHEL 9.2 and - later are supported

-

- With the release of the RHBA-2023:3824 advisory, you can - perform an in-place upgrade of a RHEL 8.8 and later system to a RHEL 9.2 and later system with - FIPS mode enabled. -

-
-

- Bugzilla:2097003 -

-
-

crypto-policies permitted_enctypes no longer break replications in FIPS - mode

-

- Before this update, an IdM server running on RHEL 8 sent an AES-256-HMAC-SHA-1-encrypted service - ticket that an IdM replica running RHEL 9 in FIPS mode. Consequently, the default permitted_enctypes krb5 configuration - broke a replication between the RHEL 8 IdM server and the RHEL 9 IdM replica in FIPS mode. -

-
-

- With this update, the values of the permitted_enctypes krb5 configuration option depend on the mac - and cipher crypto-policy values. That - allows the prioritization of the interoperable encryption types by default. -

-

- As additional results of this update, the arcfour-hmac-md5 option is - available only in the LEGACY:AD-SUPPORT subpolicy and the aes256-cts-hmac-sha1-96 is no longer available in the FUTURE policy. -

-
-
Note
-
-

- If you use Kerberos, verify the order of the values of permitted_enctypes in the /etc/crypto-policies/back-ends/krb5.config file. If your scenario - requires a different order, apply a custom cryptographic subpolicy. -

-
-
-

- Bugzilla:2219912 -

-
-

Audit now supports FANOTIFY record - fields

-

- This update of the audit packages introduces support for FANOTIFY Audit record fields. The Audit subsystem now logs additional - information in the AUDIT_FANOTIFY record, notably: -

-
-
-
    -
  • - fan_type to specify the type of a FANOTIFY event -
  • -
  • - fan_info to specify additional context information -
  • -
  • - sub_trust and obj_trust to - indicate trust levels for a subject and an object involved in an event -
  • -
-
-

- As a result, you can better understand why the Audit system denied access in certain cases. This can - help you write policies for tools such as the fapolicyd framework. -

-

- Bugzilla:2216666 -

-
-

New SELinux boolean to allow QEMU Guest Agent executing confined - commands

-

- Previously, commands that were supposed to execute in a confined context through the QEMU Guest - Agent daemon program, such as mount, failed with an Access Vector - Cache (AVC) denial. To be able to execute these commands, the guest-agent must run in the virt_qemu_ga_unconfined_t domain. -

-
-

- Therefore, this update adds the SELinux policy boolean virt_qemu_ga_run_unconfined that allows guest-agent to make the transition to virt_qemu_ga_unconfined_t for executables located in any of the following - directories: -

-
-
    -
  • - /etc/qemu-ga/fsfreeze-hook.d/ -
  • -
  • - /usr/libexec/qemu-ga/fsfreeze-hook.d/ -
  • -
  • - /var/run/qemu-ga/fsfreeze-hook.d/ -
  • -
-
-

- In addition, the necessary rules for transitions for the qemu-ga daemon - have been added to the SELinux policy boolean. -

-

- As a result, you can now execute confined commands through the QEMU Guest Agent without AVC denials - by enabling the virt_qemu_ga_run_unconfined boolean. -

-

- Bugzilla:2093355 -

-
-
-
-
-
-

4.3. Infrastructure services

-
-
-
-
-

Postfix now supports SRV lookups

-

- With this enhancement, you can now use the Postfix DNS service records resolution (SRV) to - automatically configure mail clients and balance load of servers. Additionally, you can prevent - mail delivery disruptions caused by temporary DNS issues or misconfigured SRV records by using - the following SRV-related options in your Postfix configuration: -

-
-
-
-
use_srv_lookup
-
- You can enable discovery for the specified service by using DNS SRV records. -
-
allow_srv_lookup_fallback
-
- You can use a cascading approach to locating a service. -
-
ignore_srv_lookup_error
-
- You can ensure that the service discovery remains functional even if SRV records are not - available or encounter errors. -
-
-
-

- Bugzilla:1787010 -

-
-

You can now specify TLS 1.3 cipher suites in vsftpd

-

- With this enhancement, you can use the new ssl_ciphersuites option - to configure which cipher suites vsftpd uses. As a result, you can - specify TLS 1.3 cipher suites that differ from the previous TLS versions. To specify multiple - cipher suites, separate entries with colons (:). -

-
-

- Bugzilla:2069733 -

-
-

Generic LF-to-CRLF driver is available in cups-filters

-

- With this enhancement, you can now use the Generic LF-to-CRLF driver, which converts LF - characters to CR+LF characters for printers accepting files with CR+LF characters. The carriage - return (CR) and line feed (LF) are control characters that mark the end of lines. As a result, - by using this driver, you can send an LF character terminated file from your application to a - printer accepting only CR+LF characters. The Generic LF-to-CRLF driver is a renamed version of - the text-only driver from RHEL 7. The new name reflects its actual - functionality. -

-
-

- Bugzilla:2118406[1] -

-
-
-
-
-
-

4.4. Networking

-
-
-
-
-

iproute rebased to version 6.2.0

-

- The iproute packages have been upgraded to upstream version 6.2.0, - which provides a number of enhancements and bug fixes over the previous version. The most - notable changes are: -

-
-
-
    -
  • - The new ip stats command manages and shows interface - statistics. By default, the ip stats show command displays - statistics for all network devices, including bridges and bonds. You can filter the output - by using the dev and group - options. For further details, see the ip-stats(8) man page. -
  • -
  • - The ss utility now provides the -T - (--threads) option to display thread information, which extends - the -p (--processes) option. For - further details, see the ss(8) man page. -
  • -
  • - You can use the new bridge fdb flush command to remove specific - forwarding database (fdb) entries which match a supplied option. For further details, see - the bridge(8) man page. -
  • -
-
-

- Jira:RHEL-424[1] -

-
-

Security improvement of the default nftables - service configuration

-

- This enhancement adds the do_masquerade chain to the default nftables service configuration in the /etc/sysconfig/nftables/nat.nft file. This reduces the risk of a port - shadow attack, which is described in CVE-2021-3773. The first - rule in the do_masquerade chain detects suitable packets and - enforces source port randomization to reduce the risk of port shadow attacks. -

-
-

- Bugzilla:2061942 -

-
-

NetworkManager supports the no-aaaa DNS option

-

- You can now use the no-aaaa option to configure DNS settings on - managed nodes by suppressing AAAA queries generated by the stub resolver. Previously, there was - no option to suppress AAAA queries generated by the stub resolver, including AAAA lookups - triggered by NSS-based interfaces such as getaddrinfo; only DNS - lookups were affected. With this enhancement, you can disable IPv6 resolution by using the nmcli utility. After a restart of the NetworkManager service, the no-aaaa - setting gets reflected in the /etc/resolv.conf file, with - additional control over DNS lookups. -

-
-

- Bugzilla:2144521 -

-
-

The nm-cloud-setup utility now supports IMDSv2 - configuration

-

- Users can configure an AWS Red Hat Enterprise Linux EC2 instance with Instance Metadata Service - Version 2 (IMDSv2) with the nm-cloud-setup utility. To comply with - improved security that restricts unauthorized access to EC2 metadata and new features, - integration between AWS and Red Hat services is necessary to provide advanced features. This - enhancement enables the nm-cloud-setup utility to fetch and save - the IMDSv2 tokens, verify an EC2 environment, and retrieve information about available - interfaces and IP configuration by using the secured IMDSv2 tokens. -

-
-

- Bugzilla:2151987 -

-
-

The libnftnl package rebased to version - 1.2.2

-

- The Netlink API to the in-kernel nf_tables subsystem (libnftnl) package has been rebased. Notable changes and enhancements - include: -

-
-
-
    -
  • -

    - Added features: -

    -
    -
      -
    • - Nesting of the udata attribute -
    • -
    • - Resetting TCP options with the exthdr expression -
    • -
    • - The sdif and sdifname - meta keywords -
    • -
    • - Support for a new attribute NFTNL_CHAIN_FLAGS in - the nftnl_chain struct, to communicate flags - between the kernel and user space. -
    • -
    • - Support for the nftnl_set struct nftables sets - backend to add expressions to sets and set elements. -
    • -
    • - Comments to sets, tables, objects, and chains -
    • -
    • - The nftnl_table struct now has an NFTNL_TABLE_OWNER attribute. Set this attribute to - enable the kernel to communicate the owner to the user space. -
    • -
    • - Readiness for incremental updates to flowtable device -
    • -
    • - The typeof keyword related nftnl_set udata definitions -
    • -
    • - The chain ID attribute -
    • -
    • - The function to remove expressions from a rule -
    • -
    • - A new last expression -
    • -
    -
    -
  • -
  • -

    - Improved bitwise expressions: -

    -
    -
      -
    • - Newly added op and data attributes -
    • -
    • - Left and right shifts -
    • -
    • - Aligned with debug output of other expressions -
    • -
    -
    -
  • -
  • -

    - Improved socket expressions: -

    -
    -
      -
    • - Added the wildcard attribute -
    • -
    • - Support for cgroups v2 -
    • -
    -
    -
  • -
  • -

    - Improved debug output: -

    -
    -
      -
    • - Included the key_end data register in set elements -
    • -
    • - Dropped unused registers from masq and nat - expressions -
    • -
    • - Applied fix for verdict map elements -
    • -
    • - Removed leftovers from dropped XML formatting -
    • -
    • - Support for payload offset of inner header -
    • -
    -
    -
  • -
-
-

- Bugzilla:2211096 -

-
-
-
-
-
-

4.5. Kernel

-
-
-
-
-

Kernel version in RHEL 8.9

-

- Red Hat Enterprise Linux 8.9 is distributed with the kernel version 4.18.0-513.5.1. -

-
-

- Bugzilla:2232558 -

-
-

The RHEL kernel now supports AutoIBRS

-

- Automatic Indirect Branch Restricted Speculation (AutoIBRS) is a feature provided by the AMD - EPYC 9004 Genoa family of processors and later CPU versions. AutoIBRS is the default mitigation - for the Spectre v2 CPU vulnerability, which boosts performance and improves scalability. -

-
-

- Bugzilla:1989283[1] -

-
-

The Intel® QAT kernel driver rebased to upstream version 6.2

-

- The Intel® Quick Assist Technology (QAT) has been rebased to upstream version 6.2. The Intel® - QAT includes accelerators optimized for symmetric and asymmetric cryptography, compression - performance, and other CPU intensive tasks. -

-
-

- The rebase includes many bug fixes and enhancements. The most notable enhancement is the support - available for following hardware accelerator devices for QAT GEN4: -

-
-
    -
  • - Intel Quick Assist Technology 401xx devices -
  • -
  • - Intel Quick Assist Technology 402xx devices -
  • -
-
-

- Bugzilla:2144529[1] -

-
-

makedumpfile rebased to version 1.7.2 -

-

- The makedumpfile tool, which makes the crash dump file small by - compressing pages or excluding memory pages that are not required, has been rebased to version - 1.7.2. The rebase includes many bug fixes and enhancements. -

-
-

- The most notable change is the added 5-level paging mode for standalone dump (sadump) mechanism on AMD and Intel 64-bit architectures. The 5-level - paging mode extends the processor’s linear address width to allow applications access larger amounts - of memory. 5-level paging extends the size of virtual addresses from 48 to 57 bits and the physical - addresses from 46 to 52 bits. -

-

- Bugzilla:2173791 -

-
-
-
-
-
-

4.6. File systems and storage

-
-
-
-
-

Support for specifying a UUID when creating a GFS2 file system

-

- The mkfs.gfs2 command now supports the new -U option, which makes it possible to specify the file system UUID - for the file system you create. If you omit this option, the file system’s UUID is generated - randomly. -

-
-

- Bugzilla:2180782 -

-
-

fuse3 now allows invalidating a directory - entry without triggering umount

-

- With this update, a new mechanism has been added to fuse3 package, - that allows invalidating a directory entry without automatically triggering the umount of any mounts that exists on the entry. -

-
-

- Bugzilla:2171095[1] -

-
-
-
-
-
-

4.7. High availability and clusters

-
-
-
-
-

Pacemaker’s scheduler now tries to satisfy all mandatory colocation - constraints before trying to satisfy optional colocation constraints

-

- Previously, colocation constraints were considered one by one regardless of whether they were - mandatory or optional. This meant that certain resources could be unable to run even though a - node assignment was possible. Pacemaker’s scheduler now tries to satisfy all mandatory - colocation constraints, including the implicit constraints between group members, before trying - to satisfy optional colocation constraints. As a result, resources with a mix of optional and - mandatory colocation constraints are now more likely to be able to run. -

-
-

- Bugzilla:1876173 -

-
-

IPaddr2 and IPsrcaddr cluster resource agents now support policy-based - routing

-

- The IPaddr2 and IPsrcaddr cluster - resource agents now support policy-based routing, which enables you to configure complex routing - scenarios. Policy-based routing requires that you configure the resource agent’s table parameter. -

-
-

- Bugzilla:2040110 -

-
-

The Filesystem resource agent now supports the - EFS file system type

-

- The ocf:heartbeat:Filesystem cluster resource agent now supports - the Amazon Elastic File System (EFS). You can now specify fstype=efs when configuring a Filesystem - resource. -

-
-

- Bugzilla:2049319 -

-
-

The alert_snmp.sh.sample alert agent now - supports SNMPv3

-

- The alert_snmp.sh.sample alert agent, which is the sample alert - agent provided with Pacemaker, now supports the SNMPv3 protocol as well as SNMPv2. With this - update, you can copy the alert_snmp.sh.sample agent without - modification to use SNMPv3 with Pacemaker alerts. -

-
-

- Bugzilla:2160206 -

-
-

New enabled alert meta option to disable a - Pacemaker alert

-

- Pacemaker alerts and alert recipients now support an enabled meta - option. -

-
-
-
    -
  • - Setting the enabled meta option to false for an alert disables the alert. -
  • -
  • - Setting the enabled meta option to true for an alert and false for a - particular recipient disables the alert for that recipient. -
  • -
-
-

- The default value for the enabled meta option is true. You can use this option to temporarily disable an alert for any - reason, such as planned maintenance. -

-

- Bugzilla:2078611 -

-
-

Pacemaker Remote nodes now preserve transient node attributes after a brief - connection outage

-

- Previously, when a Pacemaker Remote connection was lost, Pacemaker would always purge its - transient node attributes. This was unnecessary if the connection was quickly recoverable and - the remote daemon had not restarted in the meantime. Pacemaker Remote nodes now preserve - transient node attributes after a brief, recoverable connection outage. -

-
-

- Bugzilla:2030869 -

-
-

Enhancements to the pcs property - command

-

- The pcs property command now supports the following enhancements: -

-
-
-
    -
  • -

    - The pcs property config --output-format= option -

    -
    -
      -
    • - Specify --output-format=cmd to display the pcs property set command created from the current - cluster properties configuration. You can use this command to re-create - configured cluster properties on a different system. -
    • -
    • - Specify --output-format=json to display the - configured cluster properties in JSON format. -
    • -
    • - Specify output-format=text to display the - configured cluster properties in plain text format, which is the default value - for this option. -
    • -
    -
    -
  • -
  • - The pcs property defaults command, which replaces the - deprecated pcs property --defaults option -
  • -
  • - The pcs property describe command, which describes the meaning - of cluster properties. -
  • -
-
-

- Bugzilla:2166289 -

-
-
-
-
-
-

4.8. Dynamic programming languages, web and database servers

-
-
-
-
-

A new nodejs:20 module stream is fully - supported

-

- A new module stream, nodejs:20, previously available as a - Technology Preview, is fully supported with the release of the RHEA-2023:7249 advisory. The - nodejs:20 module stream now provides Node.js 20.9, which is a Long Term Support (LTS) version. -

-
-

- Node.js 20 included in RHEL 8.9 provides numerous new features, bug - fixes, security fixes, and performance improvements over Node.js 18 - available since RHEL 8.7. -

-

- Notable changes include: -

-
-
    -
  • - The V8 JavaScript engine has been upgraded to version 11.3. -
  • -
  • - The npm package manager has been upgraded to version 9.8.0. -
  • -
  • - Node.js introduces a new experimental Permission Model. -
  • -
  • - Node.js introduces a new experimental Single Executable - Application (SEA) feature. -
  • -
  • - Node.js provides improvements to the Experimental ECMAScript - modules (ESM) loader. -
  • -
  • - The native test runner, introduced as an experimental node:test - module in Node.js 18, is now considered stable. -
  • -
-
-

- To install the nodejs:20 module stream, use: -

-
# yum module install nodejs:20
-

- If you want to upgrade from the nodejs:18 stream, see Switching - to a later stream. -

-

- For information about the length of support for the nodejs Application - Streams, see Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Bugzilla:2186718 -

-
-

A new filter argument to the Python tarfile extraction functions

-

- To mitigate CVE-2007-4559, Python adds a - filter argument to the tarfile - extraction functions. The argument allows turning tar features off - for increased safety (including blocking the CVE-2007-4559 directory traversal attack). If a - filter is not specified, the 'data' filter, which is the safest but - most limited, is used by default in RHEL. In addition, Python emits a warning when your - application has been affected. -

-
-

- For more information, including instructions to hide the warning, see the Knowledgebase article Mitigation of directory traversal - attack in the Python tarfile library (CVE-2007-4559). -

-

- Jira:RHELDOCS-16405[1] -

-
-

The HTTP::Tiny Perl module now verifies TLS - certificates by default

-

- The default value for the verify_SSL option in the HTTP::Tiny Perl module has been changed from 0 to 1 to verify TLS certificates when - using HTTPS. This change fixes CVE-2023-31486 for HTTP::Tiny and CVE-2023-31484 for the CPAN - Perl module. -

-
-

- To make support for TLS verification available, this update adds the following dependencies to the - perl-HTTP-Tiny package: -

-
-
    -
  • - perl-IO-Socket-SSL -
  • -
  • - perl-Mozilla-CA -
  • -
  • - perl-Net-SSLeay -
  • -
-
-

- Bugzilla:2228409[1] -

-
-

A new environment variable in Python to control parsing of email - addresses

-

- To mitigate CVE-2023-27043, a backward - incompatible change to ensure stricter parsing of email addresses was introduced in Python 3. -

-
-

- The update in RHSA-2024:0256 introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING environment variable. When you - set this variable to true, the previous, less strict parsing behavior - is the default for the entire system: -

-
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
-

- However, individual calls to the affected functions can still enable stricter behavior. -

-

- You can achieve the same result by creating the /etc/python/email.cfg - configuration file with the following content: -

-
[email_addr_parsing]
-PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
-

- For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing - stricter parsing of email addresses in Python. -

-

- Jira:RHELDOCS-17369[1] -

-
-
-
-
-
-

4.9. Compilers and development tools

-
-
-
-
-

Improved string and memory routine performance on Intel® Xeon® v5-based - hardware in glibc

-

- Previously, the default amount of cache used by glibc for string - and memory routines resulted in lower than expected performance on Intel® Xeon® v5-based - systems. With this update, the amount of cache to use has been tuned to improve performance. -

-
-

- Bugzilla:2180462 -

-
-

GCC now supports preserving register arguments

-

- With this update, you can now store argument register content to the stack and generate proper - Call Frame Information (CFI) to allow the unwinder to locate it without negatively impacting - performance. -

-
-

- Bugzilla:2168205[1] -

-
-

New GCC Toolset 13

-

- GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is - available as an Application Stream in the form of a Software Collection in the AppStream - repository. -

-
-

- The GCC compiler has been updated to version 13.1.1, which provides many bug fixes and enhancements - that are available in upstream GCC. -

-

- The following tools and versions are provided by GCC Toolset 13: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 13.1.1 -

-
-

- GDB -

-
-

- 12.1 -

-
-

- binutils -

-
-

- 2.40 -

-
-

- dwz -

-
-

- 0.14 -

-
-

- annobin -

-
-

- 12.20 -

-
-
-

- To install GCC Toolset 13, run the following command as root: -

-
# yum install gcc-toolset-13
-

- To run a tool from GCC Toolset 13: -

-
$ scl enable gcc-toolset-13 tool
-

- To run a shell session where tool versions from GCC Toolset 13 override system versions of these - tools: -

-
$ scl enable gcc-toolset-13 bash
-

- For more information, - seehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/developing_c_and_cpp_applications_in_rhel_8/additional-toolsets-for-development_developing-applications#gcc-toolset-13_assembly_additional-toolsets-for-development[GCC - Toolset 13] and Using - GCC Toolset. -

-

- Bugzilla:2171898[1], Bugzilla:2171928, Bugzilla:2188490 -

-
-

GCC Toolset 13: GCC rebased to version 13.1.1

-

- In GCC Toolset 13, the GNU Compiler Collection (GCC) has been updated to version 13.1.1. Notable - changes include: -

-
-

- General improvements -

-
-
    -
  • -

    - OpenMP: -

    -
    -
      -
    • - OpenMP 5.0: Fortran now supports some non-rectangular loop nests. Such support - was added for C/C++ in GCC 11. -
    • -
    • - Many OpenMP 5.1 features have been added. -
    • -
    • - Initial support for OpenMP 5.2 features has been added. -
    • -
    -
    -
  • -
  • - A new debug info compression option value, -gz=zstd, is now - available. -
  • -
  • - The -Ofast, -ffast-math, and -funsafe-math-optimizations options no longer add startup code to - alter the floating-point environment when producing a shared object with the -shared option. -
  • -
  • - GCC can now emit its diagnostics using Static Analysis Results Interchange Format (SARIF), a - JSON-based format suited for capturing the results of static analysis tools (like GCC’s - -fanalyzer). You can also use SARIF to capture other GCC - warnings and errors in a machine-readable format. -
  • -
  • - Link-time optimization improvements have been implemented. -
  • -
-
-

- New languages and language-specific improvements -

-

- C family: -

-
-
    -
  • - A new -Wxor-used-as-pow option warns about uses of the - exclusive or (^) operator where the user might have meant - exponentiation. -
  • -
  • -

    - Three new function attributes have been added for documenting int arguments that are file descriptors: -

    -
    -
      -
    • - attribute((fd_arg(N))) -
    • -
    • - attribute((fd_arg_read(N))) -
    • -
    • - attribute((fd_arg_write(N))) -
    • -
    -
    -

    - These attributes are also used by -fanalyzer to detect - misuses of file descriptors. -

    -
  • -
  • - A new statement attribute, attribute((assume(EXPR)));, - has been added for C++23 portable assumptions. The attribute is supported also in C or - earlier C++. -
  • -
  • - GCC can now control when to treat the trailing array of a structure as a flexible array - member for the purpose of accessing the elements of such an array. By default, all trailing - arrays in aggregates are treated as flexible array members. Use the new command-line option - -fstrict-flex-arrays to control what array members are treated - as flexible arrays. -
  • -
-
-

- C: -

-
-
    -
  • -

    - Several C23 features have been implemented: -

    -
    -
      -
    • - Introduced the nullptr constant. -
    • -
    • - Enumerations enhanced to specify underlying types. -
    • -
    • - Requirements for variadic parameter lists have been relaxed. -
    • -
    • - Introduced the auto feature to enable type - inference for object definitions. -
    • -
    • - Introduced the constexpr specifier for object - definitions. -
    • -
    • - Introduced storage-class specifiers for compound literals. -
    • -
    • - Introduced the typeof object (previously supported - as an extension) and the typeof_unqual object. -
    • -
    • - Added new keywords: alignas, alignof, bool, false, static_assert, - thread_local, and true. -
    • -
    • - Added the [[noreturn]] attribute to specify that a - function does not return execution to its caller. -
    • -
    • - Added support for empty initializer braces. -
    • -
    • - Added support for STDC_VERSION_*_H - header version macros. -
    • -
    • - Removed the ATOMIC_VAR_INIT macro. -
    • -
    • - Added the unreachable macro for the <stddef.h> header. -
    • -
    • - Removed trigraphs. -
    • -
    • - Removed unprototyped functions. -
    • -
    • - Added printf and scanf - format checking through the -Wformat option for the - %wN and %wfN format - length modifiers. -
    • -
    • - Added support for identifier syntax of Unicode Standard Annex (UAX) 31. -
    • -
    • - Existing features adopted in C23 have been adjusted to follow C23 requirements - and are not diagnosed using the -std=c2x -Wpedantic - option. -
    • -
    -
    -
  • -
  • - A new -Wenum-int-mismatch option warns about mismatches between - an enumerated type and an integer type. -
  • -
-
-

- C++: -

-
-
    -
  • -

    - Implemented excess precision support through the -fexcess-precision option. It is enabled by default in strict - standard modes like -std=c++17, where it defaults to -fexcess-precision=standard. In GNU standard modes like -std=gnu++20, it defaults to -fexcess-precision=fast, which restores previous behavior. -

    -

    - The -fexcess-precision option affects the following - architectures: -

    -
    -
      -
    • - Intel 32- and 64-bit using x87 math, in some cases on Motorola 68000, where - float and double - expressions are evaluated in long double precision. -
    • -
    • - 64-bit IBM Z systems where float expressions are - evaluated in double precision. -
    • -
    • - Several architectures that support the std::float16_t or std::bfloat16_t types, where these types are - evaluated in float precision. -
    • -
    -
    -
  • -
  • -

    - Improved experimental support for C++23, including: -

    -
    -
      -
    • - Added support for labels at the end of compound statements. -
    • -
    • - Added a type trait to detect reference binding to a temporary. -
    • -
    • - Reintroduced support for volatile compound operations. -
    • -
    • - Added support for the #warning directive. -
    • -
    • - Added support for delimited escape sequences. -
    • -
    • - Added support for named universal character escapes. -
    • -
    • - Added a compatibility and portability fix for the char8_t type. -
    • -
    • - Added static operator() function objects. -
    • -
    • - Simplified implicit moves. -
    • -
    • - Rewriting equality in expressions is now less of a breaking change. -
    • -
    • - Removed non-encodable wide character literals and wide multicharacter literals. -
    • -
    • - Relaxed some constexpr function restrictions. -
    • -
    • - Extended floating-point types and standard names. -
    • -
    • - Implemented portable assumptions. -
    • -
    • - Added support for UTF-8 as a portable source file encoding standard. -
    • -
    • - Added support for static operator[] subscripts. -
    • -
    -
    -
  • -
  • -

    - New warnings: -

    -
    -
      -
    • - -Wself-move warns when a value is moved to itself - with std::move. -
    • -
    • - -Wdangling-reference warns when a reference is - bound to a temporary whose lifetime has ended. -
    • -
    • - The -Wpessimizing-move and -Wredundant-move warnings have been extended to warn - in more contexts. -
    • -
    -
    -
  • -
  • - The new -nostdlib++ option enables linking with g++ without implicitly linking in the C++ standard library. -
  • -
-
-

- Changes in the libstdc++ runtime - library -

-
-
    -
  • -

    - Improved experimental support for C++20, including: -

    -
    -
      -
    • - Added the <format> header and the std::format function. -
    • -
    • - Added support in the <chrono> header for the - std::chrono::utc_clock clock, other clocks, time - zones, and the std::format function. -
    • -
    -
    -
  • -
  • -

    - Improved experimental support for C++23, including: -

    -
    -
      -
    • - Additions to the <ranges> header: views::zip, views::zip_transform, views::adjacent, views::adjacent_transform, views::pairwise, views::slide, views::chunk, views::chunk_by, views::repeat, views::chunk_by, views::cartesian_product, views::as_rvalue, views::enumerate, views::as_const. -
    • -
    • - Additions to the <algorithm> header: ranges::contains, ranges::contains_subrange, ranges::iota, ranges::find_last, ranges::find_last_if, ranges::find_last_if_not, ranges::fold_left, ranges::fold_left_first, ranges::fold_right, ranges::fold_right_last, ranges::fold_left_with_iter, ranges::fold_left_first_with_iter. -
    • -
    • - Support for monadic operations for the std::expected class template. -
    • -
    • - Added constexpr modifiers to the std::bitset, std::to_chars and std::from_chars functions. -
    • -
    • - Added library support for extended floating-point types. -
    • -
    -
    -
  • -
  • - Added support for the <experimental/scope> header from - version 3 of the Library Fundamentals Technical Specification (TS). -
  • -
  • - Added support for the <experimental/synchronized_value> - header from version 2 of the Concurrency TS. -
  • -
  • -

    - Added support for many previously unavailable features in freestanding mode. For - example: -

    -
    -
      -
    • - The std::tuple class template is now available for - freestanding compilation. -
    • -
    • - The libstdc++ library adds components to the - freestanding subset, such as std::array and std::string_view. -
    • -
    • - The libstdc++ library now respects the -ffreestanding compiler option, so it is no longer - necessary to build a separate freestanding installation of the libstdc++ library. Compiling with -ffreestanding will restrict the available features - to the freestanding subset, even if the libstdc++ - library was built as a full, hosted implementation. -
    • -
    -
    -
  • -
-
-

- New targets and target-specific Improvements -

-

- The 64-bit ARM architecture: -

-
-
    -
  • - Added support for the armv9.1-a, armv9.2-a, and armv9.3-a arguments - for the -march= option. -
  • -
-
-

- The 32- and 64-bit AMD and Intel architectures: -

-
-
    -
  • - For both C and C++, the __bf16 type is supported on systems - with Streaming SIMD Extensions 2 and above enabled. -
  • -
  • - The real __bf16 type is now used for AVX512BF16 instruction intrinsics. Previously, __bfloat16, a typedef of short, was used. Adjust your AVX512BF16 related source code when upgrading GCC 12 to GCC 13. -
  • -
  • -

    - Added new Instruction Set Architecture (ISA) extensions to support the following Intel - instructions: -

    -
    -
      -
    • - AVX-IFMA whose instruction intrinsics are available - through the -mavxifma compiler switch. -
    • -
    • - AVX-VNNI-INT8 whose instruction intrinsics are - available through the -mavxvnniint8 compiler - switch. -
    • -
    • - AVX-NE-CONVERT whose instruction intrinsics are - available through the -mavxneconvert compiler - switch. -
    • -
    • - CMPccXADD whose instruction intrinsics are - available through the -mcmpccxadd compiler switch. -
    • -
    • - AMX-FP16 whose instruction intrinsics are available - through the -mamx-fp16 compiler switch. -
    • -
    • - PREFETCHI whose instruction intrinsics are - available through the -mprefetchi compiler switch. -
    • -
    • - RAO-INT whose instruction intrinsics are available - through the -mraoint compiler switch. -
    • -
    • - AMX-COMPLEX whose instruction intrinsics are - available through the -mamx-complex compiler - switch. -
    • -
    -
    -
  • -
  • - GCC now supports AMD CPUs based on the znver4 core through the - -march=znver4 compiler switch. The switch makes GCC consider - using 512-bit vectors when auto-vectorizing. -
  • -
-
-

- Improvements to the static analyzer -

-
-
    -
  • -

    - The static analyzer has gained 20 new warnings: -

    -
    -
      -
    • - -Wanalyzer-allocation-size -
    • -
    • - -Wanalyzer-deref-before-check -
    • -
    • - -Wanalyzer-exposure-through-uninit-copy -
    • -
    • - -Wanalyzer-imprecise-fp-arithmetic -
    • -
    • - -Wanalyzer-infinite-recursion -
    • -
    • - -Wanalyzer-jump-through-null -
    • -
    • - -Wanalyzer-out-of-bounds -
    • -
    • - -Wanalyzer-putenv-of-auto-var -
    • -
    • - -Wanalyzer-tainted-assertion -
    • -
    • -

      - Seven new warnings relating to misuse of file descriptors: -

      -
      -
        -
      • - -Wanalyzer-fd-access-mode-mismatch -
      • -
      • - -Wanalyzer-fd-double-close -
      • -
      • - -Wanalyzer-fd-leak -
      • -
      • - -Wanalyzer-fd-phase-mismatch (for - example, calling accept on a socket - before calling listen on it) -
      • -
      • - -Wanalyzer-fd-type-mismatch (for - example, using a stream socket operation on a datagram socket) -
      • -
      • - -Wanalyzer-fd-use-after-close -
      • -
      • -

        - -Wanalyzer-fd-use-without-check -

        -
        -
          -
        • - Also implemented special-casing handling of the behavior - of the open, close, creat, dup, dup2, dup3, pipe, pipe2, read, and write functions. -
        • -
        -
        -
      • -
      -
      -
    • -
    • -

      - Four new warnings for misuses of the <stdarg.h> header: -

      -
      -
        -
      • - -Wanalyzer-va-list-leak warns about - missing a va_end macro after a va_start or va_copy macro. -
      • -
      • - -Wanalyzer-va-list-use-after-va-end - warns about a va_arg or va_copy macro used on a va_list object type that has had the - va_end macro called on it. -
      • -
      • - -Wanalyzer-va-arg-type-mismatch - type-checks va_arg macro usage in - interprocedural execution paths against the types of the parameters - that were actually passed to the variadic call. -
      • -
      • - -Wanalyzer-va-list-exhausted warns if a - va_arg macro is used too many times on - a va_list object type in - interprocedural execution paths. -
      • -
      -
      -
    • -
    -
    -
  • -
  • - Numerous other improvements. -
  • -
-
-

- Backwards incompatible changes -

-

- For C++, construction of global iostream objects such as std::cout, - std::cin is now done inside the standard library, instead of in every - source file that includes the <iostream> header. This change - improves the startup performance of C++ programs, but it means that code compiled with GCC 13.1 will - crash if the correct version of libstdc++.so is not used at runtime. - See the documentation - about using the correct libstdc++.so at runtime. Future GCC releases - will mitigate the problem so that the program cannot be run at all with an earlier incompatible - libstdc++.so. -

-

- Bugzilla:2172091[1] -

-
-

GCC Toolset 13: annobin rebased to version - 12.20

-

- GCC Toolset 13 provides the annobin package version 12.20. Notable - enhancements include: -

-
-
-
    -
  • - Added support for moving annobin notes into a separate debug - info file. This results in reduced executable binary size. -
  • -
  • - Added support for a new smaller note format reduces the size of the separate debuginfo files - and the time taken to create these files. -
  • -
-
-

- Bugzilla:2171923[1] -

-
-

GCC Toolset 13: GDB rebased to version 12.1

-

- GCC Toolset 13 provides GDB version 12.1. -

-
-

- Notable bug fixes and enhancements include: -

-
-
    -
  • - GDB now styles source code and disassembler by default. If styling interferes with - automation or scripting of GDB, you can disable it by using the maint set gnu-source-highlight enabled off and maint set style disassembler enabled off commands. -
  • -
  • - GDB now displays backtraces whenever it encounters an internal error. If this affects - scripts or automation, you can use the maint set backtrace-on-fatal-signal off command to disable this - feature. -
  • -
-
-

- C/C++ improvements: -

-
-
    -
  • - GDB now treats functions or types involving C++ templates similarly to function overloads. - You can omit parameter lists to set breakpoints on families of template functions, including - types or functions composed of multiple template types. Tab completion has gained similar improvements. -
  • -
-
-

- Terminal user interface (TUI): -

-
-
    -
  • -

    - tui layout -

    -

    - tui focus -

    -

    - tui refresh -

    -

    - tui window height
    These are the new names for the old - layout, focus, refresh, and winheight TUI - commands respectively. The old names still exist as aliases to these new commands. -

    -
  • -
  • -

    - tui window width -

    -

    - winwidth -

    -

    - Use the new tui window width command, or the winwidth alias, to adjust the width of a TUI window when - windows are laid out in horizontal mode. -

    -
  • -
  • -

    - info win -

    -

    - This command now includes information about the width of the TUI windows in its output. -

    -
  • -
-
-

- Machine Interface (MI) changes: -

-
-
    -
  • - The default version of the MI interpreter is now 4 (-i=mi4). -
  • -
  • - The -add-inferior command with no flag now inherits the - connection of the current inferior. This restores the behavior of GDB prior to version 10. -
  • -
  • - The -add-inferior command now accepts a --no-connection flag that causes the new inferior to start - without a connection. -
  • -
  • -

    - The script field in breakpoint output (which is - syntactically incorrect in MI 3 and earlier) has become a list in MI 4. This affects the - following commands and events: -

    -
    -
      -
    • - -break-insert -
    • -
    • - -break-info -
    • -
    • - =breakpoint-created -
    • -
    • -

      - =breakpoint-modified -

      -

      - Use the -fix-breakpoint-script-output command - to enable the new behavior with earlier MI versions. -

      -
    • -
    -
    -
  • -
-
-

- New commands: -

-
-
    -
  • -

    - maint set internal-error backtrace [on|off] -

    -

    - maint show internal-error backtrace -

    -

    - maint set internal-warning backtrace [on|off] -

    -

    - maint show internal-warning backtrace -

    -

    - GDB can now print a backtrace of itself when it encounters internal error or internal - warning. This is enabled by default for internal errors and disabled by default for - internal warnings. -

    -
  • -
  • -

    - exit -

    -

    - You can exit GDB using the new exit command in addition to - the existing quit command. -

    -
  • -
  • -

    - maint set gnu-source-highlight enabled [on|off] -

    -

    - maint show gnu-source-highlight enabled
    Enables or - disables the GNU Source Highlight library for adding styling to source code. When - disabled, the library is not used even if it is available. When the GNU Source Highlight - library is not used the Python Pygments library is used instead. -

    -
  • -
  • -

    - set suppress-cli-notifications [on|off] -

    -

    - show suppress-cli-notifications -

    -

    - Controls if printing the notifications is suppressed for CLI or not. CLI notifications - occur when you change the selected context (such as the current inferior, thread, or - frame), or when the program being debugged stops (for example: because of hitting a - breakpoint, completing source-stepping, or an interrupt). -

    -
  • -
  • -

    - set style disassembler enabled [on|off] -

    -

    - show style disassembler enabled -

    -

    - When enabled, the command applies styling to disassembler output if GDB is compiled with - Python support and the Python Pygments package is available. -

    -
  • -
-
-

- Changed commands: -

-
-
    -
  • -

    - set logging [on|off] -

    -

    - Deprecated and replaced by the set logging enabled [on|off] - command. -

    -
  • -
  • -

    - print -

    -

    - Printing of floating-point values with base-modifying formats like /x has been changed to display the underlying bytes of the - value in the desired base. -

    -
  • -
  • -

    - clone-inferior -

    -

    - The clone-inferior command now ensures that the TTY, CMD, and ARGs settings are copied from the original inferior to the - new one. All modifications to the environment variables done using the set environment or unset environment commands are also copied to the new - inferior. -

    -
  • -
-
-

- Python API: -

-
-
    -
  • - The new gdb.add_history() function takes a gdb.Value object and adds the value it represents to GDB’s - history list. The function returns an integer, which is the index of the new item in the - history list. -
  • -
  • - The new gdb.history_count() function returns the number of - values in GDB’s value history. -
  • -
  • - The new gdb.events.gdb_exiting event is called with a gdb.GdbExitingEvent object that has the read-only attribute exit_code containing the value of the GDB exit code. This event - is triggered prior to GDB’s exit before GDB starts to clean up its internal state. -
  • -
  • - The new gdb.architecture_names() function returns a list - containing all of the possible Architecture.name() values. Each - entry is a string. -
  • -
  • - The new gdb.Architecture.integer_type() function returns an - integer type given a size and a signed-ness. -
  • -
  • - The new gdb.TargetConnection object type represents a - connection (as displayed by the info connections command). A - sub-class, gdb.RemoteTargetConnection, represents remote and extended-remote - connections. -
  • -
  • - The gdb.Inferior type now has a connection property that is an instance of the gdb.TargetConnection object, the connection used by this - inferior. This can be None if the inferior has no connection. -
  • -
  • - The new gdb.events.connection_removed event registry emits a - gdb.ConnectionEvent event when a connection is removed from - GDB. This event has a connection property, a gdb.TargetConnection object for the connection being removed. -
  • -
  • - The new gdb.connections() function returns a list of all - currently active connections. -
  • -
  • - The new gdb.RemoteTargetConnection.send_packet(PACKET) method - is equivalent to the existing maint packet CLI command. You can - use it to send a specified packet to the remote target. -
  • -
  • - The new gdb.host_charset() function returns the name of the - current host character set as a string. -
  • -
  • - The new gdb.set_parameter(NAME, VALUE) - function sets the GDB parameter NAME to VALUE. -
  • -
  • - The new gdb.with_parameter(NAME, VALUE) - function returns a context manager that temporarily sets the GDB parameter NAME to VALUE and then resets it - when the context is exited. -
  • -
  • - The gdb.Value.format_string method now takes a styling argument, which is a boolean. When true, the returned string can include escape sequences to apply - styling. The styling is present only if styling is turned on in GDB (see help set styling). When false, which - is the default if the styling argument is not given, no styling - is applied to the returned string. -
  • -
  • - The new read-only attribute gdb.InferiorThread.details is - either a string containing additional target-specific thread-state information, or None if there is no such additional information. -
  • -
  • - The new read-only attribute gdb.Type.is_scalar is True for scalar types, and False for - all other types. -
  • -
  • - The new read-only attribute gdb.Type.is_signed should only be - read when Type.is_scalar is True, - and will be True for signed types and False for all other types. Attempting to read this attribute for - non-scalar types will raise a ValueError. -
  • -
  • - You can now add GDB and MI commands implemented in Python. -
  • -
-
-

- For more information see the upstream release notes: -

-

- What - has changed in GDB? -

-

- Bugzilla:2172095[1] -

-
-

GCC Toolset 13: bintuils rebased to version - 2.40

-

- GCC Toolset 13 provides the binutils package version 2.40. Notable - enhancements include: -

-
-

- Linkers: -

-
-
    -
  • - The new -w (--no-warnings) - command-line option for the linker suppresses the generation of any warning or error - messages. This is useful in case you need to create a known non-working binary. -
  • -
  • -

    - The ELF linker now generates a warning message if: -

    -
    -
      -
    • - The stack is made executable -
    • -
    • - It creates a memory resident segment with all three of the Read, Write and eXecute permissions set -
    • -
    • -

      - It creates a thread local data segment with the eXecute permission set. -

      -

      - You can disable these warnings by using the --no-warn-exec-stack or --no-warn-rwx-segments options. -

      -
    • -
    -
    -
  • -
  • - The linker can now insert arbitrary JSON-format metadata into binaries that it creates. -
  • -
-
-

- Other tools: -

-
-
    -
  • - A new the objdump tool’s --private - option to display fields in the file header and section headers for Portable Executable (PE) - format files. -
  • -
  • - A new --strip-section-headers command-line option for the objcopy and strip utilities to - remove the ELF section header from ELF files. -
  • -
  • - A new --show-all-symbols command-line option for the objdump utility to display all symbols that match a given address - when disassembling, as opposed to the default function of displaying only the first symbol - that matches an address. -
  • -
  • - A new -W (--no-weak) option to the - nm utility to make it ignore weak symbols. -
  • -
  • -

    - The objdump utility now supports syntax highlighting of - disassembler output for some architectures. Use the --disassembler-color=MODE - command-line option, with MODE being one of the - following: -

    -
    -
      -
    • - off -
    • -
    • - color - This option is supported by all terminal - emulators. -
    • -
    • - extended-color - This option uses 8-bit colors not - supported by all terminal emulators. -
    • -
    -
    -
  • -
-
-

- Bugzilla:2171924[1] -

-
-

GCC Toolset 13: annobin rebased to version - 12.20

-

- GCC Toolset 13 provides the annobin package version 12.20. Notable - enhancements include: -

-
-
-
    -
  • - Added support for moving annobin notes into a separate debug - info file. This results in reduced executable binary size. -
  • -
  • - Added support for a new smaller note format, which reduces the size of the separate - debuginfo files and the time taken to create these files. -
  • -
-
-

- Bugzilla:2171921[1] -

-
-

Valgrind rebased to version 3.21.0

-

- Valgrind has been updated to version 3.21.0. Notable enhancements include: -

-
-
-
    -
  • - A new abexit value for the --vgdb-stop-at=event1,event2,…​ - option notifies the gdbserver utility when your program exits - abnormally, such as with a non-zero exit code. -
  • -
  • -

    - A new --enable-debuginfod=[yes|no] option instructs - Valgrind to use the debuginfod servers listed in the DEBUGINFOD_URLS environment variable to fetch any missing - DWARF debuginfo information for the program running under Valgrind. The default value - for this option is yes. -

    -
    -
    Note
    -
    -

    - The DEBUGINFOD_URLS environment variable is not set - by default. -

    -
    -
    -
  • -
  • - The vgdb utility now supports the extended remote protocol when - invoked with the --multi option. The GDB run command is supported in this mode and, as a result, you can - run GDB and Valgrind from a single terminal. -
  • -
  • - You can use the --realloc-zero-bytes-frees=[yes|no] option to - change the behavior of the realloc() function with a size of - zero for tools that intercept the malloc() call. -
  • -
  • - The memcheck tool now performs checks for the use of the realloc() function with a size of zero. Use the new --show-realloc-size-zero=[yes|no] switch to disable this feature. -
  • -
  • - You can use the new --history-backtrace-size=value - option for the helgrind tool to configure the number of entries - to record in the stack traces of earlier accesses. -
  • -
  • - The --cache-sim=[yes|no] cachegrind option now defaults to no - and, as a result, only instruction cache read events are gathered by default. -
  • -
  • - The source code for the cg_annotate, cg_diff, and cg_merge cachegrind utilities has been rewritten and, as a result, the - utilities have more flexible command line option handling. For example, they now support the - --show-percs and --no-show-percs - options as well as the existing --show-percs=yes and --show-percs=no options. -
  • -
  • - The cg_annotate cachegrind utility - now supports diffing (using the --diff, --mod-filename, and --mod-funcname - options) and merging (by passing multiple data files). In addition, cg_annotate now provides more information at the file and - function level. -
  • -
  • - A new user-request for the DHAT tool allows you to override the - 1024 byte limit on access count histograms for blocks of memory. -
  • -
-
-

- The following new architecture-specific instruction sets are now supported: -

-
-
    -
  • -

    - 64-bit ARM: -

    -
    -
      -
    • - v8.2 scalar and vector Floating-point Absolute Difference (FABD), Floating-point - Absolute Compare Greater than or Equal (FACGE), Floating-point Absolute Compare - Greater Than (FACGT), and Floating-point Add (FADD) instructions. -
    • -
    • - v8.2 Floating-point (FP) compare and conditional compare instructions. -
    • -
    • - Zero variants of v8.2 Floating-point (FP) compare instructions. -
    • -
    -
    -
  • -
  • -

    - 64-bit IBM Z: -

    -
    -
      -
    • - Support for the miscellaneous-instruction-extensions facility 3 and - the vector-enhancements facility 2. This enables - programs compiled with the -march=arch13 or -march=z15 options to be executed under Valgrind. -
    • -
    -
    -
  • -
  • -

    - IBM Power: -

    -
    -
      -
    • - ISA 3.1 support is now complete. -
    • -
    • - ISA 3.0 now supports the deliver a random number (darn) instruction. -
    • -
    • - ISA 3.0 now supports the System Call Vectored (scv) instruction. -
    • -
    • - ISA 3.0 now supports the copy, paste, and cpabort instructions. -
    • -
    -
    -
  • -
-
-

- Bugzilla:2124345 -

-
-

systemtap rebased to version 4.9

-

- The systemtap package has been upgraded to version 4.9. Notable - changes include: -

-
-
-
    -
  • - A new Language-Server-Protocol (LSP) backend for easier interactive drafting of systemtap scripts on LSP-capable editors. -
  • -
  • - Access to a Python/Jupyter interactive notebook frontend. -
  • -
  • - Improved handling of DWARF 5 bitfields. -
  • -
-
-

- Bugzilla:2186932 -

-
-

elfutils rebased to version 0.189

-

- The elfutils package has been updated to version 0.189. Notable - improvements and bug fixes include: -

-
-
-
-
libelf
-
- The elf_compress tool now supports the ELFCOMPRESS_ZSTD ELF compression type. -
-
libdwfl
-
- The dwfl_module_return_value_location function now returns 0 - (no return type) for DWARF Information Entries (DIEs) that point to a DW_TAG_unspecified_type type tag. -
-
eu-elfcompress
-
- The -t and --type= options now - support the Zstandard (zstd) compression format via the zstd argument. -
-
-
-

- Bugzilla:2182060 -

-
-

libpfm rebased to version 4.13

-

- The libpfm package has been updated to version 4.13. With this - update, libpfm can now access performance monitoring hardware - native events for the following processor microarchitectures: -

-
-
-
    -
  • - AMD Zen 4 -
  • -
  • - ARM Neoverse N1 -
  • -
  • - ARM Neoverse N2 -
  • -
  • - ARM Neoverse V1 -
  • -
  • - ARM Neoverse V2 -
  • -
  • - 4th Generation Intel® Xeon® Scalable Processors -
  • -
  • - IBM z16 -
  • -
-
-

- Bugzilla:2185653, - Bugzilla:2111987, Bugzilla:2111966, Bugzilla:2111973, Bugzilla:2109907, Bugzilla:2111981, - Bugzilla:2047725 -

-
-

papi supports new processor - microarchitectures

-

- With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures: -

-
-
-
    -
  • - ARM Neoverse N1 -
  • -
  • - ARM Neoverse N2 -
  • -
  • - ARM Neoverse V1 -
  • -
  • - ARM Neoverse V2 -
  • -
-
-

- Bugzilla:2111982[1], Bugzilla:2111988 -

-
-

papi now supports fast performance event count - read operations for 64-bit ARM

-

- Previously on 64-bit ARM processors, all performance event counter read operations required the - use of a resource-intensive system call. papi has been updated for - 64-bit ARM to let processes monitoring themselves with the performance counters use a faster - user-space read of the performance event counters. Setting the /proc/sys/kernel/perf_user_access parameter to 1 reduces the average - number of clock cycles for papi to read 2 counters from 724 cycles - to 29 cycles. -

-
-

- Bugzilla:2161146[1] -

-
-

LLVM Toolset rebased to version 16.0.6

-

- LLVM Toolset has been updated to version 16.0.6. -

-
-

- Notable enhancements include: -

-
-
    -
  • - Improvements to optimization -
  • -
  • - Support for new CPU extensions -
  • -
  • - Improved support for new C++ versions. -
  • -
-
-

- Notable backwards incompatible changes include: -

-
-
    -
  • - Clang’s default C++ standard is now gnu++17 instead of gnu++14. -
  • -
  • - The -Wimplicit-function-declaration, -Wimplicit-int and -Wincompatible-function-pointer-types options now default to - error for C code. This might affect the behavior of configure scripts. -
  • -
-
-

- By default, Clang 16 uses the libstdc++ library version 13 and binutils 2.40 provided by GCC Toolset 13. -

-

- For more information, see the LLVM release notes and Clang - release notes. -

-

- Bugzilla:2178806 -

-
-

Rust Toolset rebased to version 1.71.1

-

- Rust Toolset has been updated to version 1.71.1. Notable changes include: -

-
-
-
    -
  • - A new implementation of multiple producer, single consumer (mpsc) channels to improve - performance -
  • -
  • - A new Cargo sparse index protocol for more efficient use of the - crates.io registry -
  • -
  • - New OnceCell and OnceLock types - for one-time value initialization -
  • -
  • - A new C-unwind ABI string to enable usage of forced unwinding - across Foreign Function Interface (FFI) boundaries -
  • -
-
-

- For more details, see the series of upstream release announcements: -

- -

- Bugzilla:2191740 -

-
-

The Rust profiler_builtins runtime component - is now available

-

- With this enhancement, the Rust profile_builtins runtime component - is now available. This runtime component enables the following compiler options: -

-
-
-
-
-C instrument-coverage
-
- Enables coverage profiling -
-
-C profile-generate
-
- Enables profile-guided optimization -
-
-
-

- Bugzilla:2213875[1] -

-
-

Go Toolset rebased to version 1.20.10

-

- Go Toolset has been updated to version 1.20.10. -

-
-

- Notable enhancements include: -

-
-
    -
  • - New functions added in the unsafe package to handle slices and - strings without depending on the internal representation. -
  • -
  • - Comparable types can now satisfy comparable constraints. -
  • -
  • - A new crypto/ecdh package. -
  • -
  • - The go build and go test commands - no longer accept the -i flag. -
  • -
  • - The go generate and go test - commands now accept the -skip pattern option. -
  • -
  • - The go build, go install, and - other build-related commands now support the -pgo and -cover flags. -
  • -
  • - The go command now disables cgo by - default on systems without a C toolchain. -
  • -
  • - The go version -m command now supports reading more Go binaries - types. -
  • -
  • - The go command now disables cgo by - default on systems without a C toolchain. -
  • -
  • - Added support for collecting code coverage profiles from applications and integration tests - instead of collecting them only from unit tests. -
  • -
-
-

- Bugzilla:2185260[1] -

-
-

grafana rebased to version 9.2.10

-

- The grafana package has been updated to version 9.2.10. Notable - changes include: -

-
-
-
    -
  • - The time series panel is now the default visualization option, replacing the graph panel. -
  • -
  • - Grafana provides a new Prometheus and Loki query builder. -
  • -
  • - Grafana now includes multiple UI/UX and performance improvements. -
  • -
  • - The license has changed from Apache 2.0 to GNU Affero General Public License (AGPL). -
  • -
  • - The heatmap panel is now used throughout Grafana. -
  • -
  • - Geomaps can now measure both distance and area. -
  • -
  • - The Alertmanager is now based on Prometheus - Alertmanager version 0.24. -
  • -
  • - Grafana Alerting rules now return an Error state by default on - execution error or timeout. -
  • -
  • - Expressions can now be used on public dashboards. -
  • -
  • - The join transformation now supports inner joins. -
  • -
  • - Public dashboards now allow sharing Grafana dashboards. -
  • -
  • - A new Prometheus streaming parser is now available as an opt-in feature. -
  • -
-
-

- For more information, see the upstream release notes: -

- -

- Bugzilla:2193250 -

-
-

grafana-pcp rebased to version 5.1.1 -

-

- The grafana-pcp package, which provides the Performance Co-Pilot - Grafana Plugin, has been updated to version 5.1.1. Notable changes include: -

-
-
-
    -
  • - Query editor: Added buttons to disable rate conversation and time utilization conversation -
  • -
  • -

    - Redis datasource: -

    -
    -
      -
    • - Removed the deprecated label_values(metric, label) - function -
    • -
    • - Fixed the network error for metrics with many series (requires Performance - Co-Pilot version 6 and later) -
    • -
    -
    -
  • -
  • - Set the pmproxy API timeout to 1 minute -
  • -
-
-

- Bugzilla:2193270 -

-
-

.NET 8.0 is available

-

- Red Hat Enterprise Linux 8.9 is distributed with .NET version 8.0. Notable improvements include: -

-
-
-
    -
  • - Added support for the C#12 and F#8 language versions. -
  • -
  • - Added support for building container images using the .NET Software Development Kit - directly. -
  • -
  • - Many performance improvements to the garbage collector (GC), Just-In-Time (JIT) compiler, - and the base libraries. -
  • -
-
-

- Jira:RHELPLAN-164398[1] -

-
-
-
-
-
-

4.10. Identity Management

-
-
-
-
-

samba rebased to version 4.18.4

-

- The samba packages have been upgraded to upstream version 4.18.4, - which provides bug fixes and enhancements over the previous version. The most notable changes: -

-
-
-
    -
  • - Security improvements in previous releases impacted the performance of the Server Message - Block (SMB) server for high metadata workloads. This update improves the performance in this - scenario. -
  • -
  • - The new wbinfo --change-secret-at=<domain_controller> - command enforces the change of the trust account password on the specified domain - controller. -
  • -
  • - By default, Samba stores access control lists (ACLs) in the security.NTACL extended attribute of files. You can now customize - the attribute name with the acl_xattr:<security_acl_name> - setting in the /etc/samba/smb.conf file. Note that a custom - extended attribute name is not a protected location as security.NTACL. Consequently, users with local access to the - server can be able to modify the custom attribute’s content and compromise the ACL. -
  • -
-
-

- Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 - and will be removed in a future release. -

-

- Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba - automatically updates its tdb database files. Red Hat does not support - downgrading tdb database files. -

-

- After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file. -

-

- Bugzilla:2190417 -

-
-

ipa rebased to version 4.9.12

-

- The ipa package has been upgraded to version 4.9.12. For more - information, see the upstream FreeIPA release notes. -

-
-

- Bugzilla:2196425 -

-
-

Multiple IdM groups and services can now be managed in a single Ansible - task

-

- With this enhancement in ansible-freeipa, you can add, modify, and - delete multiple Identity Management (IdM) user groups and services by using a single Ansible - task. For that, use the groups and services options of the ipagroup and - ipaservice modules. -

-
-

- Using the groups option available in ipagroup, you can specify multiple group variables that only apply to a - particular group. This group is defined by the name variable, which is - the only mandatory variable for the groups option. -

-

- Similarly, using the services option available in ipaservice, you can specify multiple service variables that only apply to - a particular service. This service is defined by the name variable, - which is the only mandatory variable for the services option. -

-

- Jira:RHELDOCS-16474[1] -

-
-

ansible-freeipa ipaserver role now supports Random Serial Numbers

-

- With this update, you can use the ipaserver_random_serial_numbers=true option with the ansible-freeipa ipaserver role. This - way, you can generate fully random serial numbers for certificates and requests in PKI when - installing an Identity Management (IdM) server using Ansible. With RSNv3, you can avoid range - management in large IdM installations and prevent common collisions when reinstalling IdM. -

-
-
-
Important
-
-

- RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3 - on all PKI services. -

-
-
-

- Jira:RHELDOCS-16462[1] -

-
-

The ipaserver_remove_on_server and ipaserver_ignore_topology_disconnect options are now available in - the ipaserver role

-

- If removing a replica from an Identity Management (IdM) topology by using the remove_server_from_domain option of the ipaserver ansible-freeipa role leads to - a disconnected topology, you must now specify which part of the domain you want to preserve. - Specifically, you must do the following: -

-
-
-
    -
  • - Specify the ipaserver_remove_on_server value to identify which - part of the topology you want to preserve. -
  • -
  • - Set ipaserver_ignore_topology_disconnect to True. -
  • -
-
-

- Note that if removing a replica from IdM by using the remove_server_from_domain option preserves a connected topology, neither - of these options is required. -

-

- Bugzilla:2127901 -

-
-

The ipaclient role now allows configuring user - subID ranges on the IdM level

-

- With this update, the ipaclient role provides the ipaclient_subid option, using which you can configure subID ranges on - the Identity Management (IdM) level. Without the new option set explicitly to true, the ipaclient role keeps the - default behavior and installs the client without subID ranges configured for IdM users. -

-
-

- Previously, the role configured the sssd authselect profile that in turn customized the /etc/nsswitch.conf file. The subID database did not use IdM and relied - only on the local files of /etc/subuid and /etc/subgid. -

-

- Bugzilla:2175766 -

-
-

You can now manage IdM certificates using the ipacert Ansible module

-

- You can now use the ansible-freeipa ipacert module to request or retrieve SSL certificates for Identity - Management (IdM) users, hosts and services. The users, hosts and services can then use these - certificates to authenticate to IdM. You can also revoke the certificates, as well as restore - certificates that have been put on hold. -

-
-

- Bugzilla:2127906 -

-
-

MIT Kerberos now supports the Extended KDC MS-PAC signature

-

- With this update, MIT Kerberos, which is used by Red Hat, implements support for one of the two - types of the Privilege Attribute Certificate (PAC) signatures introduced by Microsoft in - response to recent CVEs. Specifically, MIT Kerberos in RHEL 8 supports the Extended KDC - signature that was released in KB5020805 - and that addresses CVE-2022-37967. -

-
-

- Note that because of ABI stability constraints, - MIT Kerberos on RHEL8 cannot support the other PAC signature type, that is Ticket signature as - defined in KB4598347. -

-

- To troubleshoot problems related to this enhancement, see the following Knowledgebase resources: -

- -

- See also BZ#2211387 - and BZ#2176406. -

-

- Bugzilla:2211390 -

-
-

RHEL 8.9 provides 389-ds-base - 1.4.3.37

-

- RHEL 8.9 is distributed with the 389-ds-base package version - 1.4.3.37. -

-
-

- Bugzilla:2188628 -

-
-

New passwordAdminSkipInfoUpdate: on/off - configuration option is now available

-

- You can add a new passwordAdminSkipInfoUpdate: on/off setting under - the cn=config entry to provide a fine grained control over password - updates performed by password administrators. When you enable this setting, password updates do - not update certain attributes, for example, passwordHistory,passwordExpirationTime,passwordRetryCount, pwdReset, and passwordExpWarned. -

-
-

- Bugzilla:2166332 -

-
-
-
-
-
-

4.11. Graphics infrastructures

-
-
-
-
-

Intel Arc A-Series graphics is now fully supported

-

- The Intel Arc A-Series graphics (Alchemist or DG2) feature, previously available as a Technology - Preview, is now fully supported. Intel Arc A-Series graphics is a GPU that enables hardware - acceleration, mostly used in PC gaming. -

-
-

- With this release, you no longer have to set the i915.force_probe - kernel option, and full support for these GPUs is enabled by default. -

-

- Bugzilla:2041686[1] -

-
-
-
-
-
-

4.12. The web console

-
-
-
-
-

Podman health check action is now available

-

- You can select one of the following Podman health check actions when creating a new container: -

-
-
-
    -
  • - No action (default): Take no action. -
  • -
  • - Restart: Restart the container. -
  • -
  • - Stop: Stop the container. -
  • -
  • - Force stop: Force stops the container, it does not wait for the container to exit. -
  • -
-
-

- Jira:RHELDOCS-16247[1] -

-
-

Accounts page updates for the web console

-

- This update introduces the following updates to the Accounts page: -

-
-
-
    -
  • - It is now possible to add custom user ID and define home directory and shell during the - account creation process. -
  • -
  • - When creating an account, password validation actively performs a check on every keystroke. - Additionally, weak passwords are now shown with a warning. -
  • -
  • - Account detail pages now show the home directory and shell for an account. -
  • -
  • - It is possible to change shell from the account details page. -
  • -
-
-

- Jira:RHELDOCS-16367[1] -

-
-
-
-
-
-

4.13. Red Hat Enterprise Linux system roles

-
-
-
-
-

The postgresql RHEL system role is now - available

-

- The new postgresql RHEL system role installs, configures, manages, - and starts the PostgreSQL server. The role also optimizes the - database server settings to improve performance. -

-
-

- The role supports the currently released and supported versions of PostgreSQL on RHEL 8 and RHEL 9 managed nodes. -

-

- For more information, see Installing - and configuring PostgreSQL by using the postgresql RHEL system role. -

-

- Bugzilla:2151371 -

-
-

keylime_server RHEL system role

-

- With the new keylime_server RHEL system role, you can use Ansible - playbooks to configure the verifier and registrar Keylime components on RHEL 9 systems. Keylime - is a remote machine attestation tool that uses the trusted platform module (TPM) technology. -

-
-

- Bugzilla:2224387 -

-
-

Support for new ha_cluster system role - features

-

- The ha_cluster system role now supports the following features: -

-
-
-
    -
  • - Configuration of resource and resource operation defaults, including multiple sets of - defaults with rules. -
  • -
  • - Loading and blocking of SBD watchdog kernel modules. This makes installed hardware watchdogs - available to the cluster. -
  • -
  • - Assignment of distinct passwords to the cluster hosts and the quorum device. With that, you - can configure a deployment where the same quorum hosts are joined to multiple, separate - clusters, and the passwords of the hacluster user on these - clusters are different. -
  • -
-
-

- For information about the parameters you configure to implement these features, see Configuring - a high-availability cluster by using the ha_cluster RHEL system - role. -

-

- Bugzilla:2190483, Bugzilla:2190478, Bugzilla:2216485 -

-
-

storage system role supports configuring the - stripe size for RAID LVM volumes

-

- With this update, you can now specify a custom stripe size when creating RAID LVM devices. For - better performance, use the custom stripe size for SAP HANA. The recommended stripe size for - RAID LVM volumes is 64 KB. -

-
-

- Bugzilla:2141961 -

-
-

podman RHEL system role now supports Quadlets, - healthchecks, and secrets

-

- Starting with Podman 4.6, you can use the podman_quadlet_specs - variable in the podman RHEL system role. You can define a Quadlet - by specifying a unit file, or in the inventory by a name, a type of unit, and a specification. - Types of a unit can be the following: container, kube, network, and volume. Note that Quadlets work only with root containers on RHEL 8. - Quadlets work with rootless containers on RHEL 9. -

-
-

- The healthchecks are supported only for Quadlet Container types. In the [Container] section, specify the HealthCmd - field to define the healthcheck command and HealthOnFailure field to - define the action when a container is unhealthy. Possible options are none, kill, restart, and stop. -

-

- You can use the podman_secrets variable to manage secrets. For details, - see upstream documentation. -

-

- Jira:RHELPLAN-154440[1] -

-
-

RHEL system roles now have new volume options for mount point - customization

-

- With this update, you can now specify mount_user, mount_group, and mount_permissions - parameters for your mount directory. -

-
-

- Bugzilla:2181661 -

-
-

kdump RHEL system role updates

-

- The kdump RHEL system role has been updated to a newer version, - which brings the following notable enhancements: -

-
-
-
    -
  • - After installing kexec-tools, the utility suite no longer - generates the /etc/sysconfig/kdump file because you do not need - to manage this file anymore. -
  • -
  • - The role supports the auto_reset_crashkernel and dracut_args variables. -
  • -
-
-

- For more details, see resources in the /usr/share/doc/rhel-system-roles/kdump/ directory. -

-

- Bugzilla:2211272 -

-
-

The ad_integration RHEL system role can now - rejoin an AD domain

-

- With this update, you can now use the ad_integration RHEL system - role to rejoin an Active Directory (AD) domain. To do this, set the ad_integration_force_rejoin variable to true. If the realm_list output shows - that host is already in an AD domain, it will leave the existing domain before rejoining it. -

-
-

- Bugzilla:2211723 -

-
-

The rhc system role now supports setting a - proxy server type

-

- The newly introduced attribute scheme under the rhc_proxy parameter enables you to configure the proxy server type by - using the rhc system role. You can set two values: http, the default and https. -

-
-

- Bugzilla:2211778 -

-
-

New option in the ssh role to disable - configuration backups

-

- You can now prevent old configuration files from being backed up before they are overwritten by - setting the new ssh_backup option to false. Previously, backup configuration files were created - automatically, which might be unnecessary. The default value of the ssh_backup option is true, which - preserves the original behavior. -

-
-

- Bugzilla:2216759 -

-
-

The certificate RHEL system role now allows - changing certificate file mode when using certmonger -

-

- Previously, certificates created by the certificate RHEL system - role with the certmonger provider used a default file mode. - However, in some use-cases you might require a more restrictive mode. With this update, you can - now set a different certificate and a key file mode using the mode - parameter. -

-
-

- Bugzilla:2218204 -

-
-

New RHEL system role for managing systemd - units

-

- The rhel-system-role package now contains the systemd RHEL system role. You can use this role to deploy unit files - and manage systemd units on multiple systems. You can automate - systemd functionality by providing systemd unit files and templates, and by specifying the state of - those units, such as started, stopped, masked and other. -

-
-

- Bugzilla:2224388 -

-
-

The network RHEL system role supports the - no-aaaa DNS option

-

- You can now use the no-aaaa option to configure DNS settings on - managed nodes. Previously, there was no option to suppress AAAA queries generated by the stub - resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo; only DNS lookups were affected. With this enhancement, - you can now suppress AAAA queries generated by the stub resolver. -

-
-

- Bugzilla:2218595 -

-
-

The network RHEL system role supports the - auto-dns option to control automatic DNS record - updates

-

- This enhancement provides support for defined name servers and search domains. You can now use - only the name servers and search domains specified in dns and dns_search properties while disabling automatically configured name - servers and search domains such as dns record from DHCP. With this - enhancement, you can disable automatically auto dns record by changing the auto-dns settings. -

-
-

- Bugzilla:2211273 -

-
-

firewall RHEL system role supports variables - related to ipsets

-

- With this update of the firewall RHEL system role, you can define, - modify, and delete ipsets. Also, you can add and remove those ipsets from firewall zones. Alternatively, you can use those ipsets when defining firewall rich rules. -

-
-

- You can manage ipsets with the firewall - RHEL system role using the following variables: -

-
-
    -
  • - ipset -
  • -
  • - ipset_type -
  • -
  • - ipset_entries -
  • -
  • - short -
  • -
  • - description -
  • -
  • - state: present or state: absent -
  • -
  • - permanent: true -
  • -
-
-

- The following are some notable benefits of this enhancement: -

-
-
    -
  • - You can reduce the complexity of the rich rules that define rules for many IP addresses. -
  • -
  • - You can add or remove IP addresses from sets as needed without modifying multiple rules. -
  • -
-
-

- For more details, see resources in the /usr/share/doc/rhel-system-roles/firewall/ directory. -

-

- Bugzilla:2140880 -

-
-

Improved performance of the selinux system - role with restorecon -T 0

-

- The selinux system role now uses the -T 0 option with the restorecon command - in all applicable cases. This improves the performance of tasks that restore default SELinux - security contexts on files. -

-
-

- Bugzilla:2192343 -

-
-

The firewall RHEL system role has an option to - disable conflicting services, and it no longer fails if firewalld is masked

-

- Previously, the firewall system role failed when the firewalld service was masked on the role run or in the presence of - conflicting services. This update brings two notable enhancements: -

-
-

- The linux-system-roles.firewall role always attempts to install, - unmask, and enable the firewalld service on role run. You can now add a - new variable firewall_disable_conflicting_services to your playbook to - disable known conflicting services, for example, iptables.service, - nftables.service, and ufw.service. The - firewall_disable_conflicting_services variable is set to false by default. To disable conflicting services, set the variable to - true. -

-

- Bugzilla:2222809 -

-
-

The podman RHEL system role now uses getsubids to get subuids and subgids

-

- The podman RHEL system role now uses the getsubids command to get the subuid and subgid ranges for a user and - group, respectively. The podman RHEL system role also uses this - command to verify users and groups to work with identity management. -

-
-

- Jira:RHEL-866[1] -

-
-

The podman_kube_specs variable now supports - pull_image and continue_if_pull_fails fields

-

- The podman_kube_specs variable now supports new fields: -

-
-
-
    -
  • - pull_image: ensures the image is pulled before use. The default - value is true. Use false if you - have some other mechanism to ensure the images are present on the system and you do not want - to pull the images. -
  • -
  • - continue_if_pull_fails: If pulling image fails, it is not - treated as a fatal error, and continues with the role. The default is false. Use true if you have some - other mechanism to ensure the correct images are present on the system. -
  • -
-
-

- Jira:RHEL-858[1] -

-
-

Resetting the firewall RHEL system role - configuration now requires minimal downtime

-

- Previously, when you reset the firewall role configuration by using - the previous: replaced variable, the firewalld service restarted. Restarting adds downtime and prolongs - the period of an open connection in which firewalld does not block - traffic from active connections. With this enhancement, the firewalld service completes the configuration reset by reloading - instead of restarting. Reloading minimizes the downtime and reduces the opportunity to bypass - firewall rules. As a result, using the previous: replaced variable - to reset the firewall role configuration now requires minimal - downtime. -

-
-

- Bugzilla:2224648 -

-
-
-
-
-
-

4.14. RHEL in cloud environments

-
-
-
-
-

cloud-init supports NetworkManager keyfiles

-

- With this update, the cloud-init utility can use a NetworkManager - (NM) keyfile to configure the network of the created cloud instance. -

-
-

- Note that by default, cloud-init still uses the sysconfig method for network setup. To configure cloud-init to use a NM keyfile instead, edit the /etc/cloud/cloud.cfg and set network-manager - as the primary network renderer: -

-
# cat /etc/cloud/cloud.cfg
-
-   network:
-      renderers: ['network-manager', 'eni', 'netplan', 'sysconfig', 'networkd']
-

- Bugzilla:2219528[1] -

-
-

cloud-init now uses VMware datasources by - default on ESXi

-

- When creating RHEL virtual machines (VMs) on a host that uses the VMware ESXi hypervisor, such - as the VMware vSphere cloud platform. This improves the performance and stability of creating an - ESXi instance of RHEL by using cloud-init. Note, however, that ESXi - is still compatible with Open Virtualization Format (OVF) datasources, and you can use an OVF - datasource if a VMware one is not available. -

-
-

- Bugzilla:2230777[1] -

-
-
-
-
-
-

4.15. Supportability

-
-
-
-
-

sos rebased to version 4.6

-

- The sos utility, for collecting configuration, diagnostic, and - troubleshooting data, has been rebased to version 4.6. This update provides the following - enhancements: -

-
-
-
    -
  • - sos reports now include the contents of both /boot/grub2/custom.cfg and /boot/grub2/user.cfg files that might contain critical - information for troubleshooting boot issues. (BZ#2213951) -
  • -
  • - The sos plugin for OVN-Kubernetes collects additional logs for - the interconnect environment. With this update, sos also - collects logs from the ovnkube-controller container when both - ovnkube-node and ovnkube-controller containers are merged into one. -
  • -
-
-

- In addition, notable bug fixes include: -

-
-
    -
  • - sos now correctly gathers cgroup - data in the OpenShift Container Platform 4 environment (BZ#2186361). -
  • -
  • - While collecting sos reports with the sudo plugin enabled, sos now removes - the bindpw option properly. (BZ#2143272) -
  • -
  • - The subscription_manager plugin no longer collects proxy - usernames and passwords from the /var/lib/rhsm/ path. - (BZ#2177282) -
  • -
  • - The virsh plugin no longer collects the SPICE remote-display - passwords in virt-manager logs, which prevents sos from - disclosing passwords in its reports. (BZ#2184062) -
  • -
  • -

    - sos now masks usernames and passwords previously displayed - in the /var/lib/iscsi/nodes/<IQN>/<PortalIP>/default - file. -

    -
    -
    Important
    -
    -

    - The generated archive might contain data considered sensitive. Thus, you should - always review the content before passing it to any third party. -

    -
    -
    -

    - (BZ#2187859) -

    -
  • -
  • - sos completes the tailed log collection even when the size of - the log file is exceeded and when a plugin times out. (BZ#2203141) -
  • -
  • - When entering the sos collect command on a Pacemaker cluster - node, sos collects an sos report from the same cluster node. - (BZ#2186460) -
  • -
  • - When collecting data from a host in the OpenShift Container Platform 4 environment, sos now uses the sysroot path, which - ensures that only the correct data are assembled. (BZ#2075720) -
  • -
  • - The sos report --clean command obfuscates all MAC addresses as - intended. (BZ#2207562) -
  • -
  • - Disabling the hpssm plugin no longer raises exceptions. - (BZ#2216608) -
  • -
  • - The sos clean command follows permissions of sanitized files. - (BZ#2218279) -
  • -
-
-

- For details on each release of sos, see upstream release notes. -

-

- Jira:RHELPLAN-156196[1] -

-
-
-
-
-
-

4.16. Containers

-
-
-
-
-

Podman supports pulling and pushing images compressed with zstd -

-

- You can pull and push images compressed with the zstd format. The - zstd compression is more efficient and faster than gzip. It can reduce the amount of network - traffic and storage involved in pulling and pushing the image. -

-
-

- Jira:RHELPLAN-154313[1] -

-
-

Quadlet in Podman is now available

-

- Beginning with Podman v4.6, you can use Quadlet to automatically generate a systemd service file from a container description. The Quadlets might - be easier to use than the podman generate systemd command because - the description focuses on the relevant container details and without the technical complexity - of running containers under systemd. Note that Quadlets work only - with rootful containers. -

-
-

- For more details, see the Quadlet - upstream documentation and the Make systemd better for Podman with - Quadlet article. -

-

- Jira:RHELPLAN-154431[1] -

-
-

The Container Tools packages have been updated

-

- The updated Container Tools packages, which contain the Podman, Buildah, Skopeo, crun, and runc - tools, are now available. This update applies a series of bug fixes and enhancements over the - previous version. -

-
-

- Notable changes in Podman v4.6 include: -

-
-
    -
  • - The podman kube play command now supports the --configmap=<path> - option to provide Kubernetes YAML file with environment variables used within the containers - of the pod. -
  • -
  • - The podman kube play command now supports multiple Kubernetes - YAML files for the --configmap option. -
  • -
  • - The podman kube play command now supports containerPort names - and port numbers within liveness probes. -
  • -
  • - The podman kube play command now adds the ctrName as an alias - to the pod network. -
  • -
  • - The podman kube play and podman kube generate commands now support SELinux filetype labels - and ulimit annotations. -
  • -
  • - A new command, podman secret exists, has been added, which - verifies if a secret with the given name exists. -
  • -
  • - The podman create, podman run, - podman pod create, and podman pod clone commands now support a new option, --shm-size-systemd, which allows limiting tmpfs sizes for - systemd-specific mounts. -
  • -
  • - The podman create and podman run commands now support a new - option, --security-opt label=nested, which allows SELinux - labeling within a confined container. -
  • -
  • - Podman now supports auto updates for containers running inside a pod. -
  • -
  • - Podman can now use an SQLite database as a backend for increased stability. The default - remains the BoltDB database. You can select the database by setting the database_backend field in the containers.conf file. -
  • -
  • - Podman now supports Quadlets to automatically generate a systemd service file from the container description. The - description focuses on the relevant container details and hides the technical complexity of - running containers under systemd. -
  • -
-
-

- For further information about notable changes, see upstream release - notes. -

-

- Jira:RHELPLAN-154443[1] -

-
-

Podman now supports a Podmansh login shell

-

- Beginning with Podman v4.6, you can use the Podmansh login shell to - manage user access and control. To switch to CGroups v2, add systemd.unified_cgroup_hierarchy=1 to the kernel command line. - Configure the settings for a user to use the /usr/bin/podmansh - command as a login shell instead of a standard shell command, for example, /usr/bin/bash. When a user logs into a system setup, the podmansh command runs the user’s session in a Podman container named - podmansh. Containers into which users log in are defined using the - Quadlet files, which are created in the /etc/containers/systemd/users/ directory. In these files, set the - ContainerName field in the [Container] - section to podmansh. Systemd automatically starts podmansh when the user session starts and continues running until all - user sessions exit. -

-
-

- For more information, see Podman - v4.6.0 Introduces Podmansh: A Revolutionary Login Shell. -

-

- Jira:RHELPLAN-163002[1] -

-
-

Clients for sigstore signatures with Fulcio and Rekor are now - available

-

- With Fulcio and Rekor servers, you can now create signatures by using short-term certificates - based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private - key. Clients for sigstore signatures with Fulcio and Rekor, previously available as a Technology - Preview, are now fully supported. This added functionality is the client side support only, and - does not include either the Fulcio or Rekor servers. -

-
-

- Add the fulcio section in the policy.json - file. To sign container images, use the podman push --sign-by-sigstore=file.yml or skopeo copy --sign-by-sigstore=file.yml - commands, where file.yml is the - sigstore signing parameter file. -

-

- To verify signatures, add the fulcio section and the rekorPublicKeyPath or rekorPublicKeyData - fields in the policy.json file. For more information, see containers-policy.json man page. -

-

- Jira:RHELPLAN-160659[1] -

-
-
-
-
-
-
-

Chapter 5. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel shipped - with Red Hat Enterprise Linux 8.9. These changes could include for example added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any - noticeable behavior changes. -

-

New kernel parameters

-
-
-
gather_data_sampling=[X86,INTEL]
-
-

- With this kernel parameter, you can control the Gather Data Sampling (GDS) mitigation. -

-

- (GDS) is a hardware vulnerability that allows unprivileged speculative access to data that - was previously stored in vector registers. -

-

- This issue is mitigated by default in updated microcode. The mitigation might have a - performance impact but can be disabled. On systems without the microcode mitigation - disabling AVX serves as a mitigation. Available values include: -

-
-
    -
  • - force: Disable AVX to mitigate systems without - microcode mitigation. No effect if the microcode mitigation is present. Known to - cause crashes in userspace with buggy AVX enumeration. -
  • -
  • - off: Disable GDS mitigation. -
  • -
-
-
-
rdrand=[X86]
-
-

- With this kernel parameter, you can hide the advertisement of RDRAND support. This affects - certain AMD processors because of buggy BIOS support, specifically around the suspend or - resume path. -

-
-
    -
  • - force: Override the decision by the kernel to hide the - advertisement of RDRAND support. -
  • -
-
-
-
-
-

Updated kernel parameters

-
-
-
intel_pstate=[X86]
-
-

- You can use this kernel parameter for CPU performance scaling. Available values include: -

-
-
    -
  • - disable - Do not enable intel_pstate as the default scaling driver for the - supported processors. -
  • -
  • - [NEW] active - Use intel_pstate - driver to bypass the scaling governors layer of cpufreq - and provides it own algorithms for p-state selection. There are two P-state - selection algorithms provided by intel_pstate in the - active mode: powersave and performance. The way they both operate depends on whether - or not the hardware managed P-states (HWP) feature has been enabled in the processor - and possibly on the processor model. -
  • -
  • - passive - Use intel_pstate - as a scaling driver, but configure it to work with generic cpufreq governors (instead of enabling its internal - governor). This mode cannot be used along with the hardware-managed P-states (HWP) - feature. -
  • -
  • - force - Enable intel_pstate on systems that prohibit it by default in - favor of acpi-cpufreq. Forcing the intel_pstate driver instead of acpi-cpufreq might disable platform features, such as - thermal controls and power capping, that rely on ACPI P-States information being - indicated to OSPM and therefore should be used with caution. This option does not - work with processors that are not supported by the intel_pstate driver or on platforms that use pcc-cpufreq instead of acpi-cpufreq. -
  • -
  • - no_hwp - Do not enable hardware P state control (HWP) - if available. -
  • -
  • - hwp_only - Only load intel_pstate on systems that support hardware P state - control (HWP) if available. -
  • -
  • - support_acpi_ppc - Enforce ACPI _PPC performance limits. If the Fixed ACPI - Description Table specifies preferred power management profile as "Enterprise - Server" or "Performance Server", then this feature is turned on by default. -
  • -
  • - per_cpu_perf_limits - Allow per-logical-CPU P-State - performance control limits using the cpufreq sysfs - interface. -
  • -
-
-
-
rdt=[HW,X86,RDT]
-
-

- With this kernel parameter, you can turn on or off individual RDT features. The list - includes: cmt, mbmtotal, mbmlocal, l3cat, l3cdp, l2cat, l2cdp, mba, [NEW] smba, - [NEW] bmec. -

-

- For example, to turn on cmt and turn off mba use: -

-
rdt=cmt,!mba
-
-
tsc=[x86]
-
-

- With this kernel parameter, you can disable clocksource stability checks for TSC. This - parameter takes the format of: <string>. -

-
-
    -
  • - reliable: mark tsc clocksource as reliable, this - disables clocksource verification at runtime, as well as the stability checks done - at bootup. Used to enable high-resolution timer mode on older hardware, and in - virtualized environment. -
  • -
  • - noirqtime: Do not use TSC to do irq accounting. Used to run time disable IRQ_TIME_ACCOUNTING on any platforms where RDTSC is slow - and this accounting can add overhead. -
  • -
  • - unstable: mark the TSC clocksource as unstable, this - marks the TSC unconditionally unstable at bootup and avoids any further wobbles once - the TSC watchdog notices. -
  • -
  • - nowatchdog: disable clocksource watchdog. Used in - situations with strict latency requirements (where interruptions from clocksource - watchdog are not acceptable). -
  • -
  • - recalibrate: force recalibration against a HW timer - (HPET or PM timer) on systems whose TSC frequency was obtained from HW or FW using - either an MSR or CPUID(0x15). Warn if the difference is more than 500 ppm. -
  • -
-
-
-
-
-

New sysctl parameters

-
-
-
nmi_wd_lpm_factor=(PPC only)
-
-

- Factor to apply to the NMI watchdog timeout (only when nmi_watchdog is set to 1). This - factor represents the percentage added to watchdog_thresh when - calculating the NMI watchdog timeout during an LPM. The soft lockup timeout is not impacted. -

-
-
    -
  • - A value of 0 means no change. -
  • -
  • - The default value is 200 meaning the NMI watchdog is - set to 30s (based on watchdog_thresh equal to 10). -
  • -
-
-
-
txrehash
-
-

- With this kernel parameter, you can control default hash rethink behaviour on socket. -

-
-
    -
  • - If set to 1 (default), hash rethink is performed on - listening socket. -
  • -
  • - If set to 0, hash rethink is not performed. -
  • -
-
-
-
-
-
-
-
-
-
-

Chapter 6. Device Drivers

-
-
-
-
-
-
-
-

6.1. New drivers

-
-
-
-

Network drivers

-
-
    -
  • - Thunderbolt/USB4 network driver (thunderbolt_net) -
  • -
  • - Broadcom 802.11 wireless LAN fullmac driver (brcmfmac) (only in - 64-bit ARM architecture) -
  • -
-
-

Graphics drivers and miscellaneous drivers

-
-
    -
  • - Bluetooth support for MediaTek devices ver 0.1 (btmtk), only in - IBM Power Systems, Little Endian, and AMD and Intel 64-bit architectures -
  • -
  • - DRM Buddy Allocator (drm_buddy), only in 64-bit IBM Z - architecture -
  • -
  • - DRM display adapter helper ( drm_display_helper), only in - 64-bit IBM Z architecture -
  • -
  • - Microsoft Azure Network Adapter IB driver (mana_ib), only in - AMD and Intel 64-bit architectures -
  • -
  • - The Linux USB Video Class driver (uvc), (only in IBM Power - Systems, Little Endian and AMD and Intel 64-bit architectures -
  • -
  • - Intel Meteor Lake PCH pinctrl/GPIO driver (pinctrl-meteorlake), - only in AMD and Intel 64-bit architectures -
  • -
  • - Intel In Field Scan (IFS) device (intel_ifs), only in AMD and - Intel 64-bit architectures -
  • -
  • - Intel Uncore Frequency Common Module (intel-uncore-frequency-common), only in AMD and Intel 64-bit - architectures -
  • -
  • - Intel Uncore Frequency Limits Driver (intel-uncore-frequency), - only in AMD and Intel 64-bit architectures -
  • -
  • - AMD SoundWire driver (soundwire-amd), only in AMD and Intel - 64-bit architectures -
  • -
  • - DisplayPort Alternate Mode (typec_displayport), only in 64-bit - ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit architectures -
  • -
  • - Virtio-mem driver (virtio_mem), only in AMD and Intel 64-bit - architectures -
  • -
-
-
-
-
-
-
-

6.2. Updated drivers

-
-
-
-

Network driver updates

-
-
    -
  • - Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (r8152) - have been updated to version v1.12.13 (only in 64-bit ARM architecture, IBM Power Systems, - Little Endian, and AMD and Intel 64-bit architectures) -
  • -
-
-

- The following drivers have been updated to 4.18.0-513.5.1 kernel - version: -

-
-
    -
  • - Intel® 10 Gigabit PCI Express Network Driver (ixgbe), only in - 64-bit ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit - architectures -
  • -
  • - Intel® 10 Gigabit Virtual Function Network Driver (ixgbevf), - only in 64-bit ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit - architectures -
  • -
  • - Intel® 2.5G Ethernet Linux Driver (igc), only in 64-bit ARM - architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit architectures -
  • -
  • - Intel® Ethernet Adaptive Virtual Function Network Driver (iavf), only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures -
  • -
  • - Intel® Ethernet Connection XL710 Network Driver (i40e), only in - 64-bit ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit - architectures -
  • -
  • - Intel® Ethernet Switch Host Interface Driver (fm10k), only in - 64-bit ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit - architectures -
  • -
  • - Intel® Gigabit Ethernet Network Driver (igb), only in 64-bit - ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit architectures -
  • -
  • - Intel® Gigabit Virtual Function Network Driver (igbvf), only in - 64-bit ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit - architectures -
  • -
  • - Intel® PRO/1000 Network Driver (e1000e), only in 64-bit ARM - architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit architectures -
  • -
  • - Mellanox 5th generation network adapters (ConnectX series) core driver (mlx5_core) -
  • -
  • - The Netronome Flow Processor (NFP) driver (nfp) -
  • -
-
-

Graphics, storage, and miscellaneous driver - updates

-
-
    -
  • - Broadcom MegaRAID SAS Driver (megaraid_sas) has been updated to - version 07.725.01.00-rc1, (only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures) -
  • -
  • - Driver for Microchip Smart Family Controller version (smartpqi) - has been updated to version 2.1.22-040 (only in 64-bit ARM architecture, IBM Power Systems, - Little Endian, and AMD and Intel 64-bit architectures) -
  • -
  • - Emulex LightPulse Fibre Channel SCSI driver (lpfc) has been - updated to version 0:14.0.0.21 (only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures) -
  • -
  • - MPI3 Storage Controller Device Driver (mpi3mr) has been updated - to version 8.4.1.0.0 (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, and - AMD and Intel 64-bit architectures) -
  • -
  • - QLogic Fibre Channel HBA Driver (qla2xxx) has been updated to - version 10.02.08.200-k (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, - and AMD and Intel 64-bit architectures) -
  • -
-
-
-
-
-
-
-
-

Chapter 7. Available BPF Features

-
-
-
-

- This chapter provides the complete list of Berkeley Packet Filter (BPF) features available in the kernel of this minor version of Red Hat - Enterprise Linux 8. The tables include the lists of: -

- -

- This chapter contains automatically generated output of the bpftool feature - command. -

-
-

Table 7.1. System configuration and other options

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionValue
-

- unprivileged_bpf_disabled -

-
-

- 1 (bpf() syscall restricted to privileged users, without recovery) -

-
-

- JIT compiler -

-
-

- 1 (enabled) -

-
-

- JIT compiler hardening -

-
-

- 1 (enabled for unprivileged users) -

-
-

- JIT compiler kallsyms exports -

-
-

- 1 (enabled for root) -

-
-

- Memory limit for JIT for unprivileged users -

-
-

- 264241152 -

-
-

- CONFIG_BPF -

-
-

- y -

-
-

- CONFIG_BPF_SYSCALL -

-
-

- y -

-
-

- CONFIG_HAVE_EBPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT_ALWAYS_ON -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF_MODULES -

-
-

- n -

-
-

- CONFIG_CGROUPS -

-
-

- y -

-
-

- CONFIG_CGROUP_BPF -

-
-

- y -

-
-

- CONFIG_CGROUP_NET_CLASSID -

-
-

- y -

-
-

- CONFIG_SOCK_CGROUP_DATA -

-
-

- y -

-
-

- CONFIG_BPF_EVENTS -

-
-

- y -

-
-

- CONFIG_KPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_UPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_TRACING -

-
-

- y -

-
-

- CONFIG_FTRACE_SYSCALLS -

-
-

- y -

-
-

- CONFIG_FUNCTION_ERROR_INJECTION -

-
-

- y -

-
-

- CONFIG_BPF_KPROBE_OVERRIDE -

-
-

- y -

-
-

- CONFIG_NET -

-
-

- y -

-
-

- CONFIG_XDP_SOCKETS -

-
-

- y -

-
-

- CONFIG_LWTUNNEL_BPF -

-
-

- y -

-
-

- CONFIG_NET_ACT_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_ACT -

-
-

- y -

-
-

- CONFIG_NET_SCH_INGRESS -

-
-

- m -

-
-

- CONFIG_XFRM -

-
-

- y -

-
-

- CONFIG_IP_ROUTE_CLASSID -

-
-

- y -

-
-

- CONFIG_IPV6_SEG6_BPF -

-
-

- n -

-
-

- CONFIG_BPF_LIRC_MODE2 -

-
-

- n -

-
-

- CONFIG_BPF_STREAM_PARSER -

-
-

- y -

-
-

- CONFIG_NETFILTER_XT_MATCH_BPF -

-
-

- m -

-
-

- CONFIG_BPFILTER -

-
-

- n -

-
-

- CONFIG_BPFILTER_UMH -

-
-

- n -

-
-

- CONFIG_TEST_BPF -

-
-

- m -

-
-

- CONFIG_HZ -

-
-

- 1000 -

-
-

- bpf() syscall -

-
-

- available -

-
-

- Large program size limit -

-
-

- available -

-
-
-
-
-

Table 7.2. Available program types and supported helpers

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Program typeAvailable helpers
-

- socket_filter -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- kprobe -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_override_return, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- sched_cls -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sched_act -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- xdp -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, bpf_redirect, - bpf_perf_event_output, bpf_csum_diff, bpf_get_current_task, - bpf_get_numa_node_id, bpf_xdp_adjust_head, bpf_redirect_map, - bpf_xdp_adjust_meta, bpf_xdp_adjust_tail, bpf_fib_lookup, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_tcp_gen_syncookie, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- perf_event -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_get_task_stack, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, - bpf_snprintf -

-
-

- cgroup_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_skb_cgroup_id, bpf_get_local_storage, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, - bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_sk_cgroup_id, - bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sock -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_current_cgroup_id, - bpf_get_local_storage, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_in -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_lwt_push_encap, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_out -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_xmit -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, - bpf_csum_diff, bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, bpf_set_hash_invalid, - bpf_get_numa_node_id, bpf_skb_change_head, bpf_lwt_push_encap, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sock_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_setsockopt, bpf_sock_map_update, bpf_getsockopt, - bpf_sock_ops_cb_flags_set, bpf_sock_hash_update, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_skc_to_tcp6_sock, - bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, - bpf_skc_to_udp6_sock, bpf_load_hdr_opt, bpf_store_hdr_opt, bpf_reserve_hdr_opt, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sk_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_tail_call, bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_adjust_room, bpf_sk_redirect_map, bpf_sk_redirect_hash, - bpf_sk_lookup_tcp, bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, - bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, - bpf_skc_lookup_tcp, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_device -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- sk_msg -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_cgroup_classid, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_msg_redirect_hash, bpf_get_current_cgroup_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_msg_push_data, - bpf_msg_pop_data, bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- raw_tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sock_addr -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_setsockopt, bpf_getsockopt, - bpf_bind, bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lwt_seg6local -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- lirc_mode2 -

-
-

- not supported -

-
-

- sk_reuseport -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_skb_load_bytes_relative, bpf_sk_select_reuseport, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- flow_dissector -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sysctl -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_sysctl_get_name, bpf_sysctl_get_current_value, - bpf_sysctl_get_new_value, bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- raw_tracepoint_writable -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- cgroup_sockopt -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf -

-
-

- tracing -

-
-

- not supported -

-
-

- struct_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, - bpf_skb_store_bytes, bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, - bpf_clone_redirect, bpf_get_current_pid_tgid, bpf_get_current_uid_gid, - bpf_get_current_comm, bpf_get_cgroup_classid, bpf_skb_vlan_push, - bpf_skb_vlan_pop, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_perf_event_read, bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_get_stackid, bpf_csum_diff, bpf_skb_get_tunnel_opt, - bpf_skb_set_tunnel_opt, bpf_skb_change_proto, bpf_skb_change_type, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_current_task_under_cgroup, bpf_skb_change_tail, bpf_skb_pull_data, - bpf_csum_update, bpf_set_hash_invalid, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_xdp_adjust_head, bpf_probe_read_str, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_setsockopt, - bpf_skb_adjust_room, bpf_redirect_map, bpf_sk_redirect_map, bpf_sock_map_update, - bpf_xdp_adjust_meta, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_getsockopt, bpf_override_return, bpf_sock_ops_cb_flags_set, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_bind, bpf_xdp_adjust_tail, bpf_skb_get_xfrm_state, - bpf_get_stack, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_sock_hash_update, bpf_msg_redirect_hash, bpf_sk_redirect_hash, - bpf_lwt_push_encap, bpf_lwt_seg6_store_bytes, bpf_lwt_seg6_adjust_srh, - bpf_lwt_seg6_action, bpf_rc_repeat, bpf_rc_keydown, bpf_skb_cgroup_id, - bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_select_reuseport, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_msg_push_data, bpf_msg_pop_data, bpf_rc_pointer_rel, bpf_spin_lock, - bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, 
bpf_skb_ecn_set_ce, - bpf_get_listener_sock, bpf_skc_lookup_tcp, bpf_tcp_check_syncookie, - bpf_sysctl_get_name, bpf_sysctl_get_current_value, bpf_sysctl_get_new_value, - bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_send_signal, bpf_tcp_gen_syncookie, bpf_skb_output, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_tcp_send_ack, bpf_send_signal_thread, - bpf_jiffies64, bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_xdp_output, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_seq_printf, bpf_seq_write, - bpf_sk_cgroup_id, bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_csum_level, bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, - bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, - bpf_get_task_stack, bpf_load_hdr_opt, bpf_store_hdr_opt, bpf_reserve_hdr_opt, - bpf_inode_storage_get, bpf_inode_storage_delete, bpf_d_path, bpf_copy_from_user, - bpf_snprintf_btf, bpf_seq_printf_btf, bpf_skb_cgroup_classid, - bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_redirect_peer, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_bprm_opts_set, bpf_ktime_get_coarse_ns, bpf_ima_inode_hash, - bpf_sock_from_file, bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, - bpf_sys_bpf, bpf_btf_find_by_name_kind, bpf_sys_close -

-
-

- ext -

-
-

- not supported -

-
-

- lsm -

-
-

- not supported -

-
-

- sk_lookup -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf -

-
-
-
-
-

Table 7.3. Available map types

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Map typeAvailable
-

- hash -

-
-

- yes -

-
-

- array -

-
-

- yes -

-
-

- prog_array -

-
-

- yes -

-
-

- perf_event_array -

-
-

- yes -

-
-

- percpu_hash -

-
-

- yes -

-
-

- percpu_array -

-
-

- yes -

-
-

- stack_trace -

-
-

- yes -

-
-

- cgroup_array -

-
-

- yes -

-
-

- lru_hash -

-
-

- yes -

-
-

- lru_percpu_hash -

-
-

- yes -

-
-

- lpm_trie -

-
-

- yes -

-
-

- array_of_maps -

-
-

- yes -

-
-

- hash_of_maps -

-
-

- yes -

-
-

- devmap -

-
-

- yes -

-
-

- sockmap -

-
-

- yes -

-
-

- cpumap -

-
-

- yes -

-
-

- xskmap -

-
-

- yes -

-
-

- sockhash -

-
-

- yes -

-
-

- cgroup_storage -

-
-

- yes -

-
-

- reuseport_sockarray -

-
-

- yes -

-
-

- percpu_cgroup_storage -

-
-

- yes -

-
-

- queue -

-
-

- yes -

-
-

- stack -

-
-

- yes -

-
-

- sk_storage -

-
-

- yes -

-
-

- devmap_hash -

-
-

- yes -

-
-

- struct_ops -

-
-

- no -

-
-

- ringbuf -

-
-

- yes -

-
-

- inode_storage -

-
-

- yes -

-
-

- task_storage -

-
-

- no -

-
-
-
-
-
-
-
-
-

Chapter 8. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 8.9 that have a significant impact on users. -

-
-
-
-
-

8.1. Installer and image creation

-
-
-
-
-

The --noverifyssl option for liveimg no longer checks the server’s certificate for images - downloaded using HTTPS

-

- Previously, the installer ignored the --noverifyssl option from the - liveimg kickstart command. Consequently, if the server’s - certificate could not be validated for images downloaded using the HTTPS protocol, the - installation process failed. With this update, this issue has been fixed, and the --noverifyssl option of the liveimg - kickstart command works as expected. -

-
-

- Bugzilla:1886985 -

-
-
-
-
-
-

8.2. Security

-
-
-
-
-

Booting from an NFS filesystem now works with SELinux set to enforcing - mode

-

- Previously, when using NFS as the root filesystem, SELinux labels were not forwarded from the - server, causing boot failures when SELinux was set to enforcing mode. -

-
-

- With this fix, SELinux has been fixed to correctly flag NFS mounts created before the initial - SELinux policy load as supporting security labels. As a result, the NFS mount now forwards SELinux - labels between the server and the client and the boot can succeed with SELinux set to enforcing - mode. -

-

- Bugzilla:1753646[1] -

-
-

The automatic screen lock now works correctly even when a USB smart-card - reader is removed

-

- Before RHEL 8.9, the opensc packages incorrectly handled removing - USB smart-card readers. Consequently, the system remained unlocked even if the GNOME Display - Manager (GDM) was configured to lock the screen when a smart card was removed. Furthermore, - after reconnecting the USB reader, the screen also did not lock after removing the smart card. - In this release, the code for handling removals of USB smart-card readers has been fixed. As a - result, the screen is correctly locked even when a smart card or a USB smart-card reader is - removed. -

-
-

- Bugzilla:2097048 -

-
-

The SCAP enable_fips_mode rule now checks only - fips=1 on 64-bit IBM Z architecture

-

- Previously, the SCAP Security Guide rule enable_fips_mode did check - the contents of the /boot/grub2/grubenv file. Consequently, the - 64-bit IBM Z architecture did not use /boot/grub2/grubenv file for - FIPS mode. With this update, the OVAL rule enable_fips_mode now - test if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf file on 64-bit IBM Z architecture. -

-
-

- Bugzilla:2129100 -

-
-

SCAP journald rules no longer remediate to - invalid configuration

-

- Previously, the SCAP Security Guide rules journald_compress, journald_forward_to_syslog, and journald_storage contained a bug in the remediation script which - added extra quotes to the respective options within the /etc/systemd/journald.conf configuration file. Consequently, the - journald service failed to parse the configuration options and - ignored them. Therefore, the configuration options were not effective and OpenSCAP reported - false pass results. With this update, the rules and remediations scripts have been fixed to not - add the extra quotes. The rule now create a valid configuration for journald. -

-
-

- Bugzilla:2169857 -

-
-

Images can now be configured with security profiles

-

- SCAP Security Guide rules that configure mount point options have been reworked, and you can now - use them also for hardening images when building an operating system image in image builder. As - a result, you can now build images with partition configuration aligned with a specific security - profile. -

-
-

- Bugzilla:2130185 -

-
-

Removed strict requirements from SSG rules related to AIDE - configuration

-

- Previously, the SCAP Security Guide (SSG) rule aide_build_database - required the existence of both /var/lib/aide/aide.db.new.gz and - /var/lib/aide/aide.db.gz files to pass. Because the AIDE utility does not require the /var/lib/aide/aide.db.new.gz file, this update removed the - corresponding requirement from the aide_build_database rule. As a - result, the rule requires only the /var/lib/aide/aide.db.gz file to - pass. -

-
-

- In addition, the SCAP Security Guide rule aide_periodic_cron_checking - is now less strict on entries in /etc/cron.daily and /etc/cron.weekly files. You can now schedule the aide --check command with additional wrappers while staying compliant - with the rule. -

-

- Bugzilla:2175684 -

-
-

SCAP rules related to pam_faillock have - correct descriptions

-

- Previously, the SCAP Security Guide rules related to the pam_faillock contained descriptions that were misaligned with some - profile values. Consequently, the descriptions were not correct. With this update, the rules - descriptions are now using XCCDF variables. -

-
-

- This change affects the following rules: -

-
-
    -
  • - accounts_passwords_pam_faillock_deny -
  • -
  • - accounts_passwords_pam_faillock_interval -
  • -
  • - accounts_passwords_pam_faillock_dir -
  • -
  • - accounts_passwords_pam_faillock_unlock_time -
  • -
-
-

- Bugzilla:2175882 -

-
-

The file_permissions_efi_user_cfg SCAP rule no - longer fails when /boot/efi is mounted

-

- Previously, the default permissions of UEFI files were not accepted. Therefore, it was not - possible to change the permissions with the chmod command when the - /boot/efi partition used a virtual file allocation table (VFAT) - file system. Consequently, the file_permissions_efi_user_cfg rule - failed. This update changes the default permissions from 0600 to - 0700. Because the 0700 permission is - also accepted by CIS, the assessment and remediation are now better aligned with CIS profiles. -

-
-

- Bugzilla:2184487 -

-
-

SSG remediations are now aligned with configure_openssl_cryptopolicy

-

- Previously, the SCAP Security Guide (SSG) remediation added the = - character to the opensslcnf.config file. This syntax dit not match - the description of the configure_openssl_cryptopolicy rule. - Consequently, compliance checks might fail after remediations that inserted .include = instead of .include to opensslcnf.config. With this release, the remediation scripts are - aligned with the rule description, and SSG remediations that use configure_openssl_cryptopolicy no longer fail due to additional =. -

-
-

- Bugzilla:2192893 -

-
-

The postfix_prevent_unrestricted_relay rule - now accepts white spaces around the = sign

-

- Previously, the OVAL check of the SCAP rule xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay - was too strict and it did not account for postconf configuration - assignment statements which contained white spaces around the = - sign. As a consequence, the final report reported this rule as failing even for configurations - that technically met the rule’s requirements. With this update, the rule was modified so that - the check accepts statements with white spaces around the = sign. - As a result, the final report rule now marks this rule as passing for correct configuration - statements. -

-
-

- Bugzilla:2170530 -

-
-

SCAP rules now correctly evaluate whether the /var/log and /var/log/audit - partitions exist

-

- Previously, some SCAP rules relevant to the /var/log and /var/log/audit partitions were evaluated and remediated even when the - appropriate disk partition did not exist. This affected the following rules: -

-
-
-
    -
  • - mount_option_var_log_audit_nodev -
  • -
  • - mount_option_var_log_audit_noexec -
  • -
  • - mount_option_var_log_audit_nosuid -
  • -
  • - mount_option_var_log_nodev -
  • -
  • - mount_option_var_log_noexec -
  • -
  • - mount_option_var_log_nosuid -
  • -
-
-

- As a consequence, these rules were evaluated and incorrectly reported as failing in the final report - even when the directories /var/log or /var/log/audit were not mount points for individual partitions. This - update adds an applicability check to determine whether /var/log or - /var/log/audit are mount points for individual partitions. As a - consequence, the rules are not evaluated in configurations when the directories are not mount points - for individual partitions and the rules are marked as notapplicable in - the final report. -

-

- Bugzilla:2176008 -

-
-

The SCAP rule accounts_passwords_pam_faillock_interval now covers new STIG - IDs

-

- Previously, the SCAP Security Guide rule accounts_passwords_pam_faillock_interval did not cover RHEL-08-020012 - and RHEL-08-020013. Consequently, the rule accounts_passwords_pam_faillock_interval checked for faillock configuration in all of these three files: /etc/pam.d/password-auth, /etc/pam.d/system-auth, and /etc/security/faillock.conf. With this update, the rule now covers - STIG IDs RHEL-08-020012 and RHEL-08-020013. -

-
-

- Bugzilla:2209073 -

-
-

Red Hat CVE feeds have been updated

-

- The version 1 of Red Hat Common Vulnerabilities and Exposures (CVE) feeds at https://access.redhat.com/security/data/oval/ - has been sunset and replaced by version 2 of the CVE feeds located at https://access.redhat.com/security/data/oval/v2/. -

-
-

- Consequently, the links in SCAP source data streams provided by the scap-security-guide package have been updated to link to the new version - of the Red Hat CVE feeds. -

-

- Bugzilla:2222583 -

-
-

The wget utility no longer fails TLS handshake - when accessing restricted resources

-

- Previously, when ticket-based session resumption was enabled in TLS, the wget utility expected a TLS session to be resumed even when the - server requested the client to re-authenticate to access restricted resources. This behavior - caused wget to fail the second TLS handshake. With this update, - wget properly initiates a new handshake and the access to - restricted resources no longer fails. -

-
-

- Bugzilla:2089817 -

-
-

Settings from pam_cap are correctly applied on - SELinux-enabled systems

-

- Previously, the SELinux policy did not contain rules for using the pam_cap module. As a consequence, granting login capabilities - controlled by pam_cap to users in the /etc/security/capability.conf configuration file did not work when - the users logged in by using ssh or the console. This update adds a - new rule to the policy. As a result, granting capabilities in /etc/security/capability.conf now works, and user capabilities - configured with pam_cap are taken into account when logging in. -

-
-

- Bugzilla:2172541 -

-
-

The systemd-fsck-root service is now correctly - labeled on SELinux-enabled systems

-

- Previously, the /run/fsck directory was created by the systemd-fsck-root service or the fsck - command but the SELinux policy did not contain rules for proper labeling of the directory. As a - consequence, the systemd-fsck-root service did not work correctly. - With this update, the correct label and file transition for /run/fsck were added to the policy. As a result, the systemd-fsck-root service works without reporting errors. -

-
-

- Bugzilla:2184348[1] -

-
-

SELinux policy now allows bidirectional communication on D-Bus

-

- Previously, the SELinux policy contained rules to allow only one-way communication between two - domains on the D-Bus message bus system. However, such communication must be allowed in both - directions. This occurred also when the Pacemaker high-availability cluster resource manager - executed the hostnamectl or timedatectl commands. As a consequence, these commands executed by - Pacemaker timed out without receiving a response on D-Bus because SELinux blocked it. This - update to the SELinux policy allows bidirectional communication on D-Bus. As a result, commands - that require bidirectional communication on D-Bus executed by Pacemaker finish successfully. -

-
-

- Bugzilla:2196524 -

-
-

tangd-keygen now handles non-default umask correctly

-

- Previously, the tangd-keygen script did not change file permissions - for generated key files. Consequently, on systems with a default user file-creation mode mask - (umask) that prevents reading keys to other users, the tang-show-keys command returned the error message Internal Error 500 instead of displaying the keys. With this update, - tangd-keygen sets file permissions for generated key files, and - therefore the script now works correctly on systems with non-default umask. -

-
-

- Bugzilla:2188743 -

-
-

Clevis now handles SHA-256 thumbprints

-

- Before this update, the Clevis client did not recognize SHA-256 thumbprints specified through - the thp configuration option. Consequently, clients did not bind to - Tang servers that used SHA-256 thumbprints, and every corresponding clevis encrypt tang command reported an error. With this update, - Clevis recognizes thumbprints using SHA-256 and handles them correctly. As a result, Clevis - clients can bind not only to Tang servers using SHA-1 but also SHA-256 thumbprints. -

-
-

- Bugzilla:2209058 -

-
-

Rsyslog can start even without capabilities

-

- When Rsyslog is executed as a normal user or in a containerized environment, the rsyslog process has no capabilities. Consequently, Rsyslog in this - scenario could not drop capabilities and exited at startup. With this update, the process no - longer attempts to drop capabilities if it has no capabilities. As a result, Rsyslog can start - even when it has no capabilities. -

-
-

- Jira:RHELPLAN-160541[1] -

-
-

fapolicyd service no longer runs programs that - are removed from the trusted database

-

- Previously, the fapolicyd service incorrectly handled a program as - trusted even after it was removed from the trusted database. As a result, entering the fapolicyd-cli --update command had no effect, and the program could - be executed even after being removed. With this update, the fapolicyd-cli --update command correctly updates the trusted programs - database, and removed programs can no longer be executed. -

-
-

- Jira:RHEL-630 -

-
-

fapolicyd service now creates RPM database - files with correct ownership

-

- Previously, the fapolicyd service created and owned RPM database - files in the /var/lib/rpm/ directory. As a result, other programs - were unable to access the files, which resulted in availability control errors. With this - update, fapolicyd creates the files with correct ownership, and the - errors no longer occur. -

-
-

- Jira:RHEL-829 -

-
-
-
-
-
-

8.3. Software management

-
-
-
-
-

The yum needs-restarting -s command now - correctly displays the list of systemd services

-

- Previously, when you used the needs-restarting command with the - -s or --services option, an error - occurred when a non-systemd or malfunctioning process was detected. With this update, the yum needs-restarting -s command ignores such processes and displays a - warning instead with the list of affected systemd services. -

-
-

- Bugzilla:2122587 -

-
-

The dnf-automatic command now correctly - reports the exit status of transactions

-

- Previously, the dnf-automatic command returned a successful exit - code of a transaction even if some actions during this transaction were not successfully - completed. This could cause a security risk on machines that use dnf-automatic for automatic deployment of errata. With this update, - the issue has been fixed, and dnf-automatic now reports every - problem with packages during the transaction. -

-
-

- Bugzilla:2170093 -

-
-

YUM now handles proxy=_none_ - correctly

-

- You can use the YUM proxy=_none_ configuration option to prohibit - changing proxy settings. Previously, if you set proxy=_none_ in the - main configuration file, YUM detected an error. This update fixes the bug, and YUM now handles - proxy=_none_ correctly. -

-
-
-
Note
-
-

- The RHEL 8 YUM proxy=_none_ configuration is compatible with - the YUM configuration in RHEL 7. -

-
-
-

- Bugzilla:2155713 -

-
-

The needs-restarting plug-in now correctly - requires the system restart when a file owned by dbus is - updated by zlib

-

- Previously, when you ran the YUM needs-restarting plug-in, it did - not prompt to restart the system when a file owned by the dbus - package was updated by the dependent zlib package. With this - update, the issue has been fixed, and the needs-restarting plug-in - now displays a message that you must restart dbus when zlib is updated. -

-
-

- Bugzilla:2092033 -

-
-
-
-
-
-

8.4. Shells and command-line tools

-
-
-
-
-

The which command no longer fails for a long - path

-

- Previously, when you executed the which command in a directory with - a path longer than 256 characters, the command failed with the Can’t get current working directory error message. With this fix, the - which command now uses the PATH_MAX - value for the path length limit. As a result, the command no longer fails. -

-
-

- Bugzilla:2140566 -

-
-

ReaR now supports UEFI Secure Boot with OUTPUT=USB

-

- Previously, the OUTPUT=USB ReaR output method, which stores the - rescue image on a bootable disk drive, did not respect the SECURE_BOOT_BOOTLOADER setting. Consequently, on systems with UEFI - Secure Boot enabled, the disk with the rescue image would not boot because the bootloader was - not signed. -

-
-

- With this fix, the OUTPUT=USB ReaR output method now uses the - bootloader that you specify in the SECURE_BOOT_BOOTLOADER setting when - creating the rescue disk. To use the signed UEFI shim bootloader, change the following setting in - the /etc/rear/local.conf file: -

-
SECURE_BOOT_BOOTLOADER=/boot/efi/EFI/redhat/shimx64.efi
-

- As a result, the rescue disk is bootable when UEFI Secure Boot is enabled. It is safe to set the - variable to this value on all systems with UEFI, even when Secure Boot is not enabled. It is even - recommended for consistency. For details about the UEFI boot procedure and the shim bootloader, see - UEFI: what happens when booting - the system. -

-

- Bugzilla:2233526 -

-
-

ipmievd now recognizes SEL response correctly - when a SEL request times out

-

- The ipmievd service sends System Event Log (SEL) requests through - the /dev/ipmi0 device. Previously, due to a missing ID check of the - returned IPMI message, a timed-out request led to incorrect processing of the next request. For - example, if the Baseboard Management Controller (BMC) was reset, the SEL request from the ipmievd service timed out due to no SEL response. Consequently, ipmievd did not work correctly due to a non-corresponding SEL - response. As a result, you did not get the correct hardware state, and a large amount of wrong - hardware information was output to /var/log/messages. With this - fix, ipmitool and ipmievd now check - the ID of the returned IPMI message against the ID of the request and skip non-corresponding SEL - requests. ipmevd no longer logs incorrect hardware information. -

-
-

- Bugzilla:2224567[1] -

-
-
-
-
-
-

8.5. Networking

-
-
-
-
-

Intel Corporation I350 Gigabit Fiber Network Connection now provides a link - after kernel update

-

- Previously, hardware configurations with Small Formfactor Pluggable (SFP) transceiver modules - without External Thermal Sensor (ETS) caused the igb driver to - erroneously initialize the Inter-Integrated Circuit (I2C) to read ETS. As a consequence, - connections did not obtain links. With this bug fix, the igb driver - only initializes I2C when SFP with ETS is available. As a result, connections obtain links. -

-
-

- Bugzilla:2130727[1] -

-
-
-
-
-
-

8.6. Boot loader

-
-
-
-
-

grubby now passes arguments to a new kernel - correctly

-

- When you add a new kernel using the grubby tool and do not specify - any arguments, or leave the arguments blank, grubby will not pass - any arguments to the new kernel and root will not be set. Using the - --args and --copy-default options - ensures new arguments are appended to the default arguments. -

-
-

- Bugzilla:1900829 -

-
-
-
-
-
-

8.7. File systems and storage

-
-
-
-
-

multipathd adds the persistent reservation - registration key to all paths

-

- Previously, when the multipathd daemon started and it recognized a - registration key for the persistent reservations on one path of an existing multipath device, - not all paths of that device had the registration key. As a consequence, if new paths appeared - to a multipath device with persistent reservations while multipathd - was stopped, persistent reservations were not set up on those. This allowed IO processing on the - paths, even if they were supposed to be forbidden by the reservation key. -

-
-

- With this fix, if multipathd finds a persistent reservation - registration key on any device path, it adds the key to all active paths. As a result, multipath - devices now have persistent reservations set up correctly on all the paths, even if path devices - first appear while multipathd is not running. -

-

- Bugzilla:2164871 -

-
-

LUNs are now visible during the OS installation

-

- Previously, the system was not using the authentication information from firmware sources, - specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake - Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a - consequence, the iSCSI login failed during installation. -

-
-

- With the fix in the udisks2-2.9.4-9.el9 firmware authentication, this - issue is now resolved and LUNs are visible during the installation and initial boot. -

-

- Bugzilla:2213193[1] -

-
-
-
-
-
-

8.8. High availability and clusters

-
-
-
-
-

Pacemaker Designated Controller elections no longer finalized until all - pending actions are complete

-

- When a cluster elects a new Designated Controller (DC), all nodes send their current history to - the new DC, which saves it to the CIB. As a consequence, if actions were already in progress - when a new DC is elected, and the actions finish after the nodes send their current history to - the new DC, the actions' results could be lost. With this fix, DC elections are not finalized - until all pending actions are complete and no action results are lost. -

-
-

- Bugzilla:2010084 -

-
-

The fence_scsi agent is now able to - auto-detect shared lvmlockd devices

-

- Previously, the fence_scsi agent did not auto-detect shared lvmlockd devices. With this update, fence_scsi is able to auto-detect lvmlockd devices when the devices - attribute is not set. -

-
-

- Bugzilla:2187329 -

-
-

Resource stickiness now properly compares against colocation - scores

-

- Chained resource colocations are resources colocated with the resource that is colocated with - the resource being assigned. Previously, if the original colocation had a finite negative score, - and the chained colocation was mandatory, the original resource being assigned could be banned - from its node even if resource-stickiness was set to INFINITY. With - this fix, chained colocations are now taken into account proportionally and stickiness properly - compares against colocation scores. -

-
-

- Bugzilla:1632951[1] -

-
-

The crm_resource command now allows banning or - moving a bundle with only a single active replica

-

- Previously, when the crm_resource command checked where a bundle - with a single replica was active, the command counted both the node where the container was - active and the guest node that was created for the container itself. As a result, the crm_resource command would not ban or move a bundle with a single - active replica. With this fix, the crm_resource command now only - counts nodes where a bundle’s containers are active when determining the number of active - replicas. -

-
-

- Bugzilla:1578820 -

-
-

The mysql resource agent now works correctly - with promotable clone resources

-

- Previously, the mysql resource agent moved cloned resources that - were operating in a Master role between nodes, due to promotion scores changing between promoted - and non-promoted values. With this fix, a promoted node stays promoted. -

-
-

- Bugzilla:2039692 -

-
-

Unpromoted clone instances no longer restart unnecessarily

-

- Previously, promotable clone instances were assigned in numerical order, with promoted instances - first. As a result, if a promoted clone instance needed to start, an unpromoted instance in some - cases restarted unexpectedly, because the instance numbers changed. With this fix, roles are - considered when assigning instance numbers to nodes and as a result no unnecessary restarts - occur. -

-
-

- Bugzilla:1931023 -

-
-

A fence watchdog configured as a second fencing device now fences a node - when the first device times out

-

- Previously, when a watchdog fencing device was configured as the second device in a fencing - topology, the watchdog timeout would not be considered when calculating the timeout for the - fencing operation. As a result, if the first device timed out the fencing operation would time - out even though the watchdog would fence the node. With this fix, the watchdog timeout is - included in the fencing operation timeout and the fencing operation succeeds if the first device - times out. -

-
-

- Bugzilla:2168633 -

-
-

Location constraints with rules no longer displayed when listing is grouped - by nodes

-

- Location constraints with rules cannot have a node assigned. Previously, when you grouped the - listing by nodes, location constraints with rules were displayed under an empty node. With this - fix, the location constraints with rules are no longer displayed and a warning is given - indicating that constraints with rules are not displayed. -

-
-

- Bugzilla:2166294 -

-
-

pcs command to update multipath SCSI devices - now works correctly

-

- Due to changes in the Pacemaker CIB file, the pcs stonith update-scsi-devices command stopped working as designed, - causing an unwanted restart of some cluster resources. With this fix, this command works - correctly and updates SCSI devices without requiring a restart of other cluster resources - running on the same node. -

-
-

- Bugzilla:2179010 -

-
-

Memory footprint of pcsd-ruby daemon now - reduced when pscd Web UI is open

-

- Previously, when the pcsd Web UI was open, memory usage of the - pcsd-ruby daemon increased steadily over the course of several - hours. With this fix, the web server that runs in the pcsd-ruby - daemon now periodically performs a graceful restart. This frees the allocated memory and reduces - the memory footprint. -

-
-

- Bugzilla:2189958[1] -

-
-

The azure-events-az resource agent no longer - produces an error with Pacemaker 2.1 and later

-

- The azure-events-az resource agent executes the crm_simulate -Ls command and parses the output. With Pacemaker 2.1 - and later, the output of the crm_simulate command no longer - contains the text Transition Summary:, which resulted in an error. - With this fix, the agent no longer yields an error when this text is missing. -

-
-

- Bugzilla:2181019 -

-
-
-
-
-
-

8.9. Compilers and development tools

-
-
-
-
-

systemtap scripts using guru mode now compile - more quickly

-

- The systemtap guru mode liveness analysis uses the dyninst library to parse binaries. Newer kernels enable mitigation - code with CONFIG_RETPOLINE=y, replacing traditional RET - instructions, with jumps to a thunk. As a consequence, binary analysis took a much longer time - due to the liveness analysis needing to examine all additional edges of the control flow graph - introduced by the jumps to the thunk. -

-
-

- With this update, systemtap disables liveness analysis when the kernel - code is using thunks and, as a result, systemtap scripts using guru - mode compile more quickly. -

-

- Bugzilla:2126805 -

-
-

eu-addr2line -C now correctly recognizes other - arguments

-

- Previously, when you used the -C argument in eu-addr2line command from elfutils, the - following single character argument disappeared. Consequently, the eu-addr2line -Ci command behaved the same way as eu-addr2line -C while eu-addr2line -iC - worked as expected. This bug has been fixed, and eu-addr2line -Ci - now recognizes both arguments. -

-
-

- Bugzilla:2236183 -

-
-

eu-addr2line -i now correctly handles code - compiled with GCC link-time optimization

-

- Previously, the dwarf_getscopes function from the libdw library included in elfutils was - unable to find an abstract origin definition of a function that was compiled with GCC link-time - optimization. Consequently, when you used the -i argument in the - eu-addr2line command, eu-addr2line was - unable to show inline functions for code compiled with gcc -flto. - With this update, the libdw dwarf_getscopes function looks in the - correct compile unit for the inlined scope, and eu-addr2line -i - works as expected. -

-
-

- Bugzilla:2162495 -

-
-
-
-
-
-

8.10. Identity Management

-
-
-
-
-

SSSD now uses sAMAccountName when evaluating - GPO-based access control

-

- Previously, if ldap_user_name was set to a value other than sAMAccountName on an AD client, GPO-based access control failed. With - this update, SSSD now always uses sAMAccountName when evaluating - GPO-based access control. Even if ldap_user_name is set to a value - different from sAMAccountName on an AD client, GPO-based access - control now works correctly. -

-
-

- Jira:SSSD-6107 -

-
-

SSSD now handles duplicate attributes in the user_attributes option when retrieving users

-

- Previously, if sssd.conf contained duplicate attributes in the - user_attributes option, SSSD did not handle these duplicates - correctly. As a consequence, users with those attributes could not be retrieved. With this - update, SSSD now handles duplicates correctly. As a result, users with duplicate attributes can - now be retrieved. -

-
-

- Jira:SSSD-6177 -

-
-

Changing a security parameter now works correctly

-

- Previously, when you changed a security parameter by using the dsconf instance_name security set - command, the operation failed with the error: -

-
-
Name 'log' is not defined
-

- With this update, the security parameter change works as expected. -

-

- Bugzilla:2166284 -

-
-

Directory Server now calculates the dtablesize - based on the maximum number of opened descriptors

-

- Previously, an administrator could set the connection table size manually by using the nsslapd-conntablesize configuration parameter. Consequently, when the - connection table size was set too low, it affected the number of connections the server was able - to support. With this update, Directory Server now calculates the size of the connection table - dynamically effectively resolving the issue with too small connection table size. In addition, - you no longer need to manually change the connection table size. -

-
-

- Bugzilla:2210491 -

-
-

The dsctl healthcheck command now uses the - password storage scheme PBKDF2-SHA512 by default

-

- Previously, the dsctl healthcheck command used SSHA512 password storage scheme by default. Consequently, the command - reported a warning because it did not detect the new password storage scheme PBKDF2-SHA512. With this update, the dsctl healthcheck command now uses PBKDF2-SHA512 password storage scheme by default and no warnings - occur. -

-
-

- Bugzilla:2220890 -

-
-

Paged searches from a regular user now do not impact performance -

-

- Previously, when Directory Server was under the search load, paged searches from a regular user - could impact the server performance because a lock conflicted with the thread that polls for - network events. In addition, if a network issue occurred while sending the page search, the - whole server was unresponsive until the nsslapd-iotimeout parameter - expired. With this update, the lock was split into several parts to avoid the contention with - the network events. As a result, no performance impact during paged searches from a regular - user. -

-
-

- Bugzilla:2224505 -

-
-

You can now enable and disable ciphers in Directory Server as - expected

-

- Previously, when you tried to enable or disable specific ciphers in addition to default ciphers - by using the web console, the server enabled or disabled only the specific ciphers and logged an - error similar to the following: -

-
-
Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,+cipher_name>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
-

- Currently, the network security services (NSS) do not support handling default ciphers and specific - ciphers at the same time. As a result, Directory Server can enable or disable either specific - ciphers or default ciphers. With this update, when you set the default ciphers, the web console now - prompts that Allow Specific Ciphers and Deny Specific Ciphers fields will be cleared. -

-

- Bugzilla:1817505 -

-
-

Deleting the IdM admin user is now no longer - permitted

-

- Previously, nothing prevented you from deleting the Identity Management (IdM) admin user if you were a member of the admins group. The absence of the admin - user causes the trust between IdM and Active Directory (AD) to stop functioning correctly. With - this update, you can no longer delete the admin user. As a result, - the IdM-AD trust works correctly. -

-
-

- Bugzilla:1821181 -

-
-

IdM clients correctly retrieve information for trusted AD users when their - names contain mixed case characters

-

- Previously, if you attempted a user lookup or authentication of a user, and that trusted Active - Directory (AD) user contained mixed case characters in their names and they were configured with - overrides in IdM, an error was returned preventing users from accessing IdM resources. -

-
-

- With the release of RHBA-2023:4525, a case-sensitive - comparison is replaced with a case-insensitive comparison that ignores the case of a character. As a - result, IdM clients can now lookup users of an AD trusted domain, even if their usernames contain - mixed case characters and they are configured with overrides in IdM. -

-

- Jira:SSSD-6096 -

-
-
-
-
-
-

8.11. Graphics infrastructures

-
-
-
-
-

The installer no longer freezes on servers with ASPEED 2600

-

- Previously, the graphical RHEL 8.8 installer became unresponsive with a black screen when you - started the installer on a server with the ASPEED 2600 On System Management Chipset. - Consequently, you could not install RHEL 8.8 on the server. -

-
-

- With this release, the problem has been fixed. As a result, the installation now proceeds as - expected with ASPEED 2600. -

-

- Bugzilla:2189645[1] -

-
-
-
-
-
-

8.12. The web console

-
-
-
-
-

The web console NBDE binding steps now work also on volume groups with a - root file system

-

- In RHEL 8.8, due to a bug in the code for determining whether or not the user was adding a Tang - key to the root file system, the binding process in the web console crashed when there was no - file system on the LUKS container at all. Because the web console displayed the error message - TypeError: Qe(…​) is undefined after you had clicked the Trust key button in the Verify key - dialog, you had to perform all the required steps in the command-line interface in the described - scenario. -

-
-

- With this update, the web console correctly handles additions of Tang keys to root file systems. As - a result, the web console finishes all binding steps required for the automated unlocking of - LUKS-encrypted volumes using Network-Bound Disk Encryption (NBDE) in various scenarios. -

-

- Bugzilla:2212350 -

-
-

VNC console now works at most resolutions

-

- Previously, when using the Virtual Network Computing (VNC) console under certain display - resolutions, a mouse offset problem was present or only a part of the interface was visible. - Consequently, using the VNC console was not possible. -

-
-

- With this update, the problem has been fixed and the VNC console works correctly at most - resolutions, with the exception of ultra high resolutions, such as 3840x2160. -

-

- Note that a small offset between the recorded and displayed positions of the cursor might still be - present. However, this does not significantly impact the usability of the VNC console. -

-

- Bugzilla:2030836 -

-
-
-
-
-
-

8.13. Red Hat Enterprise Linux system roles

-
-
-
-
-

The storage role can now resize the mounted - file systems without unmounting

-

- Previously, the storage role was unable to resize mounted devices, - even if the file system supported online resizing. As a consequence, the storage role unmounted all file systems prior to resizing, which - failed for file systems that were in use, for example, while resizing the / directory of the running system. -

-
-

- With this update, the storage role now supports resizing mounted file - systems that support online resizing such as XFS and Ext4. As a result, the mounted file systems can - now be resized without unmounting them. -

-

- Bugzilla:2168738 -

-
-

The certificate RHEL system role now checks - for the certificate key size when determining whether to perform a new certificate - request

-

- Previously, the certificate RHEL system role did not check the key - size of a certificate when evaluating whether to request a new certificate. As a consequence, - the role sometimes did not issue new certificate requests in cases where it should. With this - update, certificate now checks the key_size parameter to determine if a new certificate request should - be performed. -

-
-

- Bugzilla:2186057 -

-
-

Insights tags created by using the rhc role - are now applied correctly

-

- Previously, when you created Insights tags by using the rhc role, - tags were not stored in the correct file. Consequently, tags were not sent to Insights and as a - result they were not applied to the systems in the Insights inventory. -

-
-

- With this fix, tags are stored correctly and applied to the systems present in the Insights - inventory. -

-

- Bugzilla:2209441 -

-
-

The firewall RHEL system role on RHEL 7 no - longer attempts to install non-existent Python packages

-

- Previously, when the firewall role on RHEL 7 was called from - another role, and that role was using python3, the firewall role attempted to install the python3-firewall library for that version of Python. However, that - library is not available in RHEL 7. Consequently, the python3-firewall library was not found, and you received the - following error message: -

-
-
No package matching 'python3-firewall' found available, installed or updated
-

- With this update, the firewall role does not attempt to install the - python-firewall or python3-firewall - library. As a result, the firewall role does not fail on RHEL 7 when - python3 is installed on the managed node. -

-

- Bugzilla:2216521 -

-
-

Failure to remove data from member disks before creation no longer - persists

-

- Previously, when creating RAID volumes, the system did not effectively eliminate existing data - from member disks before forming the RAID volume. With this update, RAID volumes remove any - per-existing data from member disks as needed. -

-
-

- Bugzilla:2224094 -

-
-

The podman_registries_conf variable now - configures unqualified-search-registries field - correctly

-

- Previously, after configuring the podman_registries_conf variable, - the podman RHEL system role failed. Consequently, unqualified-search-registries = ["registry.access.redhat.com"] - setting was not generated in the /etc/containers/registries.conf.d/50-systemroles.conf file. With this - update, this problem has been fixed. -

-
-

- Bugzilla:2226077 -

-
-

raid_chunk_size parameter no longer returns an - error message

-

- Previously, raid_chunk_size attribute was not allowed for RAID - pools and volumes. With this update, you can now configure the raid_chunk_size attribute for RAID pools and volumes without - encountering any restrictions. -

-
-

- Bugzilla:2193057 -

-
-

Running the firewall RHEL system role in check - mode with non-existent services no longer fails

-

- Previously, running the firewall role in check mode with - non-existent services would fail. This fix implements better compliance with Ansible best - practices for check mode. As a result, non-existent services being enabled or disabled no longer - fails the role in check mode. Instead, a warning prompts you to confirm that the service is - defined in a previous playbook. -

-
-

- Bugzilla:2222433 -

-
-

The kdump role adds authorized_keys idempotently

-

- Previously, the task to add authorized_key added an extra newline - character every time. Consequently the role was not acting idempotent. With this fix, adding a - new authorized_key works correctly and adds only a single key value - idempotently. -

-
-

- Bugzilla:2232391 -

-
-

The kdump system role does not fail if authorized_keys are missing

-

- Previously, the kdump system role failed to add SSH authorized keys if the user defined in the kdump_ssh_user variable did not have access to the .ssh directory in the home directory or - an empty .ssh/authorized_keys file. With this fix, the kdump system role now correctly adds authorized keys to the SSH configuration. As a result, the key based authentication works - reliably in the described scenario. -

-
-

- Bugzilla:2232392 -

-
-

The firewall RHEL system role correctly - reports changes when using previous: replaced in check - mode

-

- Previously, the firewall role was not checking whether any files - would be changed when using the previous: replaced parameter in - check mode. As a consequence, the role gave an error about undefined variables. This fix adds - new check variables to the check mode to assess whether any files would be changed by the previous: replaced parameter. The check for the firewalld.conf file assesses the rpm - database to determine whether the file has been changed from the version shipped in the package. - As a result, the firewall role now correctly reports changes when - using the previous: replaced parameter. -

-
-

- Jira:RHEL-899[1] -

-
-

Enabling kdump for system role requires using - the failure_action configuration parameter on RHEL 9 and later - versions

-

- Previously, using the default option during kdump configuration was not successful and printed the following - warning in logs: -

-
-
kdump: warning: option 'default' was renamed 'failure_action' and will be removed in the future.
-please update /etc/kdump.conf to use option 'failure_action' instead.
-

- Consequently, the role did not enable kdump successfully if default option was used. This update fixes the problem and you can - configure kernel dump parameters on multiple systems by using the failure_action parameter. As a result, enabling kdump works successfully in the described scenario. -

-

- Jira:RHEL-907[1] -

-
-

The firewall RHEL system role correctly - reports changes when assigning zones to Network Manager interfaces

-

- Previously, the Network Manager interface assignment reported changes when no changes were - present. With this fix, the try_set_zone_of_interface module in the - file library/firewall_lib.py returns a second value, which denotes - whether the interface’s zone was changed. As a result, the module now correctly reports changes - when assigning zones to interfaces handled by Network Manager. -

-
-

- Jira:RHEL-918[1] -

-
-

The kdump role successfully updates .ssh/authorized_keys for kdump_ssh_server authentication

-

- Previously, the .ssh directory was not accessible by the kdump role to securely authenticate users to log into kdump_ssh_server. As a consequence, the kdump role did not update the .ssh/authorized_keys file and the SSH mechanism to verify the kdump_ssh_server failed. This update fixes the problem. As a result - the kdump_ssh_user authentication on kdump_ssh_server works reliably. -

-
-

- Jira:RHEL-1398[1] -

-
-

The previous: replaced parameter of the firewall system role now overrides the previous configuration - without deleting it

-

- Previously, if you added the previous: replaced parameter to the - variable list, the firewall system role removed all existing - user-defined settings and reset firewalld to the default settings. - This fix uses the fallback configuration in firewalld, which was - introduced in the EL7 release, to retain the previous configuration. As a result, when you use - the previous: replaced parameter in the variable list, the firewall.conf configuration file is not deleted on reset, but the - file and comments in the file are retained. -

-
-

- Jira:RHEL-1496[1] -

-
-

The kdump role adds multiple keys to authorized_keys idempotently

-

- Previously, adding multiple SSH keys to the authorized_keys file at - the same time replaced the key value of one host by another. This update fixes the problem by - using the lineinfile module to manage the authorized_keys file. lineinfile - iterates the tasks in sequence, checking for an existing key and writing the new key in one - atomic operation on a single host at one time. As a result, adding SSH keys on multiple hosts - works correctly, and does not replace the key value from another host. -

-
-

- Note: Use the serial: 1 play serial keyword at play level to control - the number of hosts executing at one time. -

-

- Jira:RHEL-1500[1] -

-
-
-
-
-
-

8.14. Virtualization

-
-
-
-
-

Hot plugging a Watchdog card to a virtual machine no longer fails -

-

- Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine - (VM) failed with the following error: -

-
-
Failed to configure watchdog
-ERROR Error attempting device hotplug: internal error: No more available PCI slots
-

- With this update, the problem has been fixed and adding a Watchdog card to a running VM now works as - expected. -

-

- Bugzilla:2173584 -

-
-
-
-
-
-
-

Chapter 9. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 8.9. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

9.1. Infrastructure services

-
-
-
-
-

Socket API for TuneD available as a Technology Preview

-

- The socket API for controlling TuneD through a UNIX domain socket is now available as a - Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an - alternative communication method for cases where D-Bus is not available. By using the socket - API, you can control the TuneD daemon to optimize the performance, and change the values of - various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file. -

-
-

- Bugzilla:2113900 -

-
-
-
-
-
-

9.2. Networking

-
-
-
-
-

AF_XDP available as a Technology - Preview

-

- Address Family eXpress Data Path (AF_XDP) socket is designed for high-performance packet processing. It - accompanies XDP and grants efficient redirection of - programmatically selected packets to user space applications for further processing. -

-
-

- Bugzilla:1633143[1] -

-
-

XDP features that are available as Technology Preview

-

- Red Hat provides the usage of the following eXpress Data Path (XDP) features as unsupported - Technology Preview: -

-
-
-
    -
  • - Loading XDP programs on architectures other than AMD and Intel 64-bit. Note that the libxdp library is not available for architectures other than AMD - and Intel 64-bit. -
  • -
  • - The XDP hardware offloading. -
  • -
-
-

- Bugzilla:1889737 -

-
-

Multi-protocol Label Switching for TC available as a Technology - Preview

-

- The Multi-protocol Label Switching (MPLS) is an in-kernel data-forwarding mechanism to route - traffic flow across enterprise networks. In an MPLS network, the router that receives packets - decides the further route of the packets based on the labels attached to the packet. With the - usage of labels, the MPLS network has the ability to handle packets with particular - characteristics. For example, you can add tc filters for managing - packets received from specific ports or carrying specific types of traffic, in a consistent way. -

-
-

- After packets enter the enterprise network, MPLS routers perform multiple operations on the packets, - such as push to add a label, swap to - update a label, and pop to remove a label. MPLS allows defining actions - locally based on one or multiple labels in RHEL. You can configure routers and set traffic control - (tc) filters to take appropriate actions on the packets based on the - MPLS label stack entry (lse) elements, such as label, traffic class, bottom of stack, and time to live. -

-

- For example, the following command adds a filter to the enp0s1 network interface to match incoming packets having the - first label 12323 and the second label 45832. On matching packets, the following actions are taken: -

-
-
    -
  • - the first MPLS TTL is decremented (packet is dropped if TTL reaches 0) -
  • -
  • - the first MPLS label is changed to 549386 -
  • -
  • -

    - the resulting packet is transmitted over enp0s2, - with destination MAC address 00:00:5E:00:53:01 - and source MAC address 00:00:5E:00:53:02 -

    -
    # tc filter add dev enp0s1 ingress protocol mpls_uc flower mpls lse depth 1 label 12323 lse depth 2 label 45832 \
    -action mpls dec_ttl pipe \
    -action mpls modify label 549386 pipe \
    -action pedit ex munge eth dst set 00:00:5E:00:53:01 pipe \
    -action pedit ex munge eth src set 00:00:5E:00:53:02 pipe \
    -action mirred egress redirect dev enp0s2
    -
  • -
-
-

- Bugzilla:1814836[1], Bugzilla:1856415 -

-
-

act_mpls module available as a Technology - Preview

-

- The act_mpls module is now available in the kernel-modules-extra rpm as a Technology Preview. The module allows - the application of Multiprotocol Label Switching (MPLS) actions with Traffic Control (TC) - filters, for example, push and pop MPLS label stack entries with TC filters. The module also - allows the Label, Traffic Class, Bottom of Stack, and Time to Live fields to be set - independently. -

-
-

- Bugzilla:1839311[1] -

-
-

The systemd-resolved service is now available - as a Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, a Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that, even if the systemd package provides systemd-resolved, this service is an unsupported Technology Preview. -

-

- Bugzilla:1906489 -

-
-
-
-
-
-

9.3. Kernel

-
-
-
-
-

Soft-RoCE available as a Technology Preview

-

- Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) is a network protocol that - implements RDMA over Ethernet. Soft-RoCE is the software implementation of RoCE which maintains - two protocol versions, RoCE v1 and RoCE v2. The Soft-RoCE driver, rdma_rxe, is available as an unsupported Technology Preview in RHEL - 8. -

-
-

- Bugzilla:1605216[1] -

-
-

eBPF available as a - Technology Preview

-

- Extended Berkeley Packet Filter (eBPF) is an - in-kernel virtual machine that allows code execution in the kernel space, in the restricted - sandbox environment with access to a limited set of functions. -

-
-

- The virtual machine includes a new system call bpf(), which enables - creating various types of maps, and also allows to load programs in a special assembly-like code. - The code is then loaded to the kernel and translated to the native machine code with just-in-time - compilation. Note that the bpf() syscall can be successfully used only - by a user with the CAP_SYS_ADMIN capability, such as the root user. See - the bpf(2) manual page for more information. -

-

- The loaded programs can be attached onto a variety of points (sockets, tracepoints, packet - reception) to receive and process data. -

-

- There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a - different development phase. All components are available as a Technology Preview, unless a specific - component is indicated as supported. -

-

- The following notable eBPF components are - currently available as a Technology Preview: -

-
-
    -
  • - AF_XDP, a socket for connecting the eXpress Data Path (XDP) path to user space - for applications that prioritize packet processing performance. -
  • -
-
-

- Bugzilla:1559616[1] -

-
-

The kexec fast reboot feature is available as - a Technology Preview

-

- The kexec fast reboot feature continues to be available as a - Technology Preview. The kexec fast reboot significantly speeds the - boot process as you can boot directly into the second kernel without passing through the Basic - Input/Output System (BIOS) or firmware first. To use this feature: -

-
-
-
    -
  1. - Load the kexec kernel manually. -
  2. -
  3. - Reboot for changes to take effect. -
  4. -
-
-

- Note that the kexec fast reboot capability is available with a limited - scope of support on RHEL 9 and later releases. -

-

- Bugzilla:1769727 -

-
-

The Intel data streaming accelerator driver for kernel is available as a - Technology Preview

-

- The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a - Technology Preview. It is an Intel CPU integrated accelerator and includes a shared work queue - with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- Bugzilla:1837187[1] -

-
-

The accel-config package available as a - Technology Preview

-

- The accel-config package is now available on Intel EM64T and AMD64 architectures as a - Technology Preview. This package helps in controlling and configuring data-streaming accelerator - (DSA) sub-system in the Linux Kernel. Also, it configures devices through sysfs (pseudo-filesystem), saves and loads the configuration in the - json format. -

-
-

- Bugzilla:1843266[1] -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using - the Flexible Launch Control mechanism to use - the SGX technology. Version 2 adds Enclave Dynamic Memory - Management (EDMM). Notable features include: -

-
-
-
    -
  • - Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave. -
  • -
  • - Dynamic addition of regular enclave pages to an initialized enclave. -
  • -
  • - Expanding an initialized enclave to accommodate more threads. -
  • -
  • - Removing regular and TCS pages from an initialized enclave. -
  • -
-
-

- Bugzilla:1660337[1] -

-
-
-
-
-
-

9.4. File systems and storage

-
-
-
-
-

File system DAX is now available for ext4 and XFS as a Technology - Preview

-

- In Red Hat Enterprise Linux 8, the file system DAX is available as a Technology Preview. DAX - provides a means for an application to directly map persistent memory into its address space. To - use DAX, a system must have some form of persistent memory available, usually in the form of one - or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that provides the - capability of DAX must be created on the NVDIMM(s). Also, the file system must be mounted with - the dax mount option. Then, a mmap of - a file on the dax-mounted file system results in a direct mapping of storage into the - application’s address space. -

-
-

- Bugzilla:1627455[1] -

-
-

OverlayFS

-

- OverlayFS is a type of union file system. It enables you to overlay one file system on top of - another. Changes are recorded in the upper file system, while the lower file system remains - unmodified. This allows multiple users to share a file-system image, such as a container or a - DVD-ROM, where the base image is on read-only media. -

-
-

- OverlayFS remains a Technology Preview under most circumstances. As such, the kernel logs warnings - when this technology is activated. -

-

- Full support is available for OverlayFS when used with supported container engines (podman, cri-o, or buildah) under the following restrictions: -

-
-
    -
  • - OverlayFS is supported for use only as a container engine graph driver or other specialized - use cases, such as squashed kdump initramfs. Its use is - supported primarily for container COW content, not for persistent storage. You must place - any persistent storage on non-OverlayFS volumes. You can use only the default container - engine configuration: one level of overlay, one lowerdir, and both lower and upper levels - are on the same file system. -
  • -
  • - Only XFS is currently supported for use as a lower layer file system. -
  • -
-
-

- Additionally, the following rules and limitations apply to using OverlayFS: -

-
-
    -
  • - The OverlayFS kernel ABI and user-space behavior are not considered stable, and might change - in future updates. -
  • -
  • -

    - OverlayFS provides a restricted set of the POSIX standards. Test your application - thoroughly before deploying it with OverlayFS. The following cases are not - POSIX-compliant: -

    -
    -
      -
    • - Lower files opened with O_RDONLY do not receive - st_atime updates when the files are read. -
    • -
    • - Lower files opened with O_RDONLY, then mapped with - MAP_SHARED are inconsistent with subsequent - modification. -
    • -
    • -

      - Fully compliant st_ino or d_ino values are not enabled by default on RHEL - 8, but you can enable full POSIX compliance for them with a module option or - mount option. -

      -

      - To get consistent inode numbering, use the xino=on mount option. -

      -

      - You can also use the redirect_dir=on and index=on options to improve POSIX compliance. - These two options make the format of the upper layer incompatible with an - overlay without these options. That is, you might get unexpected results or - errors if you create an overlay with redirect_dir=on or index=on, unmount the overlay, then mount the - overlay without these options. -

      -
    • -
    -
    -
  • -
  • -

    - To determine whether an existing XFS file system is eligible for use as an overlay, use - the following command and see if the ftype=1 option is - enabled: -

    -
    # xfs_info /mount-point | grep ftype
    -
  • -
  • - SELinux security labels are enabled by default in all supported container engines with - OverlayFS. -
  • -
  • - Several known issues are associated with OverlayFS in this release. For details, see Non-standard behavior in the Linux kernel - documentation. -
  • -
-
-

- For more information about OverlayFS, see the Linux kernel - documentation. -

-

- Bugzilla:1690207[1] -

-
-

Stratis is now available as a Technology Preview

-

- Stratis is a new local storage manager, which provides managed file systems on top of pools of - storage with additional features. It is provided as a Technology Preview. -

-
-

- With Stratis, you can perform the following storage tasks: -

-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. For more - information, see the Setting - up Stratis file systems documentation. -

-

- RHEL 8.5 updated Stratis to version 2.4.2. For more information, see the Stratis 2.4.2 Release - Notes. -

-

- Jira:RHELPLAN-1212[1] -

-
-

NVMe/TCP host is available as a Technology Preview

-

- Accessing and sharing Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) - and its corresponding nvme_tcp.ko kernel module has been added as a - Technology Preview. The use of NVMe/TCP as a host is manageable with tools provided by the nvme-cli package. The NVMe/TCP host Technology Preview is included - only for testing purposes and is not currently planned for full support. -

-
-

- Bugzilla:1696451[1] -

-
-

Setting up a Samba server on an IdM domain member is provided as a - Technology Preview

-

- With this update, you can now set up a Samba server on an Identity Management (IdM) domain - member. The new ipa-client-samba utility provided by the same-named - package adds a Samba-specific Kerberos service principal to IdM and prepares the IdM client. For - example, the utility creates the /etc/samba/smb.conf with the ID - mapping configuration for the sss ID mapping back end. As a result, - administrators can now set up Samba on an IdM domain member. -

-
-

- Due to IdM Trust Controllers not supporting the Global Catalog Service, AD-enrolled Windows hosts - cannot find IdM users and groups in Windows. Additionally, IdM Trust Controllers do not support - resolving IdM groups using the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) - protocols. As a consequence, AD users can only access the Samba shares and printers from IdM - clients. -

-

- For details, see Setting - up Samba on an IdM domain member. -

-

- Jira:RHELPLAN-13195[1] -

-
-
-
-
-
-

9.5. High availability and clusters

-
-
-
-
-

Pacemaker podman bundles available as a - Technology Preview

-

- Pacemaker container bundles now run on Podman, with the container bundle feature being available - as a Technology Preview. There is one exception to this feature being Technology Preview: Red - Hat fully supports the use of Pacemaker bundles for Red Hat OpenStack. -

-
-

- Bugzilla:1619620[1] -

-
-

Heuristics in corosync-qdevice available as a - Technology Preview

-

- Heuristics are a set of commands executed locally on startup, cluster membership change, - successful connect to corosync-qnetd, and, optionally, on a - periodic basis. When all commands finish successfully on time (their return error code is zero), - heuristics have passed; otherwise, they have failed. The heuristics result is sent to corosync-qnetd where it is used in calculations to determine which - partition should be quorate. -

-
-

- Bugzilla:1784200 -

-
-

New fence-agents-heuristics-ping fence - agent

-

- As a Technology Preview, Pacemaker now provides the fence_heuristics_ping agent. This agent aims to open a class of - experimental fence agents that do no actual fencing by themselves but instead exploit the - behavior of fencing levels in a new way. -

-
-

- If the heuristics agent is configured on the same fencing level as the fence agent that does the - actual fencing but is configured before that agent in sequence, fencing issues an off action on the heuristics agent before it attempts to do so on the - agent that does the fencing. If the heuristics agent gives a negative result for the off action it is already clear that the fencing level is not going to - succeed, causing Pacemaker fencing to skip the step of issuing the off - action on the agent that does the fencing. A heuristics agent can exploit this behavior to prevent - the agent that does the actual fencing from fencing a node under certain conditions. -

-

- A user might want to use this agent, especially in a two-node cluster, when it would not make sense - for a node to fence the peer if it can know beforehand that it would not be able to take over the - services properly. For example, it might not make sense for a node to take over services if it has - problems reaching the networking uplink, making the services unreachable to clients, a situation - which a ping to a router might detect in that case. -

-

- Bugzilla:1775847[1] -

-
-
-
-
-
-

9.6. Identity Management

-
-
-
-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- Bugzilla:1664719 -

-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

- -

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- Bugzilla:1664718 -

-
-

ACME available as a Technology Preview

-

- The Automated Certificate Management Environment (ACME) service is now available in Identity - Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation - and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and - avoiding manual processes from certificate lifecycle management. -

-
-

- In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS - ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM - deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity - period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire - IdM deployment. -

-
-
Important
-
-

- It is recommended to enable ACME only in an IdM deployment where all servers are running - RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause - problems in mixed-version deployments. For example, a CA server without ACME can cause - client connections to fail, because it uses a different DNS Subject Alternative Name (SAN). -

-
-
-
-
Warning
-
-

- Currently, RHCS does not remove expired certificates. Because ACME certificates expire after - 90 days, the expired certificates can accumulate and this can affect performance. -

-
-
-
-
    -
  • -

    - To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command: -

    -
    # ipa-acme-manage enable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command: -

    -
    # ipa-acme-manage disable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To check whether the ACME service is installed and if it is enabled or disabled, use the - ipa-acme-manage status command: -

    -
    # ipa-acme-manage status
    -ACME is enabled
    -The ipa-acme-manage command was successful
    -
  • -
-
-

- Bugzilla:1628987[1] -

-
-

sssd-idp sub-package available as a Technology Preview

-

- The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which - are client-side components that perform OAuth2 authentication against Identity Management (IdM) - servers. This feature is available only with IdM servers on RHEL 8.7 and later. -

-
-

- Bugzilla:2065692 -

-
-

SSSD internal krb5 idp plugin available as a Technology Preview -

-

- The SSSD krb5 idp plugin allows you to authenticate against an - external identity provider (IdP) using the OAuth2 protocol. This feature is available only with - IdM servers on RHEL 8.7 and later. -

-
-

- Bugzilla:2056483 -

-
-

RHEL IdM allows delegating user authentication to external identity - providers as a Technology Preview

-

- As a Technology Preview in RHEL IdM, you can now associate users with external identity - providers (IdP) that support the OAuth 2 device authorization flow. When these users - authenticate with the SSSD version available in RHEL 8.7 or later, they receive RHEL IdM single - sign-on capabilities with Kerberos tickets after performing authentication and authorization at - the external IdP. -

-
-

- Notable features include: -

-
-
    -
  • - Adding, modifying, and deleting references to external IdPs with ipa idp-* commands -
  • -
  • - Enabling IdP authentication for users with the ipa user-mod --user-auth-type=idp command -
  • -
-
-

- For additional information, see Using - external identity providers to authenticate to IdM. -

-

- Bugzilla:2101770 -

-
-
-
-
-
-

9.7. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology - Preview. -

-
-

- You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can - manage the server using graphical applications. -

-

- A limited set of graphical applications is available on 64-bit ARM. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- Jira:RHELPLAN-27394[1], Bugzilla:1667225, Bugzilla:1724302, - Bugzilla:1667516 -

-
-

GNOME for the IBM Z architecture available as a Technology Preview -

-

- The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview. -

-
-

- You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage - the server using graphical applications. -

-

- A limited set of graphical applications is available on IBM Z. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- Jira:RHELPLAN-27737[1] -

-
-
-
-
-
-

9.8. Graphics infrastructures

-
-
-
-
-

VNC remote console available as a Technology Preview for the 64-bit ARM - architecture

-

- On the 64-bit ARM architecture, the Virtual Network Computing (VNC) remote console is available - as a Technology Preview. Note that the rest of the graphics stack is currently unverified for - the 64-bit ARM architecture. -

-
-

- Bugzilla:1698565[1] -

-
-
-
-
-
-

9.9. Virtualization

-
-
-
-
-

KVM virtualization is usable in RHEL 8 Hyper-V virtual machines -

-

- As a Technology Preview, nested KVM virtualization can now be used on the Microsoft Hyper-V - hypervisor. As a result, you can create virtual machines on a RHEL 8 guest system running on a - Hyper-V host. -

-
-

- Note that currently, this feature only works on Intel and AMD systems. In addition, nested - virtualization is in some cases not enabled by default on Hyper-V. To enable it, see the following - Microsoft documentation: -

-

- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization -

-

- Bugzilla:1519039[1] -

-
-

AMD SEV and SEV-ES for KVM virtual machines

-

- As a Technology Preview, RHEL 8 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts the VM’s memory to protect the VM from access by the host. This increases the security - of the VM. -

-
-

- In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology - Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host - from modifying the VM’s CPU registers or reading any information from them. -

-

- Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. - Also note that RHEL 8 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security - attestation. -

-

- Bugzilla:1501618[1], Jira:RHELPLAN-7677, Bugzilla:1501607 -

-
-

Intel vGPU available as a Technology Preview

-

- As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that only selected Intel GPUs are compatible with the vGPU feature. -

-

- In addition, it is possible to enable a VNC console operated by Intel vGPU. By enabling it, users - can connect to a VNC console of the VM and see the VM’s desktop hosted by Intel vGPU. However, this - currently only works for RHEL guest operating systems. -

-

- Note that this feature is deprecated and will be removed entirely in a future RHEL major release. -

-

- Bugzilla:1528684[1] -

-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on Intel, AMD64, IBM POWER, and IBM Z systems hosts with RHEL 8. With this feature, a - RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its - own VMs. -

-
-

- Jira:RHELPLAN-14047[1], Jira:RHELPLAN-24437 -

-
-

Technology Preview: Select Intel network adapters now provide SR-IOV in - RHEL guests on Hyper-V

-

- As a Technology Preview, Red Hat Enterprise Linux guest operating systems running on a Hyper-V - hypervisor can now use the single-root I/O virtualization (SR-IOV) feature for Intel network - adapters that are supported by the ixgbevf and iavf drivers. This feature is enabled when the following conditions - are met: -

-
-
-
    -
  • - SR-IOV support is enabled for the network interface controller (NIC) -
  • -
  • - SR-IOV support is enabled for the virtual NIC -
  • -
  • - SR-IOV support is enabled for the virtual switch -
  • -
  • - The virtual function (VF) from the NIC is attached to the virtual machine -
  • -
-
-

- The feature is currently provided with Microsoft Windows Server 2016 and later. -

-

- Bugzilla:1348508[1] -

-
-

Intel TDX in RHEL guests

-

- As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL - 8.8 and later guest operating systems. If the host system supports TDX, you can deploy - hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that - TDX currently does not work with kdump, and enabling TDX will cause - kdump to fail on the VM. -

-
-

- Bugzilla:1836977[1] -

-
-

Sharing files between hosts and VMs using virtiofs

-

- As a Technology Preview, RHEL 8 now provides the virtio file system (virtiofs). Using virtiofs, you can - efficiently share files between your host system and its virtual machines (VM). -

-
-

- Bugzilla:1741615[1] -

-
-
-
-
-
-

9.10. RHEL in cloud environments

-
-
-
-
-

RHEL confidential VMs are now available on Azure as a Technology - Preview

-

- With the updated RHEL kernel, you can now create and run confidential virtual machines (VMs) on - Microsoft Azure as a Technology Preview. However, it is not yet possible to encrypt RHEL - confidential VM images during boot on Azure. -

-
-

- Jira:RHELPLAN-122316[1] -

-
-
-
-
-
-

9.11. Containers

-
-
-
-
-

SQLite database backend for Podman is available as a Technology - Preview

-

- Beginning with Podman v4.6, the SQLite database backend for Podman is available as a Technology - Preview. To set the database backend to SQLite, add the database_backend = "sqlite" option in the /etc/containers/containers.conf configuration file. Run the podman system reset command to reset storage back to the initial - state before you switch to the SQLite database backend. Note that you have to recreate all - containers and pods. The SQLite database guarantees good stability and consistency. Other - databases in the containers stack will be moved to SQLite as well. The BoltDB remains the - default database backend. -

-
-

- Jira:RHELPLAN-154428[1] -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- Jira:RHELDOCS-16861[1] -

-
-
-
-
-
-
-

Chapter 10. Deprecated functionality

-
-
-
-

- This part provides an overview of functionality that has been deprecated in Red Hat Enterprise Linux 8. -

-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 8. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 7 but has been removed in RHEL 8, see Considerations - in adopting RHEL 8. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

10.1. Installer and image creation

-
-
-
-
-

Several Kickstart commands and options have been deprecated

-

- Using the following commands and options in RHEL 8 Kickstart files will print a warning in the - logs: -

-
-
-
    -
  • - auth or authconfig -
  • -
  • - device -
  • -
  • - deviceprobe -
  • -
  • - dmraid -
  • -
  • - install -
  • -
  • - lilo -
  • -
  • - lilocheck -
  • -
  • - mouse -
  • -
  • - multipath -
  • -
  • - bootloader --upgrade -
  • -
  • - ignoredisk --interactive -
  • -
  • - partition --active -
  • -
  • - reboot --kexec -
  • -
-
-

- Where only specific options are listed, the base command and its other options are still available - and not deprecated. -

-

- For more details and related changes in Kickstart, see the Kickstart - changes section of the Considerations in adopting RHEL - 8 document. -

-

- Bugzilla:1642765[1] -

-
-

The --interactive option of the ignoredisk Kickstart command has been deprecated

-

- Using the --interactive option in future releases of Red Hat - Enterprise Linux will result in a fatal installation error. It is recommended that you modify - your Kickstart file to remove the option. -

-
-

- Bugzilla:1637872[1] -

-
-

The Kickstart autostep command has been - deprecated

-

- The autostep command has been deprecated. The related section about - this command has been removed from the RHEL - 8 documentation. -

-
-

- Bugzilla:1904251[1] -

-
-
-
-
-
-

10.2. Security

-
-
-
-
-

NSS SEED ciphers are deprecated

-

- The Mozilla Network Security Services (NSS) library will not - support TLS cipher suites that use a SEED cipher in a future release. To ensure smooth - transition of deployments that rely on SEED ciphers when NSS removes support, Red Hat recommends - enabling support for other cipher suites. -

-
-

- Note that SEED ciphers are already disabled by default in RHEL. -

-

- Bugzilla:1817533 -

-
-

TLS 1.0 and TLS 1.1 are deprecated

-

- The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT - system-wide cryptographic policy level. If your scenario, for example, a video conferencing - application in the Firefox web browser, requires using the deprecated protocols, switch the - system-wide cryptographic policy to the LEGACY level: -

-
-
# update-crypto-policies --set LEGACY
-

- For more information, see the Strong crypto defaults in RHEL 8 and - deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal - and the update-crypto-policies(8) man page. -

-

- Bugzilla:1660839 -

-
-

DSA is deprecated in RHEL 8

-

- The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. - Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note - that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level. -

-
-

- Bugzilla:1646541[1] -

-
-

fapolicyd.rules is deprecated

-

- The /etc/fapolicyd/rules.d/ directory for files containing allow - and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility. -

-
-

- Bugzilla:2054741 -

-
-

SSL2 Client Hello - has been deprecated in NSS

-

- The Transport Layer Security (TLS) protocol version 1.2 and earlier - allow to start a negotiation with a Client Hello message formatted - in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network - Security Services (NSS) library has been deprecated and it is - disabled by default. -

-
-

- Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature - may be removed completely in future releases of Red Hat Enterprise Linux 8. -

-

- Bugzilla:1645153[1] -

-
-

NTLM and Krb4 are deprecated in Cyrus SASL

-

- The NTLM and Kerberos 4 authentication protocols have been deprecated and might be removed in a - future major version of RHEL. These protocols are no longer considered secure and have already - been removed from upstream implementations. -

-
-

- Jira:RHELDOCS-17380[1] -

-
-

Runtime disabling SELinux using /etc/selinux/config is now deprecated

-

- Runtime disabling SELinux using the SELINUX=disabled option in the - /etc/selinux/config file has been deprecated. In RHEL 9, when you - disable SELinux only through /etc/selinux/config, the system starts - with SELinux enabled but with no policy loaded. -

-
-

- If your scenario really requires to completely disable SELinux, Red Hat recommends disabling SELinux - by adding the selinux=0 parameter to the kernel command line as - described in the Changing - SELinux modes at boot time section of the Using - SELinux title. -

-

- Bugzilla:1932222 -

-
-

The ipa SELinux module removed from selinux-policy

-

- The ipa SELinux module has been removed from the selinux-policy package because it is no longer maintained. The - functionality is now included in the ipa-selinux subpackage. -

-
-

- If your scenario requires the use of types or interfaces from the ipa - module in a local SELinux policy, install the ipa-selinux package. -

-

- Bugzilla:1461914[1] -

-
-

TPM 1.2 is deprecated

-

- The Trusted Platform Module (TPM) secure cryptoprocessor standard was updated to version 2.0 in - 2016. TPM 2.0 provides many improvements over TPM 1.2, and it is not backward compatible with - the previous version. TPM 1.2 is deprecated in RHEL 8, and it might be removed in the next major - release. -

-
-

- Bugzilla:1657927[1] -

-
-

crypto-policies derived properties are now - deprecated

-

- With the introduction of scopes for crypto-policies directives in - custom policies, the following derived properties have been deprecated: tls_cipher, ssh_cipher, ssh_group, ike_protocol, and sha1_in_dnssec. Additionally, the use of the protocol property without specifying a scope is now deprecated as - well. See the crypto-policies(7) man page for recommended - replacements. -

-
-

- Bugzilla:2011208 -

-
-
-
-
-
-

10.3. Subscription management

-
-
-
-
-

The --token option of the subscription-manager command is deprecated

-

- The --token=<TOKEN> option of the subscription-manager register command is an authentication method - that helps register your system to Red Hat. This option depends on capabilities offered by the - entitlement server. The default entitlement server, subscription.rhsm.redhat.com, is planning to turn off this - capability. As a consequence, attempting to use subscription-manager register --token=<TOKEN> might fail with - the following error message: -

-
-
Token authentication not supported by the entitlement server
-

- You can continue registering your system using other authorization methods, such as including paired - options --username / --password and --org / --activationkey of the subscription-manager register command. -

-

- Bugzilla:2170082 -

-
-
-
-
-
-

10.4. Software management

-
-
-
-
-

rpmbuild --sign is deprecated

-

- The rpmbuild --sign command is deprecated since RHEL 8.1. Using - this command in future releases of Red Hat Enterprise Linux can result in an error. It is - recommended that you use the rpmsign command instead. -

-
-

- Bugzilla:1688849 -

-
-
-
-
-
-

10.5. Shells and command-line tools

-
-
-
-
-

The OpenEXR component has been - deprecated

-

- The OpenEXR component has been deprecated. Hence, the support for - the EXR image format has been dropped from the imagecodecs module. -

-
-

- Bugzilla:1886310 -

-
-

The dump utility from the dump package has been deprecated

-

- The dump utility used for backup of file systems has been - deprecated and will not be available in RHEL 9. -

-
-

- In RHEL 9, Red Hat recommends using the tar, dd, or bacula, backup utility, based on type - of usage, which provides full and safe backups on ext2, ext3, and ext4 file systems. -

-

- Note that the restore utility from the dump package remains available and supported in RHEL 9 and is available - as the restore package. -

-

- Bugzilla:1997366[1] -

-
-

The hidepid=n mount option is not supported in - RHEL 8 systemd

-

- The mount option hidepid=n, which controls who can access - information in /proc/[pid] directories, is not compatible with - systemd infrastructure provided in RHEL 8. -

-
-

- In addition, using this option might cause certain services started by systemd to produce SELinux AVC denial messages and prevent other - operations from completing. -

-

- For more information, see the related Knowledgebase solution Is mounting /proc with "hidepid=2" - recommended with RHEL7 and RHEL8?. -

-

- Bugzilla:2038929 -

-
-

The /usr/lib/udev/rename_device utility has - been deprecated

-

- The udev helper utility /usr/lib/udev/rename_device for renaming network interfaces has been - deprecated. -

-
-

- Bugzilla:1875485 -

-
-

The ABRT tool has been deprecated

-

- The Automatic Bug Reporting Tool (ABRT) for detecting and reporting application crashes has been - deprecated in RHEL 8. As a replacement, use the systemd-coredump - tool to log and store core dumps, which are automatically generated files after a program - crashes. -

-
-

- Bugzilla:2055826[1] -

-
-

The ReaR crontab has been deprecated

-

- The /etc/cron.d/rear crontab from the rear package has been deprecated in RHEL 8 and will not be available - in RHEL 9. The crontab checks every night whether the disk layout has changed, and runs rear mkrescue command if a change happened. -

-
-

- If you require this functionality, after an upgrade to RHEL 9, configure periodic runs of ReaR - manually. -

-

- Bugzilla:2083301 -

-
-

The SQLite database backend in Bacula has been deprecated

-

- The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. - The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. - As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the - SQLite backend in new deployments. -

-
-

- Jira:RHEL-6859 -

-
-

The raw command has been deprecated -

-

- The raw (/usr/bin/raw) command has - been deprecated. Using this command in future releases of Red Hat Enterprise Linux can result in - an error. -

-
-

- Jira:RHELPLAN-133171[1] -

-
-
-
-
-
-

10.6. Networking

-
-
-
-
-

The PF_KEYv2 kernel API is deprecated -

-

- Applications can configure the kernel’s IPsec implementation by using the PV_KEYv2 and the newer netlink API. - PV_KEYv2 is not actively maintained upstream and misses important - security features, such as modern ciphers, offload, and extended sequence number support. As a - result, starting with RHEL 8.9, the PV_KEYv2 API is deprecated. If - you use this kernel API in your application, migrate it to use the modern netlink API as an alternative. -

-
-

- Jira:RHEL-1257[1] -

-
-

Network scripts are deprecated in RHEL 8

-

- Network scripts are deprecated in Red Hat Enterprise Linux 8 and they are no longer provided by - default. The basic installation provides a new version of the ifup - and ifdown scripts which call the NetworkManager service through - the nmcli tool. In Red Hat Enterprise Linux - 8, to run the ifup and the ifdown - scripts, NetworkManager must be running. -

-
-

- Note that custom commands in /sbin/ifup-local, ifdown-pre-local and ifdown-local scripts - are not executed. -

-

- If any of these scripts are required, the installation of the deprecated network scripts in the - system is still possible with the following command: -

-
# yum install network-scripts
-

- The ifup and ifdown scripts link to the - installed legacy network scripts. -

-

- Calling the legacy network scripts shows a warning about their deprecation. -

-

- Bugzilla:1647725[1] -

-
-

The dropwatch tool is deprecated

-

- The dropwatch tool has been deprecated. The tool will not be - supported in future releases, thus it is not recommended for new deployments. As a replacement - of this package, Red Hat recommends to use the perf - command line tool. -

-
-

- For more information on using the perf command line tool, - see the Getting - started with Perf section on the Red Hat customer portal or the perf man page. -

-

- Bugzilla:1929173 -

-
-

The xinetd service has been - deprecated

-

- The xinetd service has been deprecated and will be removed in RHEL - 9. As a replacement, use systemd. For further details, see How to convert xinetd - service to systemd. -

-
-

- Bugzilla:2009113[1] -

-
-

The cgdcbxd package is deprecated

-

- Control group data center bridging exchange daemon (cgdcbxd) is a - service to monitor data center bridging (DCB) netlink events and manage the net_prio control group subsystem. Starting with RHEL 8.5, the cgdcbxd package is deprecated and will be removed in the next major - RHEL release. -

-
-

- Bugzilla:2006665 -

-
-

The WEP Wi-Fi connection method is deprecated

-

- The insecure wired equivalent privacy (WEP) Wi-Fi connection method is deprecated in RHEL 8 and - will be removed in RHEL 9.0. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 - (WPA3) or WPA2 connection methods. -

-
-

- Bugzilla:2029338 -

-
-

The unsupported xt_u32 module is now - deprecated

-

- Using the unsupported xt_u32 module, users of iptables can match arbitrary 32 bits in the packet header or payload. - Since RHEL 8.6, the xt_u32 module is deprecated and will be removed - in RHEL 9. -

-
-

- If you use xt_u32, migrate to the nftables - packet filtering framework. For example, first change your firewall to use iptables with native matches to incrementally replace individual rules, - and later use the iptables-translate and accompanying utilities to - migrate to nftables. If no native match exists in nftables, use the raw payload matching feature of nftables. For details, see the raw payload expression section in the nft(8) - man page. -

-

- Bugzilla:2061288 -

-
-

The term slaves is deprecated in the nmstate API

-

- Red Hat is committed to using conscious language. Therefore the slaves term is deprecated in the Nmstate API. Use the term port when you use nmstatectl. -

-
-

- Jira:RHELDOCS-17641 -

-
-
-
-
-
-

10.7. Kernel

-
-
-
-
-

The rdma_rxe Soft-RoCE driver is - deprecated

-

- Software Remote Direct Memory Access over Converged Ethernet (Soft-RoCE), also known as RXE, is - a feature that emulates Remote Direct Memory Access (RDMA). In RHEL 8, the Soft-RoCE feature is - available as an unsupported Technology Preview. However, due to stability issues, this feature - has been deprecated and will be removed in RHEL 9. -

-
-

- Bugzilla:1878207[1] -

-
-

The Linux firewire sub-system and its - associated user-space components are deprecated in RHEL 8

-

- The firewire sub-system provides interfaces to use and maintain any - resources on the IEEE 1394 bus. In RHEL 9, firewire will no longer - be supported in the kernel package. Note that firewire contains several user-space components provided by the libavc1394, libdc1394, libraw1394 packages. These packages are subject to the deprecation as - well. -

-
-

- Bugzilla:1871863[1] -

-
-

Installing RHEL for Real Time 8 using diskless boot is now - deprecated

-

- Diskless booting allows multiple systems to share a root file system through the network. While - convenient, diskless boot is prone to introducing network latency in real-time workloads. With a - future minor update of RHEL for Real Time 8, the diskless booting feature will no longer be - supported. -

-
-

- Bugzilla:1748980 -

-
-

Kernel live patching now covers all RHEL minor releases

-

- Since RHEL 8.1, kernel live patches have been provided for selected minor release streams of - RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important - Common Vulnerabilities and Exposures (CVEs). To accommodate the maximum number of concurrently - covered kernels and use cases, the support window for each live patch has been decreased from 12 - to 6 months for every minor, major, and zStream version of the kernel. It means that on the day - a kernel live patch is released, it will cover every minor release and scheduled errata kernel - delivered in the past 6 months. -

-
-

- For more information about this feature, see Applying - patches with kernel live patching. -

-

- For details about available kernel live patches, see Kernel Live Patch life cycles. -

-

- Bugzilla:1958250 -

-
-

The crash-ptdump-command package is - deprecated

-

- The crash-ptdump-command package, which is a ptdump extension module for the crash utility, is deprecated and - might not be available in future RHEL releases. The ptdump command - fails to retrieve the log buffer when working in the Single Range Output mode and only works in - the Table of Physical Addresses (ToPA) mode. crash-ptdump-command - is currently not maintained upstream -

-
-

- Bugzilla:1838927[1] -

-
-
-
-
-
-

10.8. Boot loader

-
-
-
-
-

The kernelopts environment variable has been - deprecated

-

- In RHEL 8, the kernel command-line parameters for systems using the GRUB bootloader were defined - in the kernelopts environment variable. The variable was stored in - the /boot/grub2/grubenv file for each kernel boot entry. However, - storing the kernel command-line parameters using kernelopts was not - robust. Therefore, with a future major update of RHEL, kernelopts - will be removed and the kernel command-line parameters will be stored in the Boot Loader - Specification (BLS) snippet instead. -

-
-

- Bugzilla:2060759 -

-
-
-
-
-
-

10.9. File systems and storage

-
-
-
-
-

The elevator kernel command line parameter is - deprecated

-

- The elevator kernel command line parameter was used in earlier RHEL - releases to set the disk scheduler for all devices. In RHEL 8, the parameter is deprecated. -

-
-

- The upstream Linux kernel has removed support for the elevator - parameter, but it is still available in RHEL 8 for compatibility reasons. -

-

- Note that the kernel selects a default disk scheduler based on the type of device. This is typically - the optimal setting. If you require a different scheduler, Red Hat recommends that you use udev rules or the TuneD service to configure it. Match the selected - devices and switch the scheduler only for those devices. -

-

- For more information, see Setting - the disk scheduler. -

-

- Bugzilla:1665295[1] -

-
-

NFSv3 over UDP has been disabled

-

- The NFS server no longer opens or listens on a User Datagram Protocol (UDP) socket by default. - This change affects only NFS version 3 because version 4 requires the Transmission Control - Protocol (TCP). -

-
-

- NFS over UDP is no longer supported in RHEL 8. -

-

- Bugzilla:1592011[1] -

-
-

peripety is deprecated

-

- The peripety package is deprecated since RHEL 8.3. -

-
-

- The Peripety storage event notification daemon parses system storage logs into structured storage - events. It helps you investigate storage issues. -

-

- Bugzilla:1871953 -

-
-

VDO write modes other than async are - deprecated

-

- VDO supports several write modes in RHEL 8: -

-
-
-
    -
  • - sync -
  • -
  • - async -
  • -
  • - async-unsafe -
  • -
  • - auto -
  • -
-
-

- Starting with RHEL 8.4, the following write modes are deprecated: -

-
-
-
sync
-
- Devices above the VDO layer cannot recognize if VDO is synchronous, and consequently, the - devices cannot take advantage of the VDO sync mode. -
-
async-unsafe
-
- VDO added this write mode as a workaround for the reduced performance of async mode, which complies to Atomicity, Consistency, Isolation, - and Durability (ACID). Red Hat does not recommend async-unsafe - for most use cases and is not aware of any users who rely on it. -
-
auto
-
- This write mode only selects one of the other write modes. It is no longer necessary when - VDO supports only a single write mode. -
-
-
-

- These write modes will be removed in a future major RHEL release. -

-

- The recommended VDO write mode is now async. -

-

- For more information on VDO write modes, see Selecting - a VDO write mode. -

-

- Jira:RHELPLAN-70700[1] -

-
-

VDO manager has been deprecated

-

- The python-based VDO management software has been deprecated and will be removed from RHEL 9. In - RHEL 9, it will be replaced by the LVM-VDO integration. Therefore, it is recommended to create - VDO volumes using the lvcreate command. -

-
-

- The existing volumes created using the VDO management software can be converted using the /usr/sbin/lvm_import_vdo script, provided by the lvm2 package. For more information on the LVM-VDO implementation, see Deduplicating - and compressing logical volumes on RHEL. -

-

- Bugzilla:1949163 -

-
-

cramfs has been deprecated

-

- Due to lack of users, the cramfs kernel module is deprecated. squashfs is recommended as an alternative solution. -

-
-

- Bugzilla:1794513[1] -

-
-
-
-
-
-

10.10. High availability and clusters

-
-
-
-
-

pcs commands that support the clufter tool have been deprecated

-

- The pcs commands that support the clufter tool for analyzing cluster configuration formats have been - deprecated. These commands now print a warning that the command has been deprecated and sections - related to these commands have been removed from the pcs help - display and the pcs(8) man page. -

-
-

- The following commands have been deprecated: -

-
-
    -
  • - pcs config import-cman for importing CMAN / RHEL6 HA cluster - configuration -
  • -
  • - pcs config export for exporting cluster configuration to a list - of pcs commands which recreate the same cluster -
  • -
-
-

- Bugzilla:1851335[1] -

-
-
-
-
-
-

10.11. Dynamic programming languages, web and database servers

-
-
-
-
-

The mod_php module provided with PHP for use - with the Apache HTTP Server has been deprecated

-

- The mod_php module provided with PHP for use with the Apache HTTP - Server in RHEL 8 is available but not enabled in the default configuration. The module is no - longer available in RHEL 9. -

-
-

- Since RHEL 8, PHP scripts are run using the FastCGI Process Manager (php-fpm) by default. For more information, see Using - PHP with the Apache HTTP Server. -

-

- Bugzilla:2225332 -

-
-
-
-
-
-

10.12. Compilers and development tools

-
-
-
-
-

The gdb.i686 packages are deprecated -

-

- In RHEL 8.1, the 32-bit versions of the GNU Debugger (GDB), gdb.i686, were shipped due to a dependency problem in another - package. Because RHEL 8 does not support 32-bit hardware, the gdb.i686 packages are deprecated since RHEL 8.4. The 64-bit versions - of GDB, gdb.x86_64, are fully capable of debugging 32-bit - applications. -

-
-

- If you use gdb.i686, note the following important issues: -

-
-
    -
  • - The gdb.i686 packages will no longer be updated. Users must - install gdb.x86_64 instead. -
  • -
  • - If you have gdb.i686 installed, installing gdb.x86_64 will cause yum to report - package gdb-8.2-14.el8.x86_64 obsoletes gdb < 8.2-14.el8 provided by gdb-8.2-12.el8.i686. - This is expected. Either uninstall gdb.i686 or pass dnf the --allowerasing option to - remove gdb.i686 and install gdb.x8_64. -
  • -
  • - Users will no longer be able to install the gdb.i686 packages - on 64-bit systems, that is, those with the libc.so.6()(64-bit) - packages. -
  • -
-
-

- Bugzilla:1853140[1] -

-
-

libdwarf has been deprecated

-

- The libdwarf library has been deprecated in RHEL 8. The library - will likely not be supported in future major releases. Instead, use the elfutils and libdw libraries for - applications that wish to process ELF/DWARF files. -

-
-

- Alternatives for the libdwarf-tools dwarfdump program are the binutils readelf program or the elfutils eu-readelf program, both used by passing the --debug-dump flag. -

-

- Bugzilla:1920624 -

-
-
-
-
-
-

10.13. Identity Management

-
-
-
-
-

openssh-ldap has been deprecated

-

- The openssh-ldap subpackage has been deprecated in Red Hat - Enterprise Linux 8 and will be removed in RHEL 9. As the openssh-ldap subpackage is not maintained upstream, Red Hat - recommends using SSSD and the sss_ssh_authorizedkeys helper, which - integrate better with other IdM solutions and are more secure. -

-
-

- By default, the SSSD ldap and ipa - providers read the sshPublicKey LDAP attribute of the user object, if - available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from - Active Directory (AD), since AD does not have a default LDAP attribute to store a public key. -

-

- To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, - enable the ssh responder by adding ssh to - the services option in the sssd.conf file. - See the sssd.conf(5) man page for details. -

-

- To allow sshd to use sss_ssh_authorizedkeys, add the AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys and AuthorizedKeysCommandUser nobody options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page. -

-

- Bugzilla:1871025 -

-
-

DES and 3DES encryption types have been removed

-

- Due to security reasons, the Data Encryption Standard (DES) algorithm has been deprecated and - disabled by default since RHEL 7. With the recent rebase of Kerberos packages, single-DES (DES) - and triple-DES (3DES) encryption types have been removed from RHEL 8. -

-
-

- If you have configured services or users to only use DES or 3DES encryption, you might experience - service interruptions such as: -

-
-
    -
  • - Kerberos authentication errors -
  • -
  • - unknown enctype encryption errors -
  • -
  • - Kerberos Distribution Centers (KDCs) with DES-encrypted Database Master Keys (K/M) fail to start -
  • -
-
-

- Perform the following actions to prepare for the upgrade: -

-
-
    -
  1. - Check if your KDC uses DES or 3DES encryption with the krb5check open source Python scripts. See krb5check on GitHub. -
  2. -
  3. - If you are using DES or 3DES encryption with any Kerberos principals, re-key them with a - supported encryption type, such as Advanced Encryption Standard (AES). For instructions on - re-keying, see Retiring - DES from MIT Kerberos Documentation. -
  4. -
  5. -

    - Test independence from DES and 3DES by temporarily setting the following Kerberos - options before upgrading: -

    -
    -
      -
    1. - In /var/kerberos/krb5kdc/kdc.conf on the KDC, set - supported_enctypes and do not include des or des3. -
    2. -
    3. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set allow_weak_crypto to false. It is false by default. -
    4. -
    5. - For every host, in /etc/krb5.conf and any files in - /etc/krb5.conf.d, set permitted_enctypes, default_tgs_enctypes, and default_tkt_enctypes, and do not include des or des3. -
    6. -
    -
    -
  6. -
  7. - If you do not experience any service interruptions with the test Kerberos settings from the - previous step, remove them and upgrade. You do not need those settings after upgrading to - the latest Kerberos packages. -
  8. -
-
-

- Bugzilla:1877991 -

-
-

The SSSD version of libwbclient has been - removed

-

- The SSSD implementation of the libwbclient package was deprecated - in RHEL 8.4. As it cannot be used with recent versions of Samba, the SSSD implementation of - libwbclient has now been removed. -

-
-

- Bugzilla:1947671 -

-
-

Standalone use of the ctdb service has been - deprecated

-

- Since RHEL 8.4, customers are advised to use the ctdb clustered - Samba service only when both of the following conditions apply: -

-
-
-
    -
  • - The ctdb service is managed as a pacemaker resource with the resource-agent ctdb. -
  • -
  • - The ctdb service uses storage volumes that contain either a - GlusterFS file system provided by the Red Hat Gluster Storage product or a GFS2 file system. -
  • -
-
-

- The stand-alone use case of the ctdb service has been deprecated and - will not be included in a next major release of Red Hat Enterprise Linux. For further information on - support policies for Samba, see the Knowledgebase article Support Policies for RHEL Resilient Storage - - ctdb General Policies. -

-

- Bugzilla:1916296[1] -

-
-

Indirect AD integration with IdM via WinSync has been deprecated -

-

- WinSync is no longer actively developed in RHEL 8 due to several functional limitations: -

-
-
-
    -
  • - WinSync supports only one Active Directory (AD) domain. -
  • -
  • - Password synchronization requires installing additional software on AD Domain Controllers. -
  • -
-
-

- For a more robust solution with better resource and security separation, Red Hat recommends using a - cross-forest trust for indirect integration with - Active Directory. See the Indirect - integration documentation. -

-

- Jira:RHELPLAN-100400[1] -

-
-

Running Samba as a PDC or BDC is deprecated

-

- The classic domain controller mode that enabled administrators to run Samba as an NT4-like - primary domain controller (PDC) and backup domain controller (BDC) is deprecated. The code and - settings to configure these modes will be removed in a future Samba release. -

-
-

- As long as the Samba version in RHEL 8 provides the PDC and BDC modes, Red Hat supports these modes - only in existing installations with Windows versions which support NT4 domains. Red Hat recommends - not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and - Windows Server 2008 R2 do not support NT4 domains. -

-

- If you use the PDC to authenticate only Linux users, Red Hat suggests migrating to Red Hat Identity Management - (IdM) that is included in RHEL subscriptions. However, you cannot join Windows systems to an - IdM domain. Note that Red Hat continues supporting the PDC functionality IdM uses in the background. -

-

- Red Hat does not support running Samba as an AD domain controller (DC). -

-

- Bugzilla:1926114 -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- Jira:RHELDOCS-16612[1] -

-
-

Limited support for FreeRADIUS

-

- In RHEL 8, the following external authentication modules are deprecated as part of the - FreeRADIUS offering: -

-
-
-
    -
  • - The MySQL, PostgreSQL, SQlite, and unixODBC database connectors -
  • -
  • - The Perl language module -
  • -
  • - The REST API module -
  • -
-
-
-
Note
-
-

- The PAM authentication module and other authentication modules that are provided as part of - the base package are not affected. -

-
-
-

- You can find replacements for the deprecated modules in community-supported packages, for example in - the Fedora project. -

-

- In addition, the scope of support for the freeradius package will be - limited to the following use cases in future RHEL releases: -

-
-
    -
  • - Using FreeRADIUS as an authentication provider with Identity Management (IdM) as the backend - source of authentication. The authentication occurs through the krb5 and LDAP authentication packages or as PAM authentication in - the main FreeRADIUS package. -
  • -
  • - Using FreeRADIUS to provide a source-of-truth for authentication in IdM, through the Python - 3 authentication package. -
  • -
-
-

- In contrast to these deprecations, Red Hat will strengthen the support of the following external - authentication modules with FreeRADIUS: -

-
-
    -
  • - Authentication based on krb5 and LDAP -
  • -
  • - Python 3 authentication -
  • -
-
-

- The focus on these integration options is in close alignment with the strategic direction of Red Hat - IdM. -

-

- Jira:RHELDOCS-17573[1] -

-
-
-
-
-
-

10.14. Desktop

-
-
-
-
-

The libgnome-keyring library has been - deprecated

-

- The libgnome-keyring library has been deprecated in favor of the - libsecret library, as libgnome-keyring - is not maintained upstream, and does not follow the necessary cryptographic policies for RHEL. - The new libsecret library is the replacement that follows the - necessary security standards. -

-
-

- Bugzilla:1607766[1] -

-
-

LibreOffice is deprecated

-

- The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL - release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, - and 9. -

-
-

- As a replacement for the RPM packages, Red Hat recommends that you install LibreOffice from either - of the following sources provided by The Document Foundation: -

-
- -
-

- Jira:RHELDOCS-16300[1] -

-
-
-
-
-
-

10.15. Graphics infrastructures

-
-
-
-
-

AGP graphics cards are no longer supported

-

- Graphics cards using the Accelerated Graphics Port (AGP) bus are not supported in Red Hat - Enterprise Linux 8. Use the graphics cards with PCI-Express bus as the recommended replacement. -

-
-

- Bugzilla:1569610[1] -

-
-

Motif has been deprecated

-

- The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif - community is inactive. -

-
-

- The following Motif packages have been deprecated, including their development and debugging - variants: -

-
-
    -
  • - motif -
  • -
  • - openmotif -
  • -
  • - openmotif21 -
  • -
  • - openmotif22 -
  • -
-
-

- Additionally, the motif-static package has been removed. -

-

- Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new - features compared to Motif. -

-

- Jira:RHELPLAN-98983[1] -

-
-
-
-
-
-

10.16. The web console

-
-
-
-
-

The web console no longer supports incomplete translations

-

- The RHEL web console no longer provides translations for languages that have translations - available for less than 50 % of the Console’s translatable strings. If the browser requests - translation to such a language, the user interface will be in English instead. -

-
-

- Bugzilla:1666722 -

-
-

The remotectl command is deprecated -

-

- The remotectl command has been deprecated and will not be available - in future releases of RHEL. You can use the cockpit-certificate-ensure command as a replacement. However, note - that cockpit-certificate-ensure does not have feature parity with - remotectl. It does not support bundled certificates and keychain - files and requires them to be split out. -

-
-

- Jira:RHELPLAN-147538[1] -

-
-
-
-
-
-

10.17. Red Hat Enterprise Linux system roles

-
-
-
-
-

The geoipupdate package has been - deprecated

-

- The geoipupdate package requires a third-party subscription and it - also downloads proprietary content. Therefore, the geoipupdate - package has been deprecated, and will be removed in the next major RHEL version. -

-
-

- Bugzilla:1874892[1] -

-
-

The network system role displays a deprecation - warning when configuring teams on RHEL 9 nodes

-

- The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL system role on an RHEL 8 control node to configure a - network team on RHEL 9 nodes, shows a warning about the deprecation. -

-
-

- Bugzilla:2021685 -

-
-

Ansible Engine has been deprecated

-

- Previous versions of RHEL 8 provided access to an Ansible Engine repository, with a limited - scope of support, to enable supported RHEL Automation use cases, such as RHEL system roles and - Insights remedations. Ansible Engine has been deprecated, and Ansible Engine 2.9 will have no - support after September 29, 2023. For more details on the supported use cases, see Scope of support for the - Ansible Core package included in the RHEL 9 AppStream. -

-
-

- Users must manually migrate their systems from Ansible Engine to Ansible Core. For that, follow the - steps: -

-
-

Procedure

-
    -
  1. -

    - Check if the system is running RHEL 8.7 or a later release: -

    -
    # cat /etc/redhat-release
    -
  2. -
  3. -

    - Uninstall Ansible Engine 2.9: -

    -
    # yum remove ansible
    -
  4. -
  5. -

    - Disable the ansible-2-for-rhel-8-x86_64-rpms repository: -

    -
    # subscription-manager repos --disable
    -ansible-2-for-rhel-8-x86_64-rpms
    -
  6. -
  7. -

    - Install the Ansible Core package from the RHEL 8 AppStream repository: -

    -
    # yum install ansible-core
    -
  8. -
-
-

- For more details, see: Using - Ansible in RHEL 8.6 and later. -

-

- Bugzilla:2006081 -

-
-
-
-
-
-

10.18. Virtualization

-
-
-
-
-

virsh iface-* commands have become - deprecated

-

- The virsh iface-* commands, such as virsh iface-start and virsh iface-destroy, are now deprecated, and will be removed in a - future major version of RHEL. In addition, these commands frequently fail due to configuration - dependencies. -

-
-

- Therefore, it is recommended not to use virsh iface-* commands for - configuring and managing host network connections. Instead, use the NetworkManager program and its - related management applications, such as nmcli. -

-

- Bugzilla:1664592[1] -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager might not be yet - available in the RHEL web console. -

-
-

- Jira:RHELPLAN-10304[1] -

-
-

Limited support for virtual machine snapshots

-

- Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the - UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, - which negatively impacts the hypervisor performance for certain workloads. -

-
-

- Also note that the current mechanism of creating VM snapshots has been deprecated, and Red Hat does - not recommend using VM snapshots in a production environment. -

-

- Bugzilla:1686057 -

-
-

The Cirrus VGA virtual - GPU type has been deprecated

-

- With a future major update of Red Hat Enterprise Linux, the Cirrus VGA GPU device will no longer be - supported in KVM virtual machines. Therefore, Red Hat recommends using the stdvga or virtio-vga devices instead of Cirrus VGA. -

-
-

- Bugzilla:1651994[1] -

-
-

SPICE has been deprecated

-

- The SPICE remote display protocol has become deprecated. As a result, SPICE will remain - supported in RHEL 8, but Red Hat recommends using alternate solutions for remote display - streaming: -

-
-
-
    -
  • - For remote console access, use the VNC protocol. -
  • -
  • - For advanced remote display functions, use third party tools such as RDP, HP RGS, or - Mechdyne TGX. -
  • -
-
-

- Note that the QXL graphics device, which is used - by SPICE, has become deprecated as well. -

-

- Bugzilla:1849563[1] -

-
-

KVM on IBM POWER has been deprecated

-

- Using KVM virtualization on IBM POWER hardware has become deprecated. As a result, KVM on IBM - POWER is still supported in RHEL 8, but will become unsupported in a future major release of - RHEL. -

-
-

- Jira:RHELPLAN-71200[1] -

-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. Instead, Red Hat recommends using signatures based on the - SHA2 algorithm, or later. -

-
-

- Bugzilla:1935497[1] -

-
-

Using SPICE to attach smart card readers to virtual machines has been - deprecated

-

- The SPICE remote display protocol has been deprecated in RHEL 8. Since the only recommended way - to attach smart card readers to virtual machines (VMs) depends on the SPICE protocol, the usage - of smart cards in VMs has also become deprecated in RHEL 8. -

-
-

- In a future major version of RHEL, the functionality of attaching smart card readers to VMs will - only be supported by third party remote visualization solutions. -

-

- Bugzilla:2059626 -

-
-

RDMA-based live migration is deprecated

-

- With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) - has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this - feature will become unsupported in a future major release of RHEL. -

-
-

- Jira:RHELPLAN-153267[1] -

-
-
-
-
-
-

10.19. Containers

-
-
-
-
-

The Podman varlink-based API v1.0 has been removed

-

- The Podman varlink-based API v1.0 was deprecated in a previous release of RHEL 8. Podman v2.0 - introduced a new Podman v2.0 RESTful API. With the release of Podman v3.0, the varlink-based API - v1.0 has been completely removed. -

-
-

- Jira:RHELPLAN-45858[1] -

-
-

container-tools:1.0 has been - deprecated

-

- The container-tools:1.0 module has been deprecated and will no - longer receive security updates. It is recommended to use a newer supported stable module - stream, such as container-tools:2.0 or container-tools:3.0. -

-
-

- Jira:RHELPLAN-59825[1] -

-
-

The container-tools:2.0 module has been - deprecated

-

- The container-tools:2.0 module has been deprecated and will no longer receive security updates. - It is recommended to use a newer supported stable module stream, such as container-tools:3.0. -

-
-

- Jira:RHELPLAN-85066[1] -

-
-

Flatpak images except GIMP has been deprecated

-

- The rhel8/firefox-flatpak, rhel8/thunderbird-flatpak, rhel8/inkscape-flatpak, and rhel8/libreoffice-flatpak RHEL 8 Flatpak Applications have been - deprecated and replaced by the RHEL 9 versions. The rhel8/gimp-flatpak Flatpak Application is not deprecated because - there is no replacement yet in RHEL 9. -

-
-

- Bugzilla:2142499 -

-
-

The CNI network stack has been deprecated

-

- The Container Network Interface (CNI) network stack is deprecated and will be removed from - Podman in a future minor release of RHEL. Previously, containers connected to the single - Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark - network stack. You can use the Netavark network stack with Podman and other Open Container - Initiative (OCI) container management applications. The Netavark network stack for Podman is - also compatible with advanced Docker functionalities. Containers in multiple networks can access - containers on any of those networks. -

-
-

- For more information, see Switching - the network stack from CNI to Netavark. -

-

- Jira:RHELDOCS-16755[1] -

-
-

container-tools:3.0 has been - deprecated

-

- The container-tools:3.0 module has been deprecated and will no - longer receive security updates. To continue to build and run Linux Containers on RHEL, use a - newer, stable, and supported module stream, such as container-tools:4.0. -

-
-

- For instructions on switching to a later stream, see Switching - to a later stream. -

-

- Jira:RHELPLAN-146398[1] -

-
-

The Inkscape and LibreOffice Flatpak images are deprecated

-

- The rhel9/inkscape-flatpak and rhel9/libreoffice-flatpak Flatpak images, which are available as - Technology Previews, have been deprecated. -

-
-

- Red Hat recommends the following alternatives to these images: -

-
- -
-

- Jira:RHELDOCS-17102[1] -

-
-
-
-
-
-

10.20. Deprecated packages

-
-
-
-

- This section lists packages that have been deprecated and will probably not be included in a future - major release of Red Hat Enterprise Linux. -

-

- For changes to packages between RHEL 7 and RHEL 8, see Changes - to packages in the Considerations in adopting RHEL 8 - document. -

-
-
Important
-
-

- The support status of deprecated packages remains unchanged within RHEL 8. For more - information about the length of support, see Red Hat Enterprise Linux - Life Cycle and Red - Hat Enterprise Linux Application Streams Life Cycle. -

-
-
-

- The following packages have been deprecated in RHEL 8: -

-
-
    -
  • - 389-ds-base-legacy-tools -
  • -
  • - abrt -
  • -
  • - abrt-addon-ccpp -
  • -
  • - abrt-addon-kerneloops -
  • -
  • - abrt-addon-pstoreoops -
  • -
  • - abrt-addon-vmcore -
  • -
  • - abrt-addon-xorg -
  • -
  • - abrt-cli -
  • -
  • - abrt-console-notification -
  • -
  • - abrt-dbus -
  • -
  • - abrt-desktop -
  • -
  • - abrt-gui -
  • -
  • - abrt-gui-libs -
  • -
  • - abrt-libs -
  • -
  • - abrt-tui -
  • -
  • - adobe-source-sans-pro-fonts -
  • -
  • - adwaita-qt -
  • -
  • - alsa-plugins-pulseaudio -
  • -
  • - amanda -
  • -
  • - amanda-client -
  • -
  • - amanda-libs -
  • -
  • - amanda-server -
  • -
  • - ant-contrib -
  • -
  • - antlr3 -
  • -
  • - antlr32 -
  • -
  • - aopalliance -
  • -
  • - apache-commons-collections -
  • -
  • - apache-commons-compress -
  • -
  • - apache-commons-exec -
  • -
  • - apache-commons-jxpath -
  • -
  • - apache-commons-parent -
  • -
  • - apache-ivy -
  • -
  • - apache-parent -
  • -
  • - apache-resource-bundles -
  • -
  • - apache-sshd -
  • -
  • - apiguardian -
  • -
  • - aspnetcore-runtime-3.0 -
  • -
  • - aspnetcore-runtime-3.1 -
  • -
  • - aspnetcore-runtime-5.0 -
  • -
  • - aspnetcore-targeting-pack-3.0 -
  • -
  • - aspnetcore-targeting-pack-3.1 -
  • -
  • - aspnetcore-targeting-pack-5.0 -
  • -
  • - assertj-core -
  • -
  • - authd -
  • -
  • - auto -
  • -
  • - autoconf213 -
  • -
  • - autogen -
  • -
  • - autogen-libopts -
  • -
  • - awscli -
  • -
  • - base64coder -
  • -
  • - batik -
  • -
  • - batik-css -
  • -
  • - batik-util -
  • -
  • - bea-stax -
  • -
  • - bea-stax-api -
  • -
  • - bind-export-devel -
  • -
  • - bind-export-libs -
  • -
  • - bind-libs-lite -
  • -
  • - bind-pkcs11 -
  • -
  • - bind-pkcs11-devel -
  • -
  • - bind-pkcs11-libs -
  • -
  • - bind-pkcs11-utils -
  • -
  • - bind-sdb -
  • -
  • - bind-sdb -
  • -
  • - bind-sdb-chroot -
  • -
  • - bluez-hid2hci -
  • -
  • - boost-jam -
  • -
  • - boost-signals -
  • -
  • - bouncycastle -
  • -
  • - bpg-algeti-fonts -
  • -
  • - bpg-chveulebrivi-fonts -
  • -
  • - bpg-classic-fonts -
  • -
  • - bpg-courier-fonts -
  • -
  • - bpg-courier-s-fonts -
  • -
  • - bpg-dedaena-block-fonts -
  • -
  • - bpg-dejavu-sans-fonts -
  • -
  • - bpg-elite-fonts -
  • -
  • - bpg-excelsior-caps-fonts -
  • -
  • - bpg-excelsior-condenced-fonts -
  • -
  • - bpg-excelsior-fonts -
  • -
  • - bpg-fonts-common -
  • -
  • - bpg-glaho-fonts -
  • -
  • - bpg-gorda-fonts -
  • -
  • - bpg-ingiri-fonts -
  • -
  • - bpg-irubaqidze-fonts -
  • -
  • - bpg-mikhail-stephan-fonts -
  • -
  • - bpg-mrgvlovani-caps-fonts -
  • -
  • - bpg-mrgvlovani-fonts -
  • -
  • - bpg-nateli-caps-fonts -
  • -
  • - bpg-nateli-condenced-fonts -
  • -
  • - bpg-nateli-fonts -
  • -
  • - bpg-nino-medium-cond-fonts -
  • -
  • - bpg-nino-medium-fonts -
  • -
  • - bpg-sans-fonts -
  • -
  • - bpg-sans-medium-fonts -
  • -
  • - bpg-sans-modern-fonts -
  • -
  • - bpg-sans-regular-fonts -
  • -
  • - bpg-serif-fonts -
  • -
  • - bpg-serif-modern-fonts -
  • -
  • - bpg-ucnobi-fonts -
  • -
  • - brlapi-java -
  • -
  • - bsh -
  • -
  • - buildnumber-maven-plugin -
  • -
  • - byaccj -
  • -
  • - cal10n -
  • -
  • - cbi-plugins -
  • -
  • - cdparanoia -
  • -
  • - cdparanoia-devel -
  • -
  • - cdparanoia-libs -
  • -
  • - cdrdao -
  • -
  • - cmirror -
  • -
  • - codehaus-parent -
  • -
  • - codemodel -
  • -
  • - compat-exiv2-026 -
  • -
  • - compat-guile18 -
  • -
  • - compat-hwloc1 -
  • -
  • - compat-libpthread-nonshared -
  • -
  • - compat-libtiff3 -
  • -
  • - compat-openssl10 -
  • -
  • - compat-sap-c++-11 -
  • -
  • - compat-sap-c++-10 -
  • -
  • - compat-sap-c++-9 -
  • -
  • - createrepo_c-devel -
  • -
  • - ctags -
  • -
  • - ctags-etags -
  • -
  • - custodia -
  • -
  • - cyrus-imapd-vzic -
  • -
  • - dbus-c++ -
  • -
  • - dbus-c++-devel -
  • -
  • - dbus-c++-glib -
  • -
  • - dbxtool -
  • -
  • - dhcp-libs -
  • -
  • - directory-maven-plugin -
  • -
  • - directory-maven-plugin-javadoc -
  • -
  • - dirsplit -
  • -
  • - dleyna-connector-dbus -
  • -
  • - dleyna-core -
  • -
  • - dleyna-renderer -
  • -
  • - dleyna-server -
  • -
  • - dnssec-trigger -
  • -
  • - dnssec-trigger-panel -
  • -
  • - dotnet-apphost-pack-3.0 -
  • -
  • - dotnet-apphost-pack-3.1 -
  • -
  • - dotnet-apphost-pack-5.0 -
  • -
  • - dotnet-host-fxr-2.1 -
  • -
  • - dotnet-host-fxr-2.1 -
  • -
  • - dotnet-hostfxr-3.0 -
  • -
  • - dotnet-hostfxr-3.1 -
  • -
  • - dotnet-hostfxr-5.0 -
  • -
  • - dotnet-runtime-2.1 -
  • -
  • - dotnet-runtime-3.0 -
  • -
  • - dotnet-runtime-3.1 -
  • -
  • - dotnet-runtime-5.0 -
  • -
  • - dotnet-sdk-2.1 -
  • -
  • - dotnet-sdk-2.1.5xx -
  • -
  • - dotnet-sdk-3.0 -
  • -
  • - dotnet-sdk-3.1 -
  • -
  • - dotnet-sdk-5.0 -
  • -
  • - dotnet-targeting-pack-3.0 -
  • -
  • - dotnet-targeting-pack-3.1 -
  • -
  • - dotnet-targeting-pack-5.0 -
  • -
  • - dotnet-templates-3.0 -
  • -
  • - dotnet-templates-3.1 -
  • -
  • - dotnet-templates-5.0 -
  • -
  • - dotnet5.0-build-reference-packages -
  • -
  • - dptfxtract -
  • -
  • - drpm -
  • -
  • - drpm-devel -
  • -
  • - dump -
  • -
  • - dvd+rw-tools -
  • -
  • - dyninst-static -
  • -
  • - eclipse-ecf -
  • -
  • - eclipse-ecf-core -
  • -
  • - eclipse-ecf-runtime -
  • -
  • - eclipse-emf -
  • -
  • - eclipse-emf-core -
  • -
  • - eclipse-emf-runtime -
  • -
  • - eclipse-emf-xsd -
  • -
  • - eclipse-equinox-osgi -
  • -
  • - eclipse-jdt -
  • -
  • - eclipse-license -
  • -
  • - eclipse-p2-discovery -
  • -
  • - eclipse-pde -
  • -
  • - eclipse-platform -
  • -
  • - eclipse-swt -
  • -
  • - ed25519-java -
  • -
  • - ee4j-parent -
  • -
  • - elfutils-devel-static -
  • -
  • - elfutils-libelf-devel-static -
  • -
  • - enca -
  • -
  • - enca-devel -
  • -
  • - environment-modules-compat -
  • -
  • - evince-browser-plugin -
  • -
  • - exec-maven-plugin -
  • -
  • - farstream02 -
  • -
  • - felix-gogo-command -
  • -
  • - felix-gogo-runtime -
  • -
  • - felix-gogo-shell -
  • -
  • - felix-scr -
  • -
  • - felix-osgi-compendium -
  • -
  • - felix-osgi-core -
  • -
  • - felix-osgi-foundation -
  • -
  • - felix-parent -
  • -
  • - file-roller -
  • -
  • - fipscheck -
  • -
  • - fipscheck-devel -
  • -
  • - fipscheck-lib -
  • -
  • - firewire -
  • -
  • - fonts-tweak-tool -
  • -
  • - forge-parent -
  • -
  • - freeradius-mysql -
  • -
  • - freeradius-perl -
  • -
  • - freeradius-postgresql -
  • -
  • - freeradius-rest -
  • -
  • - freeradius-sqlite -
  • -
  • - freeradius-unixODBC -
  • -
  • - fuse-sshfs -
  • -
  • - fusesource-pom -
  • -
  • - future -
  • -
  • - gamin -
  • -
  • - gamin-devel -
  • -
  • - gavl -
  • -
  • - gcc-toolset-9 -
  • -
  • - gcc-toolset-9-annobin -
  • -
  • - gcc-toolset-9-build -
  • -
  • - gcc-toolset-9-perftools -
  • -
  • - gcc-toolset-9-runtime -
  • -
  • - gcc-toolset-9-toolchain -
  • -
  • - gcc-toolset-10 -
  • -
  • - gcc-toolset-10-annobin -
  • -
  • - gcc-toolset-10-binutils -
  • -
  • - gcc-toolset-10-binutils-devel -
  • -
  • - gcc-toolset-10-build -
  • -
  • - gcc-toolset-10-dwz -
  • -
  • - gcc-toolset-10-dyninst -
  • -
  • - gcc-toolset-10-dyninst-devel -
  • -
  • - gcc-toolset-10-elfutils -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client -
  • -
  • - gcc-toolset-10-elfutils-debuginfod-client-devel -
  • -
  • - gcc-toolset-10-elfutils-devel -
  • -
  • - gcc-toolset-10-elfutils-libelf -
  • -
  • - gcc-toolset-10-elfutils-libelf-devel -
  • -
  • - gcc-toolset-10-elfutils-libs -
  • -
  • - gcc-toolset-10-gcc -
  • -
  • - gcc-toolset-10-gcc-c++ -
  • -
  • - gcc-toolset-10-gcc-gdb-plugin -
  • -
  • - gcc-toolset-10-gcc-gfortran -
  • -
  • - gcc-toolset-10-gdb -
  • -
  • - gcc-toolset-10-gdb-doc -
  • -
  • - gcc-toolset-10-gdb-gdbserver -
  • -
  • - gcc-toolset-10-libasan-devel -
  • -
  • - gcc-toolset-10-libatomic-devel -
  • -
  • - gcc-toolset-10-libitm-devel -
  • -
  • - gcc-toolset-10-liblsan-devel -
  • -
  • - gcc-toolset-10-libquadmath-devel -
  • -
  • - gcc-toolset-10-libstdc++-devel -
  • -
  • - gcc-toolset-10-libstdc++-docs -
  • -
  • - gcc-toolset-10-libtsan-devel -
  • -
  • - gcc-toolset-10-libubsan-devel -
  • -
  • - gcc-toolset-10-ltrace -
  • -
  • - gcc-toolset-10-make -
  • -
  • - gcc-toolset-10-make-devel -
  • -
  • - gcc-toolset-10-perftools -
  • -
  • - gcc-toolset-10-runtime -
  • -
  • - gcc-toolset-10-strace -
  • -
  • - gcc-toolset-10-systemtap -
  • -
  • - gcc-toolset-10-systemtap-client -
  • -
  • - gcc-toolset-10-systemtap-devel -
  • -
  • - gcc-toolset-10-systemtap-initscript -
  • -
  • - gcc-toolset-10-systemtap-runtime -
  • -
  • - gcc-toolset-10-systemtap-sdt-devel -
  • -
  • - gcc-toolset-10-systemtap-server -
  • -
  • - gcc-toolset-10-toolchain -
  • -
  • - gcc-toolset-10-valgrind -
  • -
  • - gcc-toolset-10-valgrind-devel -
  • -
  • - gcc-toolset-11-make-devel -
  • -
  • - GConf2 -
  • -
  • - GConf2-devel -
  • -
  • - gegl -
  • -
  • - genisoimage -
  • -
  • - genwqe-tools -
  • -
  • - genwqe-vpd -
  • -
  • - genwqe-zlib -
  • -
  • - genwqe-zlib-devel -
  • -
  • - geoipupdate -
  • -
  • - geronimo-annotation -
  • -
  • - geronimo-jms -
  • -
  • - geronimo-jpa -
  • -
  • - geronimo-parent-poms -
  • -
  • - gfbgraph -
  • -
  • - gflags -
  • -
  • - gflags-devel -
  • -
  • - glassfish-annotation-api -
  • -
  • - glassfish-el -
  • -
  • - glassfish-fastinfoset -
  • -
  • - glassfish-jaxb-core -
  • -
  • - glassfish-jaxb-txw2 -
  • -
  • - glassfish-jsp -
  • -
  • - glassfish-jsp-api -
  • -
  • - glassfish-legal -
  • -
  • - glassfish-master-pom -
  • -
  • - glassfish-servlet-api -
  • -
  • - glew-devel -
  • -
  • - glib2-fam -
  • -
  • - glog -
  • -
  • - glog-devel -
  • -
  • - gmock -
  • -
  • - gmock-devel -
  • -
  • - gnome-abrt -
  • -
  • - gnome-boxes -
  • -
  • - gnome-menus-devel -
  • -
  • - gnome-online-miners -
  • -
  • - gnome-shell-extension-disable-screenshield -
  • -
  • - gnome-shell-extension-horizontal-workspaces -
  • -
  • - gnome-shell-extension-no-hot-corner -
  • -
  • - gnome-shell-extension-window-grouper -
  • -
  • - gnome-themes-standard -
  • -
  • - gnu-free-fonts-common -
  • -
  • - gnu-free-mono-fonts -
  • -
  • - gnu-free-sans-fonts -
  • -
  • - gnu-free-serif-fonts -
  • -
  • - gnupg2-smime -
  • -
  • - gnuplot -
  • -
  • - gnuplot-common -
  • -
  • - gobject-introspection-devel -
  • -
  • - google-gson -
  • -
  • - google-noto-sans-syriac-eastern-fonts -
  • -
  • - google-noto-sans-syriac-estrangela-fonts -
  • -
  • - google-noto-sans-syriac-western-fonts -
  • -
  • - google-noto-sans-tibetan-fonts -
  • -
  • - google-noto-sans-ui-fonts -
  • -
  • - gphoto2 -
  • -
  • - gsl-devel -
  • -
  • - gssntlmssp -
  • -
  • - gtest -
  • -
  • - gtest-devel -
  • -
  • - gtkmm24 -
  • -
  • - gtkmm24-devel -
  • -
  • - gtkmm24-docs -
  • -
  • - gtksourceview3 -
  • -
  • - gtksourceview3-devel -
  • -
  • - gtkspell -
  • -
  • - gtkspell-devel -
  • -
  • - gtkspell3 -
  • -
  • - guile -
  • -
  • - gutenprint-gimp -
  • -
  • - gutenprint-libs-ui -
  • -
  • - gvfs-afc -
  • -
  • - gvfs-afp -
  • -
  • - gvfs-archive -
  • -
  • - hamcrest-core -
  • -
  • - hawtjni -
  • -
  • - hawtjni -
  • -
  • - hawtjni-runtime -
  • -
  • - HdrHistogram -
  • -
  • - HdrHistogram-javadoc -
  • -
  • - highlight-gui -
  • -
  • - hivex-devel -
  • -
  • - hostname -
  • -
  • - hplip-gui -
  • -
  • - httpcomponents-project -
  • -
  • - hwloc-plugins -
  • -
  • - hyphen-fo -
  • -
  • - hyphen-grc -
  • -
  • - hyphen-hsb -
  • -
  • - hyphen-ia -
  • -
  • - hyphen-is -
  • -
  • - hyphen-ku -
  • -
  • - hyphen-mi -
  • -
  • - hyphen-mn -
  • -
  • - hyphen-sa -
  • -
  • - hyphen-tk -
  • -
  • - ibus-sayura -
  • -
  • - icedax -
  • -
  • - icu4j -
  • -
  • - idm-console-framework -
  • -
  • - inkscape -
  • -
  • - inkscape-docs -
  • -
  • - inkscape-view -
  • -
  • - iptables -
  • -
  • - ipython -
  • -
  • - isl -
  • -
  • - isl-devel -
  • -
  • - isorelax -
  • -
  • - istack-commons-runtime -
  • -
  • - istack-commons-tools -
  • -
  • - iwl3945-firmware -
  • -
  • - iwl4965-firmware -
  • -
  • - iwl6000-firmware -
  • -
  • - jacoco -
  • -
  • - jaf -
  • -
  • - jaf-javadoc -
  • -
  • - jakarta-oro -
  • -
  • - janino -
  • -
  • - jansi-native -
  • -
  • - jarjar -
  • -
  • - java-1.8.0-ibm -
  • -
  • - java-1.8.0-ibm-demo -
  • -
  • - java-1.8.0-ibm-devel -
  • -
  • - java-1.8.0-ibm-headless -
  • -
  • - java-1.8.0-ibm-jdbc -
  • -
  • - java-1.8.0-ibm-plugin -
  • -
  • - java-1.8.0-ibm-src -
  • -
  • - java-1.8.0-ibm-webstart -
  • -
  • - java-1.8.0-openjdk-accessibility -
  • -
  • - java-1.8.0-openjdk-accessibility-slowdebug -
  • -
  • - java_cup -
  • -
  • - java-atk-wrapper -
  • -
  • - javacc -
  • -
  • - javacc-maven-plugin -
  • -
  • - javaewah -
  • -
  • - javaparser -
  • -
  • - javapoet -
  • -
  • - javassist -
  • -
  • - javassist-javadoc -
  • -
  • - jaxen -
  • -
  • - jboss-annotations-1.2-api -
  • -
  • - jboss-interceptors-1.2-api -
  • -
  • - jboss-logmanager -
  • -
  • - jboss-parent -
  • -
  • - jctools -
  • -
  • - jdepend -
  • -
  • - jdependency -
  • -
  • - jdom -
  • -
  • - jdom2 -
  • -
  • - jetty -
  • -
  • - jetty-continuation -
  • -
  • - jetty-http -
  • -
  • - jetty-io -
  • -
  • - jetty-security -
  • -
  • - jetty-server -
  • -
  • - jetty-servlet -
  • -
  • - jetty-util -
  • -
  • - jffi -
  • -
  • - jflex -
  • -
  • - jgit -
  • -
  • - jline -
  • -
  • - jmc -
  • -
  • - jnr-netdb -
  • -
  • - jolokia-jvm-agent -
  • -
  • - js-uglify -
  • -
  • - jsch -
  • -
  • - json_simple -
  • -
  • - jss-javadoc -
  • -
  • - jtidy -
  • -
  • - junit5 -
  • -
  • - jvnet-parent -
  • -
  • - jzlib -
  • -
  • - kernel-cross-headers -
  • -
  • - ksc -
  • -
  • - kurdit-unikurd-web-fonts -
  • -
  • - kyotocabinet-libs -
  • -
  • - ldapjdk-javadoc -
  • -
  • - lensfun -
  • -
  • - lensfun-devel -
  • -
  • - lftp-scripts -
  • -
  • - libaec -
  • -
  • - libaec-devel -
  • -
  • - libappindicator-gtk3 -
  • -
  • - libappindicator-gtk3-devel -
  • -
  • - libatomic-static -
  • -
  • - libavc1394 -
  • -
  • - libblocksruntime -
  • -
  • - libcacard -
  • -
  • - libcacard-devel -
  • -
  • - libcgroup -
  • -
  • - libcgroup-tools -
  • -
  • - libchamplain -
  • -
  • - libchamplain-devel -
  • -
  • - libchamplain-gtk -
  • -
  • - libcroco -
  • -
  • - libcroco-devel -
  • -
  • - libcxl -
  • -
  • - libcxl-devel -
  • -
  • - libdap -
  • -
  • - libdap-devel -
  • -
  • - libdazzle-devel -
  • -
  • - libdbusmenu -
  • -
  • - libdbusmenu-devel -
  • -
  • - libdbusmenu-doc -
  • -
  • - libdbusmenu-gtk3 -
  • -
  • - libdbusmenu-gtk3-devel -
  • -
  • - libdc1394 -
  • -
  • - libdnet -
  • -
  • - libdnet-devel -
  • -
  • - libdv -
  • -
  • - libdwarf -
  • -
  • - libdwarf-devel -
  • -
  • - libdwarf-static -
  • -
  • - libdwarf-tools -
  • -
  • - libeasyfc -
  • -
  • - libeasyfc-gobject -
  • -
  • - libepubgen-devel -
  • -
  • - libertas-sd8686-firmware -
  • -
  • - libertas-usb8388-firmware -
  • -
  • - libertas-usb8388-olpc-firmware -
  • -
  • - libgdither -
  • -
  • - libGLEW -
  • -
  • - libgovirt -
  • -
  • - libguestfs-benchmarking -
  • -
  • - libguestfs-devel -
  • -
  • - libguestfs-gfs2 -
  • -
  • - libguestfs-gobject -
  • -
  • - libguestfs-gobject-devel -
  • -
  • - libguestfs-java -
  • -
  • - libguestfs-java-devel -
  • -
  • - libguestfs-javadoc -
  • -
  • - libguestfs-man-pages-ja -
  • -
  • - libguestfs-man-pages-uk -
  • -
  • - libguestfs-tools -
  • -
  • - libguestfs-tools-c -
  • -
  • - libhugetlbfs -
  • -
  • - libhugetlbfs-devel -
  • -
  • - libhugetlbfs-utils -
  • -
  • - libIDL -
  • -
  • - libIDL-devel -
  • -
  • - libidn -
  • -
  • - libiec61883 -
  • -
  • - libindicator-gtk3 -
  • -
  • - libindicator-gtk3-devel -
  • -
  • - libiscsi-devel -
  • -
  • - libjose-devel -
  • -
  • - libkkc -
  • -
  • - libkkc-common -
  • -
  • - libkkc-data -
  • -
  • - libldb-devel -
  • -
  • - liblogging -
  • -
  • - libluksmeta-devel -
  • -
  • - libmalaga -
  • -
  • - libmcpp -
  • -
  • - libmemcached -
  • -
  • - libmemcached-libs -
  • -
  • - libmetalink -
  • -
  • - libmodulemd1 -
  • -
  • - libmongocrypt -
  • -
  • - libmtp-devel -
  • -
  • - libmusicbrainz5 -
  • -
  • - libmusicbrainz5-devel -
  • -
  • - libnbd-devel -
  • -
  • - liboauth -
  • -
  • - liboauth-devel -
  • -
  • - libpfm-static -
  • -
  • - libpng12 -
  • -
  • - libpurple -
  • -
  • - libpurple-devel -
  • -
  • - libraw1394 -
  • -
  • - libreport-plugin-mailx -
  • -
  • - libreport-plugin-rhtsupport -
  • -
  • - libreport-plugin-ureport -
  • -
  • - libreport-rhel -
  • -
  • - libreport-rhel-bugzilla -
  • -
  • - librpmem -
  • -
  • - librpmem-debug -
  • -
  • - librpmem-devel -
  • -
  • - libsass -
  • -
  • - libsass-devel -
  • -
  • - libselinux-python -
  • -
  • - libsqlite3x -
  • -
  • - libtalloc-devel -
  • -
  • - libtar -
  • -
  • - libtdb-devel -
  • -
  • - libtevent-devel -
  • -
  • - libtpms-devel -
  • -
  • - libunwind -
  • -
  • - libusal -
  • -
  • - libvarlink -
  • -
  • - libverto-libevent -
  • -
  • - libvirt-admin -
  • -
  • - libvirt-bash-completion -
  • -
  • - libvirt-daemon-driver-storage-gluster -
  • -
  • - libvirt-daemon-driver-storage-iscsi-direct -
  • -
  • - libvirt-devel -
  • -
  • - libvirt-docs -
  • -
  • - libvirt-gconfig -
  • -
  • - libvirt-gobject -
  • -
  • - libvirt-lock-sanlock -
  • -
  • - libvirt-wireshark -
  • -
  • - libvmem -
  • -
  • - libvmem-debug -
  • -
  • - libvmem-devel -
  • -
  • - libvmmalloc -
  • -
  • - libvmmalloc-debug -
  • -
  • - libvmmalloc-devel -
  • -
  • - libvncserver -
  • -
  • - libwinpr-devel -
  • -
  • - libwmf -
  • -
  • - libwmf-devel -
  • -
  • - libwmf-lite -
  • -
  • - libXNVCtrl -
  • -
  • - libyami -
  • -
  • - log4j12 -
  • -
  • - log4j12-javadoc -
  • -
  • - lohit-malayalam-fonts -
  • -
  • - lohit-nepali-fonts -
  • -
  • - lorax-composer -
  • -
  • - lua-guestfs -
  • -
  • - lucene -
  • -
  • - lucene-analysis -
  • -
  • - lucene-analyzers-smartcn -
  • -
  • - lucene-queries -
  • -
  • - lucene-queryparser -
  • -
  • - lucene-sandbox -
  • -
  • - lz4-java -
  • -
  • - lz4-java-javadoc -
  • -
  • - mailman -
  • -
  • - mailx -
  • -
  • - make-devel -
  • -
  • - malaga -
  • -
  • - malaga-suomi-voikko -
  • -
  • - marisa -
  • -
  • - maven-antrun-plugin -
  • -
  • - maven-assembly-plugin -
  • -
  • - maven-clean-plugin -
  • -
  • - maven-dependency-analyzer -
  • -
  • - maven-dependency-plugin -
  • -
  • - maven-doxia -
  • -
  • - maven-doxia-sitetools -
  • -
  • - maven-install-plugin -
  • -
  • - maven-invoker -
  • -
  • - maven-invoker-plugin -
  • -
  • - maven-parent -
  • -
  • - maven-plugins-pom -
  • -
  • - maven-reporting-api -
  • -
  • - maven-reporting-impl -
  • -
  • - maven-resolver-api -
  • -
  • - maven-resolver-connector-basic -
  • -
  • - maven-resolver-impl -
  • -
  • - maven-resolver-spi -
  • -
  • - maven-resolver-transport-wagon -
  • -
  • - maven-resolver-util -
  • -
  • - maven-scm -
  • -
  • - maven-script-interpreter -
  • -
  • - maven-shade-plugin -
  • -
  • - maven-shared -
  • -
  • - maven-verifier -
  • -
  • - maven-wagon-file -
  • -
  • - maven-wagon-http -
  • -
  • - maven-wagon-http-shared -
  • -
  • - maven-wagon-provider-api -
  • -
  • - maven2 -
  • -
  • - meanwhile -
  • -
  • - mercurial -
  • -
  • - mercurial-hgk -
  • -
  • - metis -
  • -
  • - metis-devel -
  • -
  • - mingw32-bzip2 -
  • -
  • - mingw32-bzip2-static -
  • -
  • - mingw32-cairo -
  • -
  • - mingw32-expat -
  • -
  • - mingw32-fontconfig -
  • -
  • - mingw32-freetype -
  • -
  • - mingw32-freetype-static -
  • -
  • - mingw32-gstreamer1 -
  • -
  • - mingw32-harfbuzz -
  • -
  • - mingw32-harfbuzz-static -
  • -
  • - mingw32-icu -
  • -
  • - mingw32-libjpeg-turbo -
  • -
  • - mingw32-libjpeg-turbo-static -
  • -
  • - mingw32-libpng -
  • -
  • - mingw32-libpng-static -
  • -
  • - mingw32-libtiff -
  • -
  • - mingw32-libtiff-static -
  • -
  • - mingw32-openssl -
  • -
  • - mingw32-readline -
  • -
  • - mingw32-sqlite -
  • -
  • - mingw32-sqlite-static -
  • -
  • - mingw64-adwaita-icon-theme -
  • -
  • - mingw64-bzip2 -
  • -
  • - mingw64-bzip2-static -
  • -
  • - mingw64-cairo -
  • -
  • - mingw64-expat -
  • -
  • - mingw64-fontconfig -
  • -
  • - mingw64-freetype -
  • -
  • - mingw64-freetype-static -
  • -
  • - mingw64-gstreamer1 -
  • -
  • - mingw64-harfbuzz -
  • -
  • - mingw64-harfbuzz-static -
  • -
  • - mingw64-icu -
  • -
  • - mingw64-libjpeg-turbo -
  • -
  • - mingw64-libjpeg-turbo-static -
  • -
  • - mingw64-libpng -
  • -
  • - mingw64-libpng-static -
  • -
  • - mingw64-libtiff -
  • -
  • - mingw64-libtiff-static -
  • -
  • - mingw64-nettle -
  • -
  • - mingw64-openssl -
  • -
  • - mingw64-readline -
  • -
  • - mingw64-sqlite -
  • -
  • - mingw64-sqlite-static -
  • -
  • - modello -
  • -
  • - mojo-parent -
  • -
  • - mongo-c-driver -
  • -
  • - mousetweaks -
  • -
  • - mozjs52 -
  • -
  • - mozjs52-devel -
  • -
  • - mozjs60 -
  • -
  • - mozjs60-devel -
  • -
  • - mozvoikko -
  • -
  • - msv-javadoc -
  • -
  • - msv-manual -
  • -
  • - munge-maven-plugin -
  • -
  • - mythes-mi -
  • -
  • - mythes-ne -
  • -
  • - nafees-web-naskh-fonts -
  • -
  • - nbd -
  • -
  • - nbdkit-devel -
  • -
  • - nbdkit-example-plugins -
  • -
  • - nbdkit-gzip-plugin -
  • -
  • - nbdkit-plugin-python-common -
  • -
  • - nbdkit-plugin-vddk -
  • -
  • - ncompress -
  • -
  • - ncurses-compat-libs -
  • -
  • - net-tools -
  • -
  • - netcf -
  • -
  • - netcf-devel -
  • -
  • - netcf-libs -
  • -
  • - network-scripts -
  • -
  • - network-scripts-ppp -
  • -
  • - nkf -
  • -
  • - nodejs-devel -
  • -
  • - nodejs-packaging -
  • -
  • - nss_nis -
  • -
  • - nss-pam-ldapd -
  • -
  • - objectweb-asm -
  • -
  • - objectweb-asm-javadoc -
  • -
  • - objectweb-pom -
  • -
  • - ocaml-bisect-ppx -
  • -
  • - ocaml-camlp4 -
  • -
  • - ocaml-camlp4-devel -
  • -
  • - ocaml-lwt -
  • -
  • - ocaml-mmap -
  • -
  • - ocaml-ocplib-endian -
  • -
  • - ocaml-ounit -
  • -
  • - ocaml-result -
  • -
  • - ocaml-seq -
  • -
  • - opencryptoki-tpmtok -
  • -
  • - opencv-contrib -
  • -
  • - opencv-core -
  • -
  • - opencv-devel -
  • -
  • - openhpi -
  • -
  • - openhpi-libs -
  • -
  • - OpenIPMI-perl -
  • -
  • - openssh-cavs -
  • -
  • - openssh-ldap -
  • -
  • - openssl-ibmpkcs11 -
  • -
  • - opentest4j -
  • -
  • - os-maven-plugin -
  • -
  • - pakchois -
  • -
  • - pandoc -
  • -
  • - paps-libs -
  • -
  • - paranamer -
  • -
  • - parfait -
  • -
  • - parfait-examples -
  • -
  • - parfait-javadoc -
  • -
  • - pcp-parfait-agent -
  • -
  • - pcp-pmda-rpm -
  • -
  • - pcp-pmda-vmware -
  • -
  • - pcsc-lite-doc -
  • -
  • - peripety -
  • -
  • - perl-B-Debug -
  • -
  • - perl-B-Lint -
  • -
  • - perl-Class-Factory-Util -
  • -
  • - perl-Class-ISA -
  • -
  • - perl-DateTime-Format-HTTP -
  • -
  • - perl-DateTime-Format-Mail -
  • -
  • - perl-File-CheckTree -
  • -
  • - perl-homedir -
  • -
  • - perl-libxml-perl -
  • -
  • - perl-Locale-Codes -
  • -
  • - perl-Mozilla-LDAP -
  • -
  • - perl-NKF -
  • -
  • - perl-Object-HashBase-tools -
  • -
  • - perl-Package-DeprecationManager -
  • -
  • - perl-Pod-LaTeX -
  • -
  • - perl-Pod-Plainer -
  • -
  • - perl-prefork -
  • -
  • - perl-String-CRC32 -
  • -
  • - perl-SUPER -
  • -
  • - perl-Sys-Virt -
  • -
  • - perl-tests -
  • -
  • - perl-YAML-Syck -
  • -
  • - phodav -
  • -
  • - php-recode -
  • -
  • - php-xmlrpc -
  • -
  • - pidgin -
  • -
  • - pidgin-devel -
  • -
  • - pidgin-sipe -
  • -
  • - pinentry-emacs -
  • -
  • - pinentry-gtk -
  • -
  • - pipewire0.2-devel -
  • -
  • - pipewire0.2-libs -
  • -
  • - platform-python-coverage -
  • -
  • - plexus-ant-factory -
  • -
  • - plexus-bsh-factory -
  • -
  • - plexus-cli -
  • -
  • - plexus-component-api -
  • -
  • - plexus-component-factories-pom -
  • -
  • - plexus-components-pom -
  • -
  • - plexus-i18n -
  • -
  • - plexus-interactivity -
  • -
  • - plexus-pom -
  • -
  • - plexus-velocity -
  • -
  • - plymouth-plugin-throbgress -
  • -
  • - pmreorder -
  • -
  • - postgresql-test-rpm-macros -
  • -
  • - powermock -
  • -
  • - prometheus-jmx-exporter -
  • -
  • - prometheus-jmx-exporter-openjdk11 -
  • -
  • - ptscotch-mpich -
  • -
  • - ptscotch-mpich-devel -
  • -
  • - ptscotch-mpich-devel-parmetis -
  • -
  • - ptscotch-openmpi -
  • -
  • - ptscotch-openmpi-devel -
  • -
  • - purple-sipe -
  • -
  • - pygobject2-doc -
  • -
  • - pygtk2 -
  • -
  • - pygtk2-codegen -
  • -
  • - pygtk2-devel -
  • -
  • - pygtk2-doc -
  • -
  • - python-nose-docs -
  • -
  • - python-nss-doc -
  • -
  • - python-podman-api -
  • -
  • - python-psycopg2-doc -
  • -
  • - python-pymongo-doc -
  • -
  • - python-redis -
  • -
  • - python-schedutils -
  • -
  • - python-slip -
  • -
  • - python-sqlalchemy-doc -
  • -
  • - python-varlink -
  • -
  • - python-virtualenv-doc -
  • -
  • - python2-backports -
  • -
  • - python2-backports-ssl_match_hostname -
  • -
  • - python2-bson -
  • -
  • - python2-coverage -
  • -
  • - python2-docs -
  • -
  • - python2-docs-info -
  • -
  • - python2-funcsigs -
  • -
  • - python2-ipaddress -
  • -
  • - python2-mock -
  • -
  • - python2-nose -
  • -
  • - python2-numpy-doc -
  • -
  • - python2-psycopg2-debug -
  • -
  • - python2-psycopg2-tests -
  • -
  • - python2-pymongo -
  • -
  • - python2-pymongo-gridfs -
  • -
  • - python2-pytest-mock -
  • -
  • - python2-sqlalchemy -
  • -
  • - python2-tools -
  • -
  • - python2-virtualenv -
  • -
  • - python3-bson -
  • -
  • - python3-click -
  • -
  • - python3-coverage -
  • -
  • - python3-cpio -
  • -
  • - python3-custodia -
  • -
  • - python3-docs -
  • -
  • - python3-flask -
  • -
  • - python3-gevent -
  • -
  • - python3-gobject-base -
  • -
  • - python3-hivex -
  • -
  • - python3-html5lib -
  • -
  • - python3-hypothesis -
  • -
  • - python3-ipatests -
  • -
  • - python3-itsdangerous -
  • -
  • - python3-jwt -
  • -
  • - python3-libguestfs -
  • -
  • - python3-mock -
  • -
  • - python3-networkx-core -
  • -
  • - python3-nose -
  • -
  • - python3-nss -
  • -
  • - python3-openipmi -
  • -
  • - python3-pillow -
  • -
  • - python3-ptyprocess -
  • -
  • - python3-pydbus -
  • -
  • - python3-pymongo -
  • -
  • - python3-pymongo-gridfs -
  • -
  • - python3-pyOpenSSL -
  • -
  • - python3-pytoml -
  • -
  • - python3-reportlab -
  • -
  • - python3-schedutils -
  • -
  • - python3-scons -
  • -
  • - python3-semantic_version -
  • -
  • - python3-slip -
  • -
  • - python3-slip-dbus -
  • -
  • - python3-sqlalchemy -
  • -
  • - python3-syspurpose -
  • -
  • - python3-virtualenv -
  • -
  • - python3-webencodings -
  • -
  • - python3-werkzeug -
  • -
  • - python38-asn1crypto -
  • -
  • - python38-numpy-doc -
  • -
  • - python38-psycopg2-doc -
  • -
  • - python38-psycopg2-tests -
  • -
  • - python39-numpy-doc -
  • -
  • - python39-psycopg2-doc -
  • -
  • - python39-psycopg2-tests -
  • -
  • - qemu-kvm-block-gluster -
  • -
  • - qemu-kvm-block-iscsi -
  • -
  • - qemu-kvm-block-ssh -
  • -
  • - qemu-kvm-hw-usbredir -
  • -
  • - qemu-kvm-device-display-virtio-gpu-gl -
  • -
  • - qemu-kvm-device-display-virtio-gpu-pci-gl -
  • -
  • - qemu-kvm-device-display-virtio-vga-gl -
  • -
  • - qemu-kvm-tests -
  • -
  • - qpdf -
  • -
  • - qpdf-doc -
  • -
  • - qpid-proton -
  • -
  • - qrencode -
  • -
  • - qrencode-devel -
  • -
  • - qrencode-libs -
  • -
  • - qt5-qtcanvas3d -
  • -
  • - qt5-qtcanvas3d-examples -
  • -
  • - rarian -
  • -
  • - rarian-compat -
  • -
  • - re2c -
  • -
  • - recode -
  • -
  • - redhat-lsb -
  • -
  • - redhat-lsb-core -
  • -
  • - redhat-lsb-cxx -
  • -
  • - redhat-lsb-desktop -
  • -
  • - redhat-lsb-languages -
  • -
  • - redhat-lsb-printing -
  • -
  • - redhat-lsb-submod-multimedia -
  • -
  • - redhat-lsb-submod-security -
  • -
  • - redhat-lsb-supplemental -
  • -
  • - redhat-lsb-trialuse -
  • -
  • - redhat-menus -
  • -
  • - redhat-support-lib-python -
  • -
  • - redhat-support-tool -
  • -
  • - reflections -
  • -
  • - regexp -
  • -
  • - relaxngDatatype -
  • -
  • - rhsm-gtk -
  • -
  • - rpm-plugin-prioreset -
  • -
  • - rpmemd -
  • -
  • - rsyslog-udpspoof -
  • -
  • - ruby-hivex -
  • -
  • - ruby-libguestfs -
  • -
  • - rubygem-abrt -
  • -
  • - rubygem-abrt-doc -
  • -
  • - rubygem-bson -
  • -
  • - rubygem-bson-doc -
  • -
  • - rubygem-bundler-doc -
  • -
  • - rubygem-mongo -
  • -
  • - rubygem-mongo-doc -
  • -
  • - rubygem-net-telnet -
  • -
  • - rubygem-xmlrpc -
  • -
  • - s390utils-cmsfs -
  • -
  • - samba-pidl -
  • -
  • - samba-test -
  • -
  • - samba-test-libs -
  • -
  • - samyak-devanagari-fonts -
  • -
  • - samyak-fonts-common -
  • -
  • - samyak-gujarati-fonts -
  • -
  • - samyak-malayalam-fonts -
  • -
  • - samyak-odia-fonts -
  • -
  • - samyak-tamil-fonts -
  • -
  • - sane-frontends -
  • -
  • - sanlk-reset -
  • -
  • - sat4j -
  • -
  • - scala -
  • -
  • - scotch -
  • -
  • - scotch-devel -
  • -
  • - SDL_sound -
  • -
  • - selinux-policy-minimum -
  • -
  • - sendmail -
  • -
  • - sgabios -
  • -
  • - sgabios-bin -
  • -
  • - shrinkwrap -
  • -
  • - sisu-inject -
  • -
  • - sisu-mojos -
  • -
  • - sisu-plexus -
  • -
  • - skkdic -
  • -
  • - SLOF -
  • -
  • - smc-anjalioldlipi-fonts -
  • -
  • - smc-dyuthi-fonts -
  • -
  • - smc-fonts-common -
  • -
  • - smc-kalyani-fonts -
  • -
  • - smc-raghumalayalam-fonts -
  • -
  • - smc-suruma-fonts -
  • -
  • - softhsm-devel -
  • -
  • - sonatype-oss-parent -
  • -
  • - sonatype-plugins-parent -
  • -
  • - sos-collector -
  • -
  • - sparsehash-devel -
  • -
  • - spax -
  • -
  • - spec-version-maven-plugin -
  • -
  • - spice -
  • -
  • - spice-client-win-x64 -
  • -
  • - spice-client-win-x86 -
  • -
  • - spice-glib -
  • -
  • - spice-glib-devel -
  • -
  • - spice-gtk -
  • -
  • - spice-gtk-tools -
  • -
  • - spice-gtk3 -
  • -
  • - spice-gtk3-devel -
  • -
  • - spice-gtk3-vala -
  • -
  • - spice-parent -
  • -
  • - spice-protocol -
  • -
  • - spice-qxl-wddm-dod -
  • -
  • - spice-server -
  • -
  • - spice-server-devel -
  • -
  • - spice-qxl-xddm -
  • -
  • - spice-server -
  • -
  • - spice-streaming-agent -
  • -
  • - spice-vdagent-win-x64 -
  • -
  • - spice-vdagent-win-x86 -
  • -
  • - sssd-libwbclient -
  • -
  • - star -
  • -
  • - stax-ex -
  • -
  • - stax2-api -
  • -
  • - stringtemplate -
  • -
  • - stringtemplate4 -
  • -
  • - subscription-manager-initial-setup-addon -
  • -
  • - subscription-manager-migration -
  • -
  • - subscription-manager-migration-data -
  • -
  • - subversion-javahl -
  • -
  • - SuperLU -
  • -
  • - SuperLU-devel -
  • -
  • - supermin-devel -
  • -
  • - swig -
  • -
  • - swig-doc -
  • -
  • - swig-gdb -
  • -
  • - swtpm-devel -
  • -
  • - swtpm-tools-pkcs11 -
  • -
  • - system-storage-manager -
  • -
  • - tcl-brlapi -
  • -
  • - testng -
  • -
  • - tibetan-machine-uni-fonts -
  • -
  • - timedatex -
  • -
  • - tpm-quote-tools -
  • -
  • - tpm-tools -
  • -
  • - tpm-tools-pkcs11 -
  • -
  • - treelayout -
  • -
  • - trousers -
  • -
  • - trousers-lib -
  • -
  • - tuned-profiles-compat -
  • -
  • - tuned-profiles-nfv-host-bin -
  • -
  • - tuned-utils-systemtap -
  • -
  • - tycho -
  • -
  • - uglify-js -
  • -
  • - unbound-devel -
  • -
  • - univocity-output-tester -
  • -
  • - univocity-parsers -
  • -
  • - usbguard-notifier -
  • -
  • - usbredir-devel -
  • -
  • - utf8cpp -
  • -
  • - uthash -
  • -
  • - velocity -
  • -
  • - vinagre -
  • -
  • - vino -
  • -
  • - virt-dib -
  • -
  • - virt-p2v-maker -
  • -
  • - vm-dump-metrics-devel -
  • -
  • - weld-parent -
  • -
  • - wodim -
  • -
  • - woodstox-core -
  • -
  • - wqy-microhei-fonts -
  • -
  • - wqy-unibit-fonts -
  • -
  • - xdelta -
  • -
  • - xmlgraphics-commons -
  • -
  • - xmlstreambuffer -
  • -
  • - xinetd -
  • -
  • - xorg-x11-apps -
  • -
  • - xorg-x11-drv-qxl -
  • -
  • - xorg-x11-server-Xspice -
  • -
  • - xpp3 -
  • -
  • - xsane-gimp -
  • -
  • - xsom -
  • -
  • - xz-java -
  • -
  • - xz-java-javadoc -
  • -
  • - yajl-devel -
  • -
  • - yp-tools -
  • -
  • - ypbind -
  • -
  • - ypserv -
  • -
-
-
-
-
-
-
-

10.21. Deprecated and unmaintained devices

-
-
-
-

- This section lists devices (drivers, adapters) that -

-
-
    -
  • - continue to be supported until the end of life of RHEL 8 but will likely not be supported in - future major releases of this product and are not recommended for new deployments. Support - for devices other than those listed remains unchanged. These are deprecated devices. -
  • -
  • - are available but are no longer being tested or updated on a routine basis in RHEL 8. Red - Hat may fix serious bugs, including security bugs, at its discretion. These devices should - no longer be used in production, and it is likely they will be disabled in the next major - release. These are unmaintained devices. -
  • -
-
-

- PCI device IDs are in the format of vendor:device:subvendor:subdevice. If no device ID is listed, - all devices associated with the corresponding driver have been deprecated. To check the PCI IDs of - the hardware on your system, run the lspci -nn command. -

-
-

Table 10.1. Deprecated devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- bnx2 -

-
-

- QLogic BCM5706/5708/5709/5716 Driver -

-
  -

- hpsa -

-
-

- Hewlett-Packard Company: Smart Array Controllers -

-
-

- 0x10df:0x0724 -

-
-

- lpfc -

-
-

- Emulex Corporation: OneConnect FCoE Initiator (Skyhawk) -

-
-

- 0x10df:0xe200 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe15000/LPe16000 Series 8Gb/16Gb Fibre Channel Adapter -

-
-

- 0x10df:0xf011 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf015 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xf100 -

-
-

- lpfc -

-
-

- Emulex Corporation: LPe12000 Series 8Gb Fibre Channel Adapter -

-
-

- 0x10df:0xfc40 -

-
-

- lpfc -

-
-

- Emulex Corporation: Saturn-X: LightPulse Fibre Channel Host Adapter -

-
-

- 0x10df:0xe220 -

-
-

- be2net -

-
-

- Emulex Corporation: OneConnect NIC (Lancer) -

-
-

- 0x1000:0x005b -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2208 [Thunderbolt] -

-
-

- 0x1000:0x006E -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0080 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0081 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0082 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0083 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0084 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0085 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2208 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0086 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
-

- 0x1000:0x0087 -

-
-

- mpt3sas -

-
-

- Broadcom / LSI: SAS2308 PCI-Express Fusion-MPT SAS-2 -

-
  -

- myri10ge -

-
-

- Myricom 10G driver (10GbE) -

-
  -

- netxen_nic -

-
-

- QLogic/NetXen (1/10) GbE Intelligent Ethernet Driver -

-
-

- 0x1077:0x2031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP8324-based 16Gb Fibre Channel to PCI Express Adapter -

-
-

- 0x1077:0x2532 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: ISP2532-based 8Gb Fibre Channel to PCI Express HBA -

-
-

- 0x1077:0x8031 -

-
-

- qla2xxx -

-
-

- QLogic Corp.: 8300 Series 10GbE Converged Network Adapter (FCoE) -

-
  -

- qla3xxx -

-
-

- QLogic ISP3XXX Network Driver v2.03.00-k5 -

-
-

- 0x1924:0x0803 -

-
-

- sfc -

-
-

- Solarflare Communications: SFC9020 10G Ethernet Controller -

-
-

- 0x1924:0x0813 -

-
-

- sfc -

-
-

- Solarflare Communications: SFL9021 10GBASE-T Ethernet Controller -

-
  -

- Soft-RoCE (rdma_rxe) -

-
 
  -

- HNS-RoCE -

-
-

- HNS GE/10GE/25GE/50GE/100GE RDMA Network Controller -

-
  -

- liquidio -

-
-

- Cavium LiquidIO Intelligent Server Adapter Driver -

-
  -

- liquidio_vf -

-
-

- Cavium LiquidIO Intelligent Server Adapter Virtual Function Driver -

-
-
-
-
-

Table 10.2. Unmaintained devices

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Device IDDriverDevice name
  -

- e1000 -

-
-

- Intel® PRO/1000 Network Driver -

-
  -

- mptbase -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptsas -

-
-

- Fusion MPT SAS Host driver -

-
  -

- mptscsih -

-
-

- Fusion MPT SCSI Host driver -

-
  -

- mptspi -

-
-

- Fusion MPT SAS Host driver -

-
-

- 0x1000:0x0071 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MR SAS HBA 2004 -

-
-

- 0x1000:0x0073 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2008 [Falcon] -

-
-

- 0x1000:0x0079 [a] -

-
-

- megaraid_sas -

-
-

- Broadcom / LSI: MegaRAID SAS 2108 [Liberator] -

-
  -

- nvmet_tcp -

-
-

- NVMe/TCP target driver -

-
  -

- nvmet-fc -

-
-

- NVMe/Fabrics FC target driver -

-
-
-
[a] - Disabled in RHEL 8.0, re-enabled in RHEL 8.4 due to customer requests. -
-
-
-
-
-
-
-
-
-
-
-

Chapter 11. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 8.9. -

-
-
-
-
-

11.1. Installer and image creation

-
-
-
-
-

During RHEL installation on IBM Z, udev does - not assign predictable interface names to RoCE cards enumerated by FID

-

- If you start a RHEL 8.7 or later installation with the net.naming-scheme=rhel-8.7 kernel command-line option, the udev device manager on the RHEL installation media ignores this - setting for RoCE cards enumerated by the function identifier (FID). As a consequence, udev assigns unpredictable interface names to these devices. There is - no workaround during the installation, but you can configure the feature after the installation. - For further details, see Determining - a predictable RoCE device name on the IBM Z platform. -

-
-

- (JIRA:RHEL-11397) -

-
-

Installation fails on IBM Power 10 systems with LPAR and secure boot - enabled

-

- RHEL installer is not integrated with static key secure boot on IBM Power 10 systems. - Consequently, when logical partition (LPAR) is enabled with the secure boot option, the - installation fails with the error, Unable to proceed with RHEL-x.x Installation. -

-
-

- To work around this problem, install RHEL without enabling secure boot. After booting the system: -

-
-
    -
  1. - Copy the signed Kernel into the PReP partition using the dd - command. -
  2. -
  3. - Restart the system and enable secure boot. -
  4. -
-
-

- Once the firmware verifies the bootloader and the kernel, the system boots up successfully. -

-

- For more information, see https://www.ibm.com/support/pages/node/6528884 -

-

- Bugzilla:2025814[1] -

-
-

Unexpected SELinux policies on systems where Anaconda is running as an - application

-

- When Anaconda is running as an application on an already installed system (for example to - perform another installation to an image file using the –image - anaconda option), the system is not prohibited to modify the SELinux types and attributes during - installation. As a consequence, certain elements of SELinux policy might change on the system - where Anaconda is running. -

-
-

- To work around this problem, do not run Anaconda on the production system. Instead, run Anaconda in - a temporary virtual machine to keep the SELinux policy unchanged on a production system. Running - anaconda as part of the system installation process such as installing from boot.iso or dvd.iso is not affected by this - issue. -

-

- Bugzilla:2050140 -

-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installation program or use the authselect Kickstart command during - installation. -

-

- Bugzilla:1640697[1] -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- Bugzilla:1697896[1] -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- Jira:RHEL-4707 -

-
-

Network access is not enabled by default in the installation - program

-

- Several installation features require network access, for example, registration of a system - using the Content Delivery Network (CDN), NTP server support, and network installation sources. - However, network access is not enabled by default, and as a result, these features cannot be - used until network access is enabled. -

-
-

- To work around this problem, add ip=dhcp to boot options to enable - network access when the installation starts. Optionally, passing a Kickstart file or a repository - located on the network using boot options also resolves the problem. As a result, the network-based - installation features can be used. -

-

- Bugzilla:1757877[1] -

-
-

Hard drive partitioned installations with iso9660 filesystem fails -

-

- You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that - is set to ignore any hard disk containing a iso9660 file system - partition. This happens even when RHEL is installed without using a DVD. -

-
-

- To workaround this problem, add the following script in the Kickstart file to format the disc before - the installation starts. -

-

- Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk. -

-
%pre
-wipefs -a /dev/sda
-%end
-

- As a result, installations work as expected without any errors. -

-

- Jira:RHEL-4711 -

-
-

IBM Power systems with HASH MMU mode fail to - boot with memory allocation failures

-

- IBM Power Systems with HASH memory allocation unit (MMU) mode - support kdump up to a maximum of 192 cores. Consequently, the - system fails to boot with memory allocation failures if kdump is - enabled on more than 192 cores. This limitation is due to RMA memory allocations during early - boot in HASH MMU mode. To work around this problem, use the Radix MMU mode with fadump enabled - instead of using kdump. -

-
-

- Bugzilla:2028361[1] -

-
-

RHEL for Edge installer image fails to create mount points when installing - an rpm-ostree payload

-

- When deploying rpm-ostree payloads, used for example in a RHEL for - Edge installer image, the installer does not properly create some mount points for custom - partitions. As a consequence, the installation is aborted with the following error: -

-
-
The command 'mount --bind /mnt/sysimage/data /mnt/sysroot/data' exited with the code 32.
-

- To work around this issue: -

-
-
    -
  • - Use an automatic partitioning scheme and do not add any mount points manually. -
  • -
  • - Manually assign mount points only inside /var directory. For - example, /var/my-mount-point), and - the following standard directories: /, /boot, /var. -
  • -
-
-

- As a result, the installation process finishes successfully. -

-

- Jira:RHEL-4744 -

-
-

Images built with the stig profile remediation - fails to boot with FIPS error

-

- FIPS mode is not supported by RHEL image builder. When using RHEL image builder customized with - the xccdf_org.ssgproject.content_profile_stig profile remediation, - the system fails to boot with the following error: -

-
-
Warning: /boot//.vmlinuz-<kernel version>.x86_64.hmac does not exist
-FATAL: FIPS integrity test failed
-Refusing to continue
-

- Enabling the FIPS policy manually after the system image installation with the fips-mode-setup --enable command does not work, because the /boot directory is on a different partition. System boots successfully if - FIPS is disabled. Currently, there is no workaround available. -

-
-
Note
-
-

- You can manually enable FIPS after installing the image by using the fips-mode-setup --enable command. -

-
-
-

- Jira:RHEL-4649 -

-
-
-
-
-
-

11.2. Security

-
-
-
-
-

sshd -T provides inaccurate information about - Ciphers, MACs and KeX algorithms

-

- The output of the sshd -T command does not contain the system-wide - crypto policy configuration or other options that could come from an environment file in /etc/sysconfig/sshd and that are applied as arguments on the sshd command. This occurs because the upstream OpenSSH project did - not support the Include directive to support Red-Hat-provided cryptographic defaults in RHEL 8. - Crypto policies are applied as command-line arguments to the sshd - executable in the sshd.service unit during the service’s start by - using an EnvironmentFile. To work around the problem, use the source command with the environment file and pass the crypto policy - as an argument to the sshd command, as in sshd -T $CRYPTO_POLICY. For additional information, see Ciphers, MACs or KeX - algorithms differ from sshd -T to what is provided by current - crypto policy level. As a result, the output from sshd -T - matches the currently configured crypto policy. -

-
-

- Bugzilla:2044354[1] -

-
-

RHV hypervisor may not work correctly when hardening the system during - installation

-

- When installing Red Hat Virtualization Hypervisor (RHV-H) and applying the Red Hat Enterprise - Linux 8 STIG profile, OSCAP Anaconda Add-on may harden the system as RHEL instead of RVH-H and - remove essential packages for RHV-H. Consequently, the RHV hypervisor may not work. To work - around the problem, install the RHV-H system without applying any profile hardening, and after - the installation is complete, apply the profile by using OpenSCAP. As a result, the RHV - hypervisor works correctly. -

-
-

- Jira:RHEL-1826 -

-
-

CVE OVAL feeds are now only in the compressed format, and data streams are - not in the SCAP 1.3 standard

-

- Red Hat provides CVE OVAL feeds in the bzip2-compressed format and are no longer available in - the XML file format. Because referencing compressed content is not standardized in the Security - Content Automation Protocol (SCAP) 1.3 specification, third-party SCAP scanners can have - problems scanning rules that use the feed. -

-
-

- Bugzilla:2028428 -

-
-

Certain Rsyslog priority strings do not work correctly

-

- Support for the GnuTLS priority string for imtcp that allows - fine-grained control over encryption is not complete. Consequently, the following priority - strings do not work properly in the Rsyslog remote logging application: -

-
-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+DHE-RSA:+AES-256-GCM:+SIGN-RSA-SHA384:+COMP-ALL:+GROUP-ALL
-

- To work around this problem, use only correctly working priority strings: -

-
NONE:+VERS-ALL:-VERS-TLS1.3:+MAC-ALL:+ECDHE-RSA:+AES-128-CBC:+SIGN-RSA-SHA1:+COMP-ALL:+GROUP-ALL
-

- As a result, current configurations must be limited to the strings that work correctly. -

-

- Bugzilla:1679512 -

-
-

Server with GUI and Workstation installations are not possible with CIS Server - profiles

-

- The CIS Server Level 1 and Level 2 security profiles are not compatible with the Server with GUI and Workstation software - selections. As a consequence, a RHEL 8 installation with the Server with GUI software selection and CIS Server profiles is not - possible. An attempted installation using the CIS Server Level 1 or Level 2 profiles and either - of these software selections will generate the error message: -

-
-
package xorg-x11-server-common has been added to the list of excluded packages, but it can't be removed from the current software selection without breaking the installation.
-

- If you need to align systems with the Server with GUI or Workstation software selections according to CIS benchmarks, use the CIS - Workstation Level 1 or Level 2 profiles instead. -

-

- Bugzilla:1843932 -

-
-

Kickstart uses org_fedora_oscap instead of - com_redhat_oscap in RHEL 8

-

- The Kickstart references the Open Security Content Automation Protocol (OSCAP) Anaconda add-on - as org_fedora_oscap instead of com_redhat_oscap, which might cause confusion. This is necessary to - keep compatibility with Red Hat Enterprise Linux 7. -

-
-

- Bugzilla:1665082[1] -

-
-

libvirt overrides xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding -

-

- The libvirt virtualization framework enables IPv4 forwarding - whenever a virtual network with a forward mode of route or nat is started. This overrides the configuration by the xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding - rule, and subsequent compliance scans report the fail result when - assessing this rule. -

-
-

- Apply one of these scenarios to work around the problem: -

-
-
    -
  • - Uninstall the libvirt packages if your scenario does not - require them. -
  • -
  • - Change the forwarding mode of virtual networks created by libvirt. -
  • -
  • - Remove the xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding - rule by tailoring your profile. -
  • -
-
-

- Bugzilla:2118758 -

-
-

The fapolicyd utility incorrectly allows - executing changed files

-

- Correctly, the IMA hash of a file should update after any change to the file, and fapolicyd should prevent execution of the changed file. However, this - does not happen due to differences in IMA policy setup and in file hashing by the evctml utility. As a result, the IMA hash is not updated in the - extended attribute of a changed file. Consequently, fapolicyd - incorrectly allows the execution of the changed file. -

-
-

- Jira:RHEL-520[1] -

-
-

OpenSSL in FIPS mode accepts only specific D-H parameters

-

- In FIPS mode, TLS clients that use OpenSSL return a bad dh value - error and abort TLS connections to servers that use manually generated parameters. This is - because OpenSSL, when configured to work in compliance with FIPS 140-2, works only with - Diffie-Hellman parameters compliant to NIST SP 800-56A rev3 Appendix D (groups 14, 15, 16, 17, - and 18 defined in RFC 3526 and with groups defined in RFC 7919). Also, servers that use OpenSSL - ignore all other parameters and instead select known parameters of similar size. To work around - this problem, use only the compliant groups. -

-
-

- Bugzilla:1810911[1] -

-
-

crypto-policies incorrectly allow Camellia - ciphers

-

- The RHEL 8 system-wide cryptographic policies should disable Camellia ciphers in all policy - levels, as stated in the product documentation. However, the Kerberos protocol enables the - ciphers by default. -

-
-

- To work around the problem, apply the NO-CAMELLIA subpolicy: -

-
# update-crypto-policies --set DEFAULT:NO-CAMELLIA
-

- In the previous command, replace DEFAULT with the cryptographic level - name if you have switched from DEFAULT previously. -

-

- As a result, Camellia ciphers are correctly disallowed across all applications that use system-wide - crypto policies only when you disable them through the workaround. -

-

- Bugzilla:1919155 -

-
-

OpenSC might not detect CardOS V5.3 card objects correctly

-

- The OpenSC toolkit does not correctly read cache from different PKCS #15 file offsets used in - some CardOS V5.3 cards. Consequently, OpenSC might not be able to list card objects and prevent - using them from different applications. -

-
-

- To work around the problem, turn off file caching by setting the use_file_caching = false option in the /etc/opensc.conf file. -

-

- Jira:RHEL-4077 -

-
-

Smart-card provisioning process through OpenSC pkcs15-init does not work properly

-

- The file_caching option is enabled in the default OpenSC - configuration, and the file caching functionality does not handle some commands from the pkcs15-init tool properly. Consequently, the smart-card provisioning - process through OpenSC fails. -

-
-

- To work around the problem, add the following snippet to the /etc/opensc.conf file: -

-
app pkcs15-init {
-        framework pkcs15 {
-                use_file_caching = false;
-        }
-}
-

- The smart-card provisioning through pkcs15-init only works if you apply - the previously described workaround. -

-

- Bugzilla:1947025 -

-
-

Connections to servers with SHA-1 signatures do not work with - GnuTLS

-

- SHA-1 signatures in certificates are rejected by the GnuTLS secure communications library as - insecure. Consequently, applications that use GnuTLS as a TLS backend cannot establish a TLS - connection to peers that offer such certificates. This behavior is inconsistent with other - system cryptographic libraries. -

-
-

- To work around this problem, upgrade the server to use certificates signed with SHA-256 or stronger - hash, or switch to the LEGACY policy. -

-

- Bugzilla:1628553[1] -

-
-

libselinux-python is available only through - its module

-

- The libselinux-python package contains only Python 2 bindings for - developing SELinux applications and it is used for backward compatibility. For this reason, - libselinux-python is no longer available in the default RHEL 8 - repositories through the yum install libselinux-python command. -

-
-

- To work around this problem, enable both the libselinux-python and - python27 modules, and install the libselinux-python package and its dependencies with the following - commands: -

-
# yum module enable libselinux-python
-# yum install libselinux-python
-

- Alternatively, install libselinux-python using its install profile with - a single command: -

-
# yum module install libselinux-python:2.8/common
-

- As a result, you can install libselinux-python using the respective - module. -

-

- Bugzilla:1666328[1] -

-
-

udica processes UBI 8 containers only when - started with --env container=podman

-

- The Red Hat Universal Base Image 8 (UBI 8) containers set the container environment variable to the oci value instead of the podman value. - This prevents the udica tool from analyzing a container JavaScript - Object Notation (JSON) file. -

-
-

- To work around this problem, start a UBI 8 container using a podman - command with the --env container=podman parameter. As a result, udica can generate an SELinux policy for a UBI 8 container only when you - use the described workaround. -

-

- Bugzilla:1763210 -

-
-

Negative effects of the default logging setup on performance

-

- The default logging environment setup might consume 4 GB of memory or even more and adjustments - of rate-limit values are complex when systemd-journald is running - with rsyslog. -

-
-

- See the Negative effects of the - RHEL default logging setup on performance and their mitigations Knowledgebase article for - more information. -

-

- Jira:RHELPLAN-10431[1] -

-
-

SELINUX=disabled in /etc/selinux/config does not work properly

-

- Disabling SELinux using the SELINUX=disabled option in the /etc/selinux/config results in a process in which the kernel boots - with SELinux enabled and switches to disabled mode later in the boot process. This might cause - memory leaks. -

-
-

- To work around this problem, disable SELinux by adding the selinux=0 - parameter to the kernel command line as described in the Changing - SELinux modes at boot time section of the Using - SELinux title if your scenario really requires to completely disable SELinux. -

-

- Jira:RHELPLAN-34199[1] -

-
-

IKE over TCP connections do not work on custom TCP ports

-

- The tcp-remoteport Libreswan configuration option does not work - properly. Consequently, an IKE over TCP connection cannot be established when a scenario - requires specifying a non-default TCP port. -

-
-

- Bugzilla:1989050 -

-
-

scap-security-guide cannot configure - termination of idle sessions

-

- Even though the sshd_set_idle_timeout rule still exists in the data - stream, the former method for idle session timeout of configuring sshd is no longer available. Therefore, the rule is marked as not applicable and cannot harden anything. Other methods for - configuring idle session termination, such as systemd (Logind), are - also not available. As a consequence, scap-security-guide cannot - configure the system to reliably disconnect idle sessions after a certain amount of time. -

-
-

- You can work around this problem in one of the following ways, which might fulfill the security - requirement: -

-
-
    -
  • - Configuring the accounts_tmout rule. However, this variable - could be overridden by using the exec command. -
  • -
  • - Configuring the configure_tmux_lock_after_time and configure_bashrc_exec_tmux rules. This requires installing the - tmux package. -
  • -
  • - Upgrading to RHEL 8.7 or later where the systemd feature is - already implemented together with the proper SCAP rule. -
  • -
-
-

- Jira:RHEL-1804 -

-
-

The OSCAP Anaconda add-on does not fetch tailored profiles in the graphical - installation

-

- The OSCAP Anaconda add-on does not provide an option to select or deselect tailoring of security - profiles in the RHEL graphical installation. Starting from RHEL 8.8, the add-on does not take - tailoring into account by default when installing from archives or RPM packages. Consequently, - the installation displays the following error message instead of fetching an OSCAP tailored - profile: -

-
-
There was an unexpected problem with the supplied content.
-

- To work around this problem, you must specify paths in the %addon org_fedora_oscap section of your Kickstart file, for example: -

-
xccdf-path = /usr/share/xml/scap/sc_tailoring/ds-combined.xml
-tailoring-path = /usr/share/xml/scap/sc_tailoring/tailoring-xccdf.xml
-

- As a result, you can use the graphical installation for OSCAP tailored profiles only with the - corresponding Kickstart specifications. -

-

- Jira:RHEL-1810 -

-
-

OpenSCAP memory-consumption problems

-

- On systems with limited memory, the OpenSCAP scanner might stop prematurely or it might not - generate the results files. To work around this problem, you can customize the scanning profile - to deselect rules that involve recursion over the entire / file - system: -

-
-
-
    -
  • - rpm_verify_hashes -
  • -
  • - rpm_verify_permissions -
  • -
  • - rpm_verify_ownership -
  • -
  • - file_permissions_unauthorized_world_writable -
  • -
  • - no_files_unowned_by_user -
  • -
  • - dir_perms_world_writable_system_owned -
  • -
  • - file_permissions_unauthorized_suid -
  • -
  • - file_permissions_unauthorized_sgid -
  • -
  • - file_permissions_ungroupowned -
  • -
  • - dir_perms_world_writable_sticky_bits -
  • -
-
-

- For more details and more workarounds, see the related Knowledgebase article. -

-

- Bugzilla:2161499 -

-
-

Rebuilding the rpm database assigns incorrect - SELinux labeling

-

- Rebuilding the rpm database with the rpmdb --rebuilddb command assigns incorrect SELinux labels to the - rpm database files. As a consequence, some services that use the - rpm database might not work correctly. To work around this problem - after rebuilding the database, relabel the database by using the restorecon -Rv /var/lib/rpm command. -

-
-

- Bugzilla:2166153 -

-
-

ANSSI BP28 HP SCAP rules for Audit are incorrectly used on the 64-bit ARM - architecture

-

- The ANSSI BP28 High profile in the SCAP Security Guide (SSG) contains the following security - content automation protocol (SCAP) rules that configure the Linux Audit subsystem but are - invalid on the 64-bit ARM architecture: -

-
-
-
    -
  • - audit_rules_unsuccessful_file_modification_creat -
  • -
  • - audit_rules_unsuccessful_file_modification_open -
  • -
  • - audit_rules_file_deletion_events_rename -
  • -
  • - audit_rules_file_deletion_events_rmdir -
  • -
  • - audit_rules_file_deletion_events_unlink -
  • -
  • - audit_rules_dac_modification_chmod -
  • -
  • - audit_rules_dac_modification_chown -
  • -
  • - audit_rules_dac_modification_lchown -
  • -
-
-

- If you configure your RHEL system running on a 64-bit ARM machine by using this profile, the Audit - daemon does not start due to the use of invalid system calls. -

-

- To work around the problem, either use profile tailoring to remove the previously mentioned rules - from the data stream or remove the -S <syscall> snippets by - editing files in the /etc/audit/rules.d directory. The files must not - contain the following system calls: -

-
-
    -
  • - creat -
  • -
  • - open -
  • -
  • - rename -
  • -
  • - rmdir -
  • -
  • - unlink -
  • -
  • - chmod -
  • -
  • - chown -
  • -
  • - lchown -
  • -
-
-

- As a result of any of the two described workarounds, the Audit daemon can start even after you use - the ANSSI BP28 High profile on a 64-bit ARM system. -

-

- Jira:RHEL-1897 -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service - enable or disable state remediation is - not needed. Consequently, OpenSCAP might set the services on the installed system to a - non-compliant state. As a workaround, you can scan and remediate the system after the kickstart - installation. This will fix the service-related issues. -

-
-

- Bugzilla:1834716 -

-
-
-
-
-
-

11.3. Subscription management

-
-
-
-
-

syspurpose addons have no effect on the subscription-manager attach --auto output

-

- In Red Hat Enterprise Linux 8, four attributes of the syspurpose - command-line tool have been added: role,usage, service_level_agreement and addons. Currently, only role, usage and service_level_agreement affect - the output of running the subscription-manager attach --auto - command. Users who attempt to set values to the addons argument - will not observe any effect on the subscriptions that are auto-attached. -

-
-

- Bugzilla:1687900 -

-
-
-
-
-
-

11.4. Software management

-
-
-
-
-

cr_compress_file_with_stat() can cause a - memory leak

-

- The createrepo_c C library has the API cr_compress_file_with_stat() function. This function is declared with - char **dst as a second parameter. Depending on its other - parameters, cr_compress_file_with_stat() either uses dst as an input parameter, or uses it to return an allocated string. - This unpredictable behavior can cause a memory leak, because it does not inform the user when to - free dst contents. -

-
-

- To work around this problem, a new API cr_compress_file_with_stat_v2 - function has been added, which uses the dst parameter only as an input. - It is declared as char *dst. This prevents memory leak. -

-

- Note that the cr_compress_file_with_stat_v2 function is temporary and - will be present only in RHEL 8. Later, cr_compress_file_with_stat() - will be fixed instead. -

-

- Bugzilla:1973588[1] -

-
-

YUM transactions reported as successful when a scriptlet fails

-

- Since RPM version 4.6, post-install scriptlets are allowed to fail without being fatal to the - transaction. This behavior propagates up to YUM as well. This results in scriptlets which might - occasionally fail while the overall package transaction reports as successful. -

-
-

- There is no workaround available at the moment. -

-

- Note that this is expected behavior that remains consistent between RPM and YUM. Any issues in - scriptlets should be addressed at the package level. -

-

- Bugzilla:1986657 -

-
-
-
-
-
-

11.5. Shells and command-line tools

-
-
-
-
-

ipmitool is incompatible with certain server - platforms

-

- The ipmitool utility serves for monitoring, configuring, and - managing devices that support the Intelligent Platform Management Interface (IPMI). The current - version of ipmitool uses Cipher Suite 17 by default instead of the - previous Cipher Suite 3. Consequently, ipmitool fails to - communicate with certain bare metal nodes that announced support for Cipher Suite 17 during - negotiation, but do not actually support this cipher suite. As a result, ipmitool aborts with the no matching cipher suite error message. -

-
-

- For more details, see the related Knowledgebase article. -

-

- To solve this problem, update your baseboard management controller (BMC) firmware to use the Cipher - Suite 17. -

-

- Optionally, if the BMC firmware update is not available, you can work around this problem by forcing - ipmitool to use a certain cipher suite. When invoking a managing task - with ipmitool, add the -C option to the - ipmitool command together with the number of the cipher suite you want to use. See the following - example: -

-
# ipmitool -I lanplus -H myserver.example.com -P mypass -C 3 chassis power status
-

- Jira:RHEL-6846 -

-
-

ReaR fails to recreate a volume group when you do not use clean disks for - restoring

-

- ReaR fails to perform recovery when you want to restore to disks that contain existing data. -

-
-

- To work around this problem, wipe the disks manually before restoring to them if they have been - previously used. To wipe the disks in the rescue environment, use one of the following commands - before running the rear recover command: -

-
-
    -
  • - The dd command to overwrite the disks. -
  • -
  • - The wipefs command with the -a - flag to erase all available metadata. -
  • -
-
-

- See the following example of wiping metadata from the /dev/sda disk: -

-
# wipefs -a /dev/sda[1-9] /dev/sda
-

- This command wipes the metadata from the partitions on /dev/sda first, - and then the partition table itself. -

-

- Bugzilla:1925531 -

-
-

coreutils might report misleading EPERM error - codes

-

- GNU Core Utilities (coreutils) started using the statx() system call. If a seccomp filter - returns an EPERM error code for unknown system calls, coreutils - might consequently report misleading EPERM error codes because EPERM can not be distinguished - from the actual Operation not permitted error returned by - a working statx() syscall. -

-
-

- To work around this problem, update the seccomp filter to either permit - the statx() syscall, or to return an ENOSYS error code for syscalls it - does not know. -

-

- Bugzilla:2030661 -

-
-

The %vmeff metric from the sysstat package displays incorrect values

-

- The sysstat package provides the %vmeff metric to measure the page reclaim efficiency. The values of - the %vmeff column returned by the sar -B command are incorrect because sysstat does not parse all relevant /proc/vmstat values provided by later kernel versions. To work around - this problem, you can calculate the %vmeff value manually from the - /proc/vmstat file. For details, see Why the sar(1) tool reports %vmeff values - beyond 100 % in RHEL 8 and RHEL 9? -

-
-

- Jira:RHEL-12008 -

-
-
-
-
-
-

11.6. Infrastructure services

-
-
-
-
-

Postfix TLS fingerprint algorithm in the FIPS mode needs to be changed to - SHA-256

-

- By default in RHEL 8, postfix uses MD5 fingerprints with the TLS - for backward compatibility. But in the FIPS mode, the MD5 hashing function is not available, - which may cause TLS to incorrectly function in the default postfix configuration. To work around - this problem, the hashing function needs to be changed to SHA-256 in the postfix configuration - file. -

-
-

- For more details, see the related Knowledgebase article Fix postfix TLS in the FIPS mode by switching - to SHA-256 instead of MD5. -

-

- Bugzilla:1711885 -

-
-

The brltty package is not multilib - compatible

-

- It is not possible to have both 32-bit and 64-bit versions of the brltty package installed. You can either install the 32-bit (brltty.i686) or the 64-bit (brltty.x86_64) version of the package. The 64-bit version is - recommended. -

-
-

- Bugzilla:2008197 -

-
-
-
-
-
-

11.7. Networking

-
-
-
-
-

RoCE interfaces lose their IP settings due to an unexpected change of the - network interface name

-

- The RDMA over Converged Ethernet (RoCE) interfaces lose their IP settings due to an unexpected - change of the network interface name if both conditions are met: -

-
-
-
    -
  • - User upgrades from a RHEL 8.6 system or earlier. -
  • -
  • - The RoCE card is enumerated by UID. -
  • -
-
-

- To work around this problem: -

-
-
    -
  1. -

    - Create the /etc/systemd/network/98-rhel87-s390x.link file - with the following content: -

    -
    [Match]
    -Architecture=s390x
    -KernelCommandLine=!net.naming-scheme=rhel-8.7
    -
    -[Link]
    -NamePolicy=kernel database slot path
    -AlternativeNamesPolicy=database slot path
    -MACAddressPolicy=persistent
    -
  2. -
  3. - Reboot the system for the changes to take effect. -
  4. -
  5. - Upgrade to RHEL 8.7 or newer. -
  6. -
-
-

- Note that RoCE interfaces that are enumerated by function ID (FID) and are non-unique, will still - use unpredictable interface names unless you set the net.naming-scheme=rhel-8.7 kernel parameter. In this case, the RoCE - interfaces will switch to predictable names with the ens prefix. -

-

- Jira:RHEL-11398[1] -

-
-

Systems with the IPv6_rpfilter option enabled - experience low network throughput

-

- Systems with the IPv6_rpfilter option enabled in the firewalld.conf file currently experience suboptimal performance and - low network throughput in high traffic scenarios, such as 100 Gbps links. To work around the - problem, disable the IPv6_rpfilter option. To do so, add the - following line in the /etc/firewalld/firewalld.conf file. -

-
-
IPv6_rpfilter=no
-

- As a result, the system performs better, but also has reduced security. -

-

- Bugzilla:1871860[1] -

-
-
-
-
-
-

11.8. Kernel

-
-
-
-
-

The kernel ACPI driver reports it has no access to a PCIe ECAM memory - region

-

- The Advanced Configuration and Power Interface (ACPI) table provided by firmware does not define - a memory region on the PCI bus in the Current Resource Settings (_CRS) method for the PCI bus - device. Consequently, the following warning message occurs during the system boot: -

-
-
[    2.817152] acpi PNP0A08:00: [Firmware Bug]: ECAM area [mem 0x30000000-0x31ffffff] not reserved in ACPI namespace
-[    2.827911] acpi PNP0A08:00: ECAM at [mem 0x30000000-0x31ffffff] for [bus 00-1f]
-

- However, the kernel is still able to access the 0x30000000-0x31ffffff - memory region, and can assign that memory region to the PCI Enhanced Configuration Access Mechanism - (ECAM) properly. You can verify that PCI ECAM works correctly by accessing the PCIe configuration - space over the 256 byte offset with the following output: -

-
03:00.0 Non-Volatile memory controller: Sandisk Corp WD Black 2018/PC SN720 NVMe SSD (prog-if 02 [NVM Express])
- ...
-        Capabilities: [900 v1] L1 PM Substates
-                L1SubCap: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2+ ASPM_L1.1- L1_PM_Substates+
-                          PortCommonModeRestoreTime=255us PortTPowerOnTime=10us
-                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
-                           T_CommonMode=0us LTR1.2_Threshold=0ns
-                L1SubCtl2: T_PwrOn=10us
-

- As a result, you can ignore the warning message. -

-

- For more information about the problem, see the "Firmware Bug: ECAM area mem 0x30000000-0x31ffffff not reserved in ACPI namespace" appears - during system boot solution. -

-

- Bugzilla:1868526[1] -

-
-

The tuned-adm profile powersave command causes - the system to become unresponsive

-

- Executing the tuned-adm profile powersave command leads to an - unresponsive state of the Penguin Valkyrie 2000 2-socket systems with the older Thunderx - (CN88xx) processors. Consequently, reboot the system to resume working. To work around this - problem, avoid using the powersave profile if your system matches - the mentioned specifications. -

-
-

- Bugzilla:1609288[1] -

-
-

The HP NMI watchdog does not always generate a crash dump

-

- In certain cases, the hpwdt driver for the HP NMI watchdog is not - able to claim a non-maskable interrupt (NMI) generated by the HPE watchdog timer because the NMI - was instead consumed by the perfmon driver. -

-
-

- The missing NMI is initiated by one of two conditions: -

-
-
    -
  1. - The Generate NMI button on the - Integrated Lights-Out (iLO) server management software. This button is triggered by a user. -
  2. -
  3. - The hpwdt watchdog. The expiration by default sends an NMI to - the server. -
  4. -
-
-

- Both sequences typically occur when the system is unresponsive. Under normal circumstances, the NMI - handler for both these situations calls the kernel panic() function and - if configured, the kdump service generates a vmcore file. -

-

- Because of the missing NMI, however, kernel panic() is not called and - vmcore is not collected. -

-

- In the first case (1.), if the system was unresponsive, it remains so. To work around this scenario, - use the virtual Power button to reset or power - cycle the server. -

-

- In the second case (2.), the missing NMI is followed 9 seconds later by a reset from the Automated - System Recovery (ASR). -

-

- The HPE Gen9 Server line experiences this problem in single-digit percentages. The Gen10 at an even - smaller frequency. -

-

- Bugzilla:1602962[1] -

-
-

Reloading an identical crash extension may cause segmentation - faults

-

- When you load a copy of an already loaded crash extension file, it might trigger a segmentation - fault. Currently, the crash utility detects if an original file has been loaded. Consequently, - due to two identical files co-existing in the crash utility, a namespace collision occurs, which - triggers the crash utility to cause a segmentation fault. -

-
-

- You can work around the problem by loading the crash extension file only once. As a result, - segmentation faults no longer occur in the described scenario. -

-

- Bugzilla:1906482 -

-
-

Connections fail when attaching a virtual function to virtual - machine

-

- Pensando network cards that use the ionic device driver silently - accept VLAN tag configuration requests and attempt configuring network connections while - attaching network virtual functions (VF) to a virtual machine - (VM). Such network connections fail as this feature is not yet - supported by the card’s firmware. -

-
-

- Bugzilla:1930576[1] -

-
-

The OPEN MPI library may trigger run-time failures with default - PML

-

- In OPEN Message Passing Interface (OPEN MPI) implementation 4.0.x series, Unified Communication - X (UCX) is the default point-to-point communicator (PML). The later versions of OPEN MPI 4.0.x - series deprecated openib Byte Transfer Layer (BTL). -

-
-

- However, OPEN MPI, when run over a homogeneous - cluster (same hardware and software configuration), UCX still uses openib BTL for MPI one-sided operations. As a consequence, this may - trigger execution errors. To work around this problem: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca btl openib -mca pml ucx -x UCX_NET_DEVICES=mlx5_ib0
-

- where, -

-
-
    -
  • - The -mca btl openib parameter disables openib BTL -
  • -
  • - The -mca pml ucx parameter configures OPEN MPI to use ucx PML. -
  • -
  • - The x UCX_NET_DEVICES= parameter restricts UCX to use the - specified devices -
  • -
-
-

- The OPEN MPI, when run over a heterogeneous - cluster (different hardware and software configuration), it uses UCX as the default PML. As a - consequence, this may cause the OPEN MPI jobs to run with erratic performance, unresponsive - behavior, or crash failures. To work around this problem, set the UCX priority as: -

-
-
    -
  • - Run the mpirun command using following parameters: -
  • -
-
-
-mca pml_ucx_priority 5
-

- As a result, the OPEN MPI library is able to choose an alternative available transport layer over - UCX. -

-

- Bugzilla:1866402[1] -

-
-

vmcore capture fails after memory hot-plug or unplug operation

-

- After performing the memory hot-plug or hot-unplug operation, the event comes after updating the - device tree which contains memory layout information. Thereby the makedumpfile utility tries to access a non-existent physical address. - The problem appears if all of the following conditions meet: -

-
-
-
    -
  • - A little-endian variant of IBM Power System runs RHEL 8. -
  • -
  • - The kdump or fadump service is - enabled on the system. -
  • -
-
-

- Consequently, the capture kernel fails to save vmcore if a kernel crash - is triggered after the memory hot-plug or hot-unplug operation. -

-

- To work around this problem, restart the kdump service after hot-plug - or hot-unplug: -

-
# systemctl restart kdump.service
-

- As a result, vmcore is successfully saved in the described scenario. -

-

- Bugzilla:1793389[1] -

-
-

Using irqpoll causes vmcore generation failure

-

- Due to an existing problem with the nvme driver on the 64-bit ARM - architecture that run on the Amazon Web Services Graviton 1 processor, causes vmcore generation to fail when you provide the irqpoll kernel command line parameter to the first kernel. - Consequently, no vmcore file is dumped in the /var/crash/ directory upon a kernel crash. To work around this - problem: -

-
-
-
    -
  1. -

    - Append irqpoll to KDUMP_COMMANDLINE_REMOVE variable in the /etc/sysconfig/kdump file. -

    -
    # KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug quiet log_buf_len swiotlb"
    -
  2. -
  3. -

    - Remove irqpoll from KDUMP_COMMANDLINE_APPEND variable in the /etc/sysconfig/kdump file. -

    -
    # KDUMP_COMMANDLINE_APPEND="irqpoll nr_cpus=1 reset_devices cgroup_disable=memory udev.children-max=2 panic=10 swiotlb=noforce novmcoredd"
    -
  4. -
  5. -

    - Restart the kdump service: -

    -
    # systemctl restart kdump
    -
  6. -
-
-

- As a result, the first kernel boots correctly and the vmcore file is - expected to be captured upon the kernel crash. -

-

- Note that the Amazon Web Services Graviton 2 and Amazon Web Services Graviton 3 processors do not - require you to manually remove the irqpoll parameter in the /etc/sysconfig/kdump file. -

-

- The kdump service can use a significant amount of crash kernel memory - to dump the vmcore file. Ensure that the capture kernel has sufficient - memory available for the kdump service. -

-

- For related information on this Known Issue, see The irqpoll kernel command line parameter - might cause vmcore generation failure article. -

-

- Bugzilla:1654962[1] -

-
-

Hardware certification of the real-time kernel on systems with large - core-counts might require passing the skew-tick=1 boot - parameter

-

- Large or moderate sized systems with numerous sockets and large core-counts can experience - latency spikes due to lock contentions on xtime_lock, which is used - in the timekeeping system. As a consequence, latency spikes and delays in hardware - certifications might occur on multiprocessing systems. As a workaround, you can offset the timer - tick per CPU to start at a different time by adding the skew_tick=1 - boot parameter. -

-
-

- To avoid lock conflicts, enable skew_tick=1: -

-
-
    -
  1. -

    - Enable the skew_tick=1 parameter with grubby. -

    -
    # grubby --update-kernel=ALL --args="skew_tick=1"
    -
  2. -
  3. - Reboot for changes to take effect. -
  4. -
  5. -

    - Verify the new settings by displaying the kernel parameters you pass during boot. -

    -
    cat /proc/cmdline
    -
  6. -
-
-

- Note that enabling skew_tick=1 causes a significant increase in power - consumption and, therefore, it must be enabled only if you are running latency sensitive real-time - workloads. -

-

- Jira:RHEL-9318[1] -

-
-

Debug kernel fails to boot in crash capture environment on RHEL 8 -

-

- Due to the memory-intensive nature of the debug kernel, a problem occurs when the debug kernel - is in use and a kernel panic is triggered. As a consequence, the debug kernel is not able to - boot as the capture kernel and a stack trace is generated instead. To work around this problem, - increase the crash kernel memory as required. As a result, the debug kernel boots successfully - in the crash capture environment. -

-
-

- Bugzilla:1659609[1] -

-
-

Allocating crash kernel memory fails at boot time

-

- On some Ampere Altra systems, allocating the crash kernel memory during boot fails when the - 32-bit region is disabled in BIOS settings. Consequently, the kdump - service fails to start. This is caused by memory fragmentation in the region below 4 GB with no - fragment being large enough to contain the crash kernel memory. -

-
-

- To work around this problem, enable the 32-bit memory region in BIOS as follows: -

-
-
    -
  1. - Open the BIOS settings on your system. -
  2. -
  3. - Open the Chipset menu. -
  4. -
  5. - Under Memory Configuration, enable the - Slave 32-bit option. -
  6. -
-
-

- As a result, crash kernel memory allocation within the 32-bit region succeeds and the kdump service works as expected. -

-

- Bugzilla:1940674[1] -

-
-

The QAT manager leaves no spare device for LKCF

-

- The Intel® QuickAssist Technology (QAT) manager (qatmgr) is a user - space process, which by default uses all QAT devices in the system. As a consequence, there are - no QAT devices left for the Linux Kernel Cryptographic Framework (LKCF). There is no need to - work around this situation, as this behavior is expected and a majority of users will use - acceleration from the user space. -

-
-

- Bugzilla:1920086[1] -

-
-

The Solarflare fails to create maximum number of virtual functions - (VFs)

-

- The Solarflare NICs fail to create a maximum number of VFs due to insufficient resources. You - can check the maximum number of VFs that a PCIe device can create in the /sys/bus/pci/devices/PCI_ID/sriov_totalvfs file. To workaround this - problem, you can either adjust the number of VFs or the VF MSI interrupt value to a lower value, - either from Solarflare Boot Manager on startup, or using Solarflare - sfboot utility. The default VF MSI interrupt value is 8. -

-
-
-
    -
  • - To adjust the VF MSI interrupt value using sfboot: -
  • -
-
-
# sfboot vf-msix-limit=2
-
-
Note
-
-

- Adjusting VF MSI interrupt value affects the VF performance. -

-
-
-

- For more information about parameters to be adjusted accordingly, see the Solarflare Server Adapter user guide. -

-

- Bugzilla:1971506[1] -

-
-

Using page_poison=1 can cause a kernel - crash

-

- When using page_poison=1 as the kernel parameter on firmware with - faulty EFI implementation, the operating system can cause the kernel to crash. By default, this - option is disabled and it is not recommended to enable it, especially in production systems. -

-
-

- Bugzilla:2050411[1] -

-
-

The iwl7260-firmware breaks Wi-Fi on Intel - Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1 Gen 4

-

- After updating the iwl7260-firmware or iwl7260-wifi driver to the version provided by RHEL 8.7 and later, - the hardware gets into an incorrect internal state. reports its state incorrectly. Consequently, - Intel Wifi 6 cards may not work and display the error message: -

-
-
kernel: iwlwifi 0000:09:00.0: Failed to start RT ucode: -110
-kernel: iwlwifi 0000:09:00.0: WRT: Collecting data: ini trigger 13 fired (delay=0ms)
-kernel: iwlwifi 0000:09:00.0: Failed to run INIT ucode: -110
-

- An unconfirmed work around is to power off the system and back on again. Do not reboot. -

-

- Bugzilla:2106341[1] -

-
-

Secure boot on IBM Power Systems does not support migration

-

- Currently, on IBM Power Systems, logical partition (LPAR) does not boot after successful - physical volume (PV) migration. As a result, any type of automated migration with secure boot - enabled on a partition fails. -

-
-

- Bugzilla:2126777[1] -

-
-

weak-modules from kmod fails to work with module inter-dependencies

-

- The weak-modules script provided by the kmod package determines which modules are kABI-compatible with - installed kernels. However, while checking modules' kernel compatibility, weak-modules processes modules symbol dependencies from higher to - lower release of the kernel for which they were built. As a consequence, modules with - inter-dependencies built against different kernel releases might be interpreted as - non-compatible, and therefore the weak-modules script fails to work - in this scenario. -

-
-

- To work around the problem, build or put the extra modules against the latest stock kernel before - you install the new kernel. -

-

- Bugzilla:2103605[1] -

-
-

kdump in Ampere Altra servers enters the OOM - state

-

- The firmware in Ampere Altra and Altra Max servers currently causes the kernel to allocate too - many event, interrupt and command queues, which consumes too much memory. As a consequence, the - kdump kernel enters the Out of memory (OOM) state. -

-
-

- To work around this problem, reserve extra memory for kdump by - increasing the value of the crashkernel= kernel option to 640M. -

-

- Bugzilla:2111855[1] -

-
-
-
-
-
-

11.9. File systems and storage

-
-
-
-
-

LVM mirror devices that store a LUKS volume - sometimes become unresponsive

-

- Mirrored LVM devices with a segment type of mirror that store a - LUKS volume might become unresponsive under certain conditions. The unresponsive devices reject - all I/O operations. -

-
-

- To work around the issue, Red Hat recommends that you use LVM RAID 1 devices with a segment type of - raid1 instead of mirror if you need to - stack LUKS volumes on top of resilient software-defined storage. -

-

- The raid1 segment type is the default RAID configuration type and - replaces mirror as the recommended solution. -

-

- To convert mirror devices to raid1, see Converting - a mirrored LVM device to a RAID1 device. -

-

- Bugzilla:1730502[1] -

-
-

The /boot file system cannot be placed on - LVM

-

- You cannot place the /boot file system on an LVM logical volume. - This limitation exists for the following reasons: -

-
-
-
    -
  • - On EFI systems, the EFI System Partition - conventionally serves as the /boot file system. The uEFI - standard requires a specific GPT partition type and a specific file system type for this - partition. -
  • -
  • - RHEL 8 uses the Boot Loader Specification (BLS) for - system boot entries. This specification requires that the /boot - file system is readable by the platform firmware. On EFI systems, the platform firmware can - read only the /boot configuration defined by the uEFI standard. -
  • -
  • - The support for LVM logical volumes in the GRUB 2 boot loader is incomplete. Red Hat does - not plan to improve the support because the number of use cases for the feature is - decreasing due to standards such as uEFI and BLS. -
  • -
-
-

- Red Hat does not plan to support /boot on LVM. Instead, Red Hat - provides tools for managing system snapshots and rollback that do not need the /boot file system to be placed on an LVM logical volume. -

-

- Bugzilla:1496229[1] -

-
-

LVM no longer allows creating volume groups with mixed block sizes -

-

- LVM utilities such as vgcreate or vgextend no longer allow you to create volume groups (VGs) where the - physical volumes (PVs) have different logical block sizes. LVM has adopted this change because - file systems fail to mount if you extend the underlying logical volume (LV) with a PV of a - different block size. -

-
-

- To re-enable creating VGs with mixed block sizes, set the allow_mixed_block_sizes=1 option in the lvm.conf file. -

-

- Bugzilla:1768536 -

-
-

Limitations of LVM writecache

-

- The writecache LVM caching method has the following limitations, - which are not present in the cache method: -

-
-
-
    -
  • - You cannot name a writecache logical volume when using pvmove commands. -
  • -
  • - You cannot use logical volumes with writecache in combination - with thin pools or VDO. -
  • -
-
-

- The following limitation also applies to the cache method: -

-
-
    -
  • - You cannot resize a logical volume while cache or writecache is attached to it. -
  • -
-
-

- Jira:RHELPLAN-27987[1], Bugzilla:1808012, Bugzilla:1798631 -

-
-

Device-mapper multipath is not supported when using NVMe/TCP - driver.

-

- The use of device-mapper multipath on top of NVMe/TCP devices can cause reduced performance and - error handling. To avoid this problem, use native NVMe multipath instead of DM multipath tools. - For RHEL 8, you can add the option nvme_core.multipath=Y to the - kernel command line. -

-
-

- Bugzilla:2022359[1] -

-
-

The blk-availability systemd service - deactivates complex device stacks

-

- In systemd, the default block deactivation code does not always - handle complex stacks of virtual block devices correctly. In some configurations, virtual - devices might not be removed during the shutdown, which causes error messages to be logged. To - work around this problem, deactivate complex block device stacks by executing the following - command: -

-
-
# systemctl enable --now blk-availability.service
-

- As a result, complex virtual device stacks are correctly deactivated during shutdown and do not - produce error messages. -

-

- Bugzilla:2011699[1] -

-
-

XFS quota warnings are triggered too often

-

- Using the quota timer results in quota warnings triggering too often, which causes soft quotas - to be enforced faster than they should. To work around this problem, do not use soft quotas, - which will prevent triggering warnings. As a result, the amount of warning messages will not - enforce soft quota limit anymore, respecting the configured timeout. -

-
-

- Bugzilla:2059262[1] -

-
-
-
-
-
-

11.10. Dynamic programming languages, web and database servers

-
-
-
-
-

Creating virtual Python 3.11 environments fails when using the virtualenv utility

-

- The virtualenv utility in RHEL 8, provided by the python3-virtualenv package, is not compatible with Python 3.11. An - attempt to create a virtual environment by using virtualenv will - fail with the following error message: -

-
-
$ virtualenv -p python3.11 venv3.11
-Running virtualenv with interpreter /usr/bin/python3.11
-ERROR: Virtual environments created by virtualenv < 20 are not compatible with Python 3.11.
-ERROR: Use `python3.11 -m venv` instead.
-

- To create Python 3.11 virtual environments, use the python3.11 -m venv - command instead, which uses the venv module from the standard library. -

-

- Bugzilla:2165702 -

-
-

python3.11-lxml does not provide the lxml.isoschematron submodule

-

- The python3.11-lxml package is distributed without the lxml.isoschematron submodule because it is not under an open source - license. The submodule implements ISO Schematron support. As an alternative, pre-ISO-Schematron - validation is available in the lxml.etree.Schematron class. The - remaining content of the python3.11-lxml package is unaffected. -

-
-

- Bugzilla:2157673 -

-
-

PAM plug-in version 1.0 does not work in MariaDB

-

- MariaDB 10.3 provides the Pluggable Authentication Modules (PAM) - plug-in version 1.0. MariaDB 10.5 provides the plug-in versions 1.0 - and 2.0, version 2.0 is the default. -

-
-

- The MariaDB PAM plug-in version 1.0 does not work in RHEL 8. To work - around this problem, use the PAM plug-in version 2.0 provided by the mariadb:10.5 module stream. -

-

- Bugzilla:1942330 -

-
-

Symbol conflicts between OpenLDAP libraries might cause crashes in httpd

-

- When both the libldap and libldap_r - libraries provided by OpenLDAP are loaded and used within a single process, symbol conflicts - between these libraries might occur. Consequently, Apache httpd - child processes using the PHP ldap extension might terminate - unexpectedly if the mod_security or mod_auth_openidc modules are also loaded by the httpd configuration. -

-
-

- Since the RHEL 8.3 update to the Apache Portable Runtime (APR) library, you can work around the - problem by setting the APR_DEEPBIND environment variable, which enables - the use of the RTLD_DEEPBIND dynamic linker option when loading httpd modules. When the APR_DEEPBIND - environment variable is enabled, crashes no longer occur in httpd - configurations that load conflicting libraries. -

-

- Bugzilla:1819607[1] -

-
-

getpwnam() might fail when called by a 32-bit - application

-

- When a user of NIS uses a 32-bit application that calls the getpwnam() function, the call fails if the nss_nis.i686 package is missing. To work around this problem, - manually install the missing package by using the yum install nss_nis.i686 command. -

-
-

- Bugzilla:1803161 -

-
-
-
-
-
-

11.11. Identity Management

-
-
-
-
-

Actions required when running Samba as a print server and updating from - RHEL 8.4 and earlier

-

- With this update, the samba package no longer creates the /var/spool/samba/ directory. If you use Samba as a print server and - use /var/spool/samba/ in the [printers] share to spool print jobs, SELinux prevents Samba users - from creating files in this directory. Consequently, print jobs fail and the auditd service logs a denied message in - /var/log/audit/audit.log. To avoid this problem after updating your - system from 8.4 and earlier: -

-
-
-
    -
  1. - Search the [printers] share in the /etc/samba/smb.conf file. -
  2. -
  3. - If the share definition contains path = /var/spool/samba/, - update the setting and set the path parameter to /var/tmp/. -
  4. -
  5. -

    - Restart the smbd service: -

    -
    # systemctl restart smbd
    -
  6. -
-
-

- If you newly installed Samba on RHEL 8.5 or later, no action is required. The default /etc/samba/smb.conf file provided by the samba-common package in this case already uses the /var/tmp/ directory to spool print jobs. -

-

- Bugzilla:2009213[1] -

-
-

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System -

-

- Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of - Certificate System. As a consequence, Certificate System might become unstable and manual steps - are required to recover the system. -

-
-

- Bugzilla:1729215 -

-
-

FIPS mode does not support using a shared secret to establish a - cross-forest trust

-

- Establishing a cross-forest trust using a shared secret fails in FIPS mode because NTLMSSP - authentication is not FIPS-compliant. To work around this problem, authenticate with an Active - Directory (AD) administrative account when establishing a trust between an IdM domain with FIPS - mode enabled and an AD domain. -

-
-

- Jira:RHEL-4847 -

-
-

Downgrading authselect after the rebase to - version 1.2.2 breaks system authentication

-

- The authselect package has been rebased to the latest upstream - version 1.2.2. Downgrading authselect - is not supported and breaks system authentication for all users, including root. -

-
-

- If you downgraded the authselect package to 1.2.1 or earlier, perform the following steps to work around this - problem: -

-
-
    -
  1. - At the GRUB boot screen, select Red Hat Enterprise Linux with - the version of the kernel that you want to boot and press e to - edit the entry. -
  2. -
  3. - Type single as a separate word at the end of the line that - starts with linux and press Ctrl+X - to start the boot process. -
  4. -
  5. - Upon booting in single-user mode, enter the root password. -
  6. -
  7. -

    - Restore authselect configuration using the following command: -

    -
    # authselect select sssd --force
    -
  8. -
-
-

- Bugzilla:1892761 -

-
-

IdM to AD cross-realm TGS requests fail

-

- The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with - AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). -

-
-

- Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with - the following error: -

-
Generic error (see e-text) while getting credentials for <service principal>
-

- Jira:RHEL-4910 -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- Jira:RHELPLAN-155168[1] -

-
-

pki-core-debuginfo update from RHEL 8.6 to - RHEL 8.7 or later fails

-

- Updating the pki-core-debuginfo package from RHEL 8.6 to RHEL 8.7 - or later fails. To work around this problem, run the following commands: -

-
-
-
    -
  1. - yum remove pki-core-debuginfo -
  2. -
  3. - yum update -y -
  4. -
  5. - yum install pki-core-debuginfo -
  6. -
  7. - yum install idm-pki-symkey-debuginfo idm-pki-tools-debuginfo -
  8. -
-
-

- Jira:RHEL-13125[1] -

-
-

Migrated IdM users might be unable to log in due to mismatching domain - SIDs

-

- If you have used the ipa migrate-ds script to migrate users from - one IdM deployment to another, those users might have problems using IdM services because their - previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM - environment. For example, those users can retrieve a Kerberos ticket with the kinit utility, but they cannot log in. To work around this problem, - see the following Knowledgebase article: Migrated IdM users unable to log in due - to mismatching domain SIDs. -

-
-

- Jira:RHELPLAN-109613[1] -

-
-

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a - two-way cross-forest trust

-

- Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management - (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support - Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the - RC4 NTLM hash that the AD domain controller uses when attempting to authenticate. -

-
-

- Jira:RHEL-4898 -

-
-

IdM Vault encryption and decryption fails in FIPS mode

-

- The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. Consequently, - Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 - padding for wrapping the session key with the transport certificate. -

-
-

- Jira:RHEL-12153[1] -

-
-

Incorrect warning when setting expiration dates for a Kerberos - principal

-

- If you set a password expiration date for a Kerberos principal, the current timestamp is - compared to the expiration timestamp using a 32-bit signed integer variable. If the expiration - date is more than 68 years in the future, it causes an integer variable overflow resulting in - the following warning message being displayed: -

-
-
Warning: Your password will expire in less than one hour on [expiration date]
-

- You can ignore this message, the password will expire correctly at the configured date and time. -

-

- Bugzilla:2125318 -

-
-
-
-
-
-

11.12. Desktop

-
-
-
-
-

Disabling flatpak repositories from Software - Repositories is not possible

-

- Currently, it is not possible to disable or remove flatpak - repositories in the Software Repositories tool in the GNOME Software utility. -

-
-

- Bugzilla:1668760 -

-
-

Generation 2 RHEL 8 virtual machines sometimes fail to boot on Hyper-V - Server 2016 hosts

-

- When using RHEL 8 as the guest operating system on a virtual machine (VM) running on a Microsoft - Hyper-V Server 2016 host, the VM in some cases fails to boot and returns to the GRUB boot menu. - In addition, the following error is logged in the Hyper-V event log: -

-
-
The guest operating system reported that it failed with the following error code: 0x1E
-

- This error occurs due to a UEFI firmware bug on the Hyper-V host. To work around this problem, use - Hyper-V Server 2019 or later as the host. -

-

- Bugzilla:1583445[1] -

-
-

Drag-and-drop does not work between desktop and applications

-

- Due to a bug in the gnome-shell-extensions package, the - drag-and-drop functionality does not currently work between desktop and applications. Support - for this feature will be added back in a future release. -

-
-

- Bugzilla:1717947 -

-
-

WebKitGTK fails to display web pages on IBM Z

-

- The WebKitGTK web browser engine fails when trying to display web pages on the IBM Z - architecture. The web page remains blank and the WebKitGTK process terminates unexpectedly. -

-
-

- As a consequence, you cannot use certain features of applications that use WebKitGTK to display web - pages, such as the following: -

-
-
    -
  • - The Evolution mail client -
  • -
  • - The GNOME Online Accounts settings -
  • -
  • - The GNOME Help application -
  • -
-
-

- Jira:RHEL-4158 -

-
-
-
-
-
-

11.13. Graphics infrastructures

-
-
-
-
-

The radeon driver fails to reset hardware - correctly

-

- The radeon kernel driver currently does not reset hardware in the - kexec context correctly. Instead, radeon falls over, which causes the rest of the kdump service to fail. -

-
-

- To work around this problem, disable radeon in kdump by adding the following line to the /etc/kdump.conf file: -

-
dracut_args --omit-drivers "radeon"
-force_rebuild 1
-

- Restart the system and kdump. After starting kdump, the force_rebuild 1 line might be - removed from the configuration file. -

-

- Note that in this scenario, no graphics is available during the dump process, but kdump works correctly. -

-

- Bugzilla:1694705[1] -

-
-

Multiple HDR displays on a single MST topology may not power on -

-

- On systems using NVIDIA Turing GPUs with the nouveau driver, using - a DisplayPort hub (such as a laptop dock) with multiple monitors - which support HDR plugged into it may result in failure to turn on. This is due to the system - erroneously thinking there is not enough bandwidth on the hub to support all of the displays. -

-
-

- Bugzilla:1812577[1] -

-
-

GUI in ESXi might crash due to low video memory

-

- The graphical user interface (GUI) on RHEL virtual machines (VMs) in the VMware ESXi 7.0.1 - hypervisor with vCenter Server 7.0.1 requires a certain amount of video memory. If you connect - multiple consoles or high-resolution monitors to the VM, the GUI requires at least 16 MB of - video memory. If you start the GUI with less video memory, the GUI might terminate unexpectedly. -

-
-

- To work around the problem, configure the hypervisor to assign at least 16 MB of video memory to the - VM. As a result, the GUI on the VM no longer crashes. -

-

- If you encounter this issue, Red Hat recommends that you report it to VMware. -

-

- See also the following VMware article: VMs with high resolution VM console may experience - a crash on ESXi 7.0.1 (83194). -

-

- Bugzilla:1910358[1] -

-
-

VNC Viewer displays wrong colors with the 16-bit color depth on IBM - Z

-

- The VNC Viewer application displays wrong colors when you connect to a VNC session on an IBM Z - server with the 16-bit color depth. -

-
-

- To work around the problem, set the 24-bit color depth on the VNC server. With the Xvnc server, replace the -depth 16 option - with -depth 24 in the Xvnc configuration. -

-

- As a result, VNC clients display the correct colors but use more network bandwidth with the server. -

-

- Bugzilla:1886147 -

-
-

Unable to run graphical applications using sudo command

-

- When trying to run graphical applications as a user with elevated privileges, the application - fails to open with an error message. The failure happens because Xwayland is restricted by the Xauthority - file to use regular user credentials for authentication. -

-
-

- To work around this problem, use the sudo -E command to run graphical - applications as a root user. -

-

- Bugzilla:1673073 -

-
-

Hardware acceleration is not supported on ARM

-

- Built-in graphics drivers do not support hardware acceleration or the Vulkan API on the 64-bit - ARM architecture. -

-
-

- To enable hardware acceleration or Vulkan on ARM, install the proprietary Nvidia driver. -

-

- Jira:RHELPLAN-57914[1] -

-
-
-
-
-
-

11.14. Red Hat Enterprise Linux system roles

-
-
-
-
-

Using the RHEL system role with Ansible 2.9 can display a warning about - using dnf with the command - module

-

- Since RHEL 8.8, the RHEL system roles no longer use the warn - parameter in with the dnf module because this parameter was removed - in Ansible Core 2.14. However, if you use the latest rhel-system-roles package still with Ansible 2.9 and a role installs - a package, one of the following warnings can be displayed: -

-
-
[WARNING]: Consider using the dnf module rather than running 'dnf'. If you need to use command because dnf is insufficient you can add 'warn: false' to
-this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
-
[WARNING]: Consider using the yum, dnf or zypper module rather than running 'rpm'. If you need to use command because yum, dnf or zypper is insufficient
-you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
-

- If you want to hide these warnings, add the command_warnings = False - setting to the [Defaults] section of the ansible.cfg file. However, note that this setting disables all warnings - in Ansible. -

-

- Jira:RHELDOCS-17954 -

-
-

Unable to manage localhost by using the localhost hostname in the playbook or inventory

-

- With the inclusion of the ansible-core 2.13 package in RHEL, if you - are running Ansible on the same host you manage your nodes, you cannot do it by using the localhost hostname in your playbook or inventory. This happens - because ansible-core 2.13 uses the python38 module, and many of the libraries are missing, for example, - blivet for the storage role, gobject for the network role. To - workaround this problem, if you are already using the localhost - hostname in your playbook or inventory, you can add a connection, by using ansible_connection=local, or by creating an inventory file that lists - localhost with the ansible_connection=local option. With that, you are able to manage - resources on localhost. For more details, see the article RHEL system roles playbooks - fail when run on localhost. -

-
-

- Bugzilla:2041997 -

-
-

The rhc system role fails on already - registered systems when rhc_auth contains activation - keys

-

- Executing playbook files on already registered systems fails if activation keys are specified - for the rhc_auth parameter. To workaround this issue, do not - specify activation keys when executing the playbook file on the already registered system. -

-
-

- Bugzilla:2186908 -

-
-
-
-
-
-

11.15. Virtualization

-
-
-
-
-

Using a large number of queues might cause Windows virtual machines to - fail

-

- Windows virtual machines (VMs) might fail when the virtual Trusted Platform Module (vTPM) device - is enabled and the multi-queue virtio-net feature is - configured to use more than 250 queues. -

-
-

- This problem is caused by a limitation in the vTPM device. The vTPM device has a hardcoded limit on - the maximum number of opened file descriptors. Since multiple file descriptors are opened for every - new queue, the internal vTPM limit can be exceeded, causing the VM to fail. -

-

- To work around this problem, choose one of the following two options: -

-
-
    -
  • - Keep the vTPM device enabled, but use less than 250 queues. -
  • -
  • - Disable the vTPM device to use more than 250 queues. -
  • -
-
-

- Jira:RHEL-13336[1] -

-
-

The Milan VM CPU type is sometimes not - available on AMD Milan systems

-

- On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and - Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS - by default. Consequently, the Milan CPU type might not be available - on these systems. In addition, VM live migration between Milan hosts with different feature flag - settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your host. -

-
-

- Bugzilla:2077770[1] -

-
-

SMT CPU topology is not detected by VMs when using host passthrough mode on - AMD EPYC

-

- When a virtual machine (VM) boots with the CPU host passthrough mode on an AMD EPYC host, the - TOPOEXT CPU feature flag is not present. Consequently, the VM is - not able to detect a virtual CPU topology with multiple threads per core. To work around this - problem, boot the VM with the EPYC CPU model instead of host passthrough. -

-
-

- Bugzilla:1740002 -

-
-

Attaching LUN devices to virtual machines using virtio-blk does not - work

-

- The q35 machine type does not support transitional virtio 1.0 devices, and RHEL 8 therefore - lacks support for features that were deprecated in virtio 1.0. In particular, it is not possible - on a RHEL 8 host to send SCSI commands from virtio-blk devices. As a consequence, attaching a - physical disk as a LUN device to a virtual machine fails when using the virtio-blk controller. -

-
-

- Note that physical disks can still be passed through to the guest operating system, but they should - be configured with the device='disk' option rather than device='lun'. -

-

- Bugzilla:1777138[1] -

-
-

Virtual machines sometimes fail to start when using many virtio-blk - disks

-

- Adding a large number of virtio-blk devices to a virtual machine (VM) may exhaust the number of - interrupt vectors available in the platform. If this occurs, the VM’s guest OS fails to boot, - and displays a dracut-initqueue[392]: Warning: Could not boot - error. -

-
-

- Bugzilla:1719687 -

-
-

Virtual machines with iommu_platform=on fail - to start on IBM POWER

-

- RHEL 8 currently does not support the iommu_platform=on parameter - for virtual machines (VMs) on IBM POWER system. As a consequence, starting a VM with this - parameter on IBM POWER hardware results in the VM becoming unresponsive during the boot process. -

-
-

- Bugzilla:1910848 -

-
-

IBM POWER hosts now work correctly when using the ibmvfc driver

-

- When running RHEL 8 on a PowerVM logical partition (LPAR), a variety of errors could previously - occur due to problems with the ibmvfc driver. As a consequence, a - kernel panic triggered on the host under certain circumstances, such as: -

-
-
-
    -
  • - Using the Live Partition Mobility (LPM) feature -
  • -
  • - Resetting a host adapter -
  • -
  • - Using SCSI error handling (SCSI EH) functions -
  • -
-
-

- With this update, the handling of ibmvfc has been fixed, and the - described kernel panics no longer occur. -

-

- Bugzilla:1961722[1] -

-
-

Using perf kvm record on IBM POWER Systems can - cause the VM to crash

-

- When using a RHEL 8 host on the little-endian variant of IBM POWER hardware, using the perf kvm record command to collect trace event samples for a KVM - virtual machine (VM) in some cases results in the VM becoming unresponsive. This situation - occurs when: -

-
-
-
    -
  • - The perf utility is used by an unprivileged user, and the -p option is used to identify the VM - for example perf kvm record -e trace_cycles -p 12345. -
  • -
  • - The VM was started using the virsh shell. -
  • -
-
-

- To work around this problem, use the perf kvm utility with the -i option to monitor VMs that were created using the virsh shell. For example: -

-
# perf kvm record -e trace_imc/trace_cycles/  -p <guest pid> -i
-

- Note that when using the -i option, child tasks do not inherit - counters, and threads will therefore not be monitored. -

-

- Bugzilla:1924016[1] -

-
-

Windows Server 2016 virtual machines with Hyper-V enabled fail to boot when - using certain CPU models

-

- Currently, it is not possible to boot a virtual machine (VM) that uses Windows Server 2016 as - the guest operating system, has the Hyper-V role enabled, and uses one of the following CPU - models: -

-
-
-
    -
  • - EPYC-IBPB -
  • -
  • - EPYC -
  • -
-
-

- To work around this problem, use the EPYC-v3 CPU - model, or manually enable the xsaves CPU flag - for the VM. -

-

- Bugzilla:1942888[1] -

-
-

Migrating a POWER9 guest from a RHEL 7-ALT host to RHEL 8 fails -

-

- Currently, migrating a POWER9 virtual machine from a RHEL 7-ALT host system to RHEL 8 becomes - unresponsive with a Migration status: active status. -

-
-

- To work around this problem, disable Transparent Huge Pages (THP) on the RHEL 7-ALT host, which - enables the migration to complete successfully. -

-

- Bugzilla:1741436[1] -

-
-

Using virt-customize sometimes causes guestfs-firstboot to fail

-

- After modifying a virtual machine (VM) disk image using the virt-customize utility, the guestfs-firstboot service in some cases fails due to incorrect - SELinux permissions. This causes a variety of problems during VM startup, such as failing user - creation or system registration. -

-
-

- To avoid this problem, use the virt-customize command with the --selinux-relabel option. -

-

- Bugzilla:1554735 -

-
-

Deleting a forward interface from a macvtap virtual network resets all - connection counts of this network

-

- Currently, deleting a forward interface from a macvtap virtual - network with multiple forward interfaces also resets the connection status of the other forward - interfaces of the network. As a consequence, the connection information in the live network XML - is incorrect. Note, however, that this does not affect the functionality of the virtual network. - To work around the issue, restart the libvirtd service on your - host. -

-
-

- Bugzilla:1332758 -

-
-

Virtual machines with SLOF fail to boot in netcat interfaces

-

- When using a netcat (nc) interface to access the console of a - virtual machine (VM) that is currently waiting at the Slimline Open Firmware (SLOF) prompt, the - user input is ignored and VM stays unresponsive. To work around this problem, use the nc -C option when connecting to the VM, or use a telnet interface - instead. -

-
-

- Bugzilla:1974622[1] -

-
-

Attaching mediated devices to virtual machines in virt-manager in some cases fails

-

- The virt-manager application is currently able to detect mediated - devices, but cannot recognize whether the device is active. As a consequence, attempting to - attach an inactive mediated device to a running virtual machine (VM) using virt-manager fails. Similarly, attempting to create a new VM that - uses an inactive mediated device fails with a device not found - error. -

-
-

- To work around this issue, use the virsh nodedev-start or mdevctl start commands to activate the mediated device before using it in - virt-manager. -

-

- Bugzilla:2026985 -

-
-

RHEL 9 virtual machines fail to boot in POWER8 compatibility mode -

-

- Currently, booting a virtual machine (VM) that runs RHEL 9 as its guest operating system fails - if the VM also uses CPU configuration similar to the following: -

-
-
  <cpu mode="host-model">
-    <model>power8</model>
-  </cpu>
-

- To work around this problem, do not use POWER8 compatibility mode in RHEL 9 VMs. -

-

- In addition, note that running RHEL 9 VMs is not possible on POWER8 hosts. -

-

- Bugzilla:2035158 -

-
-

SUID and SGID are not cleared automatically on virtiofs

-

- When you run the virtiofsd service with the killpriv_v2 feature, your system may not automatically clear the SUID - and SGID permissions after performing some file-system operations. Consequently, not clearing - the permissions might cause a potential security threat. To work around this issue, disable the - killpriv_v2 feature by entering the following command: -

-
-
# virtiofsd -o no_killpriv_v2
-

- Bugzilla:1966475[1] -

-
-

Restarting the OVS service on a host might block network connectivity on - its running VMs

-

- When the Open vSwitch (OVS) service restarts or crashes on a host, virtual machines (VMs) that - are running on this host cannot recover the state of the networking device. As a consequence, - VMs might be completely unable to receive packets. -

-
-

- This problem only affects systems that use the packed virtqueue format in their virtio networking stack. -

-

- To work around this problem, use the packed=off parameter in the virtio networking device definition to disable packed virtqueue. With - packed virtqueue disabled, the state of the networking device can, in some situations, be recovered - from RAM. -

-

- Bugzilla:1792683 -

-
-

NFS failure during VM migration causes migration failure and source VM - coredump

-

- Currently, if the NFS service or server is shut down during virtual machine (VM) migration, the - source VM’s QEMU is unable to reconnect to the NFS server when it starts running again. As a - result, the migration fails and a coredump is initiated on the source VM. Currently, there is no - workaround available. -

-
-

- Bugzilla:2177957 -

-
-

nodedev-dumpxml does not list attributes - correctly for certain mediated devices

-

- Currently, the nodedev-dumpxml does not list attributes correctly - for mediated devices that were created using the nodedev-create - command. To work around this problem, use the nodedev-define and - nodedev-start commands instead. -

-
-

- Bugzilla:2143160 -

-
-

Starting a VM with an NVIDIA A16 GPU sometimes causes the host GPU to stop - working

-

- Currently, if you start a VM that uses an NVIDIA A16 GPU passthrough device, the NVIDIA A16 GPU - physical device on the host system in some cases stops working. -

-
-

- To work around the problem, reboot the hypervisor and set the reset_method for the GPU device to bus: -

-
# echo bus > /sys/bus/pci/devices/<DEVICE-PCI-ADDRESS>/reset_method
-# cat /sys/bus/pci/devices/<DEVICE-PCI-ADDRESS>/reset_method
-bus
-

- For details, see the Red Hat - Knowledgebase. -

-

- Jira:RHEL-2451[1] -

-
-
-
-
-
-

11.16. RHEL in cloud environments

-
-
-
-
-

Setting static IP in a RHEL virtual machine on a VMware host does not - work

-

- Currently, when using RHEL as a guest operating system of a virtual machine (VM) on a VMware - host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then - reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- To work around this issue, see the VMware Knowledge Base. -

-

- Jira:RHEL-12122 -

-
-

kdump sometimes does not start on Azure and Hyper-V

-

- On RHEL 8 guest operating systems hosted on the Microsoft Azure or Hyper-V hypervisors, starting - the kdump kernel in some cases fails when post-exec notifiers are - enabled. -

-
-

- To work around this problem, disable crash kexec post notifiers: -

-
# echo N > /sys/module/kernel/parameters/crash_kexec_post_notifiers
-

- Bugzilla:1865745[1] -

-
-

The SCSI host address sometimes changes when booting a Hyper-V VM with - multiple guest disks

-

- Currently, when booting a RHEL 8 virtual machine (VM) on the Hyper-V hypervisor, the host - portion of the Host, Bus, Target, Lun (HBTL) SCSI address - in some cases changes. As a consequence, automated tasks set up with the HBTL SCSI - identification or device node in the VM do not work consistently. This occurs if the VM has more - than one disk or if the disks have different sizes. -

-
-

- To work around the problem, modify your kickstart files, using one of the following methods: -

-

- Method 1: Use persistent identifiers for SCSI - devices. -

-

- You can use for example the following powershell script to determine the specific device - identifiers: -

-
# Output what the /dev/disk/by-id/<value> for the specified hyper-v virtual disk.
-# Takes a single parameter which is the virtual disk file.
-# Note: kickstart syntax works with and without the /dev/ prefix.
-param (
-    [Parameter(Mandatory=$true)][string]$virtualdisk
-)
-
-$what = Get-VHD -Path $virtualdisk
-$part = $what.DiskIdentifier.ToLower().split('-')
-
-$p = $part[0]
-$s0 = $p[6] + $p[7] + $p[4] + $p[5] + $p[2] + $p[3] + $p[0] + $p[1]
-
-$p = $part[1]
-$s1 =  $p[2] + $p[3] + $p[0] + $p[1]
-
-[string]::format("/dev/disk/by-id/wwn-0x60022480{0}{1}{2}", $s0, $s1, $part[4])
-

- You can use this script on the hyper-v host, for example as follows: -

-
PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_8.vhdx
-/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-PS C:\Users\Public\Documents\Hyper-V\Virtual hard disks> .\by-id.ps1 .\Testing_8\disk_3_9.vhdx
-/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-

- Afterwards, the disk values can be used in the kickstart file, for example as follows: -

-
part / --fstype=xfs --grow --asprimary --size=8192 --ondisk=/dev/disk/by-id/wwn-0x600224807270e09717645b1890f8a9a2
-part /home --fstype="xfs" --grow --ondisk=/dev/disk/by-id/wwn-0x60022480e00bc367d7fd902e8bf0d3b4
-

- As these values are specific for each virtual disk, the configuration needs to be done for each VM - instance. It may, therefore, be useful to use the %include syntax to - place the disk information into a separate file. -

-

- Method 2: Set up device selection by size. -

-

- A kickstart file that configures disk selection based on size must include lines similar to the - following: -

-
...
-
-# Disk partitioning information is supplied in a file to kick start
-%include /tmp/disks
-
-...
-
-# Partition information is created during install using the %pre section
-%pre --interpreter /bin/bash --log /tmp/ks_pre.log
-
-	# Dump whole SCSI/IDE disks out sorted from smallest to largest ouputting
-	# just the name
-	disks=(`lsblk -n -o NAME -l -b -x SIZE -d -I 8,3`) || exit 1
-
-	# We are assuming we have 3 disks which will be used
-	# and we will create some variables to represent
-	d0=${disks[0]}
-	d1=${disks[1]}
-	d2=${disks[2]}
-
-	echo "part /home --fstype="xfs" --ondisk=$d2 --grow" >> /tmp/disks
-	echo "part swap --fstype="swap" --ondisk=$d0 --size=4096" >> /tmp/disks
-	echo "part / --fstype="xfs" --ondisk=$d1 --grow" >> /tmp/disks
-	echo "part /boot --fstype="xfs" --ondisk=$d1 --size=1024" >> /tmp/disks
-
-%end
-

- Bugzilla:1906870[1] -

-
-

RHEL instances on Azure fail to boot if provisioned by cloud-init and configured with an NFSv3 mount entry

-

- Currently, booting a RHEL virtual machine (VM) on the Microsoft Azure cloud platform fails if - the VM was provisioned by the cloud-init tool and the guest - operating system of the VM has an NFSv3 mount entry in the /etc/fstab file. -

-
-

- Bugzilla:2081114[1] -

-
-
-
-
-
-

11.17. Supportability

-
-
-
-
-

The getattachment command fails to download - multiple attachments at once

-

- The redhat-support-tool command offers the getattachment subcommand for downloading attachments. However, getattachment is currently only able to download a single attachment - and fails to download multiple attachments. -

-
-

- As a workaround, you can download multiple attachments one by one by passing the case number and - UUID for each attachment in the getattachment subcommand. -

-

- Bugzilla:2064575 -

-
-

redhat-support-tool does not work with the - FUTURE crypto policy

-

- Because a cryptographic key used by a certificate on the Customer Portal API does not meet the - requirements by the FUTURE system-wide cryptographic policy, the - redhat-support-tool utility does not work with this policy level at - the moment. -

-
-

- To work around this problem, use the DEFAULT crypto policy while - connecting to the Customer Portal API. -

-

- Jira:RHEL-2345 -

-
-

Timeout when running sos report on IBM Power - Systems, Little Endian

-

- When running the sos report command on IBM Power Systems, Little - Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of - 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the - plugin’s timeout accordingly: -

-
-
-
    -
  • - For one-time setting, run: -
  • -
-
-
# sos report -k processor.timeout=1800
-
-
    -
  • - For a permanent change, edit the [plugin_options] section of - the /etc/sos/sos.conf file: -
  • -
-
-
[plugin_options]
-# Specify any plugin options and their values here. These options take the form
-# plugin_name.option_name = value
-#rpm.rpmva = off
-processor.timeout = 1800
-

- The example value is set to 1800. The particular timeout value highly depends on a specific system. - To set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one - plugin with no timeout by running the following command: -

-
# time sos report -o processor -k processor.timeout=0 --batch --build
-

- Bugzilla:2011413[1] -

-
-
-
-
-
-

11.18. Containers

-
-
-
-
-

Running systemd within an older container image does not work

-

- Running systemd within an older container image, for example, centos:7, does not work: -

-
-
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd
- Storing signatures
- Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
- [!!!!!!] Failed to mount API filesystems, freezing.
-

- To work around this problem, use the following commands: -

-
# mkdir /sys/fs/cgroup/systemd
-# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
-# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
-

- Jira:RHELPLAN-96940[1] -

-
-
-
-
-
-
-

Chapter 12. Internationalization

-
-
-
-
-
-
-
-

12.1. Red Hat Enterprise Linux 8 international languages

-
-
-
-

- Red Hat Enterprise Linux 8 supports the installation of multiple languages and the changing of - languages based on your requirements. -

-
-
    -
  • - East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese. -
  • -
  • - European Languages - English, German, Spanish, French, Italian, Portuguese, and Russian. -
  • -
-
-

- The following table lists the fonts and input methods provided for various major languages. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LanguageDefault Font (Font - Package)Input Methods
-

- English -

-
-

- dejavu-sans-fonts -

-
 
-

- French -

-
-

- dejavu-sans-fonts -

-
 
-

- German -

-
-

- dejavu-sans-fonts -

-
 
-

- Italian -

-
-

- dejavu-sans-fonts -

-
 
-

- Russian -

-
-

- dejavu-sans-fonts -

-
 
-

- Spanish -

-
-

- dejavu-sans-fonts -

-
 
-

- Portuguese -

-
-

- dejavu-sans-fonts -

-
 
-

- Simplified Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libpinyin, libpinyin -

-
-

- Traditional Chinese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-libzhuyin, libzhuyin -

-
-

- Japanese -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-kkc, libkkc -

-
-

- Korean -

-
-

- google-noto-sans-cjk-ttc-fonts, google-noto-serif-cjk-ttc-fonts -

-
-

- ibus-hangul, libhangul -

-
-
-
-
-
-
-
-

12.2. Notable changes to internationalization in RHEL 8

-
-
-
-

- RHEL 8 introduces the following changes to internationalization compared to RHEL 7: -

-
-
    -
  • - Support for the Unicode 11 computing - industry standard has been added. -
  • -
  • - Internationalization is distributed in multiple packages, which allows for smaller footprint - installations. For more information, see Using - langpacks. -
  • -
  • - A number of glibc locales have been synchronized with Unicode - Common Locale Data Repository (CLDR). -
  • -
-
-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA tickets are listed in this document for reference. The links lead to the release notes - in this document that describe the tickets. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- Bugzilla:2188628, Bugzilla:2166332, - Bugzilla:2166284, - Bugzilla:2210491, - Bugzilla:2220890, - Bugzilla:2224505, - Bugzilla:1817505 -

-
-

- NetworkManager -

-
-

- Bugzilla:2144521, Bugzilla:2151987 -

-
-

- Release Notes -

-
-

- Jira:RHELDOCS-16861, Jira:RHELDOCS-16755, Jira:RHELDOCS-16612, Jira:RHELDOCS-17102 -

-
-

- SLOF -

-
-

- Bugzilla:1910848 -

-
-

- accel-config -

-
-

- Bugzilla:1843266 -

-
-

- anaconda -

-
-

- Bugzilla:1770969, - Bugzilla:1886985, - Bugzilla:1656662, - Bugzilla:2050140, - Jira:RHEL-4707, - Jira:RHEL-4711, - Jira:RHEL-4744 -

-
-

- ansible-freeipa -

-
-

- Bugzilla:2127901, - Bugzilla:2175766, - Bugzilla:2127906 -

-
-

- apr -

-
-

- Bugzilla:1819607 -

-
-

- audit -

-
-

- Bugzilla:2216666 -

-
-

- authselect -

-
-

- Bugzilla:1892761 -

-
-

- bacula -

-
-

- Jira:RHEL-6859 -

-
-

- brltty -

-
-

- Bugzilla:2008197 -

-
-

- clevis -

-
-

- Bugzilla:2209058 -

-
-

- cloud-init -

-
-

- Bugzilla:2219528, Bugzilla:2230777, - Jira:RHEL-12122 -

-
-

- cockpit -

-
-

- Bugzilla:1666722 -

-
-

- cockpit-appstream -

-
-

- Bugzilla:2212350, - Bugzilla:2030836 -

-
-

- cockpit-machines -

-
-

- Bugzilla:2173584 -

-
-

- coreutils -

-
-

- Bugzilla:2030661 -

-
-

- corosync-qdevice -

-
-

- Bugzilla:1784200 -

-
-

- crash -

-
-

- Bugzilla:1906482 -

-
-

- crash-ptdump-command -

-
-

- Bugzilla:1838927 -

-
-

- createrepo_c -

-
-

- Bugzilla:1973588 -

-
-

- crypto-policies -

-
-

- Bugzilla:2219912, - Jira:RHEL-2345, - Bugzilla:1919155, - Bugzilla:1660839 -

-
-

- cups-filters -

-
-

- Bugzilla:2118406 -

-
-

- device-mapper-multipath -

-
-

- Bugzilla:2164871, - Bugzilla:2022359, - Bugzilla:2011699 -

-
-

- distribution -

-
-

- Bugzilla:1657927 -

-
-

- dnf -

-
-

- Bugzilla:2170093, - Bugzilla:1986657 -

-
-

- dnf-plugins-core -

-
-

- Bugzilla:2122587, - Bugzilla:2092033 -

-
-

- edk2 -

-
-

- Bugzilla:1741615, - Bugzilla:1935497 -

-
-

- elfutils -

-
-

- Bugzilla:2182060, Bugzilla:2162495 -

-
-

- fapolicyd -

-
-

- Jira:RHEL-628, - Jira:RHEL-630, - Jira:RHEL-829, - Jira:RHEL-520, - Bugzilla:2054741 -

-
-

- fence-agents -

-
-

- Bugzilla:2187329, - Bugzilla:1775847 -

-
-

- firewalld -

-
-

- Bugzilla:1871860 -

-
-

- fuse -

-
-

- Bugzilla:2171095 -

-
-

- gcc -

-
-

- Bugzilla:2168205 -

-
-

- gcc-toolset-12-gdb -

-
-

- Bugzilla:2172095 -

-
-

- gcc-toolset-13 -

-
-

- Bugzilla:2171898 -

-
-

- gcc-toolset-13-annobin -

-
-

- Bugzilla:2171923, - Bugzilla:2171921 -

-
-

- gcc-toolset-13-binutils -

-
-

- Bugzilla:2171924 -

-
-

- gcc-toolset-13-gcc -

-
-

- Bugzilla:2172091 -

-
-

- gdb -

-
-

- Bugzilla:1853140 -

-
-

- gfs2-utils -

-
-

- Bugzilla:2180782 -

-
-

- glibc -

-
-

- Bugzilla:2180462 -

-
-

- gnome-shell-extensions -

-
-

- Bugzilla:1717947 -

-
-

- gnome-software -

-
-

- Bugzilla:1668760 -

-
-

- gnutls -

-
-

- Bugzilla:2089817, - Bugzilla:1628553 -

-
-

- golang -

-
-

- Bugzilla:2185260 -

-
-

- grafana -

-
-

- Bugzilla:2193250 -

-
-

- grafana-pcp -

-
-

- Bugzilla:2193270 -

-
-

- grub2 -

-
-

- Bugzilla:1583445 -

-
-

- grubby -

-
-

- Bugzilla:1900829 -

-
-

- initscripts -

-
-

- Bugzilla:1875485 -

-
-

- ipa -

-
-

- Bugzilla:2196425, Bugzilla:1821181, - Jira:RHEL-4847, - Jira:RHEL-4898, - Jira:RHEL-12153, - Bugzilla:1664719, - Bugzilla:1664718, Bugzilla:2101770 -

-
-

- ipmitool -

-
-

- Bugzilla:2224567, - Jira:RHEL-6846 -

-
-

- iproute -

-
-

- Jira:RHEL-424 -

-
-

- kernel -

-
-

- Bugzilla:1989283, Bugzilla:2144529, - Bugzilla:1753646, - Bugzilla:2130727, - Bugzilla:1868526, - Bugzilla:1694705, - Bugzilla:1730502, - Bugzilla:1609288, - Bugzilla:1602962, - Bugzilla:1865745, - Bugzilla:1906870, - Bugzilla:1924016, - Bugzilla:1942888, - Bugzilla:1812577, - Bugzilla:1910358, Bugzilla:1930576, - Bugzilla:1793389, - Bugzilla:1654962, Bugzilla:1940674, - Bugzilla:1920086, Bugzilla:1971506, - Bugzilla:2059262, Bugzilla:2050411, Bugzilla:2106341, - Bugzilla:2189645, - Bugzilla:1605216, Bugzilla:1519039, - Bugzilla:1627455, - Bugzilla:1501618, Bugzilla:1633143, Bugzilla:1814836, - Bugzilla:1839311, - Bugzilla:1696451, - Bugzilla:1348508, - Bugzilla:1837187, - Bugzilla:1660337, Bugzilla:2041686, - Bugzilla:1836977, Bugzilla:1878207, Bugzilla:1665295, - Bugzilla:1871863, - Bugzilla:1569610, Bugzilla:1794513 -

-
-

- kernel / Networking / IPSec -

-
-

- Jira:RHEL-1257 -

-
-

- kernel / Networking / NIC Drivers -

-
-

- Jira:RHEL-11398 -

-
-

- kernel / Virtualization / KVM -

-
-

- Jira:RHEL-2451 -

-
-

- kernel-rt / Other -

-
-

- Jira:RHEL-9318 -

-
-

- kexec-tools -

-
-

- Bugzilla:2173791, Bugzilla:2111855 -

-
-

- kmod -

-
-

- Bugzilla:2103605 -

-
-

- krb5 -

-
-

- Bugzilla:2211390, - Jira:RHEL-4910, Bugzilla:2125318, - Bugzilla:1877991 -

-
-

- leapp-repository -

-
-

- Bugzilla:2097003 -

-
-

- libdnf -

-
-

- Bugzilla:2155713 -

-
-

- libgnome-keyring -

-
-

- Bugzilla:1607766 -

-
-

- libguestfs -

-
-

- Bugzilla:1554735 -

-
-

- libnftnl -

-
-

- Bugzilla:2211096 -

-
-

- libpfm -

-
-

- Bugzilla:2185653 -

-
-

- libreswan -

-
-

- Bugzilla:1989050 -

-
-

- libselinux-python-2.8-module -

-
-

- Bugzilla:1666328 -

-
-

- libvirt -

-
-

- Bugzilla:1664592, Bugzilla:1332758, - Bugzilla:2143160, - Bugzilla:1528684 -

-
-

- llvm-toolset -

-
-

- Bugzilla:2178806 -

-
-

- lvm2 -

-
-

- Bugzilla:1496229, Bugzilla:1768536 -

-
-

- mariadb -

-
-

- Bugzilla:1942330 -

-
-

- mesa -

-
-

- Bugzilla:1886147 -

-
-

- nfs-utils -

-
-

- Bugzilla:2081114, - Bugzilla:1592011 -

-
-

- nftables -

-
-

- Bugzilla:2061942 -

-
-

- nodejs -

-
-

- Bugzilla:2186718 -

-
-

- nss -

-
-

- Bugzilla:1817533, Bugzilla:1645153 -

-
-

- nss_nis -

-
-

- Bugzilla:1803161 -

-
-

- opencryptoki -

-
-

- Bugzilla:2159697 -

-
-

- opencv -

-
-

- Bugzilla:1886310 -

-
-

- openmpi -

-
-

- Bugzilla:1866402 -

-
-

- opensc -

-
-

- Bugzilla:2097048, - Jira:RHEL-4077, - Bugzilla:1947025 -

-
-

- openscap -

-
-

- Bugzilla:2217441, Bugzilla:2161499 -

-
-

- openssh -

-
-

- Bugzilla:2044354 -

-
-

- openssl -

-
-

- Bugzilla:1810911 -

-
-

- osbuild-composer -

-
-

- Jira:RHEL-4649 -

-
-

- oscap-anaconda-addon -

-
-

- Jira:RHEL-1826, - Bugzilla:1843932, - Bugzilla:1665082, - Jira:RHEL-1810 -

-
-

- pacemaker -

-
-

- Bugzilla:1876173, - Bugzilla:2160206, - Bugzilla:2078611, - Bugzilla:2030869, - Bugzilla:2010084, - Bugzilla:1632951, - Bugzilla:1578820, - Bugzilla:1931023, - Bugzilla:2168633 -

-
-

- papi -

-
-

- Bugzilla:2111982, Bugzilla:2161146 -

-
-

- pcs -

-
-

- Bugzilla:2166294, - Bugzilla:2179010, - Bugzilla:2189958, - Bugzilla:2166289, Bugzilla:1619620, - Bugzilla:1851335 -

-
-

- perl-HTTP-Tiny -

-
-

- Bugzilla:2228409 -

-
-

- pki-core -

-
-

- Bugzilla:1729215, - Jira:RHEL-13125, - Bugzilla:1628987 -

-
-

- podman -

-
-

- Jira:RHELPLAN-154313, - Jira:RHELPLAN-154431, Jira:RHELPLAN-154440, - Jira:RHELPLAN-154443, - Jira:RHELPLAN-163002, Jira:RHELPLAN-160659, - Jira:RHELPLAN-154428 -

-
-

- postfix -

-
-

- Bugzilla:1787010, Bugzilla:1711885 -

-
-

- pykickstart -

-
-

- Bugzilla:1637872 -

-
-

- python3.11-lxml -

-
-

- Bugzilla:2157673 -

-
-

- python36-3.6-module -

-
-

- Bugzilla:2165702 -

-
-

- qemu-kvm -

-
-

- Jira:RHEL-13336, - Bugzilla:1740002, - Bugzilla:1719687, - Bugzilla:1966475, - Bugzilla:1792683, - Bugzilla:2177957, - Bugzilla:1651994 -

-
-

- rear -

-
-

- Bugzilla:2233526, - Bugzilla:1925531, - Bugzilla:2083301 -

-
-

- redhat-support-tool -

-
-

- Bugzilla:2064575 -

-
-

- resource-agents -

-
-

- Bugzilla:2040110, - Bugzilla:2049319, - Bugzilla:2039692, - Bugzilla:2181019 -

-
-

- restore -

-
-

- Bugzilla:1997366 -

-
-

- rhel-system-roles -

-
-

- Bugzilla:2151371, - Bugzilla:2224387, Bugzilla:2190483, Bugzilla:2141961, - Bugzilla:2181661, - Bugzilla:2211272, Bugzilla:2211723, - Bugzilla:2211778, - Bugzilla:2216759, - Bugzilla:2218204, - Bugzilla:2224388, Bugzilla:2218595, - Bugzilla:2211273, - Bugzilla:2140880, - Bugzilla:2192343, - Bugzilla:2222809, - Jira:RHEL-866, - Jira:RHEL-858, - Bugzilla:2168738, - Bugzilla:2186057, - Bugzilla:2209441, - Bugzilla:2216521, - Bugzilla:2224094, - Bugzilla:2224648, - Bugzilla:2226077, - Bugzilla:2193057, - Bugzilla:2222433, - Bugzilla:2232391, - Bugzilla:2232392, - Jira:RHEL-899, - Jira:RHEL-907, - Jira:RHEL-918, - Jira:RHEL-1398, - Jira:RHEL-1496, - Jira:RHEL-1500, - Bugzilla:2186908, - Bugzilla:2021685, - Bugzilla:2006081 -

-
-

- rpm -

-
-

- Bugzilla:1688849 -

-
-

- rsyslog -

-
-

- Jira:RHELPLAN-160541, Bugzilla:1679512, - Jira:RHELPLAN-10431 -

-
-

- rust-toolset -

-
-

- Bugzilla:2191740, Bugzilla:2213875 -

-
-

- samba -

-
-

- Bugzilla:2190417, Bugzilla:2009213, - Jira:RHELPLAN-13195 -

-
-

- scap-security-guide -

-
-

- Bugzilla:2155789, - Bugzilla:2157877, Bugzilla:2167999, - Bugzilla:2221695, Bugzilla:2129100, - Bugzilla:2169857, - Bugzilla:2130185, - Bugzilla:2175684, - Bugzilla:2175882, - Bugzilla:2184487, - Bugzilla:2192893, - Bugzilla:2170530, - Bugzilla:2176008, - Bugzilla:2209073, - Bugzilla:2222583, Bugzilla:2028428, - Bugzilla:2118758, - Jira:RHEL-1804, - Jira:RHEL-1897 -

-
-

- selinux-policy -

-
-

- Bugzilla:2172541, - Bugzilla:2184348, - Bugzilla:2196524, - Bugzilla:2166153, - Bugzilla:1461914 -

-
-

- sos -

-
-

- Bugzilla:2011413 -

-
-

- spice -

-
-

- Bugzilla:1849563 -

-
-

- sssd -

-
-

- Bugzilla:2065692, - Bugzilla:2056483, - Bugzilla:1947671 -

-
-

- subscription-manager -

-
-

- Bugzilla:2170082 -

-
-

- sysstat -

-
-

- Jira:RHEL-12008 -

-
-

- systemtap -

-
-

- Bugzilla:2186932, Bugzilla:2126805 -

-
-

- tang -

-
-

- Bugzilla:2188743 -

-
-

- tuned -

-
-

- Bugzilla:2113900 -

-
-

- udica -

-
-

- Bugzilla:1763210 -

-
-

- udisks2 -

-
-

- Bugzilla:2213193 -

-
-

- valgrind -

-
-

- Bugzilla:2124345 -

-
-

- vdo -

-
-

- Bugzilla:1949163 -

-
-

- virt-manager -

-
-

- Bugzilla:2026985 -

-
-

- vsftpd -

-
-

- Bugzilla:2069733 -

-
-

- wayland -

-
-

- Bugzilla:1673073 -

-
-

- webkit2gtk3 -

-
-

- Jira:RHEL-4158 -

-
-

- which -

-
-

- Bugzilla:2140566 -

-
-

- xorg-x11-server -

-
-

- Bugzilla:1698565 -

-
-

- other -

-
-

- Jira:RHELDOCS-16405, - Bugzilla:2232558, Jira:RHELDOCS-16247, Jira:RHELDOCS-16474, - Jira:RHELDOCS-16462, - Jira:RHELPLAN-156196, Jira:RHELDOCS-16339, - Jira:RHELDOCS-16367, Jira:RHELDOCS-17369, - Bugzilla:2236183, - Bugzilla:2025814, - Bugzilla:2077770, - Bugzilla:1777138, - Bugzilla:1640697, - Bugzilla:1697896, - Bugzilla:1961722, - Bugzilla:1659609, - Bugzilla:1687900, - Bugzilla:1757877, - Bugzilla:1741436, - Jira:RHELPLAN-27987, Jira:RHELPLAN-34199, - Jira:RHELPLAN-57914, - Jira:RHELPLAN-96940, - Bugzilla:1974622, - Bugzilla:2028361, - Bugzilla:2041997, - Bugzilla:2035158, - Jira:RHELPLAN-109613, - Bugzilla:2126777, - Bugzilla:1690207, Bugzilla:1559616, Bugzilla:1889737, - Bugzilla:1906489, - Bugzilla:1769727, - Jira:RHELPLAN-27394, - Jira:RHELPLAN-27737, - Jira:RHELDOCS-16861, Bugzilla:1642765, - Bugzilla:1646541, Bugzilla:1647725, Jira:RHELDOCS-17380, Bugzilla:1932222, - Bugzilla:1686057, Bugzilla:1748980, - Jira:RHELPLAN-71200, Jira:RHELPLAN-45858, - Bugzilla:1871025, Bugzilla:1871953, Bugzilla:1874892, Bugzilla:1916296, - Jira:RHELPLAN-100400, - Bugzilla:1926114, Bugzilla:1904251, - Bugzilla:2011208, - Jira:RHELPLAN-59825, Bugzilla:1920624, Jira:RHELPLAN-70700, - Bugzilla:1929173, Jira:RHELPLAN-85066, - Jira:RHELPLAN-98983, Bugzilla:2009113, Bugzilla:1958250, - Bugzilla:2038929, - Bugzilla:2006665, Bugzilla:2029338, Bugzilla:2061288, Bugzilla:2060759, - Bugzilla:2055826, Bugzilla:2059626, - Jira:RHELPLAN-133171, Bugzilla:2142499, Jira:RHELDOCS-16755, Jira:RHELPLAN-146398, Jira:RHELPLAN-153267, Bugzilla:2225332, - Jira:RHELPLAN-147538, Jira:RHELDOCS-16612, Jira:RHELDOCS-17102, - Jira:RHELDOCS-16300 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.0-13
-
-

- Fri August 9 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Added a Known Issue RHEL-11397 - (Installer and image creation) -
  • -
-
-
-
0.0-12
-
-

- Fri June 7 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Updated a Known Issue in Jira:RHELDOCS-17954 - (Red Hat Enterprise Linux System Roles). -
  • -
-
-
-
0.0-11
-
-

- Fri May 10 2024, Brian Angelica (bangelic@redhat.com) -

-
- -
-
-
0.0-10
-
-

- Thu May 9 2024, Gabriela Fialova (gfialova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#1730502 - (Storage). -
  • -
-
-
-
0.0-9
-
-

- Mon April 29 2024, Gabriela Fialova (gfialova@redhat.com) -

-
-
    -
  • - Added an enhancement BZ#2093355 - (Security). -
  • -
-
-
-
0.0-8
-
-

- Mon March 4 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.0-7
-
-

- Thu February 29 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.0-6
-
-

- Tue February 13 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.0-5
-
-

- Fri February 2 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.0-4
-
-

- Fri January 19 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added an enhancement related to Python Jira:RHELDOCS-17369 - (Dynamic programming languages, web and database servers). -
  • -
  • - Added an enhancement Jira:RHELDOCS-16367 (The - web console). -
  • -
-
-
-
0.0-3
-
-

- Wed January 10 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
- -
-
-
0.0-2
-
-

- Thu November 16 2023, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Node.js 20 is now fully supported (BZ#2186718). -
  • -
-
-
-
0.0-1
-
-

- Wed November 15 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.9 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Wed September 27 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 8.9 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
- diff --git a/app/data/9.0.html b/app/data/9.0.html deleted file mode 100644 index 95df69d..0000000 --- a/app/data/9.0.html +++ /dev/null @@ -1,16600 +0,0 @@ - -
-
-
-
Red Hat Enterprise Linux 9.0
-
-

Release Notes for Red Hat Enterprise Linux 9.0

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 9.0 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
- For information on how to install Red Hat Enterprise Linux, proceed to the Section 3.1, “Installation” section. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your feedback on our documentation. Let us know how we can improve it. -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 9.0

-
-
-
-

Security

-

- The usage of the SHA-1 message digest for - cryptographic purposes has been deprecated in RHEL 9. The digest produced by SHA-1 is not considered - secure because of many documented successful attacks based on finding hash collisions. The RHEL core - crypto components no longer create signatures using SHA-1 by default. Applications in RHEL 9 have - been updated to avoid using SHA-1 in security-relevant use cases. -

-

- Among the exceptions, the HMAC-SHA1 message authentication code and the Universal Unique Identifier - (UUID) values can still be created using SHA-1 because these use cases do not currently pose - security risks. SHA-1 can also be used in limited cases connected with important interoperability - and compatibility concerns, such as Kerberos and WPA-2. See the List - of RHEL applications using cryptography that is not compliant with FIPS 140-3 section for - more details. -

-

- For solutions of compatibility problems with systems that still require SHA-1, see the following KCS - articles: -

- -

- OpenSSL is now provided in version 3.0.1, which - adds a provider concept, a new versioning scheme, an improved HTTP(S) client, support for new - protocols, formats, and algorithms, and many other improvements. -

-

- The system-wide cryptographic policies have been - adjusted to provide up-to-date secure defaults. -

-

- OpenSSH is distributed in version 8.7p1, which - provides many enhancements, bug fixes, and security improvements as compared to version 8.0p1, which - is distributed in RHEL 8.5. -

-

- The SFTP protocol replaces the previously used SCP/RCP protocol in OpenSSH. SFTP offers more predictable filename - handling and does not require expansion of glob(3) patterns by the - shell on the remote side. -

-

- SELinux performance has been substantially - improved, including time to load SELinux policy into the kernel, memory overhead, and other - parameters. For additional information, see the Improving - the performance and space efficiency of SELinux blog post. -

-

- RHEL 9 provides the fapolicyd framework in the upstream version 1.1. - Among other improvements, you can now use the new rules.d/ and trust.d/ directories, the fagenrules script, - and new options for the fapolicyd-cli command. -

-

- The SCAP Security Guide (SSG) packages are provided in version 0.1.60, which introduces delta - tailoring, updated security profiles, and other improvements. -

-

- See Section 4.7, “Security” - for more information. -

-

- The use of SHA-1 for signatures is restricted in the DEFAULT crypto policy. Except for HMAC, SHA-1 - is no longer allowed in TLS, DTLS, SSH, IKEv2, DNSSEC, and Kerberos protocols. -

-

- If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic - signatures, you can enable it by entering the following command: -

-
# update-crypto-policies --set DEFAULT:SHA1
-

- Alternatively, you can switch the system-wide crypto policies to the LEGACY policy. Note that LEGACY also enables - many other algorithms that are not secure. -

-

- Cyrus SASL now uses GDBM instead of Berkeley DB, and the Network Security Services (NSS) libraries - no longer support the DBM file format for the trust database. -

-

- Support for disabling SELinux through the SELINUX=disabled option in - the /etc/selinux/config file has been removed from the kernel. When you - disable SELinux only through /etc/selinux/config, the system starts - with SELinux enabled but with no policy loaded. If your scenario requires disabling SELinux, add the - selinux=0 parameter to your kernel command line. -

-

- See the Security - section in the Considerations in adopting RHEL 9 document for - more information about security-related major differences between RHEL 9 and RHEL 8. -

-

Networking

-

- You can use the new MultiPath TCP daemon (mptcpd) to configure MultiPath TCP (MPTCP) endpoints - without using the iproute2 utility. To make MPTCP subflows and - endpoints persistent, use a NetworkManager dispatcher script. -

-

- By default, NetworkManager now uses the key files to store new connection profiles. Note that the - ifcfg format is still supported. -

-

- For more information about the features introduced in this release and changes in the existing - functionality, see New - features - Networking. -

-

- The WireGuard VPN technology is now available as an unsupported Technology Preview. For details, see - Technology Previews - - Networking. -

-

- The teamd service and the libteam library - are deprecated. As a replacement, configure a bond instead of a network team. -

-

- The iptables-nft and ipset are deprecated. - These packages include utilities, such as iptables, ip6tables, ebtables and arptables. Use the nftables framework to - configure firewall rules. -

-

- For more information about deprecated functionality, see Deprecated functionality - - Networking. -

-

- The network-scripts package has been removed. Use NetworkManager to - configure network connections. For more information about functionality that is no longer part of - RHEL, see the Networking - section in the Considerations in adopting RHEL 9 document. -

-

Dynamic programming languages, web and - database servers

-

- RHEL 9.0 provides the following dynamic programming languages: -

-
-
    -
  • - Node.js 16 -
  • -
  • - Perl 5.32 -
  • -
  • - PHP 8.0 -
  • -
  • - Python 3.9 -
  • -
  • - Ruby 3.0 -
  • -
-
-

- RHEL 9.0 includes the following version control systems: -

-
-
    -
  • - Git 2.31 -
  • -
  • - Subversion 1.14 -
  • -
-
-

- The following web servers are distributed with RHEL 9.0: -

-
-
    -
  • - Apache HTTP Server 2.4.51 -
  • -
  • - nginx 1.20 -
  • -
-
-

- The following proxy caching servers are available: -

-
-
    -
  • - Varnish Cache 6.6 -
  • -
  • - Squid 5.2 -
  • -
-
-

- RHEL 9.0 offers the following database servers: -

-
-
    -
  • - MariaDB 10.5 -
  • -
  • - MySQL 8.0 -
  • -
  • - PostgreSQL 13 -
  • -
  • - Redis 6.2 -
  • -
-
-

- See Section 4.13, “Dynamic - programming languages, web and database servers” for more information. -

-

Compilers and development tools

-
System toolchain
-

- The following system toolchain components are available with RHEL 9.0: -

-
-
    -
  • - GCC 11.2.1 -
  • -
  • - glibc 2.34 -
  • -
  • - binutils 2.35.2 -
  • -
-
-

- RHEL 9 system toolchain components include support for POWER10. -

-
Performance tools and debuggers
-

- The following performance tools and debuggers are available with RHEL 9.0: -

-
-
    -
  • - GDB 10.2 -
  • -
  • - Valgrind 3.18.1 -
  • -
  • - SystemTap 4.6 -
  • -
  • - Dyninst 11.0.0 -
  • -
  • - elfutils 0.186 -
  • -
-
-
Performance monitoring tools
-

- The following performance monitoring tools are available with RHEL 9.0: -

-
-
    -
  • - PCP 5.3.5 -
  • -
  • - Grafana 7.5.11 -
  • -
-
-
Compiler toolsets
-

- The following compiler toolsets are available with RHEL 9.0: -

-
-
    -
  • - LLVM Toolset 13.0.1 -
  • -
  • - Rust Toolset 1.58.1 -
  • -
  • - Go Toolset 1.17.7 -
  • -
-
-

- For detailed changes, see Section 4.14, “Compilers and development - tools”. -

-
Java implementations in RHEL 9
-

- The RHEL 9 AppStream repository includes: -

-
-
    -
  • - The java-17-openjdk packages, which provide the OpenJDK 17 Java - Runtime Environment and the OpenJDK 17 Java Software Development Kit. -
  • -
  • - The java-11-openjdk packages, which provide the OpenJDK 11 Java - Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
  • -
  • - The java-1.8.0-openjdk packages, which provide the OpenJDK 8 - Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. -
  • -
-
-

- For more information, see OpenJDK - documentation. -

-
Java tools
-

- The following Java tools are available with RHEL 9.0: -

-
-
    -
  • - Maven 3.6 -
  • -
  • - Ant 1.10 -
  • -
-
-

- See Section 4.14, “Compilers and development - tools” for more information. -

-

Desktop

-

- The GNOME environment has been updated from GNOME 3.28 to GNOME 40 with many new features. -

-

- The X.org display server is deprecated, and will - be removed in a future major RHEL release. The default desktop session is now the Wayland session in most cases. -

-

- When using the NVIDIA drivers, the desktop session now selects the Wayland display protocol by - default, if the driver configuration supports Wayland. In previous RHEL releases, the NVIDIA drivers - always disabled Wayland. -

-

- The PipeWire service now manages all audio - output and input. PipeWire replaces the PulseAudio service in general use cases and the - JACK service in professional use cases. -

-

- See Section 4.16, “Desktop” - for more information. -

-

Virtualization

-

- In RHEL 9, the libvirt library uses modular daemons that handle - individual virtualization driver sets on your host. This makes it possible to fine-grain a variety - of tasks that involve virtualization drivers, such as resource load optimization and monitoring. -

-

- The QEMU emulator is now built using the Clang compiler. This enables the RHEL 9 KVM hypervisor to - use a number of advanced security and debugging features. One of these features is SafeStack, which - makes virtual machines (VMs) hosted on RHEL 9 significantly more secure against attacks based on - Return-Oriented Programming (ROP). -

-

- In addition, Virtual Trusted Platform Module (vTPM) is now fully supported. Using vTPM, you can add - a TPM virtual crypto-processor to a VM, which can then be used for generating, storing, and managing - cryptographic keys. -

-

- Finally, the virtiofs feature has been implemented, which you can use - to more efficiently share files between a RHEL 9 host and its VMs. -

-

- For more information about virtualization features introduced in this release, see Section 4.20, - “Virtualization”. -

-
-
-
-
-
-

1.2. In-place upgrade

-
-
-
-

In-place upgrade from RHEL 8 to RHEL 9

-
-
    -
  • -

    - From RHEL 8.6 to RHEL 9.0 on the following architectures: -

    -
    -
      -
    • - 64-bit Intel -
    • -
    • - 64-bit AMD -
    • -
    • - 64-bit ARM -
    • -
    • - IBM POWER 9 (little endian) -
    • -
    • - IBM Z architectures, excluding z13 -
    • -
    -
    -
  • -
  • - From RHEL 8.6 to RHEL 9.0 on systems with SAP HANA -
  • -
-
-

- For more information, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. -

-

- For instructions on performing an in-place upgrade, see Upgrading - from RHEL 8 to RHEL 9. -

-

- For instructions on performing an in-place upgrade on systems with SAP environments, see How - to in-place upgrade SAP environments from RHEL 8 to RHEL 9. -

-

In-place upgrade from RHEL 7 to RHEL 9

-

- It is not possible to perform an in-place upgrade directly from RHEL 7 to RHEL 9. However, you can - perform an in-place upgrade from RHEL 7 to RHEL 8 and then perform a second in-place upgrade to RHEL - 9. For more information, see Upgrading - from RHEL 7 to RHEL 8. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-

- Capabilities and limits of Red Hat Enterprise - Linux 9 as compared to other versions of the system are available in the Knowledgebase article Red Hat Enterprise Linux - technology capabilities and limits. -

-

- Information regarding the Red Hat Enterprise Linux life - cycle is provided in the Red Hat Enterprise Linux Life - Cycle document. -

-

- The Package - manifest document provides a package - listing for RHEL 9, including licenses and application compatibility levels. -

-

- Application compatibility levels are explained - in the Red Hat - Enterprise Linux 9: Application Compatibility Guide document. -

-

- Major differences between RHEL 8 and RHEL 9, - including removed functionality, are documented in Considerations - in adopting RHEL 9. -

-

- Instructions on how to perform an in-place upgrade from RHEL 8 - to RHEL 9 are provided by the document Upgrading - from RHEL 8 to RHEL 9. -

-

- The Red Hat Insights service, which enables you - to proactively identify, examine, and resolve known technical issues, is available with all RHEL - subscriptions. For instructions on how to install the Red Hat Insights client and register your - system to the service, see the Red Hat Insights Get - Started page. -

-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 9.0 is distributed with the kernel version 5.14.0, which provides support for - the following architectures at the minimum required version: -

-
-
    -
  • - AMD and Intel 64-bit architectures (x86-64-v2) -
  • -
  • - The 64-bit ARM architecture (ARMv8.0-A) -
  • -
  • - IBM Power Systems, Little Endian (POWER9) -
  • -
  • - 64-bit IBM Z (z14) -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 9

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 9 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Installation ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. On the Product - Downloads page, the Installation ISO is referred to - as Binary DVD. -

    -
    -
    Note
    -
    -

    - The Installation ISO image is in multiple GB size, and as a result, it might not - fit on optical media formats. A USB key or USB hard drive is recommended when - using the Installation ISO image to create bootable installation media. You can - also use the Image Builder tool to create customized RHEL images. For more - information about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Installation ISO image. You can also register to - Red Hat CDN or Satellite during the installation to use the latest BaseOS and AppStream - content from Red Hat CDN or Satellite. -
  • -
-
-

- See the Performing - a standard RHEL 9 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 9 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 9 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For more - information, see the Scope of Coverage - Details document. -

-

- Content in the AppStream repository includes additional user-space applications, runtime languages, - and databases in support of the varied workloads and use cases. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 9 repositories and the packages they provide, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Multiple versions of user-space components are delivered as Application Streams and updated more - frequently than the core operating system packages. This provides greater flexibility to customize - RHEL without impacting the underlying stability of the platform or specific deployments. -

-

- Application Streams are available in the familiar RPM format, as an extension to the RPM format - called modules, as Software Collections, or as Flatpaks. -

-

- Each Application Stream component has a given life cycle, either the same as RHEL 9 or shorter. For - RHEL life cycle information, see Red Hat Enterprise Linux Life - Cycle. -

-

- RHEL 9 improves the Application Streams experience by providing initial Application Stream versions - that can be installed as RPM packages using the traditional dnf install - command. -

-
-
Note
-
-

- Certain initial Application Streams in the RPM format have a shorter life cycle than Red Hat - Enterprise Linux 9. -

-
-
-

- Some additional Application Stream versions will be distributed as modules with a shorter life cycle - in future minor RHEL 9 releases. Modules are collections of packages representing a logical unit: an - application, a language stack, a database, or a set of tools. These packages are built, tested, and - released together. -

-

- Always determine what version of an Application Stream you want to install and make sure to review - the Red Hat - Enterprise Linux Application Stream Lifecycle first. -

-

- Content that needs rapid updating, such as alternate compilers and container tools, is available in - rolling streams that will not provide alternative versions in parallel. Rolling streams may be - packaged as RPMs or modules. -

-

- For information about Application Streams available in RHEL 9 and their application compatibility - level, see the Package - manifest. Application compatibility levels are explained in the Red Hat Enterprise Linux 9: - Application Compatibility Guide document. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- In Red Hat Enterprise Linux 9, software installation is ensured by DNF. Red Hat continues to support the usage of the - yum term for consistency with previous major versions of RHEL. If you - type dnf instead of yum, the command works - as expected because both are aliases for compatibility. -

-

- Although RHEL 8 and RHEL 9 are based on DNF, - they are compatible with YUM used in RHEL 7. -

-

- For more information, see Managing - software with the DNF tool. -

-
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.0. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

Anaconda supports rhsm for machine - provisioning through Kickstart installations for Satellite

-

- Previously, machine provisioning depended on a custom %post script - for Kickstart installation on Red Hat Satellite. This %post script - imported the custom Satellite self-signed certificate, registered the machine, attached a - subscription, and installed packages residing in repositories. -

-
-

- With RHEL 9, Satellite support has been added to the rhsm command for - machine provisioning. You can now use rhsm for all provisioning tasks - such as registering the system, attaching RHEL subscriptions, and installing from a Satellite - instance. -

-

- (BZ#1951709) -

-
-

RHEL supports localhost as a static - hostname

-

- Starting with RHEL 9, setting localhost as a static hostname in - /etc/hostname is valid. In this case, NetworkManager does not try - to obtain a transient hostname through DHCP or reverse DNS lookup. -

-
-

- (BZ#2190045) -

-
-

Licensing, system, and user setting configuration screens have been - disabled post standard installation

-

- Previously, RHEL users were configuring Licensing, System (Subscription manager), and User - Settings prior to the gnome-initial-setup and login screens. With - this update, the initial setup screens have been disabled by default to improve user experience. -

-
-

- If you must run the initial setup for user creation or license display, install the following - packages based on the requirements. -

-
-
    -
  1. -

    - Install initial setup packages. -

    -
    # dnf install initial-setup initial-setup-gui
    -
  2. -
  3. -

    - Enable initial setup while next reboot of the system. -

    -
    # systemctl enable initial-setup
    -
  4. -
  5. - Reboot the system to view initial setup. -
  6. -
-
-

- For Kickstart installations, add initial-setup-gui to the packages - section and enable the initial-setup service. -

-
firstboot --enable
-%packages
-@^graphical-server-environment
-initial-setup-gui
-%end
-

- (BZ#1878583) -

-
-

Anaconda activates network automatically for interactive - installations

-

- Previously, when performing an interactive installation without having the network activated by - Kickstart or boot options, users had to activate the network manually in the network spoke. With - this update, Anaconda activates the network automatically, without requiring users to visit the - network spoke and activate it manually. -

-
-
-
Note
-
-

- This update does not change the installation experience for Kickstart installations and - installations using the ip= boot option. -

-
-
-

- (BZ#1978264) -

-
-

Image Builder now supports filesystem configuration

-

- With this enhancement, you can specify custom filesystem configuration in your blueprints and - you can create images with the desired disk layout. As a result, by having non-default layouts, - you can benefit from security benchmarks, consistency with existing setups, performance, and - protection against out-of-disk errors. -

-
-

- To customize the filesystem configuration in your blueprint, set the following customization: -

-
[[customizations.filesystem]]
-mountpoint = "MOUNTPOINT"
-size = MINIMUM-PARTITION-SIZE
-
-
Note
-
-

- After you add a file system customization to your blueprint, the file system is converted to - a LVM partition. -

-
-
-

- (BZ#2011448) -

-
-

New options to Lock root account and Allow root SSH login with password

-

- The following new options have been added on the root password configuration screen in the RHEL - graphical installation: -

-
-
-
    -
  • - Lock root account: Use this option to lock the root access to the machine. -
  • -
  • - Allow root SSH login with password: Use this option to enable password-based SSH root - logins. -
  • -
-
-

- To enable password-based SSH root logins, add the following line to the - Kickstart file before you start the installation process. -

-
%post
-echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/01-permitrootlogin.conf
-%end
-

- (BZ#1940653) -

-
-

Image Builder now supports creating bootable installer images

-

- With this enhancement, you can use Image Builder to create bootable ISO images that consist of a - tarball file, which contains a root file system. As a result, you - can use the bootable ISO image to install the tarball file system - to a bare metal system. -

-
-

- (BZ#2019318) -

-
-
-
-
-
-

4.2. RHEL for Edge

-
-
-
-
-

RHEL for Edge now supports Greenboot built-in - health checks by default

-

- With this update, RHEL for Edge Greenboot now includes built-in - health checks with watchdog feature to ensure that the hardware - does not hang or freeze while rebooting. With that, you can benefit from the following features: -

-
-
-
    -
  • - It makes it simple for watchdogs hardware users to adopt the - built-in health checks -
  • -
  • - A set of default health checks that provide value for built-in OS components -
  • -
  • - The watchdog is now present as default presets, which makes it - easy to enable or disable this feature -
  • -
  • - Ability to create custom health checks based on the already available health checks. -
  • -
-
-

- (BZ#2083036) -

-
-

RHEL 9 provides rpm-ostree v2022.2 -

-

- RHEL 9 is distributed with the rpm-ostree version v2022.2, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Kernel arguments can now be updated in an idempotent way, by using the new --append-if-missing and --delete-if-present kargs flags. -
  • -
  • - The Count Me feature from DNF is now fully disabled by default - in all repo queries and will only be triggered by the corresponding rpm-ostree-countme.timer and rpm-ostree-countme.service units. See countme. -
  • -
  • - The post-processing logic can now process the user.ima IMA - extended attribute. When an xattr extended attribute is found, - the system automatically translates it to security.ima in the - final OSTree package content. -
  • -
  • - The treefile file has a new repo-packages field. You can use it to pin a set of packages to a - specific repository. -
  • -
-
-

- (BZ#1961324) -

-
-

RHEL 9 provides OSTree v2021.2

-

- RHEL 9 is distributed with the OSTree package version v2021.2, - which provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - New APIs for writing files, used in the new ostree-rs-ext project, to improve imports from - tarballs. -
  • -
  • - The rofiles-fuse command now handles xattrs extended attributes. Note: The rofiles-fuse is considered deprecated, see #2281. -
  • -
  • - Improvements to the introspection API and testing. -
  • -
-
-

- (BZ#1961254) -

-
-

The rpm-ostree rebase tool supports upgrade - from RHEL 8 to RHEL 9

-

- With this enhancement, you can upgrade your RHEL 8 system to RHEL 9 using the rpm-ostree rebase tool. It fully supports the default package set of - RHEL for Edge upgrades between the most recent updates of RHEL 8 to the most recent updates of - RHEL 9. -

-
-

- (BZ#2082306) -

-
-
-
-
-
-

4.3. Subscription management

-
-
-
-
-

Merged system purpose commands under subscription-manager syspurpose

-

- Previously, there were two different commands to set system purpose attributes; syspurpose and subscription-manager. To - unify all the system purpose attributes under one module, all the addons, role, service-level, and usage commands from - subscription-manager have been moved to the new submodule, subscription-manager syspurpose. -

-
-

- Existing subscription-manager commands outside the new submodule are - deprecated. The separate package (python3-syspurpose) that provides the - syspurpose command line tool has been removed in RHEL 9. -

-

- This update provides a consistent way to view, set, and update all system purpose attributes using a - single command of subscription-manager; this replaces all the existing system purpose commands with - their equivalent versions available as a new subcommand. For example, subscription-manager role --set SystemRole becomes subscription-manager syspurpose role --set SystemRole and so on. -

-

- For complete information about the new commands, options, and other attributes, see the SYSPURPOSE OPTIONS section in the subscription-manager man page. -

-

- (BZ#1898563) -

-
-
-
-
-
-

4.4. Software management

-
-
-
-
-

RHEL 9 provides RPM 4.16

-

- RHEL 9 is distributed with RPM version 4.16. Notable bug fixes and enhancements over version - 4.14 include: -

-
-
-
    -
  • -

    - New SPEC features, most notably: -

    -
    -
      -
    • - Fast macro-based dependency generators -
    • -
    • - The %generate_buildrequires section that allows for - generating dynamic build dependencies -
    • -
    • - Meta (unordered) dependencies -
    • -
    • - Increased parallelism in package builds -
    • -
    • - Native version comparison in expressions -
    • -
    • - Caret version operator, opposite of tilde -
    • -
    • - %elif, %elifos and - %elifarch statements -
    • -
    • - Optional automatic patch and source numbering -
    • -
    • - %autopatch now accepts patch ranges -
    • -
    • - %patchlist and %sourcelist sections -
    • -
    • - Enforced UTF-8 validation of header data at build-time -
    • -
    -
    -
  • -
  • - The rpm database is now based on the sqlite library. Read-only - support for BerkeleyDB databases has been retained for - migration and query purposes. -
  • -
  • - A new rpm-plugin-audit plug-in for issuing audit log events on - transactions, previously built into RPM itself -
  • -
-
-

- (JIRA:RHELPLAN-80734) -

-
-

New RPM plugin notifies fapolicyd about - changes during RPM transactions

-

- This update of the rpm packages introduces a new RPM plugin that - integrates the fapolicyd framework with the RPM database. The - plugin notifies fapolicyd about installed and changed files during - an RPM transaction. As a result, fapolicyd now supports integrity - checking. -

-
-

- Note that the RPM plugin replaces the DNF plugin because its functionality is not limited to DNF - transactions but covers also changes by RPM. -

-

- (BZ#1942549) -

-
-

RPM now supports the EdDSA public key algorithm

-

- With this enhancement, the rpm command supports signing keys using - the EdDSA public key algorithm. As a result, signing keys generated using EdDSA can now be used - for signing and verifying packages. -

-
-

- Note that, however signing keys using EdDSA are now supported, RSA continues to be the default - public key algorithm in GnuPG. -

-

- (BZ#1962234) -

-
-

RPM now supports the Zstandard (zstd) - compression algorithm

-

- With this enhancement, the default RPM compression algorithm has switched to Zstandard (zstd). As a result, users can benefit from faster package - installations, which can be especially noticeable during large transactions. -

-
-

- (JIRA:RHELPLAN-117903) -

-
-

New DNF options exclude_from_weak_autodetect - and exclude_from_weak

-

- With this enhancement, the default DNF behavior does not install unwanted weak dependencies. To - modify this behavior, use the following new options: -

-
-
-
    -
  • -

    - exclude_from_weak_autodetect -

    -

    - If enabled, the exclude_from_weak_autodetect option - autodetects unmet weak dependencies (Recommends: or Supplements:) of packages installed - on your system. As a result, providers of these weak dependencies are not installed as - weak dependencies, but, if pulled in, they are installed as regular dependencies. The - default value is true. -

    -
  • -
  • -

    - exclude_from_weak -

    -

    - If enabled, the exclude_from_weak option prevents - installing packages as weak dependencies (Recommends: or Supplements:). You can specify - packages either by a package name or a glob, and separate them by a comma. The default - value is []. -

    -
  • -
-
-

- (BZ#2005305) -

-
-

RHEL 9 provides libmodulemd 2.13.0 -

-

- RHEL 9 is distributed with the libmodulemd package version 2.13.0. - Notable bug fixes and enhancements over version 2.9.4 include: -

-
-
-
    -
  • - Added support for delisting demodularized packages from a module. -
  • -
  • - Added support for validating modulemd-packager-v3 documents - with a new --type option of the modulemd-validator tool. -
  • -
  • - Fortified parsing integers. -
  • -
  • - Fixed various modulemd-validator issues. -
  • -
-
-

- (BZ#1984403) -

-
-
-
-
-
-

4.5. Shells and command-line tools

-
-
-
-
-

Bracketed paste is now enabled in bash by - default

-

- The bash readline library version 8.1 is now available, which - enables bracketed paste mode by default. When you paste text to your terminal, bash highlights the text, and you must press enter to execute the pasted command. Bracketed paste mode is the - default setting to avoid accidentally executing malicious commands. -

-
-

- To disable the bracketed paste mode for a specific user, add the following line to ~/.inputrc: -

-
set enable-bracketed-paste off
-

- To disable the bracketed paste mode for all users, add the following line to /etc/inputrc: -

-
set enable-bracketed-paste off
-

- When you disable the bracketed paste mode, commands are directly executed on paste, and you do not - need to confirm them by pressing enter. -

-

- (BZ#2079078) -

-
-

RHEL 9 includes powerpc-utils 1.3.9 -

-

- RHEL 9 provides the powerpc-utils package version 1.3.9. Notable - bug fixes and enhancements over version 1.3.8 include: -

-
-
-
    -
  • - Increased the log size to 1 MB in drmgr. -
  • -
  • - Fixed the HCIND array size at the boot time. -
  • -
  • - Implemented autoconnect-slaves on HNV connections in hcnmgr. -
  • -
  • - Improved the HNV bond list connections in hcnmgr. -
  • -
  • - Use hexdump from util-linux in - hcnmgr. -
  • -
  • - The hcn-init.service starts with the NetworkManager. -
  • -
  • - Fixed OF to logical FC lookup for multipath in ofpathname. -
  • -
  • - Fixed OF to logical lookup with partitions in ofpathname. -
  • -
  • - Fixed bootlist for multipath devices with greater than 5 paths. -
  • -
  • - Added missing substring extraction of devpart in l2of_vd() of - ofpathname. -
  • -
  • - Introduced lpamumascore. -
  • -
  • - Fixed the remove by index operation in drmgr. -
  • -
  • - Moved the definition of SYS_PATH from l2of_vs() to l2of_scsi() in ofpathname. -
  • -
  • - Added -x option to enhance the security in partstat. -
  • -
  • - Fixed nroff warnings and errors in lparstat man page. -
  • -
  • - Implemented NUMA-based LMB removal in drmgr. -
  • -
  • - Fixed ofpathname race with udev - rename in hcnmgr. -
  • -
  • - Use NetworkManager nmcli to check - bonding interface status in hcnmgr. -
  • -
  • - Use NetworkManager nmcli to clean - the bond interface at the boot time when HNV does not exist. -
  • -
-
-

- (BZ#1873868) -

-
-

RHEL 9 is distributed with opal-prd 6.7.1

-

- The opal-prd package version 6.7.1 provides the following notable - bug fixes and enhancements over the previously available version 6.6.3: -

-
-
-
    -
  • - Fixed xscom error logging issues caused due to xscom OPAL call. -
  • -
  • - Fixed possible deadlock with the DEBUG build. -
  • -
  • - Fallback to full_reboot if fast-reboot fails in core/platform. -
  • -
  • - Fixed next_ungarded_primary in core/cpu. -
  • -
  • - Improved rate limit timer requests and the timer state in Self-Boot Engine (SBE). -
  • -
-
-

- (BZ#1869560) -

-
-

RHEL 9 provides lsvpd 1.7.12

-

- RHEL 9 is distributed with the lsvpd package version 1.7.12. - Notable bug fixes and enhancements over version 1.7.11 include: -

-
-
-
    -
  • - Added the UUID property in sysvpd. -
  • -
  • - Improved the NVMe firmware version. -
  • -
  • - Fixed PCI device manufacturer parsing logic. -
  • -
  • - Added recommends clause to the lsvpd configuration file. -
  • -
-
-

- (BZ#1869564) -

-
-

ppc64-diag version 2.7.7 available -

-

- The ppc64-diag package version 2.7.7 is provided in RHEL 9. Notable - bug fixes and enhancements over version 2.7.6 include: -

-
-
-
    -
  • - Improved unit test cases. -
  • -
  • - Added the UUID property in sysvpd. -
  • -
  • - rtas_errd service does not run in the Linux containers. -
  • -
  • - The obsolete logging options are no longer available in the systemd service files. -
  • -
-
-

- (BZ#1869567) -

-
-

RHEL 9 includes Fetchmail 6.4.24

-

- RHEL 9 is distributed with the fetchmail package version 6.4.24. - Fetchmail is a remote-mail retrieval and forwarding utility. -

-
-

- For more information, see: -

-
-
    -
  • - the /usr/share/doc/fetchmail/NEWS file, -
  • -
  • - the fetchmail(1) man page, -
  • -
  • - the /usr/share/doc/fetchmail/README.SSL file for SSL-related - information in case you need to change configuration. -
  • -
-
-

- (BZ#1999276) -

-
-

RHEL 9 includes Eigen 3.4

-

- RHEL 9 is distributed with the eigen3 package version 3.4. Eigen 3.4 is a C++ template library for linear algebra, which now - supports POWER10 matrix multiplication assist instructions. -

-
-

- As a result, users of Eigen 3.4 can perform optimized linear algebra - computation on POWER10 systems. -

-

- (BZ#2032423) -

-
-

RHEL 9 introduces the cdrskin package -

-

- RHEL 9 introduces the cdrskin package for burning data on CD, DVD, - or BD media. The cdrskin package provides a replacement for the - cdrecord executable from the wodim - package, which is not available in RHEL 9. -

-
-

- The cdrskin package includes: -

-
-
    -
  • - Blanking, formatting, and burning of data on optical media. -
  • -
  • - Multi session on CD. -
  • -
  • - Emulated ISO-9660 multi-session on overwriteable DVD+RW, DVD-RW, DVD-RAM, BD-RE. -
  • -
-
-

- The cdrskin package also provides cdrecord - command as a symbolic link to cdrskin binary, so you do not have to - make any changes in user scripts. See cdrskin(1) manual page for the - full set of features. -

-

- (BZ#2015861) -

-
-

The redhat.rhel_mgmt Ansible collection is - supported in the RHEL 9 release

-

- This update provides support to the Intelligent Platform Management Interface (IPMI) Ansible modules. IPMI is a - specification for a set of management interfaces to communicate with baseboard management - controller (BMC) devices. The IPMI modules - ipmi_power and ipmi_boot - are available - in the redhat.rhel_mgmt Collection, which you can access by - installing the ansible-collection-redhat-rhel_mgmt package. -

-
-

- (BZ#2023381) -

-
-

RHEL 9 introduces the util-linux-core - package

-

- In addition to the util-linux package, RHEL 9 provides the util-linux-core subpackage for scenarios where the size of installed - packages is a critical feature, for example buildroots, certain containers, and boot images. -

-
-

- The util-linux-core subpackage contains a limited subset of the util-linux utilities, which are necessary to boot the Linux system, for - example the mount utility. -

-

- The util-linux-core subpackage does not contain any external - dependencies. For example, login utilities are not available due to the dependence on a PAM library. -

-

- For standard use cases, like installations, use the standard util-linux - package. The util-linux package depends on util-linux-core, which means that if you install util-linux, util-linux-core is installed - automatically. -

-

- (BZ#2079313) -

-
-

Updated systemd-udevd assigns consistent - network device names to InfiniBand interfaces

-

- Introduced in RHEL 9, the new version of the systemd package - contains the updated systemd-udevd device manager. The device - manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd. -

-
-

- You can define custom naming rules for naming InfiniBand interfaces by following the Renaming - IPoIB devices procedure. -

-

- For more details of the naming scheme, see the systemd.net-naming-scheme(7) man page. -

-

- (BZ#2136937) -

-
-
-
-
-
-

4.6. Infrastructure services

-
-
-
-
-

s-nail replaces mailx

-

- The s-nail mail processing system has replaced the mailx utility. The s-nail utility is - compatible with mailx and adds numerous new features. The mailx package is no longer maintained in the upstream. -

-
-

- (BZ#1940863) -

-
-

TuneD 2.18 is available

-

- RHEL 9 is distributed with TuneD version 2.18. Notable changes over version 2.16 include: -

-
-
-
    -
  • - The net plugin: added support for txqueuelen tuning. -
  • -
  • - The disk plugin: added support for NVMe disk tuning. -
  • -
  • - tuned-gui bug fixes. -
  • -
-
-

- (BZ#2003838) -

-
-

RHEL 9 provides mod_security_crs 3.3 -

-

- RHEL 9 is distributed with the mod_security_crs package version - 3.3. Notable bug fixes and enhancements include: -

-
-
-
    -
  • - Introduced libinjection. -
  • -
  • - Blocked backup files ending with ~ in filenames. -
  • -
  • - Added new LDAP injection and HTTP - splitting rules. -
  • -
  • - Added .swp to restricted extensions. -
  • -
  • - Added Common Attack Pattern Enumeration and Classification (CAPEC) tags for attack - classification. -
  • -
  • - Added support to detect Nuclei , WFuzz, and ffuf vulnerability - scanners. -
  • -
  • - Improved variable to lowercase (modsec3 behavior fix) -
  • -
  • - Added support to detect Unix RCE bypass techniques through uninitialized variables, string - concatenations, and globbing patterns. -
  • -
  • - Removed outdated rule tags: WASCTC, OWASP_TOP_10, OWASP_AppSensor/RE1, - and OWASP_CRS/FOO/BAR. OWASP_CRS - and attack-type are still included in the mod_security_crs package. -
  • -
  • - The format of crs-setup.conf variable tx.allowed_request_content_type has been changed to be in line - with the other variables. In case the variable is overridden, please see the example in - crs-setup.conf file for the new separator. -
  • -
-
-

- (BZ#1947962) -

-
-

RHEL 9 provides chrony 4.1

-

- RHEL 9 is distributed with chrony version 4.1. Notable bug fixes - and enhancements over version 3.5 include: -

-
-
-
    -
  • - Support for Network Time Security (NTS) authentication has been added. For more information, - see Overview - of Network Time Security (NTS) in chrony. -
  • -
  • - By default, the Authenticated Network Time Protocol (NTP) sources are trusted over - non-authenticated NTP sources. To restore the original behavior, add the autselectmode ignore argument in the chrony.conf file. -
  • -
  • - Support for authentication with RIPEMD keys - RMD128, RMD160, RMD256, RMD320 - is no longer - available. -
  • -
  • - Support for long non-standard MACs in NTPv4 packets is no longer available. If you are using - chrony 2.x, non-MD5/SHA1 keys, you - need to configure chrony with the version 3 option. -
  • -
-
-

- In addition, the following differs from the RHEL 8 version of chrony: -

-
-
    -
  • - The seccomp filter is enabled by default (-F 2 is set in /etc/sysconfig/chronyd). The seccomp - filter conflicts with the mailonchange directive. If you have - the mailonchange directive in /etc/chrony.conf, remove the -F 2 - setting from /etc/sysconfig/chronyd. -
  • -
-
-

- (BZ#1961131) -

-
-
-
-
-
-

4.7. Security

-
-
-
-
-

System-wide crypto-policies are now more - secure

-

- With this update, the system-wide cryptographic policies have been adjusted to provide - up-to-date secure defaults: -

-
-
-
    -
  • - Disabled TLS 1.0, TLS 1.1, DTLS 1.0, RC4, Camellia, DSA, 3DES, and FFDHE-1024 in all - policies. -
  • -
  • - Increased minimum RSA key size and minimum Diffie-Hellman parameter size in LEGACY. -
  • -
  • - Disabled TLS and SSH algorithms using SHA-1, with an exception of SHA-1 usage in Hash-based - Message Authentication Codes (HMACs). -
  • -
-
-

- If your scenario requires enabling some of the disabled algorithms and ciphers, use custom policies - or subpolicies. -

-

- (BZ#1937651) -

-
-

RHEL 9 provides OpenSSL 3.0.1

-

- RHEL 9 provides openssl packages in upstream version 3.0.1, which - includes many improvements and bug fixes over the previous version. The most notable changes - include: -

-
-
-
    -
  • - Added the new Provider concept. Providers are collections of algorithms, and you can choose - different providers for different applications. -
  • -
  • - Introduced the new versioning scheme in the following format: <major>.<minor>.<patch>. -
  • -
  • - Added support for the Certificate Management Protocol (CMP, RFC 4210), the Certificate - Request Message Format (CRMF), and HTTP transfer (RFC 6712). -
  • -
  • - Introduced an HTTP(S) client that supports GET and POST, redirection, plain and - ASN.1-encoded contents, proxies, and timeouts. -
  • -
  • - Added new Key Derivation Function API (EVP_KDF) and Message Authentication Code API - (EVP_MAC). -
  • -
  • - Added support for Linux Kernel TLS (KTLS) through compiling with the enable-ktls configuration option. -
  • -
  • - Added CAdES-BES signature verification support. -
  • -
  • - Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API. -
  • -
  • -

    - Added support for new algorithms, for example: -

    -
    -
      -
    • - KDF algorithms "SINGLE STEP" and "SSH". -
    • -
    • - MAC algorithms "GMAC" and "KMAC". -
    • -
    • - KEM algorithm "RSASVE". -
    • -
    • - Cipher algorithm "AES-SIV" -
    • -
    -
    -
  • -
  • - Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM. -
  • -
  • - The default algorithms for PKCS #12 creation with the PKCS12_create() function changed to more modern PBKDF2 and - AES-based algorithms. -
  • -
  • - Added a new generic trace API. -
  • -
-
-

- (BZ#1990814) -

-
-

OpenSSL now includes providers

-

- The OpenSSL toolkit in version 3.0.1, which is included in RHEL 9, added the concept of - providers. Providers are collections of algorithms, and you can choose different providers for - different applications. OpenSSL currently includes the following providers: base, default, fips, legacy, and null. -

-
-

- By default, OpenSSL loads and activates the default provider, which - includes commonly used algorithms such as RSA, DSA, DH, CAMELLIA, SHA-1, and SHA-2. -

-

- When the FIPS flag is set in the kernel, OpenSSL automatically loads the FIPS provider and uses only - FIPS-approved algorithms. As a result, you do not have to manually switch OpenSSL to FIPS mode. -

-

- To change to a different provider on the system level, edit the openssl.cnf configuration file. For example, if your scenario requires - using the legacy provider, uncomment the corresponding section. -

-
-
Warning
-
-

- Explicitly activating a provider overrides the implicit activation of the default provider - and may make the system remotely inaccessible, for example by the OpenSSH suite. -

-
-
-

- For information on the algorithms included in each provider, see the relevant man pages. For - example, the OSSL_PROVIDER-legacy(7) man page for the legacy provider. -

-

- (BZ#2010291) -

-
-

OpenSSL random bit generator now supports CPACF

-

- This release of the openssl packages introduces support for the CP - Assist for Cryptographic Functions (CPACF) in the OpenSSL NIST SP800-90A-compliant AES-based - deterministic random bit generator (DRBG). -

-
-

- (BZ#1871147) -

-
-

openssl-spkac can now create SPKAC files - signed with SHA-1 and SHA-256

-

- The openssl-spkac utility can now create Netscape signed public key - and challenge (SPKAC) files signed with hashes different than MD5. You can now create and verify - also SPKAC files signed with SHA-1 and SHA-256 hashes. -

-
-

- (BZ#1970388) -

-
-

RHEL 9 provides openCryptoki 3.17.0 -

-

- RHEL 9 is distributed with openCryptoki version 3.17.0. Notable bug - fixes and enhancements over version 3.16.0 include: -

-
-
-
    -
  • - The p11sak utility adds a new function for listing keys. -
  • -
  • -

    - openCryptoki now supports: -

    -
    -
      -
    • - OpenSSL 3.0. -
    • -
    • - Event notifications. -
    • -
    • - Software fallbacks in ICA tokens. -
    • -
    -
    -
  • -
  • - The WebSphere Application Server no longer fails to start when the hardware crypto adapter - is enabled. -
  • -
-
-

- RHEL 9 includes OpenSSL with additional patches, which are specific to RHEL. If the system is in - Federal Information Processing Standards (FIPS) mode, OpenSSL automatically loads the FIPS provider - and base provider and forces the applications to use the FIPS provider. Therefore, the behavior of - openCryptoki on RHEL 9 differs from the upstream: -

-
-
    -
  • - Tokens that rely on OpenSSL’s implementation of the crypto operations (soft tokens and ICA - tokens software fallbacks) now support only FIPS-approved mechanisms, even though unapproved - mechanisms are still listed as available. -
  • -
  • -

    - openCryptoki supports two different token data formats: the - old data format, which uses non-FIPS-approved algorithms (such as DES and SHA1), and the - new data format, which uses FIPS-approved algorithms only. -

    -

    - The old data format no longer works because the FIPS provider allows the use of only - FIPS-approved algorithms. -

    -
    -
    Important
    -
    -

    - To make openCryptoki work on RHEL 9, migrate the - tokens to use the new data format before enabling FIPS mode on the system. This - is necessary because the old data format is still the default in openCryptoki 3.17. Existing openCryptoki installations that use the old token - data format will no longer function when the system is changed to FIPS-enabled. -

    -

    - You can migrate the tokens to the new data format by using the pkcstok_migrate utility, which is provided with openCryptoki. Note that pkcstok_migrate uses non-FIPS-approved algorithms - during the migration. Therefore, use this tool before enabling FIPS mode on the - system. For additional information, see Migrating - to FIPS compliance - pkcstok_migrate utility. -

    -
    -
    -
  • -
-
-

- (BZ#1869533) -

-
-

GnuTLS provided in version 3.7.3

-

- In RHEL 9, the gnutls packages are provided in upstream version - 3.7.3. This provides many improvements and bug fixes over previous versions, most notably: -

-
-
-
    -
  • - Introduced API for FIPS 140-3 explicit indicators. -
  • -
  • - Hardened defaults for exporting PKCS#12 files. -
  • -
  • - Fixed timing of the early data (zero round trip data, 0-RTT) exchange. -
  • -
  • - The certutil tool no longer inherits the Certificate Revocation - List (CRL) distribution point from the certificate authority (CA) when signing a certificate - signing request (CSR). -
  • -
-
-

- (BZ#2033220) -

-
-

RHEL 9 provides NSS 3.71

-

- RHEL 9 is distributed with the Network Security Services (NSS) libraries version 3.71. Notable - changes include: -

-
-
-
    -
  • - Support for the legacy DBM database format has been completely removed. NSS support only the - SQLite database format in RHEL 9. -
  • -
  • - The PKCS #12 encryption ciphers now use the AES-128-CBC with PBKDF2 and SHA-256 algorithms - instead of PBE-SHA1-RC2-40 and PBE-SHA1-2DES. -
  • -
-
-

- (BZ#2008320) -

-
-

NSS no longer support RSA keys shorter than 1023 bits

-

- The update of the Network Security Services (NSS) libraries changes the minimum key size for all - RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following - functions: -

-
-
-
    -
  • - Generate RSA keys shorter than 1023 bits. -
  • -
  • - Sign or verify RSA signatures with RSA keys shorter than 1023 bits. -
  • -
  • - Encrypt or decrypt values with RSA key shorter than 1023 bits. -
  • -
-
-

- (BZ#2099438) -

-
-

Minimal RSA key bit length option in OpenSSH

-

- Accidentally using short RSA keys might make the system more vulnerable to attacks. With this - update, you can set RSA key minimal bit lengths for OpenSSH servers and clients. To define the - minimal RSA key length, use the new RSAMinSize option in the /etc/ssh/sshd_config file for OpenSSH servers, and in the /etc/ssh/ssh_config file for OpenSSH clients. -

-
-

- (BZ#2119694) -

-
-

OpenSSH distributed in 8.7p1

-

- RHEL 9 includes OpenSSH in version 8.7p1. - This version provides many enhancements and bug fixes over OpenSSH version 8.0p1, which is distributed in - RHEL 8.5, most notably: -

-
-

- New Features -

-
-
    -
  • -

    - Support for transfers using the SFTP protocol as a replacement for the previously used - SCP/RCP protocol. SFTP offers more predictable filename handling and does not require - expansion of glob(3) patterns by the shell on the remote side. -

    -

    - SFTP support is enabled by default. If SFTP is unavailable or incompatible in your - scenario, you can use the -O flag to force use of the - original SCP/RCP protocol. -

    -
  • -
  • - The LogVerbose configuration directive that allows forcing - maximum debug logging by file/function/line pattern lists. -
  • -
  • - Client address-based rate-limiting with the new sshd_config - PerSourceMaxStartups, and PerSourceNetBlockSize directives. This provides finer control - than the global MaxStartups limit. -
  • -
  • - The HostbasedAcceptedAlgorithms keyword now filters based on - the signature algorithm instead of filtering by key type. -
  • -
  • - The Include sshd_config keyword in - the sshd daemon that allows including additional configuration - files by using glob patterns. -
  • -
  • - Support for Universal 2nd Factor (U2F) hardware authenticators specified by the FIDO - Alliance. U2F/FIDO are open standards for inexpensive two-factor authentication hardware - that are widely used for website authentication. In OpenSSH, FIDO devices are supported by new - public key types ecdsa-sk and ed25519-sk and by the corresponding certificate types. -
  • -
  • - Support for FIDO keys that require a PIN for each use. You can generate these keys by using - ssh-keygen with the new verify-required option. When a PIN-required key is used, the user - will be prompted for a PIN to complete the signature operation. -
  • -
  • - The authorized_keys file now supports a new verify-required option. This option requires FIDO signatures to - assert token verification of the user’s presence before making the signature. The FIDO - protocol supports multiple methods for user verification, OpenSSH currently supports only - PIN verification. -
  • -
  • - Added support for verifying FIDO webauthn signatures. webauthn is a standard for using FIDO keys in web browsers. These - signatures are a slightly different format to plain FIDO signatures and therefore require - explicit support. -
  • -
-
-

- Bug fixes -

-
-
    -
  • - Clarified semantics of the ClientAliveCountMax=0 keyword. Now, - it entirely disables connection killing instead of the previous behavior of instantly - killing the connection after the first liveness test regardless of its success. -
  • -
-
-

- Security -

-
-
    -
  • - Fixed an exploitable integer overflow bug in the private key parsing code for the XMSS key - type. This key type is still experimental and support for it is not compiled by default. No - user-facing autoconf option exists in portable OpenSSH to enable it. -
  • -
  • - Added protection for private keys at rest in RAM against speculation and memory side-channel - attacks like Spectre, Meltdown and Rambleed. This release encrypts private keys when they - are not in use with a symmetric key that is derived from a relatively large “prekey” - consisting of random data (currently 16 KB). -
  • -
-
-

- (BZ#1952957) -

-
-

Locale forwarding disabled by default in OpenSSH

-

- Using the C.UTF-8 locale in small images, such as containers and - virtual machines, reduces size and improves performance over using the traditional en_US.UTF-8 locale. -

-
-

- Most distributions send locale environment variables by default and accept them on the server side. - However, this meant that logging in through SSH from clients that used locales other than C or C.UTF-8 to servers that did not have - the glibc-langpack-en or glibc-all-langpacks package installed resulted in degraded user - experience. Specifically, output in the UTF-8 format was broken and some tools did not work or sent - frequent warning messages. -

-

- With this update, locale forwarding is switched off by default in OpenSSH. This keeps the locale - viable even if clients connect to servers with minimal installations that support only a small set - of locales. -

-

- (BZ#2002734) -

-
-

OpenSSH supports U2F/FIDO security keys

-

- Previously, the OpenSSH keys stored in hardware were only supported through the PKCS #11 - standard, which limited the use of other security keys in SSH. Support for U2F/FIDO security - keys was developed upstream and is now implemented in RHEL 9. This results in an improved - usability of security keys within SSH independent of the PKCS #11 interface. -

-
-

- (BZ#1821501) -

-
-

Libreswan provided in version 4.6

-

- In RHEL 9, Libreswan is provided in upstream version 4.6. This version provides many bug fixes - and enhancements, most notably improvements on labeled IPsec used with Internet Key Exchange - version 2 (IKEv2). -

-
-

- (BZ#2017355) -

-
-

Libreswan does not accept IKEv1 packages by default

-

- Because the Internet Key Exchange v2 (IKEv2) protocol is now widely deployed, Libreswan no - longer supports IKEv1 packets by default. IKEv2 provides a more secure environment and more - resilience against attacks. If your scenario requires the use of IKEv1, you can enable it by - adding the ikev1-policy=accept option to the /etc/ipsec.conf configuration file. -

-
-

- (BZ#2039877) -

-
-

RHEL 9 provides stunnel 5.62

-

- RHEL 9 is distributed with the stunnel package version 5.62. - Notable bug fixes and enhancements include: -

-
-
-
    -
  • - On systems in FIPS mode, stunnel now always uses FIPS mode. -
  • -
  • - The NO_TLSv1.1, NO_TLSv1.2, and - NO_TLSv1.3 options have been renamed to NO_TLSv1_1, NO_TLSv1_2, and NO_TLSv1_3 respectively. -
  • -
  • - The new service-level sessionResume option enables and disables - session resumption. -
  • -
  • - LDAP is now supported in stunnel clients using the protocol option. -
  • -
  • - A Bash-completion script is now available. -
  • -
-
-

- (BZ#2039299) -

-
-

RHEL 9 provides nettle 3.7.3

-

- RHEL 9 provides the nettle package 3.7.3 version with multiple bug - fixes and enhancements. Notable changes are the following: -

-
-
-
    -
  • - Supports new algorithms and modes, for example, Ed448, SHAKE256, AES-XTS, SIV-CMAC. -
  • -
  • - Adds architecture-specific optimizations for existing algorithms. -
  • -
-
-

- (BZ#1986712) -

-
-

RHEL 9 provides p11-kit 0.24

-

- RHEL 9 provides p11-kit package with 0.24 version. This version - provides multiple bug fixes and enhancements. Notably, the subdirectory for storing distrusted - Certificate Authorities has been renamed to blocklist. -

-
-

- (BZ#1966680) -

-
-

cyrus-sasl now uses GDBM instead of Berkeley - DB

-

- The cyrus-sasl package is now built without the libdb dependency, and the sasldb plugin - uses the GDBM database format instead of Berkeley DB. To migrate your existing Simple - Authentication and Security Layer (SASL) databases stored in the old Berkeley DB format, use the - cyrusbdb2current tool with the following syntax: -

-
-
cyrusbdb2current <sasldb_path> <new_path>
-

- (BZ#1947971) -

-
-

SELinux policy in RHEL 9 is up-to-date with the current kernel

-

- The SELinux policy includes new permissions, classes, and capabilities that are also part of the - kernel. Therefore, SELinux can utilize the full potential provided by the kernel. Specifically, - SELinux has better granularity for granting permissions, which has subsequent security benefits. - This also enables running systems with the MLS SELinux policy because the MLS policy would - prevent some systems from starting if the system contained permissions unknown to the policy. -

-
-

- (BZ#1941810, BZ#1954145) -

-
-

Default SELinux policy disallows commands with text relocation - libraries

-

- The selinuxuser_execmod boolean is now off by default to improve - the security footprint of installed systems. As a result, SELinux users cannot enter commands - using libraries that require text relocation, unless the library files have the textrel_shlib_t label. -

-
-

- (BZ#2055822) -

-
-

OpenSCAP is provided in version 1.3.6

-

- RHEL 9 includes OpenSCAP in version 1.3.6, which provides bug fixes and improvements, most - notably: -

-
-
-
    -
  • - You can provide local copies of remote SCAP source data stream components instead of - downloading them during the scan by using the --local-files - option -
  • -
  • - OpenSCAP accepts multiple --rule arguments to select multiple - rules on the command line. -
  • -
  • - You can skip evaluation of some rules using the --skip-rule - option. -
  • -
  • - You can restrict memory consumed by OpenSCAP probes by using the OSCAP_PROBE_MEMORY_USAGE_RATIO environment variable. -
  • -
  • - OpenSCAP now supports the OSBuild Blueprint as a remediation type. -
  • -
-
-

- (BZ#2041782) -

-
-

OSCAP Anaconda Add-on now supports a new add-on name

-

- With this enhancement, you can use the new com_redhat_oscap add-on - name as opposed to the legacy org_fedora_oscap add-on name in the - Kickstart file for the OSCAP Anaconda Add-on - plugin. For example, the Kickstart section can be structured as follows: -

-
-
%addon com_redhat_oscap
-content-type = scap-security-guide
-%end
-

- OSCAP Anaconda Add-on is currently compatibile with the legacy add-on name, but support for the - legacy add-on name will be removed in a future major RHEL version. -

-

- (BZ#1893753) -

-
-

CVE OVAL feeds now compressed

-

- With this update, Red Hat provides CVE OVAL feeds in a compressed form. They are no longer - available as XML files, but are in the bzip2 format instead. The - location of the feeds for RHEL9 has also been updated to reflect this change. Note that - third-party SCAP scanners might have problems with scanning rules that use a compressed feed - because referencing compressed content is not standardized. -

-
-

- (BZ#2028435) -

-
-

SCAP Security Guide provided in version 0.1.60

-

- RHEL 9 includes the scap-security-guide packages in version 0.1.60. - This version provides bug fixes and enhancements, most notably: -

-
-
-
    -
  • - The rules hardening the PAM stack now use authselect as the - configuration tool. -
  • -
  • - SCAP Security Guide now provides a delta tailoring file for the STIG profile. This tailoring - file defines a profile that represents the differences between DISA’s automated STIG and SSG - automated content. -
  • -
-
-

- (BZ#2014561) -

-
-

SCAP Security Guide profiles supported in RHEL 9.0

-

- With the SCAP Security Guide compliance profiles included in RHEL 9.0, you can harden the system - to the recommendations from the issuing organizations. As a result, you can configure and - automate compliance of your RHEL 9 systems according to your required hardening level by using - the associated remediations and SCAP profiles. -

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Profile nameProfile IDPolicy version
-

- French National Agency for the Security of Information Systems (ANSSI) BP-028 - Enhanced Level -

-
-

- xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced -

-
-

- 1.2 -

-
-

- French National Agency for the Security of Information Systems (ANSSI) BP-028 - High Level -

-
-

- xccdf_org.ssgproject.content_profile_anssi_bp28_high -

-
-

- 1.2 -

-
-

- French National Agency for the Security of Information Systems (ANSSI) BP-028 - Intermediary Level -

-
-

- xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary -

-
-

- 1.2 -

-
-

- French National Agency for the Security of Information Systems (ANSSI) BP-028 - Minimal Level -

-
-

- xccdf_org.ssgproject.content_profile_anssi_bp28_minimal -

-
-

- 1.2 -

-
-

- [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server -

-
-

- xccdf_org.ssgproject.content_profile_cis -

-
-

- DRAFT[a] -

-
-

- [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server -

-
-

- xccdf_org.ssgproject.content_profile_cis_server_l1 -

-
-

- DRAFT[a] -

-
-

- [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation -

-
-

- xccdf_org.ssgproject.content_profile_cis_workstation_l1 -

-
-

- DRAFT[a] -

-
-

- [DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation -

-
-

- xccdf_org.ssgproject.content_profile_cis_workstation_l2 -

-
-

- DRAFT[a] -

-
-

- [DRAFT] Unclassified Information in Non-federal Information Systems and - Organizations (NIST 800-171) -

-
-

- xccdf_org.ssgproject.content_profile_cui -

-
-

- r2 -

-
-

- Australian Cyber Security Centre (ACSC) Essential Eight -

-
-

- xccdf_org.ssgproject.content_profile_e8 -

-
-

- not versioned -

-
-

- Health Insurance Portability and Accountability Act (HIPAA) -

-
-

- xccdf_org.ssgproject.content_profile_hipaa -

-
-

- not versioned -

-
-

- Australian Cyber Security Centre (ACSC) ISM Official -

-
-

- xccdf_org.ssgproject.content_profile_ism_o -

-
-

- not versioned -

-
-

- [DRAFT] Protection Profile for General Purpose Operating Systems -

-
-

- xccdf_org.ssgproject.content_profile_ospp -

-
-

- 4.2.1 -

-
-

- PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9 -

-
-

- xccdf_org.ssgproject.content_profile_pci-dss -

-
-

- 3.2.1 -

-
-

- [DRAFT] DISA STIG for Red Hat Enterprise Linux 9 -

-
-

- xccdf_org.ssgproject.content_profile_stig -

-
-

- DRAFT[b] -

-
-

- [DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9 -

-
-

- xccdf_org.ssgproject.content_profile_stig_gui -

-
-

- DRAFT[b] -

-
-
-
[a] - - CIS has not yet published an official benchmark for RHEL 9 -
-
-
-
[b] - - DISA has not yet published an official benchmark for RHEL 9 -
-
-
-
-
-
Warning
-
-

- Automatic remediation might render the system non-functional. Run the remediation in a test - environment first. -

-
-
-

- (BZ#2045341, BZ#2045349, BZ#2045361, BZ#2045368, BZ#2045374, BZ#2045381, BZ#2045386, BZ#2045393, BZ#2045403) -

-
-

RHEL 9 provides fapolicyd 1.1

-

- RHEL 9 is distributed with the fapolicyd package version 1.1. Most - notable enhancements include the following: -

-
-
-
    -
  • - The /etc/fapolicyd/rules.d/ directory for files containing - allow and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. See the - new fagenrules(8) man page for more details. -
  • -
  • - In addition to the /etc/fapolicyd/fapolicyd.trust file for - marking files outside of the RPM database as trusted, you can now use the new /etc/fapolicyd/trust.d directory, which supports separating a - list of trusted files into more files. You can also add an entry for a file by using the - fapolicyd-cli -f subcommand with the --trust-file directive to these files. See the fapolicyd-cli(1) and fapolicyd.trust(13) man pages for more information. -
  • -
  • - The fapolicyd trust database now supports white spaces in file - names. -
  • -
  • - fapolicyd now stores the correct path to an executable file - when it adds the file to the trust database. -
  • -
-
-

- (BZ#2032408) -

-
-

Rsyslog includes the mmfields module for - higher-performance operations and CEF

-

- Rsyslog now includes the rsyslog-mmfields subpackage which provides - the mmfields module. This is an alternative to using the property - replacer field extraction, but in contrast to the property replacer, all fields are extracted at - once and stored inside the structured data part. As a result, you can use mmfields particularly for processing field-based log formats, for - example Common Event Format (CEF), and if you need a large number of fields or reuse specific - fields. In these cases, mmfields has better performance than - existing Rsyslog features. -

-
-

- (BZ#2027971) -

-
-

logrotate included in a separate rsyslog-logrotate package

-

- The logrotate config was separated from the main rsyslog package into the new rsyslog-logrotate package. This is useful in certain minimal - environments, for example where log rotation is not needed, to prevent installing unnecessary - dependencies. -

-
-

- (BZ#1992155) -

-
-

sudo supports Python plugins

-

- With the sudo program version 1.9, which is included in RHEL 9, you - can write sudo plugins in Python. This makes it easier to enhance - sudo to more precisely suit specific scenarios. -

-
-

- For additional information, see the sudo_plugin_python(8) man page. -

-

- (BZ#1981278) -

-
-

libseccomp provided in version 2.5.2 -

-

- RHEL 9.0 provides the libseccomp packages in upstream version - 2.5.2. This version provides many bug fixes and enhancements over previous versions, most - notably: -

-
-
-
    -
  • - Updated the syscall table for Linux to version v5.14-rc7. -
  • -
  • - Added the get_notify_fd() function to the Python bindings to - get the notification file descriptor. -
  • -
  • - Consolidated multiplexed syscall handling for all architectures into one location. -
  • -
  • - Added multiplexed syscall support to the PowerPC (PPC) and MIPS architectures. -
  • -
  • - Changed the meaning of the SECCOMP_IOCTL_NOTIF_ID_VALID - operation within the kernel. -
  • -
  • - Changed the libseccomp file descriptor notification logic to - support the kernel’s previous and new usage of SECCOMP_IOCTL_NOTIF_ID_VALID. -
  • -
  • - Fixed a bug where seccomp_load() could only be called once. -
  • -
  • - Changed the notification fd handling to only request a - notification fd if the filter has a _NOTIFY action. -
  • -
  • - Added documentation about SCMP_ACT_NOTIFY to the seccomp_add_rule(3) manpage. -
  • -
  • - Clarified the maintainers’ GPG keys. -
  • -
-
-

- (BZ#2019887) -

-
-

Clevis now supports SHA-256

-

- With this enhancement, the Clevis framework supports the SHA-256 - algorithm as the default hash for JSON Web Key (JWK) thumbprints as recommended by RFC 7638. Because the older thumbprints (SHA-1) are still supported, - you can still decrypt the previously encrypted data. -

-
-

- (BZ#1956760) -

-
-
-
-
-
-

4.8. Networking

-
-
-
-
-

The diag modules are now available in the - kernel

-

- The diag modules are now included with the kernel image. With this - update, the diag modules no longer need to be dynamically loaded - when the ss command is used. This allows better debugging of - networking issues regardless of the customer policy on kernel modules. Modules included in the - kernel: -

-
-
CONFIG_INET_DIAG
-CONFIG_INET_RAW_DIAG
-CONFIG_INET_TCP_DIAG
-CONFIG_INET_UDP_DIAG
-CONFIG_INET_MPTCP_DIAG
-CONFIG_NETLINK_DIAG
-CONFIG_PACKET_DIAG
-CONFIG_UNIX_DIAG
-

- (BZ#1948340) -

-
-

New core and IPv4-related networking sysctl - kernel parameters

-

- The RHEL 9.0 kernel provides the following new core and IPv4 networking sysctl parameters compared to previous RHEL versions: -

-
-
-
    -
  • - net.core.devconf_inherit_init_net -
  • -
  • - net.core.gro_normal_batch -
  • -
  • - net.core.high_order_alloc_disable -
  • -
  • - net.core.netdev_unregister_timeout_secs -
  • -
  • - net.ipv4.fib_multipath_hash_fields -
  • -
  • - net.ipv4.fib_notify_on_flag_change -
  • -
  • - net.ipv4.fib_sync_mem -
  • -
  • - net.ipv4.icmp_echo_enable_probe -
  • -
  • - net.ipv4.ip_autobind_reuse -
  • -
  • - net.ipv4.nexthop_compat_mode -
  • -
  • - net.ipv4.raw_l3mdev_accept -
  • -
  • - net.ipv4.tcp_comp_sack_slack_ns -
  • -
  • - net.ipv4.tcp_migrate_req -
  • -
  • - net.ipv4.tcp_mtu_probe_floor -
  • -
  • - net.ipv4.tcp_no_ssthresh_metrics_save -
  • -
  • - net.ipv4.tcp_reflect_tos -
  • -
-
-

- For details about these parameters, install the kernel-doc package and - see the following files: -

-
-
    -
  • - /usr/share/doc/kernel-doc-<version>/Documentation/admin-guide/sysctl/net.rst -
  • -
  • - /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.rst -
  • -
-
-

- (BZ#2068532) -

-
-

Changed behavior in firewalld when - transmitting packets between zones

-

- In zone-based firewalls, packets enter only one zone. Implicit packet transmission is the - concept violation and can allow traffic or services unexpectedly. In Red Hat Enterprise Linux 9 - the firewalld service no longer allows implicit packet transmission - between two different zones. -

-
-

- For more information about this change, see Changed behavior in firewalld when transmitting packets between zones Knowledge - Article. -

-

- (BZ#2029211) -

-
-

Intra-zone forwarding has been enabled by default

-

- The firewalld intra-zone forwarding feature allows forwarding - traffic between interfaces or sources within a firewalld zone. Starting with RHEL 9.0, this - feature has been enabled by default. Use the --add-forward option - of the firewall-cmd utility to enable intra-zone forwarding for a - particular zone. The firewall-cmd --list-all command displays - whether intra-zone forwarding is enabled or disabled for a zone: -

-
-
# firewall-cmd --list-all
-public (active)
-...
-forward: no
-

- (BZ#2089193) -

-
-

Making Nmstate more inclusive

-

- Red Hat is committed to using conscious language. Therefore the slave term in the nmstate API has been - replaced by the term port. -

-
-

- (BZ#1969941) -

-
-

NetworkManager supports interface names set in the rd.znet_ifname kernel option on IBM Z

-

- With this enhancement, on the IBM Z platform, NetworkManager now interprets the rd.znet and rd.znet_ifname kernel - command-line options when installing or booting Red Hat Enterprise Linux from the network. As a - result, it is possible to specify a name of a network interface identified by the subchannels - instead of the default one. -

-
-

- (BZ#1980387) -

-
-

The hostapd package has been added to RHEL - 9.0

-

- With this release, RHEL provides the hostapd package. However, Red - Hat supports hostapd only to set up a RHEL host as an 802.1X - authenticator in Ethernet networks. Other scenarios, such as Wi-Fi access points or - authenticators in Wi-Fi networks, are not supported. -

-
-

- For details about configuring RHEL as an 802.1X authenticator with a FreeRADIUS back end, see Setting - up an 802.1x network authentication service for LAN clients using hostapd with FreeRADIUS - backend. -

-

- (BZ#2019830) -

-
-

ModemManager provided in version 1.18.2

-

- RHEL 9.0 provides the ModemManager packages in upstream version - 1.18.2. This version includes bug fixes and enhancements over the previous version, most - notably: -

-
-
-
    -
  • - Improved capabilities and modes handling for devices with 5G capabilities -
  • -
  • - Additional devices support -
  • -
-
-

- (BZ#1996716) -

-
-

NetworkManager allows to change queue_id of - bond port

-

- NetworkManager ports in a bond now supports the queue_id parameter. - Assuming eth1 is a port of bond interface, you can enable queue_id for a bond port with: -

-
-
# nmcli connection modify eth1 bond-port.queue-id 1
-# nmcli connection up eth1
-

- Any network interface that needs to use this option should configure it with multiple calls until - proper priorities are set for all interfaces. For more information, see /usr/share/docs/kernel-doc-_<version>/Documentation/networking/bonding.rst - file that is provided by the kernel-doc package. -

-

- (BZ#1949127) -

-
-

Support for the configuration of blackhole, - prohibit and unreachable route - types with latest NetworkManager

-

- Kernel supports several route types besides the common unicast, - broadcast and local route types. In - addition, users can now configure blackhole, prohibit and unreachable static route - types in the connection profile of the NetworkManager. The NetworkManager will add a profile - when the profile is activated. -

-
-

- (BZ#2060013) -

-
-

RoCE Express Adapters now use an improved interface naming scheme -

-

- With this enhancement, RDMA over Converged Ethernet (RoCE) Express adapters use the predictable - interface naming scheme and the Peripheral Communication Interface on z-system (zPCI) connector. - In this naming scheme, RHEL uses user identifier (UID) or function identifier (FID) to generate - unique names. In case that no unique UID is available, RHEL uses FID to set the naming scheme. -

-
-

- (BZ#2091653) -

-
-
-
-
-
-

4.9. Kernel

-
-
-
-
-

Kernel version in RHEL 9.0

-

- Red Hat Enterprise Linux 9.0 is distributed with the kernel version 5.14.0-70. -

-
-

- (BZ#2077836) -

-
-

Red Hat, by default, enables eBPF in all RHEL versions for privileged - users only

-

- Extended Berkeley Packet Filter (eBPF) is a - complex technology which allows users to execute custom code inside the Linux kernel. Due to its - nature, the eBPF code needs to pass through - the verifier and other security mechanisms. There were Common Vulnerabilities and Exposures - (CVE) instances, where bugs in this code could be misused for unauthorized operations. To - mitigate this risk, Red Hat by default enabled eBPF in all RHEL versions for privileged users - only. It is possible to enable eBPF for - unprivileged users by using the kernel.command-line parameter unprivileged_bpf_disabled=0. -

-
-

- However, note that -

-
-
    -
  • - Applying unprivileged_bpf_disabled=0 disqualifies your kernel - from Red Hat support and opens your system to security risks. -
  • -
  • - Red Hat urges you to treat processes with the CAP_BPF - capability as if the capability was equal to CAP_SYS_ADMIN. -
  • -
  • - Setting unprivileged_bpf_disabled=0 will not be sufficient to - execute many BPF programs by unprivileged users as loading of most BPF program types - requires additional capabilities (typically CAP_SYS_ADMIN or - CAP_PERFMON). -
  • -
-
-

- For information on how to apply kernel command-line parameters, see Configuring - kernel command-line parameters. -

-

- (BZ#2091643) -

-
-

Red Hat protects kernel symbols only for minor releases

-

- Red Hat guarantees that a kernel module will continue to load in all future updates within an - Extended Update Support (EUS) release, only if you compile the kernel module using protected - kernel symbols. There is no kernel Application Binary Interface (ABI) guarantee between minor - releases of RHEL 9. -

-
-

- (BZ#2059183) -

-
-

RHEL 9 Beta kernels signed with trusted SecureBoot certificates -

-

- Previously, RHEL Beta releases required users to enroll a separate Beta public key using the - Machine Owner Key (MOK) facility. Starting with RHEL 9 Beta, kernels are signed with trusted - SecureBoot certificates, hence users no longer need to enroll a separate Beta public key to use - the beta versions on systems having UEFI Secure Boot enabled. -

-
-

- (BZ#2002499) -

-
-

cgroup-v2 enabled by default in RHEL - 9

-

- The control groups version 2 (cgroup-v2) feature implements a - single hierarchy model that simplifies the management of control groups. Also, it ensures that a - process can only be a member of a single control group at a time. Deep integration with systemd improves the end-user experience when configuring resource - control on a RHEL system. -

-
-

- Development of new features is mostly done for cgroup-v2, which has - some features that are missing in cgroup-v1. Similarly, cgroup-v1 contains some legacy features that are missing in cgroup-v2. Also, the control interfaces are different. Therefore, third - party software with direct dependency on cgroup-v1 may not run properly - in the cgroup-v2 environment. -

-

- To use cgroup-v1, you need to add the following parameters to the - kernel command-line: -

-
systemd.unified_cgroup_hierarchy=0
-systemd.legacy_systemd_cgroup_controller
-
-
Note
-
-

- Both cgroup-v1 and cgroup-v2 are - fully enabled in the kernel. There is no default control group version from the kernel point - of view, and is decided by systemd to mount at startup. -

-
-
-

- (BZ#1953515) -

-
-

Kernel changes potentially affecting third party kernel modules -

-

- Linux distributions with a kernel version prior to 5.9 supported exporting GPL functions as - non-GPL functions. As a result, users could link proprietary functions to GPL kernel functions - through the shim mechanism. With this release, the RHEL kernel - incorporates upstream changes that enhance the ability of RHEL to enforce GPL by rebuffing shim. -

-
-
-
Important
-
-

- Partners and independent software vendors (ISVs) should test their kernel modules with an - early version of RHEL 9 to ensure their compliance with GPL. -

-
-
-

- (BZ#1960556) -

-
-

The 64-bit ARM architecture has a 4 KB page size in RHEL 9

-

- Red Hat has selected a 4 KB page size of physical memory for the 64-bit ARM architecture in Red - Hat Enterprise Linux 9. This size pairs well with the workloads and memory amounts present on - the majority of ARM-based systems. To employ large page sizes efficiently, use the huge pages - option to address a greater amount of memory or workloads with large data sets. -

-
-

- For more information about huge pages see Monitoring - and Managing System Status and Performance. -

-

- (BZ#1978382) -

-
-

The strace utility now correctly displays - SELinux context mismatches

-

- An existing --secontext option of strace has been extended with the mismatch parameter. This parameter enables to print the expected - context along with the actual one upon mismatch only. The output is separated by double - exclamation marks (!!), first the actual context, then the expected - one. In the examples below, the full,mismatch parameters print the - expected full context along with the actual one because the user part of the contexts - mismatches. However, when using a solitary mismatch, it only checks - the type part of the context. The expected context is not printed because the type part of the - contexts matches. -

-
-
[...]
-$ strace --secontext=full,mismatch -e statx stat /home/user/file
-statx(AT_FDCWD, "/home/user/file" [system_u:object_r:user_home_t:s0!!unconfined_u:object_r:user_home_t:s0], ...
-
-$ strace --secontext=mismatch -e statx stat /home/user/file
-statx(AT_FDCWD, "/home/user/file" [user_home_t:s0], ...
-

- SELinux context mismatches often cause access control issues associated with SELinux. The mismatches - printed in the system call traces can significantly expedite the checks of SELinux context - correctness. The system call traces can also explain specific kernel behavior with respect to access - control checks. -

-

- (BZ#2038965) -

-
-

perf-top now can sort by a certain - column

-

- With this update to the perf-top system profiling tool, you can - sort samples by an arbitrary event column. Previously, the events were sorted by the first - column in case multiple events in a group were sampled. To sort the samples, use the --group-sort-idx command-line option and press a number key to sort - the table by the matching data column. Note that column numbering starts from 0. -

-
-

- (BZ#1851933) -

-
-

New package: jigawatts

-

- Checkpoint/Restore In Userspace (CRIU) is a Linux utility that allows checkpointing and - restoring of processes. The jigawatts package contains a Java - library, which aims to improve the usability of CRIU mechanisms from Java applications. -

-
-

- (BZ#1972029) -

-
-

The trace-cmd reset command has new - behavior

-

- Previously, the trace-cmd reset command resetted the tracing_on configuration to 0. The new behavior of trace-cmd reset is to reset tracing_on - to its default value 1. -

-
-

- (BZ#1933980) -

-
-

Extended Berkeley Packet Filter is supported in RHEL 9

-

- The Extended Berkeley Packet Filter (eBPF) - is an in-kernel virtual machine that allows code execution in the kernel space, in the - restricted sandbox environment with access to a limited set of functions. The virtual machine - executes a special assembly-like code. -

-
-

- The eBPF bytecode first loads to the kernel. - Then the bytecode is verified and translated to the native machine code with just-in-time - compilation. Finally, the virtual machine executes the code. -

-

- Red Hat ships numerous components that utilize the eBPF virtual machine. In RHEL 9, these components - include: -

-
-
    -
  • - The BPF Compiler Collection (BCC) - package, which provides tools for I/O analysis, networking, and monitoring of Linux - operating systems using eBPF. -
  • -
  • - The BCC library, which allows the - development of tools similar to those provided in the BCC tools package. -
  • -
  • - The bpftrace tracing language. -
  • -
  • -

    - The libbpf package, which is crucial for bpf development and bpf-related - applications like bpftrace. -

    -
    -
      -
    • - The XDP and AF_XDP API - parts of the libbpf library are not supported and - may be removed in a future release. -
    • -
    -
    -
  • -
  • - The eBPF for Traffic Control (tc) - feature, which enables programmable packet processing inside the kernel network data path. -
  • -
  • - The eXpress Data Path (XDP) feature, - which provides access to the received packets before the kernel networking stack processes - them. Red Hat supports XDP only if it is - used through the libxdp library. -
  • -
  • -

    - The xdp-tools package, which contains user-space support - utilities for the XDP feature and is - supported on the AMD64 and Intel64 CPU architectures. The xdp-tools package includes: -

    -
    -
      -
    • - The libxdp library. -
    • -
    • - The xdp-loader utility for loading XDP programs. -
    • -
    • - The xdp-filter example program for packet - filtering. -
    • -
    • - The xdpdump utility for capturing packets from a - network interface with XDP - enabled. The xdpdump utility is currently supported - only on AMD64 and Intel64 CPU architectures. It is available for other - architectures as Technology Preview. -
    • -
    -
    -
  • -
  • - The AF_XDP socket for connecting the eXpress Data Path (XDP) path to - user-space. -
  • -
-
-

- (BZ#2070506) -

-
-

RHEL 9 provides the crash utility version - 8.0.0

-

- RHEL 9 is distributed with the crash utility version 8.0.0. The bug - fixes and and notable enhancements include: -

-
-
-
    -
  • - Adds the new offset parameter in the add-symbol-file command. This support helps to set the kaslr_offset to gdb. -
  • -
  • - Upgrades the gdb-7.6 to gdb-10.2. -
  • -
-
-

- (BZ#1896647) -

-
-

makedumpfile now supports an improved zstd compression capability

-

- With this enhancement, the makedumpfile now includes the Zstandard - (zstd) compression capability, which provides high compression - ratios. This improvement helps specifically on large memory systems. -

-
-

- The zstd compression capability now has a good balance between the - vmcore dump size and the compression time consumption as compared to - prior compression ratios. As a result, the improved compression mechanism now creates a smaller - vmcore file with an acceptable good compression time. -

-

- Note that a good compression ratio also depends on how the system is being used and the data type - stored in RAM. -

-

- (BZ#1988894) -

-
-

numatop enabled on Intel Xeon scalable server - processors

-

- numatop is a tool that tracks and analyzes the behavior of the - processes and threads running on NUMA systems and displays metrics which can identify - NUMA-related performance bottlenecks. -

-
-

- numatop uses Intel performance counter sampling technologies and - associates the performance data with Linux system runtime information, - to provide analysis in production systems. -

-

- (BZ#1874125) -

-
-

kexec_file_load has been added as the default - option for RHEL 9

-

- This update adds the kexec_file_load system call for the 64-bit ARM - architecture. It provides an in-kernel kexec loader for kdump. Previously, the kernel prevented the loading of unsigned - kernel images when the secure boot option was enabled. The kdump - mechanism would first try to detect whether secure boot is enabled and then choose the boot - interface to run. Consequently, an unsigned kernel failed to load with secure boot enabled and - kexec_file_load() specified. -

-
-

- This update fixes the problem and an unsigned kernel works correctly in the described scenario. -

-

- (BZ#1895232) -

-
-

makedumpfile now includes improved options to - get an estimated vmcore size

-

- With this implementation, the makedumpfile utility now includes the - following options which help to print an estimate for the dump size for the currently running - kernel: -

-
-
-
    -
  • - --dry-run performs all operations specified by the other - options but does not write the output file. -
  • -
  • - --show-stats prints the report messages. This is an alternative - to enabling bit 4 in the level provided to --message-level - option. -
  • -
-
-

- The following example shows the --dry-run and --show-stats usage: -

-
$ makedumpfile --dry-run --show-stats -l --message-level 7 -d 31 /proc/kcore dump.dummy
-

- Note that the dump file size may vary depending on the system state at the time of panic and the - estimate provided by the options may differ from the actual state. -

-

- (BZ#1958452) -

-
-

The kexec-tools package now supports the - default crashkernel memory reservation values for RHEL - 9

-

- The kexec-tools package now maintains the default crashkernel memory reservation values. The kdump service uses the default value to reserve the crashkernel memory for each kernel. This implementation also improves - memory allocation for kdump when a system has less than 4GB of - available memory. -

-
-

- To query the default crashkernel value: -

-
$ kdumpctl get-default-crashkernel
-

- If the memory reserved by the default crashkernel value is not - sufficient on your system, increase the crashkernel parameter. -

-

- Note that the crashkernel=auto option in the boot command line is no - longer supported in RHEL 9 and later releases. -

-

- For more information, see the /usr/share/doc/kexec-tools/crashkernel-howto.txt file. -

-

- (BZ#2034490) -

-
-

Core scheduling is supported in RHEL 9

-

- With the core scheduling functionality users can prevent tasks that should not trust each other - from sharing the same CPU core. Likewise, users can define groups of tasks that can share a CPU - core. -

-
-

- These groups can be specified: -

-
-
    -
  • - To improve security by mitigating some cross-Symmetric Multithreading (SMT) attacks -
  • -
  • - To isolate tasks that need a whole core. For example for tasks in real-time environments, or - for tasks that rely on specific processor features such as Single Instruction, Multiple Data - (SIMD) processing -
  • -
-
-

- For more information, see Core - Scheduling. -

-

- (JIRA:RHELPLAN-100497) -

-
-

Performance improved on 64-bit ARM architecture using non-strict iommu mode - as default

-

- With this upgrade, the 64-bit ARM architecture defaults to using the lazy direct memory access - (DMA) domain for system memory management unit (SMMU). While bringing a significant performance - gain, it can introduce a window between an address unmap and a Translation Lookaside Buffer - (TLB) flush on SMMU. On previous versions, the 64-bit ARM architecture configured the strict DMA - domains as default, which caused the performance to drop due to the 4KB page size. -

-
-

- If you need to use the strict DMA domain mode, specify the iommu.strict=1 mode using the kernel command-line. Note that using strict - DMA domains can cause performance drops on 64-bit ARM architectures. -

-

- (BZ#2050415) -

-
-

The kernel-rt source tree has been updated to - RHEL 9.0 tree

-

- The kernel-rt sources have been updated to use the latest Red Hat - Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest - upstream version, v5.15-rt19. These updates provide a number of bug fixes and enhancements. -

-
-

- (BZ#2002474) -

-
-

Support for CPU hotplug in the hv_24x7 and - hv_gpci PMUs

-

- With this update, PMU counters correctly react to the hot-plugging of a CPU. As a result, if a - hv_gpci event counter is running on a CPU that gets disabled, the - counting redirects to another CPU. -

-
-

- (BZ#1844416) -

-
-

Metrics for POWERPC hv_24x7 nest events are - now available

-

- Metrics for POWERPC hv_24x7 nest events are now available for perf. By aggregating multiple events, these metrics provide a better - understanding of the values obtained from perf counters and how - effectively the CPU is able to process the workload. -

-
-

- (BZ#1780258) -

-
-

The IRDMA driver has been introduced in RHEL 9

-

- The IRDMA driver enables RDMA functionality on RDMA-capable Intel® network devices. Devices - supported by this driver are: -

-
-
-
    -
  • - Intel® Ethernet Controller E810 -
  • -
  • - Intel® Ethernet Network Adapter X722 -
  • -
-
-

- RHEL 9 delivers updated Intel® Ethernet Protocol Driver for RDMA (IRDMA) for the X722 Internet - Wide-area RDMA Protocol (iWARP) device. RHEL 9 also introduces a new E810 device that supports iWARP - and RDMA over Converged Ethernet (RoCEv2). The IRDMA module replaces the legacy i40iw module for - X722 and extends the Application Binary Interface (ABI) defined for i40iw. The change is backward - compatible with legacy X722 RDMA-Core provider (libi40iw). -

-
-
    -
  • - The X722 device supports only iWARP and a more limited set of configuration parameters. -
  • -
  • -

    - The E810 device supports the following set of RDMA and congestion management features: -

    -
    -
      -
    • - iWARP and RoCEv2 RDMA transports -
    • -
    • - Priority Flow Control (PFC) -
    • -
    • - Explicit Congestion Notification (ECN) -
    • -
    -
    -
  • -
-
-

- (BZ#1874195) -

-
-

A new parameter for the kernel bonding module: - lacp_active

-

- RHEL 9 introduces the lacp_active parameter for the bonding kernel module. This parameter specifies whether to send Link - Aggregation Control Protocol Data Unit (LACPDU) frames at specified intervals. The options are - as follows: -

-
-
-
    -
  • - on (default) - enables to send the LACPDU frames along with the - configured lacp_rate parameter -
  • -
  • - off - the LACPDU frames act as "speak when spoken to" -
  • -
-
-

- Note that the LACPDU state frames are still sent when you initialize or unbind port. -

-

- (BZ#1951951) -

-
-
-
-
-
-

4.10. Boot loader

-
-
-
-
-

Boot loader configuration files are unified across CPU - architectures

-

- Configuration files for the GRUB boot loader are now stored in the /boot/grub2/ directory on all supported CPU architectures. The /boot/efi/EFI/redhat/grub.cfg file, which GRUB previously used as the - main configuration file on UEFI systems, now simply loads the /boot/grub2/grub.cfg file. -

-
-

- This change simplifies the layout of the GRUB configuration file, improves user experience, and - provides the following notable benefits: -

-
-
    -
  • - You can boot the same installation with either EFI or legacy BIOS. -
  • -
  • - You can use the same documentation and commands for all architectures. -
  • -
  • - GRUB configuration tools are more robust, because they no longer rely on symbolic links and - they do not have to handle platform-specific cases. -
  • -
  • - The usage of the GRUB configuration files is aligned with images generated by CoreOS - Assembler (COSA) and OSBuild. -
  • -
  • - The usage of the GRUB configuration files is aligned with other Linux distributions. -
  • -
-
-

- (JIRA:RHELPLAN-101246) -

-
-
-
-
-
-

4.11. File systems and storage

-
-
-
-
-

Options in Samba utilities have been renamed and removed for a consistent - user experience

-

- The Samba utilities have been improved to provide a consistent command-line interface. These - improvements include renamed and removed options. Therefore, to avoid problems after the update, - review your scripts that use Samba utilities, and update them, if necessary. -

-
-

- Samba 4.15 introduces the following changes to the Samba utilities: -

-
-
    -
  • - Previously, Samba command-line utilities silently ignored unknown options. To prevent - unexpected behavior, the utilities now consistently reject unknown options. -
  • -
  • - Several command-line options now have a corresponding smb.conf - variable to control their default value. See the man pages of the utilities to identify if a - command-line option has an smb.conf variable name. -
  • -
  • - By default, Samba utilities now log to standard error (stderr). - Use the --debug-stdout option to change this behavior. -
  • -
  • - The --client-protection=off|sign|encrypt option has been added - to the common parser. -
  • -
  • -

    - The following options have been renamed in all utilities: -

    -
    -
      -
    • - --kerberos to --use-kerberos=required|desired|off -
    • -
    • - --krb5-ccache to --use-krb5-ccache=CCACHE -
    • -
    • - --scope to --netbios-scope=SCOPE -
    • -
    • - --use-ccache to --use-winbind-ccache -
    • -
    -
    -
  • -
  • -

    - The following options have been removed from all utilities: -

    -
    -
      -
    • - -e and --encrypt -
    • -
    • - -C removed from --use-winbind-ccache -
    • -
    • - -i removed from --netbios-scope -
    • -
    • - -S and --signing -
    • -
    -
    -
  • -
  • -

    - To avoid duplicate options, certain options have been removed or renamed from the - following utilities: -

    -
    -
      -
    • - ndrdump: -l is no - longer available for --load-dso -
    • -
    • - net: -l is no longer - available for --long -
    • -
    • - sharesec: -V is no - longer available for --viewsddl -
    • -
    • - smbcquotas: --user has - been renamed to --quota-user -
    • -
    • - nmbd: --log-stdout has - been renamed to --debug-stdout -
    • -
    • - smbd: --log-stdout has - been renamed to --debug-stdout -
    • -
    • - winbindd: --log-stdout - has been renamed to --debug-stdout -
    • -
    -
    -
  • -
-
-

- (BZ#2065646) -

-
-

Changes in the NFS client and server in RHEL 9

-
    -
  • - RHEL 9.0 NFS server and client no longer support the insecure GSS Kerberos 5 encryption type - des-cbc-crc. -
  • -
  • - NFS client no longer supports mounting filesystems using UDP transports. -
  • -
-
-

- (BZ#1952863) -

-
-

GFS2 file systems are now created with format version 1802

-

- GFS2 file systems in RHEL 9 are created with format version 1802. This enables the following - features: -

-
-
-
    -
  • - Extended attributes in the trusted namespace ("trusted.* - xattrs") are recognized by gfs2 and gfs2-utils. -
  • -
  • - The rgrplvb option is active by default. This allows gfs2 to attach updated resource group data to DLM lock requests, - so the node acquiring the lock does not need to update the resource group information from - disk. This improves performance in some cases. -
  • -
-
-

- File systems created with the new format version will not be able to be mounted under earlier RHEL - versions and older versions of the fsck.gfs2 utility will not be able - to check them. -

-

- Users can create a file system with the older format version by running the mkfs.gfs2 command with the option -o format=1801. -

-

- Users can upgrade the format version of an older file system running tunegfs2 -r 1802 device on an - unmounted file system. Downgrading the format version is not supported. -

-

- (BZ#1616432) -

-
-

RHEL 9 provides nvml package version - 1.10.1

-

- RHEL 9.0 updates the nvml package to version 1.10.1. This update - adds features and fixes a potential data corruption bug on power loss. -

-
-

- (BZ#1874208) -

-
-

Support for exFAT file system has been added

-

- RHEL 9.0 supports Extensible File Allocation Table (exFAT) file system. You can now mount, - format, and generally use this file system, which is usually used by default on flash memory. -

-
-

- (BZ#1943423) -

-
-

rpcctl command now displays SunRPC connection - information

-

- With this update, you can use the rpcctl command to display - information collected in the SunRPC sysfs files about the system’s - SunRPC objects. You can show, remove, and set objects in the SunRPC network layer through the - sysfs file system. -

-
-

- (BZ#2059245) -

-
-

Limiting the set of the devices for LVM

-

- By default, LVM in RHEL 9 uses only the devices that you explicitly select. Use the new commands - lvmdevices and vgimportdevices to - select specific devices. Using the pvcreate, vgcreate, and vgextend commands - indirectly selects new devices for lvm, if they have not already - been selected. LVM ignores devices that are attached to the system until you select them by - using one of these commands. The lvm command saves the list of the - selected devices in the devices file /etc/lvm/devices/system.devices. The lvm.conf filter or any other command-line configuration filter does - not function when you enable the new devices file feature. If you remove or disable the devices - file, LVM applies the filter to all attached devices. For detailed information about this - feature, see the lvmdevices(8) man page. -

-
-

- (BZ#1749513) -

-
-

NVMe/TCP host with nvme_tcp.ko is now fully - supported

-

- Nonvolatile Memory Express (NVMe) storage over TCP/IP networks (NVMe/TCP) with the nvme_tcp.ko kernel module is now fully supported. The NVMe/TCP target - with the nvmet_tcp.ko module is available with an Unmaintained - status in RHEL 9.0. -

-
-

- (BZ#2054441) -

-
-

multipathd now supports detecting FPIN-Li - events

-

- When you add a new value fpin for the marginal_pathgroups config option, you enable multipathd to monitor the Link Integrity Fabric Performance Impact - Notification (PFIN-Li) events and move paths with link integrity issues to a marginal pathgroup. - With the fpin value set, multipathd - overrides its existing marginal path detection methods and relies on the Fibre Channel fabric to - identify link integrity issues. -

-
-

- With this enhancement, the multipathd method becomes more robust in - detecting marginal paths on Fibre Channel fabrics that can issue PFIN-Li events. -

-

- (BZ#2053642) -

-
-
-
-
-
-

4.12. High availability and clusters

-
-
-
-
-

The resource-stickiness resource - meta-attribute now defaults to 1 instead of 0 for newly-created clusters

-

- Previously, the default value for the resource-stickiness resource - meta-attribute had a default value of 0 for newly-created clusters. This meta-attribute now - defaults to 1. -

-
-

- With a stickiness of 0, a cluster may move resources as needed to balance resources across nodes. - This may result in resources moving when unrelated resources start or stop. With a positive - stickiness, resources have a preference to stay where they are, and move only if other circumstances - outweigh the stickiness. This may result in newly-added nodes not getting any resources assigned to - them without administrator intervention. Both approaches have potentially unexpected behavior, but - most users prefer having some stickiness. The default value for this meta-attribute has been changed - to 1 to reflect this preference. -

-

- Only newly-created clusters are affected by this change, so the behavior does not change for - existing clusters. Users who prefer the old behavior for their cluster can delete the resource-stickiness entry from resource defaults. -

-

- (BZ#1850145) -

-
-

New LVM volume group flag to control autoactivation

-

- LVM volume groups now support a setautoactivation flag which - controls whether logical volumes that you create from a volume group will be automatically - activated on startup. When creating a volume group that will be managed by Pacemaker in a - cluster, set this flag to n with the vgcreate --setautoactivation n command for the volume group to - prevent possible data corruption. If you have an existing volume group used in a Pacemaker - cluster, set the flag with vgchange --setautoactivation n. -

-
-

- (BZ#1899214) -

-
-

New pcs resource status display commands

-

- The pcs resource status and the pcs stonith status commands now support the following options: -

-
-
-
    -
  • - You can display the status of resources configured on a specific node with the pcs resource status node=node_id - command and the pcs stonith status node=node_id - command. You can use these commands to display the status of resources on both cluster and - remote nodes. -
  • -
  • - You can display the status of a single resource with the pcs resource status resource_id - and the pcs stonith status resource_id - commands. -
  • -
  • - You can display the status of all resources with a specified tag with the pcs resource status tag_id - and the pcs stonith status tag_id - commands. -
  • -
-
-

- (BZ#1290830, - BZ#1285269) -

-
-

New reduced output display option for pcs resource safe-disable command

-

- The pcs resource safe-disable and pcs resource disable --safe commands print a lengthy simulation - result after an error report. You can now specify the --brief - option for those commands to print errors only. The error report now always contains resource - IDs of affected resources. -

-
-

- (BZ#1909901) -

-
-

New pcs command to update SCSI fencing device - without causing restart of all other resources

-

- Updating a SCSI fencing device with the pcs stonith update command - causes a restart of all resources running on the same node where the stonith resource was - running. The new pcs stonith update-scsi-devices command allows you - to update SCSI devices without causing a restart of other cluster resources. -

-
-

- (BZ#1872378) -

-
-

Ability to configure watchdog-only SBD for fencing on subset of cluster - nodes

-

- Previously, to use a watchdog-only SBD configuration, all nodes in the cluster had to use SBD. - That prevented using SBD in a cluster where some nodes support it but other nodes (often remote - nodes) required some other form of fencing. Users can now configure a watchdog-only SBD setup - using the new fence_watchdog agent, which allows cluster - configurations where only some nodes use watchdog-only SBD for fencing and other nodes use other - fencing types. A cluster may only have a single such device, and it must be named watchdog. -

-
-

- (BZ#1443666) -

-
-

Detailed Pacemaker status display for internal errors

-

- If Pacemaker can not execute a resource or fence agent for some reason, for example the agent is - not installed or there has been an internal timeout, the Pacemaker status displays now show a - detailed exit reason for the internal error. -

-
-

- (BZ#1470834) -

-
-

The pcmk_delay_base parameter may now take - different values for different nodes

-

- When configuring a fence device, you now can specify different values for different nodes with - the pcmk_delay_base parameter. This allows a single fence device to - be used in a two-node cluster, with a different delay for each node. This helps prevent a - situation where each node attempts to fence the other node at the same time. To specify - different values for different nodes, you map the host names to the delay value for that node - using a similar syntax to pcmk_host_map. For example, node1:0;node2:10s would use no delay when - fencing node1 and a 10-second delay when fencing node2. -

-
-

- (BZ#1082146) -

-
-

Support for special characters inside pcmk_host_map values

-

- The pcmk_host_map property now supports special characters inside - pcmk_host_map values using a backslash (\) in front of the value. - For example, you can specify pcmk_host_map="node3:plug\ 1" to - include a space in the host alias. -

-
-

- (BZ#1376538) -

-
-

New fencing agent for OpenShift

-

- The fence_kubevirt fencing agent is now available for use with RHEL - High Availability on Red Hat OpenShift Virtualization. For information on the fence_kubevirt agent, see the fence_kubevirt(8) man page. -

-
-

- (BZ#1977588) -

-
-

Local mode version of pcs cluster setup - command is now fully supported

-

- By default, the pcs cluster setup command automatically - synchronizes all configuration files to the cluster nodes. The pcs cluster setup command now fully supports the --corosync-conf option. Specifying this option switches the command - to local mode. In this mode, the pcs - command-line interface creates a corosync.conf file and saves it to - a specified file on the local node only, without communicating with any other node. This allows - you to create a corosync.conf file in a script and handle that file - by means of the script. -

-
-

- (BZ#2008558) -

-
-

Automatic removal of location constraint following resource move -

-

- When you execute the pcs resource move command, this adds a - constraint to the resource to prevent it from running on the node on which it is currently - running. By default, the location constraint that the command creates is automatically removed - once the resource has been moved. This does not necessarily move the resources back to the - original node; where the resources can run at that point depends on how you have configured your - resources initially. If you would like to move a resource and leave the resulting constraint in - place, use the pcs resource move-with-contraint command. -

-
-

- (BZ#2008575) -

-
-

pcs suppport for OCF Resource Agent API 1.1 - standard

-

- The pcs command-line interface now supports OCF 1.1 resource and - STONITH agents. As part of the implementation of this support, any agent’s metadata must comply - with the OCF schema, whether the agent is an OCF 1.0 or OCF 1.1 agent. If an agent’s metadata - does not comply with the OCF schema, pcs considers the agent - invalid and will not create or update a resource of the agent unless the --force option is specified. The pcsd - Web UI and pcs commands for listing agents now omit agents with - invalid metadata from the listing. -

-
-

- (BZ#2018969) -

-
-

pcs now accepts Promoted and Unpromoted as role names

-

- The pcs command-line interface now accepts Promoted and Unpromoted anywhere roles - are specified in Pacemaker configuration. These role names are the functional equivalent of the - Master and Slave Pacemaker roles in - previous RHEL releases, and these are the role names that are visible in configuration displays - and help pages. -

-
-

- (BZ#2009455) -

-
-

Updated version of pcsd Web UI

-

- The pcsd Web UI, the graphical user interface to create and - configure Pacemaker/Corosync clusters, has been updated. The updated Web UI provides an improved - user experience and a standardized interface that is built with the PatternFly framework used in - other Red Hat web applications. -

-
-

- (BZ#1996067) -

-
-
-
-
-
-

4.13. Dynamic programming languages, web and database servers

-
-
-
-
-

Python in RHEL 9

-

- Python 3.9 is the default Python implementation in RHEL 9. Python 3.9 is distributed in a non-modular - python3 RPM package in the BaseOS repository and usually installed - by default. Python 3.9 will be supported for - the whole life cycle of RHEL 9. -

-
-

- Additional versions of Python 3 will be - distributed as RPM packages with a shorter life cycle through the AppStream repository and will be - installable in parallel. -

-

- The python command (/usr/bin/python), as - well as other Python-related commands such as - pip, are available in the unversioned form and point to the default - Python 3.9 version. -

-

- Python 2 is not distributed with RHEL 9. -

-

- For more information about Python in RHEL 9, see - Introduction - to Python. -

-

- (BZ#1941595, JIRA:RHELPLAN-80598) -

-
-

Node.js 16 available in RHEL 9

-

- RHEL 9 provides a Long Term Support (LTS) version 16 of Node.js, a - software development platform for building fast and scalable network applications in the - JavaScript programming language. -

-
-

- Notable changes in Node.js 16 over Node.js 14 include: -

-
-
    -
  • - The V8 engine has been upgraded to version 9.4. -
  • -
  • - The npm package manager has been upgraded to version 8.3.1. -
  • -
  • - A new Timers Promises API provides an alternative set of timer - functions that return Promise objects. -
  • -
  • - Node.js is now compatible with OpenSSL 3.0. -
  • -
  • - Node.js now provides a new experimental Web Streams API and an experimental ECMAScript modules (ESM) - loader hooks API. -
  • -
-
-

- Node.js 16 is the initial version of this Application Stream, which you - can install easily as an RPM package. Node.js 16 has a shorter life - cycle than RHEL 9. For details, see the Red - Hat Enterprise Linux Application Streams Life Cycle document. Additional Node.js versions will be provided as modules also with a shorter life - cycle in future minor releases of RHEL 9. -

-

- (BZ#1953491) -

-
-

RHEL 9 provides Ruby 3.0

-

- RHEL 9 is distributed with Ruby 3.0.3, which provides a number of - performance improvements, bug and security fixes, and new features over Ruby 2.7. -

-
-

- Notable enhancements include: -

-
-
    -
  • -

    - Concurrency and parallelism features: -

    -
    -
      -
    • - Ractor, an Actor-model abstraction that provides - thread-safe parallel execution, is provided as an experimental feature. -
    • -
    • - Fiber Scheduler has been introduced as an - experimental feature. Fiber Scheduler intercepts - blocking operations, which enables light-weight concurrency without changing - existing code. -
    • -
    -
    -
  • -
  • -

    - Static analysis features: -

    -
    -
      -
    • - The RBS language has been introduced which - describes the structure of Ruby programs. The rbs gem has been added to parse type definitions - written in RBS. -
    • -
    • - The TypeProf utility has been introduced which is a - type analysis tool for Ruby code. -
    • -
    -
    -
  • -
  • - Pattern matching with the case/in expression is no longer - experimental. -
  • -
  • - One-line pattern matching, which is an experimental feature, has been redesigned. -
  • -
  • - Find pattern has been added as an experimental feature. -
  • -
-
-

- The following performance improvements have been implemented: -

-
-
    -
  • - Pasting long code to the Interactive Ruby Shell (IRB) is now - significantly faster. -
  • -
  • - The measure command has been added to IRB for time measurement. -
  • -
-
-

- Other notable changes include: -

-
-
    -
  • - Keyword arguments are now separated from other arguments. -
  • -
  • - The default directory for user-installed gems is now $HOME/.local/share/gem/ unless the $HOME/.gem/ directory is already present. -
  • -
-
-

- Ruby 3.0 is the initial version of this Application Stream which you - can install easily as an RPM package. Additional Ruby versions will be - provided as modules with a shorter life cycle in future minor releases of RHEL 9. -

-

- (JIRA:RHELPLAN-80758) -

-
-

RHEL 9 introduces Perl 5.32

-

- RHEL 9 includes Perl 5.32, which provides a number of bug fixes and - enhancements over version 5.30. -

-
-

- Notable enhancement include: -

-
-
    -
  • - Perl now supports Unicode version 13.0. -
  • -
  • - The qr quote-like operator has been enhanced. -
  • -
  • - The POSIX::mblen(), mbtowc, and - wctomb functions now work on shift state locales and are - thread-safe on C99 and above compilers when executed on a platform that has locale - thread-safety; the length parameters are now optional. -
  • -
  • - The new experimental isa infix operator tests whether a given - object is an instance of a given class or a class derived from it. -
  • -
  • - Alpha assertions are no longer experimental. -
  • -
  • - Script runs are no longer experimental. -
  • -
  • - Feature checks are now faster. -
  • -
  • - Perl can now dump compiled patterns before optimization. -
  • -
-
-

- Perl 5.32 is the initial version of this Application Stream, which you - can install easily as an RPM package. Additional Perl versions will be - provided as modules with a shorter life cycle in future minor releases of RHEL 9. -

-

- (JIRA:RHELPLAN-80759) -

-
-

RHEL 9 includes PHP 8.0

-

- RHEL 9 is distributed with PHP 8.0, which provides a number of bug - fixes and enhancements over version 7.4. -

-
-

- Notable enhancements include: -

-
-
    -
  • - New named arguments are order-independent and self-documented, and enable you to specify - only required parameters. -
  • -
  • - New attributes enable you to use structured metadata with PHP’s native syntax. -
  • -
  • - New union types enable you to use native union type declarations that are validated at - runtime instead of PHPDoc annotations for a combination of types. -
  • -
  • - Internal functions now more consistently raise an Error exception instead of warnings if - parameter validation fails. -
  • -
  • - New Just-In-Time compilation engines significantly improve application performance. -
  • -
  • - The Xdebug debugging and productivity extension for PHP has - been updated to version 3. This version introduces major changes in functionality and - configuration compared to Xdebug 2. -
  • -
-
-

- PHP 8.0 is the initial version of this Application Stream, which you - can install easily as an RPM package. Additional PHP versions will be - provided as modules with a shorter life cycle in future minor releases of RHEL 9. -

-

- For more information, see Using - the PHP scripting language. -

-

- (BZ#1949319) -

-
-

RHEL 9 provides Git 2.31 and Git LFS 2.13

-

- RHEL 9 is distributed with Git 2.31 which provides a number of - enhancements and performance improvements over version 2.27 available in RHEL 8. Notable changes - include: -

-
-
-
    -
  • - The git status command now reports the status of sparse - checkout. -
  • -
  • - You can now use the --add-file option with the git archive command to include untracked files in a snapshot from - a tree-ish identifier. -
  • -
  • - You can use the clone.defaultremotename configuration variable - to customize a nickname of the source remote repository. -
  • -
  • - You can configure the maximum length of output file names created by the git format-patch command. Previously, the length limit was 64 - bytes. -
  • -
  • - Support for the deprecated PCRE1 library has been removed. -
  • -
-
-

- Additionally, the Git Large File Storage (LFS) extension version 2.13 - is now available. Enhancements over version 2.11 distributed in RHEL 8 include: -

-
-
    -
  • - Git LFS now supports SHA-256 repositories. -
  • -
  • - Git LFS now supports the socks5h - protocol. -
  • -
  • - A new --worktree option is available for the git lfs install and git lfs uninstall commands. -
  • -
  • - A new --above parameter is available for the git lfs migrate import command. -
  • -
-
-

- (BZ#1956345, BZ#1952517) -

-
-

Subversion 1.14 in RHEL 9

-

- RHEL 9 is distributed with Subversion 1.14. Subversion 1.14 is the initial version of this Application Stream, - which you can install easily as an RPM package. Additional Subversion versions will be provided as modules with a shorter life - cycle in future minor releases of RHEL 9. -

-
-

- (JIRA:RHELPLAN-82578) -

-
-

Notable changes in the Apache HTTP Server

-

- RHEL 9.0 provides version 2.4.51 of the Apache HTTP Server. Notable changes over version 2.4.37 - include: -

-
-
-
    -
  • -

    - Apache HTTP Server Control Interface (apachectl): -

    -
    -
      -
    • - The systemctl pager is now disabled for apachectl status output. -
    • -
    • - The apachectl command now fails instead of giving a - warning if you pass additional arguments. -
    • -
    • - The apachectl graceful-stop command now returns - immediately. -
    • -
    • - The apachectl configtest command now executes the - httpd -t command without changing the SELinux - context. -
    • -
    • - The apachectl(8) man page in RHEL now fully - documents differences from upstream apachectl. -
    • -
    -
    -
  • -
  • -

    - Apache eXtenSion tool (apxs): -

    -
    -
      -
    • - The /usr/bin/apxs command no longer uses or exposes - compiler optimisation flags as applied when building the httpd package. You can now use the /usr/lib64/httpd/build/vendor-apxs command to apply - the same compiler flags as used to build httpd. To - use the vendor-apxs command, you must install the - redhat-rpm-config package first. -
    • -
    -
    -
  • -
  • -

    - Apache modules: -

    -
    -
      -
    • - The mod_lua module is now provided in a separate - package. -
    • -
    • - A new mod_jk connector for the Apache HTTP Server - is a module that utilizes the Apache JServ Protocol (AJP) to connect web servers - with Apache Tomcat and other backends. -
    • -
    • - A new mod_proxy_cluster module provides an - httpd-based load balancer that uses a communication channel to forward requests - from the load balancer to one of a set of application server nodes. The - application server nodes use this connection to transmit server-side load - balance factors and lifecycle events back to the load balancer through a custom - set of HTTP methods called the Mod-Cluster Management Protocol (MCMP). This - additional feedback channel allows mod_proxy_cluster to offer a level of intelligence - and granularity not found in other load-balancing solutions. This module - requires the ModCluster client to be installed on - the backend server to successfully communicate. -
    • -
    -
    -
  • -
  • -

    - Configuration syntax changes: -

    -
    -
      -
    • - In the deprecated Allow directive provided by the - mod_access_compat module, a comment (the # character) now triggers a syntax error instead of - being silently ignored. -
    • -
    -
    -
  • -
  • -

    - Other changes: -

    -
    -
      -
    • - Kernel thread IDs are now used directly in error log messages, making them both - accurate and more concise. -
    • -
    • - Many minor enhancements and bug fixes. -
    • -
    • - A number of new interfaces are available to module authors. -
    • -
    -
    -
  • -
-
-

- There are no backwards-incompatible changes to the httpd module API - since RHEL 8. -

-

- Apache HTTP Server 2.4 is the initial version of this Application Stream, which you can install - easily as an RPM package. -

-

- For more information, see Setting - up the Apache HTTP web server. -

-

- (JIRA:RHELPLAN-68364, BZ#1931976, JIRA:RHELPLAN-80725) -

-
-

nginx 1.20 available in RHEL 9

-

- RHEL 9 includes the nginx 1.20 web and proxy server. This release - provides a number of bug fixes, security fixes, new features and enhancements over version 1.18. -

-
-

- New features: -

-
-
    -
  • - nginx now supports client SSL certificate validation with - Online Certificate Status Protocol (OCSP). -
  • -
  • - nginx now supports cache clearing based on the minimum amount - of free space. This support is implemented as the min_free - parameter of the proxy_cache_path directive. -
  • -
  • - A new ngx_stream_set_module module has been added, which - enables you to set a value for a variable. -
  • -
  • - A new nginx-mod-devel package has been added, which provides - all necessary files, including RPM macros and nginx source - code, for building external dynamic modules for nginx. -
  • -
-
-

- Enhanced directives: -

-
-
    -
  • - Multiple new directives are now available, such as ssl_conf_command and ssl_reject_handshake. -
  • -
  • - The proxy_cookie_flags directive now supports variables. -
  • -
-
-

- Improved support for HTTP/2: -

-
-
    -
  • - The ngx_http_v2 module now includes the lingering_close, lingering_time, - lingering_timeout directives. -
  • -
  • - Handling connections in HTTP/2 has been aligned with HTTP/1.x. From nginx 1.20, use the keepalive_timeout and keepalive_requests directives instead of the removed http2_recv_timeout, http2_idle_timeout, and http2_max_requests directives. -
  • -
-
-

- nginx 1.20 is the initial version of this Application Stream, which you - can install easily as an RPM package. Additional nginx versions will be - provided as modules with a shorter life cycle in future minor releases of RHEL 9. -

-

- For more information, see Setting - up and configuring NGINX. -

-

- (BZ#1953639, BZ#1991720) -

-
-

Varnish Cache 6.6 in RHEL 9

-

- RHEL 9 includes Varnish Cache 6.6, a high-performance HTTP reverse - proxy. -

-
-

- Notable changes since version 6.0 include: -

-
-
    -
  • - Improved performance of log-processing tools, such as varnishlog -
  • -
  • - Improved accuracy of statistics -
  • -
  • - A number of optimizations in cache lookups -
  • -
  • - Various configuration changes -
  • -
  • - Numerous enhancements and bugs fixes -
  • -
-
-

- Varnish Cache 6 is the initial version of this Application Stream, - which you can install easily as an RPM package. -

-

- (BZ#1984185) -

-
-

RHEL 9 introduces Squid 5

-

- RHEL 9 is distributed with Squid 5.2, a high-performance proxy - caching server for web clients, supporting FTP, Gopher, and HTTP data objects. This release - provides a number of bug fixes, security fixes, new features, and enhancements over version 4. -

-
-

- New features: -

-
-
    -
  • -

    - Squid improves responsibility by using the Happy Eyeballs - (HE) algorithm. -

    -
    -
      -
    • - Squid now uses a received IP address as soon - request forwarding requires it instead of waiting for all of the potential - forwarding destinations to be fully resolved. -
    • -
    • - New directives are now available: happy_eyeballs_connect_gap, happy_eyeballs_connect_limit, and happy_eyeballs_connect_timeout directives. -
    • -
    • - The dns_v4_first directive has been removed. -
    • -
    -
    -
  • -
  • - Squid now uses the CDN-Loop header - as a source for loop detection in Content Delivery Networks (CDN). -
  • -
  • - Squid introduces peering support for SSL bumping. -
  • -
  • - A new Internet Content Adaptation Protocol (ICAP) trailers feature is available, which - enables ICAP agents to reliably send message metadata after the message body. -
  • -
-
-

- Changes to configuration options: -

-
-
    -
  • - The mark_client_packet configuration option has replaced clientside_mark. -
  • -
  • - The shared_transient_entries_limit configuration option has - replaced collapsed_forwarding_shared_entries_limit. -
  • -
-
-

- Squid 5 is the initial version of this Application Stream, which you - can install easily as an RPM package. -

-

- For more information, see Configuring - the Squid caching proxy server. -

-

- (BZ#1990517) -

-
-

MariaDB 10.5 in RHEL 9

-

- RHEL 9 provides MariaDB 10.5. MariaDB 10.5 is the initial version of this Application Stream, which - you can install easily as an RPM package. Additional MariaDB - versions will be provided as modules with a shorter life cycle in future minor releases of RHEL - 9. -

-
-

- For more information, see Using - MariaDB. -

-

- (BZ#1971248) -

-
-

RHEL 9 includes MySQL 8.0

-

- RHEL 9 is distributed with MySQL 8.0. MySQL 8.0 is the initial version of this Application Stream, which - you can install easily as an RPM package. MySQL 8.0 has a shorter - life cycle than RHEL 9. For details, see the Red - Hat Enterprise Linux Application Streams Life Cycle document. -

-
-

- For information about usage, see Using - MySQL. -

-

- (JIRA:RHELPLAN-78673) -

-
-

RHEL 9 provides PostgreSQL 13

-

- PostgreSQL 13 is available with RHEL 9. PostgreSQL 13 is the initial version of this Application Stream, - which you can install easily as an RPM package. Additional PostgreSQL versions will be provided as modules with a shorter life - cycle in future minor releases of RHEL 9. -

-
-

- For more information, see Using - PostgreSQL. -

-

- (JIRA:RHELPLAN-78675) -

-
-

Redis 6.2 in RHEL 9

-

- RHEL 9 is distributed with Redis 6.2, which provides a number of - bug and security fixes and enhancements over version 6.0 available in RHEL 8. -

-
-

- Notably, Redis server configuration files are now located in a - dedicated directory: /etc/redis/redis.conf and /etc/redis/sentinel.conf. In the RHEL 8 version, the location of these - files was /etc/redis.conf and /etc/redis-sentinel.conf respectively. -

-

- Redis 6 is the initial version of this Application Stream, which you - can install easily as an RPM package. -

-

- (BZ#1959756) -

-
-

New package: perl-Module-Signature -

-

- RHEL 9 introduces the perl-Module-Signature Perl module. With this - new module, you can enable signature checking for cpan to mitigate - CVE-2020-16156. For more information, see How to mitigate CVE-2020-16154 in - perl-App-cpanminus and CVE-2020-16156 in perl-CPAN. -

-
-

- (BZ#2039361) -

-
-
-
-
-
-

4.14. Compilers and development tools

-
-
-
-
-

RHEL 9 provides support for IBM POWER10 processors

-

- From the Linux kernel, through the system toolchain (GCC, binutils, glibc), Red Hat Enterprise - Linux 9 has been updated to include support for IBM’s latest POWER processor, POWER10. RHEL 9 is - production ready for workloads on POWER10, with enhancements coming in future releases. -

-
-

- (BZ#2027596) -

-
-

GCC 11.2.1 is available

-

- RHEL 9 is distributed with GCC version 11.2.1. Notable bug fixes and enhancements include: -

-
-

- General improvements -

-
-
    -
  • - GCC now defaults to the DWARF Version 5 debugging format. -
  • -
  • - Column numbers shown in diagnostics represent real column numbers by default and respect - multicolumn characters. -
  • -
  • - The straight-line code vectorizer considers the whole function when vectorizing. -
  • -
  • - A series of conditional expressions that compare the same variable can be transformed into a - switch statement if each of them contains a comparison expression. -
  • -
  • -

    - Interprocedural optimization improvements: -

    -
    -
      -
    • - A new IPA-modref pass, controlled by the -fipa-modref option, tracks side effects of function - calls and improves the precision of points-to analysis. -
    • -
    • - The identical code folding pass, controlled by the -fipa-icf option, was significantly improved to - increase the number of unified functions and reduce compile-time memory use. -
    • -
    -
    -
  • -
  • -

    - Link-time optimization improvements: -

    -
    -
      -
    • - Link-time optimization (LTO) enables the compiler to perform various - optimizations across all translation units of your program by using its - intermediate representation at link time. For more information, see Link - time optimization. -
    • -
    • - Memory allocation during linking was improved to reduce peak memory use. -
    • -
    -
    -
  • -
  • - Using a new GCC_EXTRA_DIAGNOSTIC_OUTPUT environment variable in - IDEs, you can request machine-readable “fix-it hints” without adjusting build flags. -
  • -
  • - The static analyzer, run by the -fanalyzer option, is improved - significantly with numerous bug fixes and enhancements provided. -
  • -
-
-

- Language-specific improvements -

-

- C family -

-
-
    -
  • - C and C++ compilers support non-rectangular loop nests in OpenMP constructs and the - allocator routines of the OpenMP 5.0 specification. -
  • -
  • -

    - Attributes: -

    -
    -
      -
    • - The new no_stack_protector attribute marks - functions that should not be instrumented with stack protection (-fstack-protector). -
    • -
    • - The improved malloc attribute can be used to - identify allocator and deallocator API pairs. -
    • -
    -
    -
  • -
  • -

    - New warnings: -

    -
    -
      -
    • - -Wsizeof-array-div, enabled by the -Wall option, warns about divisions of two sizeof operators when the first one is applied to an - array and the divisor does not equal the size of the array element. -
    • -
    • - -Wstringop-overread, enabled by default, warns - about calls to string functions that try to read past the end of the arrays - passed to them as arguments. -
    • -
    -
    -
  • -
  • -

    - Enhanced warnings: -

    -
    -
      -
    • - -Wfree-nonheap-object detects more instances of - calls to deallocation functions with pointers not returned from a dynamic memory - allocation function. -
    • -
    • - -Wmaybe-uninitialized diagnoses the passing of - pointers and references to uninitialized memory to functions that take const-qualified arguments. -
    • -
    • - -Wuninitialized detects reads from uninitialized - dynamically allocated memory. -
    • -
    -
    -
  • -
-
-

- C -

-
-
    -
  • -

    - Several new features from the upcoming C2X revision of the ISO C standard are supported - with the -std=c2x and -std=gnu2x options. For example: -

    -
    -
      -
    • - The - standard attribute is supported. -
    • -
    • - The __has_c_attribute preprocessor operator is - supported. -
    • -
    • - Labels may appear before declarations and at the end of a compound statement. -
    • -
    -
    -
  • -
-
-

- C++ -

-
-
    -
  • - The default mode is changed to -std=gnu++17. -
  • -
  • - The C++ library libstdc++ has improved C++17 support now. -
  • -
  • -

    - Several new C++20 features are implemented. Note that C++20 support is experimental. -

    -

    - For more information about the features, see C++20 Language - Features. -

    -
  • -
  • - The C++ front end has experimental support for some of the upcoming C++23 draft features. -
  • -
  • -

    - New warnings: -

    -
    -
      -
    • - -Wctad-maybe-unsupported, disabled by default, - warns about performing class template argument deduction on a type with no - deduction guides. -
    • -
    • - -Wrange-loop-construct, enabled by -Wall, warns when a range-based for loop is creating - unnecessary and resource inefficient copies. -
    • -
    • - -Wmismatched-new-delete, enabled by -Wall, warns about calls to operator delete with - pointers returned from mismatched forms of operator new or from other mismatched - allocation functions. -
    • -
    • - -Wvexing-parse, enabled by default, warns about the - most vexing parse rule: the cases when a declaration looks like a variable - definition, but the C++ language requires it to be interpreted as a function - declaration. -
    • -
    -
    -
  • -
-
-

- Architecture-specific improvements -

-

- The 64-bit ARM architecture -

-
-
    -
  • - The Armv8-R architecture is supported through the -march=armv8-r option. -
  • -
  • - GCC can autovectorize operations performing addition, subtraction, multiplication, and the - accumulate and subtract variants on complex numbers. -
  • -
-
-

- AMD and Intel 64-bit architectures -

-
-
    -
  • - New ISA extension support for Intel AVX-VNNI is added. The -mavxvnni compiler switch controls the AVX-VNNI intrinsics. -
  • -
  • - AMD CPUs based on the znver3 core are supported with the new -march=znver3 option. -
  • -
  • - Three microarchitecture levels defined in the x86-64 psABI supplement are - supported with the new -march=x86-64-v2, -march=x86-64-v3, and -march=x86-64-v4 options. -
  • -
-
-

- IBM Z architectures -

-
-
    -
  • - GCC 11.2.1 defaults to the IBM z14 processor. -
  • -
-
-

- IBM Power Systems -

-
-
    -
  • - GCC 11.2.1 defaults to the IBM POWER9 processor. -
  • -
  • - The GCC compiler now supports POWER10 instructions with the new -mcpu=power10 command-line option -
  • -
-
-

- (BZ#1986836, - BZ#1870016, BZ#1870025, BZ#1870028, BZ#2019811, BZ#2047296) -

-
-

New command for capturing glibc optimization - data

-

- The new ld.so --list-diagnostics command captures data that - influences glibc optimization decisions, such as IFUNC selection - and glibc-hwcaps configuration, in a single machine-readable file. -

-
-

- (BZ#2023422) -

-
-

Notable changes to binutils

-

- RHEL 9 introduces the following changes to binutils: -

-
-
-
    -
  • - binutils now supports Intel’s AMX/TMUL instruction set, - resulting in improved performance for applications which can make use of this new feature. -
  • -
  • - The assembler, linker, and other binary utilities now support the POWER10 instructions. -
  • -
-
-

- (BZ#2030554, BZ#1870021) -

-
-

sched_getcpu implementation can now, - optionally, use rseq (restartable sequences) to improve - performance on the 64-bit ARM architectures and other architectures

-

- The previous implementation of sched_getcpu on the 64-bit ARM - architectures uses the getcpu system call, which is too slow for - efficient use in most parallel algorithms. Other architectures use vDSO (virtual dynamic shared - object) acceleration to work around this. Implementing sched_getcpu - using rseq greatly improves performance on the 64-bit ARM - architectures. Other architectures see a slight improvement. -

-
-

- To configure sched_getcpu to use rseq, set - the GLIBC_TUNABLES=glibc.pthread.rseq=1 environment variable: -

-
# GLIBC_TUNABLES=glibc.pthread.rseq=1
-# export GLIBC_TUNABLES
-

- (BZ#2024347) -

-
-

Updated performance tools and debuggers

-

- The following performance tools and debuggers are available with RHEL 9.0: -

-
-
-
    -
  • - GDB 10.2 -
  • -
  • - Valgrind 3.18.1 -
  • -
  • - SystemTap 4.6 -
  • -
  • - Dyninst 11.0.0 -
  • -
  • - elfutils 0.186 -
  • -
-
-

- (BZ#2019806) -

-
-

DAWR functionality improved in GDB on IBM POWER10

-

- RHEL 9 is distributed with GDB 10.2 that provides improved DAWR functionality. New hardware - watchpoint capabilities are enabled for GDB on the IBM POWER10 processors. For example, a new - set of DAWR/DAWRX registers has been added. -

-
-

- (BZ#1870029) -

-
-

GDB supports new prefixed instructions on IBM POWER10

-

- GDB 10.2 fully supports the Power ISA 3.1 prefixed instructions on POWER10, which include - eight-byte prefixed instructions. In RHEL 8.4, GDB only supported four-byte instructions. -

-
-

- (BZ#1870031) -

-
-

RHEL 9 provides boost 1.75.0

-

- RHEL 9 is distributed with the boost package version 1.75.0. - Notable bug fixes and enhancements over version 1.67.0 include: -

-
-
-
    -
  • - The Boost.Signals library has been removed and replaced by the - header-only Boost.Signals2 component. -
  • -
  • - The bjam tool in the boost-jam - package has been replaced by b2 in the boost-b2 package. -
  • -
  • -

    - New libraries: -

    -
    -
      -
    • - Boost.Contracts -
    • -
    • - Boost.HOF -
    • -
    • - Boost.YAP -
    • -
    • - Boost.Safe Numerics -
    • -
    • - Boost.Outcome -
    • -
    • - Boost.Histogram -
    • -
    • - Boost.Variant2 -
    • -
    • - Boost.Nowide -
    • -
    • - Boost.StaticString -
    • -
    • - Boost.STL_Interfaces -
    • -
    • - Boost.JSON -
    • -
    • - Boost.LEAF -
    • -
    • - Boost.PFR -
    • -
    -
    -
  • -
-
-

- (BZ#1957950) -

-
-

RHEL 9 provides LLVM Toolset 13.0.1

-

- RHEL 9 is distributed with LLVM Toolset version 13.0.1. Notable bug fixes and enhancements over - version 12.0.1 include: -

-
-
-
    -
  • - Clang now supports guaranteed tail calls with statement attributes [[clang::musttail]] in C++ and __attribute__((musttail)) in C. -
  • -
  • - Clang now supports the -Wreserved-identifier warning, which - warns developers when using reserved identifiers in their code. -
  • -
  • - Clang’s -Wshadow flag now also checks for shadowed structured - bindings. -
  • -
  • - Clang’s -Wextra now also implies -Wnull-pointer-subtraction. -
  • -
  • - Clang now supports guaranteed tail calls with statement attributes [[clang::musttail]] in C++ and __attribute__((musttail)) in C. -
  • -
-
-

- In RHEL 9, you can install llvm-toolset easily as an RPM package. -

-

- (BZ#2001107) -

-
-

Notable changes in CMake 3.20.2

-

- RHEL 9 is distributed with CMake 3.20.2. To use CMake on a project that requires version 3.20.2 - or less, use the command cmake_minimum_required(version 3.20.2). -

-
-

- Notable changes include: -

-
-
    -
  • - C++23 compiler modes can now be specified by using the target properties CXX_STANDARD, CUDA_STANDARD, OBJCXX_STANDARD, or by using the cxx_std_23 meta-feature of the compile features function. -
  • -
  • - CUDA language support now allows the NVIDIA CUDA compiler to be a symbolic link. -
  • -
  • - The Intel oneAPI NextGen LLVM compilers are now supported with the IntelLLVM compiler ID. -
  • -
  • - CMake now facilitates cross compiling for Android by merging with the Android NDK’s - toolchain file. -
  • -
  • - When running cmake(1) to generate a project build system, - unknown command-line arguments starting with a hyphen are now rejected. -
  • -
-
-

- For further information on new features and deprecated functionalities, see the CMake Release Notes. -

-

- (BZ#1957948) -

-
-

RHEL 9 provides Go 1.17.7

-

- RHEL 9 is distributed with Go Toolset version 1.17.7. Notable bug fixes and enhancements over - version 1.16.7 include: -

-
-
-
    -
  • - Added an option to convert slices to array pointers. -
  • -
  • - Added support for //go:build lines. -
  • -
  • - Improvements to function call performance on amd64. -
  • -
  • - Function arguments are formatted more clearly in stack traces. -
  • -
  • - Functions containing closures can be inlined. -
  • -
  • - Reduced resource consumption in x509 certificate parsing. -
  • -
-
-

- In RHEL 9, you can install go-toolset easily as an RPM package. -

-

- (BZ#2014087) -

-
-

Go FIPS mode is supported with OpenSSL 3

-

- You can now use the OpenSSL 3 library when in Go FIPS mode. -

-
-

- (BZ#1984110) -

-
-

RHEL 9 provides Rust Toolset 1.58.1

-

- RHEL 9 is distributed with Rust Toolset version 1.58.1. Notable bug fixes and enhancements over - version 1.54.0 include: -

-
-
-
    -
  • - The Rust compiler now supports the 2021 edition of the language, featuring disjoint capture - in closure, IntoIterator for arrays, a new Cargo feature - resolver, and more. -
  • -
  • - Added Cargo support for new custom profiles. -
  • -
  • - Cargo deduplicates compiler errors. -
  • -
  • - Added new open range patterns. -
  • -
  • - Added captured identifiers in format strings. -
  • -
-
-

- For further information, see Rust 1.55Rust 1.56Rust 1.57Rust 1.58 -

-

- In RHEL 9, you can install rust-toolset easily as an RPM package. -

-

- (BZ#2002885) -

-
-

RHEL 9 provides the pcp package version - 5.3.5

-

- RHEL 9 is distributed with the Performance Co-Pilot (pcp) package - version 5.3.5. Since version 5.3.1, a new pcp-pmda-bpf sub-package - has been added which provides performance data from eBPF programs - utilizing BPF CO-RE (libbpf and BTF). -

-
-

- (BZ#1991764) -

-
-

Active Directory authentication for accessing SQL Server metrics in - PCP

-

- With this update, a system administrator can configure pmdamssql(1) - to connect securely to the SQL Server metrics using Active Directory (AD) authentication. -

-
-

- (BZ#1847808) -

-
-

The new pcp-ss PCP utility is now - available

-

- The pcp-ss PCP utility reports socket statistics collected by the - pmdasockets(1) PMDA. The command is compatible with many of the - ss command line options and reporting formats. It also offers the - advantages of local or remote monitoring in live mode and historical replay from a previously - recorded PCP archive. -

-
-

- (BZ#1981223) -

-
-

RHEL 9 provides grafana 7.5.11

-

- RHEL 9 is distributed with the grafana package version 7.5.11. - Notable changes over version 7.5.9 include: -

-
-
-
    -
  • - Added a new prepare time series transformation for backward - compatibility of panels that do not support the new data frame format. -
  • -
  • - Updated password recovery functionality to use HMAC-SHA-256 instead of SHA-1 to generate - password reset tokens. -
  • -
-
-

- (BZ#1993215) -

-
-

RHEL 9 provides grafana-pcp 3.2.0

-

- RHEL 9 is distributed with the grafana-pcp package version 3.2.0. - Notable bug fixes and enhancements over version 3.1.0 include: -

-
-
-
    -
  • - Added a new MS SQL server dashboard for PCP Redis. -
  • -
  • - Added visibility of empty histogram buckets in the PCP Vector eBPF/BCC Overview dashboard. -
  • -
  • - Fixed a bug where the metric() function of PCP Redis didn’t - return all metric names. -
  • -
-
-

- (BZ#1993156) -

-
-

Accessing remote hosts through a central pmproxy for the Vector data source in grafana-pcp

-

- In some environments, the network policy does not allow connections from the dashboard viewer’s - browser to the monitored hosts directly. This update makes it possible to customize the hostspec in order to connect to a central pmproxy, which forwards the requests to the individual hosts. -

-
-

- (BZ#1845592) -

-
-

A new package: ansible-pcp

-

- The ansible-pcp package contains roles for Performance Co-Pilot - (PCP) and related software, such as Redis and Grafana, used to implement the metrics RHEL system role. -

-
-

- (BZ#1957566) -

-
-

RHEL 9 provides python-jsonpointer - 2.0

-

- RHEL 9 is distributed with the python-jsonpointer package version - 2.0. -

-
-

- Notable changes over version 1.9 include: -

-
-
    -
  • - The Python versions 2.6 and 3.3 are deprecated. -
  • -
  • - The python-jsonpointer module now automatically checks pointers - for invalid escape sequences. -
  • -
  • - You can now write pointers as arguments in the command line. -
  • -
  • - Pointers can not be submitted in URL encoded format any more. -
  • -
-
-

- (BZ#1980256) -

-
-

.NET 6.0 is available

-

- RHEL 9 is distributed with .NET version 6.0. - Notable improvements include: -

-
-
-
    -
  • - Support for 64-bit Arm (aarch64) -
  • -
  • - Support for IBM Z and LinuxONE (s390x) -
  • -
-
-

- For more information, see Release - Notes for .NET 6.0 RPM packages and Release - Notes for .NET 6.0 containers. -

-

- .NET 6.0 is the initial version of this - Application Stream, which you can install easily as an RPM package. .NET 6.0 has a shorter life cycle than RHEL 9. For - details, see the Red - Hat Enterprise Linux Application Streams Life Cycle document. -

-

- (BZ#1986211) -

-
-

Java implementations in RHEL 9

-

- The RHEL 9 AppStream repository includes: -

-
-
-
    -
  • - The java-17-openjdk packages, which provide the OpenJDK 17 Java - Runtime Environment and the OpenJDK 17 Java Software Development Kit. -
  • -
  • - The java-11-openjdk packages, which provide the OpenJDK 11 Java - Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
  • -
  • - The java-1.8.0-openjdk packages, which provide the OpenJDK 8 - Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. -
  • -
-
-

- For more information, see OpenJDK documentation. -

-

- (BZ#2021262) -

-
-

Java tools in RHEL 9

-

- The RHEL 9 AppStream repository includes the following Java tools: -

-
-
-
    -
  • - Maven 3.6.3, a software project management and comprehension - tool. -
  • -
  • - Ant 1.10.9, a Java library and command-line tool for compiling, - assembling, testing, and running Java applications. -
  • -
-
-

- Maven 3.6 and Ant 1.10 are the initial - versions of these Application Streams, which you can install easily as non-modular RPM packages. -

-

- (BZ#1951482) -

-
-

SWIG 4.0 available in the CRB - repository

-

- The Simplified Wrapper and Interface Generator (SWIG) version 4.0 is available in the CodeReady - Linux Builder (CRB) repository. This release adds support for PHP 8. -

-
-

- In RHEL 9, you can install SWIG easily as an RPM package. -

-

- Note that packages included in the CodeReady Linux Builder repository are unsupported. -

-

- (BZ#1943580) -

-
-
-
-
-
-

4.15. Identity Management

-
-
-
-
-

Directory Server no longer uses a global changelog

-

- With this enhancement, the Directory Server changelog has been integrated into the main - database. Previously, Directory Server used a global changelog. However, this could cause issues - if the directory used multiple databases. As a result, each suffix has now its own changelog in - the same directory as the regular database files. -

-
-

- (BZ#1805717) -

-
-

ansible-freeipa is now available in the - AppStream repository with all dependencies

-

- Previously in RHEL 8, before installing the ansible-freeipa - package, you first had to enable the Ansible repository and install the ansible package. In RHEL 8.6 and RHEL 9, you can install ansible-freeipa without any preliminary steps. Installing ansible-freeipa automatically installs the ansible-core package, a more basic version of ansible, as a dependency. Both ansible-freeipa and ansible-core are - available in the rhel-9-for-x86_64-appstream-rpms repository. -

-
-

- ansible-freeipa in RHEL 8.6 and RHEL 9 contains all the modules that it - contained in RHEL 8. -

-

- (JIRA:RHELPLAN-100359) -

-
-

IdM now supports the automountlocation, automountmap, and automountkey - Ansible modules

-

- With this update, the ansible-freeipa package contains the ipaautomountlocation, ipaautomountmap, - and ipaautomountkey modules. You can use these modules to configure - directories to be mounted automatically for IdM users logged in to IdM clients in an IdM - location. Note that currently, only direct maps are supported. -

-
-

- (JIRA:RHELPLAN-79161) -

-
-

The support for managing subID ranges is available in the - shadow-utils

-

- Previously, shadow-utils configured the subID ranges automatically - from the /etc/subuid and /etc/subgid - files. With this update, the configuration of subID ranges is available in the /etc/nsswitch.conf file by setting a value in the subid field. For more information, see man subuid and man subgid. Also, with - this update, an SSSD implementation of the shadow-utils plugin is - available, which provides the subID ranges from the IPA server. To use this functionality, add - the subid: sss value to the /etc/nsswitch.conf file. This solution might be useful in the - containerized environment to facilitate rootless containers. -

-
-

- Note that in case the /etc/nsswitch.conf file is configured by the - authselect tool, you must follow the procedures described in the authselect documentation. When it is not the case, you can modify the - /etc/nsswitch.conf file manually. -

-

- (BZ#1859252) -

-
-

Support for managing subID ranges is available in IdM

-

- With this update, you can manage ID subranges for users in Identity Management. You can use the - ipa CLI tool or IdM WebUI interface to assign automatically - configured subID ranges to a user, which might be useful in a containerized environment. -

-
-

- (BZ#1952028) -

-
-

Identity Management installation packages have been demodularized -

-

- Previously in RHEL 8, IdM packages were distributed as modules, which required you to enable a - stream and install the profile that corresponds to your desired installation. IdM installation - packages have been demodularized in RHEL 9, so you can use the following dnf commands to install IdM server packages: -

-
-

- For a server without integrated DNS services: -

-
# dnf install ipa-server
-

- For a server with integrated DNS services: -

-
# dnf install ipa-server ipa-server-dns
-

- (BZ#2080875) -

-
-

An alternative to the traditional RHEL ansible-freeipa repository: Ansible - Automation Hub

-

- With this update, you can download ansible-freeipa modules from the - Ansible Automation Hub (AAH) instead of downloading them from the standard RHEL repository. By - using AAH, you can benefit from the faster updates of the ansible-freeipa modules available in this repository. -

-
-

- In AAH, ansible-freeipa roles and modules are distributed in the - collection format. Note that you need an Ansible Automation Platform (AAP) subscription to access - the content on the AAH portal. You also need ansible version 2.9 or - later. -

-

- The redhat.rhel_idm collection has the same content as the traditional - ansible-freeipa package. However, the collection format uses a fully - qualified collection name (FQCN) that consists of a namespace and the collection name. For example, - the redhat.rhel_idm.ipadnsconfig module corresponds to the ipadnsconfig module in ansible-freeipa - provided by a RHEL repository. The combination of a namespace and a collection name ensures that the - objects are unique and can be shared without any conflicts. -

-

- (JIRA:RHELPLAN-103147) -

-
-

ansible-freeipa modules can now be executed remotely on IdM - clients

-

- Previously, ansible-freeipa modules could only be executed on IdM - servers. This required your Ansible administrator to have SSH - access to your IdM server, causing a potential security threat. With this update, you can - execute ansible-freeipa modules remotely on systems that are IdM - clients. As a result, you can manage IdM configuration and entities in a more secure way. -

-
-

- To execute ansible-freeipa modules on an IdM client, choose one of the - following options: -

-
-
    -
  • - Set the hosts variable of the playbook to an IdM client host. -
  • -
  • - Add the ipa_context: client line to the playbook task that uses - the ansible-freeipa module. -
  • -
-
-

- You can set the ipa_context variable to client on an IdM server, too. However, the server context usually - provides better performance. If ipa_context is not set, ansible-freeipa checks if it is running on a server or a client, and sets - the context accordingly. Note that executing an ansible-freeipa module - with context set to server on an IdM - client host raises an error of missing libraries. -

-

- (JIRA:RHELPLAN-103146) -

-
-

The ipadnsconfig module now requires action: member to exclude a global forwarder

-

- With this update, excluding global forwarders in Identity Management (IdM) by using the ansible-freeipa ipadnsconfig module - requires using the action: member option in addition to the state: absent option. If you only use state: absent in your playbook without also using action: member, the playbook fails. Consequently, to remove all - global forwarders, you must specify all of them individually in the playbook. In contrast, the - state: present option does not require action: member. -

-
-

- (BZ#2046325) -

-
-

Automatic private groups for AD users support centralized - configuring

-

- You can now centrally define how compatible versions of SSSD on IdM clients manage private - groups for users from trusted Active Directory domains. With this enhancement, you can now - explicitly set the value for SSSD’s auto_private_groups option for - an ID range that handles AD users. -

-
-

- When the auto_private_groups option is not explicitly set, it uses a - default value: -

-
-
    -
  • - For an ipa-ad-trust-posix ID range, the default value is false. SSSD always uses the uidNumber and gidNumber of the AD - entry. A group with the gidNumber must exist in AD. -
  • -
  • - For an ipa-ad-trust ID range, the default value is true. SSSD maps the uidNumber from - the entry SID, the gidNumber is always set to the same value, - and a private group is always mapped. -
  • -
-
-

- You can also set auto_private_groups to a third setting: hybrid. With this setting, SSSD maps a private group if the user entry - has a GID equal to the UID but there is no group with this GID. If the UID and GID are different, a - group with this GID number must exist. -

-

- This feature is useful for administrators that want to stop maintaining separate group objects for - the user private groups, but also want to retain the existing user private groups. -

-

- (BZ#1957736) -

-
-

Customizable logging settings for BIND

-

- With this enhancement, you can now configure logging settings for the BIND DNS server component - of an Identity Management server in the /etc/named/ipa-logging-ext.conf configuration file. -

-
-

- (BZ#1966101) -

-
-

Autodiscovery of IdM servers when retrieving an IdM keytab

-

- With this enhancement, you no longer need to specify an IdM server host name when retrieving a - Kerberos keytab with the ipa-getkeytab command. If you do not - specify a server host name, DNS discovery is used to find an IdM server. If no servers are - found, the command falls back to the host value specified in the - /etc/ipa/default.conf configuration file. -

-
-

- (BZ#1988383) -

-
-

RHEL 9 provides Samba 4.15.5

-

- RHEL 9 is distributed with Samba 4.15.5, which provides bug fixes and enhancements over version - 4.14: -

-
-
- -
-

- Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba - automatically updates its tdb database files. Note that Red Hat does - not support downgrading tdb database files. -

-

- After updating Samba, verify the /etc/samba/smb.conf file using the - testparm utility. -

-

- For further information about notable changes, read the upstream release notes before - updating. -

-

- (BZ#2013578) -

-
-

Tracking client requests using the log analyzer tool

-

- The System Security Services Daemon (SSSD) now includes a log parsing tool which tracks requests - from start to finish across log files from multiple SSSD components. -

-
-

- The log analyzer tool allows you to more easily review SSSD debug logs to help you to troubleshoot - any issues in SSSD. For example, you can extract and print SSSD logs pertaining only to certain - client requests across SSSD processes. To run the analyzer tool, use the sssctl analyze command. -

-

- (JIRA:RHELPLAN-97899) -

-
-

SSSD now logs backtraces by default

-

- With this enhancement, SSSD now stores detailed debug logs in an in-memory buffer and appends - them to log files when a failure occurs. By default, the following error levels trigger a - backtrace: -

-
-
-
    -
  • - Level 0: fatal failures -
  • -
  • - Level 1: critical failures -
  • -
  • - Level 2: serious failures -
  • -
-
-

- You can modify this behavior for each SSSD process by setting the debug_level option in the corresponding section of the sssd.conf configuration file: -

-
-
    -
  • - If you set the debugging level to 0, only level 0 events trigger a backtrace. -
  • -
  • - If you set the debugging level to 1, levels 0 and 1 trigger a backtrace. -
  • -
  • - If you set the debugging level to 2 or higher, events at level 0 through 2 trigger a - backtrace. -
  • -
-
-

- You can disable this feature per SSSD process by setting the debug_backtrace_enabled option to false in - the corresponding section of sssd.conf: -

-
[sssd]
-debug_backtrace_enabled = true
-debug_level=0
-...
-
-[nss]
-debug_backtrace_enabled = false
-...
-
-[domain/idm.example.com]
-debug_backtrace_enabled = true
-debug_level=2
-...
-
-...
-

- (BZ#1949149) -

-
-

SSSD default SSH hashing value is now consistent with the OpenSSH - setting

-

- The default value of ssh_hash_known_hosts has been changed to - false. It is now consistent with the OpenSSH setting, which does not hash host names by default. -

-
-

- However, if you need to continue to hash host names, add ssh_hash_known_hosts = True to the [ssh] - section of the /etc/sssd/sssd.conf configuration file. -

-

- (BZ#2014249) -

-
-

Directory Server 12.0 is based on upstream version 2.0.14

-

- Directory Server 12.0 is based on upstream version 2.0.14 which provides a number of bug fixes - and enhancements over the previous version. For a complete list of notable changes, read the - upstream release notes before updating: -

-
- -

- (BZ#2024693) -

-
-

Directory Server now stores memory-mapped files of databases on a tmpfs file system

-

- In Directory Server, the nsslapd-db-home-directory parameter - defines the location of memory-mapped files of databases. This enhancement changes the default - value of the parameter from /var/lib/dirsrv/slapd-instance_name/db/ - to /dev/shm/. As a result, with the internal databases stored on a - tmpfs file system, the performance of Directory Server increases. -

-
-

- (BZ#2088414) -

-
-

FreeRADIUS support is now redesigned

-

- In RHEL 9, the existing FreeRADIUS offering is now streamlined and aligned more closely with the - strategic direction of Identity Management (IdM). In order to provide the best support for IdM - customers, Red Hat is strengthening support for these external authentication modules with - FreeRADIUS: -

-
-
-
    -
  • - Authentication based on krb5 and LDAP -
  • -
  • - Python 3 authentication -
  • -
-
-

- The following modules are no longer supported: -

-
-
    -
  • - The MySQL, PostgreSQL, SQlite, and unixODBC database connectors -
  • -
  • - The Perl language module -
  • -
  • - The REST API module -
  • -
-
-
-
Note
-
-

- The PAM authentication and other authentication modules that are provided as part of the - base package are not affected. -

-
-
-

- You can find replacements for the removed modules in community-supported packages, for example in - the Fedora project. -

-

- In addition, the scope of support for the freeradius package is now - limited to the following use cases: -

-
-
    -
  • - Using FreeRADIUS as an authentication provider with IdM as the backend source of - authentication. The authentication is happening through the krb5 and LDAP authentication packages or as PAM authentication in - the main FreeRADIUS package. -
  • -
  • - Using FreeRADIUS to provide a source-of-truth for authentication in IdM, through the Python 3 authentication package. -
  • -
-
-

- (JIRA:RHELDOCS-17553) -

-
-
-
-
-
-

4.16. Desktop

-
-
-
-
-

GNOME updated to version 40

-

- The GNOME environment is now updated from GNOME 3.28 to GNOME 40 with many new features. -

-
-

- GNOME 40 includes a new and improved Activities - Overview design. This gives the overview a more coherent look, and provides - an improved experience for navigating the system and launching applications. Workspaces are now - arranged horizontally, and the window overview and application grid are accessed vertically. -

-

- Other improvements to GNOME include: -

-
-
    -
  • - The performance and resource usage of GNOME has been significantly improved. -
  • -
  • - The visual style, including the user interface, the icons, and the desktop, has been - refreshed. -
  • -
  • - GNOME applications no longer use the application menu, which was available from the top - panel. The functionality is now located in a primary menu within the application window. -
  • -
  • - The Settings application has been - redesigned. -
  • -
  • - Screen sharing and remote desktop sessions have been improved. -
  • -
  • -

    - If you use the proprietary NVIDIA drivers, you can now launch applications using the - discrete GPU: -

    -
    -
      -
    1. - Open the overview. -
    2. -
    3. - Right-click the application icon in the dash. -
    4. -
    5. - Select the Launch on Discrete - GPU item in the menu. -
    6. -
    -
    -
  • -
  • - The Power Off / Log Out menu now - includes the Suspend option and a new - Restart option, which can reboot the - system to the boot loader menu when you hold Alt. -
  • -
  • - Flatpak applications now update automatically. -
  • -
  • - You can now group application icons in the overview together into folders using drag and - drop. -
  • -
  • - The Terminal application now supports - right-to-left and bi-directional text. -
  • -
  • - The Pointer Location accessibility - feature now works in the Wayland session. When the feature is enabled, pressing Ctrl highlights the pointer location on the - screen. -
  • -
  • - GNOME shell extensions are now managed by the Extensions application, rather than Software. The Extensions application handles updating - extensions, configuring extension preferences, and removing or disabling extensions. -
  • -
  • - The notifications popover now includes a Do Not - Disturb button. When the button enabled, notifications do not appear - on the screen. -
  • -
  • - System dialogs that require a password now have an option to reveal the password text by - clicking the eye (👁) icon. -
  • -
  • - The Software application now - automatically detects metered networks, such as mobile data networks. When the current - network is metered, Software pauses - updates in order to reduce data usage. -
  • -
  • - Each connected display can now use a different refresh rate in the Wayland session. -
  • -
  • -

    - Fractional display scaling is available as an experimental option. It includes several - preconfigured fractional ratios. -

    -

    - To enable the experimental fractional scaling, add the scale-monitor-framebuffer value to the list of enabled - experimental features: -

    -
    $ dconf write \
    -/org/gnome/mutter/experimental-features \
    -"['scale-monitor-framebuffer']"
    -

    - As a result, fractional scaling options are accessible on the Display panel in Settings. -

    -
  • -
-
-

- For more details on the changes in GNOME, see versions 3.30 to 40.0 in Release Notes. -

-

- (JIRA:RHELPLAN-101240) -

-
-

PipeWire is now the default audio service

-

- The Pipewire service now manages all audio - output and input. Pipewire replaces the - PulseAudio service in general use cases and - the JACK service in professional use cases. - The system now redirects audio from applications that use PulseAudio, JACK, or the ALSA framework into Pipewire. -

-
-

- Benefits of Pipewire over the previous solutions - include: -

-
-
    -
  • - A unified solution for consumer and professional users -
  • -
  • - A flexible, modular architecture -
  • -
  • - High performance and low latency, similar to the JACK service -
  • -
  • - Isolation between audio clients for better security -
  • -
-
-

- You no longer have to configure the JACK service - for applications that use it. All JACK - applications now work in the default RHEL configuration. -

-

- PulseAudio is still available in RHEL, and you - can enable it instead of PipeWire. For details, - see Switching from PipeWire to - PulseAudio. -

-

- (JIRA:RHELPLAN-101241) -

-
-

Power profiles are available in GNOME

-

- You can now switch between several power profiles in the Power panel of Settings in the GNOME environment. The power - profiles optimize various system settings for the selected goal. -

-
-

- The following power profiles are available: -

-
-
-
Performance
-
- Optimizes for high system performance and reduces battery life. This profile is only - available on certain selected system configurations. -
-
Balanced
-
- Provides standard system performance and power consumption. This is the default profile. -
-
Power Saver
-
- Increases battery life and reduces system performance. This profile activates automatically - on low battery. -
-
-
-

- Your power profile configuration persists across system reboots. -

-

- The power profiles functionality is available from the power-profiles-daemon package, which is installed by default. -

-

- (JIRA:RHELPLAN-101242) -

-
-

Language support is now provided by langpacks

-

- Support for various languages is now available from langpacks - packages. You can customize the level of language support that you want to install using the - following package names, where code is the short ISO code for - the language, such as es for Spanish: -

-
-
-
-
langpacks-core-code -
-
-

- Provides a basic language support, including: -

-
-
    -
  • - The glibc locale -
  • -
  • - The default font -
  • -
  • - The default input method if the language requires it -
  • -
-
-
-
langpacks-core-font-code -
-
- Provides only the default font for the language. -
-
langpacks-code -
-
-

- Provides the complete language support, including the following in addition to the basic - language support: -

-
-
    -
  • - Translations -
  • -
  • - Spell checker dictionaries -
  • -
  • - Additional fonts -
  • -
-
-
-
-
-

- (JIRA:RHELPLAN-101247) -

-
-

Lightweight, single-application environment

-

- For graphical use cases that only present a single application, a lightweight user interface - (UI) is now available. -

-
-

- You can start GNOME in a single-application session, also known as kiosk mode. In this session, - GNOME displays only a full-screen window of an application that you have configured. -

-

- The single-application session is significantly less resource intensive than the standard GNOME - session. -

-

- For more information, see Restricting - the session to a single application. -

-

- (JIRA:RHELPLAN-102552) -

-
-

Security classification banners at login and in the desktop - session

-

- You can now configure classification banners to state the overall security classification level - of the system. This is useful for deployments where the user must be aware of the security - classification level of the system that they are logged into. -

-
-

- The classification banners can appear in the following contexts, depending on your configuration: -

-
-
    -
  • - Within the running session -
  • -
  • - On the lock screen -
  • -
  • - On the login screen -
  • -
-
-

- The classification banners can take the form of either a notification that you can dismiss, or a - permanent banner. -

-

- For more information, see Displaying - the system security classification. -

-

- (BZ#2031186) -

-
-

The default wallpaper adds a Red Hat logo

-

- The default RHEL wallpaper now displays a Red Hat logo. The logo is located in the upper left - corner of the screen. -

-
-

- To disable the logo, disable the Background Logo - GNOME Shell extension. -

-

- (BZ#2057150) -

-
-

Firefox now uses stronger encryption in PKCS#12 files

-

- The Firefox web browser uses PKCS#12 files to establish client authentication certificates. - Previously, Firefox encrypted these files using legacy algorithms: -

-
-
-
    -
  • - PBE-SHA1-RC2-40 to encrypt the certificate in the PKCS#12 file -
  • -
  • - PBE-SHA1-3DES to encrypt the key in the PKCS#12 file -
  • -
-
-

- With this release, Firefox encrypts the files using stronger algorithms by default: -

-
-
    -
  • - AES-256-CBC with PBKDF2 to encrypt the certificate in the PKCS#12 file -
  • -
  • - AES-128-CBC with PBKDF2 to encrypt the key in the PKCS#12 file -
  • -
-
-

- With this change, the PKCS#12 files are now compatible with the Federal Information Processing - Standard (FIPS). -

-

- The legacy encryption algorithms remain supported in Firefox as a non-default option. -

-

- (BZ#1764205) -

-
-
-
-
-
-

4.17. Graphics infrastructures

-
-
-
-
-

The Wayland session is now the default with NVIDIA drivers

-

- When using the NVIDIA drivers, the desktop session now selects the Wayland display protocol by - default, if the driver configuration supports Wayland. In previous RHEL releases, the NVIDIA - drivers always disabled Wayland. -

-
-

- To enable Wayland with the NVIDIA drivers on your system, add the following options to the kernel - command line: -

-
-
    -
  • - nvidia-drm.modeset=1 -
  • -
  • - NVreg_PreserveVideoMemoryAllocations=1 -
  • -
-
-

- Note that Wayland has been the default display protocol with other graphics drivers since RHEL 8.0. -

-

- Currently, the Wayland session with the NVIDIA drivers is still incomplete and presents certain - known issues. Red Hat is actively working with NVIDIA to address these gaps and problems across the - GPU stack. -

-

- For some of the limitations of Wayland with the NVIDIA drivers, see the Known issues section. -

-

- (JIRA:RHELPLAN-119000) -

-
-
-
-
-
-

4.18. The web console

-
-
-
-
-

Smart card authentication for sudo and SSH from the web console -

-

- Previously, it was not possible to use smart card authentication to obtain sudo privileges or - use SSH in the web console. With this update, Identity Management users can use a smart card to - gain sudo privileges or to connect to a different host with SSH. -

-
-
-
Note
-
-

- It is only possible to use one smart card to authenticate and gain sudo privileges. Using a - separate smart card for sudo is not supported. -

-
-
-

- (JIRA:RHELPLAN-95126) -

-
-

Kernel security patches without reboot in the web console

-

- This web console update allows users to apply kernel security patches without forcing reboots by - using the kpatch framework. Administrators can also automatically - subscribe any future kernel to the live patching stream. -

-
-

- (JIRA:RHELPLAN-95056) -

-
-

RHEL web console provides Insights registration by default

-

- With this update, when you use the Red Hat Enterprise Linux web console to register a RHEL - system, the Connect this system to Red Hat - Insights. check box is checked by default. If you do not want to connect - to the Insights service, uncheck the box. -

-
-

- (BZ#2049441) -

-
-

Cockpit now supports using an existing TLS certificate

-

- With this enhancement, the certificate does not have strict file permission requirements any - more (such as root:cockpit-ws 0640), and thus it can be shared with - other services. -

-
-

- (JIRA:RHELPLAN-103855) -

-
-
-
-
-
-

4.19. Red Hat Enterprise Linux system roles

-
-
-
-
-

The Networking system role now supports SAE

-

- In Wi-Fi protected access version 3 (WPA3) networks, the simultaneous authentication of equals - (SAE) method ensures that the encryption key is not transmitted. With this enhancement, the - Networking RHEL system role supports SAE. As a result, administrators can now use the Networking - system role to configure connections to Wi-Fi networks, which use WPA-SAE. -

-
-

- (BZ#1993304) -

-
-

The Networking system role now supports owe

-

- The Networking RHEL system role now supports Opportunistic Wireless Encryption (owe). owe is a wireless authentication key management type that uses - encryption between Wi-Fi clients and access points, and protects Wi-Fi clients from sniffing - attacks. To use owe, set the wireless authentication key management type,key_mgmt field, to owe. -

-
-

- (BZ#1993377) -

-
-

The Firewall system role now supports setting the firewall default - zone

-

- Zones represent a concept to manage incoming traffic more transparently. The zones are connected - to networking interfaces or assigned a range of source addresses. Firewall rules for each zone - are managed independently enabling the administrator to define complex firewall settings and - apply them to the traffic. This feature allows setting the default zone used as the default zone - to assign interfaces to, same as firewall-cmd --set-default-zone zone-name. -

-
-

- (BZ#2022461) -

-
-

The Storage RHEL system role now supports LVM VDO volumes

-

- With this enhancement, you can use the Storage system role to manage Logical Manager Volumes - (LVM) Virtual Data Optimizer (VDO) volumes. The LVM filesystem manages VDO volumes and with this - feature, it is now possible to compress and deduplicate on LVM volumes. As a result, VDO helps - to optimize the usage of the storage volumes. -

-
-

- (BZ#1978488) -

-
-

Support for volume sizes expressed as a percentage is available in the - Storage system role

-

- This enhancement adds support to the Storage RHEL system role to express LVM volume sizes as a - percentage of the pool’s total size. You can specify the size of LVM volumes as a percentage of - the pool/VG size, for example: 50% in addition to the human-readable size of the file system, - for example, 10g, 50 GiB. -

-
-

- (BZ#1984583) -

-
-

Support for cached volumes is available in the Storage system role -

-

- This enhancement adds support to the Storage RHEL system role to create and manage cached LVM - logical volumes. LVM cache can be used to improve performance of slower logical volumes, by - temporarily storing subsets of an LV’s data on a smaller, faster device, for example, an SSD. -

-
-

- (BZ#2016517) -

-
-

Ability to add or remove sources to the Firewall role

-

- This update enables you to add or remove sources in the firewall settings configuration using - the source parameter. -

-
-

- (BZ#2021667) -

-
-

New Ansible Role for Microsoft SQL Server Management

-

- The new microsoft.sql.server role is designed to help IT and - database administrators automate processes involved with setup, configuration, and performance - tuning of SQL Server on Red Hat Enterprise Linux. -

-
-

- (BZ#2013853) -

-
-

Microsoft SQL system role now supports customized repository for - disconnected or Satellite subscriptions

-

- Previously, users in disconnected environments that needed to pull packages from a custom server - or Satellite users that needed to point to Satellite or Capsule had no support from the microsoft.sql.server role. This update fixes it by providing the - mssql_rpm_key, mssql_server_repository, and mssql_client_repository variables that you can use to customize the - repositories to download packages from. If no URL is provided, the mssql role uses the official Microsoft servers to download RPMs. -

-
-

- (BZ#2064648) -

-
-

The MSSQL role consistently uses "Ansible_managed" comment in its managed - configuration files

-

- The MSSQL role generates the /var/opt/mssql/mssql.conf - configuration file. With this update, the MSSQL role inserts the "Ansible managed" comment to - the configuration files, using the Ansible standard ansible_managed - variable. The comment indicates that the configuration files should not be directly edited - because the MSSQL role can overwrite the file. As a result, the configuration files contain a - declaration stating that the configuration files are managed by Ansible. -

-
-

- (BZ#2064690) -

-
-

Ansible Core support for the RHEL system roles

-

- As of the RHEL 9 GA release, Ansible Core is provided, with a limited scope of support, to - enable RHEL supported automation use cases. Ansible Core replaces Ansible Engine which was - provided on previous versions of RHEL in a separate repository. Ansible Core is available in the - AppStream repository for RHEL. For more details on the supported use cases, see Scope of support for the Ansible Core - package included in the RHEL 9 AppStream. -

-
-

- If you require Ansible Engine support, or otherwise need support for non-RHEL automation use cases, - create a Case - at Red Hat Support. -

-

- (JIRA:RHELPLAN-103540) -

-
-

Support for configuring multiple elasticsearch hosts in one elasticsearch - output dictionary

-

- Previously, the server_host parameter used to take a string value - for a single host. This enhancement adjusts it to the underlying rsyslog omelasticsearch’s specification, so it now also takes a list - of strings to support multiple hosts. Consequently, it is adjusted to hosts, following the - underlying rsyslog omelasticsearch’s specification. As a result, - users can configure multiple elasticsearch hosts in one elasticsearch output dictionary. -

-
-

- (BZ#1986460) -

-
-

RHEL system roles now support VPN management

-

- Previously, it was difficult to set up secure and properly configured IPsec tunneling and - virtual private networking (VPN) solutions on Linux. With this enhancement, you can use the VPN - RHEL system role to set up and configure VPN tunnels for host-to-host and mesh connections more - easily across large numbers of hosts. As a result, you have a consistent and stable - configuration interface for VPN and IPsec tunneling configuration within the RHEL system roles - project. -

-
-

- (BZ#2019341) -

-
-

The SSHD RHEL system role now supports non-exclusive configuration - snippets

-

- With this feature, you can configure SSHD through different roles and playbooks without - rewriting the previous configurations by using namespaces. Namespaces are similar to a drop-in - directory, and define non-exclusive configuration snippets for SSHD. As a result, you can use - the SSHD RHEL system role from a different role, if you need to configure only a small part of - the configuration and not the entire configuration file. -

-
-

- (BZ#1978752) -

-
-

Network Time Security (NTS) option added to the timesync RHEL system role

-

- The NTS option was added to the Timesync RHEL system role to enable - NTS on client servers. NTS is a new security mechanism specified - for Network Time Protocol (NTP). NTS can secure synchronization of NTP clients without - client-specific configuration and can scale to large numbers of clients. The NTS option is supported only with the chrony NTP provider in version 4.0 and later. -

-
-

- (BZ#1978753) -

-
-

Support for HA Cluster RHEL system role

-

- The High Availability Cluster (HA Cluster) role is now fully supported. The following notable - configurations are available: -

-
-
-
    -
  • - Configuring fence devices, resources, resource groups, and resource clones including meta - attributes and resource operations -
  • -
  • - Configuring resource location constraints, resource colocation constraints, resource order - constraints, and resource ticket constraints -
  • -
  • - Configuring cluster properties -
  • -
  • - Configuring cluster nodes, custom cluster names and node names -
  • -
  • - Configuring multi-link clusters -
  • -
  • - Configuring whether clusters start automatically on boot -
  • -
-
-

- Running the role removes any configuration not supported by the role or not specified when running - the role. -

-

- The HA Cluster system role does not currently support SBD. -

-

- (BZ#2054401) -

-
-

Support for Rsyslog username and password authentication to - Elasticsearch

-

- This update adds the Elasticsearch username and password parameters to the Logging system role. - As a result, you can enable Rsyslog to authenticate to Elasticsearch using a username and - password. -

-
-

- (BZ#1990490) -

-
-

The NBDE Client system role supports static IP addresses

-

- In previous versions of RHEL, restarting a system with a static IP address and configured with - the Network Bound Disk Encryption (NBDE) Client system role would change the system’s IP - address. With this change, systems with static IP addresses are supported by the NBDE Client - system role, and their IP addresses do not change after a reboot. -

-
-

- Note that by default, the NBDE role uses DHCP when booting, and switches to the configured static IP - when the system is booted. -

-

- (BZ#2031555) -

-
-

Support for specifying raid_level for LVM has - been added

-

- RHEL 9.0 supports grouping Logical Volume Management (LVM) volumes into RAIDs using the lvmraid feature. -

-
-

- (BZ#2016518) -

-
-

The Certificate role consistently uses "Ansible_managed" comment in its - hook scripts

-

- With this enhancement, the Certificate role generates pre-scripts and post-scripts to support - providers, to which the role inserts the "Ansible managed" comment using the Ansible standard - "ansible_managed" variable: -

-
-
-
    -
  • - /etc/certmonger/pre-scripts/script_name.sh -
  • -
  • - /etc/certmonger/post-scripts/script_name.sh -
  • -
-
-

- The comment indicates that the script files should not be directly edited because the Certificate - role can overwrite the file. As a result, the configuration files contain a declaration stating that - the configuration files are managed by Ansible. -

-

- (BZ#2054364) -

-
-

A new option auto_gateway controls the default - route behavior

-

- Previously, the DEFROUTE parameter was not configurable with - configuration files but only manually configurable by naming every route. This update adds a new - auto_gateway option in the ip - configuration section for connections, with which you can control the default route behavior. - You can configure auto_gateway in the following ways: -

-
-
-
    -
  • - If set to true, default gateway settings apply to a default - route. -
  • -
  • - If set to false, the default route is removed. -
  • -
  • - If unspecified, the network role uses the default behavior of - the selected network_provider. -
  • -
-
-

- (BZ#1978773) -

-
-

Support to all bonding options added to the network system role

-

- This update provides support to all bonding options to the network - RHEL system role. Consequently, it enables you to flexibly control the network transmission over - the bonded interface. As a result, you can control the network transmission over the bonded - interface by specifying several options to that interface. -

-
-

- (BZ#2054435) -

-
-

NetworkManager supports specifying a network card using its PCI - address

-

- Previously, during setting a connection profile, NetworkManager was only allowed to specify a - network card using either its name or MAC address. In this case, the device name is not stable - and the MAC address requires inventory to maintain record of used MAC addresses. Now, you can - specify a network card based on its PCI address in a connection profile. -

-
-

- (BZ#1999162) -

-
-

The Network system role now directly manages the configuration files of - Ansible

-

- With this enhancement, the network role generates ifcfg files in /etc/sysconfig/network-scripts. Then, it inserts the comment “Ansible - managed”, using the standard ansible_managed variable. This comment - indicates that the ifcfg files are not directly editable as the - network role may overwrite it. The important difference in handling - the ifcfg file to add "Ansible managed" comment is that the network role uses the initscripts - package while the NetworkManager uses the nm package. -

-
-

- (BZ#2057657) -

-
-

Ansible Core support for RHEL system roles

-

- In RHEL 9.0, Ansible Core is provided, with a limited scope of support, to enable RHEL supported - automation use cases. Ansible Core replaces Ansible Engine which was previously provided in a - separate repository. Ansible Core is available in the AppStream repository for RHEL. For more - details on the supported use cases, see Scope of support for the Ansible Core - package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories. Users must - manually migrate their systems from Ansible Engine to Ansible Core. -

-
-

- (BZ#2012298) -

-
-

The Cockpit system role is now supported

-

- With this enhancement, you can install and configure the web console in your system. - Consequently, you can manage web console in an automated manner. -

-
-

- (BZ#2021028) -

-
-

The Terminal session recording system role uses the "Ansible managed" - comment in its managed configuration files

-

- The Terminal session recording role generates 2 configuration files: -

-
-
-
    -
  • - /etc/sssd/conf.d/sssd-session-recording.conf -
  • -
  • - /etc/tlog/tlog-rec-session.conf -
  • -
-
-

- With this update, the Terminal session recording role inserts the "Ansible managed" comment into the - configuration files, using the standard Ansible variable ansible_managed. The comment indicates that the configuration files - should not be directly edited because the Terminal session recording role can overwrite the file. As - a result, the configuration files contain a declaration stating that the configuration files are - managed by Ansible. -

-

- (BZ#2054367) -

-
-

The VPN role consistently uses "Ansible_managed" comment in its managed - configuration files

-

- The VPN role generates the following configuration file: -

-
-
-
    -
  • - /etc/ipsec.d/mesh.conf -
  • -
  • - /etc/ipsec.d/policies/clear -
  • -
  • - /etc/ipsec.d/policies/private -
  • -
  • - /etc/ipsec.d/policies/private-or-clear -
  • -
-
-

- With this update, the VPN role inserts the "Ansible managed" comment to the configuration files, - using the Ansible standard ansible_managed variable. The comment - indicates that the configuration files should not be directly edited because the VPN role can - overwrite the file. As a result, the configuration files contain a declaration stating that the - configuration files are managed by Ansible. -

-

- (BZ#2054369) -

-
-

The Postfix role consistently uses "Ansible_managed" comment in its managed - configuration files

-

- The Postfix role generates the /etc/postfix/main.cf configuration - file. With this update, the Postfix role inserts the "Ansible managed" comment to the - configuration files, using the Ansible standard ansible_managed - variable. The comment indicates that the configuration files should not be directly edited - because the Postfixrole can overwrite the file. As a result, the configuration files contain a - declaration stating that the configuration files are managed by Ansible. -

-
-

- (BZ#2057662) -

-
-

The Firewall RHEL system role has been added in RHEL 9

-

- With this enhancement, the rhel-system-roles.firewall RHEL system - role was added to the rhel-system-roles package. As a result, - administrators can automate their firewall settings for managed nodes. -

-
-

- (BZ#2021665) -

-
-

The SSH client RHEL system role now supports new configuration options in - OpenSSH 8.7

-

- With this enhancement, OpenSSH was updated to the latest version, which provides new - configuration options that are available in the SSH client role for configuring new hosts. -

-
-

- (BZ#2029427) -

-
-
-
-
-
-

4.20. Virtualization

-
-
-
-
-

RHEL web console new virtualization features

-

- With this update, the RHEL web console includes new features in the Virtual Machines page. You - can now: -

-
-
-
    -
  • - Rename a VM -
  • -
  • - Create a VM with cloud image authentication -
  • -
  • - Add and remove USB and PCI devices to the VM -
  • -
  • - Specify network interface model -
  • -
  • - Share and unshare files between a host and its VM -
  • -
-
-

- (JIRA:RHELPLAN-102009) -

-
-

QEMU uses Clang

-

- The QEMU emulator is now built using the Clang compiler. This enables the RHEL 9 KVM hypervisor - to use a number of advanced security and debugging features, and makes future feature - development more efficient. -

-
-

- (BZ#1940132) -

-
-

SafeStack for virtual machines

-

- In RHEL 9 on AMD64 and Intel 64 hardware (x86_64), the QEMU emulator can use SafeStack, an - enhanced compiler-based stack protection feature. SafeStack reduces the ability of an attacker - to exploit a stack- based buffer overflow to change return pointers in the stack and create - Return-Oriented Programming (ROP) attacks. As a result, virtual machines hosted on RHEL 9 are - significantly more secure against ROP-based vulnerabilities. -

-
-

- (BZ#1939509) -

-
-

virtiofs full support on Intel 64, AMD64, and IBM Z

-

- The virtio file system (virtiofs) is now fully supported on Intel - 64, AMD64, and IBM Z architectures. Using virtiofs, you can - efficiently share files between your host system and its virtual machines. -

-
-

- (JIRA:RHELPLAN-64576) -

-
-

AMD EPYC 7003 series processors supported on KVM guests

-

- Support for AMD EPYC 7003 series processors (also known as AMD Milan) has now been added to the KVM hypervisor and kernel code, - and to the libvirt API. This enables KVM virtual machines to use AMD EPYC 7003 series - processors. -

-
-

- (JIRA:RHELPLAN-65223) -

-
-

qemu-kvm now supports additional machine - types

-

- A set of new machine types, based on RHEL 9, has been added for use by virtual machines (VMs). - To obtain all currently supported machine types on your host, use the /usr/libexec/qemu-kvm -M help command. -

-
-

- In addition, all machine types based on RHEL 7.5.0 or earlier are now unsupported. These also - include pc-i440fx-rhel7.5.0 and earlier machine types, which were - default in earlier major versions of RHEL. As a consequence, attempting to start a VM with such - machine types on RHEL 9 fails with an unsupported configuration error. - If you encounter this problem after upgrading your host to RHEL 9, see the Red Hat KnowledgeBase. -

-

- (JIRA:RHELPLAN-75866) -

-
-

Mediated devices are now supported by virtualization CLIs on IBM Z -

-

- Using virt-install or virt-xml, you - can now attach mediated devices to your VMs, such as vfio-ap and vfio-ccw. This for example - enables more flexible management of DASD storage devices and cryptographic coprocessors on IBM Z - hosts. In addition, using virt-install, you can create a VM that - uses an existing DASD mediated device as its primary disk. For instructions to do so, see the - Configuring and Managing Virtualization in RHEL 9 guide. -

-
-

- (BZ#1995131) -

-
-

Modular libvirt daemons

-

- In RHEL 9, the libvirt library uses modular daemons that handle - individual virtualization driver sets on your host. For example, the virtqemud daemon handles QEMU drivers. This makes it possible to - fine-grain a variety of tasks that involve virtualization drivers, such as resource load - optimization and monitoring. -

-
-

- In addition, the monolithic libvirt daemon, libvirtd, has become - deprecated. However, if you upgrade from RHEL 8 to RHEL 9, your host will still use libvirtd, which you can continue using in RHEL 9. Nevertheless, Red Hat - recommends switching to modular libvirt daemons instead. -

-

- (JIRA:RHELPLAN-113994) -

-
-

Windows 11 and Windows Server 2022 guests are supported

-

- RHEL 9 supports using Windows 11 and Windows Server 2022 as the guest operating systems on KVM - virtual machines. -

-
-

- (BZ#2036856, BZ#2004161) -

-
-

ksmtuned is now distributed separately from - qemu-kvm

-

- To decrease the footprint of the KVM hypervisor, the ksmtuned - utility is no longer a dependency of qemu-kvm. As a consequence, if - you require configuring kernel same-page merging (KSM), you must install the ksmtuned package manually. -

-
-

- (BZ#2069501, BZ#1971678, BZ#1972158) -

-
-

New feature: vTPM

-

- The Virtual Trusted Platform Module (vTPM) is fully supported in RHEL 9. Using vTPM, you can add - a TPM virtual crypto-processor to a virtual machine (VM) running in the RHEL 9 KVM hypervisor. - This makes it possible to use the VM for generating, storing, and managing cryptographic keys. -

-
-

- (JIRA:RHELPLAN-98617) -

-
-

Virtualization support for Intel Atom P59 series processors

-

- With this update, virtualization on RHEL 9 adds support for the Intel Atom P59 series - processors, formerly known as Snow Ridge. As a result, virtual machines hosted on RHEL 9 can now - use the Snowridge CPU model and utilise new features that the - processors provide. -

-
-

- (BZ#1874187) -

-
-
-
-
-
-

4.21. RHEL in cloud environments

-
-
-
-
-

RHEL 9 provides WALinuxAgent 2.3.0.2

-

- RHEL 9 is distributed with the Windows Azure Linux Agent (WALinuxAgent) package version 2.3.0.2. Notable bug fixes and - enhancements over version 2.2.49 include: -

-
-
-
    -
  • - Support for RequiredFeatures and GoalStateAggregateStatus APIs has been added. -
  • -
  • - Fallback locations for extension manifests have been added. -
  • -
  • - Missing calls to str.format() have been added when creating exceptions. -
  • -
-
-

- (BZ#1972101) -

-
-

RHEL on Azure now supports MANA

-

- RHEL 9 virtual machines running on Microsoft Azure can now use the Microsoft Azure Network - Adapter (MANA). -

-
-

- (BZ#1957818) -

-
-

cloud-init supports the VMware GuestInfo - datasource

-

- With this update, the cloud-init utility is able to read the - datasource for VMware guestinfo data. As a result, using cloud-init - to set up RHEL 9 virtual machines on VMware vSphere is now more efficient and reliable. -

-
-

- (BZ#2040090) -

-
-

RHEL 9 virtual machines are now supported on certain ARM64 hosts on - Azure

-

- Virtual machines that use RHEL 9 as the guest operating system are now supported on Microsoft - Azure hypervisors running on Ampere Altra ARM-based processors. -

-
-

- (BZ#1949613) -

-
-

cloud-init supports user data on Microsoft - Azure

-

- The --user-data option has been introduced for the cloud-init utility. Using this option, you can pass scripts and - metadata from the Azure Instance Metadata Service (IMDS) when setting up a RHEL 9 virtual - machine on Azure. -

-
-

- (BZ#2042351) -

-
-

New SSH module for cloud-init

-

- With this update, an SSH module has been added to the cloud-init - utility, which automatically generates host keys during instance creation. -

-
-

- Note that with this change, the default cloud-init configuration has - been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg file contains the ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519'] line. -

-

- Otherwise, cloud-init creates an image which fails to start the sshd service. If this occurs, do the following to work around the - problem: -

-
-
    -
  1. -

    - Make sure the /etc/cloud/cloud.cfg file contains the - following line: -

    -
    ssh_genkeytypes:  ['rsa', 'ecdsa', 'ed25519']
    -
  2. -
  3. - Check whether /etc/ssh/ssh_host_* files exist in the instance. -
  4. -
  5. -

    - If the /etc/ssh/ssh_host_* files do not exist, use the - following command to generate host keys: -

    -
    cloud-init single --name cc_ssh
    -
  6. -
  7. -

    - Restart the sshd service: -

    -
    systemctl restart sshd
    -
  8. -
-
-

- (BZ#2115791) -

-
-
-
-
-
-

4.22. Supportability

-
-
-
-
-

sos report now offers an estimate mode - run

-

- This sos report update adds the --estimate-only option with which you can approximate the disk space - required for collecting an sos report from a RHEL server. Running - the sos report --estimate-only command: -

-
-
-
    -
  • - executes a dry run of sos report -
  • -
  • - mimics all plugins consecutively and estimates their disk size. -
  • -
-
-

- Note that the final disk space estimation is very approximate. Therefore, it is recommended to - double the estimated value. -

-

- (BZ#2011537) -

-
-
-
-
-
-

4.23. Containers

-
-
-
-
-

Podman now supports secure short names

-

- Short-name aliases for images can now be configured in the registries.conf file in the [aliases] - table. The short-names modes are: -

-
-
-
    -
  • - Enforcing: If no matching alias is found during the image pull, Podman prompts the user to - choose one of the unqualified-search registries. If the selected image is pulled - successfully, Podman automatically records a new short-name alias in the $HOME/.cache/containers/short-name-aliases.conf file (rootless - user) and in the /var/cache/containers/short-name-aliases.conf - (root user). If the user cannot be prompted (for example, stdin or stdout are not a TTY), - Podman fails. Note that the short-name-aliases.conf file has - precedence over registries.conf file if both specify the same - alias. -
  • -
  • - Permissive: Similar to enforcing mode, but Podman does not fail if the user cannot be - prompted. Instead, Podman searches in all unqualified-search registries in the given order. - Note that no alias is recorded. -
  • -
-
-

- Example: -

-
unqualified-search-registries=["registry.fedoraproject.org", "quay.io"]
-
-[aliases]
-
-"fedora"="registry.fedoraproject.org/fedora"
-

- (JIRA:RHELPLAN-74542) -

-
-

Changes in the container-tools module -

-

- The container-tools module contains the Podman, Buildah, Skopeo, - and runc tools. The rolling stream, represented by the container-tools:rhel8 stream in RHEL 8, is named container-tools:latest in RHEL 9. Similarly to RHEL 8, stable - versions of container tools are going to be available in numbered streams (for example, 3.0). -

-
-

- For more information about the Container Tools Application Stream, see Container Tools AppStream - - Content Availability. -

-

- (JIRA:RHELPLAN-73678) -

-
-

The containers-common package is now - available

-

- The containers-common package has been added to the container-tools:latest module. The containers-common package contains common configuration files and - documentation for the container tools ecosystem, such as Podman, Buildah and Skopeo. -

-
-

- (JIRA:RHELPLAN-77549) -

-
-

Updating container images with new packages

-

- For instance, to update the registry.access.redhat.com/rhel9 - container image with the latest packages, use the following commands: -

-
-
# podman run -it registry.access.redhat.com/rhel9
-# dnf update -y && rm -rf /var/cache/dnf
-

- To install a particular <package> enter: -

-
# dnf install <package>
-

- For more information, see Adding - software to a running UBI container. -

-

- Note that for RHEL 9, updating or installing new packages in the image requires that you are running - on an entitled host. You can use the Red Hat Enterprise Linux Developer Subscription for Individuals - to gain access to entitled repositories at no-cost. -

-

- For more information, see No-cost Red - Hat Enterprise Linux Individual Developer Subscription: FAQs. -

-

- (JIRA:RHELPLAN-84168) -

-
-

The container-tools meta-package has been - updated

-

- The container-tools RPM meta-package, which contains the Podman, - Buildah, Skopeo, and runc tools is now available. This update provides a list of bug fixes and - enhancements over the previous version. -

-
-

- (JIRA:RHELPLAN-118914) -

-
-

The podman-py package is now - available

-

- The podman-py package has been added to the container-tools:3.0 stable module stream and the container-tools:latest module. The podman-py package is a library of bindings to use the RESTful API of - Podman. -

-
-

- (BZ#1975462) -

-
-

Control groups version 2 is now available

-

- The previous version of control groups, cgroups version 1 (cgroups v1) caused performance - problems with a variety of applications. The latest release of control groups, cgroups version 2 - (cgroups v2) enables system administrators to limit resources for any application without - causing performance problems. -

-
-

- This new version of control groups, cgroups v2, can be enabled in RHEL 8 and is enabled by default - in RHEL 9. -

-

- (JIRA:RHELPLAN-73697) -

-
-

The container-tools meta-package is now - available

-

- The container-tools RPM meta-package includes Podman, Buildah, - Skopeo, CRIU, Udica, and all required libraries, is available in RHEL 9. The stable streams are - not available on RHEL 9. To receive stable access to Podman, Buildah, Skopeo, and others, use - the RHEL EUS subscription. -

-
-

- To install the container-tools meta-package, enter: -

-
# dnf install container-tools
-

- (BZ#2000871) -

-
-

Native overlay file system support in the kernel is now available -

-

- The overlay file system support is now available from kernel 5.11. The non-root users will have - native overlay performance even when running rootless (as a user). Thus, this enhancement - provides better performance to non-root users who wish to use overlayfs without the need for - bind mounting. -

-
-

- (JIRA:RHELPLAN-99892) -

-
-

The NFS storage is now available

-

- You can now use the NFS file system as a backend storage for containers and images if your file - system has xattr support. -

-
-

- (JIRA:RHELPLAN-74543) -

-
-

The container-tools meta-package has been - updated

-

- The container-tools meta-package includes Podman, Buildah, Skopeo, - CRIU, Udica, and all required libraries. This update provides a list of bug fixes and - enhancements over the previous version. -

-
-

- Notable changes include: -

-
-
    -
  • - Due to the changes in the network stack, containers created by Podman v3 and earlier are not - usable in Podman v4.0 -
  • -
  • - Native overlay file system is usable as a rootless user -
  • -
  • - NFS storage is now supported within a container -
  • -
  • - Control groups version 2 (cgroup v2) is enabled by default -
  • -
  • - Downgrading from Podman v4 to v3 is not supported unless all containers are destroyed and - recreated -
  • -
-
-

- For further information about notable changes in Podman, see the upstream release - notes. -

-

- (JIRA:RHELPLAN-99889) -

-
-

The crun container runtime is now the - default

-

- The crun container runtime is now the default runtime. The crun container runtime supports an annotation that allows the - container to access the rootless user’s additional groups. This is useful for volume mounting in - a directory where setgid is set, or where the user only has group access. Both the crun and runc runtimes fully support - cgroup v2. -

-
-

- (JIRA:RHELPLAN-99890) -

-
-

Control group version 2 is now available

-

- The previous version of control groups, cgroup version 1 (cgroup v1) caused performance problems - with a variety of applications. The latest release of control groups, cgroup version 2 (cgroup - v2) enables system administrators to limit resources for any application without causing - performance problems. -

-
-

- In RHEL 9, cgroup v2 is enabled by default. -

-

- (JIRA:RHELPLAN-75322) -

-
-

Universal Base Images are now available on Docker Hub

-

- Previously, Universal Base Images were only available from the Red Hat container catalog. With - this enhancement, Universal Base Images are also available from Docker Hub as a Verified Publisher image. -

-
-

- (JIRA:RHELPLAN-100032) -

-
-

The openssl container image is now - available

-

- The openssl image provides an openssl - command-line tool for using the various functions of the OpenSSL crypto library. Using the - OpenSSL library, you can generate private keys, create certificate signing requests (CSRs), and - display certificate information. -

-
-

- The openssl container image is available in these repositories: -

-
-
    -
  • - registry.redhat.io/rhel9/openssl -
  • -
  • - registry.access.redhat.com/ubi9/openssl -
  • -
-
-

- (JIRA:RHELPLAN-100034) -

-
-

Netavark network stack is now available

-

- The Netavark stack is a network configuration tool for containers. In RHEL 9, Netavark stack is - fully supported and enabled by default. -

-
-

- This network stack has the following capabilities: -

-
-
    -
  • - Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces -
  • -
  • - Configuring firewall settings, such as network address translation (NAT) and port mapping - rules -
  • -
  • - IPv4 and IPv6 -
  • -
  • - Improved capability for containers in multiple networks -
  • -
-
-

- (JIRA:RHELPLAN-101141) -

-
-

Podman now supports auto-building and auto-running pods using a YAML - file

-

- The podman play kube command automatically builds and runs multiple - pods with multiple containers in the pods using a YAML file. -

-
-

- (JIRA:RHELPLAN-108830) -

-
-

Podman now has ability to source subUID and subGID ranges from IdM -

-

- The subUID and subGID ranges can now be managed by IdM. Instead of deploying the same /etc/subuid and /etc/subgid files onto - every host, you can now define range in a single central storage. You have to modify the /etc/nsswitch.conf file and add sss to - the services map line: services: files sss. -

-
-

- For more details, see the section on Managing - subID ranges manually in IdM documentation. -

-

- (JIRA:RHELPLAN-100020) -

-
-
-
-
-
-
-

Chapter 5. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 9.0 that have a significant impact on users. -

-
-
-
-
-

5.1. Installer and image creation

-
-
-
-
-

--leavebootorder no longer changes boot - order

-

- Previously, using --leavebootorder for the bootloader kickstart - command did not work correctly on UEFI systems and changed the boot order. This caused the - installer to add RHEL at the top of the list of installed systems in the UEFI boot menu. -

-
-

- This update fixes the problem and using --leavebootorder no longer - changes the boot order in the boot loader. --leavebootorder is now - supported on RHEL for UEFI systems. -

-

- (BZ#2025953) -

-
-

Anaconda sets a static hostname before running the %post scripts

-

- Previously, when Anaconda was setting the installer environment host name to the value from the - kickstart configuration (network --hostname), it used to set a - transient hostname. Some of the actions performed during %post - script run, for example network device activation, were causing the host name reset to a value - obtained by reverse dns. -

-
-

- With this update, Anaconda now sets a static hostname of the installer environment to be stable - during the run of kickstart %post scripts. -

-

- (BZ#2009403) -

-
-

Users can now specify user accounts in the RHEL for Edge Installer - blueprint

-

- Previously, performing an update on your blueprint without a user account defined in the edge - commit for the upgrade, such as adding a rpm package, would cause users to be locked out of a - system, after an upgrade is applied. It caused users to redefine user accounts when upgrading an - existing system.This issue has been fixed to allow users to specify user accounts in the RHEL - for Edge Installer blueprint, which creates a user on the system at installation time, rather - than having the user as part of the ostree commit. -

-
-

- (BZ#2060575) -

-
-

The basic graphics mode has been removed from - the boot menu

-

- Previously, the basic graphics mode was used to install RHEL on - hardware with an unsupported graphics card or to work around issues in graphic drivers that - prevented starting the graphical interface. With this update, the option to install in a basic graphics mode has been removed from the installer boot menu. - Use the VNC installation options for graphical installations on unsupported hardware or to work - around driver bugs. -

-
-

- For more information on installations using VNC, see the Performing - a remote RHEL installation using VNC section. -

-

- (BZ#1961092) -

-
-
-
-
-
-

5.2. Subscription management

-
-
-
-
-

virt-who now works correctly with Hyper-V - hosts

-

- Previously, when using virt-who to set up RHEL 9 virtual machines - (VMs) on a Hyper-V hypervisor, virt-who did not properly - communicate with the hypervisor, and the setup failed. This was because of a deprecated - encryption method in the openssl package. -

-
-

- With this update, the virt-who authentication mode for Hyper-V has been - modified, and setting up RHEL 9 VMs on Hyper-V using virt-who now works - correctly. Note that this also requires the hypervisor to use basic authentication mode. To enable - this mode, use the following commands: -

-
winrm set winrm/config/service/auth '@{Basic="true"}'
-winrm set winrm/config/service '@{AllowUnencrypted="true"}'
-

- (BZ#2008215) -

-
-
-
-
-
-

5.3. Software management

-
-
-
-
-

Running createrepo_c --update on a modular - repository now preserves modular metadata in it

-

- Previously, when running the createrepo_c --update command on an - already existing modular repository without the original source of modular metadata present, the - default policy was to remove all additional metadata including modular metadata from this - repository, which, consequently, broke it. To preserve metadata, it required running the createrepo_c --update command with the additional --keep-all-metadata option. -

-
-

- With this update, you can preserve modular metadata on a modular repository by running createrepo_c --update without any additional option. -

-

- To remove additional metadata, you can use the new --discard-additional-metadata option. -

-

- (BZ#2055032) -

-
-
-
-
-
-

5.4. Shells and command-line tools

-
-
-
-
-

RHEL 9 provides libservicelog 1.1.19 -

-

- RHEL 9 is distributed with libservicelog version 1.1.19. Notable - bug fixes include: -

-
-
-
    -
  • - Fixed output alignment issue. -
  • -
  • - Fixed segfault on servicelog_open() failure. -
  • -
-
-

- (BZ#1869568) -

-
-
-
-
-
-

5.5. Security

-
-
-
-
-

Hardware optimization enabled in libgcrypt - when in the FIPS mode

-

- Previously, the Federal Information Processing Standard (FIPS 140-2) did not allow using - hardware optimization. Therefore, in previous versions of RHEL, the operation was disabled in - the libgcrypt package when in the FIPS mode. RHEL 9 enables - hardware optimization in FIPS mode, and as a result, all cryptographic operations are performed - faster. -

-
-

- (BZ#1990059) -

-
-

crypto-policies now can disable ChaCha20 cipher usage

-

- Previously, the crypto-policies package used a wrong keyword to - disable the ChaCha20 cipher in OpenSSL. Consequently, you could not - disable ChaCha20 for the TLS 1.2 protocol in OpenSSL through crypto-policies. With this update, the -CHACHA20 keyword is used instead of -CHACHA20-POLY1305. As a result, you now can use the cryptographic - policies for disabling ChaCha20 cipher usage in OpenSSL for TLS 1.2 - and TLS 1.3. -

-
-

- (BZ#2004207) -

-
-

64-bit IBM Z systems no longer become unbootable when installing in FIPS - mode

-

- Previously, the fips-mode-setup command with the --no-bootcfg option did not execute the zipl tool. Because fips-mode-setup - regenerates the initial RAM disk (initrd), and the resulting system - needs an update of zipl internal state to boot, this put 64-bit IBM - Z systems into an unbootable state after installing in FIPS mode. With this update fips-mode-setup now executes zipl on - 64-bit IBM Z systems even if invoked with --no-bootcfg, and as a - result, the newly installed system boots successfully. -

-
-

- (BZ#2013195) -

-
-

GNUTLS_NO_EXPLICIT_INIT no longer disables - implicit library initialization

-

- Previously, the GNUTLS_NO_EXPLICIT_INIT environment variable - disabled implicit library initialization. In RHEL 9, the GNUTLS_NO_IMPLICIT_INIT variable disables implicit library - initialization instead. -

-
-

- (BZ#1999639) -

-
-

OpenSSL-based applications now work correctly with the Turkish - locale

-

- Because the OpenSSL library uses case-insensitive string comparison - functions, OpenSSL-based applications did not work correctly with the Turkish locale, and - omitted checks caused applications using this locale to crash. This update provides a patch to - use the Portable Operating System Interface (POSIX) locale for case-insensitive string - comparison. As a result, OpenSSL-based applications such as curl work correctly with the Turkish - locale. -

-
-

- (BZ#2071631) -

-
-

kdump no longer crashes due to SELinux - permissions

-

- The kdump crash recovery service requires additional SELinux - permissions to start correctly. In previous versions, therefore, SELinux prevented kdump from working, kdump reported that - it is not operational, and Access Vector Cache (AVC) denials were audited. In this version, the - required permissions were added to selinux-policy and as a result, - kdump works correctly and no AVC denial is audited. -

-
-

- (BZ#1932752) -

-
-

The usbguard-selinux package is no longer - dependent on usbguard

-

- Previously, the usbguard-selinux package was dependent on the usbguard package. This, in combination with other dependencies of - these packages, led to file conflicts when installing usbguard. As - a consequence, this prevented the installation of usbguard on - certain systems. With this version, usbguard-selinux no longer - depends on usbguard, and as a result, dnf can install usbguard correctly. -

-
-

- (BZ#1986785) -

-
-

dnf install and dnf update now work with fapolicyd - in SELinux

-

- The fapolicyd-selinux package, which contains SELinux rules for - fapolicyd, did not contain permissions to watch all files and directories. As a consequence, the - fapolicyd-dnf-plugin did not work correctly, causing any dnf install and dnf update commands to - make the system stop responding indefinitely. In this version, the permissions to watch any file - type were added to fapolicyd-selinux. As a result, the fapolicyd-dnf-plugin works correctly and the commands dnf install and dnf update are - operational. -

-
-

- (BZ#1932225) -

-
-

Ambient capabilities are now applied correctly to non-root users -

-

- As a safety measure, changing a UID (User Identifier) from root to non-root nullifies permitted, - effective, and ambient sets of capabilities. -

-
-

- However, the pam_cap.so module is unable to set ambient capabilities - because a capability needs to be in both the permitted and the inheritable set to be in the ambient - set. In addition, the permitted set gets nullified after changing the UID (for example by using the - setuid utility), so the ambient capability cannot be set. -

-

- To fix this problem, the pam_cap.so module now supports the keepcaps option, which allows a process to retain its permitted - capabilities after changing the UID from root to non-root. The pam_cap.so module now also supports the defer option, which causes pam_cap.so to - reapply ambient capabilities within a callback to pam_end(). This - callback can be used by other applications after changing the UID. -

-

- Therefore, if the su and login utilities - are updated and PAM-compliant, you can now use pam_cap.so with the - keepcaps and defer options to set ambient - capabilities for non-root users. -

-

- (BZ#2037215) -

-
-

usbguard-notifier no longer logs too many - error messages to the Journal

-

- Previously, the usbguard-notifier service did not have - inter-process communication (IPC) permissions for connecting to the usbguard-daemon IPC interface. Consequently, usbguard-notifier failed to connect to the interface, and it wrote a - corresponding error message to the Journal. Because usbguard-notifier started with the --wait option, which ensured that usbguard-notifier attempted to connect to the IPC interface each - second after a connection failure, by default, the log contained an excessive amount of these - messages soon. -

-
-

- With this update, usbguard-notifier does not start with --wait by default. The service attempts to connect to the daemon only - three times in the 1-second intervals. As a result, the log contains three such error messages at - maximum. -

-

- (BZ#2009226) -

-
-
-
-
-
-

5.6. Networking

-
-
-
-
-

Wifi and 802.1x Ethernet connections profiles are now connecting - properly

-

- Previously, many Wifi and 802.1x Ethernet connections profiles were not able to connect. This - bug is now fixed. All the profiles are now connecting properly. Profiles that use legacy - cryptographic algorithms still work but you need to manually enable the OpenSSL legacy provider. - This is required, for example, when you use DES with MS-CHAPv2 and RC4 with TKIP. -

-
-

- (BZ#1975718) -

-
-

Afterburn no longer sets an overlong hostname in /etc/hostname

-

- The maximum length of a RHEL hostname is 64 characters. However, certain cloud providers use the - Fully-Qualified Domain Name (FQDN) as the hostname, which can be up to 255 characters. - Previously, the afterburn-hostname service wrote such an overlong - hostname directly to the /etc/hostname file. The systemd service truncated the hostname to 64 characters, and - NetworkManager derived an incorrect DNS search domain from the truncated value. With this fix, - afterburn-hostname truncates hostnames at the first dot or 64 - characters, whichever comes first. As a result, NetworkManager no longer sets invalid DNS search - domains in /etc/resolv.conf. -

-
-

- (BZ#2008521) -

-
-
-
-
-
-

5.7. Kernel

-
-
-
-
-

modprobe loads out-of-tree kernel modules as - expected

-

- The /etc/depmod.d/dist.conf configuration file provides a search - order for the depmod utility. Based on the search order, depmod creates the modules.dep.bin file. - This file lists module dependencies, which the modprobe utility - uses for loading and unloading kernel modules and resolving module dependencies at the same - time. Previously, /etc/depmod.d/dist.conf was missing. As a result, - modprobe could not load some out-of-tree kernel modules. This - update includes the /etc/depmod.d/dist.conf configuration file, - which fixes the search order. As a result, modprobe loads - out-of-tree kernel modules as expected. -

-
-

- (BZ#1985100) -

-
-

alsa-lib now correctly handles audio devices - that use UCM

-

- A bug in the alsa-lib package caused incorrect parsing of the - internal Use Case Manager (UCM) identifier. Consequently, some audio devices that used the UCM - configuration were not detected or they did not function correctly. The problem occurred more - often when the system used the pipewire sound service. With the new - release of RHEL 9, the problem has been fixed by updating the alsa-lib library. -

-
-

- (BZ#2015863) -

-
-
-
-
-
-

5.8. File systems and storage

-
-
-
-
-

Protection uevents no longer cause reload failure of multipath - devices

-

- Previously, when a read-only path device was rescanned, the kernel - sent out two write protection uevents - one with the device set to read/write, and the following with the device set to read-only. Consequently, upon detection of the read/write uevent on a path device, multipathd tried to reload the multipath device, which caused a - reload error message. With this update, multipathd now checks that - all the paths are set to read/write before reloading a device - read/write. As a result, multipathd no longer tries to reload read/write whenever a read-only device - is rescanned. -

-
-

- (BZ#2017979) -

-
-

device-mapper-multipath rebased to version - 0.8.7

-

- The device-mapper-multipath package has been upgraded to version - 0.8.7, which provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Fixed memory leaks in the multipath and kpartx commands. -
  • -
  • - Fixed repeated trigger errors from the multipathd.socket unit - file. -
  • -
  • - Improved autoconfiguration of more devices, such as DELL SC Series arrays, EMC Invista and - Symmetrix arrays (among others). -
  • -
-
-

- (BZ#2017592) -

-
-
-
-
-
-

5.9. High availability and clusters

-
-
-
-
-

Pacemaker attribute manager correctly determines remote node attributes, - preventing unfencing loops

-

- Previously, Pacemaker’s controller on a node might be elected the Designated Controller (DC) - before its attribute manager learned an already-active remote node is remote. When this - occurred, the node’s scheduler would not see any of the remote node’s node attributes. If the - cluster used unfencing, this could result in an unfencing loop. With the fix, the attribute - manager can now learn a remote node is remote by means of additional events, including the - initial attribute sync at start-up. As a result, no unfencing loop occurs, regardless of which - node is elected DC. -

-
-

- (BZ#1975388) -

-
-
-
-
-
-

5.10. Compilers and development tools

-
-
-
-
-

-Wsequence-point warning behavior - fixed

-

- Previously, when compiling C++ programs with GCC, the -Wsequence-point warning option tried to warn about very long - expressions, it could cause quadratic behavior and therefore significantly longer compilation - time. With this update, -Wsequence-point doesn’t attempt to warn - about extremely large expressions and as a result, does not increase compilation time. -

-
-

- (BZ#1481850) -

-
-
-
-
-
-

5.11. Identity Management

-
-
-
-
-

MS-CHAP authentication with the OpenSSL legacy provider

-

- Previously, FreeRADIUS authentication mechanisms that used MS-CHAP failed because they depended - on MD4 hash functions, and MD4 has been deprecated in RHEL 9. With this update, you can - authenticate FreeRADIUS users with MS-CHAP or MS-CHAPv2 if you enable the OpenSSL legacy - provider. -

-
-

- If you use the default OpenSSL provider, MS-CHAP and MS-CHAPv2 authentication fails and the - following error message is displayed, indicating the fix: -

-
 Couldn't init MD4 algorithm. Enable OpenSSL legacy provider.
-

- (BZ#1978216) -

-
-

Running sudo commands no longer exports the KRB5CCNAME environment - variable

-

- Previously, after running sudo commands, the environment variable - KRB5CCNAME pointed to the Kerberos credential cache of the original - user, which might not be accessible to the target user. As a result Kerberos related operations - might fail as this cache is not accessible. With this update, running sudo commands no longer sets the KRB5CCNAME environment variable and the target user can use their - default Kerberos credential cache. -

-
-

- (BZ#1879869) -

-
-

SSSD correctly evaluates the default setting for the Kerberos keytab name - in /etc/krb5.conf

-

- Previously, if you defined a non-standard location for your krb5.keytab file, SSSD did not use this location and used the default - /etc/krb5.keytab location instead. As a result, when you tried to - log into the system, the login failed as the /etc/krb5.keytab - contained no entries. -

-
-

- With this update, SSSD now evaluates the default_keytab_name variable - in the /etc/krb5.conf and uses the location specified by this variable. - SSSD only uses the default /etc/krb5.keytab location if the default_keytab_name variable is not set. -

-

- (BZ#1737489) -

-
-

Authenticating to Directory Server in FIPS mode with passwords hashed with - the PBKDF2 algorithm now works as expected

-

- When Directory Server runs in Federal Information Processing Standard (FIPS) mode, the PK11_ExtractKeyValue() function is not available. As a consequence, - prior to this update, users with a password hashed with the password-based key derivation - function 2 (PBKDF2) algorithm were not able to authenticate to the server when FIPS mode was - enabled. With this update, Directory Server now uses the PK11_Decrypt() function to get the password hash data. As a result, - authentication with passwords hashed with the PBKDF2 algorithm now works as expected. -

-
-

- (BZ#1779685) -

-
-
-
-
-
-

5.12. Red Hat Enterprise Linux system roles

-
-
-
-
-

The Networking system role no longer fails to set a DNS search domain if - IPv6 is disabled

-

- Previously, the nm_connection_verify() function of the libnm library did not ignore the DNS search domain if the IPv6 - protocol was disabled. As a consequence, when you used the Networking RHEL system role and set - dns_search together with ipv6_disabled: true, the system role failed with the following error: -

-
-
nm-connection-error-quark: ipv6.dns-search: this property is not allowed for 'method=ignore' (7)
-

- With this update, the nm_connection_verify() function ignores the DNS - search domain if IPv6 is disabled. As a consequence, you can use dns_search as expected, even if IPv6 is disabled. -

-

- (BZ#2004899) -

-
-

Postfix role README no longer uses plain role - name

-

- Previously, the examples provided in the /usr/share/ansible/roles/rhel-system-roles.postfix/README.md used the - plain version of the role name, postfix, instead of using rhel-system-roles.postfix. Consequently, users would consult the - documentation and incorrectly use the plain role name instead of Full Qualified Role Name - (FQRN). This update fixes the issue, and the documentation contains examples with the FQRN, - rhel-system-roles.postfix, enabling users to correctly write - playbooks. -

-
-

- (BZ#1958964) -

-
-

Postfix RHEL system role README.md no longer missing variables under the - "Role Variables" section

-

- Previously, the Postfix RHEL system role variables, such as postfix_check, postfix_backup, postfix_backup_multiple were not available under the "Role Variables" - section. Consequently, users were not able to consult the Postfix role documentation. This - update adds role variable documentation to the Postfix README section. The role variables are - documented and available for users in the doc/usr/share/doc/rhel-system-roles/postfix/README.md documentation - provided by rhel-system-roles. -

-
-

- (BZ#1978734) -

-
-

Role tasks no longer change when running the same output

-

- Previously, several of the role tasks would report as CHANGED when - running the same input once again, even if there were no changes. Consequently, the role was not - acting idempotent. To fix the issue, perform the following actions: -

-
-
-
    -
  • - Check if configuration variables change before applying them. You can use the option --check for this verification. -
  • -
  • - Do not add a Last Modified: $date header to the configuration - file. -
  • -
-
-

- As a result, the role tasks are idempotent. -

-

- (BZ#1978760) -

-
-

The logging_purge_confs option correctly - deletes unnecessary configuration files

-

- With the logging_purge_confs option set to true, it should delete unnecessary logging configuration files. - Previously, however, unnecessary configuration files were not deleted from the configuration - directory even if logging_purge_confs was set to true. This issue is now fixed and the option has been redefined as - follows: if logging_purge_confs is set to true, Rsyslog removes files from the rsyslog.d directory which do not belong to any rpm packages. This - includes configuration files generated by previous runs of the Logging role. The default value - of logging_purge_confs is false. -

-
-

- (BZ#2039106) -

-
-

A playbook using the Metrics role completes successfully on multiple runs - even if the Grafana admin password is changed

-

- Previously, changes to the Grafana admin user password after - running the Metrics role with the metrics_graph_service: yes - boolean caused failure on subsequent runs of the Metrics role. This led to failures of playbooks - using the Metrics role, and the affected systems were only partially set up for performance - analysis. Now, the Metrics role uses the Grafana deployment API - when it is available and no longer requires knowledge of username or password to perform the - necessary configuration actions. As a result, a playbook using the Metrics role completes - successfully on multiple runs even if the administrator changes the Grafana admin password. -

-
-

- (BZ#2041632) -

-
-

Configuration by the Metrics role now follows symbolic links - correctly

-

- When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the Metrics - role overwrote the symbolic link instead of following it and configuring mssql.conf. Consequently, running the Metrics role changed the - symbolic link to a regular file and the configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed - symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The - issue is now fixed and the follow: yes option to follow the - symbolic link has been added to the Metrics role. As a result, the Metrics role preserves the - symbolic links and correctly configures the main configuration file. -

-
-

- (BZ#2058777) -

-
-

The timesync role no longer fails to find the - requested service ptp4l

-

- Previously, on some versions of RHEL, the Ansible service_facts - module, reported service facts incorrectly. Consequently, the timesync role reported an error attempting to stop the ptp4l service. With this fix, the Ansible service_facts module checks the return value of the tasks to stop - timesync services. If the returned value is failed, but the error message is Could not find the requested service NAME:, then the module assumes - success. As a result, the timesync role now runs without errors - like Could not find the requested service ptp4l. -

-
-

- (BZ#2058645) -

-
-

The kernel_settings configobj is available on managed hosts

-

- Previously, the kernel_settings role did not install the python3-configobj package on managed hosts. As a consequence, the - role returned an error stating that the configobj Python module - could not be found. With this fix, the role ensures that the python3-configobj package is present on managed hosts and the kernel_settings role works as expected. -

-
-

- (BZ#2058756) -

-
-

The Terminal Session Recording role tlog-rec-session is now correctly overlaid by SSSD

-

- Previously, the Terminal Session Recording RHEL system role relied on the System Security - Services Daemon (SSSD) files provider and on enabled authselect - option with-files-domain to set up correct passwd entries in the nsswitch.conf - file. In RHEL 9.0, SSSD did not implicitly enable the files provider by default, and - consequently the tlog-rec-session shell overlay by SSSD did not - work. With this fix, the Terminal Session Recording role now updates the nsswitch.conf to ensure tlog-rec-session - is correctly overlaid by SSSD. -

-
-

- (BZ#2071804) -

-
-

The SSHD system role can manage systems in FIPS mode

-

- Previously, the SSHD system role could not create the not allowed - HostKey type when called. As a consequence, the SSHD system role could not manage RHEL 8 and - older systems in Federal Information Processing Standard (FIPS) mode. With this update, the SSHD - system role detects FIPS mode and adjusts the default HostKey list correctly. As a result, the - system role can manage RHEL systems in FIPS mode with the default HostKey configuration. -

-
-

- (BZ#2029634) -

-
-

The SSHD system role uses the correct template file

-

- Previously, the SSHD system role used a wrong template file. As a consequence, the generated - sshd_config file did not contain the ansible_managed comment. With this update, the system role uses the - correct template file and sshd_config contains the correct ansible_managed comment. -

-
-

- (BZ#2044408) -

-
-

The Kdump RHEL system role is be able to reboot, or indicate that a reboot - is required

-

- Previously, the Kdump RHEL system role ignored managed nodes without any reserved memory for - crash kernel. Consequently, the role finished with the "Success" status, even if it did not - configure the system properly. With this update of RHEL 9, the problem has been fixed. In cases - when managed nodes do not have any memory reserved for the crash kernel, the Kdump RHEL system - role fails and suggests that users set the kdump_reboot_ok variable - to true to properly configure the kdump service on managed nodes. -

-
-

- (BZ#2029602) -

-
-

The nm provider in the Networking system role - now correctly manages bridges

-

- Previously, if you used the initscripts provider, the Networking - system role created an ifcfg file which configured NetworkManager - to mark bridge interfaces as unmanaged. Also, NetworkManager failed to detect followup initscript actions. For example, the down and absent actions of initscript - provider will not change the NetworkManager’s understanding on unmanaged state of this interface - if not reloading the connection after the down and absent actions. With this fix, the Networking system role uses the - NM.Client.reload_connections_async() function to reload - NetworkManager on managed hosts with NetworkManager 1.18. As a result, NetworkManager manages - the bridge interface when switching the provider from initscript to - nm. -

-
-

- (BZ#2038957) -

-
-

Fixed a typo to support active-backup for the - correct bonding mode

-

- Previously, there was a typo,active_backup, in supporting the - InfiniBand port while specifying active-backup bonding mode. Due to - this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding - port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the - InfiniBand bonding port. -

-
-

- (BZ#2064391) -

-
-

The Logging system role no longer calls tasks multiple times

-

- Previously, the Logging role was calling tasks multiple times that should have been called only - once. As a consequence, the extra task calls slowed down the execution of the role. With this - fix, the Logging role was changed to call the tasks only once, improving the Logging role - performance. -

-
-

- (BZ#2004303) -

-
-

RHEL system roles now handle multi-line ansible_managed comments in generated files

-

- Previously, some of the RHEL system roles were using # {{ ansible_managed }} to generate some of the files. As a - consequence, if a customer had a custom multi-line ansible_managed - setting, the files would be generated incorrectly. With this fix, all of the system roles use - the equivalent of {{ ansible_managed | comment }} when generating - files so that the ansible_managed string is always properly - commented, including multi-line ansible_managed values. - Consequently, generated files have the correct multi-line ansible_managed value. -

-
-

- (BZ#2006230) -

-
-

The Firewall system role now reloads the firewall immediately when target changes

-

- Previously, the Firewall system role was not reloading the firewall when the target parameter has been changed. With this fix, the Firewall role - reloads the firewall when the target changes, and as a result, the - target change is immediate and available for subsequent operations. -

-
-

- (BZ#2057164) -

-
-

The group option in the Certificate system - role no longer keeps certificates inaccessible to the group

-

- Previously, when setting the group for a certificate, the mode was - not set to allow group read permission. As a consequence, group members were unable to read - certificates issued by the Certificate role. With this fix, the group setting now ensures that - the file mode includes group read permission. As a result, the certificates issued by the - Certificate role for groups are accessible by the group members. -

-
-

- (BZ#2021025) -

-
-

The Logging role no longer misses quotes for the immark module interval value

-

- Previously, the interval field value for the immark module was not properly quoted, because the immark module was not properly configured. This fix ensures that the - interval value is properly quoted. Now, the immark module works as expected. -

-
-

- (BZ#2021676) -

-
-

The /etc/tuned/kernel_settings/tuned.conf file - has a proper ansible_managed header

-

- Previously, the kernel_settings RHEL system role had a hard-coded - value for the ansible_managed header in the /etc/tuned/kernel_settings/tuned.conf file. Consequently, users could - not provide their custom ansible_managed header. In this update, - the problem has been fixed so that kernel_settings updates the - header of /etc/tuned/kernel_settings/tuned.conf with user’s ansible_managed setting. As a result, /etc/tuned/kernel_settings/tuned.conf has a proper ansible_managed header. -

-
-

- (BZ#2047506) -

-
-

The VPN system role filter plugin vpn_ipaddr - now converts to FQCN (Fully Qualified Collection Name)

-

- Previously, the conversion from the legacy role format to the collection format was not - converting the filter plugin vpn_ipaddr to FQCN (Fully Qualified - Collection Name) redhat.rhel_system_roles.vpn_ipaddr. As a - consequence, the VPN role could not find the plugin by the short name and reported an error. - With this fix, the conversion script has been changed so that the filter is converted to FQCN - format in the collection. And now the VPN role runs without issuing the error. -

-
-

- (BZ#2050341) -

-
-

Job for kdump.service no longer fails -

-

- Previously, the Kdump role code for configuring the kernel crash size was not updated for RHEL9, - which requires the use of kdumpctl reset-crashkernel. As a - consequence, the kdump.service could not start and issued an error. - With this update, the kdump.service role uses kdumpctl reset-crashkernel to configure the crash kernel size. Now, - kdump.service role successfully starts the kdump service and the - kernel crash size is configured correctly. -

-
-

- (BZ#2050419) -

-
-
-
-
-
-

5.13. Virtualization

-
-
-
-
-

Hot-unplugging a mounted virtual disk no longer causes the guest kernel to - crash on IBM Z

-

- Previously, when detaching a mounted disk from a running virtual machine (VM) on IBM Z hardware, - the VM kernel crashed under the following conditions: -

-
-
-
    -
  • - The disk was attached with target bus type scsi and mounted - inside the guest. -
  • -
  • - After hot-unplugging the disk device, the corresponding SCSI controller was hot-unplugged as - well. -
  • -
-
-

- With this update, the underlying code has been fixed and the described crash no longer occurs. -

-

- (BZ#1997541) -

-
-
-
-
-
-

5.14. Containers

-
-
-
-
-

UBI 9-Beta containers can run on RHEL 7 and 8 hosts

-

- Previously, the UBI 9-Beta container images had an incorrect seccomp profile set in the containers-common package. As a consequence, containers were not able - to deal with certain system calls causing a failure. With this update, the problem has been - fixed. -

-
-

- (BZ#2019901) -

-
-
-
-
-
-
-

Chapter 6. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 9. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

6.1. RHEL for Edge

-
-
-
-
-

FDO process available as a Technology Preview

-

- The FDO process for automatic provisioning and onboarding RHEL for Edge images is available as a - Technology Preview. With that, you can build a RHEL for Edge Simplified Installer image, - provision it to a RHEL for Edge image, and use the FDO (FIDO device onboarding) process to - automatically provision and onboard your Edge devices, exchange data with other devices and - systems connected on the networks. As a result, the FIDO device onboarding protocol performs - device initialization at the manufacturing stage and then late binding to actually use the - device. -

-
-

- (BZ#1989930) -

-
-
-
-
-
-

6.2. Shells and command-line tools

-
-
-
-
-

ReaR available on the 64-bit IBM Z architecture as a Technology - Preview

-

- Basic Relax and Recover (ReaR) functionality is now available on the 64-bit IBM Z architecture - as a Technology Preview. You can create a ReaR rescue image on IBM Z only in the z/VM - environment. Backing up and recovering logical partitions (LPARs) has not been tested. -

-
-

- The only output method currently available is Initial Program Load (IPL). IPL produces a kernel and - an initial ramdisk (initrd) that can be used with the zIPL bootloader. -

-
-
Warning
-
-

- Currently, the rescue process reformats all the DASDs (Direct Attached Storage Devices) - connected to the system. Do not attempt a system recovery if there is any valuable data - present on the system storage devices. This also includes the device prepared with the zIPL bootloader, ReaR kernel, and initrd that were used to boot - into the rescue environment. Ensure to keep a copy. -

-
-
-

- For more information, see Using - a ReaR rescue image on the 64-bit IBM Z architecture. -

-

- (BZ#2046653) -

-
-

GIMP available as a Technology Preview in RHEL 9

-

- GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. - The gimp package version 2.99.8 is a pre-release version with a set - of improvements, but a limited set of features and no guarantee for stability. As soon as the - official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release - version. -

-
-

- In RHEL 9, you can install gimp easily as an RPM package. -

-

- (BZ#2047161) -

-
-
-
-
-
-

6.3. Networking

-
-
-
-
-

WireGuard VPN is available as a Technology Preview

-

- WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance - VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to - configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the - surface for attacks and, therefore, improves the security. -

-
-

- For further details, see Setting - up a WireGuard VPN. -

-

- (BZ#1613522) -

-
-

KTLS available as a Technology Preview

-

- RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS - records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM - cipher. KTLS also includes the interface for offloading TLS record encryption to Network - Interface Controllers (NICs) that provides this functionality. -

-
-

- (BZ#1570255) -

-
-

The systemd-resolved service is available as a - Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, an Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that systemd-resolved is an unsupported Technology Preview. -

-

- (BZ#2020529) -

-
-
-
-
-
-

6.4. Kernel

-
-
-
-
-

The Intel data streaming accelerator driver for kernel is available as a - Technology Preview

-

- The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a - Technology Preview. It is an Intel CPU integrated accelerator and includes the shared work queue - with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- (BZ#2030412) -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms - using the Flexible Launch Control mechanism - to use the SGX technology. -

-
-

- (BZ#1874182) -

-
-

The Soft-iWARP driver is available as a Technology Preview

-

- Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for - Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This - protocol suite is fully implemented in software and does not require a specific Remote Direct - Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to - connect to an iWARP adapter or to another system with already installed Soft-iWARP. -

-
-

- (BZ#2023416) -

-
-
-
-
-
-

6.5. File systems and storage

-
-
-
-
-

DAX is now available for ext4 and XFS as a Technology Preview

-

- In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an - application to directly map persistent memory into its address space. To use DAX, a system must - have some form of persistent memory available, usually in the form of one or more Non-Volatile - Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the - NVDIMM(s). Also, the file system must be mounted with the dax mount - option. Then, an mmap of a file on the dax-mounted file system - results in a direct mapping of storage into the application’s address space. -

-
-

- (BZ#1995338) -

-
-

Stratis is available as a Technology Preview

-

- Stratis is a local storage manager. It provides managed file systems on top of pools of storage - with additional features to the user: -

-
-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- (BZ#2041558) -

-
-

NVMe-oF Discovery Service features available as a Technology - Preview

-

- The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) - 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device - that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM - Express 2.0 Ratified TPs from the https://nvmexpress.org/developers/nvme-specification/ - website. -

-
-

- (BZ#2021672) -

-
-
-
-
-
-

6.6. Compilers and development tools

-
-
-
-
-

jmc-core and owasp-java-encoder available as a Technology Preview

-

- RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features. -

-
-

- jmc-core is a library providing core APIs for Java Development Kit - (JDK) Mission Control, including libraries for parsing and writing JDK Flight Recording files, as - well as libraries for Java Virtual Machine (JVM) discovery through Java Discovery Protocol (JDP). -

-

- The owasp-java-encoder package provides a collection of - high-performance low-overhead contextual encoders for Java. -

-

- (BZ#1980981) -

-
-
-
-
-
-

6.7. Identity Management

-
-
-
-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

- -

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- (BZ#2084180) -

-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- (BZ#2084166) -

-
-

ACME available as a Technology Preview

-

- The Automated Certificate Management Environment (ACME) service is now available in Identity - Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation - and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and - avoiding manual processes from certificate lifecycle management. -

-
-

- In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS - ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM - deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity - period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire - IdM deployment. -

-
-
Important
-
-

- It is recommended to enable ACME only in an IdM deployment where all servers are running - RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause - problems in mixed-version deployments. For example, a CA server without ACME can cause - client connections to fail, because it uses a different DNS Subject Alternative Name (SAN). -

-
-
-
-
Warning
-
-

- Currently, RHCS does not remove expired certificates. Because ACME certificates expire after - 90 days, the expired certificates can accumulate and this can affect performance. -

-
-
-
-
    -
  • -

    - To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command: -

    -
    # ipa-acme-manage enable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command: -

    -
    # ipa-acme-manage disable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To check whether the ACME service is installed and if it is enabled or disabled, use the - ipa-acme-manage status command: -

    -
    # ipa-acme-manage status
    -ACME is enabled
    -The ipa-acme-manage command was successful
    -
  • -
-
-

- (BZ#2084181) -

-
-
-
-
-
-

6.8. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology - Preview. -

-
-

- You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can - manage the server using graphical applications. -

-

- A limited set of graphical applications is available on 64-bit ARM. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- (JIRA:RHELPLAN-27394) -

-
-

GNOME for the IBM Z architecture available as a Technology Preview -

-

- The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview. -

-
-

- You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage - the server using graphical applications. -

-

- A limited set of graphical applications is available on IBM Z. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- (JIRA:RHELPLAN-27737) -

-
-
-
-
-
-

6.9. The web console

-
-
-
-
-

Stratis available as a Technology Preview in the RHEL web console -

-

- With this update, the Red Hat Enterprise Linux web console provides the ability to manage - Stratis storage as a Technology Preview. -

-
-

- To learn more about Stratis, see What - is Stratis. -

-

- (JIRA:RHELPLAN-122345) -

-
-
-
-
-
-

6.10. Virtualization

-
-
-
-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or - RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs. -

-
-

- (JIRA:RHELDOCS-17040) -

-
-

AMD SEV and SEV-ES for KVM virtual machines

-

- As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts the VM’s memory to protect the VM from access by the host. This increases the security - of the VM. -

-
-

- In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology - Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host - from modifying the VM’s CPU registers or reading any information from them. -

-

- Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. - Also note that RHEL 9 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security - attestation. -

-

- (JIRA:RHELPLAN-65217) -

-
-

Virtualization is now available on ARM 64

-

- As a Technology Preview, it is now possible to create KVM virtual machines on systems using ARM - 64 CPUs. -

-
-

- (JIRA:RHELPLAN-103993) -

-
-

virtio-mem is now available on AMD64 and Intel - 64

-

- As a Technology Preview, RHEL 9 introduces the virtio-mem feature - on AMD64 and Intel 64 systems. Using virtio-mem makes it possible - to dynamically add or remove host memory in virtual machines (VMs). -

-
-

- To use virtio-mem, define virtio-mem - memory devices in the XML configuration of a VM and use the virsh update-memory-device command to request memory device size changes - while the VM is running. To see the current memory size exposed by such memory devices to a running - VM, view the XML configuration of the VM. -

-

- (BZ#2014487) -

-
-

Intel vGPU available as a Technology Preview

-

- As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that this feature is deprecated and will be removed entirely in a future RHEL release. -

-

- (JIRA:RHELDOCS-17050) -

-
-
-
-
-
-

6.11. Containers

-
-
-
-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- (JIRA:RHELDOCS-16861) -

-
-
-
-
-
-
-

Chapter 7. Deprecated functionality

-
-
-
-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 9. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

7.1. Installer and image creation

-
-
-
-
-

Deprecated Kickstart commands

-

- The following Kickstart commands have been deprecated: -

-
-
-
    -
  • - timezone --ntpservers -
  • -
  • - timezone --nontp -
  • -
  • - logging --level -
  • -
  • - %packages --excludeWeakdeps -
  • -
  • - %packages --instLangs -
  • -
  • - %anaconda -
  • -
  • - pwpolicy -
  • -
-
-

- Note that where only specific options are listed, the base command and its other options are still - available and not deprecated. Using the deprecated commands in Kickstart files prints a warning in - the logs. You can turn the deprecated command warnings into errors with the inst.ksstrict boot option. -

-

- (BZ#1899167) -

-
-
-
-
-
-

7.2. Shells and command-line tools

-
-
-
-
-

Setting the TMPDIR variable in the ReaR - configuration file is deprecated

-

- Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement - such as export TMPDIR=…​, does not work and is deprecated. -

-
-

- To specify a custom directory for ReaR temporary files, export the variable in the shell environment - before executing ReaR. For example, execute the export TMPDIR=…​ - statement and then execute the rear command in the same shell session - or script. -

-

- Jira:RHELDOCS-18049 -

-
-
-
-
-
-

7.3. Security

-
-
-
-
-

SHA-1 is deprecated for cryptographic purposes

-

- The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. - The digest produced by SHA-1 is not considered secure because of many documented successful - attacks based on finding hash collisions. The RHEL core crypto components no longer create - signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 - in security-relevant use cases. -

-
-

- Among the exceptions, the HMAC-SHA1 message authentication code and the Universal Unique Identifier - (UUID) values can still be created using SHA-1 because these use cases do not currently pose - security risks. SHA-1 also can be used in limited cases connected with important interoperability - and compatibility concerns, such as Kerberos and WPA-2. See the List - of RHEL applications using cryptography that is not compliant with FIPS 140-3 section in the - RHEL - 9 Security hardening document for more details. -

-

- If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic - signatures, you can enable it by entering the following command: -

-
# update-crypto-policies --set DEFAULT:SHA1
-

- Alternatively, you can switch the system-wide crypto policies to the LEGACY policy. Note that LEGACY also enables - many other algorithms that are not secure. -

-

- (JIRA:RHELPLAN-110763) -

-
-

SCP is deprecated in RHEL 9

-

- The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The - SCP API remains available for the RHEL 9 lifecycle but using it reduces system security. -

-
-
-
    -
  • - In the scp utility, SCP is replaced by the SSH File Transfer - Protocol (SFTP) by default. -
  • -
  • - The OpenSSH suite does not use SCP in RHEL 9. -
  • -
  • - SCP is deprecated in the libssh library. -
  • -
-
-

- (JIRA:RHELPLAN-99136) -

-
-

Digest-MD5 in SASL is deprecated

-

- The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) - framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release. -

-
-

- (BZ#1995600) -

-
-

OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, RIPEMD160, Blowfish, CAST, - DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1

-

- The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, - uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 - provides them for migrating encrypted data to use new algorithms. Users must not depend on those - algorithms for the security of their systems. -

-
-

- The implementations of the following algorithms have been moved to the legacy provider in OpenSSL: - MD2, MD4, MDC2, Whirlpool, RIPEMD160, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1. -

-

- See the /etc/pki/tls/openssl.cnf configuration file for instructions on - how to load the legacy provider and enable support for the deprecated algorithms. -

-

- (BZ#1975836) -

-
-

/etc/system-fips is now deprecated -

-

- Support for indicating FIPS mode through the /etc/system-fips file - has been removed, and the file will not be included in future versions of RHEL. To install RHEL - in FIPS mode, add the fips=1 parameter to the kernel command line - during the system installation. You can check whether RHEL operates in FIPS mode by using the - fips-mode-setup --check command. -

-
-

- (JIRA:RHELPLAN-103232) -

-
-

libcrypt.so.1 is now deprecated

-

- The libcrypt.so.1 library is now deprecated, and it might be - removed in a future version of RHEL. -

-
-

- (BZ#2034569) -

-
-

fapolicyd.rules is deprecated

-

- The /etc/fapolicyd/rules.d/ directory for files containing allow - and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility. -

-
-

- (BZ#2054740) -

-
-
-
-
-
-

7.4. Networking

-
-
-
-
-

ipset and iptables-nft have been deprecated

-

- The ipset and iptables-nft packages - have been deprecated in RHEL. The iptables-nft package contains - different tools such as iptables, ip6tables, ebtables and arptables. These tools will no longer receive new features and using - them for new deployments is not recommended. As a replacement, prefer using the nft command-line tool provided by the nftables package. Existing setups should migrate to nft if possible. -

-
-

- When you load the iptables, ip6tables, - ebtables, arptables, nft_compat, or ipset module, the module logs - the following warning to the /var/log/messages file: -

-
Warning: <module_name> - this driver is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.
-

- For more information on migrating to nftables, see Migrating - from iptables to nftables, as well as the iptables-translate(8) - and ip6tables-translate(8) man pages. -

-

- (BZ#1945151) -

-
-

Network teams are deprecated in RHEL 9

-

- The teamd service and the libteam - library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major - release. As a replacement, configure a bond instead of a network team. -

-
-

- Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and - teams, that have similar functions. The bonding code has a high customer adoption, is robust, and - has an active community development. As a result, the bonding code receives enhancements and - updates. -

-

- For details about how to migrate a team to a bond, see Migrating - a network team configuration to network bond. -

-

- (BZ#1935544) -

-
-

NetworkManager connection profiles in ifcfg - format are deprecated

-

- In RHEL 9.0 and later, connection profiles in ifcfg format are - deprecated. The next major RHEL release will remove the support for this format. However, in - RHEL 9, NetworkManager still processes and updates existing profiles in this format if you - modify them. -

-
-

- By default, NetworkManager now stores connection profiles in keyfile format in the /etc/NetworkManager/system-connections/ directory. Unlike the ifcfg format, the keyfile format supports all connection settings that - NetworkManager provides. For further details about the keyfile format and how to migrate profiles, - see NetworkManager - connection profiles in keyfile format. -

-

- (BZ#1894877) -

-
-

The iptables back end in firewalld is deprecated

-

- In RHEL 9, the iptables framework is deprecated. As a consequence, - the iptables backend and the direct interface in firewalld are also - deprecated. Instead of the direct interface you can use the native - features in firewalld to configure the required rules. -

-
-

- (BZ#2089200) -

-
-
-
-
-
-

7.5. Kernel

-
-
-
-
-

ATM encapsulation is deprecated in RHEL 9

-

- Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, - Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not - been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is - being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the - ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is - deprecated in Red Hat Enterprise Linux 9. -

-
-

- For more information, see PPP Over - AAL5, Multiprotocol - Encapsulation over ATM Adaptation Layer 5, and Classical IP and ARP over ATM. -

-

- (BZ#2058153) -

-
-

v4l/dvb television and video capture devices - are no longer supported

-

- With RHEL 9, Red Hat no longer supports Video4Linux (v4l) and Linux DVB (DVB) devices that consist of various television tuner cards and - miscellaneous video capture cards and Red Hat no longer provides their associated drivers. -

-
-

- (BZ#2074598) -

-
-
-
-
-
-

7.6. File systems and storage

-
-
-
-
-

lvm2-activation-generator and its generated - services removed in RHEL 9.0

-

- The lvm2-activation-generator program and its generated services - lvm2-activation, lvm2-activation-early, and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is - no longer functional. The only method for auto activating volume groups is event based - activation. -

-
-

- (BZ#2038183) -

-
-
-
-
-
-

7.7. Dynamic programming languages, web and database servers

-
-
-
-
-

libdb has been deprecated

-

- RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb) version - 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is - available under the AGPLv3 license, which is more restrictive. -

-
-

- The libdb package is deprecated as of RHEL 9 and might not be available - in future major RHEL releases. -

-

- In addition, cryptographic algorithms have been removed from libdb in - RHEL 9 and multiple libdb dependencies have been removed from RHEL 9. -

-

- Users of libdb are advised to migrate to a different key-value - database. For more information, see the Knowledgebase article Available replacements for the deprecated - Berkeley DB (libdb) in RHEL. -

-

- (BZ#1927780, BZ#1974657, JIRA:RHELPLAN-80695) -

-
-
-
-
-
-

7.8. Identity Management

-
-
-
-
-

SHA-1 in OpenDNSSec is now deprecated -

-

- OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 - algorithm is no longer supported. With the RHEL 9 release, SHA-1 in - OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, - OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is - not supported standalone. -

-
-

- (BZ#1979521) -

-
-

The SSSD implicit files provider domain is disabled by default

-

- The SSSD implicit files provider domain, which retrieves user - information from local files such as /etc/shadow and group - information from /etc/groups, is now disabled by default. -

-
-

- To retrieve user and group information from local files with SSSD: -

-
-
    -
  1. -

    - Configure SSSD. Choose one of the following options: -

    -
    -
      -
    1. -

      - Explicitly configure a local domain with the id_provider=files option in the sssd.conf configuration file. -

      -
      [domain/local]
      -id_provider=files
      -...
      -
    2. -
    3. -

      - Enable the files provider by setting enable_files_domain=true in the sssd.conf configuration file. -

      -
      [sssd]
      -enable_files_domain = true
      -
    4. -
    -
    -
  2. -
  3. -

    - Configure the name services switch. -

    -
    # authselect enable-feature with-files-provider
    -
  4. -
-
-

- (JIRA:RHELPLAN-100639) -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- Jira:RHELDOCS-16612 -

-
-
-
-
-
-

7.9. Graphics infrastructures

-
-
-
-
-

X.org Server is now deprecated

-

- The X.org display server is deprecated, and - will be removed in a future major RHEL release. The default desktop session is now the Wayland session in most cases. -

-
-

- The X11 protocol remains fully supported using - the XWayland back end. As a result, applications - that require X11 can run in the Wayland session. -

-

- Red Hat is working on resolving the remaining problems and gaps in the Wayland session. For the outstanding problems in - Wayland, see the Known - issues section. -

-

- You can switch your user session back to the X.org back end. For more information, see Selecting - GNOME environment and display protocol. -

-

- (JIRA:RHELPLAN-121048) -

-
-

Motif has been deprecated

-

- The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif - community is inactive. -

-
-

- The following Motif packages have been deprecated, including their development and debugging - variants: -

-
-
    -
  • - motif -
  • -
  • - openmotif -
  • -
  • - openmotif21 -
  • -
  • - openmotif22 -
  • -
-
-

- Additionally, the motif-static package has been removed. -

-

- Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new - features compared to Motif. -

-

- (JIRA:RHELPLAN-98983) -

-
-
-
-
-
-

7.10. Red Hat Enterprise Linux system roles

-
-
-
-
-

The networking system role displays a - deprecation warning when configuring teams on RHEL 9 nodes

-

- The network teaming capabilities have been deprecated in RHEL 9. As a result, using the networking RHEL system role on an RHEL 8 controller to configure a - network team on RHEL 9 nodes, shows a warning about its deprecation. -

-
-

- (BZ#1999770) -

-
-
-
-
-
-

7.11. Virtualization

-
-
-
-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. Instead, Red Hat recommends using signatures based on the - SHA2 algorithm, or later. -

-
-

- (BZ#1935497) -

-
-

Limited support for virtual machine snapshots

-

- Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the - UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, - which negatively impacts the hypervisor performance for certain workloads. -

-
-

- Also note that the current mechanism of creating VM snapshots has been deprecated, and Red Hat does - not recommend using VM snapshots in a production environment. However, a new VM snapshot mechanism - is under development and is planned to be fully implemented in a future minor release of RHEL 9. -

-

- (JIRA:RHELPLAN-15509, BZ#1621944) -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager may not be yet - available in the RHEL web console. -

-
-

- (JIRA:RHELPLAN-10304) -

-
-

libvirtd has become deprecated

-

- The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a - future major release of RHEL. Note that you can still use libvirtd - for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly - introduced modular libvirt daemons. For instructions and details, - see the RHEL - 9 Configuring and Managing Virtualization document. -

-
-

- (JIRA:RHELPLAN-113995) -

-
-

The virtual floppy driver has become deprecated

-

- The isa-fdc driver, which controls virtual floppy disk devices, is - now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure - forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy - disk devices in VMs hosted on RHEL 9. -

-
-

- (BZ#1965079) -

-
-

qcow2-v2 image format is deprecated

-

- With RHEL 9, the qcow2-v2 format for virtual disk images has become deprecated, and will become - unsupported in a future major release of RHEL. In addition, the RHEL 9 Image Builder cannot - create disk images in the qcow2-v2 format. -

-
-

- Instead of qcow2-v2, Red Hat strongly recommends using qcow2-v3. To convert a qcow2-v2 image to a - later format version, use the qemu-img amend command. -

-

- (BZ#1951814) -

-
-
-
-
-
-

7.12. Containers

-
-
-
-
-

Running RHEL 9 containers on a RHEL 7 host is not supported

-

- Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not - guaranteed. -

-
-

- For more information, see Red Hat Enterprise - Linux Container Compatibility Matrix. -

-

- (JIRA:RHELPLAN-100087) -

-
-

SHA1 hash algorithm within Podman has been deprecated

-

- The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer - supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 from - the RHBA-2022:5951 - advisory have to be restarted if they are joined to a network (and not just using slirp4netns) to ensure they can connect to containers started after - the upgrade. -

-
-

- (BZ#2069279) -

-
-

rhel9/pause has been deprecated

-

- The rhel9/pause container image has been deprecated. -

-
-

- (BZ#2106816) -

-
-
-
-
-
-

7.13. Deprecated packages

-
-
-
-

- This section lists packages that have been deprecated and will probably not be included in a future - major release of Red Hat Enterprise Linux. -

-

- For changes to packages between RHEL 8 and RHEL 9, see Changes - to packages in the Considerations in adopting RHEL 9 - document. -

-
-
Important
-
-

- The support status of deprecated packages remains unchanged within RHEL 9. For more - information about the length of support, see Red Hat Enterprise Linux - Life Cycle and Red - Hat Enterprise Linux Application Streams Life Cycle. -

-
-
-

- The following packages have been deprecated in RHEL 9: -

-
-
    -
  • - iptables-devel -
  • -
  • - iptables-libs -
  • -
  • - iptables-nft -
  • -
  • - iptables-nft-services -
  • -
  • - iptables-utils -
  • -
  • - libdb -
  • -
  • - mcpp -
  • -
  • - python3-pytz -
  • -
-
-
-
-
-
-
-
-

Chapter 8. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 9.0. -

-
-
-
-
-

8.1. Installer and image creation

-
-
-
-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- (BZ#1697896) -

-
-

Local Media installation source is not - detected when booting the installation from a USB that is created using a third party - tool

-

- When booting the RHEL installation from a USB that is created using a third party tool, the - installer fails to detect the Local Media installation source (only - Red Hat CDN is detected). -

-
-

- This issue occurs because the default boot option int.stage2= attempts - to search for iso9660 image format. However, a third party tool might - create an ISO image with a different format. -

-

- As a workaround, use either of the following solution: -

-
-
    -
  • - When booting the installation, click the Tab key to edit the - kernel command line, and change the boot option inst.stage2= to - inst.repo=. -
  • -
  • - To create a bootable USB device on Windows, use Fedora Media Writer. -
  • -
  • - When using a third party tool like Rufus to create a bootable USB device, first regenerate - the RHEL ISO image on a Linux system, and then use the third party tool to create a bootable - USB device. -
  • -
-
-

- For more information on the steps involved in performing any of the specified workaround, see, Installation media is not auto - detected during the installation of RHEL 8.3. -

-

- (BZ#1877697) -

-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installer or use the authselect Kickstart command during installation. -

-

- (BZ#1640697) -

-
-

Unexpected SELinux policies on systems where Anaconda is running as an - application

-

- When Anaconda is running as an application on an already installed system (for example to - perform another installation to an image file using the –image - anaconda option), the system is not prohibited to modify the SELinux types and attributes during - installation. As a consequence, certain elements of SELinux policy might change on the system - where Anaconda is running. To work around this problem, do not run Anaconda on the production - system and execute it in a temporary virtual machine. So that the SELinux policy on a production - system is not modified. Running anaconda as part of the system installation process such as - installing from boot.iso or dvd.iso is - not affected by this issue. -

-
-

- (BZ#2050140) -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- (BZ#1914955) -

-
-

Minimal RHEL installation no longer includes the s390utils-base package

-

- In RHEL 8.4 and later, the s390utils-base package is split into an - s390utils-core package and an auxiliary s390utils-base package. Consequently, setting the RHEL installation - to minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. To work around this problem, manually install - the s390utils-base package after completing the RHEL installation - or explicitly install s390utils-base using a kickstart file. -

-
-

- (BZ#1932480) -

-
-

Hard drive partitioned installations with iso9660 filesystem fails -

-

- You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that - is set to ignore any hard disk containing a iso9660 file system - partition. This happens even when RHEL is installed without using a DVD. -

-
-

- To workaround this problem, add the following script in the kickstart file to format the disc before - the installation starts. -

-

- Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk. -

-
%pre
-wipefs -a /dev/sda
-%end
-

- As a result, installations work as expected without any errors. -

-

- (BZ#1929105) -

-
-

Anaconda fails to verify existence of an administrator user - account

-

- While installing RHEL using a graphical user interface, Anaconda fails to verify if the - administrator account has been created. As a consequence, users might install a system without - any administrator user account. -

-
-

- To work around this problem, ensure you configure an administrator user account or the root password - is set and the root account is unlocked. As a result, users can perform administrative tasks on the - installed system. -

-

- (BZ#2047713) -

-
-

Anaconda fails to login iSCSI server using the no authentication method after unsuccessful CHAP authentication - attempt

-

- When you add iSCSI discs using CHAP authentication and the login attempt fails due to incorrect - credentials, a relogin attempt to the discs with the no authentication method fails. To workaround this problem, close the - current session and login using the no authentication method. -

-
-

- (BZ#1983602) -

-
-

New XFS features prevent booting of PowerNV IBM POWER systems with firmware - older than version 5.10

-

- PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement - for GRUB. This results in the firmware kernel mounting /boot and - Petitboot reading the GRUB config and booting RHEL. -

-
-

- The RHEL 9 kernel introduces bigtime=1 and inobtcount=1 features to the XFS filesystem, which kernels with firmware - older than version 5.10 do not understand. -

-

- To work around this problem, you can use another filesystem for /boot, - for example ext4. -

-

- (BZ#1997832) -

-
-

Cannot install RHEL when PReP is not 4 or 8 MiB in size

-

- The RHEL installer cannot install the boot loader if the PowerPC Reference Platform (PReP) - partition is of a different size than 4 MiB or 8 MiB on a disk that uses 4 kiB sectors. As a - consequence, you cannot install RHEL on the disk. -

-
-

- To work around the problem, make sure that the PReP partition is exactly 4 MiB or 8 MiB in size, and - that the size is not rounded to another value. As a result, the installer can now install RHEL on - the disk. -

-

- (BZ#2026579) -

-
-

New XFS features prevent booting of PowerNV IBM POWER systems with firmware - kernel older than version 5.10

-

- PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement - for GRUB. This results in the firmware kernel mounting /boot and - Petitboot reading the GRUB config and booting RHEL. -

-
-

- The RHEL 9 kernel introduces bigtime=1 and inobtcount=1 features to the XFS filesystem, which firmware with kernel - older than version 5.10 do not understand. As a consequence, Anaconda prevents the installation with - the following error message: -

-

- Your firmware doesn’t support XFS file system features on the /boot - file system. The system will not be bootable. Please, upgrade the firmware or change the file system - type. -

-

- As a workaround, use another filesystem for /boot, for example ext4. -

-

- (BZ#2008792) -

-
-

RHEL installer does not process the inst.proxy - boot option correctly

-

- When running Anaconda, the installation program does not process the inst.proxy boot option correctly. As a consequence, you cannot use - the specified proxy to fetch the installation image. -

-
-

- To work around this issue: * Use the latest version of RHEL distribution. * Use proxy instead of inst.proxy boot option. -

-

- (JIRA:RHELDOCS-18764) -

-
-

RHEL installation fails on IBM Z architectures with multi-LUNs

-

- RHEL installation fails on IBM Z architectures when using multiple LUNs during installation. Due - to the multipath setup of FCP and the LUN auto-scan behavior, the length of the kernel command - line in the configuration file exceeds 896 bytes. -

-
-

- To work around this problem, you can do one of the following: -

-
-
    -
  • - Install the latest version of RHEL (RHEL 9.2 or later). -
  • -
  • - Install the RHEL system with a single LUN and add additional LUNs post installation. -
  • -
  • - Optimize the redundant zfcp entries in the boot configuration - on the installed system. -
  • -
  • - Create a physical volume (pvcreate) for each of the additional - LUNs listed under /dev/mapper/. -
  • -
  • - Extend the VG with PVs, for example, vgextend <vg_name> /dev/mapper/mpathX. -
  • -
  • - Increase the LV as needed for example, lvextend -r -l +100%FREE /dev/<vg name>/root. -
  • -
-
-

- For more information, see the KCS - solution. -

-

- (JIRA:RHELDOCS-18638) -

-
-
-
-
-
-

8.2. Subscription management

-
-
-
-
-

virt-who cannot connect to ESX servers when in - FIPS mode

-

- When using the virt-who utility on a RHEL 9 system in FIPS mode, - virt-who cannot connect to ESX servers. As a consequence, virt-who does not report any ESX servers, even if configured for - them, and logs the following error message: -

-
-
ValueError: [digital envelope routines] unsupported
-

- To work around this issue, do one of the following: -

-
-
    -
  • - Do not set the RHEL 9 system you use for running virt-who to - FIPS mode. -
  • -
  • - Do not upgrade the RHEL system you use for running virt-who to - version 9.0. -
  • -
-
-

- (BZ#2054504) -

-
-
-
-
-
-

8.3. Software management

-
-
-
-
-

The Installation process sometimes becomes unresponsive

-

- When you install RHEL, the installation process sometimes becomes unresponsive. The /tmp/packaging.log file displays the following message at the end: -

-
-
10:20:56,416 DDEBUG dnf: RPM transaction over.
-

- To workaround this problem, restart the installation process. -

-

- (BZ#2073510) -

-
-
-
-
-
-

8.4. Shells and command-line tools

-
-
-
-
-

ReaR fails during recovery if the TMPDIR - variable is set in the configuration file

-

- Setting and exporting TMPDIR in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file does not work and is - deprecated. -

-
-

- The ReaR default configuration file /usr/share/rear/conf/default.conf - contains the following instructions: -

-
# To have a specific working area directory prefix for Relax-and-Recover
-# specify in /etc/rear/local.conf something like
-#
-# export TMPDIR="/prefix/for/rear/working/directory"
-#
-# where /prefix/for/rear/working/directory must already exist.
-# This is useful for example when there is not sufficient free space
-# in /tmp or $TMPDIR for the ISO image or even the backup archive.
-

- The instructions mentioned above do not work correctly because the TMPDIR variable has the same value in the rescue environment, which is - not correct if the directory specified in the TMPDIR variable does not - exist in the rescue image. -

-

- As a consequence, setting and exporting TMPDIR in the /etc/rear/local.conf file leads to the following error when the rescue - image is booted : -

-
mktemp: failed to create file via template '/prefix/for/rear/working/directory/tmp.XXXXXXXXXX': No such file or directory
-cp: missing destination file operand after '/etc/rear/mappings/mac'
-Try 'cp --help' for more information.
-No network interface mapping is specified in /etc/rear/mappings/mac
-

- or the following error and abort later, when running rear recover: -

-
ERROR: Could not create build area
-

- To work around this problem, if you want to have a custom temporary directory, specify a custom - directory for ReaR temporary files by exporting the variable in the shell environment before - executing ReaR. For example, execute the export TMPDIR=…​ statement and - then execute the rear command in the same shell session or script. As a - result, the recovery is successful in the described configuration. -

-

- Jira:RHEL-24847 -

-
-

Renaming network interfaces using ifcfg files - fails

-

- On RHEL 9, the initscripts package is not installed by default. - Consequently, renaming network interfaces using ifcfg files fails. - To solve this problem, Red Hat recommends that you use udev rules - or link files to rename interfaces. For further details, see Consistent - network interface device naming and the systemd.link(5) man - page. -

-
-

- If you cannot use one of the recommended solutions, install the initscripts package. -

-

- (BZ#2018112) -

-
-

The chkconfig package is not installed by - default in RHEL 9

-

- The chkconfig package, which updates and queries runlevel - information for system services, is not installed by default in RHEL 9. -

-
-

- To manage services, use the systemctl commands or install the chkconfig package manually. -

-

- For more information about systemd, see Managing - systemd. For instructions on how to use the systemctl utility, - see Managing - system services with systemctl. -

-

- (BZ#2053598) -

-
-
-
-
-
-

8.5. Infrastructure services

-
-
-
-
-

Both bind and unbound disable validation of SHA-1-based signatures

-

- The bind and unbound components - disable validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 - (algorithm number 7) signatures, and the SHA-1 usage for signatures is restricted in the DEFAULT - system-wide cryptographic policy. -

-
-

- As a result, certain DNSSEC records signed with the SHA-1, RSA/SHA1, and RSASHA1-NSEC3-SHA1 digest - algorithms fail to verify in Red Hat Enterprise Linux 9 and the affected domain names become - vulnerable. -

-

- To work around this problem, upgrade to a different signature algorithm, such as RSA/SHA-256 or - elliptic curve keys. -

-

- For more information and a list of top-level domains that are affected and vulnerable, see the DNSSEC records signed with - RSASHA1 fail to verify solution. -

-

- (BZ#2070495) -

-
-

named fails to start if the same writable zone - file is used in multiple zones

-

- BIND does not allow the same writable zone file in multiple zones. Consequently, if a - configuration includes multiple zones which share a path to a file that can be modified by the - named service, named fails to start. - To work around this problem, use the in-view clause to share one - zone between multiple views and make sure to use different paths for different zones. For - example, include the view names in the path. -

-
-

- Note that writable zone files are typically used in zones with allowed dynamic updates, slave zones, - or zones maintained by DNSSEC. -

-

- (BZ#1984982) -

-
-

Setting the console keymap requires the libxkbcommon library on your minimal install

-

- In RHEL 9, certain systemd library dependencies have been converted - from dynamic linking to dynamic loading, so that your system opens and uses the libraries at - runtime when they are available. With this change, a functionality that depends on such - libraries is not available unless you install the necessary library. This also affects setting - the keyboard layout on systems with a minimal install. As a result, the localectl --no-convert set-x11-keymap gb command fails. -

-
-

- To work around this problem, install the libxkbcommon library: -

-
# dnf install libxkbcommon
-

- (BZ#2214130) -

-
-
-
-
-
-

8.6. Security

-
-
-
-
-

OpenSSL does not detect if a PKCS #11 token - supports the creation of raw RSA or RSA-PSS signatures

-

- The TLS 1.3 protocol requires support for RSA-PSS signatures. If a PKCS #11 token does not - support raw RSA or RSA-PSS signatures, server applications that use the OpenSSL library fail to work with an RSA - key if the key is held by the PKCS #11 token. As a result, TLS - communication fails in the described scenario. -

-
-

- To work around this problem, configure servers and clients to use TLS version 1.2 as the highest TLS - protocol version available. -

-

- (BZ#1681178) -

-
-

OpenSSL incorrectly handles PKCS #11 tokens - that does not support raw RSA or RSA-PSS signatures

-

- The OpenSSL library does not detect key-related capabilities of - PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created - with a token that does not support raw RSA or RSA-PSS signatures. -

-
-

- To work around the problem, add the following lines after the .include - line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file: -

-
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
-MaxProtocol = TLSv1.2
-

- As a result, a TLS connection can be established in the described scenario. -

-

- (BZ#1685470) -

-
-

Cryptography not approved by FIPS works in OpenSSL in FIPS mode -

-

- Cryptography that is not FIPS-approved works in the OpenSSL toolkit regardless of system - settings. Consequently, you can use cryptographic algorithms and ciphers that should be disabled - when the system is running in FIPS mode, for example: -

-
-
-
    -
  • - TLS cipher suites using the RSA key exchange work. -
  • -
  • - RSA-based algorithms for public-key encryption and decryption work despite using the PKCS #1 - and SSLv23 paddings or using keys shorter than 2048 bits. -
  • -
-
-

- (BZ#2053289) -

-
-

OpenSSL cannot use engines in FIPS mode

-

- Engine API is deprecated in OpenSSL 3.0 and is incompatible with OpenSSL Federal Information - Processing Standards (FIPS) implementation and other FIPS-compatible implementations. Therefore, - OpenSSL cannot run engines in FIPS mode. There is no workaround for this problem. -

-
-

- (BZ#2087253) -

-
-

PSK ciphersuites do not work with the FUTURE - crypto policy

-

- Pre-shared key (PSK) ciphersuites are not recognized as performing perfect forward secrecy (PFS) - key exchange methods. As a consequence, the ECDHE-PSK and DHE-PSK ciphersuites do not work with OpenSSL configured to SECLEVEL=3, for example with the FUTURE - crypto policy. As a workaround, you can set a less restrictive crypto policy or set a lower - security level (SECLEVEL) for applications that use PSK - ciphersuites. -

-
-

- (BZ#2060044) -

-
-

GnuPG incorrectly allows using SHA-1 signatures even if disallowed by crypto-policies

-

- The GNU Privacy Guard (GnuPG) cryptographic software can create and verify signatures that use - the SHA-1 algorithm regardless of the settings defined by the system-wide cryptographic - policies. Consequently, you can use SHA-1 for cryptographic purposes in the DEFAULT cryptographic policy, which is not consistent with the - system-wide deprecation of this insecure algorithm for signatures. -

-
-

- To work around this problem, do not use GnuPG options that involve SHA-1. As a result, you will - prevent GnuPG from lowering the default system security by using the non-secure SHA-1 signatures. -

-

- (BZ#2070722) -

-
-

Some OpenSSH operations do not used FIPS-approved interfaces

-

- The OpenSSL cryptographic library, which is used by OpenSSH, provides two interfaces: legacy and - modern. Because of changes to OpenSSL internals, only the modern interfaces use FIPS-certified - implementations of cryptographic algorithms. Because OpenSSH uses legacy interfaces for some - operations, it does not comply with FIPS requirements. -

-
-

- (BZ#2087121) -

-
-

gpg-agent does not work as an SSH agent in - FIPS mode

-

- The gpg-agent tool creates MD5 fingerprints when adding keys to the - ssh-agent program even though FIPS mode disables the MD5 digest. - Consequently, the ssh-add utility fails to add the keys to the - authentication agent. -

-
-

- To work around the problem, create the ~/.gnupg/sshcontrol file without - using the gpg-agent --daemon --enable-ssh-support command. For example, - you can paste the output of the gpg --list-keys command in the <FINGERPRINT> 0 format to ~/.gnupg/sshcontrol. As a result, gpg-agent - works as an SSH authentication agent. -

-

- (BZ#2073567) -

-
-

SELinux staff_u users can incorrectly switch - to unconfined_r

-

- When the secure_mode boolean is enabled, staff_u users can incorrectly switch to the unconfined_r role. As a consequence, staff_u users can perform privileged operations affecting the - security of the system. -

-
-

- (BZ#2021529) -

-
-

Default SELinux policy allows unconfined executables to make their stack - executable

-

- The default state of the selinuxuser_execstack boolean in the - SELinux policy is on, which means that unconfined executables can make their stack executable. - Executables should not use this option, and it might indicate poorly coded executables or a - possible attack. However, due to compatibility with other tools, packages, and third-party - products, Red Hat cannot change the value of the boolean in the default policy. If your scenario - does not depend on such compatibility aspects, you can turn the boolean off in your local policy - by entering the command setsebool -P selinuxuser_execstack off. -

-
-

- (BZ#2064274) -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service - enable or disable state remediation is - not needed. Consequently, OpenSCAP might set the services on the installed system to a - non-compliant state. As a workaround, you can scan and remediate the system after the kickstart - installation. This will fix the service-related issues. -

-
-

- (BZ#1834716) -

-
-

SSH timeout rules in STIG profiles configure incorrect options

-

- An update of OpenSSH affected the rules in the following Defense Information Systems Agency - Security Technical Implementation Guide (DISA STIG) profiles: -

-
-
-
    -
  • - DISA STIG for RHEL 9 (xccdf_org.ssgproject.content_profile_stig) -
  • -
  • - DISA STIG with GUI for RHEL 9 (xccdf_org.ssgproject.content_profile_stig_gui) -
  • -
-
-

- In each of these profiles, the following two rules are affected: -

-
Title: Set SSH Client Alive Count Max to zero
-CCE Identifier: CCE-90271-8
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
-
-Title: Set SSH Idle Timeout Interval
-CCE Identifier: CCE-90811-1
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
-

- When applied to SSH servers, each of these rules configures an option (ClientAliveCountMax and ClientAliveInterval) - that no longer behaves as previously. As a consequence, OpenSSH no longer disconnects idle SSH users - when it reaches the timeout configured by these rules. As a workaround, these rules have been - temporarily removed from the DISA STIG for RHEL 9 and DISA STIG with GUI for RHEL 9 profiles until a - solution is developed. -

-

- (BZ#2038978) -

-
-

fagenrules --load does not work - correctly

-

- The fapolicyd service does not correctly handle the signal hang up - (SIGHUP). Consequently, fapolicyd terminates after receiving the - SIGHUP signal. Therefore, the fagenrules --load command does not - work properly, and rule updates require manual restarts of fapolicyd. To work around this problem, restart the fapolicyd service after any change in rules, and as a result fagenrules --load will work correctly. -

-
-

- (BZ#2070655) -

-
-

Ansible remediations require additional collections

-

- With the replacement of Ansible Engine by the ansible-core package, - the list of Ansible modules provided with the RHEL subscription is reduced. As a consequence, - running remediations that use Ansible content included within the scap-security-guide package requires collections from the rhc-worker-playbook package. -

-
-

- For an Ansible remediation, perform the following steps: -

-
-
    -
  1. -

    - Install the required packages: -

    -
    # dnf install -y ansible-core scap-security-guide rhc-worker-playbook
    -
  2. -
  3. - Navigate to the /usr/share/scap-security-guide/ansible - directory: # cd /usr/share/scap-security-guide/ansible -
  4. -
  5. -

    - Run the relevant Ansible playbook using environment variables that define the path to - the additional Ansible collections: -

    -
    # ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -c local -i localhost, rhel9-playbook-cis_server_l1.yml
    -

    - Replace cis_server_l1 with the - ID of the profile against which you want to remediate the system. -

    -
  6. -
-
-

- As a result, the Ansible content is processed correctly. -

-
-
Note
-
-

- Support of the collections provided in rhc-worker-playbook is - limited to enabling the Ansible content sourced in scap-security-guide. -

-
-
-

- (BZ#2105162) -

-
-
-
-
-
-

8.7. Networking

-
-
-
-
-

The nm-cloud-setup service removes - manually-configured secondary IP addresses from interfaces

-

- Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain - cases, other services on the host can configure interfaces as well. For example, these services - could add secondary IP addresses. To avoid that nm-cloud-setup - removes secondary IP addresses: -

-
-
-
    -
  1. -

    - Stop and disable the nm-cloud-setup service and timer: -

    -
    # systemctl disable --now nm-cloud-setup.service nm-cloud-setup.timer
    -
  2. -
  3. -

    - Display the available connection profiles: -

    -
    # nmcli connection show
    -
  4. -
  5. -

    - Reactive the affected connection profiles: -

    -
    # nmcli connection up "<profile_name>"
    -
  6. -
-
-

- As a result, the service no longer removes manually-configured secondary IP addresses from - interfaces. -

-

- (BZ#2151040) -

-
-

An empty rd.znet option in the kernel command - line causes the network configuration to fail

-

- An rd.znet option without any arguments, such as net types or - subchannels, in the kernel fails to configure networking. To work around this problem, either - remove the rd.znet option from the command line completely or - specify relevant net types, subchannels, and other relevant options. For more information about - these options, see the dracut.cmdline(7) man page. -

-
-

- (BZ#1931284) -

-
-

Failure to update the session key causes the connection to break -

-

- Kernel Transport Layer Security (kTLS) protocol does not support updating the session key, which - is used by the symmetric cipher. Consequently, the user cannot update the key, which causes a - connection break. To work around this problem, disable kTLS. As a result, with the workaround, - it is possible to successfully update the session key. -

-
-

- (BZ#2013650) -

-
-

The initscripts package is not installed by - default

-

- By default, the initscripts package is not installed. As a - consequence, the ifup and ifdown - utilities are not available. As an alternative, use the nmcli connection up and nmcli connection down commands to enable and disable connections. If - the suggested alternative does not work for you, report the problem and install the NetworkManager-initscripts-updown package, which provides a - NetworkManager solution for the ifup and ifdown utilities. -

-
-

- (BZ#2082303) -

-
-

The primary IP address of an instance changes after starting the - nm-cloud-setup service in Alibaba Cloud

-

- After launching an instance in the Alibaba Cloud, the nm-cloud-setup service assigns the primary IP address to an instance. - However, if you assign multiple secondary IP addresses to an instance and start the nm-cloud-setup service, the former primary IP address gets replaced - by one of the already assigned secondary IP addresses. The returned list of metadata verifies - the same. To work around the problem, configure secondary IP addresses manually to avoid that - the primary IP address changes. As a result, an instance retains both IP addresses and the - primary IP address does not change. -

-
-

- (BZ#2079849) -

-
-
-
-
-
-

8.8. Kernel

-
-
-
-
-

kdump fails to start on RHEL 9 kernel -

-

- The RHEL 9 kernel does not have the crashkernel=auto parameter - configured as default. Consequently, the kdump service fails to - start by default. -

-
-

- To work around this problem, configure the crashkernel= option to the - required value. -

-

- For example, to reserve 256 MB of memory using the grubby utility, - enter the following command: -

-
# grubby --args crashkernel=256M --update-kernel ALL
-

- As a result, the RHEL 9 kernel starts kdump and uses the configured - memory size value to dump the vmcore file. -

-

- (BZ#1894783) -

-
-

The kdump mechanism fails to capture vmcore on LUKS-encrypted targets

-

- When running kdump on systems with Linux Unified Key Setup (LUKS) - encrypted partitions, systems require a certain amount of available memory. When the available - memory is less than the required amount of memory, the systemd-cryptsetup service fails to mount the partition. - Consequently, the second kernel fails to capture the crash dump file (vmcore) on LUKS-encrypted targets. -

-
-

- With the kdumpctl estimate command, you can query the Recommended crashkernel value, which is the recommended memory size - required for kdump. -

-

- To work around this issue, use following steps to configure the required memory for kdump on LUKS encrypted targets: -

-
-
    -
  1. -

    - Print the estimate crashkernel value: -

    -
    # kdumpctl estimate
    -
  2. -
  3. -

    - Configure the amount of required memory by increasing the crashkernel value: -

    -
    # grubby --args=crashkernel=652M --update-kernel=ALL
    -
  4. -
  5. -

    - Reboot the system for changes to take effect. -

    -
    # reboot
    -
  6. -
-
-

- As a result, kdump works correctly on systems with LUKS-encrypted - partitions. -

-

- (BZ#2017401) -

-
-

Allocating crash kernel memory fails at boot time

-

- On certain Ampere Altra systems, allocating the crash kernel memory for kdump usage fails during boot when the available memory is below 1 - GB. Consequently, the kdumpctl command fails to start the kdump service as the required memory is more than the available - memory size. -

-
-

- As a workaround, decrease the value of the crashkernel parameter by a - minimum of 240 MB to fit the size requirement, for example crashkernel=240M. As a result, the crash kernel memory allocation for - kdump does not fail on Ampere Altra systems. -

-

- (BZ#2065013) -

-
-

kTLS does not support offloading of TLS 1.3 to NICs

-

- Kernel Transport Layer Security (kTLS) does not support offloading of TLS 1.3 to NICs. - Consequently, software encryption is used with TLS 1.3 even when the NICs support TLS offload. - To work around this problem, disable TLS 1.3 if offload is required. As a result, you can - offload only TLS 1.2. When TLS 1.3 is in use, there is lower performance, since TLS 1.3 cannot - be offloaded. -

-
-

- (BZ#2000616) -

-
-

FADump enabled with Secure Boot might lead to GRUB Out of Memory - (OOM)

-

- In the Secure Boot environment, GRUB and PowerVM together allocate a 512 MB memory region, known - as the Real Mode Area (RMA), for boot memory. The region is divided among the boot components - and, if any component exceeds its allocation, out-of-memory failures occur. -

-
-

- Generally, the default installed initramfs file system and the vmlinux symbol table are within the limits to avoid such failures. - However, if Firmware Assisted Dump (FADump) is enabled in the system, the default initramfs size can increase and exceed 95 MB. As a consequence, every - system reboot leads to a GRUB OOM state. -

-

- To avoid this issue, do not use Secure Boot and FADump together. For more information and methods on - how to work around this issue, see link:https://www.ibm.com/support/pages/node/6846531. -

-

- (BZ#2149172) -

-
-

Systems in Secure Boot cannot run dynamic LPAR operations

-

- Users cannot run dynamic logical partition (DLPAR) operations from the Hardware Management - Console (HMC) if either of these conditions are met: -

-
-
-
    -
  • - The Secure Boot feature is enabled that implicitly enables kernel lockdown mechanism in integrity mode. -
  • -
  • - The kernel lockdown mechanism is manually enabled in integrity - or confidentiality mode. -
  • -
-
-

- In RHEL 9, kernel lockdown completely blocks Run Time Abstraction - Services (RTAS) access to system memory accessible through the /dev/mem - character device file. Several RTAS calls require write access to /dev/mem to function properly. Consequently, RTAS calls do not execute - correctly and users see the following error message: -

-
HSCL2957 Either there is currently no RMC connection between the management console and the partition <LPAR name> or the partition does not support dynamic partitioning operations. Verify the network setup on the management console and the partition and ensure that any firewall authentication between the management console and the partition has occurred. Run the management console diagrmc command to identify problems that might be causing no RMC connection.
-

- (BZ#2083106) -

-
-

dkms provides an incorrect warning on program - failure with correctly compiled drivers on 64-bit ARM CPUs

-

- The Dynamic Kernel Module Support (dkms) utility does not recognize - that the kernel headers for 64-bit ARM CPUs work for both the kernels with 4 kilobytes and 64 - kilobytes page sizes. As a result, when the kernel update is performed and the kernel-64k-devel package is not installed, dkms provides an incorrect warning on why the program failed on - correctly compiled drivers. To work around this problem, install the kernel-headers package, which contains header files for both types of - ARM CPU architectures and is not specific to dkms and its - requirements. -

-
-

- (JIRA:RHEL-25967) -

-
-
-
-
-
-

8.9. Boot loader

-
-
-
-
-

New kernels lose previous command-line options

-

- The GRUB boot loader does not apply custom, previously configured kernel command-line options to - new kernels. Consequently, when you upgrade the kernel package, the system behavior might change - after reboot due to the missing options. -

-
-

- To work around the problem, manually add all custom kernel command-line options after each kernel - upgrade. As a result, the kernel applies custom options as expected, until the next kernel upgrade. -

-

- (BZ#1969362) -

-
-
-
-
-
-

8.10. File systems and storage

-
-
-
-
-

Device Mapper Multipath is not supported with NVMe/TCP

-

- Using Device Mapper Multipath with the nvme-tcp driver can result - in the Call Trace warnings and system instability. To work around this problem, NVMe/TCP users - must enable native NVMe multipathing and not use the device-mapper-multipath tools with NVMe. -

-
-

- By default, Native NVMe multipathing is enabled in RHEL 9. For more information, see Enabling - multipathing on NVMe devices. -

-

- (BZ#2033080) -

-
-

The blk-availability systemd service - deactivates complex device stacks

-

- In systemd, the default block deactivation code does not always - handle complex stacks of virtual block devices correctly. In some configurations, virtual - devices might not be removed during the shutdown, which causes error messages to be logged. To - work around this problem, deactivate complex block device stacks by executing the following - command: -

-
-
# systemctl enable --now blk-availability.service
-

- As a result, complex virtual device stacks are correctly deactivated during shutdown and do not - produce error messages. -

-

- (BZ#2011699) -

-
-

Invalid sysfs value for supported_speeds

-

- The qla2xxx driver reports 20Gb/s instead of the expected 64Gb/s as - one of the supported port speeds in the sysfs supported_speeds - attribute: -

-
-
$ cat /sys/class/fc_host/host12/supported_speeds
-16 Gbit, 32 Gbit, 20 Gbit
-

- As a consequence, if the HBA supports 64Gb/s link speed, the sysfs supported_speeds value is incorrect. This affects only the supported_speeds value of sysfs and the port - operates at the expected negotiated link rate. -

-

- (BZ#2069758) -

-
-

Unable to connect to NVMe namespaces from Broadcom initiator on AMD EPYC - systems

-

- By default, the RHEL kernel enables the IOMMU on AMD-based platforms. Consequently, when you use - IOMMU-enabled platforms on servers with AMD processors, you might experience NVMe I/O problems, - such as I/Os failing due to transfer length mismatches. -

-
-

- To work around this problem, add the IOMMU in passthrough mode by using the kernel command-line - option, iommu=pt. As a result, you can now connect to NVMe namespaces - from Broadcom initiator on AMD EPYC systems. -

-

- (BZ#2073541) -

-
-
-
-
-
-

8.11. Dynamic programming languages, web and database servers

-
-
-
-
-

The --ssl-fips-mode option in MySQL and MariaDB does not change - FIPS mode

-

- The --ssl-fips-mode option in MySQL - and MariaDB in RHEL works differently than in upstream. -

-
-

- In RHEL 9, if you use --ssl-fips-mode as an argument for the mysqld or mariadbd daemon, or if you use - ssl-fips-mode in the MySQL or MariaDB server configuration files, --ssl-fips-mode does not change FIPS mode for these database servers. -

-

- Instead: -

-
-
    -
  • - If you set --ssl-fips-mode to ON, - the mysqld or mariadbd server - daemon does not start. -
  • -
  • - If you set --ssl-fips-mode to OFF - on a FIPS-enabled system, the mysqld or mariadbd server daemons still run in FIPS mode. -
  • -
-
-

- This is expected because FIPS mode should be enabled or disabled for the whole RHEL system, not for - specific components. -

-

- Therefore, do not use the --ssl-fips-mode option in MySQL or MariaDB in RHEL. Instead, ensure - FIPS mode is enabled on the whole RHEL system: -

-
-
    -
  • - Preferably, install RHEL with FIPS mode enabled. Enabling FIPS mode during the installation - ensures that the system generates all keys with FIPS-approved algorithms and continuous - monitoring tests in place. For information about installing RHEL in FIPS mode, see Installing - the system in FIPS mode. -
  • -
  • - Alternatively, you can switch FIPS mode for the entire RHEL system by following the - procedure in Switching - the system to FIPS mode. -
  • -
-
-

- (BZ#1991500) -

-
-
-
-
-
-

8.12. Compilers and development tools

-
-
-
-
-

Certain symbol-based probes do not work in SystemTap on the 64-bit ARM architecture

-

- Kernel configuration disables certain functionality needed for SystemTap. Consequently, some symbol-based probes do not work on the - 64-bit ARM architecture. As a result, affected SystemTap scripts - may not run or may not collect hits on desired probe points. -

-
-

- Note that this bug has been fixed for the remaining architectures with the release of the RHBA-2022:5259 advisory. -

-

- (BZ#2083727) -

-
-
-
-
-
-

8.13. Identity Management

-
-
-
-
-

RHEL 9 Kerberos client fails to authenticate a user using PKINIT against - Heimdal KDC

-

- During the PKINIT authentication of an IdM user on a RHEL 9 Kerberos client, the Heimdal - Kerberos Distribution Center (KDC) on RHEL 9 or earlier uses the SHA-1 backup signature - algorithm because the Kerberos client does not support the supportedCMSTypes field. However, the SHA-1 algorithm has been - deprecated in RHEL 9 and therefore the user authentication fails. -

-
-

- To work around this problem, enable support for the SHA-1 algorithm on your RHEL 9 clients with the - following command: -

-
# update-crypto-policies --set DEFAULT:SHA1
-

- As a result, PKINIT authentication works between the Kerberos client and Heimdal KDC. -

-

- For more details about supported backup signature algorithms, see Kerberos Encryption - Types Defined for CMS Algorithm Identifiers. -

-

- See also The - PKINIT authentication of a user fails if a RHEL 9 Kerberos agent communicates with a non-RHEL 9 - Kerberos agent. -

-

- (BZ#2068935) -

-
-

The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent - communicates with a non-RHEL 9 Kerberos agent

-

- If a RHEL 9 Kerberos agent interacts with another, non-RHEL 9 Kerberos agent in your - environment, the Public Key Cryptography for initial authentication (PKINIT) authentication of a - user fails. To work around the problem, perform one of the following actions: -

-
-
-
    -
  • -

    - Set the RHEL 9 agent’s crypto-policy to DEFAULT:SHA1 to - allow the verification of SHA-1 signatures: -

    -
    # update-crypto-policies --set DEFAULT:SHA1
    -
  • -
  • -

    - Update the non-RHEL 9 agent to ensure it does not sign CMS data using the SHA-1 - algorithm. For this, update your Kerberos packages to the versions that use SHA-256 - instead of SHA-1: -

    -
    -
      -
    • - CentOS 9 Stream: krb5-1.19.1-15 -
    • -
    • - RHEL 8.7: krb5-1.18.2-17 -
    • -
    • - RHEL 7.9: krb5-1.15.1-53 -
    • -
    • - Fedora Rawhide/36: krb5-1.19.2-7 -
    • -
    • - Fedora 35/34: krb5-1.19.2-3 -
    • -
    -
    -
  • -
-
-

- You must perform one of these actions regardless of whether the non-patched agent is a Kerberos - client or the Kerberos Distribution Center (KDC). -

-

- As a result, the PKINIT authentication of a user works correctly. -

-

- Note that for other operating systems, it is the krb5-1.20 release that ensures that the agent signs - CMS data with SHA-256 instead of SHA-1. -

-

- See also The - DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against older RHEL - KDCs and AD KDCs. -

-

- (BZ#2077450) -

-
-

The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to - work against older RHEL KDCs and AD KDCs

-

- The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key - Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 - algorithm. -

-
-

- While SHA-256 is used by default starting with RHEL 7.9 and RHEL 8.7, older Kerberos Key - Distribution Centers (KDCs) on RHEL 7.8 and RHEL 8.6 and earlier still use the SHA-1 digest - algorithm to sign CMS messages. So does the Active Directory (AD) KDC. -

-

- As a result, RHEL 9 Kerberos clients fail to authenticate users using PKINIT against the following: -

-
-
    -
  • - KDCs running on RHEL 7.8 and earlier -
  • -
  • - KDCs running on RHEL 8.6 and earlier -
  • -
  • - AD KDCs -
  • -
-
-

- To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the - following command: -

-
 # update-crypto-policies --set DEFAULT:SHA1
-

- See also RHEL - 9 Kerberos client fails to authenticate a user using PKINIT against Heimdal KDC. -

-

- (BZ#2060798) -

-
-

FIPS support for AD trust requires the AD-SUPPORT crypto - sub-policy

-

- Active Directory (AD) uses AES SHA-1 HMAC encryption types, which are not allowed in FIPS mode - on RHEL 9 by default. If you want to use RHEL 9 IdM hosts with an AD trust, enable support for - AES SHA-1 HMAC encryption types before installing IdM software. -

-
-

- Since FIPS compliance is a process that involves both technical and organizational agreements, - consult your FIPS auditor before enabling the AD-SUPPORT sub-policy to - allow technical measures to support AES SHA-1 HMAC encryption types, and then install RHEL IdM: -

-
 # update-crypto-policies --set FIPS:AD-SUPPORT
-

- (BZ#2057471) -

-
-

Directory Server terminates unexpectedly when started in referral - mode

-

- Due to a bug, global referral mode does not work in Directory Server. If you start the ns-slapd process with the refer option - as the dirsrv user, Directory Server ignores the port settings and - terminates unexpectedly. Trying to run the process as the root user - changes SELinux labels and prevents the service from starting in future in normal mode. There - are no workarounds available. -

-
-

- (BZ#2053204) -

-
-

Configuring a referral for a suffix fails in Directory Server

-

- If you set a back-end referral in Directory Server, setting the state of the backend using the - dsconf <instance_name> backend suffix set --state referral - command fails with the following error: -

-
-
Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state
-

- As a consequence, configuring a referral for suffixes fail. To work around the problem: -

-
-
    -
  1. -

    - Set the nsslapd-referral parameter manually: -

    -
    # ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com
    -
    -dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
    -changetype: modify
    -add: nsslapd-referral
    -nsslapd-referral: ldap://remote_server:389/dc=example,dc=com
    -
  2. -
  3. -

    - Set the back-end state: -

    -
    # dsconf <instance_name> backend suffix set --state referral
    -
  4. -
-
-

- As a result, with the workaround, you can configure a referral for a suffix. -

-

- (BZ#2063140) -

-
-

The dsconf utility has no option to create - fix-up tasks for the entryUUID plug-in

-

- The dsconf utility does not provide an option to create fix-up - tasks for the entryUUID plug-in. As a result, administrators cannot - not use dsconf to create a task to automatically add entryUUID attributes to existing entries. As a workaround, create a - task manually: -

-
-
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
-
-dn: cn=entryuuid_fixup___<time_stamp__,cn=entryuuid task,cn=tasks,cn=config
-objectClass: top
-objectClass: extensibleObject
-basedn: __<fixup base tree>__
-cn: entryuuid_fixup___<time_stamp>__
-filter: __<filtered_entry>__
-

- After the task has been created, Directory Server fixes entries with missing or invalid entryUUID attributes. -

-

- (BZ#2047175) -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- (JIRA:RHELPLAN-155168) -

-
-
-
-
-
-

8.14. Desktop

-
-
-
-
-

Firefox add-ons are disabled after upgrading to RHEL 9

-

- If you upgrade from RHEL 8 to RHEL 9, all add-ons that you previously enabled in Firefox are - disabled. -

-
-

- To work around the problem, manually reinstall or update the add-ons. As a result, the add-ons are - enabled as expected. -

-

- (BZ#2013247) -

-
-

VNC is not running after upgrading to RHEL 9

-

- After upgrading from RHEL 8 to RHEL 9, the VNC server fails to start, even if it was previously - enabled. -

-
-

- To work around the problem, manually enable the vncserver service after - the system upgrade: -

-
# systemctl enable --now vncserver@:port-number
-

- As a result, VNC is now enabled and starts after every system boot as expected. -

-

- (BZ#2060308) -

-
-
-
-
-
-

8.15. Graphics infrastructures

-
-
-
-
-

Matrox G200e shows no output on a VGA display

-

- Your display might show no graphical output if you use the following system configuration: -

-
-
-
    -
  • - The Matrox G200e GPU -
  • -
  • - A display connected over the VGA controller -
  • -
-
-

- As a consequence, you cannot use or install RHEL on this configuration. -

-

- To work around the problem, use the following procedure: -

-
-
    -
  1. - Boot the system to the boot loader menu. -
  2. -
  3. - Add the module_blacklist=mgag200 option to the kernel command - line. -
  4. -
-
-

- As a result, RHEL boots and shows graphical output as expected, but the maximum resolution is - limited to 1024x768 at the 16-bit color depth. -

-

- (BZ#1960467) -

-
-

X.org configuration utilities do not work under Wayland

-

- X.org utilities for manipulating the screen do not work in the Wayland session. Notably, the - xrandr utility does not work under Wayland due to its different - approach to handling, resolutions, rotations, and layout. -

-
-

- (JIRA:RHELPLAN-121049) -

-
-

NVIDIA drivers might revert to X.org

-

- Under certain conditions, the proprietary NVIDIA drivers disable the Wayland display protocol - and revert to the X.org display server: -

-
-
-
    -
  • - If the version of the NVIDIA driver is lower than 470. -
  • -
  • - If the system is a laptop that uses hybrid graphics. -
  • -
  • - If you have not enabled the required NVIDIA driver options. -
  • -
-
-

- Additionally, Wayland is enabled but the desktop session uses X.org by default if the version of the - NVIDIA driver is lower than 510. -

-

- (JIRA:RHELPLAN-119001) -

-
-

Night Light is not available on Wayland with NVIDIA

-

- When the proprietary NVIDIA drivers are enabled on your system, the Night Light feature of GNOME is not available - in Wayland sessions. The NVIDIA drivers do not currently support Night Light. -

-
-

- (JIRA:RHELPLAN-119852) -

-
-
-
-
-
-

8.16. The web console

-
-
-
-
-

Removing USB host devices using the web console does not work as - expected

-

- When you attach a USB device to a virtual machine (VM), the device number and bus number of the - USB device might change after they are passed to the VM. As a consequence, using the web console - to remove such devices fails due to the incorrect correlation of the device and bus numbers. To - workaround this problem, remove the <hostdev> part of the USB - device, from the VM’s XML configuration. -

-
-

- (JIRA:RHELPLAN-109067) -

-
-

Attaching multiple host devices using the web console does not - work

-

- When you select multiple devices to attach to a virtual machine (VM) using the web console, only - a single device is attached and the rest are ignored. To work around this problem, attach only - one device at a time. -

-
-

- (JIRA:RHELPLAN-115603) -

-
-
-
-
-
-

8.17. Virtualization

-
-
-
-
-

Installing a virtual machine over https in some cases fails

-

- Currently, the virt-install utility fails when attempting to - install a guest operating system from an ISO source over a https connection - for example using - virt-install --cdrom https://example/path/to/image.iso. Instead of - creating a virtual machine (VM), the described operation terminates unexpectedly with an internal error: process exited while connecting to monitor message. -

-
-

- To work around this problem, install qemu-kvm-block-curl on the host to - enable https protocol support. Alternatively, use a different connection protocol or a different - installation source. -

-

- (BZ#2014229) -

-
-

Using NVIDIA drivers in virtual machines disables Wayland

-

- Currently, NVIDIA drivers are not compatible with the Wayland graphical session. As a - consequence, RHEL guest operating systems that use NVIDIA drivers automatically disable Wayland - and load an Xorg session instead. This primarily occurs in the following scenarios: -

-
-
-
    -
  • - When you pass through an NVIDIA GPU device to a RHEL virtual machine (VM) -
  • -
  • - When you assign an NVIDIA vGPU mediated device to a RHEL VM -
  • -
-
-

- (JIRA:RHELPLAN-117234) -

-
-

The Milan VM CPU type is sometimes not - available on AMD Milan systems

-

- On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and - Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS - by default. Consequently, the 'Milan' CPU type might not be available on these systems. In - addition, VM live migration between Milan hosts with different feature flag settings might fail. - To work around these problems, manually turn on erms and fsrm in the BIOS of your host. -

-
-

- (BZ#2077767) -

-
-

Network traffic performance in virtual machines might be reduced -

-

- In some cases, RHEL 9.0 guest virtual machines (VMs) have somewhat decreased performance when - handling high levels of network traffic. -

-
-

- (BZ#1945040) -

-
-

Disabling AVX causes VMs to become unbootable

-

- On a host machine that uses a CPU with Advanced Vector Extensions (AVX) support, attempting to - boot a VM with AVX explicitly disabled currently fails, and instead triggers a kernel panic in - the VM. -

-
-

- (BZ#2005173) -

-
-

Failover virtio NICs are not assigned an IP address on Windows virtual - machines

-

- Currently, when starting a Windows virtual machine (VM) with only a failover virtio NIC, the VM - fails to assign an IP address to the NIC. Consequently, the NIC is unable to set up a network - connection. Currently, there is no workaround. -

-
-

- (BZ#1969724) -

-
-

A hostdev interface with failover settings - cannot be hot-plugged after being hot-unplugged

-

- After removing a hostdev network interface with failover - configuration from a running virtual machine (VM), the interface currently cannot be re-attached - to the same running VM. -

-
-

- (BZ#2052424) -

-
-

Live post-copy migration of VMs with failover VFs fails

-

- Currently, attempting to post-copy migrate a running virtual machine (VM) fails if the VM uses a - device with the virtual function (VF) failover capability enabled. To work around the problem, - use the standard migration type, rather than post-copy migration. -

-
-

- (BZ#1817965, BZ#1789206) -

-
-
-
-
-
-

8.18. RHEL in cloud environments

-
-
-
-
-

SR-IOV performs suboptimally in ARM 64 RHEL 9 virtual machines on - Azure

-

- Currently, SR-IOV networking devices have significantly lower throughout and higher latency than - expected in ARM 64 RHEL 9 virtual machines VMs running on a Microsoft Azure platform. -

-
-

- (BZ#2068432) -

-
-

Mouse is not usable in RHEL 9 VMs on XenServer 7 with console - proxy

-

- When running a RHEL 9 virtual machine (VM) on a XenServer 7 platform with a console proxy, it is - not possible to use the mouse in the VM’s GUI. To work around this problem, disable the Wayland - compositor protocol in the VM as follows: -

-
-
-
    -
  1. - Open the /etc/gdm/custom.conf file. -
  2. -
  3. - Uncomment the WaylandEnable=false line. -
  4. -
  5. - Save the file. -
  6. -
-
-

- In addition, note that Red Hat does not support XenServer as a platform for running RHEL VMs, and - discourages using XenServer with RHEL in production environments. -

-

- (BZ#2019593) -

-
-

Cloning or restoring RHEL 9 virtual machines that use LVM on Nutanix AHV - causes non-root partitions to disappear

-

- When running a RHEL 9 guest operating system on a virtual machine (VM) hosted on the Nutanix AHV - hypervisor, restoring the VM from a snapshot or cloning the VM currently causes non-root - partitions in the VM to disappear if the guest is using Logical Volume Management (LVM). As a - consequence, the following problems occur: -

-
-
-
    -
  • - After restoring the VM from a snapshot, the VM cannot boot, and instead enters emergency - mode. -
  • -
  • - A VM created by cloning cannot boot, and instead enters emergency mode. -
  • -
-
-

- To work around these problems, do the following in emergency mode of the VM: -

-
-
    -
  1. - Remove the LVM system devices file: rm /etc/lvm/devices/system.devices -
  2. -
  3. - Recreate LVM device settings: vgimportdevices -a -
  4. -
  5. - Reboot the VM -
  6. -
-
-

- This makes it possible for the cloned or restored VM to boot up correctly. -

-

- (BZ#2059545) -

-
-

The SR-IOV functionality of a network adapter attached to a Hyper-V virtual - machine might not work

-

- Currently, when attaching a network adapter with single-root I/O virtualization (SR-IOV) enabled - to a RHEL 9 virtual machine (VM) running on Microsoft Hyper-V hypervisor, the SR-IOV - functionality in some cases does not work correctly. -

-
-

- To work around this problem, disable SR-IOV in the VM configuration, and then enable it again. -

-
-
    -
  1. - In the Hyper-V Manager window, right-click the VM. -
  2. -
  3. - In the contextual menu, navigate to Settings/Network Adapter/Hardware Acceleration. -
  4. -
  5. - Uncheck Enable SR-IOV. -
  6. -
  7. - Click Apply. -
  8. -
  9. - Repeat steps 1 and 2 to navigate to the Enable SR-IOV option - again. -
  10. -
  11. - Check Enable SR-IOV. -
  12. -
  13. - Click Apply. -
  14. -
-
-

- (BZ#2030922) -

-
-

Customizing RHEL 9 guests on ESXi sometimes causes networking - problems

-

- Currently, customizing a RHEL 9 guest operating system in the VMware ESXi hypervisor does not - work correctly with NetworkManager key files. As a consequence, if the guest is using such a key - file, it will have incorrect network settings, such as the IP address or the gateway. -

-
-

- For details and workaround instructions, see the VMware Knowledge Base. -

-

- (BZ#2037657) -

-
-
-
-
-
-

8.19. Supportability

-
-
-
-
-

Timeout when running sos report on IBM Power - Systems, Little Endian

-

- When running the sos report command on IBM Power Systems, Little - Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of - 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the - plugin’s timeout accordingly: -

-
-
-
    -
  • - For one-time setting, run: -
  • -
-
-
# sos report -k processor.timeout=1800
-
-
    -
  • - For a permanent change, edit the [plugin_options] section of - the /etc/sos/sos.conf file: -
  • -
-
-
[plugin_options]
-# Specify any plugin options and their values here. These options take the form
-# plugin_name.option_name = value
-#rpm.rpmva = off
-processor.timeout = 1800
-

- The example value is set to 1800. The particular timeout value highly depends on a specific system. - To set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one - plugin with no timeout by running the following command: -

-
# time sos report -o processor -k processor.timeout=0 --batch --build
-

- (BZ#1869561) -

-
-
-
-
-
-

8.20. Containers

-
-
-
-
-

Container images signed with a Beta GPG key can not be pulled

-

- Currently, when you try to pull RHEL 9 Beta container images, podman exits with the error message: Error: Source image rejected: None of the signatures were accepted. - The images fail to be pulled due to current builds being configured to not trust the RHEL Beta - GPG keys by default. -

-
-

- As a workaround, ensure that the Red Hat Beta GPG key is stored on your local system and update the - existing trust scope with the podman image trust set command for the - appropriate beta namespace. -

-

- If you do not have the Beta GPG key stored locally, you can pull it by running the following - command: -

-
sudo wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta https://www.redhat.com/security/data/f21541eb.txt
-

- To add the Beta GPG key as trusted to your namespace, use one of the following commands: -

-
$ sudo podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta registry.access.redhat.com/namespace
-

- and -

-
$ sudo podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta registry.redhat.io/namespace
-

- Replace namespace with ubi9-beta or rhel9-beta. -

-

- (BZ#2020026) -

-
-

Podman fails to pull a container "X509: certificate signed by unknown - authority"

-

- If you have your own internal registry signed by our own CA certificate, then you have to import - the certificate onto your host machine. Otherwise, an error occurs: -

-
-
x509: certificate signed by unknown authority
-

- Import the CA certificates on your host: -

-
# cd /etc/pki/ca-trust/source/anchors/
-[anchors]# curl -O <your_certificate>.crt
-
-[anchors]# update-ca-trust
-

- Then you can pull container images from the internal registry. -

-

- (BZ#2027576) -

-
-

Running systemd within an older container image does not work

-

- Running systemd within an older container image, for example, centos:7, does not work: -

-
-
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd
-Storing signatures
-Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
-[!!!!!!] Failed to mount API filesystems, freezing.
-

- To work around this problem, use the following commands: -

-
# mkdir /sys/fs/cgroup/systemd
-# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
-# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
-

- (JIRA:RHELPLAN-96940) -

-
-

podman system connection add and podman image scp fails

-

- Podman uses SHA-1 hashes for the RSA key exchange. The regular SSH connection among machines - using RSA keys works, while the podman system connection add and - podman image scp commands do not work using the same RSA keys, - because the SHA-1 hashes are not accepted for key exchange on RHEL 9: -

-
-
$ podman system connection add --identity ~/.ssh/id_rsa test_connection $REMOTE_SSH_MACHINE
-Error: failed to connect: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
-

- To work around this problem, use the ED25519 keys: -

-
-
    -
  1. -

    - Connect to the remote machine: -

    -
    $ ssh -i ~/.ssh/id_ed25519 $REMOTE_SSH_MACHINE
    -
  2. -
  3. -

    - Record ssh destination for the Podman service: -

    -
    $ podman system connection add --identity ~/.ssh/id_ed25519 test_connection $REMOTE_SSH_MACHINE
    -
  4. -
  5. -

    - Verify that the ssh destination was recorded: -

    -
    $ podman system connection list
    -
  6. -
-
-

- Note that with the release of the RHBA-2022:5951 advisory, the problem - has been fixed. -

-

- (JIRA:RHELPLAN-121180) -

-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA IDs are listed in this document for reference. Bugzilla bugs that are publicly - accessible include a link to the ticket. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- BZ#2024693, - BZ#1805717, BZ#1779685, BZ#2053204, BZ#2063140, BZ#2047175 -

-
-

- ModemManager -

-
-

- BZ#1996716 -

-
-

- NetworkManager -

-
-

- BZ#1980387, BZ#1949127, - BZ#2060013, BZ#1931284, BZ#1894877, BZ#2079849 -

-
-

- RHCOS -

-
-

- BZ#2008521 -

-
-

- WALinuxAgent -

-
-

- BZ#1972101 -

-
-

- alsa-lib -

-
-

- BZ#2015863 -

-
-

- anaconda -

-
-

- BZ#1951709, BZ#1978264, BZ#2025953, BZ#2009403, BZ#2050140, - BZ#1877697, BZ#1914955, BZ#1929105, - BZ#1983602, BZ#1997832, BZ#2008792 -

-
-

- ansible-collection-microsoft-sql -

-
-

- BZ#2064648, BZ#2064690 -

-
-

- ansible-collection-redhat-rhel_mgmt -

-
-

- BZ#2023381 -

-
-

- ansible-pcp -

-
-

- BZ#1957566 -

-
-

- bash -

-
-

- BZ#2079078 -

-
-

- bind -

-
-

- BZ#1984982 -

-
-

- binutils -

-
-

- BZ#2030554 -

-
-

- boost -

-
-

- BZ#1957950 -

-
-

- chrony -

-
-

- BZ#1961131 -

-
-

- clevis -

-
-

- BZ#1956760 -

-
-

- cloud-init -

-
-

- BZ#2040090, BZ#2042351 -

-
-

- cmake -

-
-

- BZ#1957948 -

-
-

- container-tools -

-
-

- BZ#2000871 -

-
-

- containers-common -

-
-

- BZ#2019901 -

-
-

- crash -

-
-

- BZ#1896647 -

-
-

- createrepo_c -

-
-

- BZ#2055032 -

-
-

- crypto-policies -

-
-

- BZ#2004207, - BZ#2013195 -

-
-

- cyrus-sasl -

-
-

- BZ#1947971, - BZ#1995600 -

-
-

- device-mapper-multipath -

-
-

- BZ#2017979, BZ#2017592, - BZ#2011699 -

-
-

- distribution -

-
-

- BZ#1878583 -

-
-

- dnf -

-
-

- BZ#2005305, BZ#2073510 -

-
-

- dotnet6.0 -

-
-

- BZ#1986211 -

-
-

- edk2 -

-
-

- BZ#1935497 -

-
-

- eigen3 -

-
-

- BZ#2032423 -

-
-

- fapolicyd -

-
-

- BZ#2032408, - BZ#1932225, BZ#2054740, BZ#2070655 -

-
-

- fence-agents -

-
-

- BZ#1977588 -

-
-

- fetchmail -

-
-

- BZ#1999276 -

-
-

- fido-device-onboard -

-
-

- BZ#1989930 -

-
-

- firefox -

-
-

- BZ#1764205, BZ#2013247 -

-
-

- firewalld -

-
-

- BZ#2029211 -

-
-

- freeradius -

-
-

- BZ#1978216 -

-
-

- gcc -

-
-

- BZ#1986836, - BZ#1481850 -

-
-

- gdb -

-
-

- BZ#1870029, BZ#1870031 -

-
-

- gfs2-utils -

-
-

- BZ#1616432 -

-
-

- gimp -

-
-

- BZ#2047161 -

-
-

- git -

-
-

- BZ#1956345 -

-
-

- glibc -

-
-

- BZ#2023422, BZ#2024347 -

-
-

- gnome-shell-extension-background-logo -

-
-

- BZ#2057150 -

-
-

- gnome-shell-extensions -

-
-

- BZ#2031186 -

-
-

- gnupg2 -

-
-

- BZ#2070722, BZ#2073567 -

-
-

- gnutls -

-
-

- BZ#2033220, BZ#1999639 -

-
-

- golang -

-
-

- BZ#2014087, BZ#1984110 -

-
-

- grafana-pcp -

-
-

- BZ#1993156, BZ#1845592 -

-
-

- grafana -

-
-

- BZ#1993215 -

-
-

- grub2 -

-
-

- BZ#2026579 -

-
-

- grubby -

-
-

- BZ#1969362 -

-
-

- hostapd -

-
-

- BZ#2019830 -

-
-

- ipa -

-
-

- BZ#1952028, - BZ#1957736, BZ#1966101, BZ#1988383, BZ#2084180, BZ#2084166, BZ#2057471 -

-
-

- iptables -

-
-

- BZ#1945151 -

-
-

- javapackages-tools -

-
-

- BZ#1951482 -

-
-

- jigawatts -

-
-

- BZ#1972029 -

-
-

- jmc-core -

-
-

- BZ#1980981 -

-
-

- kdump-anaconda-addon -

-
-

- BZ#1894783, BZ#2017401 -

-
-

- kernel-rt -

-
-

- BZ#2002474 -

-
-

- kernel -

-
-

- BZ#1844416, BZ#1851933, BZ#1780258, BZ#1874195, BZ#1953515, BZ#1960556, - BZ#1948340, BZ#1952863, - BZ#1978382, BZ#1957818, BZ#2002499, - BZ#2050415, BZ#1951951, - BZ#1949613, BZ#2036856, BZ#2034490, BZ#1943423, BZ#2054441, - BZ#2046472, BZ#2068432, BZ#1997541, BZ#1613522, BZ#1874182, BZ#1995338, BZ#1570255, - BZ#2023416, BZ#2021672, BZ#2019593, BZ#2000616, BZ#2013650, BZ#2033080, BZ#2069758, - BZ#2059545, BZ#2030922, BZ#1945040, - BZ#2073541, BZ#1960467, BZ#2005173 -

-
-

- kexec-tools -

-
-

- BZ#1988894, BZ#1895232, BZ#1958452, BZ#2065013 -

-
-

- kmod -

-
-

- BZ#1985100 -

-
-

- krb5 -

-
-

- BZ#2060798, BZ#2068935, BZ#2077450 -

-
-

- libburn -

-
-

- BZ#2015861 -

-
-

- libcap -

-
-

- BZ#2037215 -

-
-

- libgcrypt -

-
-

- BZ#1990059 -

-
-

- libmodulemd -

-
-

- BZ#1984403 -

-
-

- libreswan -

-
-

- BZ#2017355, BZ#2039877 -

-
-

- libseccomp -

-
-

- BZ#2019887 -

-
-

- libservicelog -

-
-

- BZ#1869568 -

-
-

- libvirt -

-
-

- BZ#2014487 -

-
-

- libxcrypt -

-
-

- BZ#2034569 -

-
-

- llvm-toolset -

-
-

- BZ#2001107 -

-
-

- lorax-templates-rhel -

-
-

- BZ#1961092 -

-
-

- lsvpd -

-
-

- BZ#1869564 -

-
-

- lvm2 -

-
-

- BZ#1899214, BZ#1749513, BZ#2038183 -

-
-

- mariadb -

-
-

- BZ#1971248 -

-
-

- mod_security_crs -

-
-

- BZ#1947962 -

-
-

- nettle -

-
-

- BZ#1986712 -

-
-

- nfs-utils -

-
-

- BZ#2059245 -

-
-

- nginx -

-
-

- BZ#1953639 -

-
-

- nmstate -

-
-

- BZ#1969941 -

-
-

- nodejs -

-
-

- BZ#1953491 -

-
-

- nss -

-
-

- BZ#2008320, BZ#2099438 -

-
-

- numatop -

-
-

- BZ#1874125 -

-
-

- nvml -

-
-

- BZ#1874208 -

-
-

- opal-prd -

-
-

- BZ#1869560 -

-
-

- open-vm-tools -

-
-

- BZ#2037657 -

-
-

- opencryptoki -

-
-

- BZ#1869533 -

-
-

- openscap -

-
-

- BZ#2041782 -

-
-

- openssh -

-
-

- BZ#1952957, BZ#2002734, BZ#1821501, BZ#2087121 -

-
-

- openssl -

-
-

- BZ#1990814, - BZ#1871147, BZ#1970388, BZ#1975836, - BZ#1681178, BZ#1685470, BZ#2053289, BZ#2087253, BZ#2060044, BZ#2071631 -

-
-

- osbuild-composer -

-
-

- BZ#2060575 -

-
-

- oscap-anaconda-addon -

-
-

- BZ#1893753 -

-
-

- ostree -

-
-

- BZ#1961254 -

-
-

- p11-kit -

-
-

- BZ#1966680 -

-
-

- pacemaker -

-
-

- BZ#1850145, BZ#1443666, - BZ#1470834, BZ#1082146, BZ#1376538, BZ#1975388 -

-
-

- pcp -

-
-

- BZ#1991764, BZ#1847808, BZ#1981223 -

-
-

- pcs -

-
-

- BZ#1290830, BZ#1909901, BZ#1872378, BZ#2018969, - BZ#1996067 -

-
-

- perl-Module-Signature -

-
-

- BZ#2039361 -

-
-

- php -

-
-

- BZ#1949319 -

-
-

- pki-core -

-
-

- BZ#2084181 -

-
-

- podman -

-
-

- JIRA:RHELPLAN-77549, JIRA:RHELPLAN-75322, JIRA:RHELPLAN-108830, BZ#2027576 -

-
-

- powerpc-utils -

-
-

- BZ#1873868 -

-
-

- ppc64-diag -

-
-

- BZ#1869567 -

-
-

- python-jsonpointer -

-
-

- BZ#1980256 -

-
-

- python-podman -

-
-

- BZ#1975462 -

-
-

- qemu-kvm -

-
-

- BZ#1940132, BZ#1939509, JIRA:RHELPLAN-75866, BZ#1874187, BZ#1965079, BZ#1951814, BZ#2014229, BZ#2052424, BZ#1817965 -

-
-

- redis -

-
-

- BZ#1959756 -

-
-

- rhel-system-roles -

-
-

- BZ#1993304, BZ#1993377, BZ#2022461, BZ#1978488, BZ#1984583, BZ#2016517, BZ#2021667, BZ#1986460, BZ#1978752, BZ#1978753, BZ#1990490, - BZ#2031555, BZ#2016518, BZ#2054364, BZ#1978773, BZ#2054435, BZ#1999162, BZ#2057657, BZ#2012298, BZ#2021028, BZ#2054367, BZ#2054369, BZ#2057662, - BZ#2021665, BZ#2029427, BZ#2004899, BZ#1958964, BZ#1978734, BZ#1978760, BZ#2039106, BZ#2041632, BZ#2058777, - BZ#2058645, BZ#2058756, BZ#2071804, BZ#2029634, BZ#2044408, BZ#2029602, BZ#2038957, BZ#2064391, BZ#2004303, BZ#2006230, BZ#2057164, BZ#2021025, BZ#2021676, BZ#2047506, - BZ#2050341, BZ#2050419, BZ#1999770 -

-
-

- rpm-ostree -

-
-

- BZ#1961324 -

-
-

- rpm -

-
-

- BZ#1942549, BZ#1962234 -

-
-

- rsyslog -

-
-

- BZ#2027971, BZ#1992155 -

-
-

- rust-toolset -

-
-

- BZ#2002885 -

-
-

- s390utils -

-
-

- BZ#1932480 -

-
-

- samba -

-
-

- BZ#2013578, - Jira:RHELDOCS-16612 -

-
-

- scap-security-guide -

-
-

- BZ#2028435, BZ#2014561, BZ#2045341, BZ#2038978 -

-
-

- selinux-policy -

-
-

- BZ#2055822, - BZ#1932752, BZ#2021529, BZ#2064274 -

-
-

- shadow-utils -

-
-

- BZ#1859252 -

-
-

- sos -

-
-

- BZ#2011537, BZ#1869561 -

-
-

- squid -

-
-

- BZ#1990517 -

-
-

- sssd -

-
-

- BZ#1949149, BZ#2014249, - BZ#1879869, BZ#1737489 -

-
-

- strace -

-
-

- BZ#2038965 -

-
-

- stratisd -

-
-

- BZ#2041558 -

-
-

- stunnel -

-
-

- BZ#2039299 -

-
-

- subscription-manager -

-
-

- BZ#1898563, BZ#2049441 -

-
-

- sudo -

-
-

- BZ#1981278 -

-
-

- swig -

-
-

- BZ#1943580 -

-
-

- systemd -

-
-

- BZ#2018112 -

-
-

- systemtap -

-
-

- BZ#2083727 -

-
-

- tigervnc -

-
-

- BZ#2060308 -

-
-

- trace-cmd -

-
-

- BZ#1933980 -

-
-

- tuned -

-
-

- BZ#2003838 -

-
-

- unbound -

-
-

- BZ#2070495 -

-
-

- usbguard -

-
-

- BZ#1986785, BZ#2009226 -

-
-

- varnish -

-
-

- BZ#1984185 -

-
-

- virt-manager -

-
-

- BZ#1995131 -

-
-

- virt-who -

-
-

- BZ#2008215, BZ#2054504 -

-
-

- virtio-win -

-
-

- BZ#1969724 -

-
-

- wpa_supplicant -

-
-

- BZ#1975718 -

-
-

- other -

-
-

- BZ#2077836, - BZ#2019806, BZ#1937651, BZ#2010291, - BZ#1941810, BZ#2091643, BZ#1941595, JIRA:RHELPLAN-80758, JIRA:RHELPLAN-80759, - JIRA:RHELPLAN-82578, JIRA:RHELPLAN-68364, JIRA:RHELPLAN-78673, JIRA:RHELPLAN-78675, - BZ#1940863, BZ#2079313, - JIRA:RHELPLAN-100497, BZ#2068532, BZ#2089193, - JIRA:RHELPLAN-102009, BZ#2065646, BZ#2088414, - JIRA:RHELPLAN-80734, BZ#2013853, - JIRA:RHELPLAN-103540, BZ#2019341, BZ#2008558, BZ#2008575, BZ#2009455, - JIRA:RHELPLAN-74542, JIRA:RHELPLAN-73678, JIRA:RHELPLAN-84168, JIRA:RHELPLAN-73697, - JIRA:RHELPLAN-95126, BZ#2080875, - JIRA:RHELPLAN-97899, JIRA:RHELPLAN-100359, JIRA:RHELPLAN-103147, - JIRA:RHELPLAN-103146, JIRA:RHELPLAN-79161, BZ#2046325, - BZ#2021262, JIRA:RHELPLAN-64576, JIRA:RHELPLAN-65223, BZ#2083036, BZ#2011448, BZ#2019318, - JIRA:RHELPLAN-101240, JIRA:RHELPLAN-101241, JIRA:RHELPLAN-101242, - JIRA:RHELPLAN-101246, JIRA:RHELPLAN-101247, JIRA:RHELPLAN-102552, - JIRA:RHELPLAN-99892, BZ#2027596, JIRA:RHELPLAN-119000, BZ#1940653, - JIRA:RHELPLAN-95056, BZ#2054401, - JIRA:RHELPLAN-113994, BZ#2059183, - JIRA:RHELPLAN-74543, JIRA:RHELPLAN-99889, JIRA:RHELPLAN-99890, JIRA:RHELPLAN-100032, - JIRA:RHELPLAN-100034, JIRA:RHELPLAN-101141, JIRA:RHELPLAN-100020, BZ#2069501, BZ#2070506, - JIRA:RHELPLAN-117903, JIRA:RHELPLAN-98617, JIRA:RHELPLAN-103855, BZ#2091653, BZ#2082306, - JIRA:RHELPLAN-65217, BZ#2020529, BZ#2030412, - BZ#2046653, JIRA:RHELPLAN-103993, JIRA:RHELPLAN-122345, BZ#1927780, - JIRA:RHELPLAN-110763, BZ#1935544, BZ#2089200, - JIRA:RHELPLAN-15509, JIRA:RHELPLAN-99136, JIRA:RHELPLAN-103232, BZ#1899167, BZ#1979521, - JIRA:RHELPLAN-100087, JIRA:RHELPLAN-100639, JIRA:RHELPLAN-10304, BZ#2058153, - JIRA:RHELPLAN-113995, JIRA:RHELPLAN-121048, JIRA:RHELPLAN-98983, BZ#1640697, - BZ#1697896, BZ#2020026, BZ#2047713, - JIRA:RHELPLAN-109067, JIRA:RHELPLAN-115603, JIRA:RHELPLAN-96940, - JIRA:RHELPLAN-117234, JIRA:RHELPLAN-119001, JIRA:RHELPLAN-119852, BZ#2077767, - BZ#2053598, JIRA:RHELPLAN-121180, BZ#2082303, - JIRA:RHELPLAN-121049 -

-
-
-
-
-
-
-
-

Appendix B. Acknowledgements

-
-
-
-

- Thank you to the below Red Hat Associates who provided feedback as part of the RHEL 9 Readiness - Challenge: -

-
-
    -
  • - Buland Singh -
  • -
  • - Pradeep Jagtap -
  • -
  • - Omkar Andhekar -
  • -
  • - Ju Ke -
  • -
  • - Suresh Jagtap -
  • -
  • - Prijesh Patel -
  • -
  • - Nikhil Suryawanshi -
  • -
  • - Amit Yadav -
  • -
  • - Pranav Lawate -
  • -
  • - John Pittman -
  • -
-
-
-
-
-
-
-

Appendix C. Revision history

-
-
-
-
-
-
0.4-3
-
-

- Wed Aug 28 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.4-2
-
-

- Thu Aug 22 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.4-1
-
-

- Thu Jul 18 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the abstract in the Deprecated functionalities section -
  • -
-
-
-
0.4-0
-
-

- Tue Jun 11 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Add Deprecated Functionality RHELDOCS-18049 - (Shells and command-line tools). -
  • -
-
-
-
0.3-9
-
-

- Tue Jun 11 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Added an Known Issue JIRA:RHEL-24847 - (Shells and command-line tools). -
  • -
-
-
-
0.3-8
-
-

- Thu Mar 14 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.3-7
-
-

- Wed Feb 14 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.3-6
-
-

- Thu Feb 1 2024, Gabi Fialova (gfialova@redhat.com) -

-
- -
-
-
0.3-5
-
-

- Mon Nov 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.3-4
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.3-3
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.3-2
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.3-1
-
-

- September 8 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Added a deprecated functionality release note JIRA:RHELDOCS-16612 - (Samba). -
  • -
  • - Updated "Providing feedback on Red Hat documentation" to reflect RHEL in JIRA. -
  • -
-
-
-
0.3-0
-
-

- August 17 2023, Gabi Fialova (gfialova@redhat.com) -

-
- -
-
-
0.2-9
-
-

- August 07 2023, Gabi Fialova (gfialova@redhat.com) -

-
- -
-
-
0.2-8
-
-

- August 02 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Updated a deprecated functionality release note BZ#1894877 - (NetworkManager). -
  • -
-
-
-
0.2-7
-
-

- Mon Jun 19, 2023, Gabi Fialova (gfialova@redhat.com) -

-
- -
-
-
0.2-6
-
-

- Thu May 18, 2023, Gabi Fialova (gfialova@redhat.com) -

-
-
    -
  • - Added an Enhancement BZ#2053642 - (Filesystem and storage). -
  • -
-
-
-
0.2-5
-
-

- Wed May 17, 2023, Gabi Fialova (gfialova@redhat.com) -

-
-
    -
  • - Update deprecated-packages.adoc with info about EOL. -
  • -
-
-
-
0.2-4
-
-

- Thu May 11, 2023, Gabi Fialova (gfialova@redhat.com) -

-
-
    -
  • - Added an Enhancement BZ#2190045 (Installer). -
  • -
-
-
-
0.2-3
-
-

- Thu Apr 27, 2023, Gabi Fialova (gfialova@redhat.com) -

-
- -
-
-
0.2-2
-
-

- Thu Apr 13, 2023, Gabi Fialova (gfialova@redhat.com) -

-
- -
-
-
0.2-1
-
-

- Wed Mar 1, 2023, Gabi Fialova (gfialova@redhat.com) -

-
-
    -
  • - Modified doc text for BZ#2091643 - (Kernel). -
  • -
-
-
-
0.2-0
-
-

- Mon Feb 20, 2023, Gabi Fialova (gfialova@redhat.com) -

-
-
    -
  • - Added information into "In-place upgrade from RHEL 8 to RHEL 9" about SAP - Environments. -
  • -
-
-
-
0.1-9
-
-

- Wed Jan 18, 2023, Gabi Fialova (gfialova@redhat.com) -

-
-
    -
  • - Added a Known Issue doc text BZ#2083106 - (Kernel). -
  • -
-
-
-
0.1-8
-
-

- Tue Jan 17, 2023, Gabi Fialova (gfialova@redhat.com) -

-
-
    -
  • - Updated a Tech Preview doc text BZ#2084181 (Identity - Management). -
  • -
-
-
-
0.1-7
-
-

- Mon Jan 16, 2023, Gabi Fialova (gfialova@redhat.com) -

-
-
    -
  • - Added a Known Issue doc text BZ#2149172 - (Kernel). -
  • -
-
-
-
0.1-6
-
-

- Thu Dec 22, 2022, Gabi Fialova (gfialova@redhat.com) -

-
-
    -
  • - Updated a Known Issue doc text BZ#1960467 (Graphics - Infrastructures). -
  • -
-
-
-
0.1-5
-
-

- Thu Dec 08, 2022, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Added a Known Issue BZ#2151040 - (Networking). -
  • -
-
-
-
0.1-4
-
-

- Tue Nov 15, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-3
-
-

- Fri Sep 23, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added a deprecated functionality BZ#2074598 - (Kernel). -
  • -
-
-
-
0.1-2
-
-

- Wed Sep 21, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Removed a known issue BZ#2060798 - (Identity Management). -
  • -
  • - Added a bug fix BZ#2060798 - (Identity Management). -
  • -
-
-
-
0.1-1
-
-

- Mon Sep 12, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated proc_providing-feedback-on-red-hat-documentation.adoc. -
  • -
  • - Added an enhancement BZ#2119694 (Security). -
  • -
-
-
-
0.1-0
-
-

- Mon Aug 22, 2022, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.0-9
-
-

- Wed Aug 10, 2022, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#1991500 - (Dynamic programming languages, web and database servers). -
  • -
-
-
-
0.0-8
-
-

- Thu Aug 4, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0-7
-
-

- Thu Jul 28, 2022, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added an enhancement BZ#2099438 - (Security). -
  • -
  • - Added a known issue BZ#2087253 (Security). -
  • -
  • - Extended information about Application Streams in Distribution. -
  • -
-
-
-
0.0-6
-
-

- Mon Jul 11, 2022, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.0-5
-
-

- Wed Jun 29, 2022, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.0-4
-
-

- Wed Jun 1, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0-3
-
-

- Tue May 24, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the list of top ten popular Customer Portal Labs. -
  • -
  • - Added and republished deprecated functionality BZ#2089200 - (Networking). -
  • -
-
-
-
0.0-2
-
-

- Wed May 18, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 9.0 Release Notes. -
  • -
-
-
-
0.0-1
-
-

- Wed Nov 03, 2021, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 9.0 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
-
diff --git a/app/data/9.1.html b/app/data/9.1.html
deleted file mode 100644
index 16c6391..0000000
--- a/app/data/9.1.html
+++ /dev/null
@@ -1,16304 +0,0 @@
-
-
-
-
-
Red Hat Enterprise Linux 9.1
-
-

Release Notes for Red Hat Enterprise Linux 9.1

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 9.1 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
- For information on how to install Red Hat Enterprise Linux, proceed to Section 3.1, “Installation”. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your feedback on our documentation. Let us know how we can improve it. -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 9.1

-
-
-
-

Installer and image creation

-

- Following are image builder key highlights in RHEL 9.1 GA: -

-
-
    -
  • -

    - Image builder on-premise now supports: -

    -
    -
      -
    • - Uploading images to GCP -
    • -
    • - Customizing the /boot partition -
    • -
    • - Pushing a container image directly to a registry -
    • -
    • - Users can now customize their blueprints during the image creation process. -
    • -
    -
    -
  • -
-
-

- For more information, see Section 4.1, “Installer and image creation”. -

-

RHEL for Edge

-

- Following are RHEL for Edge key highlights in RHEL 9.1-GA: -

-
-
    -
  • - RHEL for Edge now supports installing the services and have them running with the default - configuration, by using the fdo-admin CLI utility -
  • -
-
-

- For more information, see Section 4.2, “RHEL for Edge”. -

-

Security

-

- RHEL 9.1 introduces Keylime, a remote machine - attestation tool using the trusted platform module (TPM) technology. With Keylime, you can verify - and continuously monitor the integrity of remote machines. -

-

- SELinux user-space packages have been upgraded - to version 3.4. The most notable changes include: -

-
-
    -
  • - Improved relabeling performance through parallel relabeling -
  • -
  • - Support for SHA-256 in the semodule tool -
  • -
  • - New policy utilities in the libsepol-utils package -
  • -
-
-

- Changes in the system configuration and the clevis-luks-systemd - subpackage enable the Clevis encryption client to unlock also LUKS-encrypted volumes that mount late - in the boot process without using the systemctl enable clevis-luks-askpass.path command during the deployment - process. -

-

- See New features - Security - for more information. -

-

Shells and command-line tools

-

- RHEL 9.1 introduces a new package xmlstarlet. With XMLStarlet, you can parse, - transform, query, validate, and edit XML files. -

-

- The following command-line tools have been updated in RHEL 9.1: -

-
-
    -
  • - opencryptoki to version 3.18.0 -
  • -
  • - powerpc-utils to version 1.3.10 -
  • -
  • - libvpd to version 2.2.9 -
  • -
  • - lsvpd to version 1.7.14 -
  • -
  • - ppc64-diag to version 2.7.8 -
  • -
-
-

- For more information, see New Features - Shells and command-line tools -

-

Infrastructure services

-

- The following infrastructure services tools have been updated in RHEL 9.1: -

-
-
    -
  • - chrony to version 4.2 -
  • -
  • - unbound to version 1.16.2 -
  • -
  • - frr to version 8.2.2 -
  • -
-
-

- For more information, see New Features - Infrastructure services. -

-

Networking

-

- NetworkManager supports migrating connection profiles from the deprecated ifcfg format to keyfile format. -

-

- NetworkManager now clearly indicates that WEP support is not available in RHEL 9. -

-

- The MultiPath TCP (MPTCP) code in the kernel has been updated from upstream Linux 5.19. -

-

- For further details, see New - features - Networking. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following components are now available as new module streams: -

-
-
    -
  • - PHP 8.1 -
  • -
  • - Ruby 3.1 -
  • -
  • - Node.js 18 -
  • -
-
-

- In addition, the Apache HTTP Server has been - updated to version 2.4.53. -

-

- See New features - Dynamic - programming languages, web and database servers for more information. -

-

Compilers and development tools

-
Updated system toolchain
-

- The following system toolchain components have been updated in RHEL 9.1: -

-
-
    -
  • - GCC 11.2.1 -
  • -
  • - glibc 2.34 -
  • -
  • - binutils 2.35.2 -
  • -
-
-
Updated performance tools and debuggers
-

- The following performance tools and debuggers have been updated in RHEL 9.1: -

-
-
    -
  • - GDB 10.2 -
  • -
  • - Valgrind 3.19 -
  • -
  • - SystemTap 4.7 -
  • -
  • - Dyninst 12.1.0 -
  • -
  • - elfutils 0.187 -
  • -
-
-
Updated performance monitoring tools
-

- The following performance monitoring tools have been updated in RHEL 9.1: -

-
-
    -
  • - PCP 5.3.7 -
  • -
  • - Grafana 7.5.13 -
  • -
-
-
Updated compiler toolsets
-

- The following compiler toolsets have been updated in RHEL 9.1: -

-
-
    -
  • - GCC Toolset 12 -
  • -
  • - LLVM Toolset 14.0.6 -
  • -
  • - Rust Toolset 1.62 -
  • -
  • - Go Toolset 1.18 -
  • -
-
-

- For detailed changes, see Section 4.14, “Compilers and development - tools”. -

-
Java implementations in RHEL 9
-

- The RHEL 9 AppStream repository includes: -

-
-
    -
  • - The java-17-openjdk packages, which provide the OpenJDK 17 Java - Runtime Environment and the OpenJDK 17 Java Software Development Kit. -
  • -
  • - The java-11-openjdk packages, which provide the OpenJDK 11 Java - Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
  • -
  • - The java-1.8.0-openjdk packages, which provide the OpenJDK 8 - Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. -
  • -
-
-

- For more information, see OpenJDK - documentation. -

-
Java tools
-

- RHEL 9.1 introduces Maven 3.8 as a new module - stream. -

-

- See Section 4.14, “Compilers and development - tools” for more information. -

-

Identity Management

-

- Identity Management (IdM) in RHEL 9.1 introduces a Technology Preview where you can delegate user - authentication to external identity providers (IdPs) that support the OAuth 2 Device Authorization - Grant flow. When these users authenticate with SSSD, and after they complete authentication and - authorization at the external IdP, they receive RHEL IdM single sign-on capabilities with Kerberos - tickets. -

-

- For more information, see Technology Previews - Identity Management -

-

Red Hat Enterprise Linux system roles

-

- Notable new features in 9.1 RHEL system roles: -

-
-
    -
  • - RHEL system roles are now available also in playbooks with fact gathering disabled. -
  • -
  • - The ha_cluster role now supports SBD fencing, configuration of - Corosync settings, and configuration of bundle resources. -
  • -
  • - The network role now configures network settings for routing - rules, supports network configuration using the nmstate API, - and users can create connections with IPoIB capability. -
  • -
  • - The microsoft.sql.server role has new variables, such as - variables to control configuring a high availability cluster, to manage firewall ports - automatically, or variables to search for mssql_tls_cert and - mssql_tls_private_key values on managed nodes. -
  • -
  • - The logging role supports various new options, for example - startmsg.regex and endmsg.regex in - files inputs, or template, severity and facility options. -
  • -
  • - The storage role now includes support for thinly provisioned - volumes, and the role now also has less verbosity by default. -
  • -
  • - The sshd role verifies the include directive for the drop-in - directory, and the role can now be managed through /etc/ssh/sshd_config. -
  • -
  • - The metrics role can now export postfix performance data. -
  • -
  • - The postfix role now has a new option for overwriting previous - configuration. -
  • -
  • - The firewall role does not require the state parameter when - configuring masquerade or icmp_block_inversion. In the firewall - role, you can now add, update, or remove services using absent and present states. The role - can also provide Ansible facts, and add or remove an interface to the zone using PCI device - ID. The firewall role has a new option for overwriting previous - configuration. -
  • -
  • - The selinux role now includes setting of seuser and selevel parameters. -
  • -
-
-
-
-
-
-
-

1.2. In-place upgrade

-
-
-
-

In-place upgrade from RHEL 8 to RHEL 9

-

- The supported in-place upgrade paths currently are: -

-
-
    -
  • -

    - From RHEL 8.6 to RHEL 9.0 on the following architectures: -

    -
    -
      -
    • - 64-bit Intel -
    • -
    • - 64-bit AMD -
    • -
    • - 64-bit ARM -
    • -
    • - IBM POWER 9 (little endian) -
    • -
    • - IBM Z architectures, excluding z13 -
    • -
    -
    -
  • -
  • - From RHEL 8.6 to RHEL 9.0 on systems with SAP HANA -
  • -
-
-

- To ensure your system remains supported after upgrading to RHEL 9.0, either update to the latest - RHEL 9.1 version or enable the RHEL 9.0 Extended Update Support (EUS) repositories. -

-

- For instructions on performing an in-place upgrade, see Upgrading - from RHEL 8 to RHEL 9. -

-

- For instructions on performing an in-place upgrade on systems with SAP environments, see How - to in-place upgrade SAP environments from RHEL 8 to RHEL 9. -

-

- Notable enhancements include: -

-
-
    -
  • - In-place upgrades on Microsoft Azure and Google Cloud Platform with Red Hat Update - Infrastructure (RHUI) are now possible. -
  • -
  • - The OpenSSH and OpenSSL configurations are now migrated during the in-place upgrade. -
  • -
-
-

In-place upgrade from RHEL 7 to RHEL 9

-

- It is not possible to perform an in-place upgrade directly from RHEL 7 to RHEL 9. However, you can - perform an in-place upgrade from RHEL 7 to RHEL 8 and then perform a second in-place upgrade to RHEL - 9. For more information, see Upgrading - from RHEL 7 to RHEL 8. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-

- Capabilities and limits of Red Hat Enterprise - Linux 9 as compared to other versions of the system are available in the Knowledgebase article Red Hat Enterprise Linux - technology capabilities and limits. -

-

- Information regarding the Red Hat Enterprise Linux life - cycle is provided in the Red Hat Enterprise Linux Life - Cycle document. -

-

- The Package - manifest document provides a package - listing for RHEL 9, including licenses and application compatibility levels. -

-

- Application compatibility levels are explained - in the Red Hat - Enterprise Linux 9: Application Compatibility Guide document. -

-

- Major differences between RHEL 8 and RHEL 9, - including removed functionality, are documented in Considerations - in adopting RHEL 9. -

-

- Instructions on how to perform an in-place upgrade from RHEL 8 - to RHEL 9 are provided by the document Upgrading - from RHEL 8 to RHEL 9. -

-

- The Red Hat Insights service, which enables you - to proactively identify, examine, and resolve known technical issues, is available with all RHEL - subscriptions. For instructions on how to install the Red Hat Insights client and register your - system to the service, see the Red Hat Insights Get - Started page. -

-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 9.1 is distributed with the kernel version 5.14.0-162, which provides support - for the following architectures at the minimum required version: -

-
-
    -
  • - AMD and Intel 64-bit architectures (x86-64-v2) -
  • -
  • - The 64-bit ARM architecture (ARMv8.0-A) -
  • -
  • - IBM Power Systems, Little Endian (POWER9) -
  • -
  • - 64-bit IBM Z (z14) -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 9

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 9 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Installation ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. On the Product - Downloads page, the Installation ISO is referred to - as Binary DVD. -

    -
    -
    Note
    -
    -

    - The Installation ISO image is in multiple GB size, and as a result, it might not - fit on optical media formats. A USB key or USB hard drive is recommended when - using the Installation ISO image to create bootable installation media. You can - also use the Image Builder tool to create customized RHEL images. For more - information about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Installation ISO image. You can also register to - Red Hat CDN or Satellite during the installation to use the latest BaseOS and AppStream - content from Red Hat CDN or Satellite. -
  • -
-
-

- See the Performing - a standard RHEL 9 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 9 installation document. -

-

- For a list of users and groups created by RPMs in a base RHEL installation, and the steps to obtain - this list, see the What are all - of the users and groups in a base RHEL installation? Knowledgebase article. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 9 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For more - information, see the Scope of Coverage - Details document. -

-

- Content in the AppStream repository includes additional user-space applications, runtime languages, - and databases in support of the varied workloads and use cases. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 9 repositories and the packages they provide, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Multiple versions of user-space components are delivered as Application Streams and updated more - frequently than the core operating system packages. This provides greater flexibility to customize - RHEL without impacting the underlying stability of the platform or specific deployments. -

-

- Application Streams are available in the familiar RPM format, as an extension to the RPM format - called modules, as Software Collections, or as Flatpaks. -

-

- Each Application Stream component has a given life cycle, either the same as RHEL 9 or shorter. For - RHEL life cycle information, see Red Hat Enterprise Linux Life - Cycle. -

-

- RHEL 9 improves the Application Streams experience by providing initial Application Stream versions - that can be installed as RPM packages using the traditional dnf install - command. -

-
-
Note
-
-

- Certain initial Application Streams in the RPM format have a shorter life cycle than Red Hat - Enterprise Linux 9. -

-
-
-

- Some additional Application Stream versions will be distributed as modules with a shorter life cycle - in future minor RHEL 9 releases. Modules are collections of packages representing a logical unit: an - application, a language stack, a database, or a set of tools. These packages are built, tested, and - released together. -

-

- Always determine what version of an Application Stream you want to install and make sure to review - the Red Hat - Enterprise Linux Application Stream Lifecycle first. -

-

- Content that needs rapid updating, such as alternate compilers and container tools, is available in - rolling streams that will not provide alternative versions in parallel. Rolling streams may be - packaged as RPMs or modules. -

-

- For information about Application Streams available in RHEL 9 and their application compatibility - level, see the Package - manifest. Application compatibility levels are explained in the Red Hat Enterprise Linux 9: - Application Compatibility Guide document. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- In Red Hat Enterprise Linux 9, software installation is ensured by DNF. Red Hat continues to support the usage of the - yum term for consistency with previous major versions of RHEL. If you - type dnf instead of yum, the command works - as expected because both are aliases for compatibility. -

-

- Although RHEL 8 and RHEL 9 are based on DNF, - they are compatible with YUM used in RHEL 7. -

-

- For more information, see Managing - software with the DNF tool. -

-
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.1. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

Automatic FCP SCSI LUN scanning support in installer

-

- The installer can now use the automatic LUN scanning when attaching FCP SCSI LUNs on IBM Z - systems. Automatic LUN scanning is available for FCP devices operating in NPIV mode, if it is - not disabled through the zfcp.allow_lun_scan kernel module - parameter. It is enabled by default. It provides access to all SCSI devices found in the storage - area network attached to the FCP device with the specified device bus ID. It is not necessary to - specify WWPN and FCP LUNs anymore and it is sufficient to provide just the FCP device bus ID. -

-
-

- (BZ#1937031) -

-
-

Image builder on-premise now supports the /boot partition customization

-

- Image builder on-premise version now supports building images with custom /boot mount point partition size. You can specify the size of the - /boot mount point partition in the blueprint customization, to - increase the size of the /boot partition in case the default boot - partition size is too small. For example: -

-
-
[[customizations.filesystem]]
-mountpoint = "/boot"
-size = "20 GiB"
-

- (JIRA:RHELPLAN-130379) -

-
-

Added the --allow-ssh kickstart option to - enable password-based SSH root logins

-

- During the graphical installation, you have an option to enable password-based SSH root logins. - This functionality was not available in kickstart installations. With this update, an option - --allow-ssh has been added to the rootpw kickstart command. This option enables the root user to login - to the system using SSH with a password. -

-
-

- (BZ#2083269) -

-
-

Boot loader menu hidden by default

-

- The GRUB boot loader is now configured to hide the boot menu by default. This results in a - smoother boot experience. The boot menu is hidden in all of the following cases: -

-
-
-
    -
  • - When you restart the system from the desktop environment or the login screen. -
  • -
  • - During the first system boot after the installation. -
  • -
  • - When the greenboot package is installed and enabled. -
  • -
-
-

- If the previous system boot failed, GRUB always displays the boot menu during the next boot. -

-

- To access the boot menu manually, use either of the following options: -

-
-
    -
  • - Repeatedly press Esc during boot. -
  • -
  • - Repeatedly press F8 during boot. -
  • -
  • - Hold Shift during boot. -
  • -
-
-

- To disable this feature and configure the boot loader menu to display by default, use the following - command: -

-
# grub2-editenv - unset menu_auto_hide
-

- (BZ#2059414) -

-
-

Minimal RHEL installation now installs only the s390utils-core package

-

- In RHEL 8.4 and later, the s390utils-base package is split into an - s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to - minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must - manually install the package after completing the RHEL installation or explicitly install s390utils-base using a kickstart file. -

-
-

- (BZ#1932480) -

-
-

Image builder on-premise now supports uploading images to GCP

-

- With this enhancement, you can use image builder CLI to build a gce - image, providing credentials for the user or service account that you want to use to upload the - images. As a result, image builder creates the image and then uploads the gce image directly to the GCP environment that you specified. -

-
-

- (BZ#2049492) -

-
-

Image builder on-premise CLI supports pushing a container image directly to - a registry

-

- With this enhancement, you can push RHEL for Edge container images directly to a container - registry after it has been built, using the image builder CLI. To build the container image: -

-
-
-
    -
  1. - Set up an upload provider and optionally, add credentials. -
  2. -
  3. -

    - Build the container image, passing the container registry and the repository to composer-cli as arguments. -

    -

    - After the image is ready, it is available in the container registry you set up. -

    -
  4. -
-
-

- (JIRA:RHELPLAN-130376) -

-
-

Image builder on-premise users now customize their blueprints during the - image creation process

-

- With this update, the Edit Blueprint page - was removed to unify the user experience in the image builder service and in the image builder - app in cockpit-composer. Users can now create their blueprints and - add their customization, such as adding packages, and create users, during the image creation - process. The versioning of blueprints has also been removed so that blueprints only have one - version: the current one. Users have access to older blueprint versions through their already - created images. -

-
-

- (JIRA:RHELPLAN-122735) -

-
-
-
-
-
-

4.2. RHEL for Edge

-
-
-
-
-

RHEL for Edge now supports the fdo-admin cli - utility

-

- With this update, you can configure the FDO services directly across all deployment scenarios by - using the CLI. -

-
-

- Run the following commands to generate the certificates and keys for the services : -

-
-
Note
-
-

- This example takes into consideration that you already installed the fdo-admin-cli RPM package. If you used the source code and - compiled it, the correct path is ./target/debug/fdo-admin-tool - or ./target/debug/fdo-admin-tool, depending on your build - options. -

-
-
-
$ mkdir keys
-$ for i in "diun" "manufacturer" "device_ca" "owner"; do fdo-admin-tool generate-key-and-cert $i; done
-$ ls keys
-device_ca_cert.pem  device_ca_key.der  diun_cert.pem  diun_key.der  manufacturer_cert.pem  manufacturer_key.der  owner_cert.pem  owner_key.der
-

- As a result, after you install and start the service, it runs with the default settings. -

-

- (JIRA:RHELPLAN-122776) -

-
-
-
-
-
-

4.3. Subscription management

-
-
-
-
-

The subscription-manager utility displays the current status of - actions

-

- The subscription-manager utility now displays with progress - information while it is processing the current operation. This is helpful when subscription-manager takes more than usual time to complete its - operations related to server communication, for example, registration. -

-
-

- To revert to the previous behavior, enter: -

-
 # subscription-manager config --rhsm.progress_messages=0
-

- (BZ#2092014) -

-
-
-
-
-
-

4.4. Software management

-
-
-
-
-

The modulesync command is now available to - replace certain workflows in RHEL 9

-

- In RHEL 9, modular packages cannot be installed without modular metadata. Previously, you could - use the dnf command to download packages, and then use the createrepo_c command to redistribute those packages. -

-
-

- This enhancement introduces the modulesync command to ensure the - presence of modular metadata, which ensures package installability. This command downloads RPM - packages from modules and creates a repository with modular metadata in a working directory. -

-

- (BZ#2066646) -

-
-
-
-
-
-

4.5. Shells and command-line tools

-
-
-
-
-

Cronie adds support for a randomized time - within a selected range

-

- The Cronie utility now supports the ~ - (random within range) operator for cronjob execution. As a result, you can start a cronjob on a - randomized time within the selected range. -

-
-

- (BZ#2090691) -

-
-

ReaR adds new variables for executing commands before and after - recovery

-

- With this enhancement, ReaR introduces two new variables for easier automation of commands to be - executed before and after recovery: -

-
-
-
    -
  • - PRE_RECOVERY_COMMANDS accepts an array of commands. These - commands will be executed before recovery starts. -
  • -
  • - POST_RECOVERY_COMMANDS accepts an array of commands. These - commands will be executed after recovery finishes. -
  • -
-
-

- These variables are an alternative to PRE_RECOVERY_SCRIPT and POST_RECOVERY_SCRIPT with the following differences: -

-
-
    -
  • - The earlier PRE_RECOVERY_SCRIPT and POST_RECOVERY_SCRIPT variables accept a single shell command. To - pass multiple commands to these variables, you must separate the commands by semicolons. -
  • -
  • - The new PRE_RECOVERY_COMMANDS and POST_RECOVERY_COMMANDS variables accept arrays of commands, and - each element of the array is executed as a separate command. -
  • -
-
-

- As a result, providing multiple commands to be executed in the rescue system before and after - recovery is now easier and less error-prone. -

-

- For more information, see the default.conf file. -

-

- (BZ#2111059) -

-
-

A new package: xmlstarlet

-

- XMLStarlet is a set of command-line utilities for parsing, transforming, querying, validating, - and editing XML files. The new xmlstarlet package provides a simple - set of shell commands that you can use in a similar way as you use UNIX commands for plain text - files such as grep, sed, awk, diff, patch, join, and other. -

-
-

- (BZ#2069689) -

-
-

opencryptoki rebased to version - 3.18.0

-

- The opencryptoki package, which is an implementation of the - Public-Key Cryptography Standard (PKCS) #11, has been updated to version 3.18.0. Notable - improvements include: -

-
-
-
    -
  • - Default to Federal Information Processing Standards (FIPS) compliant token data format - (tokversion = 3.12). -
  • -
  • - Added support for restricting usage of mechanisms and keys with a global policy. -
  • -
  • - Added support for statistics counting of mechanism usage. -
  • -
  • - The ICA/EP11 tokens now support libica library version 4. -
  • -
  • - The p11sak tool enables setting different attributes for public - and private keys. -
  • -
  • - The C_GetMechanismList does not return CKR_BUFFER_TOO_SMALL in the EP11 token. -
  • -
-
-

- openCryptoki supports two different token data formats: -

-
-
    -
  • - the earlier data format, which uses non-FIPS-approved algorithms (such as DES and SHA1) -
  • -
  • - the new data format, which uses FIPS-approved algorithms only. -
  • -
-
-

- The earlier data format no longer works because the FIPS provider allows the use of only - FIPS-approved algorithms. -

-
-
Important
-
-

- To make openCryptoki work on RHEL 9, migrate the tokens to use the new data format before - enabling FIPS mode on the system. This is necessary because the earlier data format is still - the default in openCryptoki 3.17. Existing openCryptoki installations that use the earlier token data format - will no longer function when the system is changed to FIPS-enabled. -

-
-
-

- You can migrate the tokens to the new data format by using the pkcstok_migrate utility, which is provided with openCryptoki. Note that pkcstok_migrate uses - non-FIPS-approved algorithms during the migration. Therefore, use this tool before enabling FIPS - mode on the system. For additional information, see Migrating to - FIPS compliance - pkcstok_migrate utility. -

-

- (BZ#2044179) -

-
-

powerpc-utils rebased to version - 1.3.10

-

- The powerpc-utils package, which provides various utilities for a - PowerPC platform, has been updated to version 1.3.10. Notable improvements include: -

-
-
-
    -
  • - Added the capability to parsing the Power architecture platform reference (PAPR) information - for energy and frequency in the ppc64_cpu tool. -
  • -
  • - Improved the lparstat utility to display enhanced error - messages, when the lparstat -E command fails on max config - systems. The lparstat command reports logical partition-related - information. -
  • -
  • - Fixed reported online memory in legacy format in the lparstat - command. -
  • -
  • - Added support for the acc command for changing the quality of - service credits (QoS) dynamically for the NX GZIP accelerator. -
  • -
  • - Added improvements to format specifiers in printf() and sprintf() calls. -
  • -
  • -

    - The hcnmgr utility, which provides the HMC tools to hybrid - virtual network, includes following enhancements: -

    -
    -
      -
    • - Added the wicked feature to the Hybrid Network - Virtualization HNV FEATURE list. The hcnmgr utility supports wicked hybrid network - virtualization (HNV) to use the wicked functions - for bonding. -
    • -
    • - hcnmgr maintains an hcnid state for later cleanup. -
    • -
    • - hcnmgr excludes NetworkManager (NM) nmcli code. -
    • -
    • - The NM HNV primary slave setting was fixed. -
    • -
    • - hcnmgr supports the virtual Network Interface - Controller (vNIC) as a backup device. -
    • -
    -
    -
  • -
  • - Fixed the invalid hexadecimal numbering system message in bootlist. -
  • -
  • - The -l flag included in kpartx - utility as -p delimiter value in the bootlist command. -
  • -
  • - Fixes added to sslot utility to prevent memory leak when - listing IO slots. -
  • -
  • - Added the DRC type description strings for the latest peripheral component interconnect - express (PCIe) slot types in the lsslot utility. -
  • -
  • - Fixed the invalid config address to RTAS in errinjct tool. -
  • -
  • - Added support for non-volatile memory over fabrics (NVMf) devices in the ofpathname utility. The utility provides a mechanism for - converting a logical device name to an open firmware device path and the other way round. -
  • -
  • - Added fixes to the non-volatile memory (NVMe) support in asymmetric namespace access (ANA) - mode in the ofpathname utility. -
  • -
  • - Installed smt.state file as a configuration file. -
  • -
-
-

- (BZ#1920964) -

-
-

The Redfish modules are now part of the redhat.rhel_mgmt Ansible collection

-

- The redhat.rhel_mgmt Ansible collection now includes the following - modules: -

-
-
-
    -
  • - redfish_info -
  • -
  • - redfish_command -
  • -
  • - redfish_config -
  • -
-
-

- With that, users can benefit from the management automation, by using the Redfish modules to - retrieve server health status, get information about hardware and firmware inventory, perform power - management, change BIOS settings, configure Out-Of-Band (OOB) controllers, configure hardware RAID, - and perform firmware updates. -

-

- (BZ#2112434) -

-
-

libvpd rebased to version 2.2.9

-

- The libvpd package, which contains classes for accessing the Vital - Product Data (VPD), has been updated to version 2.2.9. Notable improvements include: -

-
-
-
    -
  • - Fixed database locking -
  • -
  • - Updated libtool utility version information -
  • -
-
-

- (BZ#2051288) -

-
-

lsvpd rebased to version 1.7.14

-

- The lsvpd package, which provides commands for constituting a - hardware inventory system, has been updated to version 1.7.14. With this update, the lsvpd utility prevents corruption of the database file when you run - the vpdupdate command. -

-
-

- (BZ#2051289) -

-
-

ppc64-diag rebased to version 2.7.8 -

-

- The ppc64-diag package for platform diagnostics has been updated to - version 2.7.8. Notable improvements include: -

-
-
-
    -
  • - Updated build dependency to use libvpd utility version 2.2.9 or - higher -
  • -
  • - Fixed extract_opal_dump error message on unsupported platform -
  • -
  • - Fixed build warning with GCC-8.5 and GCC-11 compilers -
  • -
-
-

- (BZ#2051286) -

-
-

sysctl introduces identic syntax for arguments - as systemd-sysctl

-

- The sysctl utility from the procps-ng - package, which you can use to modify kernel parameters at runtime, now uses the same syntax for - arguments as the systemd-sysctl utility. With this update, sysctl now parses configuration files that contain hyphens (-) or globs (*) on configuration lines. - For more information about the systemd-sysctl syntax, see the sysctl.d(5) man page. -

-
-

- (BZ#2052536) -

-
-

Updated systemd-udevd assigns consistent - network device names to InfiniBand interfaces

-

- Introduced in RHEL 9, the new version of the systemd package - contains the updated systemd-udevd device manager. The device - manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd. -

-
-

- You can define custom naming rules for naming InfiniBand interfaces by following the Renaming - IPoIB devices procedure. -

-

- For more details of the naming scheme, see the systemd.net-naming-scheme(7) man page. -

-

- (BZ#2136937) -

-
-
-
-
-
-

4.6. Infrastructure services

-
-
-
-
-

chrony now uses DHCPv6 NTP servers -

-

- The NetworkManager dispatcher script for chrony updates the Network - time protocol (NTP) sources passed from Dynamic Host Configuration Protocol (DHCP) options. - Since RHEL 9.1, the script uses NTP servers provided by DHCPv6 in addition to DHCPv4. The DHCP - option 56 specifies the usage of DHCPv6, the DHCP option 42 is DHCPv4-specific. -

-
-

- (BZ#2047415) -

-
-

chrony rebased to version 4.2

-

- The chrony suite has been updated to version 4.2. Notable - enhancements over version 4.1 include: -

-
-
-
    -
  • - The server interleaved mode has been improved to be more reliable and supports multiple - clients behind a single address translator (Network Address Translation - NAT). -
  • -
  • - Experimental support for the Network Time Protocol Version 4 (NTPv4) extension field has - been added to improve time synchronization stability and precision of estimated errors. You - can enable this field, which extends the capabilities of the protocol NTPv4, by using the - extfield F323 option. -
  • -
  • - Experimental support for NTP forwarding over the Precision Time Protocol (PTP) has been - added to enable full hardware timestamping on Network Interface Cards (NIC) that have - timestamping limited to PTP packets. You can enable NTP over PTP by using the ptpport 319 directive. -
  • -
-
-

- (BZ#2051441) -

-
-

unbound rebased to version 1.16.2

-

- The unbound component has been updated to version 1.16.2. unbound is a validating, recursive, and caching DNS resolver. Notable - improvements include: -

-
-
-
    -
  • - With the ZONEMD Zone Verification with RFC 8976 support, - recipients can now verify the zone contents for data integrity and origin authenticity. -
  • -
  • - With unbound, you can now configure persistent TCP connections. -
  • -
  • - The SVCB and HTTPS types and handling according to the Service binding and parameter - specification through the DNS draft-ietf-dnsop-svcb-https - document were added. -
  • -
  • - unbound takes the default TLS ciphers from crypto policies. -
  • -
  • - You can use a Special-Use Domain home.arpa. according to the - RFC8375. This domain is designated for non-unique use in - residential home networks. -
  • -
  • - unbound now supports selective enabling of tcp-upstream queries for stub or forward zones. -
  • -
  • - The default of aggressive-nsec option is now yes. -
  • -
  • - The ratelimit logic was updated. -
  • -
  • - You can use a new rpz-signal-nxdomain-ra option for unsetting - the RA flag when a query is blocked by an Unbound response - policy zone (RPZ) nxdomain reply. -
  • -
  • - With the basic support for Extended DNS Errors (EDE) according to the RFC8914, you can benefit from additional error information. -
  • -
-
-

- (BZ#2087120) -

-
-

The password encryption function is now available in whois

-

- The whois package now provides the /usr/bin/mkpasswd binary, which you can use to encrypt a password - with the crypt C library interface. -

-
-

- (BZ#2054043) -

-
-

frr rebased to version 8.2.2

-

- The frr package for managing dynamic routing stack has been updated - to version 8.2.2. Notable changes and enhancements over version 8.0 include: -

-
-
-
    -
  • - Added Ethernet VPN (EVPN) route type-5 gateway IP Overlay Index. -
  • -
  • - Added Autonomous system border router (ASBR) summarization in the Open-shortest-path-first - (OSPFv3) protocol. -
  • -
  • - Improved usage of stub and not-so-stubby-areas (NSSA) in OSPFv3. -
  • -
  • - Added the graceful restart capability in OSPFv2 and OSPFv3. -
  • -
  • - The link bandwidth in the border gateway protocol (BGP) is now encoded according to the IEEE - 754 standard. To use the previous encoding method, run the neighbor PEER disable-link-bw-encoding-ieee command in the - existing configuration. -
  • -
  • - Added the long-lived graceful restart capability in BGP. -
  • -
  • - Implemented the extended administrative shutdown communication rfc9003, and the extended optional parameters length rfc9072 in BGP. -
  • -
-
-

- (BZ#2069563) -

-
-

TuneD real-time profiles now auto determine initial CPU isolation - setup

-

- TuneD is a service for monitoring your system and optimizing the performance profile. You can - also isolate central processing units (CPUs) using the tuned-profiles-realtime package to give application threads the most - execution time possible. -

-
-

- Previously, the real-time profiles for systems running the real-time kernel did not load if you did - not specify the list of CPUs to isolate in the isolated_cores - parameter. -

-

- With this enhancement, TuneD introduces the calc_isolated_cores - built-in function that automatically calculates housekeeping and isolated cores lists, and applies - the calculation to the isolated_cores parameter. With the automatic - preset, one core from each socket is reserved for housekeeping, and you can start using the - real-time profile without any additional steps. If you want to change the preset, customize the - isolated_cores parameter by specifying the list of CPUs to isolate. -

-

- (BZ#2093847) -

-
-
-
-
-
-

4.7. Security

-
-
-
-
-

New packages: keylime

-

- RHEL 9.1 introduces Keylime, a tool for attestation of remote systems, which uses the trusted - platform module (TPM) technology. With Keylime, you can verify and continuously monitor the - integrity of remote systems. You can also specify encrypted payloads that Keylime delivers to - the monitored machines, and define automated actions that trigger whenever a system fails the - integrity test. -

-
-

- See Ensuring - system integrity with Keylime in the RHEL 9 Security hardening document for more - information. -

-

- (JIRA:RHELPLAN-92522) -

-
-

New option in OpenSSH supports setting the minimum RSA key length -

-

- Accidentally using short RSA keys makes the system more vulnerable to attacks. With this update, - you can set minimum RSA key lengths for OpenSSH servers and clients. To define the minimum RSA - key length, use the new RequiredRSASize option in the /etc/ssh/sshd_config file for OpenSSH servers, and in the /etc/ssh/ssh_config file for OpenSSH clients. -

-
-

- (BZ#2066882) -

-
-

crypto-policies enforce 2048-bit RSA key - length minimum for OpenSSH by default

-

- Using short RSA keys makes the system more vulnerable to attacks. Because OpenSSH now supports - limiting minimum RSA key length, the system-wide cryptographic policies enforce the 2048-bit - minimum key length for RSA by default. -

-
-

- If you encounter OpenSSH failing connections with an Invalid key length - error message, start using longer RSA keys. -

-

- Alternatively, you can relax the restriction by using a custom subpolicy at the expense of security. - For example, if the update-crypto-policies --show command reports that - the current policy is DEFAULT: -

-
-
    -
  1. - Define a custom subpolicy by inserting the min_rsa_size@openssh = 1024 parameter into the /etc/crypto-policies/policies/modules/RSA-OPENSSH-1024.pmod file. -
  2. -
  3. - Apply the custom subpolicy using the update-crypto-policies --set DEFAULT:RSA-OPENSSH-1024 command. -
  4. -
-
-

- (BZ#2102774) -

-
-

New option in OpenSSL supports SHA-1 for signatures

-

- OpenSSL 3.0.0 in RHEL 9 does not support SHA-1 for signature creation and verification by - default (SHA-1 key derivation functions (KDF) and hash-based message authentication codes (HMAC) - are still supported). However, to support backwards compatibility with RHEL 8 systems that still - use SHA-1 for signatures, a new configuration option rh-allow-sha1-signatures is introduced to RHEL 9. This option, if - enabled in the alg_section of openssl.cnf, permits the creation and verification of SHA-1 - signatures. -

-
-

- This option is automatically enabled if the LEGACY system-wide cryptographic policy (not legacy - provider) is set. -

-

- Note that this also affects the installation of RPM packages with SHA-1 signatures, which may - require switching to the LEGACY system-wide cryptographic policy. -

-

- (BZ#2060510, BZ#2055796) -

-
-

crypto-policies now support sntrup761x25519-sha512@openssh.com

-

- This update of the system-wide cryptographic policies adds support for the sntrup761x25519-sha512@openssh.com key exchange (KEX) method. The - post-quantum sntrup761 algorithm is already available in the - OpenSSH suite, and this method provides better security against attacks from quantum computers. - To enable sntrup761x25519-sha512@openssh.com, create and apply a - subpolicy, for example: -

-
-
# echo 'key_exchange = +SNTRUP' > /etc/crypto-policies/policies/modules/SNTRUP.pmod
-# update-crypto-policies --set DEFAULT:SNTRUP
-

- For more information, see the Customizing - system-wide cryptographic policies with subpolicies section in the RHEL 9 Security hardening - document. -

-

- (BZ#2070604) -

-
-

NSS no longer support RSA keys shorter than 1023 bits

-

- The update of the Network Security Services (NSS) libraries changes the minimum key size for all - RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following - functions: -

-
-
-
    -
  • - Generate RSA keys shorter than 1023 bits. -
  • -
  • - Sign or verify RSA signatures with RSA keys shorter than 1023 bits. -
  • -
  • - Encrypt or decrypt values with RSA key shorter than 1023 bits. -
  • -
-
-

- (BZ#2091905) -

-
-

SELinux policy confines additional services

-

- The selinux-policy packages have been updated, and therefore the - following services are now confined by SELinux: -

-
-
-
    -
  • - ksm -
  • -
  • - nm-priv-helper -
  • -
  • - rhcd -
  • -
  • - stalld -
  • -
  • - systemd-network-generator -
  • -
  • - targetclid -
  • -
  • - wg-quick -
  • -
-
-

- (BZ#1965013, BZ#1964862, BZ#2020169, BZ#2021131, BZ#2042614, BZ#2053639, BZ#2111069) -

-
-

SELinux supports the self keyword in type - transitions

-

- SELinux tooling now supports type transition rules with the self - keyword in the policy sources. Support for type transitions with the self keyword prepares the SELinux policy for labeling of anonymous - inodes. -

-
-

- (BZ#2069718) -

-
-

SELinux user-space packages updated

-

- SELinux user-space packages libsepol, libselinux, libsemanage, policycoreutils, checkpolicy, and mcstrans were updated to the latest upstream release 3.4. The most - notable changes are: -

-
-
-
    -
  • -

    - Added support for parallel relabeling through the -T option - in the setfiles, restorecon, - and fixfiles tools. -

    -
    -
      -
    • - You can either specify the number of process threads in this option or use -T 0 for using the maximum of available processor - cores. This reduces the time required for relabeling significantly. -
    • -
    -
    -
  • -
  • - Added the new --checksum option, which prints SHA-256 hashes of - modules. -
  • -
  • - Added new policy utilities in the libsepol-utils package. -
  • -
-
-

- (BZ#2079276) -

-
-

SELinux automatic relabeling is now parallel by default

-

- Because the newly introduced parallel relabeling option significantly reduces the time required - for the SELinux relabeling process on multi-core systems, the automatic relabeling script now - contains the -T 0 option in the fixfiles command line. The -T 0 option - ensures that the setfiles program uses the maximum of available - processor cores for relabeling by default. -

-
-

- To use only one process thread for relabeling as in the previous version of RHEL, override this - setting by entering either the fixfiles -T 1 onboot command instead of - just fixfiles onboot or the echo "-T 1" > /.autorelabel command instead of touch /.autorelabel. -

-

- (BZ#2115242) -

-
-

SCAP Security Guide rebased to 0.1.63

-

- The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.63. This - version provides various enhancements and bug fixes, most notably: -

-
-
-
    -
  • - New compliance rules for sysctl, grub2, pam_pwquality, and build time - kernel configuration were added. -
  • -
  • - Rules hardening the PAM stack now use authselect as the - configuration tool. Note: With this change, the rules hardening the PAM stack are not - applied if the PAM stack was edited by other means. -
  • -
-
-

- (BZ#2070563) -

-
-

Added a maximum size option for Rsyslog error files

-

- Using the new action.errorfile.maxsize option, you can specify a - maximum number of bytes of the error file for the Rsyslog log processing system. When the error - file reaches the specified size, Rsyslog cannot write any additional errors or other data in it. - This prevents the error file from filling up the file system and making the host unusable. -

-
-

- (BZ#2064318) -

-
-

clevis-luks-askpass is now enabled by - default

-

- The /lib/systemd/system-preset/90-default.preset file now contains - the enable clevis-luks-askpass.path configuration option and the - installation of the clevis-systemd sub-package ensures that the - clevis-luks-askpass.path unit file is enabled. This enables the - Clevis encryption client to unlock also LUKS-encrypted volumes that mount late in the boot - process. Before this update, the administrator must use the systemctl enable clevis-luks-askpass.path command to enable Clevis to - unlock such volumes. -

-
-

- (BZ#2107078) -

-
-

fapolicyd rebased to 1.1.3

-

- The fapolicyd packages have been upgraded to version 1.1.3. Notable - improvements and bug fixes include: -

-
-
-
    -
  • - Rules can now contain the new subject PPID attribute, which matches the parent PID (process - ID) of a subject. -
  • -
  • - The OpenSSL library replaced the Libgcrypt library as a cryptographic engine for hash - computations. -
  • -
  • - The fagenrules --load command now works correctly. -
  • -
-
-

- (BZ#2100041) -

-
-
-
-
-
-

4.8. Networking

-
-
-
-
-

The act_ctinfo kernel module has been - added

-

- This enhancement adds the act_ctinfo kernel module to RHEL. Using - the ctinfo action of the tc utility, - administrators can copy the conntrack mark or the value of the - differentiated services code point (DSCP) of network packets into the socket buffer’s mark metadata field. As a result, you can use conditions based on the - conntrack mark or the DSCP value to filter traffic. For further - details, see the tc-ctinfo(8) man page. -

-
-

- (BZ#2027894) -

-
-

cloud-init updates network configuration at - every boot on Microsoft Azure

-

- Microsoft Azure does not change the instance ID when an administrator updates the network - interface configuration while a VM is offline. With this enhancement, the cloud-init service always updates the network configuration when the - VM boots to ensure that RHEL on Microsoft Azure uses the latest network settings. -

-
-

- As a consequence, if you manually configure settings on interfaces, such as an additional search - domain, cloud-init may override them when you reboot the VM. For - further details and a workaround, see the cloud-init-22.1-5 updates network config on - every boot solution. -

-

- (BZ#2144898) -

-
-

The PTP driver now supports virtual clocks and time stamping

-

- With this enhancement, the Precision Time Protocol (PTP) driver can create virtual PTP Hardware - Clocks (PHCs) on top of a free-running PHC by writing to /sys/class/ptp/ptp*/n_vclocks. As a result, users can run multiple - domain synchronization with hardware time stamps on one interface. -

-
-

- (BZ#2066451) -

-
-

firewalld was rebased to version - 1.1.1

-

- The firewalld packages have been upgraded to version 1.1.1. This - version provides multiple bug fixes and enhancements over the previous version: -

-
-

- New features: -

-
-
    -
  • - Rich rules support NetFilter-log (NFLOG) target for user-space logging. Note that there is - not any NFLOG capable logging daemon in RHEL. However, you can use the tcpdump -i nflog command to collect the logs you need. -
  • -
  • - Support for port forwarding in policies with ingress-zones=HOST - and egress-zones={ANY, source based zone}. -
  • -
-
-

- Other notable changes include: -

-
-
    -
  • - Support for the afp, http3, jellyfin, netbios-ns, ws-discovery, and ws-discovery-client services -
  • -
  • - Tab-completion and sub-options in Z Shell for the policy option -
  • -
-
-

- (BZ#2040689) -

-
-

NetworkManager now supports advmss, rto_min, and quickack route - attributes

-

- With this enhancement, administrators can configure the ipv4.routes - setting with the following attributes: -

-
-
-
    -
  • - rto_min (TIME) - configure the minimum TCP re-transmission - timeout in milliseconds when communicating with the route destination -
  • -
  • - quickack (BOOL) - a per-route setting to enable or disable TCP - quick ACKs -
  • -
  • - advmss (NUMBER) - advertise maximum segment size (MSS) to the - route destination when establishing TCP connections. If unspecified, Linux uses a default - value calculated from the maximum transmission unit (MTU) of the first hop device -
  • -
-
-

- Benefit of implementing the new functionality of ipv4.routes with the - mentioned attributes is that there is no need to run the dispatcher - script. -

-

- Note that once you activate a connection with the mentioned route attributes, such changes are set - in the kernel. -

-

- (BZ#2068525) -

-
-

Support for the 802.ad vlan-protocol option in - nmstate

-

- The nmstate API now supports creating the linux-bridge interfaces using the 802.ad vlan-protocol option. This feature enables the configuration of - Service-Tag VLANs. The following example illustrates usage of this functionality in a yaml configuration file. -

-
-
---
-interfaces:
-  - name: br0
-    type: linux-bridge
-    state: up
-    bridge:
-      options:
-        vlan-protocol: 802.1ad
-      port:
-        - name: eth1
-          vlan:
-            mode: trunk
-            trunk-tags:
-            - id: 500
-

- (BZ#2084474) -

-
-

The firewalld service can forward NAT packets - originating from the local host to a different host and port

-

- You can forward packets sent from the localhost that runs the firewalld service to a different destination port and IP address. The - functionality is useful, for example, to forward ports on the loopback device to a container or a virtual machine. Prior to this - change, firewalld could only forward ports when it received a - packet that originated from another host. For more details and an illustrative configuration, - see Using - DNAT to forward HTTPS traffic to a different host. -

-
-

- (BZ#2039542) -

-
-

NetworkManager now supports migration from ifcfg-rh to key file

-

- Users can migrate their existing connection profile files from the ifcfg-rh format to the key file format. This way, all connection - profiles will be in one location and in the preferred format. The key file format has the - following advantages: -

-
-
-
    -
  • - Closely resembles the way how NetworkManager expresses network configuration -
  • -
  • - Guarantees compatibility with future RHEL releases -
  • -
  • - Is easier to read -
  • -
  • - Supports all connection profiles -
  • -
-
-

- To migrate the connections, run: -

-
# nmcli connection migrate
-

- Note that the ifcfg-rh files will work correctly during the RHEL 9 - lifetime. However, migrating the configuration to the key file format guarantees compatibility - beyond RHEL 9. -

-

- For more details, see the nmcli(1), nm-settings-keyfile(5), and - nm-settings-ifcfg-rh(5) manual pages. -

-

- (BZ#2059608) -

-
-

More DHCP and IPv6 auto-configuration attributes have been added to the - nmstate API

-

- This enhancement adds support for the following attributes to the nmstate API: -

-
-
-
    -
  • - dhcp-client-id for DHCPv4 connections as described in RFC 2132 - and 4361. -
  • -
  • - dhcp-duid for DHCPv6 connections as described in RFC 8415. -
  • -
  • -

    - addr-gen-mode for IPv6 auto-configuration. You can set this - attribute to: -

    -
    -
      -
    • - eui64 as described in RFC 4862 -
    • -
    • - stable-privacy as described in RFC 7217 -
    • -
    -
    -
  • -
-
-

- (BZ#2082043) -

-
-

NetworkManager now clearly indicates that WEP support is not available in - RHEL 9

-

- The wpa_supplicant packages in RHEL 9.0 and later no longer contain - the deprecated and insecure Wired Equivalent Privacy (WEP) security algorithm. This enhancement - updates NetworkManager to reflect these changes. For example, the nmcli device wifi list command now returns WEP access points at the - end of the list in gray color, and connecting to a WEP-protected network returns a meaningful - error message. -

-
-

- For secure encryption, use only wifi networks with Wi-Fi Protected Access 2 (WPA2) and WPA3 - authentication. -

-

- (BZ#2030997) -

-
-

The MPTCP code has been updated

-

- The MultiPath TCP (MPTCP) code in the kernel has been updated and upstream Linux 5.19. This - update provides a number of bug fixes and enhancements over the previous version: -

-
-
-
    -
  • - The FASTCLOSE option has been added to close MPTCP connections - without a full three-way handshake. -
  • -
  • - The MP_FAIL option has been added to enable fallback to TCP - even after the initial handshake. -
  • -
  • - The monitoring capabilities have been improved by adding additional Management Information - Base (MIB) counters. -
  • -
  • - Monitor support for MPTCP listener sockets has been added. Use the ss utility to monitor the sockets. -
  • -
-
-

- (BZ#2079368) -

-
-
-
-
-
-

4.9. Kernel

-
-
-
-
-

Kernel version in RHEL 9.1

-

- Red Hat Enterprise Linux 9.1 is distributed with the kernel version 5.14.0-162. -

-
-

- (BZ#2125549) -

-
-

Memory consumption of the list_lru has been - optimized

-

- The internal kernel data structure, list_lru, tracks the "Least - Recently Used" status of kernel inodes and directory entries for files. Previously, the number - of list_lru allocated structures was directly proportional to the - number of mount points and the number of present memory cgroups. - Both these numbers increased with the number of running containers leading to memory consumption - of O(n^2) where n is the number of - running containers. This update optimizes the memory consumption of list_lru in the system to O(n). As a - result, sufficient memory is now available for the user applications, especially on the systems - with a large number of running containers. -

-
-

- (BZ#2013413) -

-
-

BPF rebased to Linux kernel version 5.16

-

- The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 5.16 with - multiple bug fixes and enhancements. The most notable changes include: -

-
-
-
    -
  • -

    - Streamlined internal BPF program sections handling and bpf_program__set_attach_target() API in the libbpf userspace library. -

    -

    - The bpf_program__set_attach_target() API sets the BTF based - attach targets for BPF based programs. -

    -
  • -
  • - Added support for the BTF_KIND_TAG kind, which allows you to - tag declarations. -
  • -
  • - Added support for the bpf_get_branch_snapshot() helper, which - enables the tracing program to capture the last branch records (LBR) from the hardware. -
  • -
  • - Added the legacy kprobe events support in the libbpf userspace library that enables kprobe tracepoint events creation through the legacy interface. -
  • -
  • - Added the capability to access hardware timestamps through BPF specific structures with the - __sk_buff helper function. -
  • -
  • - Added support for a batched interface for RX buffer allocation in AF_XDP buffer pool, with driver support for i40e and ice. -
  • -
  • - Added the legacy uprobe support in libbpf userspace library to complement recently merged legacy - kprobe. -
  • -
  • - Added the bpf_trace_vprintk() as variadic printk helper. -
  • -
  • - Added the libbpf opt-in for stricter BPF program section name - handling as part of libbpf 1.0 effort. -
  • -
  • - Added the libbpf support to locate specialized maps, such as - perf RB and internally delete BTF type identifiers while - creating them. -
  • -
  • - Added the bloomfilter BPF map type to test if an element exists - in a set. -
  • -
  • - Added support for kernel module function calls from BPF. -
  • -
  • - Added support for typeless and weak ksym in light skeleton. -
  • -
  • - Added support for the BTF_KIND_DECL_TAG kind. -
  • -
-
-

- For more information on the full list of BPF features available in the running kernel, use the bpftool feature command. -

-

- (BZ#2069045) -

-
-

BTF data is now located in the kernel module

-

- BPF Type Format (BTF) is the metadata format that encodes the debug information related to BPF - program and map. Previously, the BTF data for kernel modules was stored in the kernel-debuginfo package. As a consequence, it was necessary to - install the corresponding kernel-debuginfo package in order to use - BTF for kernel modules. With this update, the BTF data is now located directly in the kernel - module. As a result, you do not need to install any additional packages for BTF to work. -

-
-

- (BZ#2097188) -

-
-

The kernel-rt source tree has been updated to - RHEL 9.1 tree

-

- The kernel-rt sources have been updated to use the latest Red Hat - Enterprise Linux kernel source tree. The real-time patch set has also been updated to the latest - upstream version, v5.15-rt. These updates provide a number of bug - fixes and enhancements. -

-
-

- (BZ#2061574) -

-
-

Dynamic preemptive scheduling enabled on ARM and AMD and Intel 64-bit - architectures

-

- RHEL 9 provides the dynamic scheduling feature on the ARM and AMD and Intel 64-bit - architectures. This enhancement enables changing the preemption mode of the kernel at boot or - runtime instead of the compile time. The /sys/kernel/debug/sched/preempt file contains the current setting and - allows runtime modification. -

-
-

- Using the DYNAMIC_PREEMPT option, you can set the preempt= variable at boot time to either none, voluntary or full with voluntary preemption being the - default. Using dynamic preemptive handling, you can override the default preemption model to improve - scheduling latency. -

-

- (BZ#2065226) -

-
-

stalld rebased to version 1.17

-

- The stalld program, which provides the stall daemon, is a mechanism to prevent the starvation state of - operating system threads in a Linux system. This version monitors the threads for the starvation - state. Starvation occurs when a thread is on a CPU run queue for longer than the starvation - threshold. -

-
-

- This stalld version includes many improvements and bug fixes over the - previous version. The notable change includes the capability to detect runnable dying tasks. -

-

- When stalld detects a starving thread, the program changes the - scheduling class of the thread to the SCHED_DEADLINE policy, which - gives the thread a small slice of time for the specified CPU to run the thread. When the timeslice is used, the thread returns to its original scheduling policy - and stalld continues to monitor the thread states. -

-

- (BZ#2107275) -

-
-

The tpm2-tools package has been rebased to - tpm2-tools-5.2-1 version

-

- The tpm2-tools package has been rebased to version tpm2-tools-5.2-1. This upgrade provides many significant enhancements - and bug fixes. Most notable changes include: -

-
-
-
    -
  • - Adds support for public-key output at primary object creation using the tpm2_createprimary and tpm2_create - tools. -
  • -
  • - Adds support for the tpm2_print tool to print public-key output - formats. tpm2_print decodes a Trusted Platform Module (TPM) - data structure and prints enclosed elements. -
  • -
  • - Adds support to the tpm2_eventlog tool for reading logs larger - than 64 KB. -
  • -
  • - Adds the tpm2_sessionconfig tool to support displaying and - configuring session attributes. -
  • -
-
-

- For more information on notable changes, see the /usr/share/doc/tpm2-tools/Changelog.md file. -

-

- (BZ#2090748) -

-
-

Intel E800 devices now support iWARP and RoCE protocols

-

- With this enhancement, you can now use the enable_iwarp and enable_roce devlink parameters to turn on and off iWARP or RoCE - protocol support. With this mandatory feature, you can configure the device with one of the - protocols. The Intel E800 devices do not support both protocols simultaneously on the same port. -

-
-

- To enable or disable the iWARP protocol for a specific E800 device, first obtain the PCI location of - the card: -

-
$ lspci | awk '/E810/ {print $1}'
-44:00.0
-44:00.1
-$
-

- Then enable, or disable, the protocol. You can use use pci/0000:44:00.0 - for the first port, and pci/0000:44:00.1 for second port of the card as - argument to the devlink command -

-
$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value true cmode runtime
-$ devlink dev param set pci/0000:44:00.0 name enable_iwarp value false cmode runtime
-

- To enable or disable the RoCE protocol for a specific E800 device, obtain the PCI location of the - card as shown above. Then use one of the following commands: -

-
$ devlink dev param set pci/0000:44:00.0 name enable_roce value true cmode runtime
-$ devlink dev param set pci/0000:44:00.0 name enable_roce value false cmode runtime
-

- (BZ#2096127) -

-
-
-
-
-
-

4.10. Boot loader

-
-
-
-
-

GRUB is signed by new keys

-

- Due to security reasons, GRUB is now signed by new keys. As a consequence, you need to update - the RHEL firmware to version FW1010.30 (or later) or FW1020 to be able to boot the little-endian - variant of IBM Power Systems with the Secure Boot feature enabled. -

-
-

- (BZ#2074761) -

-
-

Configurable disk access retries when booting a VM on IBM POWER -

-

- You can now configure how many times the GRUB boot loader retries accessing a remote disk when a - logical partition (lpar) virtual machine (VM) boots on the IBM - POWER architecture. Lowering the number of retries can prevent a slow boot in certain - situations. -

-
-

- Previously, GRUB retried accessing disks 20 times when disk access failed at boot. This caused - problems if you performed a Live Partition Mobility (LPM) migration on an lpar system that connected to slow Storage Area Network (SAN) disks. As a - consequence, the boot might have taken very long on the system until the 20 retries finished. -

-

- With this update, you can now configure and decrease the number of disk access retries using the - ofdisk_retries GRUB option. For details, see Configure disk access retries when booting a - VM on IBM POWER. -

-

- As a result, the lpar boot is no longer slow after LPM on POWER, and - the lpar system boots without the failed disks. -

-

- (BZ#2070725) -

-
-
-
-
-
-

4.11. File systems and storage

-
-
-
-
-

Stratis now enables setting the file system size upon creation

-

- You can now set the required size when creating a file system. Previously, the automatic default - size was 1 TiB. With this enhancement, users can set an arbitrary filesystem size. The lower - limit must not go below 512 MiB. -

-
-

- (BZ#1990905) -

-
-

Improved overprovision management of Stratis pools

-

- With the improvements to the management of thin provisioning, you can now have improved - warnings, precise allocation of space for the pool metadata, improved predictability, overall - safety, and reliability of thin pool management. A new distinct mode disables overprovisioning. - With this enhancement, the user can disable overprovisioning to ensure that a pool contains - enough space to support all its file systems, even if these are completely full. -

-
-

- (BZ#2040352) -

-
-

Stratis now provides improved individual pool management

-

- You can now stop and start stopped individual Stratis pools. Previously, stratisd attempted to start all available pools for all devices it - detected. This enhancement provides more flexible management of individual pools within Stratis, - better debugging and recovery capabilities. The system no longer requires a reboot to perform - recovery and maintenance operations for a single pool. -

-
-

- (BZ#2039960) -

-
-

Enabled protocol specific configuration of multipath device paths -

-

- Previously due to different optimal configurations for the different protocols, it was - impossible to set the configuration correctly without setting an option for each individual - protocol. With this enhancement, users can now configure multipath device paths based on their - path transport protocol. Use the protocol subsection of the overrides section in the /etc/multipath.conf file to correctly configure multipath device - paths, based on their protocol. -

-
-

- (BZ#2084365) -

-
-

New libnvme feature library

-

- Previously, the NVMe storage command line interface utility (nvme-cli) included all of the helper functions and definitions. This - enhancement brings a new libnvme library to RHEL 9.1. The library - includes: -

-
-
-
    -
  • - Type definitions for NVMe specification structures -
  • -
  • - Enumerations and bit fields -
  • -
  • - Helper functions to construct, dispatch, and decode commands and payloads -
  • -
  • - Utilities to connect, scan, and manage NVMe devices -
  • -
-
-

- With this update, users do not need to duplicate the code and multiple projects and packages, such - as nvme-stas, and can rely on this common library. -

-

- (BZ#2099619) -

-
-

A new library libnvme is now - available

-

- With this update, nvme-cli is divided in two different projects: * nvme-cli now only contains the code specific to the nvme tool * libnvme library now contains - all type definitions for NVMe specification structures, enumerations, bit fields, helper - functions to construct, dispatch, decode commands and payloads, and utilities to connect, scan, - and manage NVMe devices. -

-
-

- (BZ#2090121) -

-
-
-
-
-
-

4.12. High availability and clusters

-
-
-
-
-

Support for High Availability on Red Hat OpenStack platform

-

- You can now configure a high availability cluster on the Red Hat OpenStack platform. In support - of this feature, Red Hat provides the following new cluster agents: -

-
-
-
    -
  • - fence_openstack: fencing agent for HA clusters on OpenStack -
  • -
  • - openstack-info: resource agent to configure the openstack-info cloned resource, which is required for an HA - cluster on OpenStack -
  • -
  • - openstack-virtual-ip: resource agent to configure a virtual IP - address resource -
  • -
  • - openstack-floating-ip: resource agent to configure a floating - IP address resource -
  • -
  • - openstack-cinder-volume: resource agent to configure a block - storage resource -
  • -
-
-

- (BZ#2121838) -

-
-

pcs supports updating multipath SCSI devices - without requiring a system restart

-

- You can now update multipath SCSI devices with the pcs stonith update-scsi-devices command. This command updates SCSI - devices without causing a restart of other cluster resources running on the same node. -

-
-

- (BZ#2024522) -

-
-

Support for cluster UUID

-

- During cluster setup, the pcs command now generates a UUID for - every cluster. Since a cluster name is not a unique cluster identifier, you can use the cluster - UUID to identify clusters with the same name when you administer multiple clusters. -

-
-

- You can display the current cluster UUID with the pcs cluster config [show] command. You can add a UUID to an existing - cluster or regenerate a UUID if it already exists by using the pcs cluster config uuid generate command. -

-

- (BZ#2054671) -

-
-

New pcs resource config command option to - display the pcs commands that re-create configured - resources

-

- The pcs resource config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured resources on a - different system. -

-
-

- (BZ#2058251) -

-
-

New pcs stonith config command option to - display the pcs commands that re-create configured fence - devices

-

- The pcs stonith config command now accepts the --output-format=cmd option. Specifying this option displays the pcs commands you can use to re-create configured fence devices on a - different system. -

-
-

- (BZ#2058252) -

-
-

Pacemaker rebased to version 2.1.4

-

- The Pacemaker packages have been upgraded to the upstream version of Pacemaker 2.1.4. Notable - changes include: -

-
-
-
    -
  • - The multiple-active resource parameter now accepts a value of - stop_unexpected, The multiple-active resource parameter determines recovery behavior - when a resource is active on more than one node when it should not be. By default, this - situation requires a full restart of the resource, even if the resource is running - successfully where it should be. A value of stop_unexpected for - this parameter specifies that only unexpected instances of a multiply-active resource are - stopped. It is the user’s responsibility to verify that the service and its resource agent - can function with extra active instances without requiring a full restart. -
  • -
  • - Pacemaker now supports the allow-unhealthy-node resource - meta-attribute. When this meta-attribute is set to true, the - resource is not forced off a node due to degraded node health. When health resources have - this attribute set, the cluster can automatically detect if the node’s health recovers and - move resources back to it. -
  • -
  • - Users can now specify Access Control Lists (ACLS) for a system group using the pcs acl group command. Pacemaker previously allowed ACLs to be - specified for individual users, but it is sometimes simpler and would conform better with - local policies to specify ACLs for a system group, and to have them apply to all users in - that group. This command was present in earlier releases but had no effect. -
  • -
-
-

- (BZ#2072108) -

-
-

Samba no longer automatically installed with cluster packages

-

- As of this release, installing the packages for the RHEL High Availability Add-On no longer - installs the Samba packages automatically. This also allows you to remove the Samba packages - without automatically removing the HA packages as well. If your cluster uses Samba resources you - must now manually install them. -

-
-

- (BZ#1826455) -

-
-
-
-
-
-

4.13. Dynamic programming languages, web and database servers

-
-
-
-
-

The nodejs:18 module stream is now fully - supported

-

- The nodejs:18 module stream, previously available as a Technology - Preview, is fully supported with the release of the RHSA-2022:8832 advisory. The - nodejs:18 module stream now provides Node.js 18.12, which is a Long Term Support (LTS) version. -

-
-

- Node.js 18 included in RHEL 9.1 provides numerous new features together - with bug and security fixes over Node.js 16. -

-

- Notable changes include: -

-
-
    -
  • - The V8 engine has been upgraded to version 10.2. -
  • -
  • - The npm package manager has been upgraded to version 8.19.2. -
  • -
  • - Node.js now provides a new experimental fetch API. -
  • -
  • - Node.js now provides a new experimental node:test module, which facilitates the creation of tests that - report results in the Test Anything Protocol (TAP) format. -
  • -
  • - Node.js now prefers IPv6 addresses over IPv4. -
  • -
-
-

- To install the nodejs:18 module stream, use: -

-
# dnf module install nodejs:18
-

- (BZ#2083072) -

-
-

A new module stream: php:8.1

-

- RHEL 9.1 adds PHP 8.1 as a new php:8.1 - module stream. -

-
-

- With PHP 8.1, you can: -

-
-
    -
  • - Define a custom type that is limited to one of a discrete number of possible values using - the Enumerations (Enums) feature -
  • -
  • - Declare a property with the readonly modifier to prevent - modification of the property after initialization -
  • -
  • - Use fibers, full-stack, interruptible functions -
  • -
-
-

- To install the php:8.1 module stream, use: -

-
# dnf module install php:8.1
-

- For details regarding PHP usage on RHEL 9, see Using - the PHP scripting language. -

-

- (BZ#2070040) -

-
-

A new module stream: ruby:3.1

-

- RHEL 9.1 introduces Ruby 3.1.2 in a new ruby:3.1 module stream. This version provides a number of performance - improvements, bug and security fixes, and new features over Ruby 3.0 distributed with RHEL 9.0. -

-
-

- Notable enhancements include: -

-
-
    -
  • - The Interactive Ruby (IRB) utility now provides an autocomplete - feature and a documentation dialog -
  • -
  • - A new debug gem, which replaces lib/debug.rb, provides improved performance, and supports remote - debugging and multi-process/multi-thread debugging -
  • -
  • - The error_highlight gem now provides a fine-grained error - location in the backtrace -
  • -
  • - Values in the hash literal data types and keyword arguments can now be omitted -
  • -
  • - The pin operator (^) now accepts an expression in pattern - matching -
  • -
  • - Parentheses can now be omitted in one-line pattern matching -
  • -
  • - YJIT, a new experimental in-process Just-in-Time (JIT) compiler, is now available on the AMD - and Intel 64-bit architectures -
  • -
  • - The TypeProf For IDE utility has been introduced, which is an - experimental static type analysis tool for Ruby code in IDEs -
  • -
-
-

- The following performance improvements have been implemented in Method Based Just-in-Time Compiler - (MJIT): -

-
-
    -
  • - For workloads like Rails, the default maximum JIT cache value - has increased from 100 to 10000 -
  • -
  • - Code compiled using JIT is no longer canceled when a TracePoint - for class events is enabled -
  • -
-
-

- Other notable changes include: -

-
-
    -
  • - The tracer.rb file has been removed -
  • -
  • - Since version 4.0, the Psych YAML parser uses the safe_load method by default -
  • -
-
-

- To install the ruby:3.1 module stream, use: -

-
# dnf module install ruby:3.1
-

- (BZ#2063773) -

-
-

httpd rebased to version 2.4.53

-

- The Apache HTTP Server has been updated to version 2.4.53, which provides bug fixes, - enhancements, and security fixes over version 2.4.51 distributed with RHEL 9.0. -

-
-

- Notable changes in the mod_proxy and mod_proxy_connect modules include: -

-
-
    -
  • - mod_proxy: The length limit of the name of the controller has - been increased -
  • -
  • - mod_proxy: You can now selectively configure timeouts for - backend and frontend -
  • -
  • - mod_proxy: You can now disable TCP connections redirection by - setting the SetEnv proxy-nohalfclose parameter -
  • -
  • - mod_proxy and mod_proxy_connect: - It is forbidden to change a status code after sending it to a client -
  • -
-
-

- In addition, a new ldap function has been added to the expression API, - which can help prevent the LDAP injection vulnerability. -

-

- (BZ#2079939) -

-
-

A new default for the LimitRequestBody - directive in httpd configuration

-

- To fix CVE-2022-29404, the default - value for the LimitRequestBody directive in the Apache HTTP Server - has been changed from 0 (unlimited) to 1 GiB. -

-
-

- On systems where the value of LimitRequestBody is not explicitly - specified in an httpd configuration file, updating the httpd package sets LimitRequestBody to the - default value of 1 GiB. As a consequence, if the total size of the HTTP request body exceeds this 1 - GiB default limit, httpd returns the 413 Request Entity Too Large error code. -

-

- If the new default allowed size of an HTTP request message body is insufficient for your use case, - update your httpd configuration files within the respective context - (server, per-directory, per-file, or per-location) and set your preferred limit in bytes. For - example, to set a new 2 GiB limit, use: -

-
LimitRequestBody 2147483648
-

- Systems already configured to use any explicit value for the LimitRequestBody directive are unaffected by this change. -

-

- (BZ#2128016) -

-
-

New package: httpd-core

-

- Starting with RHEL 9.1, the httpd binary file with all essential - files has been moved to the new httpd-core package to limit the - Apache HTTP Server’s dependencies in scenarios where only the basic httpd functionality is needed, for example, in containers. -

-
-

- The httpd package now provides systemd-related files, including mod_systemd, mod_brotli, and documentation. -

-

- With this change, the httpd package no longer provides the httpd Module Magic Number (MMN) value. Instead, the httpd-core package now provides the httpd-mmn value. As a consequence, fetching httpd-mmn from the httpd package is no - longer possible. -

-

- To obtain the httpd-mmn value of the installed httpd binary, you can use the apxs binary, - which is a part of the httpd-devel package. To obtain the httpd-mmn value, use the following command: -

-
# apxs -q HTTPD_MMN
-20120211
-

- (BZ#2065677) -

-
-

pcre2 rebased to version 10.40

-

- The pcre2 package, which provides the Perl Compatible Regular - Expressions library v2, has been updated to version 10.40. -

-
-

- With this update, the use of the \K escape sequence in lookaround - assertions is forbidden, in accordance with the respective change in Perl 5.32. If you rely on the previous behavior, you can use the PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK option. Note that when this option is - set, \K is accepted only inside positive assertions but is ignored in - negative assertions. -

-

- (BZ#2086494) -

-
-
-
-
-
-

4.14. Compilers and development tools

-
-
-
-
-

The updated GCC compiler is now available for RHEL 9.1

-

- The system GCC compiler, version 11.2.1, has been updated to include numerous bug fixes and - enhancements available in the upstream GCC. -

-
-

- The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and - Fortran programming languages. -

-

- For usage information, see Developing - C and C++ applications in RHEL 9. -

-

- (BZ#2063255) -

-
-

New GCC Toolset 12

-

- GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is - available as an Application Stream in the form of a Software Collection in the AppStream repository. -

-
-

- The GCC compiler has been updated to version 12.1.1, which provides many bug fixes and enhancements - that are available in upstream GCC. -

-

- The following tools and versions are provided by GCC Toolset 12: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 12.1.1 -

-
-

- GDB -

-
-

- 11.2 -

-
-

- binutils -

-
-

- 2.35 -

-
-

- dwz -

-
-

- 0.14 -

-
-

- annobin -

-
-

- 10.76 -

-
-
-

- To install GCC Toolset 12, run the following command as root: -

-
# dnf install gcc-toolset-12
-

- To run a tool from GCC Toolset 12: -

-
$ scl enable gcc-toolset-12 tool
-

- To run a shell session where tool versions from GCC Toolset 12 override system versions of these - tools: -

-
$ scl enable gcc-toolset-12 bash
-

- For more information, see GCC - Toolset 12. -

-

- (BZ#2077465) -

-
-

GCC Toolset 12: Annobin rebased to version 10.76

-

- In GCC Toolset 12, the Annobin package has been updated to version 10.76. -

-
-

- Notable bug fixes and enhancements include: -

-
-
    -
  • - A new command line option for annocheck tells it to avoid using the debuginfod service, if it is unable to find debug information in - another way. Using debuginfod provides annocheck with more - information, but it can also cause significant slow downs in annocheck’s performance if the - debuginfod server is unavailable. -
  • -
  • - The Annobin sources can now be built using meson and ninja rather than configure and make if desired. -
  • -
  • - Annocheck now supports binaries built by the Rust 1.18 compiler. -
  • -
-
-

- Additionally, the following known issue has been reported in the GCC Toolset 12 version of Annobin: -

-

- Under some circumstances it is possible for a compilation to fail with an error message that looks - similar to the following: -

-
cc1: fatal error: inaccessible plugin file
-opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin/gcc-annobin.so
-expanded from short plugin name gcc-annobin: No such file or directory
-

- To work around the problem, create a symbolic link in the plugin directory from annobin.so to gcc-annobin.so: -

-
# cd /opt/rh/gcc-toolset-12/root/usr/lib/gcc/architecture-linux-gnu/12/plugin
-# ln -s annobin.so gcc-annobin.so
-

- Where architecture is replaced with the architecture being - used: -

-
-
    -
  • - aarch64 -
  • -
  • - i686 -
  • -
  • - ppc64le -
  • -
  • - s390x -
  • -
  • - x86_64 -
  • -
-
-

- (BZ#2077438) -

-
-

GCC Toolset 12: binutils rebased to version - 2.38

-

- In GCC Toolset 12, the binutils package has been updated to version - 2.38. -

-
-

- Notable bug fixes and enhancements include: -

-
-
    -
  • - All tools in the binutils package now support options to - display or warn about the presence of multibyte characters. -
  • -
  • - The readelf and objdump tools now - automatically follow any links to separate debuginfo files by - default. This behavior can be disabled by using the --debug-dump=no-follow-links option for readelf or the --dwarf=no-follow-links option for objdump. -
  • -
-
-

- (BZ#2077445) -

-
-

GCC 12 and later supports _FORTIFY_SOURCE - level 3

-

- With this enhancement, users can build applications with -D_FORTIFY_SOURCE=3 in the compiler command line when building with - GCC version 12 or later. _FORTIFY_SOURCE level 3 improves coverage - of source code fortification, thus improving security for applications built with -D_FORTIFY_SOURCE=3 in the compiler command line. This is supported - in GCC versions 12 and later and all Clang in RHEL 9 with the __builtin_dynamic_object_size builtin. -

-
-

- (BZ#2033683) -

-
-

DNS stub resolver option now supports no-aaaa - option

-

- With this enhancement, glibc now recognizes the no-aaaa stub resolver option in /etc/resolv.conf and the RES_OPTIONS - environment variable. When this option is active, no AAAA queries will be sent over the network. - System administrators can disable AAAA DNS lookups for diagnostic purposes, such as ruling out - that the superfluous lookups on IPv4-only networks do not contribute to DNS issues. -

-
-

- (BZ#2096191) -

-
-

Added support for IBM Z Series z16

-

- The support is now available for the s390 instruction set with the - IBM z16 platform. IBM z16 provides two - additional hardware capabilities in glibc that are HWCAP_S390_VXRS_PDE2 and HWCAP_S390_NNPA. As a result, applications can now use these - capabilities to deliver optimized libraries and functions. -

-
-

- (BZ#2077838) -

-
-

Applications can use the restartable sequence features through the new - glibc interfaces

-

- To accelerate the sched_getcpu function (especially on aarch64), it - is necessary to use the restartable sequences (rseq) kernel feature by default in glibc. To allow applications to continuously use the shared rseq - area, glibc now provides the __rseq_offset, __rseq_size and __rseq_flags symbols which were first added in glibc 2.35 upstream version. With this enhancement, the performance - of the sched_getcpu function is increased and applications can now - use the restartable sequence features through the new glibc - interfaces. -

-
-

- (BZ#2085529) -

-
-

GCC Toolset 12: GDB rebased to version 11.2

-

- In GCC Toolset 12, the GDB package has been updated to version 11.2. -

-
-

- Notable bug fixes and enhancements include: -

-
-
    -
  • - New support for the 64-bit ARM architecture Memory Tagging Extension (MTE). See new commands - with the memory-tag prefix. -
  • -
  • -

    - --qualified option for -break-insert and -dprintf-insert. This option looks for an exact match of the - user’s event location instead of searching in all scopes. -

    -

    - For example, break --qualified foo - will look for a symbol named foo in the global - scope. Without --qualified, GDB will search all scopes for - a symbol with that name. -

    -
  • -
  • - --force-condition: Any supplied condition is defined even if it - is currently invalid. -
  • -
  • - -break-condition --force: Likewise for the MI command. -
  • -
  • - -file-list-exec-source-files accepts optional REGEXP to limit output. -
  • -
  • -

    - .gdbinit search path includes the config directory. The - order is: -

    -
    -
      -
    1. - $XDG_CONFIG_HOME/gdb/gdbinit -
    2. -
    3. - $HOME/.config/gdb/gdbinit -
    4. -
    5. - $HOME/.gdbinit -
    6. -
    -
    -
  • -
  • - Support for ~/.config/gdb/gdbearlyinit or ~/.gdbearlyinit. -
  • -
  • - -eix and -eiex early - initialization file options. -
  • -
-
-

- Terminal user interface (TUI): -

-
-
    -
  • - Support for mouse actions inside terminal user interface (TUI) windows. -
  • -
  • - Key combinations that do not act on the focused window are now passed to GDB. -
  • -
-
-

- New commands: -

-
-
    -
  • - show print memory-tag-violations -
  • -
  • - set print memory-tag-violations -
  • -
  • - memory-tag show-logical-tag -
  • -
  • - memory-tag with-logical-tag -
  • -
  • - memory-tag show-allocation-tag -
  • -
  • - memory-tag check -
  • -
  • - show startup-quietly and set startup-quietly: A way to specify -q or -quiet in GDB scripts. Only - valid in early initialization files. -
  • -
  • - show print type hex and set print type hex: Tells GDB to print sizes or offsets for - structure members in hexadecimal instead of decimal. -
  • -
  • - show python ignore-environment and set python ignore-environment: If enabled, GDB’s Python - interpreter ignores Python environment variables, much like passing -E to the Python executable. Only valid in early initialization - files. -
  • -
  • - show python dont-write-bytecode and set python dont-write-bytecode: If off, these commands suppress GDB’s Python interpreter from - writing bytecode compiled objects of imported modules, much like passing -B to the Python executable. Only valid in early initialization - files. -
  • -
-
-

- Changed commands: -

-
-
    -
  • - break LOCATION if CONDITION: - If CONDITION is invalid, GDB refuses to set a - breakpoint. The -force-condition option overrides this. -
  • -
  • - CONDITION -force N COND: - Same as the previous command. -
  • -
  • - inferior [ID]: When ID is omitted, this command prints - information about the current inferior. Otherwise, unchanged. -
  • -
  • - ptype[/FLAGS] TYPE | EXPRESSION: - Use the /x flag to use hexadecimal notation when printing sizes - and offsets of struct members. Use the /d flag to do the same - but using decimal. -
  • -
  • - info sources: Output has been restructured. -
  • -
-
-

- Python API: -

-
-
    -
  • - Inferior objects contain a read-only connection_num attribute. -
  • -
  • - New gdb.Frame.level() method. -
  • -
  • - New gdb.PendingFrame.level() method. -
  • -
  • - gdb.BreakpoiontEvent emitted instead of gdb.Stop. -
  • -
-
-

- (BZ#2077494) -

-
-

GDB supports Power 10 PLT instructions

-

- GDB now supports Power 10 PLT instructions. With this update, users are able to step into shared - library functions and inspect stack backtraces using GDB version 10.2-10 and later. -

-
-

- (BZ#1870017) -

-
-

The dyninst packaged rebased to version - 12.1

-

- The dyninst package has been rebased to version 12.1. Notable bug - fixes and enhancements include: -

-
-
-
    -
  • - Initial support for glibc-2.35 multiple namespaces -
  • -
  • - Concurrency fixes for DWARF parallel parsing -
  • -
  • - Better support for the CUDA and CDNA2 GPU binaries -
  • -
  • - Better support for IBM POWER Systems (little endian) register access -
  • -
  • - Better support for PIE binaries -
  • -
  • - Corrected parsing for catch blocks -
  • -
  • - Corrected access to 64-bit Arm (aarch64) floating point - registers -
  • -
-
-

- (BZ#2057675) -

-
-

A new fileset /etc/profile.d/debuginfod.*

-

- Added new fileset for activating organizational debuginfod services. To get a system-wide debuginfod client activation you must add the URL to /etc/debuginfod/FOO.urls file. -

-
-

- (BZ#2088774) -

-
-

Rust Toolset rebased to version 1.62.1

-

- Rust Toolset has been updated to version 1.62.1. Notable changes include: -

-
-
-
    -
  • - Destructuring assignment allows patterns to assign to existing variables in the left-hand - side of an assignment. For example, a tuple assignment can swap to variables: (a, b) = (b, a); -
  • -
  • - Inline assembly is now supported on 64-bit x86 and 64-bit ARM using the core::arch::asm! macro. See more details in the "Inline assembly" - chapter of the reference, /usr/share/doc/rust/html/reference/inline-assembly.html (online - at https://doc.rust-lang.org/reference/inline-assembly.html). -
  • -
  • - Enums can now derive the Default trait with an explicitly - annotated #[default] variant. -
  • -
  • - Mutex, CondVar, and RwLock now use a custom futex-based - implementation rather than pthreads, with new optimizations made possible by Rust language - guarantees. -
  • -
  • - Rust now supports custom exit codes from main, including - user-defined types that implement the newly-stabilized Termination trait. -
  • -
  • - Cargo supports more control over dependency features. The dep: - prefix can refer to an optional dependency without exposing that as a feature, and a ? only enables a dependency feature if that dependency is enabled - elsewhere, like package-name?/feature-name. -
  • -
  • - Cargo has a new cargo add subcommand for adding dependencies to - Cargo.toml. -
  • -
  • -

    - For more details, please see the series of upstream release announcements: -

    - -
  • -
-
-

- (BZ#2075337) -

-
-

LLVM Toolset rebased to version 14.0.6

-

- LLVM Toolset has been rebased to version 14.0.6. Notable changes include: -

-
-
-
    -
  • - On 64-bit x86, support for AVX512-FP16 instructions has been - added. -
  • -
  • - Support for the Armv9-A, Armv9.1-A and Armv9.2-A architectures has been added. -
  • -
  • - On PowerPC, added the __ibm128 type to represent IBM - double-double format, also available as __attribute__((mode(IF))). -
  • -
-
-

- clang changes: -

-
-
    -
  • - if consteval for C++2b is now - implemented. -
  • -
  • - On 64-bit x86, support for AVX512-FP16 instructions has been - added. -
  • -
  • - Completed support of OpenCL C 3.0 and C++ for OpenCL 2021 at - experimental state. -
  • -
  • - The -E -P preprocessor output now always omits blank lines, - matching GCC behavior. Previously, up to 8 consecutive blank lines could appear in the - output. -
  • -
  • - Support -Wdeclaration-after-statement with C99 and later standards, and not just C89, matching GCC’s - behavior. A notable use case is supporting style guides that forbid mixing declarations and - code, but want to move to newer C standards. -
  • -
-
-

- For more information, see the LLVM Toolset and Clang upstream - release notes. -

-

- (BZ#2061041) -

-
-

Go Toolset rebased to version 1.18.2

-

- Go Toolset has been rebased to version 1.18.2. -

-
-

- Notable changes include: -

-
-
    -
  • - The introduction of generics while maintaining backwards compatibility with earlier versions - of Go. -
  • -
  • - A new fuzzing library. -
  • -
  • - New debug/buildinfo and net/netip packages. -
  • -
  • - The go get tool no longer builds or installs packages. Now, it - only handles dependencies in go.mod. -
  • -
  • - If the main module’s go.mod file specifies go 1.17 or higher, the go mod download command used without any additional arguments - only downloads source code for the explicitly required modules in the main module’s go.mod file. To also download source code for transitive - dependencies, use the go mod download all command. -
  • -
  • - The go mod vendor subcommand now supports a -o option to set the output directory. -
  • -
  • - The go mod tidy command now retains additional checksums in the - go.sum file for modules whose source code is required to verify - that only one module in the build list provides each imported package. This change is not - conditioned on the Go version in the main module’s go.mod file. -
  • -
-
-

- (BZ#2075169) -

-
-

A new module stream: maven:3.8

-

- RHEL 9.1 introduces Maven 3.8 as a new module stream. -

-
-

- To install the maven:3.8 module stream, use: -

-
# dnf module install maven:3.8
-

- (BZ#2083112) -

-
-

.NET version 7.0 is available

-

- Red Hat Enterprise Linux 9.1 is distributed with .NET version 7.0. Notable improvements - include: -

-
-
-
    -
  • - Support for IBM Power (ppc64le) -
  • -
-
-

- For more information, see Release - Notes for .NET 7.0 RPM packages and Release - Notes for .NET 7.0 containers. -

-

- (BZ#2112027) -

-
-
-
-
-
-

4.15. Identity Management

-
-
-
-
-

SSSD now supports memory caching for SID requests

-

- With this enhancement, SSSD now supports memory caching for SID requests, which are GID and UID - lookups by SID and vice versa. Memory caching results in improved performance, for example, when - copying large amounts of files to or from a Samba server. -

-
-

- (JIRA:RHELPLAN-123369) -

-
-

The ipaservicedelegationtarget and ipaservicedelegationrule Ansible modules are now - available

-

- You can now use the ipaservicedelegationtarget and ipaservicedelegationrule ansible-freeipa - modules to, for example, configure a web console client to allow an Identity Management (IdM) - user that has authenticated with a smart card to do the following: -

-
-
-
    -
  • - Use sudo on the RHEL host on which the web console service is - running without being asked to authenticate again. -
  • -
  • - Access a remote host using SSH and access services on the host - without being asked to authenticate again. -
  • -
-
-

- The ipaservicedelegationtarget and ipaservicedelegationrule modules utilize the Kerberos S4U2proxy feature, also known as constrained delegation. IdM - traditionally uses this feature to allow the web server framework to obtain an LDAP service ticket - on the user’s behalf. The IdM-AD trust system uses the feature to obtain a cifs principal. -

-

- (JIRA:RHELPLAN-117109) -

-
-

SSSD support for anonymous PKINIT for FAST

-

- With this enhancement, SSSD now supports anonymous PKINIT for Flexible Authentication via Secure - Tunneling (FAST), also called Kerberos armoring in Active Directory. Until now, to use FAST, a - Kerberos keytab was needed to request the required credentials. You can now use anonymous PKINIT - to create this credential cache to establish the FAST session. -

-
-

- To enable anonymous PKINIT, perform the following steps: -

-
-
    -
  1. - Set krb5_fast_use_anonymous_pkinit to true in the [domain] section of the - sssd.conf file. -
  2. -
  3. - Restart SSSD. -
  4. -
  5. -

    - In an IdM environment, you can verify that anonymous PKINIT was used to establish the - FAST session by logging in as the IdM user. A cache file with the FAST ticket is created - and the Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS - indicates that anonymous PKINIT was used: -

    -
    klist /var/lib/sss/db/fast_ccache_IPA.VM
    -Ticket cache: FILE:/var/lib/sss/db/fast_ccache_IPA.VM
    -Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
    -Valid starting Expires Service principal
    -03/10/2022 10:33:45 03/10/2022 10:43:45 krbtgt/IPA.VM@IPA.VM
    -
  6. -
-
-

- (JIRA:RHELPLAN-123368) -

-
-

IdM now supports Random Serial Numbers

-

- With this update, Identity Management (IdM) now includes dogtagpki 11.2.0, which allows you to use Random Serial Numbers - version 3 (RSNv3). You can enable RSNv3 by using the --random-serial-numbers option when running ipa-server-install or ipa-ca-install. - With RSNv3 enabled, IdM generates fully random serial numbers for certificates and requests in - PKI without range management. Using RSNv3, you can avoid range management in large IdM - installations and prevent common collisions when reinstalling IdM. -

-
-
-
Important
-
-

- RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3 - on all PKI services. -

-
-
-

- (BZ#747959) -

-
-

IdM now supports a limit on the number of LDAP binds allowed after a user - password has expired

-

- With this enhancement, you can set the number of LDAP binds allowed when the password of an - Identity Management (IdM) user has expired: -

-
-
-
-
-1
-
- IdM grants the user unlimited LDAP binds before the user must reset the password. This is - the default value, which matches the previous behavior. -
-
0
-
- This value disables all LDAP binds once a password is expired. In effect, the users must - reset their password immediately. -
-
1-MAXINT
-
- The value entered allows exactly that many binds post-expiration. -
-
-
-

- The value can be set in the global password policy and in group policies. -

-

- Note that the count is stored per server. -

-

- In order for a user to reset their own password they need to bind with their current, expired - password. If the user has exhausted all post-expiration binds, then the password must be - administratively reset. -

-

- (BZ#2091988) -

-
-

New ipasmartcard_server and ipasmartcard_client roles

-

- With this update, the ansible-freeipa package provides Ansible - roles to configure Identity Management (IdM) servers and clients for smart card authentication. - The ipasmartcard_server and ipasmartcard_client roles replace the ipa-advise scripts to automate and simplify the integration. The same - inventory and naming scheme are used as in the other ansible-freeipa roles. -

-
-

- (BZ#2076567) -

-
-

IdM now supports configuring an AD Trust with Windows Server 2022 -

-

- With this enhancement, you can establish a cross-forest trust between Identity Management (IdM) - domains and Active Directory forests that use Domain Controllers running Windows Server 2022. -

-
-

- (BZ#2122716) -

-
-

The ipa-dnskeysyncd and ipa-ods-exporter debug messages are no longer logged to - /var/log/messages by default

-

- Previously, ipa-dnskeysyncd, the service that is responsible for - the LDAP-to-OpenDNSSEC synchronization, and ipa-ods-exporter, the - Identity Management (IdM) OpenDNSSEC exporter service, logged all debug messages to /var/log/messages by default. As a consequence, log files grew - substantially. With this enhancement, you can configure the log level by setting debug=True in the /etc/ipa/dns.conf - file. For more information, refer to default.conf(5), the man page - for the IdM configuration file. -

-
-

- (BZ#2083218) -

-
-

samba rebased to version 4.16.1

-

- The samba packages have been upgraded to upstream version 4.16.1, - which provides bug fixes and enhancements over the previous version: -

-
-
-
    -
  • - By default, the smbd process automatically starts the new samba-dcerpcd process on demand to serve Distributed Computing - Environment / Remote Procedure Calls (DCERPC). Note that Samba 4.16 and later always - requires samba-dcerpcd to use DCERPC. If you disable the rpc start on demand helpers setting in the [global] section in the /etc/samba/smb.conf file, you must create a systemd service unit to run samba-dcerpcd in standalone mode. -
  • -
  • -

    - The Cluster Trivial Database (CTDB) recovery master role - has been renamed to leader. As a result, the following - ctdb sub-commands have been renamed: -

    -
    -
      -
    • - recmaster to leader -
    • -
    • - setrecmasterrole to setleaderrole -
    • -
    -
    -
  • -
  • - The CTDB recovery lock configuration has been renamed to cluster lock. -
  • -
  • - CTDB now uses leader broadcasts and an associated timeout to determine if an election is - required. -
  • -
-
-

- Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will - be removed in a future release. -

-

- Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba - automatically updates its tdb database files. Note that Red Hat does - not support downgrading tdb database files. -

-

- After updating Samba, verify the /etc/samba/smb.conf file using the - testparm utility. -

-

- For further information about notable changes, read the upstream release notes before - updating. -

-

- (BZ#2077487) -

-
-

SSSD now supports direct integration with Windows Server 2022

-

- With this enhancement, you can use SSSD to directly integrate your RHEL system with Active - Directory forests that use Domain Controllers running Windows Server 2022. -

-
-

- (BZ#2070793) -

-
-

Improved SSSD multi-threaded performance

-

- Previously, SSSD serialized parallel requests from multi-threaded applications, such as Red Hat - Directory Server and Identity Management. This update fixes all SSSD client libraries, such as - nss and pam, so they do not serialize - requests, therefore allowing requests from multiple threads to be executed in parallel for - better performance. To enable the previous behavior of serialization, set the environment - variable SSS_LOCKFREE to NO. -

-
-

- (BZ#1978119) -

-
-

Directory Server now supports canceling the Auto Membership plug-in - task.

-

- Previously, the Auto Membership plug-in task could generate high CPU usage on the server if - Directory Server has complex configuration (large groups, complex rules and interaction with - other plugins). With this enhancement, you can cancel the Auto Membership plug-in task. As a - result, performance issues no longer occur. -

-
-

- (BZ#2052527) -

-
-

Directory Server now supports recursive delete operations when using ldapdelete

-

- With this enhancement, Directory Server now supports the Tree Delete Control [1.2.840.113556.1.4.805] OpenLDAP control. As a - result, you can use the ldapdelete utility to recursively delete - subentries of a parent entry. -

-
-

- (BZ#2057063) -

-
-

You can now set basic replication options during the Directory Server - installation

-

- With this enhancement, you can configure basic replication options like authentication - credentials and changelog trimming during an instance installation using an .inf file. -

-
-

- (BZ#2057066) -

-
-

Directory Server now supports instance creation by a non-root user -

-

- Previously, non-root users were not able to create Directory Server instances. With this - enhancement, a non-root user can use the dscreate ds-root - subcommand to configure an environment where dscreate,dsctl,dsconf commands are used as usual - to create and administer Directory Server instances. -

-
-

- (BZ#1872451) -

-
-

pki packages renamed to idm-pki

-

- The following pki packages are now renamed to idm-pki to better distinguish between IDM packages and Red Hat - Certificate System ones: -

-
-
-
    -
  • - idm-pki-tools -
  • -
  • - idm-pki-acme -
  • -
  • - idm-pki-base -
  • -
  • - idm-pki-java -
  • -
  • - idm-pki-ca -
  • -
  • - idm-pki-kra -
  • -
  • - idm-pki-server -
  • -
  • - python3-idm-pki -
  • -
-
-

- (BZ#2139877) -

-
-
-
-
-
-

4.16. Graphics infrastructures

-
-
-
-
-

Wayland is now enabled with Matrox GPUs

-

- The desktop session now enables the Wayland back end with Matrox GPUs. -

-
-

- In previous releases, Wayland was disabled with Matrox GPUs due to performance and other - limitations. These problems have now been fixed. -

-

- You can still switch the desktop session from Wayland back to Xorg. For more information, see Overview - of GNOME environments. -

-

- (BZ#2097308) -

-
-

12th generation Intel Core GPUs are now supported

-

- This release adds support for several integrated GPUs for the 12th Gen Intel Core CPUs. This - includes Intel UHD Graphics and Intel Xe integrated GPUs found with the following CPU models: -

-
-
-
    -
  • - Intel Core i3 12100T through Intel Core i9 12900KS -
  • -
  • - Intel Pentium Gold G7400 and G7400T -
  • -
  • - Intel Celeron G6900 and G6900T -
  • -
  • - Intel Core i5-12450HX through Intel Core i9-12950HX -
  • -
  • - Intel Core i3-1220P through Intel Core i7-1280P -
  • -
-
-

- (JIRA:RHELPLAN-135601) -

-
-

Support for new AMD GPUs

-

- This release adds support for several AMD Radeon RX 6000 Series GPUs and integrated graphics of - the AMD Ryzen 6000 Series CPUs. -

-
-

- The following AMD Radeon RX 6000 Series GPU models are now supported: -

-
-
    -
  • - AMD Radeon RX 6400 -
  • -
  • - AMD Radeon RX 6500 XT -
  • -
  • - AMD Radeon RX 6300M -
  • -
  • - AMD Radeon RX 6500M -
  • -
-
-

- AMD Ryzen 6000 Series includes integrated GPUs found with the following CPU models: -

-
-
    -
  • - AMD Ryzen 5 6600U -
  • -
  • - AMD Ryzen 5 6600H -
  • -
  • - AMD Ryzen 5 6600HS -
  • -
  • - AMD Ryzen 7 6800U -
  • -
  • - AMD Ryzen 7 6800H -
  • -
  • - AMD Ryzen 7 6800HS -
  • -
  • - AMD Ryzen 9 6900HS -
  • -
  • - AMD Ryzen 9 6900HX -
  • -
  • - AMD Ryzen 9 6980HS -
  • -
  • - AMD Ryzen 9 6980HX -
  • -
-
-

- (JIRA:RHELPLAN-135602) -

-
-
-
-
-
-

4.17. The web console

-
-
-
-
-

Update progress page in the web console now supports an automatic restart - option

-

- The update progress page now has a Reboot after - completion switch. This reboots the system automatically after - installing the updates. -

-
-

- (BZ#2056786) -

-
-
-
-
-
-

4.18. Red Hat Enterprise Linux system roles

-
-
-
-
-

The network RHEL system role supports network - configuration using the nmstate API

-

- With this update, the network RHEL system role supports network - configuration through the nmstate API. Users can now directly apply - the configuration of the required network state to a network interface instead of creating - connection profiles. The feature also allows partial configuration of a network. As a result, - the following benefits exist: -

-
-
-
    -
  • - decreased network configuration complexity -
  • -
  • - reliable way to apply the network state changes -
  • -
  • - no need to track the entire network configuration -
  • -
-
-

- (BZ#2072385) -

-
-

Users can create connections with IPoIB capability using the network RHEL system role

-

- The infiniband connection type of the network RHEL system role now supports the Internet Protocol over - Infiniband (IPoIB) capability. To enable this feature, define a value to the p_key option of infiniband. Note that if - you specify p_key, the interface_name - option of the network_connections variable must be left unset. The - previous implementation of the network RHEL system role did not - properly validate the p_key value and the interface_name option for the infiniband - connection type. Therefore, the IPoIB functionality never worked before. For more information, - see a README file in the /usr/share/doc/rhel-system-roles/network/ - directory. -

-
-

- (BZ#2086965) -

-
-

HA Cluster RHEL system role now supports SBD fencing and configuration of - Corosync settings

-

- The HA Cluster system role now supports the following features: -

-
-
-
-
SBD fencing
-
- Fencing is a crucial part of HA cluster configuration. SBD provides a means for nodes to - reliably self-terminate when fencing is required. SBD fencing can be particularly useful in - environments where traditional fencing mechanisms are not possible. It is now possible to - configure SBD fencing with the HA Cluster system role. -
-
Corosync settings
-
- The HA Cluster system role now supports the configuration of Corosync settings, such as - transport, compression, encryption, links, totem, and quorum. These settings are required to - match cluster configuration with customers' needs and environment when the default settings - are not suitable. -
-
-
-

- (BZ#2065337, BZ#2070452, BZ#2079626, BZ#2098212, BZ#2120709, BZ#2120712) -

-
-

The network RHEL role now configures network - settings for routing rules

-

- Previously, you could route the packet based on the destination address field in the packet, but - you could not define the source routing and other policy routing rules. With this enhancement, - network RHEL role supports routing rules so that the users have - control over the packet transmission or route selection. -

-
-

- (BZ#2079622) -

-
-

The new previous:replaced configuration - enables firewall system role to reset the firewall settings to - default

-

- System administrators who manage different sets of machines, where each machine has different - pre-existing firewall settings, can now use the previous: replaced - configuration in the firewall role to ensure that all machines have - the same firewall configuration settings. The previous: replaced - configuration can erase all the existing firewall settings and replace them with consistent - settings. -

-
-

- (BZ#2043010) -

-
-

New option in the postfix RHEL system role for - overwriting previous configuration

-

- If you manage a group of systems which have inconsistent postfix - configurations, you may want to make the configuration consistent on all of them. With this - enhancement, you can specify the previous: replaced option within - the postfix_conf dictionary to remove any existing configuration - and apply the desired configuration on top of a clean postfix - installation. As a result, you can erase any existing postfix - configuration and ensure consistency on all the systems being managed. -

-
-

- (BZ#2065383) -

-
-

Enhanced microsoft.sql.server RHEL system - role

-

- The following new variables are now available for the microsoft.sql.server RHEL system role: -

-
-
-
    -
  • - Variables with the mssql_ha_ prefix to control configuring a - high availability cluster. -
  • -
  • - The mssql_tls_remote_src variable to search for mssql_tls_cert and mssql_tls_private_key values on managed nodes. If you keep the - default false setting, the role searches for these files on the - control node. -
  • -
  • - The mssql_manage_firewall variable to manage firewall ports - automatically. If this variable is set to false, you must - enable firewall ports manually. -
  • -
  • - The mssql_pre_input_sql_file and mssql_post_input_sql_file variables to control whether you want - to run the SQL scripts before the role execution or after it. These new variables replace - the former mssql_input_sql_file variable, which did not allow - you to influence the time of SQL script execution. -
  • -
-
-

- (BZ#2066337) -

-
-

The logging RHEL system role supports options - startmsg.regex and endmsg.regex in - files inputs

-

- With this enhancement, you can now filter log messages coming from files by using regular - expressions. Options startmsg_regex and endmsg_regex are now included in the files’ input. The startmsg_regex represents the regular expression that matches the - start part of a message, and the endmsg_regex represents the - regular expression that matches the last part of a message. As a result, you can now filter - messages based upon properties such as date-time, priority, and severity. -

-
-

- (BZ#2112145) -

-
-

The sshd RHEL system role verifies the include - directive for the drop-in directory

-

- The sshd RHEL system role on RHEL 9 manages only a file in the - drop-in directory, but previously did not verify that the directory is included from the main - sshd_config file. With this update, the role verifies that sshd_config contains the include directive for the drop-in directory. - As a result, the role more reliably applies the provided configuration. -

-
-

- (BZ#2052081) -

-
-

The sshd RHEL system role can be managed - through /etc/ssh/sshd_config

-

- The sshd RHEL system role applied to a RHEL 9 managed node places - the SSHD configuration in a drop-in directory (/etc/ssh/sshd_config.d/00-ansible_system_role.conf by default). - Previously, any changes to the /etc/ssh/sshd_config file overwrote - the default values in 00-ansible_system_role.conf. With this - update, you can manage SSHD by using /etc/ssh/sshd_config instead - of 00-ansible_system_role.conf while preserving the system default - values in 00-ansible_system_role.conf. -

-
-

- (BZ#2052086) -

-
-

The metrics role consistently uses - "Ansible_managed" comment in its managed configuration files

-

- With this update, the metrics role inserts the "Ansible managed" - comment to the configuration files, using the Ansible standard ansible_managed variable. The comment indicates that the - configuration files should not be directly edited because the metrics role can overwrite the file. As a result, the configuration - files contain a declaration stating that the configuration files are managed by Ansible. -

-
-

- (BZ#2065392) -

-
-

The storage RHEL system role now supports - managing the pool members

-

- The storage RHEL system role can now add or remove disks from - existing LVM pools without removing the pool first. To increase the pool capacity, the storage RHEL system role can add new disks to the pool and free - currently allocated disks in the pool for another use. -

-
-

- (BZ#2072742) -

-
-

Support for thinly provisioned volumes is now available in the storage RHEL system role

-

- The storage RHEL system role can now create and manage thinly - provisioned LVM logical volumes (LVs). Thin provisioned LVs are allocated as they are written, - allowing better flexibility when creating volumes as physical storage provided for thin - provisioned LVs can be increased later as the need arises. LVM thin provisioning also allows - creating more efficient snapshots because the data blocks common to a thin LV and any of its - snapshots are shared. -

-
-

- (BZ#2072745) -

-
-

Better support for cached volumes is available in the storage RHEL system role

-

- The storage RHEL system role can now attach cache to existing LVM - logical volumes. LVM cache can be used to improve performance of slower logical volumes by - temporarily storing subsets of an LV’s data on a smaller, faster device, for example an SSD. - This enhances the previously added support for creating cached volumes by allowing adding - (attaching) a cache to an existing, previously uncached volume. -

-
-

- (BZ#2072746) -

-
-

The logging RHEL system role now supports - template, severity and facility options

-

- The logging RHEL system role now features new useful severity and facility options to the - files inputs as well as a new template option to the files and - forwards outputs. Use the template option to specify the - traditional time format by using the parameter traditional, the - syslog protocol 23 format by using the parameter syslog, and the - modern style format by using the parameter modern. As a result, you - can now use the logging role to filter by the severity and facility - as well as to specify the output format by template. -

-
-

- (BZ#2075119) -

-
-

RHEL system roles now available also in playbooks with fact gathering - disabled

-

- Ansible fact gathering might be disabled in your environment for performance or other reasons. - Previously, it was not possible to use RHEL system roles in such configurations. With this - update, the system detects the ANSIBLE_GATHERING=explicit parameter - in your configuration and gather_facts: false parameter in your - playbooks, and use the setup: module to gather only the facts - required by the given role, if not available from the fact cache. -

-
-
-
Note
-
-

- If you have disabled Ansible fact gathering due to performance, you can enable Ansible fact - caching instead, which does not cause a performance hit of retrieving them from source. -

-
-
-

- (BZ#2078989) -

-
-

The storage role now has less verbosity by default

-

- The storage role output is now less verbose by default. With this update, users can increase the - verbosity of storage role output to only produce debugging output if they are using Ansible - verbosity level 1 or above. -

-
-

- (BZ#2079627) -

-
-

The firewall RHEL system role does not require - the state parameter when configuring masquerade or icmp_block_inversion

-

- When configuring custom firewall zones, variables masquerade and - icmp_block_inversion are boolean settings. A value of true implies state: present and a value - of false implies state: absent. - Therefore, the state parameter is not required when configuring - masquerade or icmp_block_inversion. -

-
-

- (BZ#2093423) -

-
-

You can now add, update, or remove services using absent and present states in the - firewall RHEL system role

-

- With this enhancement, you can use the present state to add ports, - modules, protocols, services, and destination addresses, or use the absent state to remove them. Note that to use the absent and present states in the firewall RHEL system role, set the permanent option to true. With the permanent option set to true, the state - settings apply until changed, and remain unaffected by role reloads. -

-
-

- (BZ#2100292) -

-
-

The firewall system role can add or remove an - interface to the zone using PCI device ID

-

- Using the PCI device ID, the firewall system role can now assign or - remove a network interface to or from a zone. Previously, if only the PCI device ID was known - instead of the interface name, users had to first identify the corresponding interface name to - use the firewall system role. With this update, the firewall system role can now use the PCI device ID to manage a - network interface in a zone. -

-
-

- (BZ#2100942) -

-
-

The firewall RHEL system role can provide - Ansible facts

-

- With this enhancement, you can now gather the firewall RHEL system - role’s Ansible facts from all of your systems by including the firewall: variable in the playbook with no arguments. To gather a - more detailed version of the Ansible facts, use the detailed: true - argument, for example: -

-
-
vars:
-  firewall:
-    detailed: true
-

- (BZ#2115154) -

-
-

Added setting of seuser and selevel to the selinux RHEL system - role

-

- Sometimes, it is necessary to set seuser and selevel parameters when setting SELinux context file system mappings. - With this update, you can use the seuser and selevel optional arguments in selinux_fcontext to specify SELinux user and level in the SELinux - context file system mappings. -

-
-

- (BZ#2115157) -

-
-

New cockpit system role variable for setting a - custom listening port

-

- The cockpit system role introduces the cockpit_port variable that allows you to set a custom listening port - other than the default 9090 port. Note that if you decide to set a custom listening port, you - will also need to adjust your SELinux policy to allow the web console to listen on that port. -

-
-

- (BZ#2115152) -

-
-

The metrics role can export postfix performance data

-

- You can now use the new metrics_from_postfix boolean variable in - the metrics role for recording and detailed performance analysis. - With this enhancement, setting the variable enables the pmdapostfix - metrics agent on the system, making statistics about postfix - available. -

-
-

- (BZ#2051737) -

-
-

The postfix role consistently uses - "Ansible_managed" comment in its managed configuration files

-

- The postfix role generates the /etc/postfix/main.cf configuration file. With this update, the postfix role inserts the "Ansible managed" comment to the - configuration files, using the Ansible standard ansible_managed - variable. The comment indicates that the configuration files should not be directly edited - because the postfix role can overwrite the file. As a result, the - configuration files contain a declaration stating that the configuration files are managed by - Ansible. -

-
-

- (BZ#2065393) -

-
-

The nbde-client RHEL system role supports - static IP addresses

-

- In previous versions of RHEL, restarting a system with a static IP address and configured with - the nbde_client RHEL system role changed the system’s IP address. - With this update, systems with static IP addresses are supported by the nbde_client role, and their IP addresses do not change after a - reboot. -

-
-

- Note that by default, the nbde_client role uses DHCP when booting, and - switches to the configured static IP after the system is booted. -

-

- (BZ#2070462) -

-
-
-
-
-
-

4.19. Virtualization

-
-
-
-
-

RHEL web console now features RHEL as an option for the Download an OS VM workflow

-

- With this enhancement, the RHEL web console now supports the installation of RHEL virtual - machines (VMs) using the default Download an OS workflow. As a - result, you can download and install the RHEL OS as a VM directly within the web console. -

-
-

- (JIRA:RHELPLAN-121982) -

-
-

Improved KVM architectural compliance

-

- With this update, the architectural compliance of the KVM hypervisor has now been enhanced and - made stricter. As a result, the hypervisor is now better prepared to address future changes to - Linux-based and other operating systems. -

-
-

- (JIRA:RHELPLAN-117713) -

-
-

ap-check is now available in RHEL 9 -

-

- The mdevctl tool now provides a new ap-check support utility. You can use mdevctl to persistently configure cryptographic adapters and domains - that are allowed for pass-through usage into virtual machines as well as the matrix and vfio-ap devices. With mdevctl, you do not have to reconfigure these adapters, domains, and - devices after every IPL. In addition, mdevctl prevents the - distributor from inventing other ways to reconfigure them. -

-
-

- When invoking mdevctl commands for vfio-ap - devices, the new ap-check support utility is invoked as part of the - mdevctl command to perform additional validity checks against vfio-ap device configurations. -

-

- In addition, the chzdev tool now provides the ability to manage the - system-wide Adjunct Processor (AP) mask settings, which determine what AP resources are available - for vfio-ap devices. When used, chzdev - makes it possible to persist these settings by generating an associated udev rule. Using lszdev, you can can now - also query the system-wide AP mask settings. -

-

- (BZ#1870699) -

-
-

open-vm-tools rebased to 12.0.5

-

- The open-vm-tools packages have been upgraded to version 12.0.5, - which introduces a number of bug fixes and new features. Most notably, support has been added - for the Salt Minion tool to be managed through guest OS variables. -

-
-

- (BZ#2061193) -

-
-

Selected VMs on IBM Z can now boot with kernel command lines longer than - 896 bytes

-

- Previously, booting a virtual machine (VM) on a RHEL 9 IBM Z host always failed if the kernel - command line of the VM was longer than 896 bytes. With this update, the QEMU emulator can handle - kernel command lines longer than 896 bytes. As a result, you can now use QEMU direct kernel boot - for VMs with very long kernel command lines, if the VM kernel supports it. Specifically, to use - a command line longer than 896 bytes, the VM must use Linux kernel version 5.16-rc1 or later. -

-
-

- (BZ#2044218) -

-
-

The Secure Execution feature on IBM Z now supports remote - attestation

-

- The Secure Execution feature on the IBM Z architecture now supports remote attestation. The - pvattest utility can create a remote attestation request to verify - the integrity of a guest that has Secure Execution enabled. -

-
-

- Additionally, it is now possible to inject interrupts to guests with Secure Execution through the - use of GISA. -

-

- (BZ#2001936, BZ#2044300) -

-
-

VM memory preallocation using multiple threads

-

- You can now define multiple CPU threads for virtual machine (VM) memory allocation in the domain - XML configuration, for example as follows: -

-
-
<memoryBacking>
-  <allocation threads='8'/>
-</memoryBacking>
-

- This ensures that more than one thread is used for allocating memory pages when starting a VM. As a - result, VMs with multiple allocation threads configured start significantly faster, especially if - the VMs has large amounts of RAM assigned and backed by hugepages. -

-

- (BZ#2064194) -

-
-

RHEL 9 guests now support SEV-SNP

-

- On virtual machines (VMs) that use RHEL 9 as a guest operating system, you can now use AMD - Secure Encrypted Virtualization (SEV) with the Secure Nested Paging (SNP) feature. Among other - benefits, SNP enhances SEV by improving its memory integrity protection, which helps prevent - hypervisor-based attacks such as data replay or memory re-mapping. Note that for SEV-SNP to work - on a RHEL 9 VM, the host running the VM must support SEV-SNP as well. -

-
-

- (BZ#2169738) -

-
-
-
-
-
-

4.20. RHEL in cloud environments

-
-
-
-
-

New SSH module for cloud-init

-

- With this update, an SSH module has been added to the cloud-init - utility, which automatically generates host keys during instance creation. -

-
-

- Note that with this change, the default cloud-init configuration has - been updated. Therefore, if you had a local modification, make sure the /etc/cloud/cloud.cfg - contains "ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']" line. -

-

- Otherwise, cloud-init creates an image which fails to start the sshd service. If this occurs, do the following to work around the - problem: -

-
-
    -
  1. -

    - Make sure the /etc/cloud/cloud.cfg file contains the - following line: -

    -
    ssh_genkeytypes:  ['rsa', 'ecdsa', 'ed25519']
    -
  2. -
  3. - Check whether /etc/ssh/ssh_host_* files exist in the instance. -
  4. -
  5. -

    - If the /etc/ssh/ssh_host_* files do not exist, use the - following command to generate host keys: -

    -
    cloud-init single --name cc_ssh
    -
  6. -
  7. -

    - Restart the sshd service: -

    -
    systemctl restart sshd
    -
  8. -
-
-

- (BZ#2115791) -

-
-
-
-
-
-

4.21. Containers

-
-
-
-
-

The Container Tools packages have been updated

-

- The Container Tools packages which contain the Podman, Buildah, Skopeo, crun, and runc tools are - now available. This update provides a list of bug fixes and enhancements over the previous - version. -

-
-

- Notable changes include: -

-
-
    -
  • - The podman pod create command now supports setting the CPU and - memory limits. You can set a limit for all containers in the pod, while individual - containers within the pod can have their own limits. -
  • -
  • - The podman pod clone command creates a copy of an existing pod. -
  • -
  • - The podman play kube command now supports the security context - settings using the BlockDevice and CharDevice volumes. -
  • -
  • - Pods created by the podman play kube can now be managed by - systemd unit files using a podman-kube@<service>.service - (for example systemctl --user start podman-play-kube@$(systemd-escape my.yaml).service). -
  • -
  • - The podman push and podman push manifest commands now support the sigstore - signatures. -
  • -
  • - The Podman networks can now be isolated by using the podman network --opt isolate command. -
  • -
-
-

- Podman has been upgraded to version 4.2, for further information about notable changes, see the upstream - release notes. -

-

- (JIRA:RHELPLAN-118462) -

-
-

GitLab Runner is now available on RHEL using Podman

-

- Beginning with GitLab Runner 15.1, you can use Podman as the container runtime in the GitLab - Runner Docker Executor. For more details, see GitLab’s Release Note. -

-
-

- (JIRA:RHELPLAN-101140) -

-
-

Podman now supports the --health-on-failure - option

-

- The podman run and podman create - commands now support the --health-on-failure option to determine - the actions to be performed when the status of a container becomes unhealthy. -

-
-

- The --health-on-failure option supports four actions: -

-
-
    -
  • - none: Take no action, this is the default action. -
  • -
  • - kill: Kill the container. -
  • -
  • - restart: Restart the container. -
  • -
  • - stop: Stop the container. -
  • -
-
-
-
Note
-
-

- Do not combine the restart action with the --restart option. When running inside of a systemd unit, consider - using the kill or stop action - instead to make use of systemd’s restart policy. -

-
-
-

- (BZ#2097708) -

-
-

Netavark network stack is now available

-

- The Netavark stack is a network configuration tool for containers. In RHEL 9, the Netavark stack - is fully supported and enabled by default. -

-
-

- This network stack has the following capabilities: -

-
-
    -
  • - Configuration of container networks using the JSON configuration file -
  • -
  • - Creating, managing, and removing network interfaces, including bridge and MACVLAN interfaces -
  • -
  • - Configuring firewall settings, such as network address translation (NAT) and port mapping - rules -
  • -
  • - IPv4 and IPv6 -
  • -
  • - Improved capability for containers in multiple networks -
  • -
  • - Container DNS resolution using the aardvark-dns project -
  • -
-
-
-
Note
-
-

- You have to use the same version of Netavark stack and the aardvark-dns authoritative DNS server. -

-
-
-

- (JIRA:RHELPLAN-132023) -

-
-

New package: catatonit in the CRB - repository

-

- A new catatonit package is now available in the CodeReady Linux - Builder (CRB) repository. The catatonit package is used as a - minimal init program for containers and can be included within the application container image. - Note that packages included in the CodeReady Linux Builder repository are unsupported. -

-
-

- Note that since RHEL 9.0, the podman-catonit package is available in - the AppStream repository. The podman-catatonit package is used only by - the Podman tool. -

-

- (BZ#2074193) -

-
-
-
-
-
-
-

Chapter 5. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel - distributed with Red Hat Enterprise Linux 9.1. These changes could include for example added or updated - proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any - noticeable behavior changes. -

-

New kernel parameters

-
-
-
allow_mismatched_32bit_el0 = [ARM64]
-
-

- With this parameter you can allow systems with mismatched 32-bit support at the EL0 level to - run 32-bit applications. The set of CPUs supporting 32-bit EL0 is indicated by the /sys/devices/system/cpu/aarch32_el0 file. Also, you can restrict - hot-unplug operations. -

-

- For more information, see Documentation/arm64/asymmetric-32bit.rst. -

-
-
arm64.nomte = [ARM64]
-
- With this parameter you can unconditionally disable Memory Tagging Extension (MTE) support. -
-
i8042.probe_defer = [HW]
-
- With this parameter you can allow deferred probing on i8042 probe - errors. -
-
idxd.tc_override = [HW]
-
-

- With this parameter in the <bool> format, you can allow - override of default traffic class configuration for the device. -

-

- The default value is set to false (0). -

-
-
kvm.eager_page_split = [KVM,X86]
-
-

- With this parameter you can control whether or not a KVM proactively splits all huge pages - during dirty logging. Eager page splitting reduces interruptions to vCPU execution by - eliminating the write-protection faults and Memory Management Unit (MMU) lock contention - that is otherwise required to split huge pages lazily. -

-

- VM workloads that rarely perform writes or that write only to a small region of VM memory - can benefit from disabling eager page splitting to allow huge pages to still be used for - reads. -

-

- The behavior of eager page splitting depends on whether the KVM_DIRTY_LOG_INITIALLY_SET option is enabled or disabled. -

-
-
    -
  • - If disabled, all huge pages in a memslot are eagerly - split when dirty logging is enabled on that memslot. -
  • -
  • -

    - If enabled, eager page splitting is performed during the KVM_CLEAR_DIRTY ioctl() - system call, and only for the pages being cleared. -

    -

    - Eager page splitting currently only supports splitting huge pages mapped by the - two dimensional paging (TDP) MMU. -

    -

    - The default value is set to Y (on). -

    -
  • -
-
-
-
kvm.nx_huge_pages_recovery_period_ms = [KVM]
-
-

- With this parameter you can control the time period at which KVM zaps 4 KiB pages back to - huge pages. -

-
-
    -
  • - If the value is a non-zero N, KVM zaps a portion of the - pages every N milliseconds. -
  • -
  • -

    - If the value is 0, KVM picks a period based on the - ratio, such that a page is zapped after 1 hour on average. -

    -

    - The default value is set to 0. -

    -
  • -
-
-
-
l1d_flush = [X86,INTEL]
-
-

- With this parameter you can control mitigation for L1D-based snooping vulnerability. -

-

- Certain CPUs are vulnerable to an exploit against CPU internal buffers which can, under - certain conditions, forward information to a disclosure gadget. In vulnerable processors, - the speculatively forwarded data can be used in a cache side channel attack, to access data - to which the attacker does not have direct access. -

-

- The available option is on, which means enable the interface for the mitigation. -

-
-
mmio_stale_data = [X86,INTEL]
-
-

- With this parameter you can control mitigation for the Processor Memory-mapped I/O (MMIO) - Stale Data vulnerabilities. -

-

- Processor MMIO Stale Data is a class of vulnerabilities that can expose data after an MMIO - operation. Exposed data could originate or end in the same CPU buffers as affected by - metadata server (MDS) and Transactional Asynchronous Abort (TAA). Therefore, similar to MDS - and TAA, the mitigation is to clear the affected CPU buffers. -

-

- The available options are: -

-
-
    -
  • - full: enable mitigation on vulnerable CPUs -
  • -
  • - full,nosmt: enable mitigation and disable SMT on - vulnerable CPUs. -
  • -
  • -

    - off: unconditionally disable mitigation -

    -

    - On MDS or TAA affected machines, mmio_stale_data=off can be prevented by an active MDS - or TAA mitigation as these vulnerabilities are mitigated with the same - mechanism. Thus, in order to disable this mitigation, you need to specify mds=off and tsx_async_abort=off, too. -

    -

    - Not specifying this option is equivalent to mmio_stale_data=full. -

    -

    - For more information, see Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst. -

    -
  • -
-
-
-
random.trust_bootloader={on,off} = [KNL]
-
- With this parameter you can enable or disable trusting the use of a seed passed by the boot - loader (if available) to fully seed the kernel’s CRNG. The default behavior is controlled by the - CONFIG_RANDOM_TRUST_BOOTLOADER option. -
-
rcupdate.rcu_task_collapse_lim = [KNL]
-
- With this parameter you can set the maximum number of callbacks present at the beginning of a - grace period that allows the RCU Tasks flavors to collapse back to using a single callback - queue. This switching only occurs when the rcupdate.rcu_task_enqueue_lim option is set to the default value of - -1. -
-
rcupdate.rcu_task_contend_lim = [KNL]
-
- With this parameter you can set the minimum number of callback-queuing-time lock-contention - events per jiffy required to cause the RCU Tasks flavors to switch to per-CPU callback queuing. - This switching only occurs when the rcupdate.rcu_task_enqueue_lim - option is set to the default value of -1. -
-
rcupdate.rcu_task_enqueue_lim = [KNL]
-
-

- With this parameter you can set the number of callback queues to use for the RCU Tasks - family of RCU flavors. You can adjust the number of callback queues automatically and - dynamically with the default value of -1. -

-

- This parameter is intended for use in testing. -

-
-
retbleed = [X86]
-
-

- With this parameter you can control mitigation of Arbitrary Speculative Code Execution with - Return Instructions (RETBleed) vulnerability. The available options are: -

-
-
    -
  • - off: no mitigation -
  • -
  • - auto: automatically select a mitigation -
  • -
  • - auto,nosmt: automatically select a mitigation, - disabling SMT if necessary for the full mitigation (only on Zen1 and older without - STIBP). -
  • -
  • - ibpb: mitigate short speculation windows on basic block - boundaries too. Safe, highest performance impact. -
  • -
  • - unret: force enable untrained return thunks, only - effective on AMD f15h-f17h based systems. -
  • -
  • -

    - unret,nosmt: like the unret option, will disable SMT when STIBP is not - available. -

    -

    - Selecting the auto option chooses a mitigation - method at run time according to the CPU. -

    -

    - Not specifying this option is equivalent to retbleed=auto. -

    -
  • -
-
-
-
sev=option[,option…​] = [X86-64]
-
- For more information, see Documentation/x86/x86_64/boot-options.rst. -
-
-
-

Updated kernel parameters

-
-
-
acpi_sleep = [HW,ACPI]
-
-

- Format: { s3_bios, s3_mode, s3_beep, s4_hwsig, s4_nohwsig, old_ordering, nonvs, - sci_force_enable, nobl } -

-
-
    -
  • - For more information on s3_bios and s3_mode, see Documentation/power/video.rst. -
  • -
  • - s3_beep is for debugging; it makes the PC’s speaker - beep as soon as the kernel real-mode entry point is called. -
  • -
  • - s4_hwsig causes the kernel to check the ACPI hardware - signature during resume from hibernation, and gracefully refuse to resume if it has - changed. The default behavior is to allow resume and simply warn when the signature - changes, unless the s4_hwsig option is enabled. -
  • -
  • - s4_nohwsig prevents ACPI hardware signature from being - used, or even warned about, during resume. old_ordering - causes the ACPI 1.0 ordering of the _PTS control - method, with respect to putting devices into low power states, to be enforced. The - ACPI 2.0 ordering of _PTS is used by default. -
  • -
  • - nonvs prevents the kernel from saving and restoring the - ACPI NVS memory during suspend, hibernation, and resume. -
  • -
  • - sci_force_enable causes the kernel to set SCI_EN directly on resume from S1/S3. Even though this - behavior is contrary to the ACPI specifications, some corrupted systems do not work - without it. -
  • -
  • -

    - nobl causes the internal denylist of systems known - to behave incorrectly in some ways with respect to system suspend and resume to - be ignored. Use this option wisely. -

    -

    - For more information, see Documentation/power/video.rst. -

    -
  • -
-
-
-
crashkernel=size[KMG],high = [KNL, X86-64, ARM64]
-
-

- With this parameter you can allocate physical memory region from top as follows: -

-
-
    -
  • - If the system has more than 4 GB RAM installed, a physical memory region can exceed - 4 GB. -
  • -
  • -

    - If the system has less than 4 GB RAM installed, a physical memory region will be - allocated below 4 GB, if available. -

    -

    - This parameter is ignored if the crashkernel=X - parameter is specified. -

    -
  • -
-
-
-
crashkernel=size[KMG],low = [KNL, X86-64]
-
-

- When you pass crashkernel=X,high, the kernel can allocate a - physical memory region above 4 GB. This causes the second kernel crash on systems that - require some amount of low memory (for example, swiotlb - requires at least 64M+32K low memory) and enough extra low memory to make sure DMA buffers - for 32-bit devices are not exhausted. Kernel tries to allocate at least 256 M below 4 GB - automatically. With this parameter you can specify the low range under 4 GB for the second - kernel instead. -

-
-
    -
  • - 0: disables low allocation. It will be ignored when - crashkernel=X,high is not used or memory reserved is - below 4 GB. -
  • -
-
-
-
crashkernel=size[KMG],low = [KNL, ARM64]
-
- With this parameter you can specify a low range in the DMA zone for the crash dump kernel. It - will be ignored when crashkernel=X,high is not used or memory - reserved is located in the DMA zones. -
-
kvm.nx_huge_pages_recovery_ratio = [KVM]
-
-

- With this parameter you can control how many 4 KiB pages are periodically zapped back to - huge pages: -

-
-
    -
  • - 0 disables the recovery -
  • -
  • -

    - N KVM will zap 1/Nth - of the 4 KiB pages every period. -

    -

    - The default is set to 60. -

    -
  • -
-
-
-
kvm-arm.mode = [KVM,ARM]
-
-

- With this parameter you can select one of KVM modes of operation: -

-
-
    -
  • - none: forcefully disable KVM. -
  • -
  • - nvhe: standard nVHE-based mode, without support for - protected guests. -
  • -
  • -

    - protected: nVHE-based - mode with support for guests whose state is kept private from the host. Not - valid if the kernel is running in the EL2 level. -

    -

    - The default value is set to VHE/nVHE based on - hardware support. -

    -
  • -
-
-
-
mitigations = [X86,PPC,S390,ARM64]
-
-

- With this parameter you can control optional mitigations for CPU vulnerabilities. This is a - set of curated, arch-independent options, each of which is an aggregation of existing - arch-specific options: -

-
-
    -
  • -

    - off: disable all optional CPU mitigations. This - improves system performance, but it may also expose users to several CPU - vulnerabilities. -

    -
    -
      -
    • - Equivalent to: nopti [X86,PPC], kpti=0 [ARM64], nospectre_v1 [X86,PPC], nobp=0 [S390], nospectre_v2 [X86,PPC,S390,ARM64], spectre_v2_user=off [X86], spec_store_bypass_disable=off [X86,PPC], - ssbd=force-off [ARM64], l1tf=off [X86], mds=off [X86], tsx_async_abort=off [X86], kvm.nx_huge_pages=off [X86], no_entry_flush [PPC], no_uaccess_flush [PPC], mmio_stale_data=off [X86]. -
    • -
    • - Exceptions: This does not have any effect on kvm.nx_huge_pages when the kvm.nx_huge_pages=force option is specified. -
    • -
    -
    -
  • -
  • -

    - auto (default): mitigate all CPU vulnerabilities, - but leave SMT enabled, even if it is vulnerable. -

    -
    -
      -
    • - Equivalent to: (default behavior) -
    • -
    -
    -
  • -
  • -

    - auto,nosmt: mitigate all CPU vulnerabilities, - disabling SMT if needed. -

    -
    -
      -
    • - Equivalent to: l1tf=flush,nosmt [X86], - mds=full,nosmt [X86], tsx_async_abort=full,nosmt [X86], mmio_stale_data=full,nosmt [X86] -
    • -
    -
    -
  • -
-
-
-
rcu_nocbs[=cpu-list] = [KNL]
-
-

- The optional argument is a CPU list. -

-

- In kernels built with CONFIG_RCU_NOCB_CPU=y, you can enable the - no-callback CPU mode, which prevents such CPUs callbacks from being invoked in softirq - context. Invocation of such CPUs' RCU callbacks will instead be offloaded to rcuox/N kthreads created for that - purpose, where x is p for - RCU-preempt, s for RCU-sched, and g for the kthreads that mediate - grace periods; and N is the CPU number. This reduces OS jitter - on the offloaded CPUs, which can be useful for HPC and real-time workloads. It can also - improve energy efficiency for asymmetric multiprocessors. -

-
-
    -
  • - If a cpulist is passed as an argument, the specified - list of CPUs is set to no-callback mode from boot. -
  • -
  • - If the = sign and the cpulist arguments are omitted, no CPU will be set to - no-callback mode from boot but you can toggle the mode at runtime using cpusets. -
  • -
-
-
-
rcutree.kthread_prio = [KNL,BOOT]
-
-

- With this parameter you can set the SCHED_FIFO priority of the - RCU per-CPU kthreads (rcuc/N). - This value is also used for the priority of the RCU boost threads (rcub/N) and for the RCU grace-period kthreads (rcu_bh, rcu_preempt, and rcu_sched). -

-
-
    -
  • - If RCU_BOOST is set, valid values are 1-99 and the - default is 1, the least-favored priority. -
  • -
  • -

    - If RCU_BOOST is not set, valid values are 0-99 and - the default is 0, non-realtime operation. -

    -

    - When RCU_NOCB_CPU is set, you should adjust the - priority of NOCB callback kthreads. -

    -
  • -
-
-
-
rcutorture.fwd_progress = [KNL]
-
-

- With this parameter you can specify the number of kthreads to - be used for RCU grace-period forward-progress testing for the types of RCU supporting this - notion. -

-

- The default is set to 1 kthread. - Values less than zero or greater than the number of CPUs cause the number of CPUs to be - used. -

-
-
spectre_v2 = [X86]
-
-

- With this parameter you can control mitigation of Spectre variant 2 (indirect branch - speculation) vulnerability. The default operation protects the kernel from user space - attacks. -

-
-
    -
  • - on: unconditionally enable, implies spectre_v2_user=on -
  • -
  • - off: unconditionally disable, implies spectre_v2_user=off -
  • -
  • - auto: kernel detects whether your CPU model is - vulnerable -
  • -
  • - Selecting on will, and auto may, choose a mitigation method at run time - according to the CPU, the available microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compiler - with which the kernel was built. -
  • -
  • - Selecting on will also enable the mitigation against - user space to user space task attacks. -
  • -
  • - Selecting off will disable both the kernel and the user - space protections. -
  • -
  • -

    - Specific mitigations can also be selected manually: -

    -
    -
      -
    • - retpoline: replace indirect branches -
    • -
    • - retpoline,generic: Retpolines -
    • -
    • - retpoline,lfence: LFENCE; indirect branch -
    • -
    • - retpoline,amd: alias for retpoline,lfence -
    • -
    • - eibrs: enhanced IBRS -
    • -
    • - eibrs,retpoline: enhanced IBRS + Retpolines -
    • -
    • - eibrs,lfence: enhanced IBRS + LFENCE -
    • -
    • -

      - ibrs: use IBRS to protect kernel -

      -

      - Not specifying this option is equivalent to spectre_v2=auto. -

      -
    • -
    -
    -
  • -
-
-
-
-
-

New sysctl parameters

-
-
-
max_rcu_stall_to_panic
-
- When you set panic_on_rcu_stall to 1, - you determine the number of times that RCU can stall before panic() - is called. When you set panic_on_rcu_stall to 0, this value has no effect. -
-
perf_user_access = [ARM64]
-
-

- With this parameter you can control user space access for reading perf event counters. -

-
-
    -
  • - When set to 1, user space can read performance monitor - counter registers directly. -
  • -
  • -

    - The default is set to 0, which means access disabled. -

    -

    - For more information, see Documentation/arm64/perf.rst. -

    -
  • -
-
-
-
gro_normal_batch
-
- With this parameter you can set the maximum number of the segments to batch up on output of GRO. - When a packet exits GRO, either as a coalesced superframe or as an original packet which GRO has - decided not to coalesce, it is placed on a per-NAPI list. This list is then passed to the stack - when the number of segments reaches the gro_normal_batch limit. -
-
high_order_alloc_disable
-
-

- With this parameter you can choose order-0 allocation. By default, the allocator for page - fragments tries to use high order pages, that is order-3 on X86 systems. While the default - behavior returns good results, in certain situations a contention in page allocations and - freeing occurs. This was especially true on older kernels (version 5.14 and higher) when - high-order pages were not stored on per-CPU lists. This parameter exists now mostly of - historical importance. -

-

- The default value is 0. -

-
-
page_lock_unfairness
-
-

- By specifying the value for this parameter you can determine the number of times that the - page lock can be stolen from under a waiter. After the lock is stolen the number of times - specified in this file, the fair lock handoff semantics will - apply, and the waiter will only be awakened if the lock can be taken. -

-

- The default value is 5. -

-
-
-
-

Changed sysctl parameters

-
-
-
urandom_min_reseed_secs
-
- You can use this parameter to determine the minimum number of seconds between urandom pool reseeding. This file is writable for compatibility - purposes, but writing to it has no effect on any RNG behavior. -
-
write_wakeup_threshold
-
- When the entropy count sinks below this threshold in a number of bits, you can wake up processes - waiting to write to the /dev/random file. This file is writable for - compatibility purposes, but writing to it has no effect on any RNG behavior. -
-
-
-
-
-
-
-
-

Chapter 6. Device drivers

-
-
-
-
-
-
-
-

6.1. New drivers

-
-
-
-

Network drivers

-
-
    -
  • - Platform Firmware Runtime Update Telemetry driver (pfr_telemetry) -
  • -
  • - Platform Firmware Runtime Update device driver (pfr_update) -
  • -
  • - Bluetooth support for MediaTek devices ver 0.1 (btmtk) -
  • -
  • - MHI Host Interface (mhi) -
  • -
  • - Modem Host Interface (MHI) PCI controller driver (mhi_pci_generic) -
  • -
  • - IDXD driver dsa_bus_type driver (idxd_bus) -
  • -
  • - AMD PassThru DMA driver (ptdma) -
  • -
  • - Mellanox FAN driver (mlxreg-fan) -
  • -
  • - Mellanox LED regmap driver (leds-mlxreg) -
  • -
  • - Intel® LPSS ACPI driver (intel-lpss-acpi) -
  • -
  • - Intel® LPSS PCI driver (intel-lpss-pci) -
  • -
  • - Intel® LPSS core driver (intel-lpss) -
  • -
  • - Maxlinear Ethernet GPY Driver (mxl-gpy) -
  • -
  • - Realtek 802.11ax wireless 8852A driver (rtw89_8852a) -
  • -
  • - Realtek 802.11ax wireless 8852AE driver (rtw89_8852ae) -
  • -
  • - Intel® PMT Class driver (pmt_class) -
  • -
  • - Intel® PMT Crashlog driver (pmt_crashlog) -
  • -
  • - Intel® PMT Telemetry driver (pmt_telemetry) -
  • -
  • - Intel® speed select interface mailbox driver (isst_if_mbox_msr) -
  • -
  • - Intel® speed select interface pci mailbox driver (isst_if_mbox_pci) -
  • -
  • - Intel® speed select interface mmio driver (isst_if_mmio) -
  • -
  • - Intel® Software Defined Silicon driver (intel_sdsi) -
  • -
  • - Intel® Extended Capabilities auxiliary bus driver (intel_vsec) -
  • -
  • - ISH ISHTP eclite client opregion driver (ishtp_eclite) -
  • -
  • - Acer Wireless Radio Control Driver (acer-wireless) -
  • -
  • - AMD HSMP Platform Interface Driver (amd_hsmp) -
  • -
  • - DESIGNWARE HS OTG Core (dwc2) -
  • -
  • - Synopsys HAPS PCI Glue Layer (dwc3-haps) -
  • -
  • - DesignWare USB3 PCI Glue Layer (dwc3-pci) -
  • -
  • - DesignWare USB3 DRD Controller Driver (dwc3) -
  • -
  • - xHCI Platform Host Controller Driver (xhci-plat-hcd) -
  • -
  • - ON Semiconductor FSA4480 driver (fsa4480) -
  • -
  • - Richtek RT1719 Sink Only USBPD Controller Driver (rt1719) -
  • -
  • - Willsemi WUSB3801 Type-C port controller driver (wusb3801) -
  • -
  • - Core driver for VFIO based PCI devices (vfio-pci-core) -
  • -
  • - AMD SEV Guest Driver (sev-guest) -
  • -
  • - Mellanox watchdog driver (mlx_wdt) -
  • -
-
-

Graphics drivers and miscellaneous drivers

-
-
    -
  • - Cirrus Logic DSP Support (cs_dsp) -
  • -
  • - DRM DisplayPort helper (drm_dp_helper) -
  • -
  • - DRM Buddy Allocator (drm_buddy) -
  • -
  • - DRM SHMEM memory-management helpers (drm_shmem_helper) -
  • -
  • - DRM driver using bochs dispi interface (bochs) -
  • -
  • - Letsketch tablet driver (hid-letsketch) -
  • -
  • - Intel® speed select interface driver (isst_if_common) -
  • -
  • - SiGma Micro HID driver (hid-sigmamicro) -
  • -
  • - Fixing side buttons of Xiaomi Mi Silent Mouse (hid-xiaomi) -
  • -
  • - Driver for DEC VSXXX-AA and -GA mice and VSXXX-AB tablet (vsxxxaa) -
  • -
  • - Nvidia line card platform driver (mlxreg-lc) -
  • -
  • - Intel PCH Thermal driver (intel_pch_thermal) -
  • -
  • - Intel LPSS UART driver (8250_lpss) -
  • -
-
-
-
-
-
-
-

6.2. Updated drivers

-
-
-
-

Network driver updates

-
-
    -
  • - VMware vmxnet3 virtual NIC driver (vmxnet3) has been updated to - version 1.7.0.0-k. -
  • -
-
-

Storage driver updates

-
-
    -
  • - Emulex LightPulse Fibre Channel SCSI driver (lpfc) has been - updated to version 14.2.0.5. -
  • -
  • - MPI3 Storage Controller Device Driver (mpi3mr) has been updated - to version 8.0.0.69.0. -
  • -
  • - LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas) has been updated - to version 40.100.00.00. -
  • -
  • - Driver for Microchip Smart Family Controller (smartpqi) has - been updated to version 2.1.18-045. -
  • -
-
-

Graphics and miscellaneous driver updates

-
-
    -
  • - Standalone drm driver for the VMware SVGA device (vmwgfx) has - been updated to version 2.20.0.0. -
  • -
-
-
-
-
-
-
-
-

Chapter 7. Available BPF Features

-
-
-
-

- This chapter provides the complete list of Berkeley Packet Filter (BPF) features available in the kernel of this minor version of Red Hat - Enterprise Linux 9. The tables include the lists of: -

- -

- This chapter contains automatically generated output of the bpftool feature - command. -

-
-

Table 7.1. System configuration and other options

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionValue
-

- unprivileged_bpf_disabled -

-
-

- 2 (bpf() syscall restricted to privileged users, admin can change) -

-
-

- JIT compiler -

-
-

- 1 (enabled) -

-
-

- JIT compiler hardening -

-
-

- 1 (enabled for unprivileged users) -

-
-

- JIT compiler kallsyms exports -

-
-

- 1 (enabled for root) -

-
-

- Memory limit for JIT for unprivileged users -

-
-

- 264241152 -

-
-

- CONFIG_BPF -

-
-

- y -

-
-

- CONFIG_BPF_SYSCALL -

-
-

- y -

-
-

- CONFIG_HAVE_EBPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT_ALWAYS_ON -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF_MODULES -

-
-

- y -

-
-

- CONFIG_CGROUPS -

-
-

- y -

-
-

- CONFIG_CGROUP_BPF -

-
-

- y -

-
-

- CONFIG_CGROUP_NET_CLASSID -

-
-

- y -

-
-

- CONFIG_SOCK_CGROUP_DATA -

-
-

- y -

-
-

- CONFIG_BPF_EVENTS -

-
-

- y -

-
-

- CONFIG_KPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_UPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_TRACING -

-
-

- y -

-
-

- CONFIG_FTRACE_SYSCALLS -

-
-

- y -

-
-

- CONFIG_FUNCTION_ERROR_INJECTION -

-
-

- y -

-
-

- CONFIG_BPF_KPROBE_OVERRIDE -

-
-

- n -

-
-

- CONFIG_NET -

-
-

- y -

-
-

- CONFIG_XDP_SOCKETS -

-
-

- y -

-
-

- CONFIG_LWTUNNEL_BPF -

-
-

- y -

-
-

- CONFIG_NET_ACT_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_ACT -

-
-

- y -

-
-

- CONFIG_NET_SCH_INGRESS -

-
-

- m -

-
-

- CONFIG_XFRM -

-
-

- y -

-
-

- CONFIG_IP_ROUTE_CLASSID -

-
-

- y -

-
-

- CONFIG_IPV6_SEG6_BPF -

-
-

- n -

-
-

- CONFIG_BPF_LIRC_MODE2 -

-
-

- n -

-
-

- CONFIG_BPF_STREAM_PARSER -

-
-

- y -

-
-

- CONFIG_NETFILTER_XT_MATCH_BPF -

-
-

- m -

-
-

- CONFIG_BPFILTER -

-
-

- n -

-
-

- CONFIG_BPFILTER_UMH -

-
-

- n -

-
-

- CONFIG_TEST_BPF -

-
-

- m -

-
-

- CONFIG_HZ -

-
-

- 1000 -

-
-

- bpf() syscall -

-
-

- available -

-
-

- Large program size limit -

-
-

- available -

-
-
-
-
-

Table 7.2. Available program types and supported helpers

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Program typeAvailable helpers
-

- socket_filter -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock -

-
-

- kprobe -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_send_signal, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_task_storage_get, - bpf_task_storage_delete, bpf_get_current_task_btf, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_get_func_ip, bpf_get_attach_cookie, bpf_task_pt_regs, - bpf_get_branch_snapshot -

-
-

- sched_cls -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, - bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - 
bpf_skc_to_unix_sock -

-
-

- sched_act -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, - bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - 
bpf_skc_to_unix_sock -

-
-

- tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_send_signal, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_task_storage_get, - bpf_task_storage_delete, bpf_get_current_task_btf, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_get_func_ip, bpf_get_attach_cookie, bpf_task_pt_regs, - bpf_get_branch_snapshot -

-
-

- xdp -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, bpf_redirect, - bpf_perf_event_output, bpf_csum_diff, bpf_get_current_task, - bpf_get_numa_node_id, bpf_xdp_adjust_head, bpf_redirect_map, - bpf_xdp_adjust_meta, bpf_xdp_adjust_tail, bpf_fib_lookup, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_tcp_gen_syncookie, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, - bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, - bpf_task_pt_regs, bpf_skc_to_unix_sock -

-
-

- perf_event -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_send_signal, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_get_task_stack, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_get_func_ip, bpf_get_attach_cookie, - bpf_task_pt_regs, bpf_get_branch_snapshot -

-
-

- cgroup_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_skb_cgroup_id, bpf_get_local_storage, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, - bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_sk_cgroup_id, - bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock -

-
-

- cgroup_sock -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_current_cgroup_id, - bpf_get_local_storage, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs -

-
-

- lwt_in -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_lwt_push_encap, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock -

-
-

- lwt_out -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock -

-
-

- lwt_xmit -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, - bpf_csum_diff, bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, bpf_set_hash_invalid, - bpf_get_numa_node_id, bpf_skb_change_head, bpf_lwt_push_encap, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock -

-
-

- sock_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_setsockopt, bpf_sock_map_update, bpf_getsockopt, - bpf_sock_ops_cb_flags_set, bpf_sock_hash_update, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_get_netns_cookie, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_load_hdr_opt, - bpf_store_hdr_opt, bpf_reserve_hdr_opt, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, bpf_skc_to_unix_sock -

-
-

- sk_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_tail_call, bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_adjust_room, bpf_sk_redirect_map, bpf_sk_redirect_hash, - bpf_sk_lookup_tcp, bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, - bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, - bpf_skc_lookup_tcp, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock -

-
-

- cgroup_device -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs -

-
-

- sk_msg -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_cgroup_classid, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_msg_redirect_hash, bpf_get_current_cgroup_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_msg_push_data, - bpf_msg_pop_data, bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_skc_to_tcp6_sock, - bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, - bpf_skc_to_udp6_sock, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_task_pt_regs, bpf_skc_to_unix_sock -

-
-

- raw_tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_send_signal, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_task_storage_get, - bpf_task_storage_delete, bpf_get_current_task_btf, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_get_func_ip, bpf_task_pt_regs, bpf_get_branch_snapshot -

-
-

- cgroup_sock_addr -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_setsockopt, bpf_getsockopt, - bpf_bind, bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock -

-
-

- lwt_seg6local -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock -

-
-

- lirc_mode2 -

-
-

- not supported -

-
-

- sk_reuseport -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_skb_load_bytes_relative, bpf_sk_select_reuseport, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs -

-
-

- flow_dissector -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock -

-
-

- cgroup_sysctl -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_sysctl_get_name, bpf_sysctl_get_current_value, - bpf_sysctl_get_new_value, bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs -

-
-

- raw_tracepoint_writable -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_send_signal, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_task_storage_get, - bpf_task_storage_delete, bpf_get_current_task_btf, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_get_func_ip, bpf_task_pt_regs, bpf_get_branch_snapshot -

-
-

- cgroup_sockopt -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_get_netns_cookie, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs -

-
-

- tracing -

-
-

- not supported -

-
-

- struct_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, - bpf_skb_store_bytes, bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, - bpf_clone_redirect, bpf_get_current_pid_tgid, bpf_get_current_uid_gid, - bpf_get_current_comm, bpf_get_cgroup_classid, bpf_skb_vlan_push, - bpf_skb_vlan_pop, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_perf_event_read, bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_get_stackid, bpf_csum_diff, bpf_skb_get_tunnel_opt, - bpf_skb_set_tunnel_opt, bpf_skb_change_proto, bpf_skb_change_type, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_current_task_under_cgroup, bpf_skb_change_tail, bpf_skb_pull_data, - bpf_csum_update, bpf_set_hash_invalid, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_xdp_adjust_head, bpf_probe_read_str, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_setsockopt, - bpf_skb_adjust_room, bpf_redirect_map, bpf_sk_redirect_map, bpf_sock_map_update, - bpf_xdp_adjust_meta, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_getsockopt, bpf_override_return, bpf_sock_ops_cb_flags_set, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_bind, bpf_xdp_adjust_tail, bpf_skb_get_xfrm_state, - bpf_get_stack, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_sock_hash_update, bpf_msg_redirect_hash, bpf_sk_redirect_hash, - bpf_lwt_push_encap, bpf_lwt_seg6_store_bytes, bpf_lwt_seg6_adjust_srh, - bpf_lwt_seg6_action, bpf_rc_repeat, bpf_rc_keydown, bpf_skb_cgroup_id, - bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_select_reuseport, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_msg_push_data, bpf_msg_pop_data, bpf_rc_pointer_rel, bpf_spin_lock, - bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, 
bpf_skb_ecn_set_ce, - bpf_get_listener_sock, bpf_skc_lookup_tcp, bpf_tcp_check_syncookie, - bpf_sysctl_get_name, bpf_sysctl_get_current_value, bpf_sysctl_get_new_value, - bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_send_signal, bpf_tcp_gen_syncookie, bpf_skb_output, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_tcp_send_ack, bpf_send_signal_thread, - bpf_jiffies64, bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_xdp_output, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_seq_printf, bpf_seq_write, - bpf_sk_cgroup_id, bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_csum_level, bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, - bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, - bpf_get_task_stack, bpf_load_hdr_opt, bpf_store_hdr_opt, bpf_reserve_hdr_opt, - bpf_inode_storage_get, bpf_inode_storage_delete, bpf_d_path, bpf_copy_from_user, - bpf_snprintf_btf, bpf_seq_printf_btf, bpf_skb_cgroup_classid, - bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_redirect_peer, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_bprm_opts_set, bpf_ktime_get_coarse_ns, bpf_ima_inode_hash, - bpf_sock_from_file, bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, - bpf_sys_bpf, bpf_btf_find_by_name_kind, bpf_sys_close, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_get_func_ip, - bpf_get_attach_cookie, bpf_task_pt_regs, bpf_get_branch_snapshot, - bpf_skc_to_unix_sock, bpf_kallsyms_lookup_name -

-
-

- ext -

-
-

- not supported -

-
-

- lsm -

-
-

- not supported -

-
-

- sk_lookup -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock -

-
-
-
-
-

Table 7.3. Available map types

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Map typeAvailable
-

- hash -

-
-

- yes -

-
-

- array -

-
-

- yes -

-
-

- prog_array -

-
-

- yes -

-
-

- perf_event_array -

-
-

- yes -

-
-

- percpu_hash -

-
-

- yes -

-
-

- percpu_array -

-
-

- yes -

-
-

- stack_trace -

-
-

- yes -

-
-

- cgroup_array -

-
-

- yes -

-
-

- lru_hash -

-
-

- yes -

-
-

- lru_percpu_hash -

-
-

- yes -

-
-

- lpm_trie -

-
-

- yes -

-
-

- array_of_maps -

-
-

- yes -

-
-

- hash_of_maps -

-
-

- yes -

-
-

- devmap -

-
-

- yes -

-
-

- sockmap -

-
-

- yes -

-
-

- cpumap -

-
-

- yes -

-
-

- xskmap -

-
-

- yes -

-
-

- sockhash -

-
-

- yes -

-
-

- cgroup_storage -

-
-

- yes -

-
-

- reuseport_sockarray -

-
-

- yes -

-
-

- percpu_cgroup_storage -

-
-

- yes -

-
-

- queue -

-
-

- yes -

-
-

- stack -

-
-

- yes -

-
-

- sk_storage -

-
-

- yes -

-
-

- devmap_hash -

-
-

- yes -

-
-

- struct_ops -

-
-

- no -

-
-

- ringbuf -

-
-

- yes -

-
-

- inode_storage -

-
-

- yes -

-
-

- task_storage -

-
-

- yes -

-
-
-
-
-
-
-
-
-

Chapter 8. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 9.1 that have a significant impact on users. -

-
-
-
-
-

8.1. Installer and image creation

-
-
-
-
-

The installer no longer installs earlier versions of packages

-

- Previously, the installer did not correctly load the DNF configuration file during the - installation process. As a consequence, the installer sometimes installed earlier versions of - select packages in the RPM transaction. -

-
-

- This bug has been fixed, and only the latest versions of packages are now installed from the - installation repositories. In cases where it is impossible to install the latest versions of the - packages, the installation fails as expected. -

-

- (BZ#2053710) -

-
-

Anaconda installation is successful even if changing the network - configuration in stage2

-

- Previously, when using the rd.live.ram boot argument, Anaconda did - not unmount an NFS mount point that is used in initramfs to fetch - the installation image into memory. As a consequence, the installation process could become - unresponsive or fail with a timeout error if the network configuration was changed in stage2. -

-
-

- To fix this problem, the NFS mount point used to fetch the installation image into memory is - unmounted in initramfs before switchroot. As a result, the installation - process is completed without any interruption. -

-

- (BZ#2082132) -

-
-
-
-
-
-

8.2. Subscription management

-
-
-
-
-

virt-who now connects to ESX servers correctly - when in FIPS mode

-

- Previously, when using the virt-who utility on a RHEL 9 system in - FIPS mode, virt-who could not connect to ESX servers. As a - consequence, virt-who did not report any ESX servers, even if - configured for them, and logged the following error message: -

-
-
ValueError: [digital envelope routines] unsupported
-

- With this update, virt-who has been fixed to handle FIPS mode - correctly, and the described problem no longer occurs. -

-

- (BZ#2054504) -

-
-
-
-
-
-

8.3. Software management

-
-
-
-
-

DNF now correctly rolls back a transaction containing an item with the - Reason Change Action type

-

- Previously, running the dnf history rollback command on a - transaction containing an item with the Reason Change Action type - failed. With this update, the issue has been fixed, and dnf history rollback now works as expected. -

-
-

- (BZ#2053014) -

-
-
-
-
-
-

8.4. Shells and command-line tools

-
-
-
-
-

The vi command in ReaR no longer results in an - infinite loop

-

- Previously, the ReaR rescue system did not contain the vi - executable, only the /bin/vi script. As a consequence, the /bin/vi script caused an infinite loop when invoked. With this - update, the ReaR rescue system contains the actual vi executable - /usr/libexec/vi, and running the vi - command no longer leads to an endless loop. -

-
-

- (BZ#2097437) -

-
-

ReaR with the PXE output method no longer fails to store the output files - in the rsync OUTPUT_URL location

-

- Previously, the handling of the OUTPUT_URL variable with the OUTPUT=PXE and BACKUP=RSYNC options was - removed. As a consequence, when using an rsync location for OUTPUT_URL, ReaR failed to copy the initrd and kernel files to this location, although it uploaded them - to the location specified by BACKUP_URL. With this update, the - behavior from RHEL 8.4 and earlier releases is restored. ReaR creates the required files at the - designated OUTPUT_URL destination using rsync. -

-
-

- (BZ#2115958) -

-
-

ReaR no longer fails to display an error message if it does not update the - UUID in /etc/fstab

-

- Previously, ReaR did not display an error message during recovery when it failed to update the - universally unique identifier (UUID) in /etc/fstab to match the - UUID of the newly created partition in case the UUIDs were different. This could have happened - if the rescue image was out of sync with the backup. With this update, an error message occurs - during recovery if the restored basic system files do not match the recreated system. -

-
-

- (BZ#2083272) -

-
-

ReaR now supports restoring a system using NetBackup version 9

-

- Previously, restoring a system using the NetBackup (NBU) method with NetBackup version 9 or - later failed due to missing libraries and other files. With this update, the NBU_LD_LIBRARY_PATH variable contains the required library paths and - the rescue system now incorporates the required files, and ReaR can use the NetBackup method. -

-
-

- (BZ#2120736) -

-
-

ReaR no longer displays a false error message about missing symlink - targets

-

- Previously, ReaR displayed incorrect error messages about missing symlink targets for the build and source symlinks under /usr/lib/modules/ when creating the rescue image. This situation was - harmless, and you could safely ignore the error message. With this update, ReaR does not report - a false error message about missing symlink targets in this situation. -

-
-

- (BZ#2119501) -

-
-

The cmx operation with no parameter no longer - crashes the CIM Client

-

- The cmx operation calls a method and returns XML, a parameter - specifies the name of the called method. Previously, the command line sblim-wbemcli Common Information Model (CIM) Client crashed when - running the cmx operation without an additional parameter. With - this update, the cmx operation requires the parameter that defines - the name of the called method. Invoking the cmx operation without - this parameter results in an error message, and the CIM Client no longer crashes. -

-
-

- (BZ#2083577) -

-
-

free command uses a new calculation method for - used memory

-

- Previously, the calculation of used memory in the free utility - subtracted free space, cache space and buffer space from the total memory. Consequently, a - discrepancy occurred when you compared the value of used memory with outcome of another tool - because the free utility did not calculate shared memory. With this - update, the free command uses a new calculation method that - provides clear state of free memory and considers the unreclaimable cache. Used memory is now - any memory that is not available, and includes also tmpfs objects - that are in the virtual memory. -

-
-

- (BZ#2003033) -

-
-
-
-
-
-

8.5. Infrastructure services

-
-
-
-
-

Unbound no longer validates SHA-1-based RSA signatures

-

- Previously, OpenSSL did not validate SHA-1-based RSA signatures in the DEFAULT system-wide - cryptographic policy. As a consequence, when Unbound tried to validate such signatures, the - error from OpenSSL caused the resolution to fail. With this update, Unbound disables validation - support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 (algorithm number 7) - signatures, which resolves the query. Note that this makes the result insecure under all - system-wide cryptographic policies. -

-
-

- (BZ#2071543) -

-
-
-
-
-
-

8.6. Security

-
-
-
-
-

OpenSSH key generation uses FIPS-compatible interfaces

-

- The OpenSSL cryptographic library, which is used by OpenSSH, provides two interfaces: legacy and - modern. Previously, OpenSSH used the legacy interface for key generation, which did not comply - with Federal Information Processing Standards (FIPS) requirements. With this update, the ssh-keygen utility uses the FIPS-compliant API instead of the - low-level FIPS-incompatible API. As a result, OpenSSH key generation is FIPS-compliant. -

-
-

- (BZ#2087121) -

-
-

Cryptography not approved by FIPS no longer works in OpenSSL in FIPS - mode

-

- Previously, cryptography that was not FIPS-approved worked in the OpenSSL toolkit regardless of - system settings. Consequently, you could use cryptographic algorithms and ciphers that should be - disabled when the system is running in FIPS mode, for example: -

-
-
-
    -
  • - TLS cipher suites using the RSA key exchange worked. -
  • -
  • - RSA-based algorithms for public-key encryption and decryption worked despite using the PKCS - #1 and SSLv23 paddings or using keys shorter than 2048 bits. -
  • -
-
-

- This update contains fixes ensuring that cryptography not approved by FIPS no longer works in - OpenSSL in FIPS mode. -

-

- (BZ#2053289) -

-
-

Specifying arbitrary curves removed from OpenSSL

-

- Previously, the checks of explicit curve parameters safety were incomplete. As a consequence, - arbitrary elliptic curves with sufficiently large p values worked - in RHEL. With this update, the checks now verify that the explicit curve parameters match one of - the well-known supported curves. As a result, the option to specify arbitrary curves through the - use of explicit curve parameters has been removed from OpenSSL. Parameter files, private keys, - public keys, and certificates that specify arbitrary explicit curves no longer work in OpenSSL. - Using explicit curve parameters to specify one of the well known and supported curves such as - P-224, P-256, P-384, P-521, and secp256k1 remains supported in - non-FIPS mode. -

-
-

- (BZ#2066412) -

-
-

OpenSSL req uses AES-256-CBC for private keys - encryption

-

- Previously, the OpenSSL req tool encrypted private key files by - using the 3DES algorithm. Because the 3DES algorithm is insecure and disallowed in the current - FIPS 140 standard for cryptographic modules, req now generates - private key files encrypted using the AES-256-CBC algorithm instead. The overall PKCS#8 file - format remains unchanged. -

-
-

- (BZ#2063947) -

-
-

OpenSSL no longer fails to connect when FFDHE is used

-

- Previously, TLS connections that use the finite-field-based Diffie-Hellman ephemeral (FFDHE) key - exchange mechanism sometimes failed when processing FFDHE key shares from a client. This was - caused by overly restrictive checks in OpenSSL. As a consequence, the OpenSSL server aborted the - connection with an internal_error alert. With this update, OpenSSL - accepts smaller but still compliant client key shares. As a result, connections between OpenSSL - and other implementations no longer randomly abort when using FFDHE key exchanges. -

-
-

- (BZ#2004915) -

-
-

OpenSSL-based applications now work correctly with the Turkish - locale

-

- Because the OpenSSL library uses case-insensitive string comparison - functions, OpenSSL-based applications did not work correctly with the Turkish locale, and - omitted checks caused applications using this locale to crash. This update provides a patch to - use the Portable Operating System Interface (POSIX) locale for case-insensitive string - comparison. As a result, OpenSSL-based applications such as curl work correctly with the Turkish - locale. -

-
-

- (BZ#2071631) -

-
-

Permissions for insights-client added to the - SELinux policy

-

- The new insights-client service requires permissions which were not - in the previous selinux-policy versions. As a consequence, some - components of insights-client did not work correctly and reported - access vector cache (AVC) error messages. This update adds new permissions to the SELinux - policy. As a result, insights-client runs correctly without - reporting AVC errors. -

-
-

- (BZ#2081425, BZ#2077377, BZ#2087765, BZ#2107363) -

-
-

SELinux staff_u users no longer can - incorrectly switch to unconfined_r

-

- Previously, when the secure_mode boolean was enabled, staff_u users could switch to the unconfined_r role, which was not expected behavior. As a consequence, - staff_u users could perform privileged operations affecting the - security of the system. With this update, the SELinux policy has been fixed, and staff_u users no longer can incorrectly switch to unconfined_r. -

-
-

- (BZ#2076681) -

-
-

OpenSCAP no longer produces incorrect errors when checking available - memory

-

- Previously, when evaluating some XCCDF rules, OpenSCAP incorrectly showed the error message - Failed to check available memory and produced invalid scan results. - For example, this occurred for rules accounts_user_dot_no_world_writable_programs, accounts_user_dot_group_ownership and accounts_users_home_files_permissions. With this update, the bug in - error handling is fixed and the error message appears only for real failures. -

-
-

- (BZ#2109485) -

-
-

fagenrules --load now works correctly -

-

- Previously, the fapolicyd service did not correctly handle the - signal hang up (SIGHUP). Consequently, fapolicyd terminated after - receiving SIGHUP, and the fagenrules --load command did not work - correctly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer - require manual restarts of fapolicyd. -

-
-

- (BZ#2070655) -

-
-
-
-
-
-

8.7. Networking

-
-
-
-
-

An instance now retains the primary IP address even after starting the - nm-cloud-setup service in Alibaba Cloud

-

- Previously, after launching an instance in the Alibaba Cloud, the nm-cloud-setup service configured the incorrect IP address as the - primary IP address in case of multiple IPv4 addresses. Consequently, this affected the selection - of the IPv4 source address for outgoing connections. With this update, after configuring - secondary IP addresses manually, the NetworkManager package fetches - the primary IP address from primary-ip-address metadata and - configures both primary and secondary IP addresses correctly. -

-
-

- (BZ#2079849) -

-
-

The NetworkManager utility enforces correct - ordering of manually added IPv6 addresses

-

- In general, the ordering of IPv6 addresses affects the priority for source address selection. - For example when you make an outgoing TCP connection. Previously, the relative priority of IPv6 - addresses added through the manual, dhcpv6, and autoconf6 methods was not - correct. This update fixes the problem and the ordering priority now reflects this logic: manual > dhcpv6 > autoconf6. Also, the order of addresses under the ipv6.addresses setting was reversed so that the address added first - has the highest priority. -

-
-

- (BZ#2097293) -

-
-
-
-
-
-

8.8. Kernel

-
-
-
-
-

Network socket tagging works again

-

- Certain legacy cgroup v1 controllers that have no cgroup v2 equivalent, such as net_prio - or net_cls, previously interfered with the cgroup v2 socket tagging when they were mounted together with other - cgroup v2 controllers in a mixed cgroup v1/v2 environment. As a consequence, a mixed cgroup v1/v2 environment using either the net_prio or net_cls v1 controller - disabled proper network socket tagging with cgroup v2. This update - eliminates this limitation, which makes it possible to use a mixed cgroup v1/v2 environment - network socket tagging. -

-
-

- (BZ#2060150) -

-
-

The kexec-tools package now supports the - default crashkernel memory reservation values

-

- The kexec-tools package now maintains the default crashkernel memory reservation values. The kdump service uses the default value to reserve the crash kernel - memory for each kernel. This implementation also improves memory allocation for kdump when a system has less than 4 GB of available memory. -

-
-

- If the memory reserved by the default crashkernel value is not - sufficient on your system, you can use the kdumpctl estimate command to - get an estimated value without triggering a crash. The estimated crashkernel= value may not be accurate and can serve as a reference to - set an appropriate crashkernel= value. -

-

- (BZ#1959203) -

-
-

Systems can successfully run dynamic LPAR operations

-

- Previously, users could not run dynamic logical partition (DLPAR) operations from the Hardware - Management Console (HMC) if either of these conditions were met: -

-
-
-
    -
  • - The Secure Boot feature was enabled that implicitly enables kernel lockdown mechanism in integrity mode. -
  • -
  • - The kernel lockdown mechanism was manually enabled in integrity - or confidentiality mode. -
  • -
-
-

- In RHEL 9, kernel lockdown completely blocked Run Time Abstraction - Services (RTAS) access to system memory accessible through the /dev/mem - character device file. Several RTAS calls required write access to /dev/mem to function properly. Consequently, RTAS calls did not execute - correctly and users would see the following error message: -

-
HSCL2957 Either there is currently no RMC connection between the management console and the partition <LPAR name> or the partition does not support dynamic partitioning operations. Verify the network setup on the management console and the partition and ensure that any firewall authentication between the management console and the partition has occurred. Run the management console diagrmc command to identify problems that might be causing no RMC connection.
-

- With this update, the problem has been fixed by providing a very narrow PowerPC-specific exception - to lockdown. The exception permits RTAS to access the required /dev/mem areas. As a result, the problem no longer manifests in the - described scenario. -

-

- (BZ#2046472) -

-
-

No kernel warnings after setting the ring buffer value from rx to max

-

- The kernel was producing a warning message Missing unregister, handled but fix driver when an internal function - expecting a clean input was called with a reused, already initialized structure. With this - update, the problem has been fixed by reinitializing the structure before registering it again. -

-
-

- (BZ#2054379) -

-
-
-
-
-
-

8.9. Boot loader

-
-
-
-
-

grubby now passes arguments to future - kernels

-

- When installing a newer version of the kernel, the grubby tool did - not pass the kernel command-line arguments from the previous kernel version. As a consequence, - the GRUB boot loader ignored user settings. With this fix, the user settings now persist after - installing the new kernel version. -

-
-

- (BZ#1978226) -

-
-
-
-
-
-

8.10. File systems and storage

-
-
-
-
-

Journal entries no longer stop the journal writes

-

- Previously, in the VDO driver during device-mapper suspend operation and after resuming device - operation, some journal blocks could still be marked as waiting for some metadata updates to be - made before they could be reused, even though those updates had already been done. When enough - journal entries were made for the journal to wrap around back to the same physical block, it was - not available. Journal writes would stop, waiting for the block to become available, which never - happened. Consequently, when some operations on a VDO device included a suspend or resume cycle, - the device was in a frozen state after some journal updates. The journal updates before this - device state were unpredictable because it was depended on previous allocation patterns within - VDO, and the incoming write or discard patterns. With this update, after the suspend or resume - cycle saving data to storage, the internal data structure state is reset and lockups no longer - happened. -

-
-

- (BZ#2064802) -

-
-

Adding a data device no longer triggers assertion failure

-

- Previously, when adding additional devices to the cache, Stratis did not use cache immediately - after initialization. As a consequence, the stratisd service - returned an assertion failure message whenever a user attempted to add additional data devices - to a pool. With this fix, cache is now used immediately after initialization and no assertion - failures occur. -

-
-

- (BZ#2007018) -

-
-

Resolved errors when adding new data devices to the encrypted pool -

-

- Previously, whenever the user initialized an encrypted pool with encrypted data devices, using a - Clevis bind command on a tang server, specified with the --trust-url option, stratisd did not - include the thumbprint part of the Clevis tang configuration in the internal data structures. - Consequently, a failure occurred when attempting to add new data devices to the pool. With this - update, the internal data structures of stratisd now include the - thumbprint part of the Clevis tang configuration. -

-
-

- (BZ#2005110) -

-
-

Connecting to NVMe namespaces from Broadcom initiators on AMD EPYC systems - no longer require non-default IOMMU settings

-

- By default, the RHEL kernel enables the IOMMU on AMD-based platforms. Previously, the lpfc driver did not use the scatter-gather list accessor macros. - Consequently, certain servers with AMD processors encountered NVMe I/O problems, such as I/Os - failing due to transfer length mismatches. -

-
-

- With this update, you do not need to put IOMMU into passthrough mode with a kernel command-line - option in order to connect to NVMe namespaces from Broadcom initiators. -

-

- (BZ#2073541) -

-
-
-
-
-
-

8.11. High availability and clusters

-
-
-
-
-

pcs now validates the value of stonith-watchdog-timeout

-

- Previously, it was possible to set the stonith-watchdog-timeout - property to a value that is incompatible with SBD configuration. This could result in a fence - loop, or could cause the cluster to consider a fencing action to be successful even if the - action is not finished. With this fix, pcs validates the value of - stonith-watchdog-property when you set it, to prevent incorrect - configuration. -

-
-

- (BZ#2058246) -

-
-

pcs now recognizes the mode option when creating a new Booth ticket

-

- Previously, when a user specified a mode option when adding a new - Booth ticket, pcs reported the error invalid booth ticket option 'mode'. With this fix, you can now - specify the mode option when creating a Booth ticket. -

-
-

- (BZ#2058243) -

-
-

pcs now distinguishes between resources and - stonith resources

-

- Previously, some pcs commands did not distinguish between resources - and stonith resources. This allowed users to use pcs resource - sub-commands for stonith resources, and to use pcs stonith - sub-commands for resources that are not stonith resources. This could lead to user confusion or - resource misconfiguration. With this update, pcs displays a warning - when there is a resource type mismatch. -

-
-

- (BZ#1301204) -

-
-
-
-
-
-

8.12. Compilers and development tools

-
-
-
-
-

glibc now restores errno after loading an NSS - module

-

- Previously, the Name Service Switch (NSS) implementation in glibc - set errno incorrectly during database enumeration using functions such as getpwent() if the last NSS module did not provide any data. As a - result, applications using these enumeration functions incorrectly observed errors and failed. - glibc now restores errno after loading an NSS module and, as a - result, applications using these functions no longer fail. -

-
-

- (BZ#2063142) -

-
-

The auditing interface now saves and restores the x8 register and the full - width of the NEON registers for AArch64

-

- Previously, a bug in the implementation of the dynamic loader’s audit interface caused the AArch64 saved register state to be incomplete compared to the - procedure call standard. This bug has been fixed and the auditing interface now saves and - restores the x8 register and the full width of the NEON registers for AArch64. Applications using the dynamic loader auditing interface can - now inspect and influence the x8 register for AArch64. To use this - new x8 register and have access to the full width of the NEON registers on AArch64, the audit modules must be recompiled to use the new version - of the interface (LAV_CURRENT is 2). -

-
-

- (BZ#2003291) -

-
-

POWER9-optimized strncpy function no longer gives incorrect - results

-

- Previously, the POWER9 strncpy function did not use the correct register as the source of the - NUL bytes for padding. Consequently, the output buffer contained uninitialized register content - instead of the NUL padding. With this update, the strncpy function has been fixed, and the end - of the output buffer is now correctly padded with NUL bytes. -

-
-

- (BZ#2091549) -

-
-

Valgrind override of glibc memmem function installed on IBMz15 architecture

-

- Previously, a missing valgrind override of the glibc memmem function lead to false positive warnings of: -

-
-
Conditional jump or move depends on uninitialised value(s)
-

- This update includes a valgrind override of the glibc memmem function and, as a result, there are no longer false positive - warnings when using the memmem function in programs running under - valgrind on the IBMz15 architecture. -

-

- (BZ#1993976) -

-
-
-
-
-
-

8.13. Identity Management

-
-
-
-
-

The ipa user-del --preserve user_login output - no longer indicates that the user was deleted

-

- Previously, if you ran the ipa user-del --preserve user_login - command to preserve a user account, the output incorrectly returned the message Deleted user “user_login”. With this update, the output now returns - Preserved user “user_login”. -

-
-

- (BZ#2100227) -

-
-

PKINIT user authentication now works correctly in the RHEL 9 Kerberos - client - Heimdal KDC scenario

-

- Previously, the PKINIT authentication of an IdM user on a RHEL 9 Kerberos client against the - Heimdal Kerberos Distribution Center (KDC) failed. This failure occurred because the Kerberos - client did not support the supportedCMSTypes field required in the - context of the deprecation of the SHA-1 algorithm in RHEL 9. -

-
-

- With this update, the RHEL 9 Kerberos client sends a list of signature algorithms including sha512WithRSAEncryption, and sha256WithRSAEncryption as supportedCMSTypes - during PKINIT to Heimdal KDC. Heimdal KDC uses sha512WithRSAEncryption - and, as a result, PKINIT authentication works correctly. -

-

- (BZ#2068935) -

-
-

Handling unreadable objects in an LDAP group’s member list

-

- Before this update, SSSD inconsistently handled the unreadable objects in an LDAP group’s member - list and this resulted in unreadable objects causing an error or in certain situations - unreadable objects were ignored. -

-
-

- With this update, SSSD has a new option ldap_ignore_unreadable_references to modify this behavior. If the ldap_ignore_unreadable_references option is set to false, unreadable objects cause an error and if set to true, unreadable objects are ignored. The default is set to false and because of the original inconsistent behavior, after the - update, some group lookups may fail. In this case, set ldap_ignore_unreadable_references = True in the corresponding [domain/name of the domain] - section in the /etc/sssd/sssd.conf file. -

-

- This allows unreadable objects to be handled in a consistent manner and the behavior can be tuned - using the new ldap_ignore_unreadable_references option. -

-

- (BZ#2069376) -

-
-
-
-
-
-

8.14. Desktop

-
-
-
-
-

Subscription enrolling with Activation keys has been fixed

-

- Previously, you could not enroll your Red Hat subscription in Settings using Activation keys. Settings displayed the following error after - pressing Register: -

-
-
Failed to register system; Failed to RegisterWithActivationKeys: Unknown arguments: dict_keys(['enable_content'])
-

- With this update, the problem has been fixed, and you can now enroll your subscription using - Activation keys as expected in Settings. -

-

- (BZ#2100467) -

-
-
-
-
-
-

8.15. Graphics infrastructures

-
-
-
-
-

X.org now enables the X11 SECURITY extension

-

- Previously, the X.org display server did not provide the X11 SECURITY extension. As a consequence, applications that used this - extension terminated unexpectedly. -

-
-

- With this update, X.org enables the X11 SECURITY extension. As a - result, applications that depend on the extension now work as expected. -

-

- (BZ#1894612) -

-
-

Matrox GPU with a VGA display now works as expected

-

- Prior to this release, your display showed no graphical output if you used the following system - configuration: -

-
-
-
    -
  • - A GPU in the Matrox MGA G200 family -
  • -
  • - A display connected over the VGA controller -
  • -
  • - UEFI switched to legacy mode -
  • -
-
-

- As a consequence, you could not use or install RHEL on this configuration. -

-

- With this update, the mgag200 driver has been significantly rewritten, - and as a result, the graphics output now works as expected. -

-

- (BZ#2100898) -

-
-
-
-
-
-

8.16. The web console

-
-
-
-
-

Removing USB host devices using the web console now works as - expected

-

- Previously, when you attached a USB device to a virtual machine (VM), the device number and bus - number of the USB device changed after they were passed to the VM. As a consequence, using the - web console to remove such devices failed due to the incorrect correlation of the device and bus - numbers. With this update, the issue has been fixed and you can remove the USB host devices - using the web console. -

-
-

- (JIRA:RHELPLAN-109067) -

-
-

Attaching multiple host devices using the web console now works as - expected

-

- Previously, when you selected multiple devices to attach to a virtual machine (VM) using the web - console, only a single device was attached and the rest were ignored. With this update, the - issue has been fixed and you can now simultaneously attach multiple host devices using the web - console. -

-
-

- (JIRA:RHELPLAN-115603) -

-
-
-
-
-
-

8.17. Red Hat Enterprise Linux system roles

-
-
-
-
-

The network RHEL role manages ansible_managed parameter in the configuration files

-

- Previously, the Ansible role was unable to provide the correct ansible_managed header for the network - role managed configuration files. As a consequence, system administrators were uncertain about - which files were managed by Ansible. With this fix, the role managed files have a correct ansible_managed header, and system administrators can reliably tell - about which files are managed Ansible. -

-
-

- (BZ#2065382) -

-
-

Fixed a typo to support active-backup for the - correct bonding mode

-

- Previously, there was a typo,active_backup, in supporting the - InfiniBand port while specifying active-backup bonding mode. Due to - this typo, the connection failed to support the correct bonding mode for the InfiniBand bonding - port. This update fixes the typo by changing bonding mode to active-backup. The connection now successfully supports the - InfiniBand bonding port. -

-
-

- (BZ#2065394) -

-
-

The IPRouteUtils.get_route_tables_mapping() - function now accepts any whitespace sequence

-

- Previously, a parser for the iproute2 routing table database, such - as /etc/iproute2/rt_tables, asserted that entries in the file were - of the form 254 main and only a single space character separated - the numeric id and the name. Consequently, the parser failed to cache all the mappings between - the route table name and table id.Therefore the user could not add a static route into the route - table by defining the route table name. With this update, the parser accepts any whitespace - sequence in between the table ID and table name. As a result, as the parser caches all the - mapping between the route table name and table ID, users can add a static route into the route - table by defining the route table name. -

-
-

- (BZ#2115886) -

-
-

The forward_port parameter now accepts both - the string and dict - option

-

- Previously, in the firewall RHEL system role, the forward_port parameter only accepted the string option. However, the role documentation claimed that both - string and - dict options were supported. Consequently, the users reading and - following the documentation were getting an error. This bug has been fixed by making forward_port accept both options. As a result, the users can safely - follow the documentation to configure port forwarding. -

-
-

- (BZ#2100605) -

-
-

Configuration by the metrics role now follows - symbolic links correctly

-

- When the mssql pcp package is installed, the mssql.conf file is located in /etc/pcp/mssql/ and is targeted by the symbolic link /var/lib/pcp/pmdas/mssql/mssql.conf. Previously, however, the metrics role overwrote the symbolic link instead of following it and - configuring mssql.conf. Consequently, running the metrics role changed the symbolic link to a regular file and the - configuration therefore only affected the /var/lib/pcp/pmdas/mssql/mssql.conf file. This resulted in a failed - symbolic link, and the main configuration file /etc/pcp/mssql/mssql.conf was not affected by the configuration. The - issue is now fixed and the follow: yes option to follow the - symbolic link has been added to the metrics role. As a result, the - metrics role preserves the symbolic links and correctly configures - the main configuration file. -

-
-

- (BZ#2060523) -

-
-

The kernel_settings configobj is available on managed hosts

-

- Previously, the kernel_settings role did not install the python3-configobj package on managed hosts. As a consequence, the - role returned an error stating that the configobj Python module - could not be found. With this fix, the role ensures that the python3-configobj package is present on managed hosts and the kernel_settings role works as expected. -

-
-

- (BZ#2060525) -

-
-

The mount_options parameter for volumes is now - valid for a volume

-

- Previously, the parameter was accidentally removed from the list of valid parameters for a - volume. Consequently, users were unable to set the mount_options - parameter for volumes. With this bug fix, the mount_options - parameter has been added back to the list of valid parameters and the code has been refactored - to catch the errors. As a result, the storage RHEL system role can - set the mount_options parameter for volumes. -

-
-

- (BZ#2083376) -

-
-

The storage RHEL system role now correctly - supports striped and raid0 levels for LVM volumes

-

- The storage RHEL system role previously incorrectly reported RAID - levels striped and raid0 as not - supported for LVM volumes. This is now fixed and the role can now correctly create LVM volumes - of all RAID levels supported by LVM: raid0, raid1, raid4, raid5, raid6, raid10, striped and mirror. -

-
-

- (BZ#2083410) -

-
-

The metrics RHEL system role README and - documentation now clearly specifies supported Redis and Grafana versions on specific - versions of RHEL by the role

-

- Previously, when trying to use the metrics role with unsupported - versions of Redis and Grafana on unsupported platforms, the role failed. This update clarifies - the documentation about which versions of Redis and Grafana are supported on which versions of - RHEL by the role. As a result, you can avoid trying to use unsupported versions of Redis and - Grafana on unsupported platforms. -

-
-

- (BZ#2100286) -

-
-

Minimal RSA key bit length option in the ssh - and sshd RHEL system roles

-

- Accidentally using short RSA keys might make the system more vulnerable to attacks. With this - update, you can set RSA key minimal bit lengths for OpenSSH clients and servers by using the - RequiredRSASize option in the ssh and - sshd RHEL system roles. -

-
-

- (BZ#2109998) -

-
-

The nbde_client RHEL system role now uses - proper spacing when specifying extra Dracut command line-parameters

-

- The Dracut framework requires proper spacing when specifying additional parameters, such as - kernel command-line parameters. If the parameters are not specified with proper spacing, Dracut - might not append the specified extra parameters to the kernel command line. With this update, - the nbde_client RHEL system role uses proper spacing when creating - add-on Dracut configuration files. As a result, the role correctly sets Dracut command-line - parameters. -

-
-

- (BZ#2115156) -

-
-

The tlog RHEL system roles is now correctly - overlaid by SSSD

-

- Previously, the tlog RHEL system role relied on the System Security - Services Daemon (SSSD) files provider and on enabled authselect - option with-files-domain to set up correct passwd entries in the nsswitch.conf - file. In RHEL 9.0, SSSD did not implicitly enable the files provider by default, and - consequently the tlog-rec-session shell overlay by SSSD did not - work. With this fix, the tlog role now updates the nsswitch.conf to ensure tlog-rec-session - is correctly overlaid by SSSD. -

-
-

- (BZ#2071804) -

-
-

The metrics RHEL system role automatically - restarts pmie and pmlogger - services after an update to their configuration

-

- Previously, the pmie and pmlogger - services did not restart after their configuration was changed and waited for handler execution. - This caused errors with other metrics services, which required - pmie and pmlogger configuration to - match their runtime behavior. With this update, the role restarts pmie and pmlogger immediately after a - configuration update, their configuration matches runtime behavior of dependent metrics - services, and they work correctly. -

-
-

- (BZ#2100294) -

-
-
-
-
-
-

8.18. Virtualization

-
-
-
-
-

Network traffic performance in virtual machines is no longer reduced when - under heavy load

-

- Previously, RHEL virtual machines had, in some cases, decreased performance when handling high - levels of network traffic. The underlying code has been fixed and network traffic performance - now works as expected in the described circumstances. -

-
-

- (BZ#1945040) -

-
-
-
-
-
-

8.19. RHEL in cloud environments

-
-
-
-
-

The SR-IOV functionality of a network adapter attached to a Hyper-V VM now - works reliably

-

- Previously, when attaching a network adapter with single-root I/O virtualization (SR-IOV) - enabled to a RHEL 9 virtual machine (VM) running on Microsoft Hyper-V hypervisor, the SR-IOV - functionality in some cases did not work correctly. A bug in the Hyper-V specific memory-mapped - I/O (MMIO) allocation code has been fixed and the SR-IOV functionality now works as expected on - Hyper-V VMs. -

-
-

- (BZ#2030922) -

-
-

SR-IOV no longer performs suboptimally in ARM 64 RHEL 9 virtual machines on - Azure

-

- Previously, SR-IOV networking devices had significantly lower throughout and higher latency than - expected in ARM 64 RHEL 9 virtual machines (VMs) running on a Microsoft Azure platform. The - problem has been fixed, and the affected VMs now perform as expected. -

-
-

- (BZ#2068432) -

-
-
-
-
-
-

8.20. Containers

-
-
-
-
-

podman system connection add and podman image scp no longer fail

-

- Podman uses SHA-1 hashes for the RSA key exchange. Previously, the regular SSH connection among - machines using RSA keys worked, while the podman system connection add and podman image scp commands did not work using the same RSA keys, - because the SHA-1 hashes were not accepted for key exchange on RHEL 9. With the update, the - problem has been fixed. -

-
-

- (JIRA:RHELPLAN-121180) -

-
-

Container images signed with a Beta GPG key can now be pulled

-

- Previously, when you pulled RHEL Beta container images, Podman failed with the error message: - Error: Source image rejected: None of the signatures were accepted. - The images failed to be pulled due to current builds being configured to not trust the RHEL Beta - GPG keys by default. With this update, the /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted - keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in - the default configuration. -

-
-

- (BZ#2094015) -

-
-

Podman no longer fails to pull a container "X509: certificate signed by - unknown authority"

-

- Previously, if you had your own internal registry signed by our own CA certificate, then you had - to import the certificate onto your host machine. Otherwise, an error occurs: -

-
-
x509: certificate signed by unknown authority
-

- With this update, the problem has been fixed. -

-

- (BZ#2027576) -

-
-

DNF and YUM no longer fail because of non-matching repository IDs -

-

- Previously, DNF and YUM repository IDs did not match the format that DNF or YUM expected. For - example, if you ran the following example, the error occurred: -

-
-
# podman run -ti ubi8-ubi
-# dnf debuginfo-install dnsmasq
-...
-This system is not registered with an entitlement server. You can use subscription-manager to register.
-

- With this update, the problem has been fixed. Suffix --debug-rpms was - added to all debug repository names (for example ubi-8-appstream-debug-rpms), and also the suffix -rpms was added to all UBI repository names (for example ubi-8-appstream-rpms). -

-

- For more information, see Universal Base Images (UBI): Images, - repositories, packages, and source code. -

-

- (BZ#2120378) -

-
-
-
-
-
-
-

Chapter 9. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 9. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

9.1. Shells and command-line tools

-
-
-
-
-

ReaR available on the 64-bit IBM Z architecture as a Technology - Preview

-

- Basic Relax and Recover (ReaR) functionality is now available on the 64-bit IBM Z architecture - as a Technology Preview. You can create a ReaR rescue image on IBM Z only in the z/VM - environment. Backing up and recovering logical partitions (LPARs) has not been tested. -

-
-

- The only output method currently available is Initial Program Load (IPL). IPL produces a kernel and - an initial ramdisk (initrd) that can be used with the zIPL bootloader. -

-
-
Warning
-
-

- Currently, the rescue process reformats all the DASDs (Direct Attached Storage Devices) - connected to the system. Do not attempt a system recovery if there is any valuable data - present on the system storage devices. This also includes the device prepared with the zIPL bootloader, ReaR kernel, and initrd that were used to boot - into the rescue environment. Ensure to keep a copy. -

-
-
-

- For more information, see Using - a ReaR rescue image on the 64-bit IBM Z architecture. -

-

- (BZ#2046653) -

-
-

GIMP available as a Technology Preview in RHEL 9

-

- GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. - The gimp package version 2.99.8 is a pre-release version with a set - of improvements, but a limited set of features and no guarantee for stability. As soon as the - official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release - version. -

-
-

- In RHEL 9, you can install gimp easily as an RPM package. -

-

- (BZ#2047161) -

-
-
-
-
-
-

9.2. Security

-
-
-
-
-

gnutls now uses KTLS as a Technology - Preview

-

- The updated gnutls packages can use Kernel TLS (KTLS) for - accelerating data transfer on encrypted channels as a Technology Preview. To enable KTLS, add - the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide - cryptographic policies with the following content: -

-
-
[global]
-ktls = true
-

- Note that the current version does not support updating traffic keys through TLS KeyUpdate messages, which impacts the security of AES-GCM ciphersuites. - See the RFC 7841 - - TLS 1.3 document for more information. -

-

- (BZ#2042009) -

-
-
-
-
-
-

9.3. Networking

-
-
-
-
-

WireGuard VPN is available as a Technology Preview

-

- WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance - VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to - configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the - surface for attacks and, therefore, improves the security. -

-
-

- For further details, see Setting - up a WireGuard VPN. -

-

- (BZ#1613522) -

-
-

Configuring Multipath TCP using NetworkManager is available as a Technology - Preview

-

- With this update, the NetworkManager utility provides you with the Multipath TCP (MPTCP) - functionality. You can use nmcli commands to control MPTCP and make - its settings persistent. -

-
-

- For more information, see Understanding - Multipath TCP: High availability for endpoints and the networking highway of the future and - RFC 8684: TCP Extensions for Multipath - Operation with Multiple Addresses. -

-

- (BZ#2029636) -

-
-

KTLS available as a Technology Preview

-

- RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS - records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM - cipher. KTLS also includes the interface for offloading TLS record encryption to Network - Interface Controllers (NICs) that provides this functionality. -

-
-

- (BZ#1570255) -

-
-

The systemd-resolved service is available as a - Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, a Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that systemd-resolved is an unsupported Technology Preview. -

-

- (BZ#2020529) -

-
-
-
-
-
-

9.4. Kernel

-
-
-
-
-

The Intel data streaming accelerator driver for kernel is available as a - Technology Preview

-

- The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a - Technology Preview. It is an Intel CPU integrated accelerator and includes the shared work queue - with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- (BZ#2030412) -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms - using the Flexible Launch Control mechanism - to use the SGX technology. -

-
-

- (BZ#1874182) -

-
-

The Soft-iWARP driver is available as a Technology Preview

-

- Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for - Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This - protocol suite is fully implemented in software and does not require a specific Remote Direct - Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to - connect to an iWARP adapter or to another system with already installed Soft-iWARP. -

-
-

- (BZ#2023416) -

-
-
-
-
-
-

9.5. File systems and storage

-
-
-
-
-

DAX is now available for ext4 and XFS as a Technology Preview

-

- In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an - application to directly map persistent memory into its address space. To use DAX, a system must - have some form of persistent memory available, usually in the form of one or more Non-Volatile - Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the - NVDIMM(s). Also, the file system must be mounted with the dax mount - option. Then, an mmap of a file on the dax-mounted file system - results in a direct mapping of storage into the application’s address space. -

-
-

- (BZ#1995338) -

-
-

Stratis is available as a Technology Preview

-

- Stratis is a local storage manager. It provides managed file systems on top of pools of storage - with additional features to the user: -

-
-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- (BZ#2041558) -

-
-

NVMe-oF Discovery Service features available as a Technology - Preview

-

- The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) - 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device - that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM - Express 2.0 Ratified TPs from the https://nvmexpress.org/developers/nvme-specification/ - website. -

-
-

- (BZ#2021672) -

-
-

nvme-stas package available as a Technology - Preview

-

- The nvme-stas package, which is a Central Discovery Controller - (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event - Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, - and Automatic (zeroconf) and Manual configuration. -

-
-

- This package consists of two daemons, Storage Appliance Finder (stafd) - and Storage Appliance Connector (stacd). -

-

- (BZ#1893841) -

-
-
-
-
-
-

9.6. Compilers and development tools

-
-
-
-
-

jmc-core and owasp-java-encoder available as a Technology Preview

-

- RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features. -

-
-

- jmc-core is a library providing core APIs for Java Development Kit - (JDK) Mission Control, including libraries for parsing and writing JDK Flight Recording files, as - well as libraries for Java Virtual Machine (JVM) discovery through Java Discovery Protocol (JDP). -

-

- The owasp-java-encoder package provides a collection of - high-performance low-overhead contextual encoders for Java. -

-

- (BZ#1980981) -

-
-
-
-
-
-

9.7. Identity Management

-
-
-
-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

- -

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- (BZ#2084180) -

-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- (BZ#2084166) -

-
-

RHEL IdM allows delegating user authentication to external identity - providers as a Technology Preview

-

- In RHEL IdM, you can now associate users with external identity providers (IdP) that support the - OAuth 2 device authorization flow. When these users authenticate with the SSSD version available - in RHEL 9.1, they receive RHEL IdM single sign-on capabilities with Kerberos tickets after - performing authentication and authorization at the external IdP. -

-
-

- Notable features include: -

-
-
    -
  • - Adding, modifying, and deleting references to external IdPs with ipa idp-* commands -
  • -
  • - Enabling IdP authentication for users with the ipa user-mod --user-auth-type=idp command -
  • -
-
-

- For additional information, see Using - external identity providers to authenticate to IdM. -

-

- (BZ#2069202) -

-
-

sssd-idp sub-package available as a Technology Preview

-

- The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which - are client-side components that perform OAuth2 authentication against Identity Management (IdM) - servers. This feature is available only with IdM servers on RHEL 8.7 and higher, and RHEL 9.1 - and higher. -

-
-

- (BZ#2065693) -

-
-

SSSD internal krb5 idp plugin available as a Technology Preview -

-

- The SSSD krb5 idp plugin allows you to authenticate against an - external identity provider (IdP) using the OAuth2 protocol. This feature is available only with - IdM servers on RHEL 8.7 and higher, and RHEL 9.1 and higher. -

-
-

- (BZ#2056482) -

-
-

ACME available as a Technology Preview

-

- The Automated Certificate Management Environment (ACME) service is now available in Identity - Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation - and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and - avoiding manual processes from certificate lifecycle management. -

-
-

- In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS - ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM - deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity - period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire - IdM deployment. -

-
-
Important
-
-

- It is recommended to enable ACME only in an IdM deployment where all servers are running - RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause - problems in mixed-version deployments. For example, a CA server without ACME can cause - client connections to fail, because it uses a different DNS Subject Alternative Name (SAN). -

-
-
-
-
Warning
-
-

- Currently, RHCS does not remove expired certificates. Because ACME certificates expire after - 90 days, the expired certificates can accumulate and this can affect performance. -

-
-
-
-
    -
  • -

    - To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command: -

    -
    # ipa-acme-manage enable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command: -

    -
    # ipa-acme-manage disable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To check whether the ACME service is installed and if it is enabled or disabled, use the - ipa-acme-manage status command: -

    -
    # ipa-acme-manage status
    -ACME is enabled
    -The ipa-acme-manage command was successful
    -
  • -
-
-

- (BZ#2084181) -

-
-
-
-
-
-

9.8. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology - Preview. -

-
-

- You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can - manage the server using graphical applications. -

-

- A limited set of graphical applications is available on 64-bit ARM. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- (JIRA:RHELPLAN-27394) -

-
-

GNOME for the IBM Z architecture available as a Technology Preview -

-

- The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview. -

-
-

- You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage - the server using graphical applications. -

-

- A limited set of graphical applications is available on IBM Z. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- (JIRA:RHELPLAN-27737) -

-
-
-
-
-
-

9.9. The web console

-
-
-
-
-

Stratis available as a Technology Preview in the RHEL web console -

-

- With this update, the Red Hat Enterprise Linux web console provides the ability to manage - Stratis storage as a Technology Preview. -

-
-

- To learn more about Stratis, see What - is Stratis. -

-

- (JIRA:RHELPLAN-122345) -

-
-
-
-
-
-

9.10. Virtualization

-
-
-
-
-

RHEL VMs can now be deployed to VMware ESXi instances running on ARM64 - processors

-

- As a Technology Preview, it is now possible to deploy RHEL virtual machines to VMware ESXi - hypervisor instances running on 64-bit ARM-based processors. -

-
-

- (JIRA:RHELPLAN-95456) -

-
-

AMD SEV and SEV-ES for KVM virtual machines

-

- As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts the VM’s memory to protect the VM from access by the host. This increases the security - of the VM. -

-
-

- In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology - Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host - from modifying the VM’s CPU registers or reading any information from them. -

-

- Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. - Also note that RHEL 9 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security - attestation. -

-

- (JIRA:RHELPLAN-65217) -

-
-

Virtualization is now available on ARM 64

-

- As a Technology Preview, it is now possible to create KVM virtual machines on systems using ARM - 64 CPUs. -

-
-

- (JIRA:RHELPLAN-103993) -

-
-

virtio-mem is now available on AMD64, Intel - 64, and ARM 64

-

- As a Technology Preview, RHEL 9 introduces the virtio-mem feature - on AMD64, Intel 64, and ARM 64 systems. Using virtio-mem makes it - possible to dynamically add or remove host memory in virtual machines (VMs). -

-
-

- To use virtio-mem, define virtio-mem - memory devices in the XML configuration of a VM and use the virsh update-memory-device command to request memory device size changes - while the VM is running. To see the current memory size exposed by such memory devices to a running - VM, view the XML configuration of the VM. -

-

- (BZ#2014487, BZ#2044162, BZ#2044172) -

-
-

Intel vGPU available as a Technology Preview

-

- As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that this feature is deprecated and will be removed entirely in a future RHEL release. -

-

- (JIRA:RHELDOCS-17050) -

-
-

Creating nested virtual machines

-

- -

Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs.
- -

-
-

- (JIRA:RHELDOCS-17040) -

-
-
-
-
-
-

9.11. RHEL in cloud environments

-
-
-
-
-

RHEL confidential VMs are now available on Azure as a Technology - Preview

-

- With the updated RHEL kernel, you can now create and run confidential virtual machines (VMs) on - Microsoft Azure as a Technology Preview. However, it is not yet possible to encrypt RHEL - confidential VM images during boot on Azure. -

-
-

- (JIRA:RHELPLAN-122321) -

-
-
-
-
-
-

9.12. Containers

-
-
-
-
-

The capability for multiple trusted GPG keys for signing images is - available as a Technology Preview

-

- The /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted - keys. Because of this, the container images signed with GA and Beta GPG keys are now accepted in - the default configuration. -

-
-

- For example: -

-
"registry.redhat.io": [
-        {
-            "type": "signedBy",
-            "keyType": "GPGKeys",
-            "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
-        }
-]
-

- (JIRA:RHELPLAN-129327) -

-
-

The sigstore signatures are now available as a Technology Preview -

-

- Beginning with Podman 4.2, you can use the sigstore format of container image signatures. The - sigstore signatures are stored in the container registry together with the container image - without the need to have a separate signature server to store image signatures. -

-
-

- (JIRA:RHELPLAN-74672) -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- (JIRA:RHELDOCS-16861) -

-
-
-
-
-
-
-

Chapter 10. Deprecated functionality

-
-
-
-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 9. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

10.1. Installer and image creation

-
-
-
-
-

Deprecated Kickstart commands

-

- The following Kickstart commands have been deprecated: -

-
-
-
    -
  • - timezone --ntpservers -
  • -
  • - timezone --nontp -
  • -
  • - logging --level -
  • -
  • - %packages --excludeWeakdeps -
  • -
  • - %packages --instLangs -
  • -
  • - %anaconda -
  • -
  • - pwpolicy -
  • -
-
-

- Note that where only specific options are listed, the base command and its other options are still - available and not deprecated. Using the deprecated commands in Kickstart files prints a warning in - the logs. You can turn the deprecated command warnings into errors with the inst.ksstrict boot option. -

-

- (BZ#1899167) -

-
-
-
-
-
-

10.2. Shells and command-line tools

-
-
-
-
-

Setting the TMPDIR variable in the ReaR - configuration file is deprecated

-

- Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement - such as export TMPDIR=…​, does not work and is deprecated. -

-
-

- To specify a custom directory for ReaR temporary files, export the variable in the shell environment - before executing ReaR. For example, execute the export TMPDIR=…​ - statement and then execute the rear command in the same shell session - or script. -

-

- Jira:RHELDOCS-18049 -

-
-
-
-
-
-

10.3. Security

-
-
-
-
-

SHA-1 is deprecated for cryptographic purposes

-

- The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. - The digest produced by SHA-1 is not considered secure because of many documented successful - attacks based on finding hash collisions. The RHEL core crypto components no longer create - signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 - in security-relevant use cases. -

-
-

- Among the exceptions, the HMAC-SHA1 message authentication code and the Universal Unique Identifier - (UUID) values can still be created using SHA-1 because these use cases do not currently pose - security risks. SHA-1 also can be used in limited cases connected with important interoperability - and compatibility concerns, such as Kerberos and WPA-2. See the List - of RHEL applications using cryptography that is not compliant with FIPS 140-3 section in the - RHEL - 9 Security hardening document for more details. -

-

- If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic - signatures, you can enable it by entering the following command: -

-
# update-crypto-policies --set DEFAULT:SHA1
-

- Alternatively, you can switch the system-wide crypto policies to the LEGACY policy. Note that LEGACY also enables - many other algorithms that are not secure. -

-

- (JIRA:RHELPLAN-110763) -

-
-

SCP is deprecated in RHEL 9

-

- The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The - SCP API remains available for the RHEL 9 lifecycle but using it reduces system security. -

-
-
-
    -
  • - In the scp utility, SCP is replaced by the SSH File Transfer - Protocol (SFTP) by default. -
  • -
  • - The OpenSSH suite does not use SCP in RHEL 9. -
  • -
  • - SCP is deprecated in the libssh library. -
  • -
-
-

- (JIRA:RHELPLAN-99136) -

-
-

Digest-MD5 in SASL is deprecated

-

- The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) - framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release. -

-
-

- (BZ#1995600) -

-
-

OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, RIPEMD160, Blowfish, CAST, - DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1

-

- The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, - uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 - provides them for migrating encrypted data to use new algorithms. Users must not depend on those - algorithms for the security of their systems. -

-
-

- The implementations of the following algorithms have been moved to the legacy provider in OpenSSL: - MD2, MD4, MDC2, Whirlpool, RIPEMD160, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1. -

-

- See the /etc/pki/tls/openssl.cnf configuration file for instructions on - how to load the legacy provider and enable support for the deprecated algorithms. -

-

- (BZ#1975836) -

-
-

/etc/system-fips is now deprecated -

-

- Support for indicating FIPS mode through the /etc/system-fips file - has been removed, and the file will not be included in future versions of RHEL. To install RHEL - in FIPS mode, add the fips=1 parameter to the kernel command line - during the system installation. You can check whether RHEL operates in FIPS mode by using the - fips-mode-setup --check command. -

-
-

- (JIRA:RHELPLAN-103232) -

-
-

libcrypt.so.1 is now deprecated

-

- The libcrypt.so.1 library is now deprecated, and it might be - removed in a future version of RHEL. -

-
-

- (BZ#2034569) -

-
-

fapolicyd.rules is deprecated

-

- The /etc/fapolicyd/rules.d/ directory for files containing allow - and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility. -

-
-

- (BZ#2054740) -

-
-
-
-
-
-

10.4. Networking

-
-
-
-
-

Network teams are deprecated in RHEL 9

-

- The teamd service and the libteam - library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major - release. As a replacement, configure a bond instead of a network team. -

-
-

- Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and - teams, that have similar functions. The bonding code has a high customer adoption, is robust, and - has an active community development. As a result, the bonding code receives enhancements and - updates. -

-

- For details about how to migrate a team to a bond, see Migrating - a network team configuration to network bond. -

-

- (BZ#1935544) -

-
-

NetworkManager connection profiles in ifcfg - format are deprecated

-

- In RHEL 9.0 and later, connection profiles in ifcfg format are - deprecated. The next major RHEL release will remove the support for this format. However, in - RHEL 9, NetworkManager still processes and updates existing profiles in this format if you - modify them. -

-
-

- By default, NetworkManager now stores connection profiles in keyfile format in the /etc/NetworkManager/system-connections/ directory. Unlike the ifcfg format, the keyfile format supports all connection settings that - NetworkManager provides. For further details about the keyfile format and how to migrate profiles, - see NetworkManager - connection profiles in keyfile format. (BZ#1894877) -

-
-

The iptables back end in firewalld is deprecated

-

- In RHEL 9, the iptables framework is deprecated. As a consequence, - the iptables backend and the direct interface in firewalld are also - deprecated. Instead of the direct interface you can use the native - features in firewalld to configure the required rules. -

-
-

- (BZ#2089200) -

-
-
-
-
-
-

10.5. Kernel

-
-
-
-
-

ATM encapsulation is deprecated in RHEL 9

-

- Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, - Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not - been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is - being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the - ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is - deprecated in Red Hat Enterprise Linux 9. -

-
-

- For more information, see PPP Over - AAL5, Multiprotocol - Encapsulation over ATM Adaptation Layer 5, and Classical IP and ARP over ATM. -

-

- (BZ#2058153) -

-
-
-
-
-
-

10.6. File systems and storage

-
-
-
-
-

lvm2-activation-generator and its generated - services removed in RHEL 9.0

-

- The lvm2-activation-generator program and its generated services - lvm2-activation, lvm2-activation-early, and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is - no longer functional. The only method for auto activating volume groups is event based - activation. -

-
-

- (BZ#2038183) -

-
-
-
-
-
-

10.7. Dynamic programming languages, web and database servers

-
-
-
-
-

libdb has been deprecated

-

- RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb) version - 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is - available under the AGPLv3 license, which is more restrictive. -

-
-

- The libdb package is deprecated as of RHEL 9 and might not be available - in future major RHEL releases. -

-

- In addition, cryptographic algorithms have been removed from libdb in - RHEL 9 and multiple libdb dependencies have been removed from RHEL 9. -

-

- Users of libdb are advised to migrate to a different key-value - database. For more information, see the Knowledgebase article Available replacements for the deprecated - Berkeley DB (libdb) in RHEL. -

-

- (BZ#1927780, BZ#1974657, JIRA:RHELPLAN-80695) -

-
-
-
-
-
-

10.8. Compilers and development tools

-
-
-
-
-

Smaller size of keys than 2048 are deprecated by openssl 3.0

-

- Key sizes smaller than 2048 bits are deprecated by openssl 3.0 and - no longer work in Go’s FIPS mode. -

-
-

- (BZ#2111072) -

-
-

Some PKCS1 v1.5 modes are now - deprecated

-

- Some PKCS1 v1.5 modes are not approved in FIPS-140-3 for encryption and are disabled. They will no longer work - in Go’s FIPS mode. -

-
-

- (BZ#2092016) -

-
-
-
-
-
-

10.9. Identity Management

-
-
-
-
-

SHA-1 in OpenDNSSec is now deprecated -

-

- OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 - algorithm is no longer supported. With the RHEL 9 release, SHA-1 in - OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, - OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is - not supported standalone. -

-
-

- (BZ#1979521) -

-
-

The SSSD implicit files provider domain is disabled by default

-

- The SSSD implicit files provider domain, which retrieves user - information from local files such as /etc/shadow and group - information from /etc/groups, is now disabled by default. -

-
-

- To retrieve user and group information from local files with SSSD: -

-
-
    -
  1. -

    - Configure SSSD. Choose one of the following options: -

    -
    -
      -
    1. -

      - Explicitly configure a local domain with the id_provider=files option in the sssd.conf configuration file. -

      -
      [domain/local]
      -id_provider=files
      -...
      -
    2. -
    3. -

      - Enable the files provider by setting enable_files_domain=true in the sssd.conf configuration file. -

      -
      [sssd]
      -enable_files_domain = true
      -
    4. -
    -
    -
  2. -
  3. -

    - Configure the name services switch. -

    -
    # authselect enable-feature with-files-provider
    -
  4. -
-
-

- (JIRA:RHELPLAN-100639) -

-
-

-h and -p options - were deprecated in OpenLDAP client utilities.

-

- The upstream OpenLDAP project has deprecated the -h and -p options in its utilities, and recommends using the -H option instead to specify the LDAP URI. As a consequence, RHEL 9 - has deprecated these two options in all OpenLDAP client utilities. The -h and -p options will be removed from - RHEL products in future releases. -

-
-

- (JIRA:RHELPLAN-137660) -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- Jira:RHELDOCS-16612 -

-
-
-
-
-
-

10.10. Desktop

-
-
-
-
-

GTK 2 is now deprecated

-

- The legacy GTK 2 toolkit and the following, related packages have been deprecated: -

-
-
-
    -
  • - adwaita-gtk2-theme -
  • -
  • - gnome-common -
  • -
  • - gtk2 -
  • -
  • - gtk2-immodules -
  • -
  • - hexchat -
  • -
-
-

- Several other packages currently depend on GTK 2. These have been modified so that they no longer - depend on the deprecated packages in a future major RHEL release. -

-

- If you maintain an application that uses GTK 2, Red Hat recommends that you port the application to - GTK 4. -

-

- (JIRA:RHELPLAN-131882) -

-
-
-
-
-
-

10.11. Graphics infrastructures

-
-
-
-
-

X.org Server is now deprecated

-

- The X.org display server is deprecated, and - will be removed in a future major RHEL release. The default desktop session is now the Wayland session in most cases. -

-
-

- The X11 protocol remains fully supported using - the XWayland back end. As a result, applications - that require X11 can run in the Wayland session. -

-

- Red Hat is working on resolving the remaining problems and gaps in the Wayland session. For the outstanding problems in - Wayland, see the Known - issues section. -

-

- You can switch your user session back to the X.org back end. For more information, see Selecting - GNOME environment and display protocol. -

-

- (JIRA:RHELPLAN-121048) -

-
-

Motif has been deprecated

-

- The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif - community is inactive. -

-
-

- The following Motif packages have been deprecated, including their development and debugging - variants: -

-
-
    -
  • - motif -
  • -
  • - openmotif -
  • -
  • - openmotif21 -
  • -
  • - openmotif22 -
  • -
-
-

- Additionally, the motif-static package has been removed. -

-

- Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new - features compared to Motif. -

-

- (JIRA:RHELPLAN-98983) -

-
-
-
-
-
-

10.12. Red Hat Enterprise Linux system roles

-
-
-
-
-

The networking system role displays a - deprecation warning when configuring teams on RHEL 9 nodes

-

- The network teaming capabilities have been deprecated in RHEL 9. As a result, using the networking RHEL system role on an RHEL 8 controller to configure a - network team on RHEL 9 nodes, shows a warning about its deprecation. -

-
-

- (BZ#1999770) -

-
-
-
-
-
-

10.13. Virtualization

-
-
-
-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. Instead, Red Hat recommends using signatures based on the - SHA2 algorithm, or later. -

-
-

- (BZ#1935497) -

-
-

Limited support for virtual machine snapshots

-

- Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the - UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, - which negatively impacts the hypervisor performance for certain workloads. -

-
-

- Also note that the current mechanism of creating VM snapshots has been deprecated, and Red Hat does - not recommend using VM snapshots in a production environment. However, a new VM snapshot mechanism - is under development and is planned to be fully implemented in a future minor release of RHEL 9. -

-

- (JIRA:RHELPLAN-15509, BZ#1621944) -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager may not be yet - available in the RHEL web console. -

-
-

- (JIRA:RHELPLAN-10304) -

-
-

libvirtd has become deprecated

-

- The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a - future major release of RHEL. Note that you can still use libvirtd - for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly - introduced modular libvirt daemons. For instructions and details, - see the RHEL - 9 Configuring and Managing Virtualization document. -

-
-

- (JIRA:RHELPLAN-113995) -

-
-

The virtual floppy driver has become deprecated

-

- The isa-fdc driver, which controls virtual floppy disk devices, is - now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure - forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy - disk devices in VMs hosted on RHEL 9. -

-
-

- (BZ#1965079) -

-
-

qcow2-v2 image format is deprecated

-

- With RHEL 9, the qcow2-v2 format for virtual disk images has become deprecated, and will become - unsupported in a future major release of RHEL. In addition, the RHEL 9 Image Builder cannot - create disk images in the qcow2-v2 format. -

-
-

- Instead of qcow2-v2, Red Hat strongly recommends using qcow2-v3. To convert a qcow2-v2 image to a - later format version, use the qemu-img amend command. -

-

- (BZ#1951814) -

-
-

Legacy CPU models are now deprecated

-

- A significant number of CPU models have become deprecated and will become unsupported for use in - virtual machines (VMs) in a future major release of RHEL. The deprecated models are as follows: -

-
-
-
    -
  • - For Intel: models prior to Intel Xeon 55xx and 75xx Processor families (also known as - Nehalem) -
  • -
  • - For AMD: models prior to AMD Opteron G4 -
  • -
  • - For IBM Z: models prior to IBM z14 -
  • -
-
-

- To check whether your VM is using a deprecated CPU model, use the virsh dominfo utility, and look for a line similar to the following in - the Messages section: -

-
tainted: use of deprecated configuration settings
-deprecated configuration: CPU model 'i486'
-

- (BZ#2060839) -

-
-
-
-
-
-

10.14. Containers

-
-
-
-
-

Running RHEL 9 containers on a RHEL 7 host is not supported

-

- Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not - guaranteed. -

-
-

- For more information, see Red Hat Enterprise - Linux Container Compatibility Matrix. -

-

- (JIRA:RHELPLAN-100087) -

-
-

SHA1 hash algorithm within Podman has been deprecated

-

- The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer - supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 or - later have to be restarted if they are joined to a network (and not just using slirp4netns) to ensure they can connect to containers started after - the upgrade. -

-
-

- (BZ#2069279) -

-
-

rhel9/pause has been deprecated

-

- The rhel9/pause container image has been deprecated. -

-
-

- (BZ#2106816) -

-
-
-
-
-
-

10.15. Deprecated packages

-
-
-
-

- This section lists packages that have been deprecated and will probably not be included in a future - major release of Red Hat Enterprise Linux. -

-

- For changes to packages between RHEL 8 and RHEL 9, see Changes - to packages in the Considerations in adopting RHEL 9 - document. -

-
-
Important
-
-

- The support status of deprecated packages remains unchanged within RHEL 9. For more - information about the length of support, see Red Hat Enterprise Linux - Life Cycle and Red - Hat Enterprise Linux Application Streams Life Cycle. -

-
-
-

- The following packages have been deprecated in RHEL 9: -

-
-
    -
  • - iptables-devel -
  • -
  • - iptables-libs -
  • -
  • - iptables-nft -
  • -
  • - iptables-nft-services -
  • -
  • - iptables-utils -
  • -
  • - libdb -
  • -
  • - mcpp -
  • -
  • - mod_auth_mellon -
  • -
  • - python3-pytz -
  • -
  • - xorg-x11-server-Xorg -
  • -
-
-
-
-
-
-
-
-

Chapter 11. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 9.1. -

-
-
-
-
-

11.1. Installer and image creation

-
-
-
-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- (BZ#1697896) -

-
-

Local Media installation source is not - detected when booting the installation from a USB that is created using a third party - tool

-

- When booting the RHEL installation from a USB that is created using a third party tool, the - installer fails to detect the Local Media installation source (only - Red Hat CDN is detected). -

-
-

- This issue occurs because the default boot option int.stage2= attempts - to search for iso9660 image format. However, a third party tool might - create an ISO image with a different format. -

-

- As a workaround, use either of the following solution: -

-
-
    -
  • - When booting the installation, click the Tab key to edit the - kernel command line, and change the boot option inst.stage2= to - inst.repo=. -
  • -
  • - To create a bootable USB device on Windows, use Fedora Media Writer. -
  • -
  • - When using a third party tool like Rufus to create a bootable USB device, first regenerate - the RHEL ISO image on a Linux system, and then use the third party tool to create a bootable - USB device. -
  • -
-
-

- For more information on the steps involved in performing any of the specified workaround, see, Installation media is not auto - detected during the installation of RHEL 8.3. -

-

- (BZ#1877697) -

-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installer or use the authselect Kickstart command during installation. -

-

- (BZ#1640697) -

-
-

Driver disk menu fails to display user inputs on the console

-

- When you start RHEL installation using the inst.dd option on the - Kernel command line with a driver disk, the console fails to display the user input. - Consequently, it appears that the application does not respond to the user input and freezes, - but displays the output which is confusing for users. However, this behavior does not affect the - functionality, and user input gets registered after pressing Enter. -

-
-

- As a workaround, to see the expected results, ignore the absence of user inputs in the console and - press Enter when you finish adding inputs. -

-

- (BZ#2109231) -

-
-

Unexpected SELinux policies on systems where Anaconda is running as an - application

-

- When Anaconda is running as an application on an already installed system (for example to - perform another installation to an image file using the –image - anaconda option), the system is not prohibited to modify the SELinux types and attributes during - installation. As a consequence, certain elements of SELinux policy might change on the system - where Anaconda is running. To work around this problem, do not run Anaconda on the production - system and execute it in a temporary virtual machine. So that the SELinux policy on a production - system is not modified. Running anaconda as part of the system installation process such as - installing from boot.iso or dvd.iso is - not affected by this issue. -

-
-

- (BZ#2050140) -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- (BZ#1914955) -

-
-

Hard drive partitioned installations with iso9660 filesystem fails -

-

- You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that - is set to ignore any hard disk containing a iso9660 file system - partition. This happens even when RHEL is installed without using a DVD. -

-
-

- To workaround this problem, add the following script in the kickstart file to format the disc before - the installation starts. -

-

- Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk. -

-
%pre
-wipefs -a /dev/sda
-%end
-

- As a result, installations work as expected without any errors. -

-

- (BZ#1929105) -

-
-

Anaconda fails to verify existence of an administrator user - account

-

- While installing RHEL using a graphical user interface, Anaconda fails to verify if the - administrator account has been created. As a consequence, users might install a system without - any administrator user account. -

-
-

- To work around this problem, ensure you configure an administrator user account or the root password - is set and the root account is unlocked. As a result, users can perform administrative tasks on the - installed system. -

-

- (BZ#2047713) -

-
-

New XFS features prevent booting of PowerNV IBM POWER systems with firmware - older than version 5.10

-

- PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement - for GRUB. This results in the firmware kernel mounting /boot and - Petitboot reading the GRUB config and booting RHEL. -

-
-

- The RHEL 9 kernel introduces bigtime=1 and inobtcount=1 features to the XFS filesystem, which kernels with firmware - older than version 5.10 do not understand. -

-

- To work around this problem, you can use another filesystem for /boot, - for example ext4. -

-

- (BZ#1997832) -

-
-

Cannot install RHEL when PReP is not 4 or 8 MiB in size

-

- The RHEL installer cannot install the boot loader if the PowerPC Reference Platform (PReP) - partition is of a different size than 4 MiB or 8 MiB on a disk that uses 4 kiB sectors. As a - consequence, you cannot install RHEL on the disk. -

-
-

- To work around the problem, make sure that the PReP partition is exactly 4 MiB or 8 MiB in size, and - that the size is not rounded to another value. As a result, the installer can now install RHEL on - the disk. -

-

- (BZ#2026579) -

-
-

The installer displays an incorrect total disk space while custom - partitioning with multipath devices

-

- The installer does not filter out individual paths of multipath devices while custom - partitioning. This causes the installer to display individual paths to multipath devices and - users can select individual paths to multipath devices for the created partitions. As a - consequence, an incorrect sum of the total disk space is displayed. It is computed by adding the - size of each individual path to the total disk space. -

-
-

- As a workaround, use only the multipath devices and not individual paths while custom partitioning, - and ignore the incorrectly computed total disk space. -

-

- (BZ#2052938) -

-
-

Installation fails with NVMe over Fibre Channel devices

-

- When installing RHEL, the installer shows and allows selecting Non-volatile Memory Express - (NVMe) over Fibre Channel devices. Use of such devices during the installation process is not - supported. As a result, the installation process might fail or the installed system might fail - to boot correctly. -

-
-

- To work around this problem, do not use NVMe over Fibre Channel devices during interactive - installation (text or graphical mode). When running a Kickstart installation, configure the system - to ignore NVMe over Fibre Channel devices by using the ignoredisk --drives=<IGNORE_DISKS> Kickstart command, replacing - <IGNORE_DISKS> with the NVMe over Fibre Channel devices. - Alternatively, you can define the disks Kickstart uses during installation with ignoredisk --only-use=<ONLY_USE_DISKS>, replacing <ONLY_USE_DISKS> with supported devices. -

-
-
Note
-
-

- Installation fails for NVMe over Fibre Channel devices only. Locally attached NVMe devices - work correctly. -

-
-
-

- For detailed information on the ignoredisk Kickstart command, see Kickstart - commands for handling storage in the Performing an advanced RHEL 9 installation guide. -

-

- (BZ#2107346) -

-
-

RHEL for Edge installer image fails to create mount points when installing - an rpm-ostree payload

-

- When deploying rpm-ostree payloads, used for example in a RHEL for - Edge installer image, the installer does not properly create some mount points for custom - partitions. As a consequence, the installation is aborted with the following error: -

-
-
The command 'mount --bind /mnt/sysimage/data /mnt/sysroot/data' exited with the code 32.
-

- To work around this issue: -

-
-
    -
  • - Use an automatic partitioning scheme and do not add any mount points manually. -
  • -
  • - Manually assign mount points only inside /var directory. For - example, /var/my-mount-point), and - the following standard directories: /, /boot, /var. -
  • -
-
-

- As a result, the installation process finishes successfully. -

-

- (BZ#2125542) -

-
-

NetworkManager fails to start after the installation when connected to a - network but without DHCP or a static IP address configured

-

- Starting with RHEL 9.0, Anaconda activates network devices automatically when there is no - specific ip= or kickstart network configuration set. Anaconda - creates a default persistent configuration file for each Ethernet device. The connection profile - has the ONBOOT and autoconnect value - set to true. As a consequence, during the start of the installed - system, RHEL activates the network devices, and the networkManager-wait-online service fails. -

-
-

- As a workaround, do one of the following: -

-
-
    -
  • -

    - Delete all connections using the nmcli utility except one - connection you want to use. For example: -

    -
    -
      -
    1. -

      - List all connection profiles: -

      -
      # nmcli connection show
      -
    2. -
    3. -

      - Delete the connection profiles that you do not require: -

      -
      # nmcli connection delete <connection_name>
      -

      - Replace <connection_name> with the name of the connection you want to - delete. -

      -
    4. -
    -
    -
  • -
  • -

    - Disable the auto connect network feature in Anaconda if no specific ip= or kickstart network configuration is set. -

    -
    -
      -
    1. - In the Anaconda GUI, navigate to Network - & Host Name. -
    2. -
    3. - Select a network device to disable. -
    4. -
    5. - Click Configure. -
    6. -
    7. - On the General tab, deselect - the Connect automatically with - priority -
    8. -
    9. - Click Save. -
    10. -
    -
    -
  • -
-
-

- (BZ#2115783) -

-
-

RHEL installer does not process the inst.proxy - boot option correctly

-

- When running Anaconda, the installation program does not process the inst.proxy boot option correctly. As a consequence, you cannot use - the specified proxy to fetch the installation image. -

-
-

- To work around this issue: * Use the latest version of RHEL distribution. * Use proxy instead of inst.proxy boot option. -

-

- (JIRA:RHELDOCS-18764) -

-
-

RHEL installation fails on IBM Z architectures with multi-LUNs

-

- RHEL installation fails on IBM Z architectures when using multiple LUNs during installation. Due - to the multipath setup of FCP and the LUN auto-scan behavior, the length of the kernel command - line in the configuration file exceeds 896 bytes. -

-
-

- To work around this problem, you can do one of the following: -

-
-
    -
  • - Install the latest version of RHEL (RHEL 9.2 or later). -
  • -
  • - Install the RHEL system with a single LUN and add additional LUNs post installation. -
  • -
  • - Optimize the redundant zfcp entries in the boot configuration - on the installed system. -
  • -
  • - Create a physical volume (pvcreate) for each of the additional - LUNs listed under /dev/mapper/. -
  • -
  • - Extend the VG with PVs, for example, vgextend <vg_name> /dev/mapper/mpathX. -
  • -
  • - Increase the LV as needed for example, lvextend -r -l +100%FREE /dev/<vg name>/root. -
  • -
-
-

- For more information, see the KCS - solution. -

-

- (JIRA:RHELDOCS-18638) -

-
-
-
-
-
-

11.2. Subscription management

-
-
-
-
-

The subscription-manager utility retains - nonessential text in the terminal after completing a command

-

- Starting with RHEL 9.1, the subscription-manager utility displays - progress information while processing an operation. For some languages (typically non-Latin), - progress messages might not be cleared after the operation finishes. As a result, you might see - parts of old progress messages in the terminal. -

-
-

- Note that this is not a functional failure for subscription-manager. -

-

- To work around this problem, perform either of the following steps: -

-
-
    -
  • - Include the --no-progress-messages option when running - `subscription-manager`commands in the terminal -
  • -
  • -

    - Configure subscription-manager to operate without - displaying progress messages by entering the following command: -

    -
    # subscription-manager config --rhsm.progress_messages=0
    -
  • -
-
-

- (BZ#2136694) -

-
-
-
-
-
-

11.3. Software management

-
-
-
-
-

The Installation process sometimes becomes unresponsive

-

- When you install RHEL, the installation process sometimes becomes unresponsive. The /tmp/packaging.log file displays the following message at the end: -

-
-
10:20:56,416 DDEBUG dnf: RPM transaction over.
-

- To workaround this problem, restart the installation process. -

-

- (BZ#2073510) -

-
-

A security DNF upgrade fails for packages that change their architecture - through the upgrade

-

- The patch for BZ#2108969, released with the - RHBA-2022:8295 - advisory, introduced the following regression: The DNF upgrade using security filters fails for - packages that change their architecture from or to noarch through - the upgrade. Consequently, it can leave the system in a vulnerable state. -

-
-

- To work around this problem, perform the regular upgrade without security filters. -

-

- (BZ#2108969) -

-
-
-
-
-
-

11.4. Shells and command-line tools

-
-
-
-
-

ReaR fails during recovery if the TMPDIR - variable is set in the configuration file

-

- Setting and exporting TMPDIR in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file does not work and is - deprecated. -

-
-

- The ReaR default configuration file /usr/share/rear/conf/default.conf - contains the following instructions: -

-
# To have a specific working area directory prefix for Relax-and-Recover
-# specify in /etc/rear/local.conf something like
-#
-# export TMPDIR="/prefix/for/rear/working/directory"
-#
-# where /prefix/for/rear/working/directory must already exist.
-# This is useful for example when there is not sufficient free space
-# in /tmp or $TMPDIR for the ISO image or even the backup archive.
-

- The instructions mentioned above do not work correctly because the TMPDIR variable has the same value in the rescue environment, which is - not correct if the directory specified in the TMPDIR variable does not - exist in the rescue image. -

-

- As a consequence, setting and exporting TMPDIR in the /etc/rear/local.conf file leads to the following error when the rescue - image is booted : -

-
mktemp: failed to create file via template '/prefix/for/rear/working/directory/tmp.XXXXXXXXXX': No such file or directory
-cp: missing destination file operand after '/etc/rear/mappings/mac'
-Try 'cp --help' for more information.
-No network interface mapping is specified in /etc/rear/mappings/mac
-

- or the following error and abort later, when running rear recover: -

-
ERROR: Could not create build area
-

- To work around this problem, if you want to have a custom temporary directory, specify a custom - directory for ReaR temporary files by exporting the variable in the shell environment before - executing ReaR. For example, execute the export TMPDIR=…​ statement and - then execute the rear command in the same shell session or script. As a - result, the recovery is successful in the described configuration. -

-

- Jira:RHEL-24847 -

-
-

Renaming network interfaces using ifcfg files - fails

-

- On RHEL 9, the initscripts package is not installed by default. - Consequently, renaming network interfaces using ifcfg files fails. - To solve this problem, Red Hat recommends that you use udev rules - or link files to rename interfaces. For further details, see Consistent - network interface device naming and the systemd.link(5) man - page. -

-
-

- If you cannot use one of the recommended solutions, install the initscripts package. -

-

- (BZ#2018112) -

-
-

The chkconfig package is not installed by - default in RHEL 9

-

- The chkconfig package, which updates and queries runlevel - information for system services, is not installed by default in RHEL 9. -

-
-

- To manage services, use the systemctl commands or install the chkconfig package manually. -

-

- For more information about systemd, see Managing - systemd. For instructions on how to use the systemctl utility, - see Managing - system services with systemctl. -

-

- (BZ#2053598) -

-
-
-
-
-
-

11.5. Infrastructure services

-
-
-
-
-

Both bind and unbound disable validation of SHA-1-based signatures

-

- The bind and unbound components - disable validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 - (algorithm number 7) signatures, and the SHA-1 usage for signatures is restricted in the DEFAULT - system-wide cryptographic policy. -

-
-

- As a result, certain DNSSEC records signed with the SHA-1, RSA/SHA1, and RSASHA1-NSEC3-SHA1 digest - algorithms fail to verify in Red Hat Enterprise Linux 9 and the affected domain names become - vulnerable. -

-

- To work around this problem, upgrade to a different signature algorithm, such as RSA/SHA-256 or - elliptic curve keys. -

-

- For more information and a list of top-level domains that are affected and vulnerable, see the DNSSEC records signed with - RSASHA1 fail to verify solution. -

-

- (BZ#2070495) -

-
-

named fails to start if the same writable zone - file is used in multiple zones

-

- BIND does not allow the same writable zone file in multiple zones. Consequently, if a - configuration includes multiple zones which share a path to a file that can be modified by the - named service, named fails to start. - To work around this problem, use the in-view clause to share one - zone between multiple views and make sure to use different paths for different zones. For - example, include the view names in the path. -

-
-

- Note that writable zone files are typically used in zones with allowed dynamic updates, slave zones, - or zones maintained by DNSSEC. -

-

- (BZ#1984982) -

-
-

Setting the console keymap requires the libxkbcommon library on your minimal install

-

- In RHEL 9, certain systemd library dependencies have been converted - from dynamic linking to dynamic loading, so that your system opens and uses the libraries at - runtime when they are available. With this change, a functionality that depends on such - libraries is not available unless you install the necessary library. This also affects setting - the keyboard layout on systems with a minimal install. As a result, the localectl --no-convert set-x11-keymap gb command fails. -

-
-

- To work around this problem, install the libxkbcommon library: -

-
# dnf install libxkbcommon
-

- (BZ#2214130) -

-
-
-
-
-
-

11.6. Security

-
-
-
-
-

OpenSSL does not detect if a PKCS #11 token - supports the creation of raw RSA or RSA-PSS signatures

-

- The TLS 1.3 protocol requires support for RSA-PSS signatures. If a PKCS #11 token does not - support raw RSA or RSA-PSS signatures, server applications that use the OpenSSL library fail to work with an RSA - key if the key is held by the PKCS #11 token. As a result, TLS - communication fails in the described scenario. -

-
-

- To work around this problem, configure servers and clients to use TLS version 1.2 as the highest TLS - protocol version available. -

-

- (BZ#1681178) -

-
-

OpenSSL incorrectly handles PKCS #11 tokens - that does not support raw RSA or RSA-PSS signatures

-

- The OpenSSL library does not detect key-related capabilities of - PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created - with a token that does not support raw RSA or RSA-PSS signatures. -

-
-

- To work around the problem, add the following lines after the .include - line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file: -

-
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
-MaxProtocol = TLSv1.2
-

- As a result, a TLS connection can be established in the described scenario. -

-

- (BZ#1685470) -

-
-

scp empties files copied to themselves when a - specific syntax is used

-

- The scp utility changed from the Secure copy protocol (SCP) to the - more secure SSH file transfer protocol (SFTP). Consequently, copying a file from a location to - the same location erases the file content. The problem affects the following syntax: -

-
-

- scp localhost:/myfile localhost:/myfile -

-

- To work around this problem, do not copy files to a destination that is the same as the source - location using this syntax. -

-

- The problem has been fixed for the following syntaxes: -

-
-
    -
  • - scp /myfile localhost:/myfile -
  • -
  • - scp localhost:~/myfile ~/myfile -
  • -
-
-

- (BZ#2056884) -

-
-

PSK ciphersuites do not work with the FUTURE - crypto policy

-

- Pre-shared key (PSK) ciphersuites are not recognized as performing perfect forward secrecy (PFS) - key exchange methods. As a consequence, the ECDHE-PSK and DHE-PSK ciphersuites do not work with OpenSSL configured to SECLEVEL=3, for example with the FUTURE - crypto policy. As a workaround, you can set a less restrictive crypto policy or set a lower - security level (SECLEVEL) for applications that use PSK - ciphersuites. -

-
-

- (BZ#2060044) -

-
-

GnuPG incorrectly allows using SHA-1 signatures even if disallowed by crypto-policies

-

- The GNU Privacy Guard (GnuPG) cryptographic software can create and verify signatures that use - the SHA-1 algorithm regardless of the settings defined by the system-wide cryptographic - policies. Consequently, you can use SHA-1 for cryptographic purposes in the DEFAULT cryptographic policy, which is not consistent with the - system-wide deprecation of this insecure algorithm for signatures. -

-
-

- To work around this problem, do not use GnuPG options that involve SHA-1. As a result, you will - prevent GnuPG from lowering the default system security by using the non-secure SHA-1 signatures. -

-

- (BZ#2070722) -

-
-

gpg-agent does not work as an SSH agent in - FIPS mode

-

- The gpg-agent tool creates MD5 fingerprints when adding keys to the - ssh-agent program even though FIPS mode disables the MD5 digest. - Consequently, the ssh-add utility fails to add the keys to the - authentication agent. -

-
-

- To work around the problem, create the ~/.gnupg/sshcontrol file without - using the gpg-agent --daemon --enable-ssh-support command. For example, - you can paste the output of the gpg --list-keys command in the <FINGERPRINT> 0 format to ~/.gnupg/sshcontrol. As a result, gpg-agent - works as an SSH authentication agent. -

-

- (BZ#2073567) -

-
-

Default SELinux policy allows unconfined executables to make their stack - executable

-

- The default state of the selinuxuser_execstack boolean in the - SELinux policy is on, which means that unconfined executables can make their stack executable. - Executables should not use this option, and it might indicate poorly coded executables or a - possible attack. However, due to compatibility with other tools, packages, and third-party - products, Red Hat cannot change the value of the boolean in the default policy. If your scenario - does not depend on such compatibility aspects, you can turn the boolean off in your local policy - by entering the command setsebool -P selinuxuser_execstack off. -

-
-

- (BZ#2064274) -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service - enable or disable state remediation is - not needed. Consequently, OpenSCAP might set the services on the installed system to a - non-compliant state. As a workaround, you can scan and remediate the system after the kickstart - installation. This will fix the service-related issues. -

-
-

- (BZ#1834716) -

-
-

Remediation of SCAP Audit rules fails incorrectly

-

- Bash remediation of some SCAP rules related to Audit configuration does not add the Audit key - when remediating. This applies to the following rules: -

-
-
-
    -
  • - audit_rules_login_events -
  • -
  • - audit_rules_login_events_faillock -
  • -
  • - audit_rules_login_events_lastlog -
  • -
  • - audit_rules_login_events_tallylog -
  • -
  • - audit_rules_usergroup_modification -
  • -
  • - audit_rules_usergroup_modification_group -
  • -
  • - audit_rules_usergroup_modification_gshadow -
  • -
  • - audit_rules_usergroup_modification_opasswd -
  • -
  • - audit_rules_usergroup_modification_passwd -
  • -
  • - audit_rules_usergroup_modification_shadow -
  • -
  • - audit_rules_time_watch_localtime -
  • -
  • - audit_rules_mac_modification -
  • -
  • - audit_rules_networkconfig_modification -
  • -
  • - audit_rules_sysadmin_actions -
  • -
  • - audit_rules_session_events -
  • -
  • - audit_rules_sudoers -
  • -
  • - audit_rules_sudoers_d -
  • -
-
-

- In consequence, if the relevant Audit rule already exists but does not fully conform to the OVAL - check, the remediation fixes the functional part of the Audit rule, that is, the path and access - bits, but does not add the Audit key. Therefore, the resulting Audit rule works correctly, but the - SCAP rule incorrectly reports FAIL. To work around this problem, add the correct keys to the Audit - rules manually. -

-

- (BZ#2120978) -

-
-

SSH timeout rules in STIG profiles configure incorrect options

-

- An update of OpenSSH affected the rules in the following Defense Information Systems Agency - Security Technical Implementation Guide (DISA STIG) profiles: -

-
-
-
    -
  • - DISA STIG for RHEL 9 (xccdf_org.ssgproject.content_profile_stig) -
  • -
  • - DISA STIG with GUI for RHEL 9 (xccdf_org.ssgproject.content_profile_stig_gui) -
  • -
-
-

- In each of these profiles, the following two rules are affected: -

-
Title: Set SSH Client Alive Count Max to zero
-CCE Identifier: CCE-90271-8
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
-
-Title: Set SSH Idle Timeout Interval
-CCE Identifier: CCE-90811-1
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
-

- When applied to SSH servers, each of these rules configures an option (ClientAliveCountMax and ClientAliveInterval) - that no longer behaves as previously. As a consequence, OpenSSH no longer disconnects idle SSH users - when it reaches the timeout configured by these rules. As a workaround, these rules have been - temporarily removed from the DISA STIG for RHEL 9 and DISA STIG with GUI for RHEL 9 profiles until a - solution is developed. -

-

- (BZ#2038978) -

-
-

Keylime might fail attestation of systems that access multiple IMA-measured - files

-

- If a system that runs the Keylime agent accesses multiple files measured by the Integrity - Measurement Architecture (IMA) in quick succession, the Keylime verifier might incorrectly - process the IMA log additions. As a consequence, the running hash does not match the correct - Platform Configuration Register (PCR) state, and the system fails attestation. There is - currently no workaround. -

-
-

- (BZ#2138167) -

-
-

Keylime measured boot policy generation script might cause a segmentation - fault and core dump

-

- The create_mb_refstate script, which generates policies for measure - boot attestation in Keylime, might incorrectly calculate the data length in the DevicePath field instead of using the value of the LengthOfDevicePath field when handling the output of the tpm2_eventlog tool depending on the input provided. As a consequence, - the script tries to access invalid memory using the incorrectly calculated length, which results - in a segmentation fault and core dump. The main functionality of Keylime is not affected by this - problem, but you might be unable to generate a measured boot policy. -

-
-

- To work around this problem, do not use a measured boot policy or write the policy file manually - from the data obtained using the tpm2_eventlog tool from the tpm2-tools package. -

-

- (BZ#2140670) -

-
-

Some TPM certificates cause Keylime registrar to crash

-

- The require_ek_cert configuration option in tenant.conf, which should be enabled in production deployments, - determines whether the Keylime tenant requires an endorsement key (EK) certificate from the - Trusted Platform Module (TPM). When performing the initial identity quote with require_ek_cert enabled, Kelime attempts to verify whether the TPM - device on the agent is genuine by comparing the EK certificate against the trusted certificates - present in the Keylime TPM certificate store. However, some certificates in the store are - malformed x509 certificates and cause the Keylime registrar to crash. There is currently no - simple workaround to this problem, except for setting require_ek_cert to false, and defining a - custom script in the ek_check_script option that will perform EK - validation. -

-
-

- (BZ#2142009) -

-
-
-
-
-
-

11.7. Networking

-
-
-
-
-

The nm-cloud-setup service removes - manually-configured secondary IP addresses from interfaces

-

- Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain - cases, other services on the host can configure interfaces as well. For example, these services - could add secondary IP addresses. To avoid that nm-cloud-setup - removes secondary IP addresses: -

-
-
-
    -
  1. -

    - Stop and disable the nm-cloud-setup service and timer: -

    -
    # systemctl disable --now nm-cloud-setup.service nm-cloud-setup.timer
    -
  2. -
  3. -

    - Display the available connection profiles: -

    -
    # nmcli connection show
    -
  4. -
  5. -

    - Reactive the affected connection profiles: -

    -
    # nmcli connection up "<profile_name>"
    -
  6. -
-
-

- As a result, the service no longer removes manually-configured secondary IP addresses from - interfaces. -

-

- (BZ#2151040) -

-
-

Failure to update the session key causes the connection to break -

-

- Kernel Transport Layer Security (kTLS) protocol does not support updating the session key, which - is used by the symmetric cipher. Consequently, the user cannot update the key, which causes a - connection break. To work around this problem, disable kTLS. As a result, with the workaround, - it is possible to successfully update the session key. -

-
-

- (BZ#2013650) -

-
-

The initscripts package is not installed by - default

-

- By default, the initscripts package is not installed. As a - consequence, the ifup and ifdown - utilities are not available. As an alternative, use the nmcli connection up and nmcli connection down commands to enable and disable connections. If - the suggested alternative does not work for you, report the problem and install the NetworkManager-initscripts-updown package, which provides a - NetworkManager solution for the ifup and ifdown utilities. -

-
-

- (BZ#2082303) -

-
-
-
-
-
-

11.8. Kernel

-
-
-
-
-

The mlx5 driver fails while using Mellanox - ConnectX-5 adapter

-

- In Ethernet switch device driver model (switchdev) mode, mlx5 driver fails when configured with device managed flow steering - (DMFS) parameter and ConnectX-5 adapter supported hardware. As a - consequence, you can see the following error message: -

-
-
BUG: Bad page cache in process umount pfn:142b4b
-

- To workaround this problem, you need to use the software managed flow steering (SMFS) parameter - instead of DMFS. -

-

- (BZ#2180665) -

-
-

FADump enabled with Secure Boot might lead to GRUB Out of Memory - (OOM)

-

- In the Secure Boot environment, GRUB and PowerVM together allocate a 512 MB memory region, known - as the Real Mode Area (RMA), for boot memory. The region is divided among the boot components - and, if any component exceeds its allocation, out-of-memory failures occur. -

-
-

- Generally, the default installed initramfs file system and the vmlinux symbol table are within the limits to avoid such failures. - However, if Firmware Assisted Dump (FADump) is enabled in the system, the default initramfs size can increase and exceed 95 MB. As a consequence, every - system reboot leads to a GRUB OOM state. -

-

- To avoid this issue, do not use Secure Boot and FADump together. For more information and methods on - how to work around this issue, see https://www.ibm.com/support/pages/node/6846531. -

-

- (BZ#2149172) -

-
-

weak-modules from kmod fails to work with module inter-dependencies

-

- The weak-modules script provided by the kmod package determines which modules are kABI-compatible with - installed kernels. However, while checking modules' kernel compatibility, weak-modules processes modules symbol dependencies from higher to - lower release of the kernel for which they were built. As a consequence, modules with - inter-dependencies built against different kernel releases might be interpreted as - non-compatible, and therefore the weak-modules script fails to work - in this scenario. -

-
-

- To work around the problem, build or put the extra modules against the latest stock kernel before - you install the new kernel. -

-

- (BZ#2103605) -

-
-

The kdump service fails to build the initrd file on IBM Z systems

-

- On the 64-bit IBM Z systems, the kdump service fails to load the - initial RAM disk (initrd) when znet - related configuration information such as s390-subchannels reside - in an inactive NetworkManager connection profile. Consequently, the - kdump mechanism fails with the following error: -

-
-
dracut: Failed to set up znet
-kdump: mkdumprd: failed to make kdump initrd
-

- As a workaround, use one of the following solutions: -

-
-
    -
  • -

    - Configure a network bond or bridge by re-using the connection profile that has the znet configuration information: -

    -
    $ nmcli connection modify enc600 master bond0 slave-type bond
    -
  • -
  • -

    - Copy the znet configuration information from the inactive - connection profile to the active connection profile: -

    -
    -
      -
    1. -

      - Run the nmcli command to query the NetworkManager connection profiles: -

      -
      # nmcli connection show
      -
      -NAME                       UUID               TYPE   Device
      -
      -bridge-br0           ed391a43-bdea-4170-b8a2 bridge   br0
      -bridge-slave-enc600  caf7f770-1e55-4126-a2f4 ethernet enc600
      -enc600               bc293b8d-ef1e-45f6-bad1 ethernet --
      -
    2. -
    3. -

      - Update the active profile with configuration information from the inactive - connection: -

      -
      #!/bin/bash
      - inactive_connection=enc600
      - active_connection=bridge-slave-enc600
      - for name in nettype subchannels options; do
      - field=802-3-ethernet.s390-$name
      - val=$(nmcli --get-values "$field"connection show "$inactive_connection")
      - nmcli connection modify "$active_connection" "$field" $val"
      - done
      -
    4. -
    5. -

      - Restart the kdump service for changes to take - effect: -

      -
      # kdumpctl restart
      -
    6. -
    -
    -
  • -
-
-

- (BZ#2064708) -

-
-

The kdump mechanism fails to capture the vmcore file on LUKS-encrypted targets

-

- When running kdump on systems with Linux Unified Key Setup (LUKS) - encrypted partitions, systems require a certain amount of available memory. When the available - memory is less than the required amount of memory, the systemd-cryptsetup service fails to mount the partition. - Consequently, the second kernel fails to capture the crash dump file (vmcore) on LUKS-encrypted targets. -

-
-

- With the kdumpctl estimate command, you can query the Recommended crashkernel value, which is the recommended memory size - required for kdump. -

-

- To work around this problem, use following steps to configure the required memory for kdump on LUKS encrypted targets: -

-
-
    -
  1. -

    - Print the estimate crashkernel value: -

    -
    # kdumpctl estimate
    -
  2. -
  3. -

    - Configure the amount of required memory by increasing the crashkernel value: -

    -
    # grubby --args=crashkernel=652M --update-kernel=ALL
    -
  4. -
  5. -

    - Reboot the system for changes to take effect. -

    -
    # reboot
    -
  6. -
-
-

- As a result, kdump works correctly on systems with LUKS-encrypted - partitions. -

-

- (BZ#2017401) -

-
-

Allocating crash kernel memory fails at boot time

-

- On certain Ampere Altra systems, allocating the crash kernel memory for kdump usage fails during boot when the available memory is below 1 - GB. Consequently, the kdumpctl command fails to start the kdump service. -

-
-

- To workaround this problem, do one of the following: -

-
-
    -
  • - Decrease the value of the crashkernel parameter by a minimum of - 240 MB to fit the size requirement, for example crashkernel=240M. -
  • -
  • - Use the crashkernel=x,high option to reserve crash kernel - memory above 4 GB for kdump. -
  • -
-
-

- As a result, the crash kernel memory allocation for kdump does not fail - on Ampere Altra systems. -

-

- (BZ#2065013) -

-
-

The Delay Accounting functionality does not - display the SWAPIN and IO% - statistics columns by default

-

- The Delayed Accounting functionality, unlike early versions, is - disabled by default. Consequently, the iotop application does not - show the SWAPIN and IO% statistics - columns and displays the following warning: -

-
-
CONFIG_TASK_DELAY_ACCT not enabled in kernel, cannot determine SWAPIN and IO%
-

- The Delay Accounting functionality, using the taskstats interface, provides the delay statistics for all tasks or - threads that belong to a thread group. Delays in task execution occur when they wait for a kernel - resource to become available, for example, a task waiting for a free CPU to run on. The statistics - help in setting a task’s CPU priority, I/O priority, and rss limit - values appropriately. -

-

- As a workaround, you can enable the delayacct boot option either at - runtime or boot. -

-
-
    -
  • -

    - To enable delayacct at runtime, enter: -

    -
    echo 1 > /proc/sys/kernel/task_delayacct
    -

    - Note that this command enables the feature system wide, but only for the tasks that you - start after running this command. -

    -
  • -
  • -

    - To enable delayacct permanently at boot, use one of the - following procedures: -

    -
    -
      -
    • -

      - Edit the /etc/sysctl.conf file to override the - default parameters: -

      -
      -
        -
      1. -

        - Add the following entry to the /etc/sysctl.conf file: -

        -
        kernel.task_delayacct = 1
        -

        - For more information, see How to set - sysctl variables on Red Hat Enterprise Linux. -

        -
      2. -
      3. - Reboot the system for changes to take effect. -
      4. -
      -
      -
    • -
    • -

      - Edit the GRUB 2 configuration file to override the default parameters: -

      -
      -
        -
      1. - Append the delayacct option to the - /etc/default/grub file’s GRUB _CMDLINE_LINUX entry. -
      2. -
      3. -

        - Run the grub2-mkconfig utility to - regenerate the boot configuration: -

        -
        # grub2-mkconfig -o /boot/grub2/grub.cfg
        -

        - For more information, see How do I - permanently modify the kernel command line?. -

        -
      4. -
      5. - Reboot the system for changes to take effect. -
      6. -
      -
      -
    • -
    -
    -
  • -
-
-

- As a result, the iotop application displays the SWAPIN and IO% statistics columns. -

-

- (BZ#2132480) -

-
-

kTLS does not support offloading of TLS 1.3 to NICs

-

- Kernel Transport Layer Security (kTLS) does not support offloading of TLS 1.3 to NICs. - Consequently, software encryption is used with TLS 1.3 even when the NICs support TLS offload. - To work around this problem, disable TLS 1.3 if offload is required. As a result, you can - offload only TLS 1.2. When TLS 1.3 is in use, there is lower performance, since TLS 1.3 cannot - be offloaded. -

-
-

- (BZ#2000616) -

-
-

The iwl7260-firmware breaks Wi-Fi on Intel - Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1 Gen 4

-

- After updating the iwl7260-firmware or iwl7260-wifi driver to the version provided by RHEL 8.7 and/or RHEL - 9.1 (and later), the hardware gets into an incorrect internal state. reports its state - incorrectly. Consequently, Intel Wifi 6 cards may not work and display the error message: -

-
-
kernel: iwlwifi 0000:09:00.0: Failed to start RT ucode: -110
-kernel: iwlwifi 0000:09:00.0: WRT: Collecting data: ini trigger 13 fired (delay=0ms)
-kernel: iwlwifi 0000:09:00.0: Failed to run INIT ucode: -110
-

- An unconfirmed work around is to power off the system and back on again. Do not reboot. -

-

- (BZ#2129288) -

-
-

dkms provides an incorrect warning on program - failure with correctly compiled drivers on 64-bit ARM CPUs

-

- The Dynamic Kernel Module Support (dkms) utility does not recognize - that the kernel headers for 64-bit ARM CPUs work for both the kernels with 4 kilobytes and 64 - kilobytes page sizes. As a result, when the kernel update is performed and the kernel-64k-devel package is not installed, dkms provides an incorrect warning on why the program failed on - correctly compiled drivers. To work around this problem, install the kernel-headers package, which contains header files for both types of - ARM CPU architectures and is not specific to dkms and its - requirements. -

-
-

- (JIRA:RHEL-25967) -

-
-
-
-
-
-

11.9. Boot loader

-
-
-
-
-

The behavior of grubby diverges from its - documentation

-

- When you add a new kernel using the grubby tool and do not specify - any arguments, grubby passes the default arguments to the new - entry. This behavior occurs even without passing the --copy-default - argument. Using --args and --copy-default options ensures those arguments are appended to the - default arguments as stated in the grubby documentation. -

-
-

- However, when you add additional arguments, such as $tuned_params, the - grubby tool does not pass these arguments unless the --copy-default option is invoked. -

-

- In this situation, two workarounds are available: -

-
-
    -
  • -

    - Either set the root= argument and leave --args empty: -

    -
    # grubby --add-kernel /boot/my_kernel --initrd /boot/my_initrd --args "root=/dev/mapper/rhel-root" --title "entry_with_root_set"
    -
  • -
  • -

    - Or set the root= argument and the specified arguments, but - not the default ones: -

    -
    # grubby --add-kernel /boot/my_kernel --initrd /boot/my_initrd --args "root=/dev/mapper/rhel-root some_args and_some_more" --title "entry_with_root_set_and_other_args_too"
    -
  • -
-
-

- (BZ#2127453) -

-
-
-
-
-
-

11.10. File systems and storage

-
-
-
-
-

RHEL instances on Azure fail to boot if provisioned by cloud-init and configured with an NFSv3 mount entry

-

- Currently, booting a RHEL virtual machine (VM) on the Microsoft Azure cloud platform fails if - the VM was provisioned by the cloud-init tool and the guest - operating system of the VM has an NFSv3 mount entry in the /etc/fstab file. -

-
-

- (BZ#2081114) -

-
-

Anaconda fails to login iSCSI server using the no authentication method after unsuccessful CHAP authentication - attempt

-

- When you add iSCSI discs using CHAP authentication and the login attempt fails due to incorrect - credentials, a relogin attempt to the discs with the no authentication method fails. To workaround this problem, close the - current session and login using the no authentication method. -

-
-

- (BZ#1983602) -

-
-

Device Mapper Multipath is not supported with NVMe/TCP

-

- Using Device Mapper Multipath with the nvme-tcp driver can result - in the Call Trace warnings and system instability. To work around this problem, NVMe/TCP users - must enable native NVMe multipathing and not use the device-mapper-multipath tools with NVMe. -

-
-

- By default, Native NVMe multipathing is enabled in RHEL 9. For more information, see Enabling - multipathing on NVMe devices. -

-

- (BZ#2033080) -

-
-

The blk-availability systemd service - deactivates complex device stacks

-

- In systemd, the default block deactivation code does not always - handle complex stacks of virtual block devices correctly. In some configurations, virtual - devices might not be removed during the shutdown, which causes error messages to be logged. To - work around this problem, deactivate complex block device stacks by executing the following - command: -

-
-
# systemctl enable --now blk-availability.service
-

- As a result, complex virtual device stacks are correctly deactivated during shutdown and do not - produce error messages. -

-

- (BZ#2011699) -

-
-

supported_speeds sysfs attribute reports - incorrect speed values

-

- Previously, due to an incorrect definition in the qla2xxx driver, - the supported_speeds sysfs attribute for the HBA reported 20 Gb/s - speed instead of the expected 64 Gb/s speed. Consequently, if the HBA supported 64 Gb/s link - speed, the sysfs supported_speeds value was incorrect, which - affected the reported speed value. -

-
-

- But now the supported_speeds sysfs attribute for the HBA returns a 100 - Gb/s speed instead of the intended 64 Gb/s, and 50 Gb/s speed instead of the intended 128 Gb/s - speed. This only affects the reported speed value, and the actual link rates used on the Fibre - connection are correct. -

-

- (BZ#2069758) -

-
-
-
-
-
-

11.11. Dynamic programming languages, web and database servers

-
-
-
-
-

The --ssl-fips-mode option in MySQL and MariaDB does not change - FIPS mode

-

- The --ssl-fips-mode option in MySQL - and MariaDB in RHEL works differently than in upstream. -

-
-

- In RHEL 9, if you use --ssl-fips-mode as an argument for the mysqld or mariadbd daemon, or if you use - ssl-fips-mode in the MySQL or MariaDB server configuration files, --ssl-fips-mode does not change FIPS mode for these database servers. -

-

- Instead: -

-
-
    -
  • - If you set --ssl-fips-mode to ON, - the mysqld or mariadbd server - daemon does not start. -
  • -
  • - If you set --ssl-fips-mode to OFF - on a FIPS-enabled system, the mysqld or mariadbd server daemons still run in FIPS mode. -
  • -
-
-

- This is expected because FIPS mode should be enabled or disabled for the whole RHEL system, not for - specific components. -

-

- Therefore, do not use the --ssl-fips-mode option in MySQL or MariaDB in RHEL. Instead, ensure - FIPS mode is enabled on the whole RHEL system: -

-
-
    -
  • - Preferably, install RHEL with FIPS mode enabled. Enabling FIPS mode during the installation - ensures that the system generates all keys with FIPS-approved algorithms and continuous - monitoring tests in place. For information about installing RHEL in FIPS mode, see Installing - the system in FIPS mode. -
  • -
  • - Alternatively, you can switch FIPS mode for the entire RHEL system by following the - procedure in Switching - the system to FIPS mode. -
  • -
-
-

- (BZ#1991500) -

-
-
-
-
-
-

11.12. Compilers and development tools

-
-
-
-
-

Certain symbol-based probes do not work in SystemTap on the 64-bit ARM architecture

-

- Kernel configuration disables certain functionality needed for SystemTap. Consequently, some symbol-based probes do not work on the - 64-bit ARM architecture. As a result, affected SystemTap scripts - may not run or may not collect hits on desired probe points. -

-
-

- Note that this bug has been fixed for the remaining architectures with the release of the RHBA-2022:5259 advisory. -

-

- (BZ#2083727) -

-
-
-
-
-
-

11.13. Identity Management

-
-
-
-
-

MIT Kerberos does not support ECC certificates for PKINIT

-

- MIT Kerberos does not implement the RFC5349 request for comments document, which describes the - design of elliptic-curve cryptography (ECC) support in Public Key Cryptography for initial - authentication (PKINIT). Consequently, the MIT krb5-pkinit package, - used by RHEL, does not support ECC certificates. For more information, see Elliptic Curve Cryptography (ECC) Support - for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT). -

-
-

- (BZ#2106043) -

-
-

The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to - work against AD KDCs

-

- The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key - Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 - algorithm. -

-
-

- However, the Active Directory (AD) Kerberos Distribution Center (KDC) still uses the SHA-1 digest - algorithm to sign CMS messages. As a result, RHEL 9 Kerberos clients fail to authenticate users by - using PKINIT against an AD KDC. -

-

- To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the - following command: -

-
 # update-crypto-policies --set DEFAULT:SHA1
-

- (BZ#2060798) -

-
-

The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent - communicates with a non-RHEL-9 and non-AD Kerberos agent

-

- If a RHEL 9 Kerberos agent, either a client or Kerberos Distribution Center (KDC), interacts - with a non-RHEL-9 Kerberos agent that is not an Active Directory (AD) agent, the PKINIT - authentication of the user fails. To work around the problem, perform one of the following - actions: -

-
-
-
    -
  • -

    - Set the RHEL 9 agent’s crypto-policy to DEFAULT:SHA1 to - allow the verification of SHA-1 signatures: -

    -
    # update-crypto-polices --set DEFAULT:SHA1
    -
  • -
  • -

    - Update the non-RHEL-9 and non-AD agent to ensure it does not sign CMS data using the - SHA-1 algorithm. For this, update your Kerberos client or KDC packages to the versions - that use SHA-256 instead of SHA-1: -

    -
    -
      -
    • - CentOS 9 Stream: krb5-1.19.1-15 -
    • -
    • - RHEL 8.7: krb5-1.18.2-17 -
    • -
    • - RHEL 7.9: krb5-1.15.1-53 -
    • -
    • - Fedora Rawhide/36: krb5-1.19.2-7 -
    • -
    • - Fedora 35/34: krb5-1.19.2-3 -
    • -
    -
    -
  • -
-
-

- As a result, the PKINIT authentication of the user works correctly. -

-

- Note that for other operating systems, it is the krb5-1.20 release that ensures that the agent signs - CMS data with SHA-256 instead of SHA-1. -

-

- See also The - DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against AD KDCs. -

-

- (BZ#2077450) -

-
-

FIPS support for AD trust requires the AD-SUPPORT crypto - sub-policy

-

- Active Directory (AD) uses AES SHA-1 HMAC encryption types, which are not allowed in FIPS mode - on RHEL 9 by default. If you want to use RHEL 9 IdM hosts with an AD trust, enable support for - AES SHA-1 HMAC encryption types before installing IdM software. -

-
-

- Since FIPS compliance is a process that involves both technical and organizational agreements, - consult your FIPS auditor before enabling the AD-SUPPORT sub-policy to - allow technical measures to support AES SHA-1 HMAC encryption types, and then install RHEL IdM: -

-
 # update-crypto-policies --set FIPS:AD-SUPPORT
-

- (BZ#2057471) -

-
-

Heimdal client fails to authenticate a user using PKINIT against RHEL 9 - KDC

-

- By default, a Heimdal Kerberos client initiates the PKINIT authentication of an IdM user by - using Modular Exponential (MODP) Diffie-Hellman Group 2 for Internet Key Exchange (IKE). - However, the MIT Kerberos Distribution Center (KDC) on RHEL 9 only supports MODP Group 14 and - 16. -

-
-

- Consequently, the pre-autentication request fails with the krb5_get_init_creds: PREAUTH_FAILED error on the Heimdal client and Key parameters not accepted on the RHEL MIT KDC. -

-

- To work around this problem, ensure that the Heimdal client uses MODP Group 14. Set the pkinit_dh_min_bits parameter in the libdefaults section of the client configuration file to 1759: -

-
[libdefaults]
-pkinit_dh_min_bits = 1759
-

- As a result, the Heimdal client completes the PKINIT pre-authentication against the RHEL MIT KDC. -

-

- (BZ#2106296) -

-
-

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a - two-way cross-forest trust

-

- Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management - (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support - Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the - RC4 NTLM hash that the AD domain controller uses when attempting to authenticate. -

-
-

- (BZ#2124243) -

-
-

IdM to AD cross-realm TGS requests fail

-

- The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with - AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). -

-
-

- Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with - the following error: -

-
"Generic error (see e-text) while getting credentials for <service principal>"
-

- (BZ#2060421) -

-
-

IdM Vault encryption and decryption fails in FIPS mode

-

- The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. Consequently, - Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 - padding for wrapping the session key with the transport certificate. -

-
-

- (BZ#2089907) -

-
-

Migrated IdM users might be unable to log in due to mismatching domain - SIDs

-

- If you have used the ipa migrate-ds script to migrate users from - one IdM deployment to another, those users might have problems using IdM services because their - previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM - environment. For example, those users can retrieve a Kerberos ticket with the kinit utility, but they cannot log in. To work around this problem, - see the following Knowledgebase article: Migrated IdM users unable to log in due - to mismatching domain SIDs. -

-
-

- (JIRA:RHELPLAN-109613) -

-
-

Directory Server terminates unexpectedly when started in referral - mode

-

- Due to a bug, global referral mode does not work in Directory Server. If you start the ns-slapd process with the refer option - as the dirsrv user, Directory Server ignores the port settings and - terminates unexpectedly. Trying to run the process as the root user - changes SELinux labels and prevents the service from starting in future in normal mode. There - are no workarounds available. -

-
-

- (BZ#2053204) -

-
-

Configuring a referral for a suffix fails in Directory Server

-

- If you set a back-end referral in Directory Server, setting the state of the backend using the - dsconf <instance_name> backend suffix set --state referral - command fails with the following error: -

-
-
Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state
-

- As a consequence, configuring a referral for suffixes fail. To work around the problem: -

-
-
    -
  1. -

    - Set the nsslapd-referral parameter manually: -

    -
    # ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com
    -
    -dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
    -changetype: modify
    -add: nsslapd-referral
    -nsslapd-referral: ldap://remote_server:389/dc=example,dc=com
    -
  2. -
  3. -

    - Set the back-end state: -

    -
    # dsconf <instance_name> backend suffix set --state referral
    -
  4. -
-
-

- As a result, with the workaround, you can configure a referral for a suffix. -

-

- (BZ#2063140) -

-
-

The dsconf utility has no option to create - fix-up tasks for the entryUUID plug-in

-

- The dsconf utility does not provide an option to create fix-up - tasks for the entryUUID plug-in. As a result, administrators cannot - not use dsconf to create a task to automatically add entryUUID attributes to existing entries. As a workaround, create a - task manually: -

-
-
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
-
-dn: cn=entryuuid_fixup_<time_stamp>,cn=entryuuid task,cn=tasks,cn=config
-objectClass: top
-objectClass: extensibleObject
-basedn: <fixup base tree>
-cn: entryuuid_fixup_<time_stamp>
-filter: <filtered_entry>
-

- After the task has been created, Directory Server fixes entries with missing or invalid entryUUID attributes. -

-

- (BZ#2047175) -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- (JIRA:RHELPLAN-155168) -

-
-
-
-
-
-

11.14. Desktop

-
-
-
-
-

Firefox add-ons are disabled after upgrading to RHEL 9

-

- If you upgrade from RHEL 8 to RHEL 9, all add-ons that you previously enabled in Firefox are - disabled. -

-
-

- To work around the problem, manually reinstall or update the add-ons. As a result, the add-ons are - enabled as expected. -

-

- (BZ#2013247) -

-
-

User Creation screen is unresponsive

-

- When installing RHEL using a graphical user interface, the User Creation screen is unresponsive. - As a consequence, creating users during installation is more difficult. -

-
-

- To work around this problem, use one of the following solutions to create users: -

-
-
    -
  • - Run the installation in VNC mode and resize the VNC window. -
  • -
  • - Create users after completing the installation process. -
  • -
-
-

- (BZ#2122636) -

-
-

VNC is not running after upgrading to RHEL 9

-

- After upgrading from RHEL 8 to RHEL 9, the VNC server fails to start, even if it was previously - enabled. -

-
-

- To work around the problem, manually enable the vncserver service after - the system upgrade: -

-
# systemctl enable --now vncserver@:port-number
-

- As a result, VNC is now enabled and starts after every system boot as expected. -

-

- (BZ#2060308) -

-
-
-
-
-
-

11.15. Graphics infrastructures

-
-
-
-
-

Matrox G200e shows no output on a VGA display

-

- Your display might show no graphical output if you use the following system configuration: -

-
-
-
    -
  • - The Matrox G200e GPU -
  • -
  • - A display connected over the VGA controller -
  • -
-
-

- As a consequence, you cannot use or install RHEL on this configuration. -

-

- To work around the problem, use the following procedure: -

-
-
    -
  1. - Boot the system to the boot loader menu. -
  2. -
  3. - Add the module_blacklist=mgag200 option to the kernel command - line. -
  4. -
-
-

- As a result, RHEL boots and shows graphical output as expected, but the maximum resolution is - limited to 1024x768 at the 16-bit color depth. -

-

- (BZ#1960467) -

-
-

X.org configuration utilities do not work under Wayland

-

- X.org utilities for manipulating the screen do not work in the Wayland session. Notably, the - xrandr utility does not work under Wayland due to its different - approach to handling, resolutions, rotations, and layout. -

-
-

- (JIRA:RHELPLAN-121049) -

-
-

NVIDIA drivers might revert to X.org

-

- Under certain conditions, the proprietary NVIDIA drivers disable the Wayland display protocol - and revert to the X.org display server: -

-
-
-
    -
  • - If the version of the NVIDIA driver is lower than 470. -
  • -
  • - If the system is a laptop that uses hybrid graphics. -
  • -
  • - If you have not enabled the required NVIDIA driver options. -
  • -
-
-

- Additionally, Wayland is enabled but the desktop session uses X.org by default if the version of the - NVIDIA driver is lower than 510. -

-

- (JIRA:RHELPLAN-119001) -

-
-

Night Light is not available on Wayland with NVIDIA

-

- When the proprietary NVIDIA drivers are enabled on your system, the Night Light feature of GNOME is not available - in Wayland sessions. The NVIDIA drivers do not currently support Night Light. -

-
-

- (JIRA:RHELPLAN-119852) -

-
-
-
-
-
-

11.16. The web console

-
-
-
-
-

VNC console works incorrectly at certain resolutions

-

- When using the Virtual Network Computing (VNC) console under certain display resolutions, you - might experience a mouse offset issue or you might see only a part of the interface. - Consequently, using the VNC console might not be possible. To work around this issue, you can - try expanding the size of the VNC console or use the Desktop Viewer in the Console tab to launch - the remote viewer instead. -

-
-

- (BZ#2030836) -

-
-
-
-
-
-

11.17. Virtualization

-
-
-
-
-

Installing a virtual machine over https or ssh in some cases fails -

-

- Currently, the virt-install utility fails when attempting to - install a guest operating system (OS) from an ISO source over a https or ssh connection - for - example using virt-install --cdrom https://example/path/to/image.iso. Instead of - creating a virtual machine (VM), the described operation terminates unexpectedly with an internal error: process exited while connecting to monitor message. -

-
-

- Similarly, using the RHEL 9 web console to install a guest OS fails and displays an Unknown driver 'https' error if you use an https or ssh URL, or the Download OS function. -

-

- To work around this problem, install qemu-kvm-block-curl and qemu-kvm-block-ssh on the host to enable https and ssh protocol support, - respectively. Alternatively, use a different connection protocol or a different installation source. -

-

- (BZ#2014229) -

-
-

Using NVIDIA drivers in virtual machines disables Wayland

-

- Currently, NVIDIA drivers are not compatible with the Wayland graphical session. As a - consequence, RHEL guest operating systems that use NVIDIA drivers automatically disable Wayland - and load an Xorg session instead. This primarily occurs in the following scenarios: -

-
-
-
    -
  • - When you pass through an NVIDIA GPU device to a RHEL virtual machine (VM) -
  • -
  • - When you assign an NVIDIA vGPU mediated device to a RHEL VM -
  • -
-
-

- (JIRA:RHELPLAN-117234) -

-
-

The Milan VM CPU type is sometimes not - available on AMD Milan systems

-

- On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and - Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS - by default. Consequently, the Milan CPU type might not be available - on these systems. In addition, VM live migration between Milan hosts with different feature flag - settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your host. -

-
-

- (BZ#2077767) -

-
-

Disabling AVX causes VMs to become unbootable

-

- On a host machine that uses a CPU with Advanced Vector Extensions (AVX) support, attempting to - boot a VM with AVX explicitly disabled currently fails, and instead triggers a kernel panic in - the VM. -

-
-

- (BZ#2005173) -

-
-

VNC is unable to connect to UEFI VMs after migration

-

- If you enable or disable a message queue while migrating a virtual machine (VM), the Virtual - Network Computing (VNC) client will fail to connect to the VM after the migration is complete. -

-
-

- This problem affects only UEFI based VMs that use the Open Virtual Machine Firmware (OVMF). -

-

- (JIRA:RHELPLAN-135600) -

-
-

Failover virtio NICs are not assigned an IP address on Windows virtual - machines

-

- Currently, when starting a Windows virtual machine (VM) with only a failover virtio NIC, the VM - fails to assign an IP address to the NIC. Consequently, the NIC is unable to set up a network - connection. Currently, there is no workaround. -

-
-

- (BZ#1969724) -

-
-

Windows VM fails to get IP address after network interface reset -

-

- Sometimes, Windows virtual machines fail to get an IP address after an automatic network - interface reset. As a consequence, the VM fails to connect to the network. To work around this - problem, disable and re-enable the network adapter driver in the Windows Device Manager. -

-
-

- (BZ#2084003) -

-
-

Broadcom network adapters work incorrectly on Windows VMs after a live - migration

-

- Currently, network adapters from the Broadcom family of devices, such as Broadcom, Qlogic, or - Marvell, cannot be hot-unplugged during live migration of Windows virtual machines (VMs). As a - consequence, the adapters work incorrectly after the migration is complete. -

-
-

- This problem affects only those adapters that are attached to Windows VMs using Single-root I/O - virtualization (SR-IOV). -

-

- (BZ#2090712, BZ#2091528, BZ#2111319) -

-
-

A hostdev interface with failover settings - cannot be hot-plugged after being hot-unplugged

-

- After removing a hostdev network interface with failover - configuration from a running virtual machine (VM), the interface currently cannot be re-attached - to the same running VM. -

-
-

- (BZ#2052424) -

-
-

Live post-copy migration of VMs with failover VFs fails

-

- Currently, attempting to post-copy migrate a running virtual machine (VM) fails if the VM uses a - device with the virtual function (VF) failover capability enabled. To work around the problem, - use the standard migration type, rather than post-copy migration. -

-
-

- (BZ#1817965) -

-
-

Host network cannot ping VMs with VFs during live migration

-

- When live migrating a virtual machine (VM) with a configured virtual function (VF), such as a - VMs that uses virtual SR-IOV software, the network of the VM is not visible to other devices and - the VM cannot be reached by commands such as ping. After the - migration is finished, however, the problem no longer occurs. -

-
-

- (BZ#1789206) -

-
-

Using a large number of queues might cause Windows virtual machines to - fail

-

- Windows virtual machines (VMs) might fail when the virtual Trusted Platform Module (vTPM) device - is enabled and the multi-queue virtio-net feature is - configured to use more than 250 queues. -

-
-

- This problem is caused by a limitation in the vTPM device. The vTPM device has a hardcoded limit on - the maximum number of opened file descriptors. Since multiple file descriptors are opened for every - new queue, the internal vTPM limit can be exceeded, causing the VM to fail. -

-

- To work around this problem, choose one of the following two options: -

-
-
    -
  • - Keep the vTPM device enabled, but use less than 250 queues. -
  • -
  • - Disable the vTPM device to use more than 250 queues. -
  • -
-
-

- (BZ#2020146) -

-
-

PCIe ATS devices do not work on Windows VMs

-

- When you configure a PCIe Address Translation Services (ATS) device in the XML configuration of - virtual machine (VM) with a Windows guest operating system, the guest does not enable the ATS - device after booting the VM. This is because Windows currently does not support ATS on virtio devices. -

-
-

- For more information, see the Red - Hat KnowledgeBase. -

-

- (BZ#2073872) -

-
-

Kdump fails on virtual machines with AMD SEV-SNP

-

- Currently, kdump fails on RHEL 9 virtual machines (VMs) that use the AMD Secure Encrypted - Virtualization (SEV) with the Secure Nested Paging (SNP) feature. -

-
-

- (JIRA:RHEL-10019) -

-
-
-
-
-
-

11.18. RHEL in cloud environments

-
-
-
-
-

Cloning or restoring RHEL 9 virtual machines that use LVM on Nutanix AHV - causes non-root partitions to disappear

-

- When running a RHEL 9 guest operating system on a virtual machine (VM) hosted on the Nutanix AHV - hypervisor, restoring the VM from a snapshot or cloning the VM currently causes non-root - partitions in the VM to disappear if the guest is using Logical Volume Management (LVM). As a - consequence, the following problems occur: -

-
-
-
    -
  • - After restoring the VM from a snapshot, the VM cannot boot, and instead enters emergency - mode. -
  • -
  • - A VM created by cloning cannot boot, and instead enters emergency mode. -
  • -
-
-

- To work around these problems, do the following in emergency mode of the VM: -

-
-
    -
  1. - Remove the LVM system devices file: rm /etc/lvm/devices/system.devices -
  2. -
  3. - Recreate LVM device settings: vgimportdevices -a -
  4. -
  5. - Reboot the VM -
  6. -
-
-

- This makes it possible for the cloned or restored VM to boot up correctly. -

-

- Alternatively, to prevent the issue from occurring, do the following before cloning a VM or creating - a VM snapshot: -

-
-
    -
  1. - Uncomment the use_devicesfile = 0 line in the /etc/lvm/lvm.conf file -
  2. -
  3. - Reboot the VM -
  4. -
-
-

- (BZ#2059545) -

-
-

Customizing RHEL 9 guests on ESXi sometimes causes networking - problems

-

- Currently, customizing a RHEL 9 guest operating system in the VMware ESXi hypervisor does not - work correctly with NetworkManager key files. As a consequence, if the guest is using such a key - file, it will have incorrect network settings, such as the IP address or the gateway. -

-
-

- For details and workaround instructions, see the VMware Knowledge Base. -

-

- (BZ#2037657) -

-
-

Setting static IP in a RHEL virtual machine on a VMware host does not - work

-

- Currently, when using RHEL as a guest operating system of a virtual machine (VM) on a VMware - host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then - reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- (BZ#1750862) -

-
-
-
-
-
-

11.19. Supportability

-
-
-
-
-

Timeout when running sos report on IBM Power - Systems, Little Endian

-

- When running the sos report command on IBM Power Systems, Little - Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of - 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the - plugin’s timeout accordingly: -

-
-
-
    -
  • - For one-time setting, run: -
  • -
-
-
# sos report -k processor.timeout=1800
-
-
    -
  • - For a permanent change, edit the [plugin_options] section of - the /etc/sos/sos.conf file: -
  • -
-
-
[plugin_options]
-# Specify any plugin options and their values here. These options take the form
-# plugin_name.option_name = value
-#rpm.rpmva = off
-processor.timeout = 1800
-

- The example value is set to 1800. The particular timeout value highly depends on a specific system. - To set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one - plugin with no timeout by running the following command: -

-
# time sos report -o processor -k processor.timeout=0 --batch --build
-

- (BZ#1869561) -

-
-
-
-
-
-

11.20. Containers

-
-
-
-
-

Running systemd within an older container image does not work

-

- Running systemd within an older container image, for example, centos:7, does not work: -

-
-
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd
- Storing signatures
- Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
- [!!!!!!] Failed to mount API filesystems, freezing.
-

- To work around this problem, use the following commands: -

-
# mkdir /sys/fs/cgroup/systemd
-# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
-# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
-

- (JIRA:RHELPLAN-96940) -

-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA IDs are listed in this document for reference. Bugzilla bugs that are publicly - accessible include a link to the ticket. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- BZ#2052527, BZ#2057063, BZ#2057066, BZ#1872451, BZ#2053204, BZ#2063140, BZ#2047175 -

-
-

- NetworkManager -

-
-

- BZ#2068525, BZ#2059608, BZ#2030997, BZ#2079849, BZ#2097293, BZ#2029636, - BZ#1894877, BZ#2151040 -

-
-

- anaconda -

-
-

- BZ#2059414, BZ#2053710, - BZ#2082132, BZ#2050140, - BZ#1877697, BZ#1914955, BZ#1929105, - BZ#1997832, BZ#2052938, BZ#2107346, BZ#2125542, - BZ#2115783 -

-
-

- ansible-collection-microsoft-sql -

-
-

- BZ#2066337 -

-
-

- ansible-collection-redhat-rhel_mgmt -

-
-

- BZ#2112434 -

-
-

- ansible-freeipa -

-
-

- BZ#2076567 -

-
-

- bind -

-
-

- BZ#1984982 -

-
-

- catatonit -

-
-

- BZ#2074193 -

-
-

- chrony -

-
-

- BZ#2047415, BZ#2051441 -

-
-

- clevis -

-
-

- BZ#2107078 -

-
-

- cloud-init -

-
-

- BZ#1750862 -

-
-

- cockpit-appstream -

-
-

- BZ#2030836 -

-
-

- cockpit -

-
-

- BZ#2056786 -

-
-

- cronie -

-
-

- BZ#2090691 -

-
-

- crypto-policies -

-
-

- BZ#2102774, BZ#2070604 -

-
-

- cyrus-sasl -

-
-

- BZ#1995600 -

-
-

- device-mapper-multipath -

-
-

- BZ#2084365, - BZ#2033080, BZ#2011699 -

-
-

- distribution -

-
-

- BZ#2063773 -

-
-

- dnf-plugins-core -

-
-

- BZ#2066646 -

-
-

- dnf -

-
-

- BZ#2053014, BZ#2073510 -

-
-

- dotnet7.0 -

-
-

- BZ#2112027 -

-
-

- dyninst -

-
-

- BZ#2057675 -

-
-

- edk2 -

-
-

- BZ#1935497 -

-
-

- elfutils -

-
-

- BZ#2088774 -

-
-

- fapolicyd -

-
-

- BZ#2100041, BZ#2054740, BZ#2070655 -

-
-

- firefox -

-
-

- BZ#2013247 -

-
-

- firewalld -

-
-

- BZ#2040689, BZ#2039542 -

-
-

- frr -

-
-

- BZ#2069563 -

-
-

- gcc-toolset-12-annobin -

-
-

- BZ#2077438 -

-
-

- gcc-toolset-12-binutils -

-
-

- BZ#2077445 -

-
-

- gcc-toolset-12-gcc -

-
-

- BZ#2077465 -

-
-

- gcc-toolset-12-gdb -

-
-

- BZ#2077494 -

-
-

- gcc -

-
-

- BZ#2063255 -

-
-

- gdb -

-
-

- BZ#1870017 -

-
-

- gdm -

-
-

- BZ#2097308 -

-
-

- gimp -

-
-

- BZ#2047161 -

-
-

- glibc -

-
-

- BZ#2033683, BZ#2096191, BZ#2063142, - BZ#2077838, BZ#2085529, BZ#2003291, BZ#2091549 -

-
-

- gnome-settings-daemon -

-
-

- BZ#2100467 -

-
-

- gnupg2 -

-
-

- BZ#2070722, BZ#2073567 -

-
-

- gnutls -

-
-

- BZ#2042009 -

-
-

- golang -

-
-

- BZ#2075169, BZ#2111072, - BZ#2092016 -

-
-

- grub2 -

-
-

- BZ#2074761, BZ#2026579 -

-
-

- grubby -

-
-

- BZ#1978226, BZ#1969362, BZ#2127453 -

-
-

- httpd -

-
-

- BZ#2079939, - BZ#2065677 -

-
-

- ipa -

-
-

- BZ#747959, BZ#2091988, BZ#2083218, BZ#2100227, BZ#2084180, BZ#2084166, BZ#2069202, BZ#2057471, BZ#2124243, BZ#2089907 -

-
-

- jmc-core -

-
-

- BZ#1980981 -

-
-

- kdump-anaconda-addon -

-
-

- BZ#1959203, BZ#2017401 -

-
-

- kernel-rt -

-
-

- BZ#2061574 -

-
-

- kernel -

-
-

- JIRA:RHELPLAN-117713, BZ#2027894, BZ#2066451, BZ#2079368, BZ#2065226, BZ#2013413, - BZ#2069045, BZ#2001936, BZ#2097188, BZ#2096127, BZ#2054379, BZ#2073541, BZ#2030922, - BZ#1945040, - BZ#2100898, BZ#2068432, BZ#2046472, BZ#1613522, BZ#1874182, BZ#1995338, BZ#1570255, - BZ#2023416, BZ#2021672, BZ#2000616, BZ#2013650, BZ#2132480, BZ#2060150, BZ#2059545, - BZ#2069758, BZ#1960467, BZ#2005173, BZ#2129288 -

-
-

- kexec-tools -

-
-

- BZ#2064708, BZ#2065013 -

-
-

- keylime -

-
-

- BZ#2138167, BZ#2140670, BZ#2142009 -

-
-

- kmod-kvdo -

-
-

- BZ#2064802 -

-
-

- kmod -

-
-

- BZ#2103605 -

-
-

- krb5 -

-
-

- BZ#2068935, BZ#2106043, BZ#2060798, BZ#2077450, BZ#2106296, BZ#2060421 -

-
-

- libdnf -

-
-

- BZ#2108969 -

-
-

- libnvme -

-
-

- BZ#2099619 -

-
-

- libsepol -

-
-

- BZ#2069718, BZ#2079276 -

-
-

- libvirt -

-
-

- BZ#2064194, BZ#2014487 -

-
-

- libvpd -

-
-

- BZ#2051288 -

-
-

- libxcrypt -

-
-

- BZ#2034569 -

-
-

- llvm-toolset -

-
-

- BZ#2061041 -

-
-

- lsvpd -

-
-

- BZ#2051289 -

-
-

- lvm2 -

-
-

- BZ#2038183 -

-
-

- maven -

-
-

- BZ#2083112 -

-
-

- mysql -

-
-

- BZ#1991500 -

-
-

- nfs-utils -

-
-

- BZ#2081114 -

-
-

- nmstate -

-
-

- BZ#2084474, BZ#2082043 -

-
-

- nodejs -

-
-

- BZ#2083072 -

-
-

- nss -

-
-

- BZ#2091905 -

-
-

- nvme-cli -

-
-

- BZ#2090121 -

-
-

- nvme-stas -

-
-

- BZ#1893841 -

-
-

- open-vm-tools -

-
-

- BZ#2061193, BZ#2037657 -

-
-

- opencryptoki -

-
-

- BZ#2044179 -

-
-

- openscap -

-
-

- BZ#2109485 -

-
-

- openssh -

-
-

- BZ#2066882, BZ#2087121, BZ#2056884 -

-
-

- openssl -

-
-

- BZ#2060510, BZ#2053289, - BZ#2066412, BZ#2063947, BZ#2004915, BZ#2058663, BZ#1975836, - BZ#1681178, BZ#1685470, BZ#2060044, BZ#2071631 -

-
-

- pacemaker -

-
-

- BZ#2121838, BZ#2072108 -

-
-

- pause-container -

-
-

- BZ#2106816 -

-
-

- pcre2 -

-
-

- BZ#2086494 -

-
-

- pcs -

-
-

- BZ#2024522, BZ#2054671, BZ#2058251, BZ#2058252, BZ#2058246, BZ#2058243, BZ#1301204 -

-
-

- php -

-
-

- BZ#2070040 -

-
-

- pki-core -

-
-

- BZ#2084181 -

-
-

- podman -

-
-

- BZ#2097708, BZ#2027576, - BZ#2069279 -

-
-

- policycoreutils -

-
-

- BZ#2115242 -

-
-

- powerpc-utils -

-
-

- BZ#1920964 -

-
-

- ppc64-diag -

-
-

- BZ#2051286 -

-
-

- procps-ng -

-
-

- BZ#2052536, BZ#2003033 -

-
-

- pykickstart -

-
-

- BZ#2083269 -

-
-

- qemu-kvm -

-
-

- BZ#2044218, BZ#1965079, BZ#1951814, BZ#2060839, BZ#2014229, BZ#2052424, BZ#1817965, BZ#1789206, BZ#2090712, BZ#2020146 -

-
-

- rear -

-
-

- BZ#2111059, BZ#2097437, BZ#2115958, BZ#2083272, - BZ#2120736, BZ#2119501 -

-
-

- resource-agents -

-
-

- BZ#1826455 -

-
-

- rhel-system-roles -

-
-

- BZ#2072385, BZ#2086965, BZ#2065337, BZ#2079622, BZ#2043010, BZ#2065383, BZ#2112145, BZ#2052081, BZ#2052086, BZ#2065392, BZ#2072742, BZ#2072745, BZ#2072746, BZ#2075119, BZ#2078989, BZ#2079627, BZ#2093423, BZ#2100292, BZ#2100942, BZ#2115154, BZ#2115157, BZ#2115152, BZ#2051737, BZ#2065382, BZ#2065394, BZ#2115886, BZ#2100605, BZ#2060523, BZ#2060525, BZ#2065393, - BZ#2070462, BZ#2083376, BZ#2083410, BZ#2100286, BZ#2109998, BZ#2115156, BZ#2071804, BZ#2100294, BZ#1999770 -

-
-

- rsyslog -

-
-

- BZ#2064318 -

-
-

- rust -

-
-

- BZ#2075337 -

-
-

- s390utils -

-
-

- BZ#1870699, BZ#1932480 -

-
-

- samba -

-
-

- BZ#2077487, - Jira:RHELDOCS-16612 -

-
-

- sblim-wbemcli -

-
-

- BZ#2083577 -

-
-

- scap-security-guide -

-
-

- BZ#2070563, BZ#2120978, BZ#2038978 -

-
-

- selinux-policy -

-
-

- BZ#1965013, BZ#2081425, BZ#2076681, BZ#2064274 -

-
-

- sos -

-
-

- BZ#1869561 -

-
-

- sssd -

-
-

- BZ#1978119, BZ#2065693, BZ#2056482 -

-
-

- stalld -

-
-

- BZ#2107275 -

-
-

- stratisd -

-
-

- BZ#1990905, BZ#2040352, BZ#2039960, BZ#2007018, BZ#2005110, BZ#2041558 -

-
-

- subscription-manager -

-
-

- BZ#2092014, - BZ#2136694 -

-
-

- systemd -

-
-

- BZ#2018112 -

-
-

- systemtap -

-
-

- BZ#2083727 -

-
-

- tigervnc -

-
-

- BZ#2060308 -

-
-

- tpm2-tools -

-
-

- BZ#2090748 -

-
-

- tuned -

-
-

- BZ#2093847 -

-
-

- ubi8-container -

-
-

- BZ#2120378 -

-
-

- udisks2 -

-
-

- BZ#1983602 -

-
-

- unbound -

-
-

- BZ#2087120, BZ#2071543, BZ#2070495 -

-
-

- valgrind -

-
-

- BZ#1993976 -

-
-

- virt-who -

-
-

- BZ#2054504 -

-
-

- virtio-win -

-
-

- BZ#1969724, BZ#2084003 -

-
-

- whois -

-
-

- BZ#2054043 -

-
-

- xmlstarlet -

-
-

- BZ#2069689 -

-
-

- xorg-x11-server -

-
-

- BZ#1894612 -

-
-

- other -

-
-

- JIRA:RHELPLAN-92522, BZ#2125549, - BZ#2128016, BZ#1937031, JIRA:RHELPLAN-121982, JIRA:RHELPLAN-95456, - JIRA:RHELPLAN-122321, JIRA:RHELPLAN-118462, JIRA:RHELPLAN-101140, - JIRA:RHELPLAN-132023, JIRA:RHELPLAN-123369, JIRA:RHELPLAN-117109, - JIRA:RHELPLAN-130379, BZ#2049492, - JIRA:RHELPLAN-130376, JIRA:RHELPLAN-122735, BZ#2070793, BZ#2122716, - JIRA:RHELPLAN-123368, JIRA:RHELPLAN-135601, JIRA:RHELPLAN-135602, BZ#2139877, - JIRA:RHELPLAN-122776, JIRA:RHELPLAN-121180, BZ#2094015, - JIRA:RHELPLAN-109067, JIRA:RHELPLAN-115603, JIRA:RHELPLAN-65217, BZ#2020529, BZ#2030412, - BZ#2046653, JIRA:RHELPLAN-103993, JIRA:RHELPLAN-122345, JIRA:RHELPLAN-129327, - JIRA:RHELPLAN-74672, BZ#1927780, JIRA:RHELPLAN-110763, BZ#1935544, BZ#2089200, - JIRA:RHELPLAN-15509, JIRA:RHELPLAN-99136, JIRA:RHELPLAN-103232, BZ#1899167, BZ#1979521, - JIRA:RHELPLAN-100087, JIRA:RHELPLAN-100639, JIRA:RHELPLAN-10304, BZ#2058153, - JIRA:RHELPLAN-113995, JIRA:RHELPLAN-121048, JIRA:RHELPLAN-98983, - JIRA:RHELPLAN-131882, JIRA:RHELPLAN-137660, BZ#1640697, BZ#1697896, BZ#2047713, - JIRA:RHELPLAN-96940, JIRA:RHELPLAN-117234, JIRA:RHELPLAN-119001, - JIRA:RHELPLAN-119852, BZ#2077767, BZ#2053598, BZ#2082303, - JIRA:RHELPLAN-121049, JIRA:RHELPLAN-109613, JIRA:RHELPLAN-135600, BZ#2149172 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.2-9
-
-

- Wed Aug 28 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-8
-
-

- Thu Aug 22 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-7
-
-

- Thu Jul 18 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the abstract in the Deprecated functionalities section -
  • -
-
-
-
0.2-6
-
-

- Tue Jun 11 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Add Deprecated Functionality RHELDOCS-18049 - (Shells and command-line tools). -
  • -
-
-
-
0.2-5
-
-

- Tue Jun 11 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Added an Known Issue JIRA:RHEL-24847 - (Shells and command-line tools). -
  • -
-
-
-
0.2-4
-
-

- Thu May 16 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-3
-
-

- Thu Mar 14 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-2
-
-

- Thu Feb 1 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-1
-
-

- Mon Nov 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-0
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.1-9
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-8
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-7
-
-

- September 25 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-6
-
-

- September 8 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Added a deprecated functionality release note JIRA:RHELDOCS-16612 - (Samba). -
  • -
  • - Updated the "Providing feedback on Red Hat documentation" to reflect RHEL in JIRA. -
  • -
-
-
-
0.1-5
-
-

- August 17 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-4
-
-

- August 07 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-3
-
-

- August 02 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Updated a deprecated functionality release note BZ#1894877 - (NetworkManager). -
  • -
-
-
-
0.1-2
-
-

- July 25 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added a Known Issue BZ#2109231 - (Installer). -
  • -
-
-
-
0.1-1
-
-

- Thu Jun 15, 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a new feature BZ#2070725 - (Boot loader). -
  • -
  • - Other minor updates. -
  • -
-
-
-
0.1-0
-
-

- Wed May 17, 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0-9
-
-

- Thu Apr 27, 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0-8
-
-

- Tue Apr 25, 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2180665 - (Kernel). -
  • -
-
-
-
0.0-7
-
-

- Mon Feb 20, 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0-6
-
-

- Thu Feb 16, 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated a known issue BZ#2132480 - (Kernel). -
  • -
-
-
-
0.0-5
-
-

- Tue Feb 14, 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0-4
-
-

- Tue Feb 14, 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Added an enhancement BZ#2144898 - (Networking). -
  • -
-
-
-
0.0-3
-
-

- Wed Dec 07, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Moved the nodejs:18 module stream BZ#2083072 from - Technology Previews to fully supported features (Dynamic programming languages, web - and database servers). -
  • -
-
-
-
0.0-2
-
-

- Wed Nov 16, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 9.1 Release Notes. -
  • -
-
-
-
0.0-1
-
-

- Wed Sep 28, 2022, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 9.1 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
-
diff --git a/app/data/9.2.html b/app/data/9.2.html
deleted file mode 100644
index f5db1a5..0000000
--- a/app/data/9.2.html
+++ /dev/null
@@ -1,19545 +0,0 @@
- -
-
-
-
Red Hat Enterprise Linux 9.2
-
-

Release Notes for Red Hat Enterprise Linux 9.2

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 9.2 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
- For information about installing Red Hat Enterprise Linux, see Section 3.1, “Installation”. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your feedback on our documentation. Let us know how we can improve it. -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar. -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 9.2

-
-
-
-

Installer and image creation

-

- Key highlights for image builder: -

-
-
    -
  • - Image builder on-prem now offers a new and improved way to create blueprints and images in - the image builder web console. -
  • -
  • - Creating customized files and directories in the /etc directory - is now supported. -
  • -
  • - The RHEL for Edge Simplified Installer image type is now available in the image builder web - console. -
  • -
-
-

- For more information, see New features - Installer and image creation. -

-

RHEL for Edge

-

- Key highlights for RHEL for Edge: -

-
-
    -
  • - Specifying a user in a blueprint for simplified-installer - images is now supported. -
  • -
  • - The Ignition provisioning utility is now supported in RHEL for Edge Simplified images. -
  • -
  • - Simplified Installer images can now be composed without the FDO customization section in the - blueprint. -
  • -
-
-

- For more information, see New features - RHEL for Edge. -

-

Security

-

- Key security-related highlights: -

-
-
    -
  • - The OpenSSL secure communications - library was rebased to version 3.0.7. -
  • -
  • - SELinux user-space packages were updated - to version 3.5. -
  • -
  • - Keylime was rebased to version 6.5.2 -
  • -
  • - OpenSCAP was rebased to version 1.3.7. -
  • -
  • - SCAP Security Guide was rebased to - version 0.1.66. -
  • -
  • - A new rule for idle session termination was added to the SCAP Security Guide. -
  • -
  • - Clevis now accepts external tokens. -
  • -
  • - Rsyslog TLS-encrypted logging now - supports multiple CA files. -
  • -
  • - Rsyslog privileges are limited to minimize security exposure. -
  • -
  • - The fapolicyd framework now provides - filtering of the RPM database. -
  • -
-
-

- See New features - Security - for more information. -

-

Dynamic programming languages, web and - database servers

-

- Later versions of the following Application Streams are now available: -

-
-
    -
  • - Python 3.11 -
  • -
  • - nginx 1.22 -
  • -
  • - PostgreSQL 15 -
  • -
-
-

- The following components have been upgraded: -

-
-
    -
  • - Git to version 2.39.1 -
  • -
  • - Git LFS to version 3.2.0 -
  • -
-
-

- See New features - Dynamic - programming languages, web and database servers for more information. -

-

Compilers and development tools

-
Updated system toolchain
-

- The following system toolchain components have been updated in RHEL 9.2: -

-
-
    -
  • - GCC 11.3.1 -
  • -
  • - glibc 2.34 -
  • -
  • - binutils 2.35.2 -
  • -
-
-
Updated performance tools and debuggers
-

- The following performance tools and debuggers have been updated in RHEL 9.2: -

-
-
    -
  • - GDB 10.2 -
  • -
  • - Valgrind 3.19 -
  • -
  • - SystemTap 4.8 -
  • -
  • - Dyninst 12.1.0 -
  • -
  • - elfutils 0.188 -
  • -
-
-
Updated performance monitoring tools
-

- The following performance monitoring tools have been updated in RHEL 9.2: -

-
-
    -
  • - PCP 6.0.1 -
  • -
  • - Grafana 9.0.9 -
  • -
-
-
Updated compiler toolsets
-

- The following compiler toolsets have been updated in RHEL 9.2: -

-
-
    -
  • - GCC Toolset 12 -
  • -
  • - LLVM Toolset 15.0.7 -
  • -
  • - Rust Toolset 1.66 -
  • -
  • - Go Toolset 1.19.6 -
  • -
-
-

- For detailed changes, see New features - Compilers and development - tools. -

-
Java implementations in RHEL 9
-

- The RHEL 9 AppStream repository includes: -

-
-
    -
  • - The java-17-openjdk packages, which provide the OpenJDK 17 Java - Runtime Environment and the OpenJDK 17 Java Software Development Kit. -
  • -
  • - The java-11-openjdk packages, which provide the OpenJDK 11 Java - Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
  • -
  • - The java-1.8.0-openjdk packages, which provide the OpenJDK 8 - Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. -
  • -
-
-

- The Red Hat build of OpenJDK packages share a single set of binaries between its portable Linux - releases and RHEL 9.2 and later releases. With this update, there is a change in the process of - rebuilding the OpenJDK packages on RHEL from the source RPM. For more information about the new - rebuilding process, see the README.md file which is available in the SRPM package of the Red Hat - build of OpenJDK and is also installed by the java-*-openjdk-headless - packages under the /usr/share/doc tree. -

-

- For more information, see OpenJDK - documentation. -

-

The web console

-

- The RHEL web console now performs additional steps for binding LUKS-encrypted root volumes to NBDE deployments. -

-

- You can also apply the following cryptographic - subpolicies through the graphical interface now: DEFAULT:SHA1, LEGACY:AD-SUPPORT, and FIPS:OSPP. -

-

- See New features - - The web console for more information. -

-

Containers

-

- Notable changes include: -

-
-
    -
  • - The podman RHEL System Role is now available. -
  • -
  • - Clients for sigstore signatures with Fulcio and Rekor are now available. -
  • -
  • - Skopeo now supports generating sigstore key pairs. -
  • -
  • - Podman now supports events for auditing. -
  • -
  • - The Container Tools packages have been updated. -
  • -
  • - The Aardvark and Netavark networks stack now supports custom DNS server selection. -
  • -
  • - Toolbox is now available. -
  • -
  • - Podman Quadlet is now available as a Technology Preview. -
  • -
  • - The CNI network stack has been deprecated. -
  • -
-
-

- See New features - - Containers for more information. -

-
-
-
-
-
-

1.2. In-place upgrade

-
-
-
-

In-place upgrade from RHEL 8 to RHEL 9

-

- The supported in-place upgrade paths currently are: -

-
-
    -
  • -

    - From RHEL 8.6 to RHEL 9.0 and RHEL 8.8 to RHEL 9.2 on the following architectures: -

    -
    -
      -
    • - 64-bit Intel -
    • -
    • - 64-bit AMD -
    • -
    • - 64-bit ARM -
    • -
    • - IBM POWER 9 (little endian) -
    • -
    • - IBM Z architectures, excluding z13 -
    • -
    -
    -
  • -
  • - From RHEL 8.6 to RHEL 9.0 and RHEL 8.8 to RHEL 9.2 on systems with SAP HANA -
  • -
-
-

- For more information, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. -

-

- For instructions on performing an in-place upgrade, see Upgrading - from RHEL 8 to RHEL 9. -

-

- If you are upgrading to RHEL 9.2 with SAP HANA, ensure that the system is certified for SAP prior to - the upgrade. For instructions on performing an in-place upgrade on systems with SAP environments, - see How - to in-place upgrade SAP environments from RHEL 8 to RHEL 9. -

-

- Notable enhancements include: -

-
-
    -
  • - The RHEL in-place upgrade path strategy has changed. For more information, see Supported in-place - upgrade paths for Red Hat Enterprise Linux. -
  • -
  • - With the release of RHEL 9.2, multiple upgrade paths are now available for the in-place - upgrade from RHEL 8 to RHEL 9. For the current release, it is possible to perform an - in-place upgrade from either RHEL 8.8 to RHEL 9.2, or RHEL 8.6 to RHEL 9.0.Note that the - available upgrade paths differ between standard RHEL systems and RHEL systems with SAP HANA. -
  • -
  • - The latest release of the leapp-upgrade-el8toel9 package now - contains all required leapp data files. Customers no longer need to manually download these - data files. -
  • -
  • - In-place upgrades of RHEL 8.8 systems in FIPS mode are now supported. -
  • -
  • - In-place upgrades using an ISO image that contains the target version are now possible. -
  • -
  • - RPM signatures are now automatically checked during the in-place upgrade. To disable the - automatic check, use the --nogpgcheck option when performing - the upgrade. -
  • -
  • - Systems that are subscribed to RHSM are now automatically registered with Red Hat Insights. - To disable the automatic registration, set the LEAPP_NO_INSIGHTS_REGISTER environment variable to 1. -
  • -
  • - Red Hat now collects upgrade-related data, such as the upgrade start and end times and - whether the upgrade was successful, for utility usage analysis. To disable data collection, - set the LEAPP_NO_RHSM_FACTS environment variable to 1. -
  • -
-
-

In-place upgrade from RHEL 7 to RHEL 9

-

- It is not possible to perform an in-place upgrade directly from RHEL 7 to RHEL 9. However, you can - perform an in-place upgrade from RHEL 7 to RHEL 8 and then perform a second in-place upgrade to RHEL - 9. For more information, see Upgrading - from RHEL 7 to RHEL 8. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-

- Capabilities and limits of Red Hat Enterprise - Linux 9 as compared to other versions of the system are available in the Knowledgebase article Red Hat Enterprise Linux - technology capabilities and limits. -

-

- Information regarding the Red Hat Enterprise Linux life - cycle is provided in the Red Hat Enterprise Linux Life - Cycle document. -

-

- The Package - manifest document provides a package - listing for RHEL 9, including licenses and application compatibility levels. -

-

- Application compatibility levels are explained - in the Red Hat - Enterprise Linux 9: Application Compatibility Guide document. -

-

- Major differences between RHEL 8 and RHEL 9, - including removed functionality, are documented in Considerations - in adopting RHEL 9. -

-

- Instructions on how to perform an in-place upgrade from RHEL 8 - to RHEL 9 are provided by the document Upgrading - from RHEL 8 to RHEL 9. -

-

- The Red Hat Insights service, which enables you - to proactively identify, examine, and resolve known technical issues, is available with all RHEL - subscriptions. For instructions on how to install the Red Hat Insights client and register your - system to the service, see the Red Hat Insights Get - Started page. -

-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 9.2 is distributed with the kernel version 5.14.0-284.11.1, which provides - support for the following architectures at the minimum required version: -

-
-
    -
  • - AMD and Intel 64-bit architectures (x86-64-v2) -
  • -
  • - The 64-bit ARM architecture (ARMv8.0-A) -
  • -
  • - IBM Power Systems, Little Endian (POWER9) -
  • -
  • - 64-bit IBM Z (z14) -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 9

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 9 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Installation ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. On the Product - Downloads page, the Installation ISO is referred to - as Binary DVD. -

    -
    -
    Note
    -
    -

    - The Installation ISO image is in multiple GB size, and as a result, it might not - fit on optical media formats. A USB key or USB hard drive is recommended when - using the Installation ISO image to create bootable installation media. You can - also use the Image Builder tool to create customized RHEL images. For more - information about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Installation ISO image. You can also register to - Red Hat CDN or Satellite during the installation to use the latest BaseOS and AppStream - content from Red Hat CDN or Satellite. -
  • -
-
-

- See the Performing - a standard RHEL 9 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 9 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 9 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying OS - functionality that provides the foundation for all installations. This content is available in the - RPM format and is subject to support terms similar to those in previous releases of RHEL. For more - information, see the Scope of Coverage - Details document. -

-

- Content in the AppStream repository includes additional user-space applications, runtime languages, - and databases in support of the varied workloads and use cases. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 9 repositories and the packages they provide, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Multiple versions of user-space components are delivered as Application Streams and updated more - frequently than the core operating system packages. This provides greater flexibility to customize - RHEL without impacting the underlying stability of the platform or specific deployments. -

-

- Application Streams are available in the familiar RPM format, as an extension to the RPM format - called modules, as Software Collections, or as Flatpaks. -

-

- Each Application Stream component has a given life cycle, either the same as RHEL 9 or shorter. For - RHEL life cycle information, see Red Hat Enterprise Linux Life - Cycle. -

-

- RHEL 9 improves the Application Streams experience by providing initial Application Stream versions - that can be installed as RPM packages using the traditional dnf install - command. -

-
-
Note
-
-

- Certain initial Application Streams in the RPM format have a shorter life cycle than Red Hat - Enterprise Linux 9. -

-
-
-

- Some additional Application Stream versions will be distributed as modules with a shorter life cycle - in future minor RHEL 9 releases. Modules are collections of packages representing a logical unit: an - application, a language stack, a database, or a set of tools. These packages are built, tested, and - released together. -

-

- Always determine what version of an Application Stream you want to install and make sure to review - the Red Hat - Enterprise Linux Application Stream Lifecycle first. -

-

- Content that needs rapid updating, such as alternate compilers and container tools, is available in - rolling streams that will not provide alternative versions in parallel. Rolling streams may be - packaged as RPMs or modules. -

-

- For information about Application Streams available in RHEL 9 and their application compatibility - level, see the Package - manifest. Application compatibility levels are explained in the Red Hat Enterprise Linux 9: - Application Compatibility Guide document. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- In Red Hat Enterprise Linux 9, software installation is ensured by DNF. Red Hat continues to support the usage of the - yum term for consistency with previous major versions of RHEL. If you - type dnf instead of yum, the command works - as expected because both are aliases for compatibility. -

-

- Although RHEL 8 and RHEL 9 are based on DNF, - they are compatible with YUM used in RHEL 7. -

-

- For more information, see Managing - software with the DNF tool. -

-
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.2. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

A new and improved way to create blueprints and images in the image builder - web console

-

- With this enhancement, you have access to a unified version of the image builder tool and a - significant improvement in your user experience. -

-
-

- Notable enhancements in the image builder dashboard GUI include: -

-
-
    -
  • - You can now customize your blueprints with all the customizations previously supported only - in the CLI, such as kernel, file system, firewall, locale, and other customizations. -
  • -
  • - You can import blueprints by either uploading or dragging the blueprint in the .JSON or .TOML format and create - images from the imported blueprint. -
  • -
  • - You can also export or save your blueprints in the .JSON or - .TOML format. -
  • -
  • - Access to a blueprint list that you can sort, filter, and is case-sensitive. -
  • -
  • -

    - With the image builder dashboard, you can now access your blueprints, images, and - sources by navigating through the following tabs: -

    -
    -
      -
    • - Blueprint - Under the Blueprint tab, you can now import, export, or delete your - blueprints. -
    • -
    • -

      - Images - Under the Images tab, you can: -

      -
      -
        -
      • - Download images. -
      • -
      • - Download image logs. -
      • -
      • - Delete images. -
      • -
      -
      -
    • -
    • -

      - Sources - Under the Sources tab, you can: -

      -
      -
        -
      • - Download images. -
      • -
      • - Download image logs. -
      • -
      • - Create sources for images. -
      • -
      • - Delete images. -
      • -
      -
      -
    • -
    -
    -
  • -
-
-

- Jira:RHELPLAN-139448 -

-
-

Ability to create customized files and directories in the /etc directory

-

- With this enhancement, two new blueprint customizations are available. The [[customizations.files]] and the [[customizations.directories]] blueprint customizations enable you to - create customized files and directories in the /etc directory of - your image. Currently, you can use these customization only in the /etc directory. -

-
-

- The [[customizations.directories]] enables you to: -

-
-
    -
  • - Create new directories -
  • -
  • - Set user and group ownership for the directory -
  • -
  • - Set the mode permission in the octal format -
  • -
-
-

- With the [[customizations.files]] blueprint customizations you can: -

-
-
    -
  • - Create new files under the parent / directory -
  • -
  • - Modifying existing files - this overrides the existing content -
  • -
  • - Set user and group ownership for the file you are creating -
  • -
  • - Set the mode permission in the octal format -
  • -
-
-
-
Note
-
-

- The new blueprint customizations are supported by all the image types, such as edge-container, edge-commit, among - others. The customizations not supported in the blueprints used to create Installer images, - such as edge-raw-image, edge-installer, and edge-simplified-installer. -

-
-
-

- Jira:RHELPLAN-147428 -

-
-

Ability to specify user in a blueprint for simplified-installer images

-

- Previously, when creating a blueprint for a simplified-installer image, you could not specify a - user in the blueprint customization, because the customization was not used and was discarded. - With this update, when you create an image from the blueprint, this blueprint creates a user - under the /usr/lib/passwd directory and a password under the /usr/etc/shadow directory during installation time. You can log in to - the device with the username and the password you created for the blueprint. Note that after you - access the system, you need to create users, for example, using the useradd command. -

-
-

- Jira:RHELPLAN-149091 -

-
-

Support for 64-bit ARM for .vhd images built - with image builder

-

- Previously, Microsoft Azure .vhd images created with the image - builder tool were not supported on 64-bit ARM architectures. This update adds support for 64-bit - ARM Microsoft Azure .vhd images and now you can build your .vhd images using image builder and upload them to the Microsoft - Azure cloud. -

-
-

- Jira:RHELPLAN-139424 -

-
-

Minimal RHEL installation now installs only the s390utils-core package

-

- In RHEL 8.4 and later, the s390utils-base package is split into an - s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to - minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must - manually install the package after completing the RHEL installation or explicitly install s390utils-base using a kickstart file. -

-
-

- Bugzilla:1932480 -

-
-
-
-
-
-

4.2. RHEL for Edge

-
-
-
-
-

Ignition support in RHEL for Edge Simplified images

-

- With this enhancement, you can add an Ignition file to the Simplified Installer images by - customizing your blueprint. Both GUI and CLI have support for the Ignition customization. RHEL - for Edge uses the Ignition provisioning utility to inject the user configuration into the images - at an early stage of the boot process. On the first boot, Ignition reads its configuration - either from a remote URL or a file embedded in the Simplified Installer image and applies that - configuration into the image. -

-
-

- Jira:RHELPLAN-139659 -

-
-

Simplified Installer images can now be composed without the FDO - customization section in the blueprint

-

- Previously, to build a RHEL for Edge Simplified Installer image, you had to add details to the - FIDO device onboarding (FDO) customization section. Otherwise, the image build would fail. With - this update, the FDO customization in blueprints is now optional, and you can build RHEL for - Edge Simplified Installer image with no errors. -

-
-

- Jira:RHELPLAN-139655 -

-
-

Red Hat build of MicroShift enablement for RHEL for Edge images -

-

- With this enhancement, you can enable Red Hat build of MicroShift services in a RHEL for Edge - system. By using the [[customizations.firewalld.zones]] blueprint - customization, you can add support for firewalld sources in the - blueprint customization. For that, specify a name for the zone and a list of sources in that - specific zone. Sources can be of the form source[/mask]|MAC|ipset:ipset. -

-
-

- The following is a blueprint example on how to configure and customize support for Red Hat build of - MicroShift services in a RHEL for Edge system. -

-
[[packages]]
-name = "microshift"
-version = "*"
-[customizations.services]
-enabled = ["microshift"]
-[[customizations.firewall.zones]]
-name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
-

- The Red Hat build of MicroShift installation requirements, such as firewall policies, MicroShift - RPM, systemd service, enable you to create a deployment ready for - production to achieve workload portability to a minimum field deployed edge device and by default - LVM device mapper enablement. -

-

- Jira:RHELPLAN-136489 -

-
-
-
-
-
-

4.3. Software management

-
-
-
-
-

New dnf offline-upgrade command for offline - updates on RHEL

-

- With this enhancement, you can apply offline updates to RHEL by using the new dnf offline-upgrade command from the DNF system-upgrade plug-in. -

-
-
-
Important
-
-

- The dnf system-upgrade command included in the system-upgrade plug-in is not supported on RHEL. -

-
-
-

- Bugzilla:2131288 -

-
-

Applying advisory security filters to dnf offline-upgrade is now supported

-

- With this enhancement, the new functionality for advisories filtering has been added. As a - result, you can now download packages and their dependencies only from the specified advisory by - using the dnf offline-upgrade command with advisory security - filters (--advisory, --security, --bugfix, and other filters). -

-
-

- Bugzilla:2139326 -

-
-

The unload_plugins function is now available - for the DNF API

-

- With this enhancement, a new unload_plugins function has been added - to the DNF API to allow plug-ins unloading. -

-
-
-
Important
-
-

- Note that you must first run the init_plugins function, and - then run the unload_plugins function. -

-
-
-

- Bugzilla:2121662 -

-
-

New --nocompression option for rpm2archive

-

- With this enhancement, the --nocompression option has been added to - the rpm2archive utility. You can use this option to avoid - compression when directly unpacking an RPM package. -

-
-

- Bugzilla:2150804 -

-
-
-
-
-
-

4.4. Shells and command-line tools

-
-
-
-
-

ReaR is now fully supported also on the 64-bit IBM Z architecture -

-

- Basic Relax and Recover (ReaR) functionality, previously available on the 64-bit IBM Z - architecture as a Technology Preview, is fully supported with the rear package version 2.6-17.el9 or later. You can create a ReaR - rescue image on the IBM Z architecture in the z/VM environment only. Backing up and recovering - logical partitions (LPARs) is not supported at the moment. ReaR supports saving and restoring - disk layout only on Extended Count Key Data (ECKD) direct access storage devices (DASDs). Fixed - Block Access (FBA) DASDs and SCSI disks attached through Fibre Channel Protocol (FCP) are not - supported for this purpose. The only output method currently available is Initial Program Load - (IPL), which produces a kernel and an initial ramdisk (initrd) compatible with the zIPL bootloader. -

-
-

- For more information, see Using - a ReaR rescue image on the 64-bit IBM Z architecture. -

-

- Bugzilla:2046653 -

-
-

systemd rebased to version 252

-

- The systemd package has been upgraded to version 252. Notable - changes include: -

-
-
-
    -
  • - You can specify the default timeout when waiting for device units to activate by using the - DefaultDeviceTimeoutSec= option in system.conf and user.conf files. -
  • -
  • - At shutdown, systemd now logs about processes blocking - unmounting of file systems. -
  • -
  • - You can now use drop-ins for transient units too. -
  • -
  • - You can use size suffixes, such as K, M, G, T and others in the ConditionMemory= option. -
  • -
  • - You can list automount points by using the systemctl list-automounts command. -
  • -
  • - You can use the systemd-logind utility to stop an idle session - after a preconfigured timeout by using the StopIdleSessionSec= - option. -
  • -
  • - The systemd-udev utility now creates the infiniband by-path and infiniband by-ibdev links for Infiniband verbs devices. -
  • -
  • - The systemd-tmpfiles utility now gracefully handles the absent - source of C copy. -
  • -
  • - The systemd-repart utility now generates dm-verity partitions, including signatures. -
  • -
-
-

- Bugzilla:2217931 -

-
-

Updated systemd-udevd assigns consistent - network device names to InfiniBand interfaces

-

- Introduced in RHEL 9, the new version of the systemd package - contains the updated systemd-udevd device manager. The device - manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd. -

-
-

- You can define custom naming rules for naming InfiniBand interfaces by following the Renaming - IPoIB devices procedure. -

-

- For more details of the naming scheme, see the systemd.net-naming-scheme(7) man page. -

-

- Bugzilla:2136937 -

-
-
-
-
-
-

4.5. Infrastructure services

-
-
-
-
-

chrony rebased to version 4.3

-

- The chrony suite has been updated to version 4.3. Notable - enhancements over version 4.2 include: -

-
-
-
    -
  • - Added long-term quantile-based filtering of Network Time Protocol (NTP) measurements. You - can enable this feature by adding the maxdelayquant option to - the pool, server, or peer directive. -
  • -
  • - Added the selection log to provide more information about chronyd selection of sources. You can enable the selection log by - adding the selection option to the log directive. -
  • -
  • - Improved synchronization stability when using the hardware timestamping and Pulse-Per-Second - Hardware Clock (PHC) reference clocks. -
  • -
  • - Added support for the system clock stabilization using a free-running stable clock, for - example, Temperature Compensated Crystal Oscillator (TCXO), Oven-Controlled Crystal - Oscillator (OCXO), or an atomic clock. -
  • -
  • - Increased the maximum polling rate to 128 messages per second. -
  • -
-
-

- Bugzilla:2133754 -

-
-

frr rebased to version 8.3.1

-

- The frr package for managing dynamic routing stack has been updated - to version 8.3.1. Notable changes over version 8.2.2 include: -

-
-
-
    -
  • -

    - Added a new set of commands to interact with the Border Gateway Protocol (BGP): -

    -
    -
      -
    • - the set as-path replace command to replace the - Autonomous System (AS) path attribute of a BGP route with a new value. -
    • -
    • - the match peer command to match a specific BGP peer - or group when configuring a BGP route map. -
    • -
    • - the ead-es-frag evi-limit command to set a limit on - the number of Ethernet A-D per EVI fragments that can be sent in a given period - of time in EVPN. -
    • -
    • - the match evpn route-type command to take specific - actions on certain types of EVPN routes, such as route-target, - route-distinguisher, or MAC/IP routes. -
    • -
    -
    -
  • -
  • - Added the show thread timers command in the VTYSH command-line - interface for interacting with FRR daemons. -
  • -
  • - Added the show ip ospf reachable-routers command to display a - list of routers that are currently reachable through the OSPF protocol. -
  • -
  • -

    - Added new commands to interact with the Protocol Independent Multicast (PIM) daemon: -

    -
    -
      -
    • - the debug igmp trace detail command to enable - debugging for Internet Group Management Protocol (IGMP) messages with detailed - tracing. -
    • -
    • - the ip pim passive command to to configure the - interface as passive, not sending PIM messages. -
    • -
    -
    -
  • -
  • - Added new outputs for the show zebra command, such as ECMP, - EVPN, MPLS statuses. -
  • -
  • - Added the show ip nht mrib command to the ZEBRA component to - display multicast-related information from the mroute table in - the kernel. -
  • -
-
-

- Bugzilla:2129731 -

-
-

vsftpd rebased to version 3.0.5

-

- The Very Secure FTP Daemon (vsftpd) provides a secure method of - transferring files between hosts. The vsftpd package has been - updated to version 3.0.5. Notable changes and enhancements include the following SSL - modernizations: -

-
-
-
    -
  • - By default, the vsftpd utility now requires the use of TLS - version 1.2 or later for secure connections. -
  • -
  • - The vsftpd utility is now compatible with the latest FileZilla - client. -
  • -
-
-

- Bugzilla:2018284 -

-
-

The frr package now contains targeted SELinux - policy

-

- Due to the fast development of the frr package for managing dynamic - routing stack, new features and access vector cache (AVC) issues arose frequently. With this - enhancement, the SELinux rules are now packaged together with FRR to address any issues faster. - SELinux adds an additional level of protection to the package by enforcing mandatory access - control policies. -

-
-

- Bugzilla:2129743 -

-
-

powertop rebased to version 2.15

-

- The powertop package for improving the energy efficiency has been - updated to version 2.15. Notable changes and enhancements include: -

-
-
-
    -
  • - Several Valgrind errors and possible buffer overrun have been fixed to improve the powertop tool stability. -
  • -
  • - Improved compatibility with Ryzen processors and Kaby Lake platforms. -
  • -
  • - Enabled Lake Field, Alder Lake N, and Raptor Lake platforms support. -
  • -
  • - Enabled Ice Lake NNPI and Meteor Lake mobile and desktop support. -
  • -
-
-

- Bugzilla:2044132 -

-
-

The systemd-sysusers utility is available in - the chrony, dhcp, radvd, and squid packages -

-

- The systemd-sysusers utility creates system users and groups during - package installation and removes them during a removal of the package. With this enhancement, - the following packages contain the systemd-sysusers utility in - their scriptlets: -

-
-
-
    -
  • - chrony, -
  • -
  • - dhcp, -
  • -
  • - radvd, -
  • -
  • - squid. -
  • -
-
-

- Jira:RHELPLAN-136485 -

-
-

New synce4l package for frequency - synchronization is now available

-

- SyncE (Synchronous Ethernet) is a hardware feature that enables PTP clocks to achieve precise - synchronization of frequency at the physical layer. SyncE is supported in certain network - interface cards (NICs) and network switches. -

-
-

- With this enhancement, the new synce4l package is now available, which - provides support for SyncE. As a result, Telco Radio Access Network (RAN) applications can now - achieve more efficient communication due to more accurate time synchronization. -

-

- Bugzilla:2143264 -

-
-

tuned rebased to version 2.20.0

-

- The TuneD utility for optimizing the performance of applications and workloads has been updated - to version 2.20.0. Notable changes and enhancements over version 2.19.0 include: -

-
-
-
    -
  • - An extension of API enables you to move devices between plug-in instances at runtime. -
  • -
  • -

    - The plugin_cpu module, which provides fine-tuning of - CPU-related performance settings, introduces the following enhancements: -

    -
    -
      -
    • - The pm_qos_resume_latency_us feature enables you to - limit the maximum time allowed for each CPU to transition from an idle state to - an active state. -
    • -
    • - TuneD adds support for the intel_pstate scaling - driver, which provides scaling algorithms to tune the systems’ power management - based on different usage scenarios. -
    • -
    -
    -
  • -
  • - The socket API to control TuneD through a Unix domain socket is now available as a - Technology Preview. See Socket API for TuneD - available as a Technology Preview for more information. -
  • -
-
-

- Bugzilla:2133815, Bugzilla:2113925, Bugzilla:2118786, Bugzilla:2095829 -

-
-
-
-
-
-

4.6. Security

-
-
-
-
-

Libreswan rebased to 4.9

-

- The libreswan packages have been upgraded to version 4.9. Notable - changes over the previous version include: -

-
-
-
    -
  • - Support for the {left,right}pubkey= options to the addconn and whack utilities -
  • -
  • - KDF self-tests -
  • -
  • -

    - Show host’s authentication key (showhostkey): -

    -
    -
      -
    • - Support for ECDSA public keys -
    • -
    • - New --pem option to print PEM encoded public key -
    • -
    -
    -
  • -
  • -

    - The Internet Key Exchange Protocol Version 2 (IKEv2): -

    -
    -
      -
    • - Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) support -
    • -
    • - EAP-only Authentication support -
    • -
    -
    -
  • -
  • -

    - The pluto IKE daemon: -

    -
    -
      -
    • - Support for maxbytes and maxpacket counters -
    • -
    -
    -
  • -
-
-

- Bugzilla:2128669 -

-
-

OpenSSL rebased to 3.0.7

-

- The OpenSSL packages have been rebased to version 3.0.7, which contains various bug fixes and - enhancements. Most notably, the default provider now includes the RIPEMD160 hash function. -

-
-

- Bugzilla:2129063 -

-
-

libssh now supports smart cards

-

- You can now use smart cards through Public-Key Cryptography Standard (PKCS) #11 Uniform Resource - Identifier (URI). As a result, you can use smart cards with the libssh SSH library and with applications that use libssh. -

-
-

- Bugzilla:2026449 -

-
-

libssh rebased to 0.10.4

-

- The libssh library, which implements the SSH protocol for secure - remote access and file transfer between machines, has been updated to version 0.10.4. -

-
-

- New features: -

-
-
    -
  • - Support for OpenSSL 3.0 has been added. -
  • -
  • - Support for smart cards has been added. -
  • -
  • - Two new configuration options IdentityAgent and ModuliFile have been added. -
  • -
-
-

- Other notable changes include: -

-
-
    -
  • - OpenSSL versions older than 1.0.1 are no longer supported -
  • -
  • - By default, Digital Signature Algorithm (DSA) support has been disabled at build time. -
  • -
  • - The SCP API has been deprecated. -
  • -
  • - The pubkey and privatekey APIs - have been deprecated. -
  • -
-
-

- Bugzilla:2068475 -

-
-

SELinux user-space packages updated to 3.5

-

- The SELinux user-space packages libselinux, libsepol, libsemanage, checkpolicy, mcstrans, and policycoreutils, which includes the sepolicy utility, have been updated to version 3.5. Notable - enhancements and bug fixes include: -

-
-
-
    -
  • -

    - The sepolicy utility: -

    -
    -
      -
    • - Added missing booleans to man pages -
    • -
    • - Several Python and GTK updates -
    • -
    -
    -
  • -
  • - Added a workaround to libselinux that reduces heap memory usage - by the PCRE2 library -
  • -
  • -

    - The libsepol package: -

    -
    -
      -
    • - Rejects attributes in type AV rules for kernel policies -
    • -
    • - No longer writes empty class definitions, which allows simpler round-trip tests -
    • -
    • - Stricter policy validation -
    • -
    -
    -
  • -
  • - The fixfiles script unmounts temporary bind mounts on the SIGINT signal -
  • -
  • - Many code and spelling bugs fixed -
  • -
  • - Removed dependency on the deprecated Python module distutils - and the installation using PIP -
  • -
  • - The semodule option --rebuild-if-modules-changed renamed to --refresh -
  • -
  • - Translation updated for generated descriptions and improved handling of unsupported - languages -
  • -
  • - Fixed many static code analysis bugs, fuzzer problems, and compiler warnings -
  • -
-
-

- Bugzilla:2145224, Bugzilla:2145228, Bugzilla:2145229, Bugzilla:2145226, Bugzilla:2145230, Bugzilla:2145231 -

-
-

OpenSCAP rebased to 1.3.7

-

- The OpenSCAP packages have been rebased to upstream version 1.3.7. This version provides various - bug fixes and enhancements, most notably: -

-
-
-
    -
  • - Fixed error when processing OVAL filters (RHBZ#2126882) -
  • -
  • - OpenSCAP no longer emits invalid empty xmlfilecontent items if - XPath does not match (RHBZ#2139060) -
  • -
  • - Prevented Failed to check available memory errors (RHBZ#2111040) -
  • -
-
-

- Bugzilla:2159286 -

-
-

SCAP Security Guide rebased to 0.1.66

-

- The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.66. This - version provides various enhancements and bug fixes, most notably: -

-
-
-
    -
  • - New CIS RHEL9 profiles -
  • -
  • - Deprecation of rule account_passwords_pam_faillock_audit in - favor of accounts_passwords_pam_faillock_audit -
  • -
-
-

- Bugzilla:2158405 -

-
-

New SCAP rule for idle session termination

-

- New SCAP rule logind_session_timeout has been added to the scap-security-guide package in ANSSI-BP-028 profiles for Enhanced and - High levels. This rule uses a new feature of the systemd service - manager and terminates idle user sessions after a certain time. This rule provides automatic - configuration of a robust idle session termination mechanism which is required by multiple - security policies. As a result, OpenSCAP can automatically check the security requirement - related to terminating idle user sessions and, if necessary, remediate it. -

-
-

- Bugzilla:2122325 -

-
-

scap-security-guide rules for Rsyslog log - files are compatible with RainerScript logs

-

- Rules in scap-security-guide for checking and remediating - ownership, group ownership, and permissions of Rsyslog log files are now also compatible with - the RainerScript syntax. Modern systems already use the RainerScript syntax in Rsyslog - configuration files and the respective rules were not able to recognize this syntax. As a - result, scap-security-guide rules can now check and remediate - ownership, group ownership, and permissions of Rsyslog log files in both available syntaxes. -

-
-

- Bugzilla:2169414 -

-
-

Keylime rebased to 6.5.2

-

- The keylime packages have been rebased to upstream version - - keylime-6.5.2-5.el9. This version contains various enhancements and bug fixes, most notably the - following: -

-
-
-
    -
  • - Addressed vulnerability CVE-2022-3500 -
  • -
  • - The Keylime agent no longer fails IMA attestation when one scripts is executed quickly after - another RHBZ#2138167 -
  • -
  • - Fixed segmentation fault in the /usr/share/keylime/create_mb_refstate script RHBZ#2140670 -
  • -
  • - Registrar no longer crashes during EK validation when the require_ek_cert option is enabled RHBZ#2142009 -
  • -
-
-

- Bugzilla:2150830 -

-
-

Clevis accepts external tokens

-

- With the new -e option introduced to the Clevis automated - encryption tool, you can provide an external token ID to avoid entering your password during - cryptsetup. This feature makes the configuration process more - automated and convenient, and is useful particularly for packages such as stratis that use Clevis. -

-
-

- Bugzilla:2126533 -

-
-

Rsyslog TLS-encrypted logging now supports multiple CA files

-

- With the new NetstreamDriverCaExtraFiles directive, you can specify - a list of additional certificate authority (CA) files for TLS-encrypted remote logging. Note - that the new directive is available only for the ossl (OpenSSL) - Rsyslog network stream driver. -

-
-

- Bugzilla:2124849 -

-
-

Rsyslog privileges are limited

-

- The privileges of the Rsyslog log processing system are now limited to only the privileges - explicitly required by Rsyslog. This minimizes security exposure in case of a potential error in - input resources, for example, a networking plugin. As a result, Rsyslog has the same - functionality but does not have unnecessary privileges. -

-
-

- Bugzilla:2127404 -

-
-

SELinux policy allows Rsyslog to drop privileges at start

-

- Because the privileges of the Rsyslog log processing system are now more limited to minimize - security exposure (RHBZ#2127404), the SELinux - policy has been updated to allow the rsyslog service to drop - privileges at start. -

-
-

- Bugzilla:2151841 -

-
-

Tang now uses systemd-sysusers

-

- The Tang network presence server now adds system users and groups through the systemd-sysusers service instead of shell scripts containing useradd commands. This simplifies checking of the system user list, - and you can also override definitions of system users by providing sysuser.d files with higher priority. -

-
-

- Bugzilla:2095474 -

-
-

opencryptoki rebased to 3.19.0

-

- The opencryptoki package has been rebased to version 3.19.0, which - provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features: -

-
-
-
    -
  • - IBM-specific Dilithium keys -
  • -
  • - Dual-function cryptographic functions -
  • -
  • - Cancelling active session-based operations by using the new C_SessionCancel function, as described in the PKCS #11 - Cryptographic Token Interface Base Specification v3.0 -
  • -
  • - Schnorr signatures through the CKM_IBM_ECDSA_OTHER mechanism -
  • -
  • - Bitcoin key derivation through the CKM_IBM_BTC_DERIVE mechanism -
  • -
  • - EP11 tokens in IBM z16 systems -
  • -
-
-

- Bugzilla:2110314 -

-
-

SELinux now confines mptcpd and udftools

-

- With this update of the selinux-policy packages, SELinux confines - the following services: -

-
-
-
    -
  • - mptcpd -
  • -
  • - udftools -
  • -
-
-

- Bugzilla:1972222 -

-
-

fapolicyd now provides filtering of the RPM database

-

- With the new configuration file /etc/fapolicyd/rpm-filter.conf, you - can customize the list of RPM-database files that the fapolicyd - software framework stores in the trust database. This way, you can block certain applications - installed by RPM or allow an application denied by the default configuration filter. -

-
-

- Jira:RHEL-192 -

-
-

GnuTLS can add and remove padding during decryption and encryption -

-

- The implementation of certain protocols requires PKCS#7 padding during decryption and - encryption. The gnutls_cipher_encrypt3 and gnutls_cipher_decrypt3 block cipher functions have been added to - GnuTLS to transparently handle padding. As a result, you can now use these functions in - combination with the GNUTLS_CIPHER_PADDING_PKCS7 flag to - automatically add or remove padding if the length of the original plaintext is not a multiple of - the block size. -

-
-

- Bugzilla:2084161 -

-
-

NSS no longer support RSA keys shorter than 1023 bits

-

- The update of the Network Security Services (NSS) libraries changes the minimum key size for all - RSA operations from 128 to 1023 bits. This means that NSS no longer perform the following - functions: -

-
-
-
    -
  • - Generate RSA keys shorter than 1023 bits. -
  • -
  • - Sign or verify RSA signatures with RSA keys shorter than 1023 bits. -
  • -
  • - Encrypt or decrypt values with RSA key shorter than 1023 bits. -
  • -
-
-

- Bugzilla:2091905 -

-
-

The Extended Master Secret TLS Extension is - now enforced on FIPS-enabled systems

-

- With the release of the RHSA-2023:3722 advisory, the TLS - Extended Master Secret (EMS) extension (RFC 7627) is mandatory for - TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 - requirements. TLS 1.3 is not affected. -

-
-

- Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL - 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 - without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 - and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not - support EMS or TLS 1.3. -

-

- In addition, connecting from a FIPS-enabled RHEL client to a hypervisor such as VMWare ESX now fails - with a Provider routines::ems not enabled error if the hypervisor uses - TLS 1.2 without EMS. To work around this problem, update the hypervisor to support TLS 1.3 or TLS - 1.2 with the EMS extension. For VMWare vSphere, this means version 8.0 or later. -

-

- For more information, see TLS - Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2. -

-

- Bugzilla:2188046, Bugzilla:2218721 -

-
-
-
-
-
-

4.7. Networking

-
-
-
-
-

NetworkManager rebased to version 1.42.2

-

- The NetworkManager packages have been upgraded to upstream version - 1.42.2, which provides a number of enhancements and bug fixes over the previous version: -

-
-
-
    -
  • - Ethernet bonds support source load balancing. -
  • -
  • - NetworkManager can manage connections on the loopback device. -
  • -
  • - Support for IPv4 equal-cost multi-path (ECMP) routes was added. -
  • -
  • - Support for 802.1ad tagging in Virtual Local Area Networks - (VLANs) connections was added. -
  • -
  • - The nmtui application supports Wi-Fi WPA-Enterprise, Ethernet - with 802.1X authentication, and MACsec connection profiles. -
  • -
  • - NetworkManager rejects DHCPv6 leases if all addresses fail IPv6 duplicate address detection - (DAD). -
  • -
-
-

- For further information about notable changes, read the upstream - release notes. -

-

- Bugzilla:2134897 -

-
-

Introduction of the weight property in ECMP - routing with NetworkManager

-

- With this update, RHEL 9 supports a new property weight when - defining IPv4 Equal-Cost Multi-Path (ECMP) routes. You can configure multipath routing using - NetworkManager to load-balance and stabilize network traffic. This allows for multiple paths to - be used for data transmission between two nodes, which improves the network efficiency and - provides redundancy in the event of a link failure. Conditions for using the weight property include: -

-
-
-
    -
  • - The valid values are 1-256. -
  • -
  • - Define multiple next-hop routes as single-hop routes with the weight property. -
  • -
  • - If you do not set weight, NetworkManager cannot merge the - routes into an ECMP route. -
  • -
-
-

- Bugzilla:2081302 -

-
-

NetworkManager update brings improved flexibility for DNS configuration - across multiple networks

-

- With this update, you can use the existing [global-dns] section in - the /etc/Networkmanager/NetworkManager.conf file to configure DNS - options without specifying the nameserver value in the [global-dns-domain-*] section. This enables you to configure DNS - options in the /etc/resolv.conf file while still relying on the DNS - servers provided by the network connection for actual DNS resolution. As a result, the feature - makes it easier and more flexible to manage your DNS settings when connecting to different - networks with different DNS servers. Especially when you use the /etc/resolv.conf file to configure DNS options. -

-
-

- Bugzilla:2019306 -

-
-

NetworkManager now supports a new vlan.protocol property

-

- With this update, the vlan interface type now accepts a new protocol property. The property type is string. The accepted values - are either 802.1Q (default), or 802.1ad. The new property specifies which VLAN protocol controls the - tag identifier for encapsulation. -

-
-

- Bugzilla:2128809 -

-
-

NetworkManager now allows VLAN configuration over unmanaged - interface

-

- With this enhancement, you can use an unmanaged networking interface as a base interface when - configuring virtual LAN (VLAN) with NetworkManager. As a result, the VLAN base interface remains - intact unless changed explicitly through the nmcli device set enp1s0 managed true - command or other API of NetworkManager. -

-
-

- Bugzilla:2110307 -

-
-

Configuring Multipath TCP using NetworkManager is now fully - supported

-

- With this update, the NetworkManager utility provides you with the Multipath TCP (MPTCP) - functionality. You can use nmcli commands to control MPTCP and make - its settings persistent. -

-
-

- For more information, see: -

- -

- Bugzilla:2029636 -

-
-

The NetworkManager utility now supports activating connections on the loopback interface

-

- Administrators can manage the loopback interface to: -

-
-
-
    -
  • - Add extra IP addresses to the loopback interface -
  • -
  • - Define DNS configuration -
  • -
  • - Define a special route, which does not bind to an interface -
  • -
  • - Define a route rule, which is not interface-related -
  • -
  • - Change Maximum Transmission Unit (MTU) size of the loopback - interface -
  • -
-
-

- Bugzilla:2073512 -

-
-

The balance-slb bonding mode is now - supported

-

- The new balance-slb bonding mode Source load balancing requires no - switch configuration. The balance-slb divides traffic on the source - ethernet address using xmit_hash_policy=vlan+srcmac, and NetworkManager adds necessary nftables rules for traffic filtering. As a result, you can now create - bond profiles with the balance-slb option enabled by using - NetworkManager. -

-
-

- Bugzilla:2128216 -

-
-

firewalld rebased to version 1.2

-

- The firewalld package has been upgraded to version 1.2, which - provides multiple enhancements. Notable changes include: -

-
-
-
    -
  • - Support for new services (for example netdata, IPFS) -
  • -
  • - Fail-safe mode to ensure that the system remains protected and that network communication is - not disrupted if the firewalld service encounters an error - during its startup -
  • -
  • - Tab-completion in command-line (CLI) for some of the firewalld - policy commands -
  • -
-
-

- Bugzilla:2125371 -

-
-

The firewalld now supports the startup - failsafe mechanism

-

- With this enhancement, firewalld will fall back to failsafe - defaults in case of a startup failure. This feature protects the host in case of invalid - configurations or other startup issues. As a result, even if the user configuration is invalid, - hosts running firewalld are now startup failsafe. -

-
-

- Bugzilla:2077512 -

-
-

conntrack-tools rebased to version - 1.4.7

-

- The conntrack-tools package has been upgraded to version 1.4.7, - which provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Adds the IPS_HW_OFFLOAD flag, which specifies offloading of a - conntrack entry to the hardware -
  • -
  • - Adds clash_resolve and chaintoolong statistical counters -
  • -
  • - Supports filtering events by IP address family -
  • -
  • - Accepts yes or no as synonyms to on or off in the conntrackd.conf file -
  • -
  • - Supports user space helper auto-loading upon daemon startup. Users do not have to manually - run the nfct add helper commands -
  • -
  • - Removes the -o userspace command option and always tags user - space triggered events -
  • -
  • - Logs external inject problems as warning only -
  • -
  • - Ignores conntrack ID when looking up cache entries to allow for stuck old ones to be - replaced -
  • -
  • - Fixes broken parsing of IPv6 M-SEARCH requests in the ssdp cthelper module -
  • -
  • - Eliminates the need for lazy binding technique in the nfct - library -
  • -
  • - Sanitizes protocol value parsing, catch invalid values -
  • -
-
-

- Bugzilla:2132398 -

-
-

The nmstate API now supports IPv6 link-local - addresses as DNS servers

-

- With this enhancement, you can use the nmstate API to set IPv6 - link-local addresses as DNS servers. Use the <link-local_address>%<interface> format, for example: -

-
-
dns-resolver:
-  config:
-    server:
-    - fe80::deef:1%enp1s0
-

- Bugzilla:2095207 -

-
-

The nmstate API now supports MPTCP - flags

-

- This update enhances the nmstate API with support for MultiPath TCP - (MPTCP) flags. As a result, you can use nmstate to set MPTCP - address flags on interfaces with static or dynamic IP addresses. -

-
-

- Bugzilla:2120473 -

-
-

The min-mtu and max-mtu properties added to MTU on all interfaces

-

- Previously, an exception message was not clear enough to understand the supported MTU ranges. - This update introduces the min-mtu and max-mtu properties to all interfaces. As a result, nmstate will indicate the supported MTU range when the desired MTU is - out of range. -

-
-

- Bugzilla:2044150 -

-
-

NetworkManager now allows VLAN configuration over unmanaged - interface

-

- With this enhancement, you can use an unmanaged networking interface as a base interface when - configuring virtual LAN (VLAN) with NetworkManager. As a result, the VLAN base interface remains - intact unless changed explicitly through the nmcli device set enp1s0 managed true - command or other API of NetworkManager. -

-
-

- Bugzilla:2058292 -

-
-

The balance-slb bonding mode is now - supported

-

- The new balance-slb bonding mode Source load balancing requires no - switch configuration. The balance-slb divides traffic on the source - Ethernet address using xmit_hash_policy=vlan+srcmac, and NetworkManager adds necessary nftables rules for traffic filtering. As a result, you can now create - bond profiles with the balance-slb option enabled by using - NetworkManager. -

-
-

- Bugzilla:2130240 -

-
-

A new weight property in Nmstate

-

- This update introduces the weight property in the Nmstate API and - tooling suite. You can use weight to specify the relative weight of - each path in the Equal Cost Multi-Path routes (ECMP) group. The weight is a number between 1 and - 256. As a result, weight property in Nmstate provides greater - flexibility and control over traffic distribution in an ECMP group. -

-
-

- Bugzilla:2162401 -

-
-

xdp-tools rebased to version 1.3.1 -

-

- The xdp-tools packages have been upgraded to upstream version - 1.3.1, which provides a number of enhancements and bug fixes over the previous version: -

-
-
-
    -
  • -

    - The following utilities have been added: -

    -
    -
      -
    • - xdp-bench: Performs XDP benchmarks on the receive - side. -
    • -
    • - xdp-monitor: Monitors XDP errors and statistics - using kernel trace points. -
    • -
    • - xdp-trafficgen: Generates and sends traffic through - the XDP driver hook. -
    • -
    -
    -
  • -
  • -

    - The following features have been added to the libxdp - library: -

    -
    -
      -
    • - The xdp_multiprog__xdp_frags_support(), xdp_program__set_xdp_frags_support(), and xdp_program__xdp_frags_support() functions have been - added to support loading programs with XDP frags - support, a feature that is also known as multibuffer XDP. -
    • -
    • - The library performs proper reference counting when attaching programs to AF_XDP sockets. As a result, the application no - longer has to manually detach XDP programs when using sockets. The libxdp library detaches the program now automatically - when the program is no longer used. -
    • -
    • -

      - The following functions have been added to the library: -

      -
      -
        -
      • - xdp_program__create() for creating - xdp_program objects -
      • -
      • - xdp_program__clone() for cloning an - xdp_program reference -
      • -
      • - xdp_program__test_run() for running XDP - programs through the BPF_PROG_TEST_RUN - kernel API -
      • -
      -
      -
    • -
    • - When the LIBXDP_BPFFS_AUTOMOUNT environment - variable is set, the libxdp library now supports - automatically mounting of a bpffs virtual file - system if none is found. A subset of the library features can now also function - when no bpffs is mounted. -
    • -
    -
    -
  • -
-
-

- Note that this version also changes the version number of the XDP dispatcher program that is being - loaded on the network devices. This means that you can not use a previous and a new version of libxdp and xdp-tools at the same time. The - libxdp 1.3 library will display old versions of the dispatcher, but not - automatically upgrade them. Additionally, after loading a program with libxdp 1.3, older versions will not interoperate with the newer one. -

-

- Bugzilla:2160066 -

-
-

iproute rebased to version 6.1.0

-

- The iproute package has been upgraded to version 6.1.0, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • -

    - Supports reading the vdpa device statistics -

    -
    -
      -
    • -

      - Illustration of statistics reading for the virtqueue data structure at index 1: -

      -
      # vdpa dev vstats show vdpa-a qidx 1
      -vdpa-a:
      -vdpa-a: queue_type tx received_desc 321812 completed_desc 321812
      -
    • -
    • -

      - Illustration of statistics reading for the virtqueue data structure at index 16: -

      -
      # vdpa dev vstats show vdpa-a qidx 16
      -vdpa-a: queue_type control_vq received_desc 17 completed_desc 17
      -
    • -
    -
    -
  • -
  • - Updates the corresponding manual pages -
  • -
-
-

- Bugzilla:2155604 -

-
-

The kernel now logs the listening address in SYN flood messages -

-

- This enhancement adds the listening IP address to SYN flood messages: -

-
-
Possible SYN flooding on port <ip_address>:<port>.
-

- As a result, if many processes are bound to the same port on different IP addresses, administrators - can now clearly identify the affected socket. -

-

- Bugzilla:2143850 -

-
-

Introduction of new nmstate attributes for the - VLAN interface

-

- With this update of the nmstate framework, the following VLAN - attributes were introduced: -

-
-
-
    -
  • - registration-protocol: VLAN Registration Protocol. The valid - values are gvrp (GARP VLAN Registration Protocol), mvrp (Multiple VLAN Registration Protocol), and none. -
  • -
  • - reorder-headers: reordering of output packet headers. The valid - values are true and false. -
  • -
  • - loose-binding: loose binding of the interface to the operating - state of its primary device. The valid values are true and - false. -
  • -
-
-

- Your YAML configuration file can look similar to the following example: -

-
---
-interfaces:
-  - name: eth1.101
-    type: vlan
-    state: up
-    vlan:
-      base-iface: eth1
-      id: 101
-      registration-protocol: mvrp
-      loose-binding: true
-      reorder-headers: true
-

- Jira:RHEL-19142 -

-
-
-
-
-
-

4.8. Kernel

-
-
-
-
-

Kernel version in RHEL 9.2

-

- Red Hat Enterprise Linux 9.2 is distributed with the kernel version 5.14.0-284.11.1. -

-
-

- Bugzilla:2177782 -

-
-

The 64k page size kernel is now available

-

- In addition to the RHEL 9 for ARM kernel which supports 4k pages, Red Hat now offers an optional - kernel package that supports 64k pages: kernel-64k. -

-
-

- The 64k page size kernel is a useful option for large datasets on ARM platforms. It enables better - performance for some types of memory- and CPU-intensive operations. -

-

- You must choose page size on 64-bit ARM architecture systems at the time of installation. You can - install kernel-64k only by Kickstart by adding the kernel-64k package to the package list in the Kickstart file. -

-

- For more information on installing kernel-64k, see Performing - an advanced RHEL 9 installation. -

-

- Bugzilla:2153073 -

-
-

virtiofs support for kexec-tools enabled

-

- This enhancement adds the virtiofs feature for kexec-tools by introducing the new option, virtiofs myfs, where myfs is a variable - tag name to set in the qemu command line, for example, -device vhost-user-fs-pci,tag=myfs -

-
-

- The virtiofs file system implements a driver that allows a guest to - mount a directory that has been exported on the host. By using this enhancement, you can save the - virtual machine’s vmcore dump file to: -

-
-
    -
  • - A virtiofs shared directory. -
  • -
  • - The sub-directory, such as /var/crash, when the root file - system is a virtiofs shared directory. -
  • -
  • - A different virtiofs shared directory, when the virtual - machine’s root file system is a virtiofs shared directory. -
  • -
-
-

- Bugzilla:2085347 -

-
-

The kexec-tools package now adds improvements - on remote kdump targets

-

- With this enhancement, the kexec-tools package adds significant bug - fixes and enhancements. The most notable changes include: -

-
-
-
    -
  • - Optimized memory consumption for kdump by enabling only the - required network interfaces. -
  • -
  • -

    - Improved network efficiency for kdump in events of - connection timeout failures. -

    -

    - The default wait time for a network to establish is 10 minutes maximum. This removes the - need to pass dracut parameters, such as rd.net.timeout.carrier or rd.net.timeout.dhcp as a workaround to identify a carrier. -

    -
  • -
-
-

- Bugzilla:2076416 -

-
-

BPF rebased to version 6.0

-

- The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 6.0 with - multiple enhancements. This update enables all the BPF features that depend on the BPF Type - Format (BTF) for kernel modules. Such features include the usage of BPF trampolines for tracing, - the availability of the Compile Once - Run Everywhere (CO-RE) mechanism, and several - networking-related features. Furthermore, the kernel modules now contain debugging information, - which means that you no longer need to install debuginfo packages - to inspect the running modules. -

-
-

- For more information on the complete list of BPF features available in the running kernel, use the - bpftool feature command. -

-

- Jira:RHELPLAN-133650 -

-
-

The rtla meta-tool adds the osnoise and timerlat tracers for - improved tracing capabilities

-

- The Real-Time Linux Analysis (rtla) is a meta-tool that includes a - set of commands that analyze the real-time properties of Linux. rtla leverages kernel tracing capabilities to provide precise - information about the properties and root causes of unexpected system results. rtla currently adds support for osnoise - and timerlat tracer commands: -

-
-
-
    -
  • - The osnoise tracer reports information about operating system - noise. -
  • -
  • - The timerlat tracer periodically prints the timer latency at - the timer IRQ handler and the thread handler. -
  • -
-
-

- Note that to use the timerlat feature of rtla, you must disable admission control by using the sysctl -w kernel.sched_rt_runtime_us=-1 script. -

-

- Bugzilla:2075216 -

-
-

The argparse module of Tuna now supports - configuring CPU sockets

-

- With this enhancement, you can specify a specific CPU socket when you have multiple CPU sockets. - You can view the help usage by using the -h on a subcommand, for - example, tuna show_threads -h. -

-
-

- To configure a specific CPU socket, specify the -S option with each - tuna command where you need to use CPU sockets: -

-
tuna <command> [-S CPU_SOCKET_LIST]
-

- For example, use tuna show_threads -S 2,3 to view the threads or tuna show_irqs -S 2,3 to view attached interrupt requests (IRQs). -

-

- As a result, this enhancement facilitates CPU usage based on CPU sockets without the need to specify - each CPU individually. -

-

- Bugzilla:2122781 -

-
-

The output format for cgroups and irqs in Tuna is improved to provide better readability -

-

- With this enhancement, the tuna show_threads command output for the - cgroup utility is now structured based on the terminal size. You - can also configure additional spacing to the cgroups output by - adding the new -z or --spaced option - to the show_threads command. -

-
-

- As a result, the cgroups output now has an improved readable format - that is adaptable to your terminal size. -

-

- Bugzilla:2121517 -

-
-

A new command line interface has been added to the tuna tool in real-time

-

- This enhancement adds a new command line interface to the tuna - tool, which is based on the argparse parsing module. With this - update, you can now perform the following tasks: -

-
-
-
    -
  • - Change the attributes of the application and kernel threads. -
  • -
  • - Operate on interrupt requests (IRQs) by name or number. -
  • -
  • - Operate on tasks or threads by using the process identifier. -
  • -
  • - Specify CPUs and sets of CPUs with the CPU or the socket number. -
  • -
-
-

- By using the tuna -h command, you can print the command line arguments - and their corresponding options. For each command, there are optional arguments, which you can view - with the tuna <command> -h - command. -

-

- As a result, tuna now provides an interface with a more standardized - menu of commands and options that is easier to use and maintain than the command line interface. -

-

- Bugzilla:2062865 -

-
-

The rteval command output now includes the - program loads and measurement threads information

-

- The rteval command now displays a report summary with the number of - program loads, measurement threads, and the corresponding CPU that ran these threads. This - information helps to evaluate the performance of a real-time kernel under load on specific - hardware platforms. -

-
-

- The rteval report is written to an XML file along with the boot log for - the system and saved to the rteval-<date>-N-tar.bz2 compressed - file. The date specifies the report generation date and N is the counter for the Nth run. -

-

- To generate an rteval report, enter the following command: -

-
# rteval --summarize rteval-<date>-N.tar.bz2
-

- Bugzilla:2081325 -

-
-

The -W and --bucket-width options has been added to the oslat program to measure latency

-

- With this enhancement, you can specify a latency range for a single bucket at nanoseconds - accuracy. Widths that are not multiples of 1000 nanoseconds indicate nanosecond precision. By - using the new options, -W or --bucket-width, you can modify the latency interval between buckets - to measure latency within sub-microseconds delay time. -

-
-

- For example to set a latency bucket width of 100 nanoseconds for 32 buckets over a duration of 10 - seconds to run on CPU range of 1-4 and omit zero bucket size, run the following command: -

-
# oslat -b 32 -D 10s -W 100 -z -c 1-4
-

- Note that before using the option, you must determine what level of precision is significant in - relation to the error measurement. -

-

- Bugzilla:2041637 -

-
-

The NVMe/FC transport protocol enabled as the - kdump storage target

-

- The kdump mechanism now provides the support for Nonvolatile Memory - Express (NVMe) over Fibre Channel (NVMe/FC) protocol as the dump target. With this update, you - can configure kdump to save kernel crash dump files on NVMe/FC - storage targets. -

-
-

- As a result, kdump can capture and save the vmcore file on NVMe/FC in the event of a - kernel crash without timeout or reconnect - errors. -

-

- For more information on NVMe/FC configuration, see Managing - storage devices -

-

- Bugzilla:2080110 -

-
-

The crash-utility tool has been rebased to - version 8.0.2

-

- The crash-utility, which analyzes an active system state or after a - kernel crash, has been rebased to version 8.0.2. The notable change includes adding support for - multiqueue(blk-mq) devices. By using the dev -d or dev -D command, you can - display the disk I/O statistics for multiqueue(blk-mq) devices. -

-
-

- Bugzilla:2119685 -

-
-

openssl-ibmca rebased to version - 2.3.1

-

- The dynamic OpenSSL engine and provider for IBMCA on 64-bit IBM Z architecture have been rebased - to upstream version 2.3.1. Users of RHEL 9 are recommended to use the OpenSSL provider to ensure compatibility with future updates of - OpenSSL. The engine functionality has been deprecated in - OpenSSL version 3. -

-
-

- Bugzilla:2110378 -

-
-

Secure Execution guest dump encryption with customer keys

-

- This new feature allows hypervisor-initiated dumps for Secure Execution guests to collect kernel - crash information from KVM in scenarios in which the kdump utility - does not work. Note that hypervisor-initiated dumps for Secure Execution is designed for the IBM - Z Series z16 and LinuxONE Emperor 4 hardware. -

-
-

- Bugzilla:2044204 -

-
-

The TSN protocol for real-time has been enabled on the ADL-S - platform

-

- With this enhancement, the IEEE Time Sensitive Networking (TSN) specification enables time - synchronization and deterministic processing of real-time workloads over the network on Intel - Alder Lake S (ADL-S) platform. It supports the following network devices: -

-
-
-
    -
  • - A discrete 2.5GbE MAC-PHY combo with TSN support: Intel® i225/i226 -
  • -
  • - An integrated 2.5GbE MAC in the SOC with 3rd party PHY chips from Marvell, Maxlinear and TI - covering the 1GbE and 2.5Gbe speed, is available on select skus - and SOCs. -
  • -
-
-

- With the TSN protocol, you can manage deterministic applications scheduling, preemption, and - accurate time synchronization type workloads in embedded implementations. These implementations need - dedicated, specialized, and proprietary networks, while workloads run on standard Ethernet, Wi-Fi, - and 5G networks. -

-

- As a result, TSN provides improved capabilities for: -

-
-
    -
  • - Hardware: Intel based systems used for implementing real-time workloads in IoT -
  • -
  • - Deterministic and time sensitive applications -
  • -
-
-

- Bugzilla:2100606 -

-
-

The Intel ice driver rebased to version - 6.0.0

-

- The Intel ice driver has been upgraded to upstream version 6.0.0, - which provides a number of enhancements and bug fixes over previous versions. The notable - enhancements include: -

-
-
-
    -
  • - Point-to-Point Protocol over Ethernet (PPPoE) protocol hardware - offload -
  • -
  • - Inter-Integrated Circuit (I2C) protocol write command -
  • -
  • - VLAN Tag Protocol Identifier (TPID) filters in the Ethernet - switch device driver model (switchdev) -
  • -
  • - Double VLAN tagging in switchdev -
  • -
-
-

- Bugzilla:2104468 -

-
-

Option to write data for gnss module is now - available

-

- This update provides the option of writing data to the gnss - receiver. Previously, gnss was not fully configurable. With this - enhancement, all gnss functions are now available. -

-
-

- Bugzilla:2111048 -

-
-

Hosting Secure Boot certificates for IBM zSystems

-

- Starting with IBM z16 A02/AGZ and LinuxONE Rockhopper 4 LA2/AGL, you can manage certificates - used to validate Linux kernels when starting the system with Secure Boot enabled on the Hardware - Management Console (HMC). Notably: -

-
-
-
    -
  • - You can load certificates in a system certificate store using the HMC in DPM and classic - mode from an FTP server that can be accessed by the HMC. It is also possible to load - certificates from a USB device attached to the HMC. -
  • -
  • - You can associate certificates stored in the certificate store with an LPAR partition. - Multiple certificates can be associated with a partition and a certificate can be associated - with multiple partitions. -
  • -
  • - You can de-associate certificates in the certificate store from a partition by using HMC - interfaces. -
  • -
  • - You can remove certificates from the certificate store. -
  • -
  • - You can associate up to 20 certificates with a partition. -
  • -
-
-

- The built-in firmware certificates are still available. In particular, as soon as you use the - user-managed certificate store, the built-in certificates will no longer be available. -

-

- Certificate files loaded into the certificate store must meet the following requirements: -

-
-
    -
  • - They have the PEM- or DER-encoded X.509v3 format and one of the following filename - extensions: .pem, .cer, .crt, or .der. -
  • -
  • - They are not expired. -
  • -
  • - The key usage attribute must be Digital Signature. -
  • -
  • - The extended key usage attribute must contain Code - Signing. -
  • -
-
-

- A firmware interface allows a Linux kernel running in a logical partition to load the certificates - associated with this partition. Linux on IBM Z stores these certificates in the .platform keyring, allowing the Linux kernel to verify kexec kernels and third party kernel modules to be verified using - certificates associated with that partition. -

-

- It is the responsibility of the operator to only upload verified certificates and to remove - certificates that have been revoked. -

-
-
Note
-
-

- The Red Hat Secureboot 302 certificate that you need to load - into the HMC is available at Product Signing Keys. -

-
-
-

- Bugzilla:2190123 -

-
-

zipl support for Secure Boot IPL and dump on - 64-bit IBM Z

-

- With this update, the zipl utility supports List-Directed IPL and - List-Directed dump from Extended Count Key Data (ECKD) Direct Access Storage Devices (DASD) on - the 64-bit IBM Z architecture. As a result, Secure Boot for RHEL on IBM Z also works with the - ECKD type of DASDs. -

-
-

- Bugzilla:2044200 -

-
-

rtla rebased to version 6.6 of the upstream - kernel source code

-

- The rtla utility has been upgraded to the latest upstream version, - which provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Added the -C option to specify additional control groups for - rtla threads to run in, apart from the main rtla thread. -
  • -
  • - Added the --house-keeping option to place rtla threads on a housekeeping CPU and to put measurement threads - on different CPUs. -
  • -
  • - Added support to the timerlat tracer so that you can run timerlat hist and timerlat top - threads in user space. -
  • -
-
-

- Jira:RHEL-18359 -

-
-
-
-
-
-

4.9. File systems and storage

-
-
-
-
-

nvme-cli rebased to version 2.2.1

-

- The nvme-cli packages have been upgraded to version 2.2.1, which - provide multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Added the new nvme show-topology command, which displays the - topology of all NVMe subsystems. -
  • -
  • - Dropped the libuuid dependency. -
  • -
  • - The uint128 data fields are displayed correctly. -
  • -
  • - Updated the libnvme dependency to version 1.2. -
  • -
-
-

- Bugzilla:2139753 -

-
-

libnvme rebased to version 1.2

-

- The libnvme packages have been upgraded to version 1.2, which - provide multiple bug fixes and enhancements. The most notable change is a dropped dependency of - the libuuid library. -

-
-

- Bugzilla:2139752 -

-
-

Stratis enforces consistent block size in pools

-

- Stratis now enforces a consistent block size in pools to address potential edge case problems - that can occur when mixed block size devices exist within a pool. With this enhancement, users - can no longer create a pool or add new devices that have a different block size from the - existing devices in the pool. As a result, there is a reduced risk of pool failure. -

-
-

- Bugzilla:2039957 -

-
-

Support for existing disk growth within the Stratis pool

-

- Previously, when a user added new disks to the RAID array, the size of the RAID array would - generally increase. However, in all cases, Stratis ignored the increase in size and continued to - use only the space that was available on the RAID array when it was first added to the pool. As - a result, Stratis was unable to identify the new device, and users could not increase the size - of the pool. -

-
-

- With this enhancement, Stratis now identifies any pool device members that have expanded in size. As - a result, users can now issue a command to expand the pool based on their requirements. -

-

- Stratis now supports the growth of existing disks within its pool, in addition to the existing - feature of growing the pool by adding new disks. -

-

- Bugzilla:2039955 -

-
-

Improved functionality of the lvreduce - command

-

- With this enhancement, when the logical volume (LV) is active, the lvreduce command checks if reducing the LV size would damage any file - system present on it. If a file system on the LV requires reduction, and the lvreduce resizefs option has not been enabled, then the LV will not - be reduced. -

-
-

- Additionally, new options are now available to control the handling of file systems while reducing - an LV. These options provide users with greater flexibility and control when using the lvreduce command. -

-

- Bugzilla:1878893 -

-
-

Direct I/O alignment information for statx was - added

-

- This update introduces a new mask value, "STATX_DIOALIGN", to the - statx(2) call. When this value is set in the stx_mask field, it requests stx_dio_mem_align and stx_dio_offset_align values, which indicate the required alignment - (in bytes) for user memory buffers and file offsets and I/O segment lengths for direct I/O - (O_DIRECT) on this file, respectively. If direct I/O is not supported on the file, both values - will be 0. This interface is now implemented for block devices as well as for files on the xfs - and ext4 filesystems in RHEL9. -

-
-

- Bugzilla:2150284 -

-
-

NFSv4.1 session trunking discovery

-

- With this update, the client can use multiple connections to the same server and session, - resulting in faster data transfer. When an NFS client mounts a multi-homed NFS server with - different IP addresses, only one connection is used by default, ignoring the rest. To improve - performance, this update adds support for the trunkdiscovery and - max_connect mount options, which enable the client to test each - connection and associate multiple connections with the same NFSv4.1+ server and session. -

-
-

- Bugzilla:2066372 -

-
-

NFS IO sizes can now be set as a multiples of PAGE_SIZE for TCP and - RDMA

-

- This update allows users to set NFS IO sizes as a multiples of PAGE_SIZE for TCP and RDMA connections. This offers greater - flexibility in optimizing NFS performance for some architectures. -

-
-

- Bugzilla:2107347 -

-
-

nfsrahead has been added to RHEL 9 -

-

- With the introduction of the nfsrahead tool, you can use it to - modify the readahead value for NFS mounts, and thus affect the NFS - read performance. -

-
-

- Bugzilla:2143747 -

-
-
-
-
-
-

4.10. High availability and clusters

-
-
-
-
-

New enable-authfile Booth configuration - option

-

- When you create a Booth configuration to use the Booth ticket manager in a cluster - configuration, the pcs booth setup command now enables the new - enable-authfile Booth configuration option by default. You can - enable this option on an existing cluster with the pcs booth enable-authfile command. Additionally, the pcs status and pcs booth status commands - now display warnings when they detect a possible enable-authfile - misconfiguration. -

-
-

- Bugzilla:2116295 -

-
-

pcs can now run the validate-all action of resource and stonith agents

-

- When creating or updating a resource or a STONITH device, you can now specify the --agent-validation option. With this option, pcs uses an agent’s validate-all action, - when it is available, in addition to the validation done by pcs - based on the agent’s metadata. -

-
-

- Bugzilla:2112270, Bugzilla:2159454 -

-
-
-
-
-
-

4.11. Dynamic programming languages, web and database servers

-
-
-
-
-

Python 3.11 available in RHEL 9

-

- RHEL 9.2 introduces Python 3.11, provided by the new package python3.11 and a suite of packages built for it, as well as the ubi9/python-311 container image. -

-
-

- Notable enhancements compared to the previously released Python 3.9 include: -

-
-
    -
  • - Significantly improved performance. -
  • -
  • - Structural Pattern Matching using the new match keyword - (similar to switch in other languages). -
  • -
  • - Improved error messages, for example, indicating unclosed parentheses or brackets. -
  • -
  • - Exact line numbers for debugging and other use cases. -
  • -
  • - Support for defining context managers across multiple lines by enclosing the definitions in - parentheses. -
  • -
  • - Various new features related to type hints and the typing - module, such as the new X | Y type union operator, variadic - generics, and the new Self type. -
  • -
  • - Precise error locations in tracebacks pointing to the expression that caused the error. -
  • -
  • - A new tomllib standard library module which supports parsing - TOML. -
  • -
  • - An ability to raise and handle multiple unrelated exceptions simultaneously using Exception - Groups and the new except* syntax. -
  • -
-
-

- Python 3.11 and packages built for it can be installed in parallel with Python 3.9 on the same - system. -

-

- To install packages from the python3.11 stack, use, for example: -

-
# dnf install python3.11
-# dnf install python3.11-pip
-

- To run the interpreter, use, for example: -

-
$ python3.11
-$ python3.11 -m pip --help
-

- See Installing - and using Python for more information. -

-

- Note that Python 3.11 will have a shorter life cycle than Python 3.9, which is the default Python - implementation in RHEL 9; see Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Bugzilla:2127923 -

-
-

nodejs:18 rebased to version 18.14 with npm rebased to version 9 -

-

- The updated Node.js 18.14 includes a SemVer major upgrade of npm from version 8 to version 9. This update was necessary due to - maintenance reasons and may require you to adjust your npm - configuration. -

-
-

- Notably, auth-related settings that are not scoped to a specific registry are no longer supported. - This change was made for security reasons. If you used unscoped authentication configurations, the - supplied token was sent to every registry listed in the .npmrc file. -

-

- If you use unscoped authentication tokens, generate and supply registry-scoped tokens in your .npmrc file. -

-

- If you have configuration lines using _auth, such as //registry.npmjs.org/:_auth in your .npmrc - files, replace them with //registry.npmjs.org/:_authToken=${NPM_TOKEN} - and supply the scoped token that you generated. -

-

- For a complete list of changes, see the upstream changelog. -

-

- Bugzilla:2178088 -

-
-

git rebased to version 2.39.1

-

- The Git version control system has been updated to version 2.39.1, - which provides bug fixes, enhancements, and performance improvements over the previously - released version 2.31. -

-
-

- Notable enhancements include: -

-
-
    -
  • - The git log command now supports a format placeholder for the - git describe output: git log --format=%(describe) -
  • -
  • -

    - The git commit command now supports the --fixup<commit> option which enables you to fix the - content of the commit without changing the log message. With this update, you can also - use: -

    -
    -
      -
    • - The --fixup=amend:<commit> option to change - both the message and the content. -
    • -
    • - The --fixup=reword:<commit> option to update - only the commit message. -
    • -
    -
    -
  • -
  • - You can use the new --reject-shallow option with the git clone command to disable cloning from a shallow repository. -
  • -
  • - The git branch command now supports the --recurse-submodules option. -
  • -
  • -

    - You can now use the git merge-tree command to: -

    -
    -
      -
    • - Test if two branches can merge. -
    • -
    • - Compute a tree that would result in the merge commit if the branches were - merged. -
    • -
    -
    -
  • -
  • - You can use the new safe.bareRepository configuration variable - to filter out bare repositories. -
  • -
-
-

- Bugzilla:2139379 -

-
-

git-lfs rebased to version 3.2.0

-

- The Git Large File Storage (LFS) extension has been updated to - version 3.2.0, which provides bug fixes, enhancements, and performance improvements over the - previously released version 2.13. -

-
-

- Notable changes include: -

-
-
    -
  • - Git LFS introduces a pure SSH-based transport protocol. -
  • -
  • - Git LFS now provides a merge driver. -
  • -
  • - The git lfs fsck utility now additionally checks that pointers - are canonical and that expected LFS files have the correct format. -
  • -
  • - Support for the NT LAN Manager (NTLM) authentication protocol has been removed. Use Kerberos - or Basic authentication instead. -
  • -
-
-

- Bugzilla:2139383 -

-
-

A new module stream: nginx:1.22

-

- The nginx 1.22 web and proxy server is now available as the nginx:1.22 module stream. This update provides a number of bug fixes, - security fixes, new features, and enhancements over the previously released version 1.20. -

-
-

- New features: -

-
-
    -
  • -

    - nginx now supports: -

    -
    -
      -
    • - OpenSSL 3.0 and the SSL_sendfile() function when - using OpenSSL 3.0. -
    • -
    • - The PCRE2 library. -
    • -
    • - POP3 and IMAP pipelining in the mail proxy module. -
    • -
    -
    -
  • -
  • - nginx now passes the Auth-SSL-Protocol and Auth-SSL-Cipher header lines to the mail proxy authentication - server. -
  • -
-
-

- Enhanced directives: -

-
-
    -
  • - Multiple new directives are now available, such as ssl_conf_command and ssl_reject_handshake. -
  • -
  • - The proxy_cookie_flags directive now supports variables. -
  • -
  • - nginx now supports variables in the following directives: proxy_ssl_certificate, proxy_ssl_certificate_key, grpc_ssl_certificate, grpc_ssl_certificate_key, uwsgi_ssl_certificate, and uwsgi_ssl_certificate_key. -
  • -
  • - The listen directive in the stream module now supports a new - fastopen parameter, which enables TCP Fast Open mode for listening sockets. -
  • -
  • - A new max_errors directive has been added to the mail proxy module. -
  • -
-
-

- Other changes: -

-
-
    -
  • -

    - nginx now always returns an error if: -

    -
    -
      -
    • - The CONNECT method is used. -
    • -
    • - Both Content-Length and Transfer-Encoding headers are specified in the - request. -
    • -
    • - The request header name contains spaces or control characters. -
    • -
    • - The Host request header line contains spaces or - control characters. -
    • -
    -
    -
  • -
  • - nginx now blocks all HTTP/1.0 requests that include the Transfer-Encoding header. -
  • -
  • - nginx now establishes HTTP/2 connections using the Application - Layer Protocol Negotiation (ALPN) and no longer supports the Next Protocol Negotiation (NPN) - protocol. -
  • -
-
-

- To install the nginx:1.22 stream, use: -

-
# dnf module install nginx:1.22
-

- For more information, see Setting - up and configuring NGINX. -

-

- For information about the length of support for the nginx module - streams, see the Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Bugzilla:2096174 -

-
-

mod_security rebased to version 2.9.6 -

-

- The mod_security module for the Apache HTTP Server has been updated - to version 2.9.6, which provides new features, bug fixes, and security fixes over the previously - available version 2.9.3. -

-
-

- Notable enhancements include: -

-
-
    -
  • - Adjusted parser activation rules in the modsecurity.conf-recommended file. -
  • -
  • - Enhancements to the way mod_security parses HTTP multipart - requests. -
  • -
  • - Added a new MULTIPART_PART_HEADERS collection. -
  • -
  • - Added microsec timestamp resolution to the formatted log timestamp. -
  • -
  • - Added missing Geo Countries. -
  • -
-
-

- Bugzilla:2143211 -

-
-

New packages: tomcat

-

- RHEL 9.2 introduces the Apache Tomcat server version 9. Tomcat is the servlet container that is - used in the official Reference Implementation for the Java Servlet and JavaServer Pages - technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under - the Java Community Process. Tomcat is developed in an open and participatory environment and - released under the Apache Software License version 2.0. -

-
-

- Bugzilla:2160511 -

-
-

A new module stream: postgresql:15 -

-

- RHEL 9.2 introduces PostgreSQL 15 as the postgresql:15 module stream. PostgreSQL 15 provides a number of new features and enhancements over - version 13. Notable changes include: -

-
-
-
    -
  • -

    - You can now access PostgreSQL JSON data by using - subscripts. Example query: -

    -
    SELECT ('{ "postgres": { "release": 15 }}'::jsonb)['postgres']['release'];
    -
  • -
  • - PostgreSQL now supports multirange data types and extends the - range_agg function to aggregate multirange data types. -
  • -
  • -

    - PostgreSQL improves monitoring and observability: -

    -
    -
      -
    • - You can now track progress of the COPY commands and - Write-ahead-log (WAL) activity. -
    • -
    • - PostgreSQL now provides statistics on replication - slots. -
    • -
    • - By enabling the compute_query_id parameter, you can - now uniquely track a query through several PostgreSQL features, including pg_stat_activity or EXPLAIN VERBOSE. -
    • -
    -
    -
  • -
  • -

    - PostgreSQL improves support for query parallelism by the - following: -

    -
    -
      -
    • - Improved performance of parallel sequential scans. -
    • -
    • - The ability of SQL Procedural Language (PL/pgSQL) - to execute parallel queries when using the RETURN QUERY command. -
    • -
    • - Enabled parallelism in the REFRESH MATERIALIZED VIEW command. -
    • -
    -
    -
  • -
  • - PostgreSQL now includes the SQL standard MERGE command. You can use MERGE to - write conditional SQL statements that can include the INSERT, - UPDATE, and DELETE actions in a - single statement. -
  • -
  • - PostgreSQL provides the following new functions for using - regular expressions to inspect strings: regexp_count(), regexp_instr(), regexp_like(), and - regexp_substr(). -
  • -
  • - PostgreSQL adds the security_invoker parameter, which you can use to query data with - the permissions of the view caller, not the view creator. This helps you ensure that view - callers have the correct permissions for working with the underlying data. -
  • -
  • - PostgreSQL improves performance, namely in its archiving and - backup facilities. -
  • -
  • - PostgreSQL adds support for the LZ4 and Zstandard (zstd) lossless compression algorithms. -
  • -
  • - PostgreSQL improves its in-memory and on-disk sorting - algorithms. -
  • -
  • - The updated postgresql.service systemd unit file now ensures - that the postgresql service is started after the network is up. -
  • -
-
-

- The following changes are backwards incompatible: -

-
-
    -
  • -

    - The default permissions of the public schema have been modified. Newly created users - need to grant permission explicitly by using the GRANT ALL ON SCHEMA public TO myuser; command. For example: -

    -
    postgres=# CREATE USER mydbuser;
    -postgres=# GRANT ALL ON SCHEMA public TO mydbuser;
    -postgres=# \c postgres mydbuser
    -postgres=$ CREATE TABLE mytable (id int);
    -
  • -
  • - The libpq PQsendQuery() function - is no longer supported in pipeline mode. Modify affected applications to use the PQsendQueryParams() function instead. -
  • -
-
-

- See also Using - PostgreSQL. -

-

- To install the postgresql:15 stream, use: -

-
# dnf module install postgresql:15
-

- If you want to upgrade from an earlier postgresql stream within RHEL 9, - migrate your PostgreSQL data as described in Migrating - to a RHEL 9 version of PostgreSQL. -

-

- For information about the length of support for the postgresql module - streams, see the Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Bugzilla:2128410 -

-
-
-
-
-
-

4.12. Compilers and development tools

-
-
-
-
-

openblas rebased to version 0.3.21 -

-

- The OpenBLAS library has been updated to version 0.3.21. This update includes performance - optimalization patches for the IBM POWER10 platform. -

-
-

- Bugzilla:2112099 -

-
-

A new module stream: swig:4.1

-

- RHEL 9.2 introduces the Simplified Wrapper and Interface Generator (SWIG) version 4.1 as the - swig:4.1 module stream available in the CodeReady Linux Builder - (CRB) repository. Note that packages included in the CodeReady Linux Builder repository are - unsupported. -

-
-

- Compared to SWIG 4.0 released in RHEL 9.0, SWIG 4.1: -

-
-
    -
  • - Adds support for Node.js versions 12 to 18 and removes support - for Node.js versions earlier than 6. -
  • -
  • - Adds support for PHP 8. -
  • -
  • - Handles PHP wrapping entirely through PHP C API and no longer generates a .php wrapper by default. -
  • -
  • - Supports only Perl 5.8.0 and later versions. -
  • -
  • - Adds support for Python versions 3.9 to 3.11. -
  • -
  • - Supports only Python 3.3 and later Python 3 versions, and Python 2.7. -
  • -
  • - Provides fixes for various memory leaks in Python-generated - code. -
  • -
  • - Improves support for the C99, C++11, C++14, and C++17 standards and starts implementing the - C++20 standard. -
  • -
  • - Adds support for the C++ std::unique_ptr pointer class. -
  • -
  • - Includes several minor improvements in C++ template handling. -
  • -
  • - Fixes C++ declaration usage in various cases. -
  • -
-
-

- To install the swig:4.1 module stream: -

-
-
    -
  1. - Enable the CodeReady Linux - Builder (CRB) repository. -
  2. -
  3. -

    - Install the module stream: -

    -
    # dnf module install swig:4.1
    -
  4. -
-
-

- Bugzilla:2139101 -

-
-

New package: jmc in the CRB - repository

-

- RHEL 9.2 introduces the JDK Mission Control (JMC) profiler for HotSpot JVMs version 8.2.0, - available as the jmc package in the CodeReady Linux Builder (CRB) - repository for the AMD and Intel 64-bit architectures. -

-
-

- To install JMC, you must first enable the CodeReady Linux Builder (CRB) repository. -

-

- Note that packages included in the CRB repository are unsupported. -

-

- Bugzilla:2122401 -

-
-

OpenJDK service attributes now available in FIPS mode

-

- Previously, cryptographic services and algorithms available for OpenJDK in FIPS mode were too - strictly filtered and resulted in unavailable service attributes. With this enhancement, these - service attributes are now available in FIPS mode. -

-
-

- Bugzilla:2186803 -

-
-

Performance Co-Pilot rebased to version 6.0

-

- Performance Co-Pilot (PCP) has been updated to version 6.0. Notable improvements include: -

-
-
-
    -
  1. -

    - Version 3 PCP archive support: -

    -

    - This includes support for instance domain change-deltas, Y2038-safe timestamps, - nanosecond-precision timestamps, arbitrary timezones support, and 64-bit file offsets - used throughout for larger (beyond 2GB) individual volumes. -

    -

    - This feature is currently opt-in via the PCP_ARCHIVE_VERSION setting in the /etc/pcp.conf file. -

    -

    - Version 2 archives remain the default. -

    -
  2. -
  3. -

    - Only OpenSSL is used throughout PCP. Mozilla NSS/NSPR use has been dropped: -

    -

    - This impacts libpcp, PMAPI - clients and PMCD use of encryption. These elements are now - configured and used consistently with pmproxy HTTPS support - and redis-server, which were both already using OpenSSL. -

    -
  4. -
  5. -

    - New nanosecond precision timestamp PMAPI calls for PCP library interfaces that make use of timestamps. -

    -

    - These are all optional, and full backward compatibility is preserved for existing tools. -

    -
  6. -
  7. -

    - The following tools and services have been updated: -

    -
    -
    -
    pcp2elasticsearch
    -
    - Implemented authentication support. -
    -
    pcp-dstat
    -
    - Implemented support for the top-alike plugins. -
    -
    pcp-htop
    -
    - Updated to the latest stable upstream release. -
    -
    pmseries
    -
    - Added sum, avg, stdev, nth_percentile, - max_inst, max_sample, - min_inst and min_sample functions. -
    -
    pmdabpf
    -
    - Added CO-RE (Compile Once - Run Everywhere) modules and support for AMD64, Intel - 64-bit, 64-bit ARM, and IBM Power Systems. -
    -
    pmdabpftrace
    -
    - Moved example autostart scripts to the /usr/share - directory. -
    -
    pmdadenki
    -
    - Added support for multiple active batteries. -
    -
    pmdalinux
    -
    - Updates for the latest /proc/net/netstat changes. -
    -
    pmdaopenvswitch
    -
    - Added additional interface and coverage statistics. -
    -
    pmproxy
    -
    - Request parameters can now be sent in the request body. -
    -
    pmieconf
    -
    - Added several pmie rules for Open vSwitch metrics. -
    -
    pmlogger_farm
    -
    - Added a default configuration file for farm loggers. -
    -
    pmlogger_daily_report -
    -
    - Some major efficiency improvements. -
    -
    -
    -
  8. -
-
-

- Bugzilla:2117074 -

-
-

grafana rebased to version 9.0.9

-

- The grafana package has been rebased to version 9.0.9. Notable - changes include: -

-
-
-
    -
  • - The time series panel is now the default visualization option, replacing the graph panel -
  • -
  • - New heatmap panel -
  • -
  • - New Prometheus and Loki query builder -
  • -
  • - Updated Grafana Alerting -
  • -
  • - Multiple UI/UX and performance improvements -
  • -
  • - License changed from Apache 2.0 to GNU Affero General Public License (AGPL) -
  • -
-
-

- The following are offered as opt-in experimental features: -

-
-
    -
  • - New bar chart panel -
  • -
  • - New state timeline panel -
  • -
  • - New status history panel -
  • -
  • - New histogram panel -
  • -
-
-

- For more information, see: What’s new in Grafana - v9.0 and What’s new in Grafana - v8.0. -

-

- Bugzilla:2116847 -

-
-

grafana-pcp rebased to version 5.1.1 -

-

- The grafana-pcp package has been rebased to version 5.1.1. Notable - changes include: -

-
-
-
-
Query editor
-
- added buttons to disable rate conversion and time utilization conversion. -
-
Redis
-
- removed the deprecated label_values(metric, label) function. -
-
Redis
-
- fixed the network error for metrics with many series (requires Performance Co-Pilot v6+). -
-
Redis
-
- set the pmproxy API timeout to 1 minute. -
-
-
-

- Bugzilla:2116848 -

-
-

Updated GCC Toolset 12

-

- GCC Toolset 12 is a compiler toolset that provides recent versions of development tools. It is - available as an Application Stream in the form of a Software Collection in the AppStream repository. -

-
-

- Notable changes introduced in RHEL 9.2 include: -

-
-
    -
  • - The GCC compiler has been updated to version 12.2.1, which provides many bug fixes and - enhancements that are available in upstream GCC. -
  • -
  • - annobin has been updated to version 11.08. -
  • -
-
-

- The following tools and versions are provided by GCC Toolset 12: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 12.2.1 -

-
-

- GDB -

-
-

- 11.2 -

-
-

- binutils -

-
-

- 2.38 -

-
-

- dwz -

-
-

- 0.14 -

-
-

- annobin -

-
-

- 11.08 -

-
-
-

- To install GCC Toolset 12, run the following command as root: -

-
# dnf install gcc-toolset-12
-

- To run a tool from GCC Toolset 12: -

-
$ scl enable gcc-toolset-12 tool
-

- To run a shell session where tool versions from GCC Toolset 12 override system versions of these - tools: -

-
$ scl enable gcc-toolset-12 bash
-

- For more information, see GCC - Toolset 12. -

-

- Bugzilla:2110583 -

-
-

The updated GCC compiler is now available for RHEL 9.2

-

- The system GCC compiler, version 11.3.1, has been updated to include numerous bug fixes and - enhancements available in the upstream GCC. -

-
-

- The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and - Fortran programming languages. -

-

- For usage information, see Developing - C and C++ applications in RHEL 9. -

-

- Bugzilla:2117632 -

-
-

LLVM Toolset rebased to version 15.0.7

-

- LLVM Toolset has been updated to version 15.0.7. Notable changes include: -

-
-
-
    -
  • - The -Wimplicit-function-declaration and -Wimplicit-int warnings are enabled by default in C99 and newer. - These warnings will become errors by default in Clang 16 and beyond. -
  • -
-
-

- Bugzilla:2118567 -

-
-

Rust Toolset rebased to version 1.66.1

-

- Rust Toolset has been updated to version 1.66.1. Notable changes include: -

-
-
-
    -
  • - The thread::scope API creates a lexical scope in which local - variables can be safely borrowed by newly spawned threads, and those threads are all - guaranteed to exit before the scope ends. -
  • -
  • - The hint::black_box API adds a barrier to compiler - optimization, which is useful for preserving behavior in benchmarks that might otherwise be - optimized away. -
  • -
  • - The .await keyword now makes conversions with the IntoFuture trait, similar to the relationship between for and IntoIterator. -
  • -
  • - Generic associated types (GATs) allow traits to include type aliases with generic - parameters, enabling new abstractions over both types and lifetimes. -
  • -
  • - A new let-else statement allows - binding local variables with conditional pattern matching, executing a divergent else block when the pattern does not match. -
  • -
  • - Labeled blocks allow break statements to jump to the end of the - block, optionally including an expression value. -
  • -
  • - rust-analyzer is a new implementation of the Language Server - Protocol, enabling Rust support in many editors. This replaces the former rls package, but you might need to adjust your editor - configuration to migrate to rust-analyzer. -
  • -
  • - Cargo has a new cargo remove subcommand for removing - dependencies from Cargo.toml. -
  • -
-
-

- Bugzilla:2123900 -

-
-

Go Toolset rebased to version 1.19.6

-

- Go Toolset has been updated to version 1.19.6. Notable changes include: -

-
-
-
    -
  • -

    - Security fixes to the following packages: -

    -
    -
      -
    • - crypto/tls -
    • -
    • - mime/multipart -
    • -
    • - net/http -
    • -
    • - path/filepath -
    • -
    -
    -
  • -
  • -

    - Bug fixes to: -

    -
    -
      -
    • - The go command -
    • -
    • - The linker -
    • -
    • - The runtime -
    • -
    • - The crypto/x509 package -
    • -
    • - The net/http package -
    • -
    • - The time package -
    • -
    -
    -
  • -
-
-

- Bugzilla:2175173 -

-
-

The tzdata package now includes the /usr/share/zoneinfo/leap-seconds.list file

-

- Previously, the tzdata package only shipped the /usr/share/zoneinfo/leapseconds file. Some applications rely on the - alternate format provided by the /usr/share/zoneinfo/leap-seconds.list file and, as a consequence, - would experience errors. -

-
-

- With this update, the tzdata package now includes both files, - supporting applications that rely on either format. -

-

- Bugzilla:2157982 -

-
-
-
-
-
-

4.13. Identity Management

-
-
-
-
-

SSSD support for converting home directories to lowercase

-

- With this enhancement, you can now configure SSSD to convert user home directories to lowercase. - This helps to integrate better with the case-sensitive nature of the RHEL environment. The override_homedir option in the [nss] - section of the /etc/sssd/sssd.conf file now recognizes the %h template value. If you use %h as part - of the override_homedir definition, SSSD replaces %h with the user’s home directory in lowercase. -

-
-

- Jira:RHELPLAN-139430 -

-
-

SSSD now supports changing LDAP user passwords with the shadow password policy

-

- With this enhancement, if you set ldap_pwd_policy to shadow in the /etc/sssd/sssd.conf file, - LDAP users can now change their password stored in LDAP. Previously, password changes were - rejected if ldap_pwd_policy was set to shadow as it was not clear if the corresponding shadow LDAP attributes were being updated. -

-
-

- Additionally, if the LDAP server cannot update the shadow attributes - automatically, set the ldap_chpass_update_last_change option to True in the /etc/sssd/sssd.conf file to - indicate to SSSD to update the attribute. -

-

- Bugzilla:1507035 -

-
-

IdM now supports the min_lifetime - parameter

-

- With this enhancement, the min_lifetime parameter has been added to - the /etc/gssproxy/*.conf file. The min_lifetime parameter triggers the renewal of a service ticket in - case its remaining lifetime is lower than this value. -

-
-

- By default its value is 15 seconds. For network volume clients such as NFS, to reduce the risk of - losing access in case the KDC is momentarily unavailable, set this value to 60 seconds. -

-

- Bugzilla:2184333 -

-
-

The ipapwpolicy ansible-freeipa module now supports new password policy - options

-

- With this update, the ipapwpolicy module included in the ansible-freeipa package supports additional libpwquality library options: -

-
-
-
-
maxrepeat
-
- Specifies the maximum number of the same character in sequence. -
-
maxsequence
-
- Specifies the maximum length of monotonic character sequences (abcd). -
-
dictcheck
-
- Checks if the password is a dictionary word. -
-
usercheck
-
- Checks if the password contains the username. -
-
-
-

- If any of the new password policy options are set, the minimum length of passwords is 6 characters. - The new password policy settings are applied only to new passwords. -

-

- In a mixed environment with RHEL 7 and RHEL 8 servers, the new password policy settings are enforced - only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM - client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password - policy requirements set by the system administrator do not apply. To ensure consistent behavior, - upgrade all servers to RHEL 8.4 and later. -

-

- Jira:RHELPLAN-137416 -

-
-

IdM now supports the ipanetgroup Ansible - management module

-

- As an Identity Management (IdM) system administrator, you can integrate IdM with NIS domains and - netgroups. Using the ipanetgroup ansible-freeipa module, you can achieve the following: -

-
-
-
    -
  • - You can ensure that an existing IdM netgroup contains specific IdM users, groups, hosts and - host groups and nested IdM netgroups. -
  • -
  • - You can ensure that specific IdM users, groups, hosts and host groups and nested IdM - netgroups are absent from an existing IdM netgroup. -
  • -
  • - You can ensure that a specific netgroup is present or absent in IdM. -
  • -
-
-

- Jira:RHELPLAN-137411 -

-
-

New ipaclient_configure_dns_resolver and ipaclient_dns_servers Ansible ipaclient role variables specifying the client’s DNS - resolver  

-

- Previously, when using the ansible-freeipa ipaclient role to install an Identity Management (IdM) client, it was - not possible to specify the DNS resolver during the installation process. You had to configure - the DNS resolver before the installation.    -

-
-

- With this enhancement, you can specify the DNS resolver when using the ipaclient role to install an IdM client with the ipaclient_configure_dns_resolver and ipaclient_dns_servers variables. Consequently, the ipaclient role modifies the resolv.conf file - and the NetworkManager and systemd-resolved utilities to configure the DNS resolver on the client in - a similar way that the ansible-freeipa ipaserver role does on the IdM server. As a result, configuring DNS when - using the ipaclient role to install an IdM client is now more - efficient. -

-
-
Note
-
-

- Using the ipa-client-install command-line installer to install - an IdM client still requires configuring the DNS resolver before the installation. -

-
-
-

- Jira:RHELPLAN-137406 -

-
-

Using the ipaclient role to install an IdM - client with an OTP requires no prior modification of the Ansible controller

-

- Previously, the kinit command on the Ansible controller was a - prerequisite for obtaining a one-time-password (OTP) for Identity Management (IdM) client - deployment. The need to obtain the OTP on the controller was a problem for Red Hat Ansible - Automation Platform (AAP), where the krb5-workstation package was - not installed by default. -

-
-

- With this update, the request for the administrator’s TGT is now delegated to the first specified or - discovered IdM server. As a result, you can now use an OTP to authorize the installation of an IdM - client with no additional modification of the Ansible controller. This simplifies using the ipaclient role with AAP. -

-

- Jira:RHELPLAN-137403 -

-
-

IdM now enforces the presence of the MS-PAC structure in Kerberos - tickets

-

- Starting with RHEL 9.2, to increase security, Identity Management (IdM) and MIT Kerberos now - enforce the presence of the Privilege Attribute Certificate (MS-PAC) structure in the Kerberos - tickets issued by the RHEL IdM Kerberos Distribution Center (KDC). -

-
-

- In November 2022, in response to CVE-2022-37967, Microsoft introduced an extended signature that is - calculated over the whole MS-PAC structure rather than over the server checksum. Starting with RHEL - 9.2, the Kerberos tickets issued by IdM KDC now also contain the extended signature. -

-
-
Note
-
-

- The presence of the extended signature is not yet enforced in IdM. -

-
-
-

- Jira:RHELPLAN-159146 -

-
-

New realm configuration template for KDC enabling FIPS 140-3-compliant key - encryption

-

- This update provides a new, EXAMPLE.COM, example realm - configuration in the /var/kerberos/krb5kdc/kdc.conf file. It brings - two changes: -

-
-
-
    -
  • - The FIPS 140-3-compliant AES HMAC SHA-2 family is added to the - list of supported types for key encryption. -
  • -
  • - The encryption type of the KDC master key is switched from AES 256 HMAC SHA-1 to AES 256 HMAC SHA-384. -
  • -
-
-
-
Warning
-
-

- This update is about standalone MIT realms. Do not change the Kerberos Distribution Center - (KDC) configuration in RHEL Identity Management. -

-
-
-

- Using this configuration template is recommended for new realms. The template does not affect any - realm already deployed. If you are planning to upgrade the configuration of your realm according to - the template, consider the following points: -

-

- For upgrading the master key, changing the setting in the KDC configuration is not enough. Follow - the process described in the MIT Kerberos documentation: https://web.mit.edu/kerberos/krb5-1.20/doc/admin/database.html#updating-the-master-key -

-

- Adding the AES HMAC SHA-2 family to the supported types for key - encryption is safe at any point because it does not affect existing entries in the KDC. Keys will be - generated only when creating new principals or when renewing credentials. Note that keys of this new - type cannot be generated based on existing keys. To make these new encryption types available for a - certain principal, its credentials have to be renewed, which means renewing keytabs for service - principals too. -

-

- The only case where principals should not feature an AES HMAC SHA-2 key - is the Active Directory (AD) cross-realm ticket-granting ticket (TGT) ones. Because AD does not - implement RFC8009, it does not use the AES HMAC SHA-2 encryption types - family. Therefore, a cross-realm TGS-REQ using an AES HMAC SHA-2-encrypted cross-realm TGT would fail. The best way to keep - the MIT Kerberos client from using AES HMAC SHA-2 against AD is to not - provide AES HMAC SHA-2 keys for the AD cross-realm principals. To do - so, ensure that you create the cross-realm TGT entries with an explicit list of key encryption types - that are all supported by AD: -

-
  kadmin.local <<EOF
-  add_principal +requires_preauth -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 -pw [password] krbtgt/[MIT realm]@[AD realm]
-  add_principal +requires_preauth -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 -pw [password] krbtgt/[AD realm]@[MIT realm]
-  EOF
-

- To ensure the MIT Kerboros clients use the AES HMAC SHA-2 encryption - types, you must also set these encryption types as permitted in both - the client and the KDC configuration. On RHEL, this setting is managed by the crypto-policy system. - For example, on RHEL 9, hosts using the DEFAULT crypto-policy allow - AES HMAC SHA-2 and AES HMAC SHA-1 - encrypted tickets, while hosts using the FIPS crypto-policy only accept - AES HMAC SHA-2 ones. -

-

- Bugzilla:2068535 -

-
-

Configure pam_pwhistory using a configuration - file

-

- With this update, you can configure the pam_pwhistory module in the - /etc/security/pwhistory.conf configuration file. The pam_pwhistory module saves the last password for each user in order - to manage password change history. Support has also been added in authselect which allows you to add the pam_pwhistory module to the PAM stack. -

-
-

- Bugzilla:2126640, Bugzilla:2142805 -

-
-

IdM now supports new Active Directory certificate mapping - templates

-

- Active Directory (AD) domain administrators can manually map certificates to a user in AD using - the altSecurityIdentities attribute. There are six supported values - for this attribute, though three mappings are now considered insecure. As part of May - 10,2022 security update, once this update is installed on a domain controller, all - devices are in compatibility mode. If a certificate is weakly mapped to a user, authentication - occurs as expected but a warning message is logged identifying the certificates that are not - compatible with full enforcement mode. As of November 14, 2023 or later, all devices will be - updated to full enforcement mode and if a certificate fails the strong mapping criteria, - authentication will be denied. -

-
-

- IdM now supports the new mapping templates, making it easier for an AD administrator to use the new - rules and not maintain both. IdM now supports the following new mapping templates : -

-
-
    -
  • - Serial Number: LDAPU1:(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<SR>{serial_number!hex_ur}) -
  • -
  • - Subject Key Id: LDAPU1:(altSecurityIdentities=X509:<SKI>{subject_key_id!hex_u}) -
  • -
  • - User SID: LDAPU1:(objectsid={sid}) -
  • -
-
-

- If you do not want to reissue certificates with the new SID extension, you can create a manual - mapping by adding the appropriate mapping string to a user’s altSecurityIdentities attribute in AD. -

-

- Bugzilla:2087247 -

-
-

samba rebased to version 4.17.5

-

- The samba packages have been upgraded to upstream version 4.17.5, - which provides bug fixes and enhancements over the previous version. The most notable changes: -

-
-
-
    -
  • - Security improvements in previous releases impacted the performance of the Server Message - Block (SMB) server for high meta data workloads. This update improves he performance in this - scenario. -
  • -
  • - The --json option was added to the smbstatus utility to display detailed status information in JSON - format. -
  • -
  • - The samba.smb.conf and samba.samba3.smb.conf modules have been added to the smbconf Python API. You can use them in Python programs to read - and, optionally, write the Samba configuration natively. -
  • -
-
-

- Note that the server message block version 1 (SMB1) protocol is deprecated since Samba 4.11 and will - be removed in a future release. -

-

- Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba - automatically updates its tdb database files. Red Hat does not support - downgrading tdb database files. -

-

- After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file. -

-

- For further information about notable changes, read the upstream release notes before - updating. -

-

- Bugzilla:2131993 -

-
-

ipa-client-install now supports authentication - with PKINIT

-

- Previously, the ipa-client-install supported only password based - authentication. This update provides support to ipa-client-install - for authentication with PKINIT. -

-
-

- For example: -

-
ipa-client-install --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem --pkinit-anchor=FILE:/path/to/cacerts.pem
-

- To use the PKINIT authentication, you must establish trust between IdM and the CA chain of the - PKINIT certificate. For more information see the ipa-cacert-manage(1) - man page. Also, the certificate identity mapping rules must map the PKINIT certificate of the host - to a principal that has permission to add or modify a host record. For more information see the - ipa certmaprule-add man page. -

-

- Bugzilla:2143224 -

-
-

Red Hat IdM and Certificate System now support the EST protocol -

-

- Enrollment over Secure Transport (EST) is a new Certificate System subsystem feature that is - specified in RFC 7030 and it is used to provision certificates from a Certificate Authority - (CA). EST implements the server side of the operation, such as /getcacerts, /simpleenroll, and /simplereenroll. -

-
-

- Note that Red Hat supports both EST and the original Simple Certificate Enrollment Protocol (SCEP) - in Certificate System. -

-

- Bugzilla:1849834 -

-
-

Enhance negative cache usage

-

- This update improves the SSSD performance for lookups by Security Identifier (SID). It now - stores non-existing SIDs in the negative cache for individual domains and requests the domain - that the SID belongs to. -

-
-

- Bugzilla:1766490 -

-
-

Directory server now supports ECDSA private keys for TLS

-

- Previously, you could not use cryptographic algorithms that are stronger than RSA to secure - Directory Server connections. With this enhancement, Directory Server now supports both ECDSA - and RSA keys. -

-
-

- Bugzilla:2096795 -

-
-

Directory Server now supports extended logging of search - operations

-

- Previously, records in the access log did not show why some search operations had a very big - etime value. With this release, you can enable logging of - statistics such as a number of index lookups (database read operations) and overall duration of - index lookups per each search operation. These statistical records can help to analyze why the - etime value can be so resource expensive. -

-
-

- Bugzilla:1859271 -

-
-

The NUNC_STANS error logging level was replaced by the new 1048576 logging level

-

- Previously, you could not easily debug password policy issues. With the new 1048576 logging level for the error log, you can now check the - following password policy information: -

-
-
-
    -
  • - Which local policy rejects or allows a password update. -
  • -
  • - The exact syntax violation. -
  • -
-
-

- Bugzilla:2057070 -

-
-

Directory Server introduces the security log

-

- To properly track issues over time, Directory Server now has a specialized log that maintains - security data. The security log does not rotate quickly and consumes less disk resources in - comparison to the access log that has all the information, but requires expensive parsing to get - the security data. -

-
-

- The new server log records security events such as authentication events, authorization issues, - DoS/TCP attacks, and other events. -

-

- Directory Server stores the security log in the /var/log/dirsrv/slapd-instance_name/ - directory along with other log files. -

-

- Bugzilla:2093981 -

-
-

Directory Server now can compress archived log files

-

- Previously, archived log files were not compressed. With this release, you can enable access, - error, audit, audit fail log, security log files compression to save disk space. Note that only - security log file compression is enabled by default. -

-
-

- Use the following new configuration attributes in the cn=config entry - to manage the compression: -

-
-
    -
  • - nsslapd-accesslog-compress for the access log -
  • -
  • - nsslapd-errorlog-compress for the error log -
  • -
  • - nsslapd-auditlog-compress for the audit log -
  • -
  • - nsslapd-auditfaillog-compress for the audit fail log -
  • -
  • - nsslapd-securelog-compress for the security log -
  • -
-
-

- Bugzilla:1132524 -

-
-

New pamModuleIsThreadSafe configuration option - is now available

-

- When a PAM module is thread-safe, you can improve the PAM authentication throughput and response - time of that specific module, by setting the new pamModuleIsThreadSafe configuration option to yes: -

-
-
pamModuleIsThreadSafe: yes
-

- This configuration applies on the PAM module configuration entry (child of cn=PAM Pass Through Auth,cn=plugins,cn=config). -

-

- Use pamModuleIsThreadSafe option in the dse.ldif configuration file or the ldapmodify command. Note that the ldapmodify - command requires you to restart the server. -

-

- Bugzilla:2142639 -

-
-

Directory Server can now import a certificate bundle

-

- Previously, when you tried to add a certificate bundle by using the dsconf or dsctl utility, the procedure - failed with an error, and the certificate bundle was not imported. Such behavior was caused by - the certutil utility that could import only one certificate at a - time. With this update, Directory Server works around the issue with the certutil, and a certificate bundle is added successfully. -

-
-

- Bugzilla:1878808 -

-
-

Default behavior change: Directory Server now returns a DN in exactly the - same spelling as it was added to the database

-

- With the new nsslapd-return-original-entrydn parameter under the - cn=config entry, you can manage how Directory Server returns the - distinguished name (DN) of entries during search operations. -

-
-

- By default, the nsslapd-return-original-entrydn parameter is set to - on, and Directory Server returns the DN exactly how it was originally - added to the database. For example, you added or modified the entry uid=User,ou=PEople,dc=ExaMPlE,DC=COM, and with the setting turned on, - Directory Server returns the same spelling of the DN for the entry: uid=User,ou=PEople,dc=ExaMPlE,DC=COM. -

-

- When the nsslapd-return-original-entrydn parameter is set to off, Directory Server generates the entry DN by putting together a - Relative DN (RDN) of the entry and the base DN that is stored in the database suffix configuration - under cn=userroot,cn=ldbm database,cn=plugins,cn=config. If you set the - base DN to ou=people,dc=example,dc=com, and the nsslapd-return-original-entrydn setting is off, Directory Server returns uid=User,ou=people,dc=example,dc=com during searches and not the spelling - of the DN when you added the entry to the database. -

-

- Bugzilla:2075017 -

-
-

MIT Kerberos supports the Ticket and Extended KDC MS-PAC - signatures

-

- With this update, MIT Kerberos, which is used by Red Hat, implements support for two types of - the Privilege Attribute Certificate (PAC) signatures introduced by Microsoft in response to - recent CVEs. Specifically, the following signatures are supported: -

-
-
-
    -
  • -

    - Ticket signature -

    -
    - -
    -
  • -
  • -

    - Extended KDC signature -

    -
    - -
    -
  • -
-
-

- See also RHSA-2023:2570 - and krb5-1.20.1-6.el9. -

-

- Bugzilla:2165827 -

-
-

New nsslapd-auditlog-display-attrs - configuration parameter for the Directory Server audit log

-

- Previously, the distinguished name (DN) was the only way to identify the target entry in the - audit log event. With the new nsslapd-auditlog-display-attrs - parameter, you can configure Directory Server to display additional attributes in the audit log, - providing more details about the modified entry.. -

-
-

- For example, if you set the nsslapd-auditlog-display-attrs parameter to - cn, the audit log displays the entry cn - attribute in the output. To include all attributes of a modified entry, use an asterisk (*) as the parameter value. -

-

- For more information, see nsslapd-auditlog-display-attrs. -

-

- Bugzilla:2136610 -

-
-
-
-
-
-

4.14. Desktop

-
-
-
-
-

Disable swipe to switch workspaces

-

- Previously, swiping up or down with three fingers always switched the workspace on a touch - screen. With this release, you can disable the workspace switching. -

-
-

- For details, see Disabling swipe - to switch workspaces. -

-

- Bugzilla:2154358 -

-
-

Wayland is now enabled on Aspeed GPUs

-

- Previously, the Aspeed GPU driver did not perform well enough to run a Wayland session. To work - around that problem, the Wayland session was disabled for Aspeed GPUs. -

-
-

- With this release, the driver performance has been significantly improved and the Wayland session is - now responsive. As a result, the Wayland session is now enabled on Aspeed GPUs by default. -

-

- Bugzilla:2131203 -

-
-

Custom right-click menu on the desktop

-

- You can now customize the menu that opens when you right-click the desktop background. You can - create custom entries in the menu that run arbitrary commands. -

-
-

- To customize the menu, see Customizing the right-click menu on the - desktop. -

-

- Bugzilla:2160553 -

-
-
-
-
-
-

4.15. The web console

-
-
-
-
-

Certain cryptographic subpolicies are now available in the web - console

-

- This update of the RHEL web console extends the options in the Change crypto policy dialog. Besides the four system-wide - cryptographic policies, you can also apply the following subpolicies through the graphical - interface now: -

-
-
-
    -
  • - DEFAULT:SHA1 is the DEFAULT policy - with the SHA-1 algorithm enabled. -
  • -
  • - LEGACY:AD-SUPPORT is the LEGACY - policy with less secure settings that improve interoperability for Active Directory - services. -
  • -
  • - FIPS:OSPP is the FIPS policy with - further restrictions inspired by the Common Criteria for Information Technology Security - Evaluation standard. -
  • -
-
-

- Jira:RHELPLAN-137505 -

-
-

The web console now performs additional steps for binding LUKS-encrypted - root volumes to NBDE

-

- With this update, the RHEL web console performs additional steps required for binding - LUKS-encrypted root volumes to Network-Bound Disk Encryption (NBDE) deployments. After you - select an encrypted root file system and a Tang server, you can skip adding the rd.neednet=1 parameter to the kernel command line, installing the - clevis-dracut package, and regenerating an initial ramdisk (initrd). For non-root file systems, the web console now enables the - remote-cryptsetup.target and clevis-luks-akspass.path systemd units, - installs the clevis-systemd package, and adds the _netdev parameter to the fstab and crypttab configuration files. As a result, you can now use the - graphical interface for all Clevis-client configuration steps when creating NBDE deployments for - automated unlocking of LUKS-encrypted root volumes. -

-
-

- Jira:RHELPLAN-139125 -

-
-
-
-
-
-

4.16. Red Hat Enterprise Linux system roles

-
-
-
-
-

Routing rule is able to look up a route table by its name

-

- With this update, the rhel-system-roles.network RHEL system role - supports looking up a route table by its name when you define a routing rule. This feature - provides quick navigation for complex network configurations where you need to have different - routing rules for different network segments. -

-
-

- Bugzilla:2131293 -

-
-

The network system role supports setting a DNS - priority value

-

- This enhancement adds the dns_priority parameter to the RHEL network system role. You can set this parameter to a value from -2147483648 to 2147483647. The default - value is 0. Lower values have a higher priority. Note that negative - values cause the system role to exclude other configurations with a greater numeric priority - value. Consequently, in presence of at least one negative priority value, the system role uses - only DNS servers from connection profiles with the lowest priority value. -

-
-

- As a result, you can use the network system role to define the order of - DNS servers in different connection profiles. -

-

- Bugzilla:2133858 -

-
-

New IPsec customization parameters for the vpn - RHEL system role

-

- Because certain network devices require IPsec customization to work correctly, the following - parameters have been added to the vpn RHEL system role: -

-
-
-
Important
-
-

- Do not change the following parameters without advanced knowledge. Most scenarios do not - require their customization. -

-

- Furthermore, for security reasons, encrypt a value of the shared_key_content parameter by using Ansible Vault. -

-
-
-
-
    -
  • -

    - Tunnel parameters: -

    -
    -
      -
    • - shared_key_content -
    • -
    • - ike -
    • -
    • - esp -
    • -
    • - ikelifetime -
    • -
    • - salifetime -
    • -
    • - retransmit_timeout -
    • -
    • - dpddelay -
    • -
    • - dpdtimeout -
    • -
    • - dpdaction -
    • -
    • - leftupdown -
    • -
    -
    -
  • -
  • -

    - Per-host parameters: -

    -
    -
      -
    • - leftid -
    • -
    • - rightid -
    • -
    -
    -
  • -
-
-

- As a result, you can use the vpn role to configure IPsec connectivity - to a wide range of network devices. -

-

- Bugzilla:2119102 -

-
-

The selinux RHEL system role now supports the - local parameter

-

- This update of the selinux RHEL system role introduces support for - the local parameter. By using this parameter, you can remove only - your local policy modifications and preserve the built-in SELinux policy. -

-
-

- Bugzilla:2128843 -

-
-

The ha_cluster system role now supports - automated execution of the firewall, selinux, and certificate system - roles

-

- The ha_cluster RHEL system role now supports the following features: -

-
-
-
-
Using the firewall and selinux system roles to manage port access
-
- To configure the ports of a cluster to run the firewalld and - selinux services, you can set the new role variables ha_cluster_manage_firewall and ha_cluster_manage_selinux to true. - This configures the cluster to use the firewall and selinux system roles, automating and performing these operations - within the ha_cluster system role. If these variables are set - to their default value of false, the roles are not performed. - With this release, the firewall is no longer configured by default, because it is configured - only when ha_cluster_manage_firewall is set to true. -
-
Using the certificate system role to create - a pcsd private key and certificate pair
-
- The ha_cluster system role now supports the ha_cluster_pcsd_certificates role variable. Setting this variable - passes on its value to the certificate_requests variable of the - certificate system role. This provides an alternative method - for creating the private key and certificate pair for pcsd. -
-
-
-

- Bugzilla:2130010 -

-
-

The postfix RHEL system role can now use the - firewall and selinux RHEL system - roles to manage port access

-

- With this enhancement, you can automate managing port access by using the new role variables - postfix_manage_firewall and postfix_manage_selinux: -

-
-
-
    -
  • - If they are set to true, each role is used to manage the port - access. -
  • -
  • - If they are set to false, which is default, the roles do not - engage. -
  • -
-
-

- Bugzilla:2130329 -

-
-

The vpn RHEL system role can now use the firewall and selinux roles to manage - port access

-

- With this enhancement, you can automate managing port access in the vpn RHEL system role through the firewall and selinux roles. If you set - the new role variables vpn_manage_firewall and vpn_manage_selinux to true, the roles - manage port access. -

-
-

- Bugzilla:2130344 -

-
-

The logging RHEL system role now supports port - access and generation of the certificates

-

- With this enhancement, you can use the logging role to manage ports access and generate - certificates with new role variables. If you set the new role variables logging_manage_firewall and logging_manage_selinux to true, the - roles manage port access. The new role variable for generating certificates is logging_certificates. The type and usage are the same as the certificate role certificate_requests. - You can now automate these operations directly by using the logging - role. -

-
-

- Bugzilla:2130357 -

-
-

The metrics RHEL system role now can use the - firewall role and the selinux role - to manage port access

-

- With this enhancement, you can control access to ports. If you set the new role variables metrics_manage_firewall and metrics_manage_firewall to true, the - roles manage port access. You can now automate and perform these operations directly by using - the metrics role. -

-
-

- Bugzilla:2133528 -

-
-

The nbde_server RHEL system role now can use - the firewall and selinux roles to - manage port access

-

- With this enhancement, you can use the firewall and selinux roles to manage ports access. If you set the new role - variables nbde_server_manage_firewall and nbde_server_manage_selinux to true, the - roles manage port access. You can now automate these operations directly by using the nbde_server role. -

-
-

- Bugzilla:2133930 -

-
-

The initscripts network provider supports - route metric configuration of the default gateway

-

- With this update, you can use the initscripts network provider in - the rhel-system-roles.network RHEL system role to configure the - route metric of the default gateway. -

-
-

- The reasons for such a configuration could be: -

-
-
    -
  • - Distributing the traffic load across the different paths -
  • -
  • - Specifying primary routes and backup routes -
  • -
  • - Leveraging routing policies to send traffic to specific destinations through specific paths -
  • -
-
-

- Bugzilla:2134202 -

-
-

The cockpit RHEL system role integration with - the firewall, selinux, and certificate roles

-

- This enhancement enables you to integrate the cockpit role with the - firewall role and the selinux role to - manage port access and the certificate role to generate - certificates. -

-
-

- To control the port access, use the new cockpit_manage_firewall and - cockpit_manage_selinux variables. Both variables are set to false by default and are not executed. Set them to true to allow the firewall and selinux roles to manage the RHEL web console service port access. The - operations will then be executed within the cockpit role. -

-

- Note that you are responsible for managing port access for firewall and SELinux. -

-

- To generate certificates, use the new cockpit_certificates variable. - The variable is set to false by default and is not executed. You can - use this variable the same way you would use the certificate_request - variable in the certificate role. The cockpit role will then use the certificate - role to manage the RHEL web console certificates. -

-

- Bugzilla:2137663 -

-
-

New RHEL system role for direct integration with Active Directory -

-

- The new rhel-system-roles.ad_integration RHEL system role was added - to the rhel-system-roles package. As a result, administrators can - now automate direct integration of a RHEL system with an Active Directory domain. -

-
-

- Bugzilla:2140795 -

-
-

New Ansible Role for Red Hat Insights and subscription management -

-

- The rhel-system-roles package now includes the remote host - configuration (rhc) system role. This role enables administrators - to easily register RHEL systems to Red Hat Subscription Management (RHSM) and Satellite servers. - By default, when you register a system by using the rhc system - role, the system connects to Red Hat Insights. With the new rhc - system role, administrators can now automate the following tasks on the managed nodes: -

-
-
-
    -
  • - Configure the connection to Red Hat Insights, including automatic update, remediations, and - tags for the system. -
  • -
  • - Enable and disable repositories. -
  • -
  • - Configure the proxy to use for the connection. -
  • -
  • - Set the release of the system. -
  • -
-
-

- For more information about how to automate these tasks, see Using - the RHC system role to register the system. -

-

- Bugzilla:2141330 -

-
-

Added support for the cloned MAC address

-

- Cloned MAC address is the MAC address of the device WAN port which is the same as the MAC - address of the machine. With this update, users can specify the bonding or bridge interface with - the MAC address or the strategy such as random or preserve to get the default MAC address for the bonding or bridge - interface. -

-
-

- Bugzilla:2143768 -

-
-

Microsoft SQL Server Ansible role supports asynchronous high availability - replicas

-

- Previously, Microsoft SQL Server Ansible role supported only primary, synchronous, and witness - high availability replicas. Now, you can set the mssql_ha_replica_type variable to asynchronous to configure it with asynchronous replica type for a new - or existing replica. -

-
-

- Bugzilla:2151282 -

-
-

Microsoft SQL Server Ansible role supports the read-scale cluster - type

-

- Previously, Microsoft SQL Ansible role supported only the external cluster type. Now, you can - configure the role with a new variable mssql_ha_ag_cluster_type. - The default value is external, use it to configure the cluster with - Pacemaker. To configure the cluster without Pacemaker, use the value none for that variable. -

-
-

- Bugzilla:2151283 -

-
-

Microsoft SQL Server Ansible role can generate TLS certificates -

-

- Previously, you needed to generate a TLS certificate and a private key on the nodes manually - before configuring the Microsoft SQL Ansible role. With this update, the Microsoft SQL Server - Ansible role can use the redhat.rhel_system_roles.certificate role - for that purpose. Now, you can set the mssql_tls_certificates - variable in the format of the certificate_requests variable of the - certificate role to generate a TLS certificate and a private key on - the node. -

-
-

- Bugzilla:2151284 -

-
-

Microsoft SQL Server Ansible role supports configuring SQL Server version - 2022

-

- Previously, Microsoft SQL Ansible role supported only configuring SQL Server version 2017 and - version 2019. This update provides you with the support for SQL Server version 2022 for - Microsoft SQL Ansible role. Now, you can set mssql_version value to - 2022 for configuring a new SQL Server 2022 or upgrading SQL Server - from version 2019 to version 2022. Note that upgrade of an SQL Server from version 2017 to - version 2022 is unavailable. -

-
-

- Bugzilla:2153428 -

-
-

Microsoft SQL Server Ansible role supports configuration of the Active - Directory authentication

-

- With this update, the Microsoft SQL Ansible role supports configuration of the Active Directory - authentication for an SQL Server. Now, you can configure the Active Directory authentication by - setting variables with the mssql_ad_ prefix. -

-
-

- Bugzilla:2163709 -

-
-

The journald RHEL system role is now - available

-

- The journald service collects and stores log data in a centralized - database. With this enhancement, you can use the journald system - role variables to automate the configuration of the systemd - journal, and configure persistent logging by using the Red Hat Ansible Automation Platform. -

-
-

- Bugzilla:2165175 -

-
-

The ha_cluster system role now supports quorum - device configuration

-

- A quorum device acts as a third-party arbitration device for a cluster. A quorum device is - recommended for clusters with an even number of nodes. With two-node clusters, the use of a - quorum device can better determine which node survives in a split-brain situation. You can now - configure a quorum device with the ha_cluster system role, both - qdevice for a cluster and qnetd for an - arbitration node. -

-
-

- Bugzilla:2140804 -

-
-
-
-
-
-

4.17. Virtualization

-
-
-
-
-

Hardware cryptographic devices can now be automatically - hot-plugged

-

- Previously, it was only possible to define cryptographic devices for passthrough if they were - present on the host before the mediated device was started. Now, you can define a mediated - device matrix that lists all the cryptographic devices that you want to pass through to your - virtual machine (VM). As a result, the specified cryptographic devices are automatically passed - through to the running VM if they become available later. Also, if the devices become - unavailable, they are removed from the VM, but the guest operating system keeps running - normally. -

-
-

- Bugzilla:1871126 -

-
-

Improved performance for PCI passthrough devices on IBM Z

-

- With this update, the PCI passthrough implementation on IBM Z hardware has been enhanced through - multiple improvements to I/O handling. As a result, PCI devices passed through to KVM virtual - machines (VMs) on IBM Z hosts now have significantly better performance. -

-
-

- In addition, ISM devices can now be assigned to VMs on IBM Z hosts. -

-

- Bugzilla:1871143 -

-
-

New package: passt

-

- This update adds the passt package, which makes it possible to use - the passt user-mode networking back end for virtual machines. -

-
-

- For more information on using passt, see Configuring - the passt user-space connection. -

-

- Bugzilla:2131015 -

-
-

zPCI device assignment

-

- It is now possible to attach zPCI devices as pass-through devices to virtual machines (VMs) - hosted on RHEL running on IBM Z hardware. For example, thís enables the use of NVMe flash drives - in VMs. -

-
-

- Jira:RHELPLAN-59528 -

-
-

New package: python-virt-firmware

-

- This update adds the python-virt-firmware package, which contains - tools for handling Open Virtual Machine Firmware (OVMF) firmware images. You can use these tools - for example for the following: -

-
-
-
    -
  • - Printing the content of firmware images -
  • -
  • - Updating the edk2 variables store -
  • -
  • - Handling secure boot key enrolment without booting up the virtual machine in QEMU -
  • -
-
-

- As a result, these make it easier to build OVMF images. -

-

- Bugzilla:2089785 -

-
-
-
-
-
-

4.18. Supportability

-
-
-
-
-

The sos utility is moving to a 4-week update - cadence

-

- Instead of releasing sos updates with RHEL minor releases, the - sos utility release cadence is changing from 6 months to 4 weeks. - You can find details about the updates for the sos package in the - RPM changelog every 4 weeks or you can read a summary of sos - updates in the RHEL Release Notes every 6 months. -

-
-

- Bugzilla:2164987 -

-
-

The sos clean command now obfuscates IPv6 - addresses

-

- Previously, the sos clean command did not obfuscate IPv6 addresses, - leaving some customer-sensitive data in the collected sos report. - With this update, sos clean detects and obfuscates IPv6 addresses - as expected. -

-
-

- Bugzilla:2134906 -

-
-
-
-
-
-

4.19. Containers

-
-
-
-
-

New podman RHEL System Role is now - available

-

- Beginning with Podman 4.2, you can use the podman System Role to - manage Podman configuration, containers, and systemd services that - run Podman containers. -

-
-

- Jira:RHELPLAN-118705 -

-
-

Podman now supports events for auditing

-

- Beginning with Podman v4.4, you can gather all relevant information about a container directly - from a single event and journald entry. To enable Podman auditing, - modify the container.conf configuration file and add the events_container_create_inspect_data=true option to the [engine] section. The data is in JSON format, the same as from the - podman container inspect command. For more information, see How to - use new container events and auditing features in Podman 4.4. -

-
-

- Jira:RHELPLAN-136602 -

-
-

The container-tools meta-package has been - updated

-

- The container-tools RPM meta-package, which contains the Podman, - Buildah, Skopeo, crun and runc tools are now available. This update applies a series of bug - fixes and enhancements over the previous version. -

-
-

- Notable changes in Podman v4.4 include: -

-
-
    -
  • - Introduce Quadlet, a new systemd-generator that easily creates and maintains systemd - services using Podman. -
  • -
  • - A new command, podman network update, has been added, which - updates networks for containers and pods. -
  • -
  • - A new command, podman buildx version, has been added, which - shows the buildah version. -
  • -
  • - Containers can now have startup healthchecks, allowing a command to be run to ensure the - container is fully started before the regular healthcheck is activated. -
  • -
  • - Support a custom DNS server selection using the podman --dns - command. -
  • -
  • - Creating and verifying sigstore signatures using Fulcio and Rekor is now available. -
  • -
  • - Improved compatibility with Docker (new options and aliases). -
  • -
  • - Improved Podman’s Kubernetes integration - the commands podman kube generate and podman kube play are now available and replace the podman generate kube and podman play kube commands. The podman generate kube and podman play kube commands are still available but it is - recommended to use the new podman kube commands. -
  • -
  • - Systemd-managed pods created by the podman kube play command - now integrate with sd-notify, using the io.containers.sdnotify - annotation (or io.containers.sdnotify/$name for specific - containers). -
  • -
  • - Systemd-managed pods created by podman kube play can now be - auto-updated, using the io.containers.auto-update annotation - (or io.containers.auto-update/$name for specific containers). -
  • -
-
-

- Podman has been upgraded to version 4.4, for further information about notable changes, see upstream - release notes. -

-

- Jira:RHELPLAN-136607 -

-
-

Aardvark and Netavark now support custom DNS server selection

-

- The Aardvark and Netavark network stack now support custom DNS server selection for containers - instead of the default DNS servers on the host. You have two options for specifying the custom - DNS server: -

-
-
-
    -
  • - Add the dns_servers field in the containers.conf configuration file. -
  • -
  • - Use the new --dns Podman option to specify an IP address of the - DNS server. -
  • -
-
-

- The --dns option overrides the values in the container.conf file. -

-

- Jira:RHELPLAN-138024 -

-
-

Skopeo now supports generating sigstore key pairs

-

- You can use the skopeo generate-sigstore-key command to generate a - sigstore public/private key pair. For more information, see skopeo-generate-sigstore-key man page. -

-
-

- Jira:RHELPLAN-151481 -

-
-

Toolbox is now available

-

- With the toolbox utility, you can use the containerized - command-line environment without installing troubleshooting tools directly on your system. - Toolbox is built on top of Podman and other standard container technologies from OCI. For more - information, see toolbx. -

-
-

- Jira:RHELPLAN-150266 -

-
-

Container images now have a two-digit tag

-

- In RHEL 9.0 and RHEL 9.1, container images had a three-digit tag. Starting from RHEL 9.2, - container images now have a two-digit tag. -

-
-

- Jira:RHELPLAN-147982 -

-
-

The capability for multiple trusted GPG keys for signing images is - available

-

- The /etc/containers/policy.json file supports a new keyPaths field which accepts a list of files containing the trusted - keys. Because of this, the container images signed with Red Hat’s General Availability and Beta - GPG keys are now accepted in the default configuration. -

-
-

- For example: -

-
"registry.redhat.io": [
-        {
-            "type": "signedBy",
-            "keyType": "GPGKeys",
-            "keyPaths": ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release", "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta"]
-        }
-]
-

- Jira:RHELPLAN-129327 -

-
-

Podman now supports the pre-execution hooks

-

- The root-owned plugin scripts located in the /usr/libexec/podman/pre-exec-hooks and /etc/containers/pre-exec-hooks directories define a fine-control over - container operations, especially blocking unauthorized actions. -

-
-

- The /etc/containers/podman_preexec_hooks.txt file must be created by an - administrator and can be empty. If /etc/containers/podman_preexec_hooks.txt does not exist, the plugin - scripts will not be executed. If all plugin scripts return zero value, then the podman command is executed, otherwise, the podman command exits with the inherited exit code. -

-

- Red Hat recommends using the following naming convention to execute the scripts in the correct - order: DDD-plugin_name.lang, - for example 010-check-group.py. Note that the plugin scripts are valid - at the time of creation. Containers created before plugin scripts are not affected. -

-

- Bugzilla:2119200 -

-
-

The sigstore signatures are now available

-

- Beginning with Podman 4.2, you can use the sigstore format of container image signatures. The - sigstore signatures are stored in the container registry together with the container image - without the need to have a separate signature server to store image signatures. -

-
-

- Jira:RHELPLAN-74672 -

-
-

Toolbox can create RHEL 9 containers

-

- Previously, the Toolbox utility only supported RHEL UBI 8 images. With this release, Toolbox now - also supports RHEL UBI 9. As a result, you can create a Toolbox container based on RHEL 8 or 9. -

-
-

- The following command creates a RHEL container based on the same RHEL release as your host system: -

-
$ toolbox create
-

- Alternatively, you can create a container with a specific RHEL release. For example, to create a - container based on RHEL 9.2, use the following command: -

-
$ toolbox create --distro rhel --release 9.2
-

- Bugzilla:2163752 -

-
-

New package: passt

-

- This update adds the passt package, which makes it possible to use - the pasta rootless networking back end for containers. -

-
-

- In comparison to the Slirp connection, which is currently used as - default for unprivileged networking by Podman, pasta provides the - following enhancements: -

-
-
    -
  • - Improved throughput and better support for IPv6, which includes support for the Neighbor - Discovery Protocol (NDP) and for DHCPv6 -
  • -
  • - The ability to configure port forwarding of TCP and UDP ports on IPv6 -
  • -
-
-

- To use pasta to connect a Podman container, use the --network pasta command-line option. -

-

- Bugzilla:2209419 -

-
-
-
-
-
-
-

Chapter 5. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel - distributed with Red Hat Enterprise Linux 9.2. These changes could include for example added or updated - proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any - noticeable behavior changes. -

-

New kernel parameters

-
-
-
nomodeset
-
-

- With this kernel parameter, you can disable kernel mode setting. DRM drivers will not - perform display-mode changes or accelerated rendering. Only the system frame buffer will be - available for use if this was set-up by the firmware or boot loader. -

-

- nomodeset is useful as fallback, or for testing and debugging. -

-
-
printk.console_no_auto_verbose
-
-

- With this kernel parameter, you can disable console loglevel raise on oops, panic or - lockdep-detected issues (only if lock debug is on). With an exception to setups with low - baudrate on serial console, set this parameter to 0 to provide - more debug information. -

-
-
    -
  • - Format: <bool> -
  • -
  • - Defaults to 0 (auto_verbose is enabled) -
  • -
-
-
-
rcupdate.rcu_exp_cpu_stall_timeout=[KNL]
-
-

- With this kernel parameter, you can set timeout for expedited RCU CPU stall warning - messages. The value is in milliseconds and the maximum allowed value is 21000 milliseconds. -

-

- Note that this value is adjusted to an arch timer tick resolution. Setting this to zero - causes the value from rcupdate.rcu_cpu_stall_timeout to be used - (after conversion from seconds to milliseconds). -

-
-
rcupdate.rcu_task_stall_info=[KNL]
-
-

- With this parameter, you can set initial timeout in jiffies for RCU task stall informational - messages, which give some indication of the problem for those not patient enough to wait for - ten minutes. Informational messages are only printed prior to the stall-warning message for - a given grace period. Disable with a value less than or equal to zero. -

-
-
    -
  • - Defaults to 10 seconds. -
  • -
  • - A change in value does not take effect until the beginning of the next grace period. -
  • -
-
-
-
rcupdate.rcu_task_stall_info_mult=[KNL]
-
-

- This parameter is a multiplier for time interval between successive RCU task stall - informational messages for a given RCU tasks grace period. This value is clamped to one - through ten, inclusive. -

-

- It defaults to the value of three, so that the first informational message is printed 10 - seconds into the grace period, the second at 40 seconds, the third at 160 seconds, and then - the stall warning at 600 seconds would prevent a fourth at 640 seconds. -

-
-
smp.csd_lock_timeout=[KNL]
-
-

- With this parameter, you can specify the period of time in milliseconds that smp_call_function() and friends will wait for a CPU to release - the CSD lock. This is useful when diagnosing bugs involving CPUs disabling interrupts for - extended periods of time. -

-
-
    -
  • - Defaults to 5,000 milliseconds. -
  • -
  • - Setting a value of zero disables this feature. -
  • -
  • - This feature may be more efficiently disabled using the csdlock_debug- kernel parameter. -
  • -
-
-
-
srcutree.big_cpu_lim=[KNL]
-
-

- With this parameter, you can specify the number of CPUs constituting a large system, such - that srcu_struct structures should immediately allocate an - srcu_node array. -

-
-
    -
  • - Defaults to 128. -
  • -
  • - takes effect only when the low-order four bits of srcutree.convert_to_big is equal to 3 (decide at boot). -
  • -
-
-
-
srcutree.convert_to_big=[KNL]
-
-

- With this parameter, you can specify under what conditions an SRCU tree srcu_struct structure will be converted to big form, that is, - with an rcu_node tree: -

-
-
    -
  • - 0: Never. -
  • -
  • - 1: At init_srcu_struct() time. -
  • -
  • - 2: When rcutorture decides to. -
  • -
  • - 3: Decide at boot time (default). -
  • -
  • -

    - 0x1X: Above plus if high contention. -

    -

    - Either way, the srcu_node tree will be sized based - on the actual runtime number of CPUs (nr_cpu_ids) - instead of the compile-time CONFIG_NR_CPUS. -

    -
  • -
-
-
-
srcutree.srcu_max_nodelay=[KNL]
-
- With this parameter, you can specify the number of no-delay instances per jiffy for which the - SRCU grace period worker thread will be rescheduled with zero delay. Beyond this limit, worker - thread will be rescheduled with a sleep delay of one jiffy. -
-
srcutree.srcu_max_nodelay_phase=[KNL]
-
- With this parameter, you can specify the per-grace-period phase, number of non-sleeping polls of - readers. Beyond this limit, grace period worker thread will be rescheduled with a sleep delay of - one jiffy, between each rescan of the readers, for a grace period phase. -
-
srcutree.srcu_retry_check_delay=[KNL]
-
- With this parameter, you can specify number of microseconds of non-sleeping delay between each - non-sleeping poll of readers. -
-
srcutree.small_contention_lim=[KNL]
-
-

- With this parameter, you can specify the number of update-side contention events per jiffy - will be tolerated before initiating a conversion of an srcu_struct structure to big form. -

-
-
Note
-
-

- The value of srcutree.convert_to_big must have the 0x10 - bit set for contention-based conversions to occur. -

-
-
-
-
-
-

Updated kernel parameters

-
-
-
crashkernel=size[KMG][@offset[KMG]]
-
-

- [KNL] Using kexec, Linux can switch to a crash kernel upon - panic. This parameter reserves the physical memory region [offset, offset + size] for that - kernel image. If @offset is omitted, then a suitable offset is - selected automatically. -

-

- [KNL, X86-64, ARM64] Select a region under 4G first, and fall back to reserve region above - 4G when @offset has not been specified. -

-

- For more details, see Documentation/admin-guide/kdump/kdump.rst. -

-
-
crashkernel=size[KMG],low
-
-
-
    -
  • -

    - [KNL, X86-64, ARM64] With this parameter, you can specify low range under 4G for - the second kernel. When crashkernel=X,high is - passed, that require some amount of low memory, for example swiotlb requires at least 64M+32K low memory, also - enough extra low memory is needed to make sure DMA buffers for 32-bit devices - will not run out. Kernel would try to allocate default size of memory below 4G - automatically. The default size is platform dependent. -

    -
    -
      -
    • - x86: max(swiotlb_size_or_default() + 8MiB, 256MiB) -
    • -
    • -

      - arm64: 128MiB -

      -

      - 0: to disable low allocation. -

      -

      - This parameter will be ignored when crashkernel=X,high is not used or memory - reserved is below 4G. -

      -
    • -
    -
    -
  • -
  • -

    - [KNL, ARM64] With this parameter, you can specify a low range in the DMA zone - for the crash dump kernel. -

    -

    - This parameter will be ignored when crashkernel=X,high is not used. -

    -
  • -
-
-
-
deferred_probe_timeout=[KNL]
-
-

- With this parameter, you can set a timeout in seconds for deferred probe to give up waiting - on dependencies to probe. Only specific dependencies (subsystems or drivers) that have opted - in will be ignored. -

-

- A timeout of 0 will time out at the end of initcalls. If the - time out has not expired, the option will be restarted by each successful driver - registration. This option will also dump out devices still on the deferred probe list after - retrying. -

-
-
driver_async_probe=[KNL]
-
-

- With this parameter, you can list of driver names to be probed asynchronously. * (the asterisk) matches with all driver names. -

-
-
    -
  • -

    - If * is specified, the rest of the listed driver - names are those that will NOT match the *. -

    -

    - Format: <driver_name1>,<driver_name2>…​ -

    -
  • -
-
-
-
hugetlb_cma=[HW,CMA]
-
-

- With this parameter, you can specify the size of a CMA area used for allocation of gigantic - hugepages. Or using node format, the size of a CMA area per node. -

-

- Format: nn[KMGTPE] or (node format) <node>:nn[KMGTPE][,<node>:nn[KMGTPE]] -

-

- Reserve a CMA area of given size and allocate gigantic hugepages using the CMA allocator. If - enabled, the boot-time allocation of gigantic hugepages is skipped. -

-
-
hugepages=[HW]
-
-

- With this parameter, you can specify the number of HugeTLB pages to allocate at boot. -

-
-
    -
  • - If this follows hugepagesz, it specifies the number of pages of hugepagesz to be - allocated. -
  • -
  • - If this is the first HugeTLB parameter on the command line, it specifies the number - of pages to allocate for the default huge page size. -
  • -
  • -

    - If using node format, the number of pages to allocate per-node can be specified. -

    -

    - See also Documentation/admin-guide/mm/hugetlbpage.rst. -

    -

    - Format: <integer> or (node format) <node>:<integer>[,<node>:<integer>] -

    -
  • -
-
-
-
hugetlb_free_vmemmap=[KNL]
-
-

- This parameter requires CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP to - be enabled. Allows heavy hugetlb users to free up some more memory (7 * PAGE_SIZE for each - 2MB hugetlb page). -

-
-
    -
  • - Format: { [oO][Nn]/Y/y/1 | [oO][Ff]/N/n/0 (default) } -
  • -
  • - [oO][Nn]/Y/y/1: enable the feature -
  • -
  • -

    - [oO][Ff]/N/n/0: disable the feature -

    -

    - Built with CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP_DEFAULT_ON=y, -

    -

    - Defaults to on. -

    -
    -
    Note
    -
    -

    - This parameter is not compatible with memory_hotplug.memmap_on_memory. If both - parameters are enabled, hugetlb_free_vmemmap takes precedence over - memory_hotplug.memmap_on_memory. -

    -
    -
    -
  • -
-
-
-
ivrs_ioapic=[HW,X86-64]
-
-

- This parameter provides an override to the IOAPIC-ID <-> DEVICE-ID mapping provided in - the IVRS ACPI table. -

-

- By default, PCI segment is 0, and can be omitted. For example, -

-
-
    -
  • -

    - to map IOAPIC-ID decimal 10 to PCI device 00:14.0, write the parameter as: -

    -
    ivrs_ioapic[10]=00:14.0
    -
  • -
  • -

    - to map IOAPIC-ID decimal 10 to PCI segment 0x1 and PCI device 00:14.0, write the - parameter as: -

    -
    ivrs_ioapic[10]=0001:00:14.0
    -
  • -
-
-
-
ivrs_hpet=[HW,X86-64]
-
-

- This parameter provides an override to the HPET-ID <-> DEVICE-ID mapping provided in - the IVRS ACPI table. -

-

- By default, PCI segment is 0, and can be omitted. For example: -

-
-
    -
  • -

    - to map HPET-ID decimal 0 to PCI device 00:14.0, write the parameter as: -

    -
    ivrs_hpet[0]=00:14.0
    -
  • -
  • -

    - to map HPET-ID decimal 10 to PCI segment 0x1 and PCI device 00:14.0, write the - parameter as: -

    -
    ivrs_ioapic[10]=0001:00:14.0
    -
  • -
-
-
-
ivrs_acpihid=[HW,X86-64]
-
-

- This parameter provides an override to the ACPI-HID:UID <-> DEVICE-ID mapping provided - in the IVRS ACPI table. -

-

- For example, to map UART-HID:UID AMD0020:0 to PCI - segment 0x1 and PCI device ID 00:14.5, write the parameter as: -

-
ivrs_acpihid[0001:00:14.5]=AMD0020:0
-

- By default, PCI segment is 0, and can be omitted. For example, - for the PCI device 00:14.5 write the parameter as: -

-
ivrs_acpihid[00:14.5]=AMD0020:0
-
-
kvm.eager_page_split=[KVM,X86]
-
-

- With this parameter, you can control whether or not KVM will try to proactively split all - huge pages during dirty logging. -

-

- Eager page splitting reduces interruptions to vCPU execution by eliminating the - write-protection faults and MMU lock contention that would otherwise be required to split - huge pages lazily. VM workloads that rarely perform writes or that write only to a small - region of VM memory may benefit from disabling eager page splitting to allow huge pages to - still be used for reads. -

-

- The behavior of eager page splitting depends on whether KVM_DIRTY_LOG_INITIALLY_SET is enabled or disabled. -

-
-
    -
  • - If disabled, all huge pages in a memslot will be eagerly split when dirty logging is - enabled on that memslot. -
  • -
  • -

    - If enabled, eager page splitting will be performed during the KVM_CLEAR_DIRTY ioctl, and only for the pages being - cleared. -

    -

    - Eager page splitting is only supported when kvm.tdp_mmu=Y. -

    -

    - Defaults to Y (on). -

    -
  • -
-
-
-
kvm-arm.mode=[KVM,ARM]
-
-

- With this parameter, you can select one of KVM/arm64’s modes of operation. -

-
-
    -
  • - none: Forcefully disable KVM. -
  • -
  • - nvhe: Standard nVHE-based mode, without support for protected guests. -
  • -
  • -

    - protected: nVHE-based mode with support for guests whose state is kept private - from the host. -

    -

    - Defaults to VHE/nVHE based on hardware support. -

    -
  • -
-
-
-
nosmep=[X86,PPC64s]
-
-

- With this parameter, you can disable SMEP (Supervisor Mode Execution Prevention) even if it - is supported by processor. -

-

- Format: pci=option[,option…​] [PCI] various_PCI_subsystem_options -

-

- Some options herein operate on a specific device or a set of devices (<pci_dev>). These are specified in one of the following - formats: -

-
[<domain>:]<bus>:<dev>.<func>[/<dev>.<func>]*
-pci:<vendor>:<device>[:<subvendor>:<subdevice>]
-
-
Note
-
-
-
    -
  • - The first format specifies a PCI bus/device/function address which may - change if new hardware is inserted, if motherboard firmware changes, or due - to changes caused by other kernel parameters. If the domain is left - unspecified, it is taken to be zero. Optionally, a path to a device through - multiple device and function addresses can be specified after the base - address (this is more robust against renumbering issues). -
  • -
  • - The second format selects devices using IDs from the configuration space - which may match multiple devices in the system. -
  • -
-
-
-
-
-
    -
  • - earlydump: dump PCI config space before the kernel changes anything -
  • -
  • - off: [X86] do not probe for the PCI bus -
  • -
  • - bios: [X86-32] force use of PCI BIOS, do not access the hardware directly. Use this - if your machine has a non-standard PCI host bridge. -
  • -
  • - nobios: [X86-32] disallow use of PCI BIOS, only direct hardware access methods are - allowed. Use this if you experience crashes upon bootup and you suspect they are - caused by the BIOS. -
  • -
  • - conf1: [X86] Force use of PCI Configuration Access Mechanism 1 (configuration - address in IO port 0xCF8, data in IO port 0xCFC, both 32-bit). -
  • -
  • -

    - conf2: [X86] Force use of PCI Configuration Access Mechanism 2 (IO port 0xCF8 is - an 8-bit port for the function, IO port 0xCFA, also 8-bit, sets bus number. The - config space is then accessed through ports 0xC000-0xCFFF). -

    -
    - -
    -
  • -
  • - noaer: [PCIE] If the PCIEAER kernel configuration parameter is enabled, this kernel - boot option can be used to disable the use of PCIE advanced error reporting. -
  • -
  • - nodomains: [PCI] Disable support for multiple PCI root domains (aka PCI segments, in - ACPI-speak). -
  • -
  • - nommconf: [X86] Disable use of MMCONFIG for PCI Configuration -
  • -
  • - check_enable_amd_mmconf [X86]: check for and enable properly configured MMIO access - to PCI config space on AMD family 10h CPU -
  • -
  • - nomsi: [MSI] If the PCI_MSI kernel configuration - parameter is enabled, this kernel boot option can be used to disable the use of MSI - interrupts system-wide. -
  • -
  • - noioapicquirk: [APIC] Disable all boot interrupt quirks. Safety option to keep boot - IRQs enabled. This should never be necessary. -
  • -
  • - ioapicreroute: [APIC] Enable rerouting of boot IRQs to the primary IO-APIC for - bridges that cannot disable boot IRQs. This fixes a source of spurious IRQs when the - system masks IRQs. -
  • -
  • - noioapicreroute [APIC] Disable workaround that uses the boot IRQ equivalent of an - IRQ that connects to a chipset where boot IRQs cannot be disabled. The opposite of - ioapicreroute. -
  • -
  • - biosirq: [X86-32] Use PCI BIOS calls to get the interrupt routing table. These calls - are known to be buggy on several machines and they hang the machine when used, but - on other computers it is the only way to get the interrupt routing table. Try this - option if the kernel is unable to allocate IRQs or discover secondary PCI buses on - your Motherboard. -
  • -
  • - rom: [X86] Assign address space to expansion ROMs. Use with caution as certain - devices share address decoders between ROMs and other resources. -
  • -
  • - norom: [X86] Do not assign address space to expansion ROMs that do not already have - BIOS assigned address ranges. -
  • -
  • - nobar: [X86] Do not assign address space to the BARs that were not assigned by the - BIOS. -
  • -
  • - irqmask=0xMMMM: [X86] Set a bit mask of IRQs allowed to be assigned automatically to - PCI devices. You can make the kernel exclude IRQs of your ISA cards this way. -
  • -
  • - pirqaddr=0xAAAAA: [X86] Specify the physical address of the PIRQ table (normally - generated by the BIOS) if it is outside the F0000h-100000h range. -
  • -
  • - lastbus=N: [X86] Scan all buses thru bus #N. Can be useful if the kernel is unable - to find your secondary buses and you want to tell it explicitly which ones they are. -
  • -
  • - assign-busses: [X86] Always assign all PCI bus numbers ourselves, overriding - whatever the firmware may have done. -
  • -
  • - usepirqmask: [X86] Honor the possible IRQ mask stored in the BIOS $PIR table. This - is needed on some systems with broken BIOSes, notably some HP Pavilion N5400 and - Omnibook XE3 notebooks. This will have no effect if ACPI IRQ routing is enabled. -
  • -
  • - noacpi: [X86] Do not use ACPI for IRQ routing or for PCI scanning. -
  • -
  • - use_crs: [X86] Use PCI host bridge window information from ACPI. On BIOSes from 2008 - or later, this is enabled by default. If you need to use this, please report a bug. -
  • -
  • - nocrs: [X86] Ignore PCI host bridge windows from ACPI. If you need to use this, - please report a bug. -
  • -
  • - use_e820: [X86] Use E820 reservations to exclude parts of PCI host bridge windows. - This is a workaround for BIOS defects in host bridge _CRS methods. If you need to - use this, please report a bug to linux-pci@vger.kernel.org. -
  • -
  • - no_e820: [X86] Ignore E820 reservations for PCI host bridge windows. This is the - default on modern hardware. If you need to use this, please report a bug to linux-pci@vger.kernel.org. -
  • -
  • - routeirq: Do IRQ routing for all PCI devices. This is normally done in pci_enable_device(), so this option is a temporary - workaround for broken drivers that do not call it. -
  • -
  • - skip_isa_align: [X86] do not align io start addr, so can handle more pci cards -
  • -
  • - oearly: [X86] Do not do any early type 1 scanning. This might help on some broken - boards which machine check when some devices' config space is read. But various - workarounds are disabled and some IOMMU drivers will not work. -
  • -
  • - bfsort: Sort PCI devices into breadth-first order. This sorting is done to get a - device order compatible with older (⇐ 2.4) kernels. -
  • -
  • - nobfsort: Do not sort PCI devices into breadth-first order. -
  • -
  • - pcie_bus_tune_off: Disable PCIe MPS (Max Payload Size) tuning and use the - BIOS-configured MPS defaults. -
  • -
  • - pcie_bus_safe: Set every device’s MPS to the largest value supported by all devices - below the root complex. -
  • -
  • - pcie_bus_perf Set device MPS to the largest allowable MPS based on its parent bus. - Also set MRRS (Max Read Request Size) to the largest supported value (no larger than - the MPS that the device or bus can support) for best performance. -
  • -
  • - pcie_bus_peer2peer: Set every device’s MPS to 128B, which every device is guaranteed - to support. This configuration allows peer-to-peer DMA between any pair of devices, - possibly at the cost of reduced performance. This also guarantees that hot-added - devices will work. -
  • -
  • - cbiosize=nn[KMG]: The fixed amount of bus space which is reserved for the CardBus - bridge’s IO window. The default value is 256 - bytes. -
  • -
  • - cbmemsize=nn[KMG]: The fixed amount of bus space which is reserved for the CardBus - bridge’s memory window. The default value is 64 - megabytes. -
  • -
  • -

    - resource_alignment= -

    -
    -
      -
    • - Format: [<order of align>@]<pci_dev>[; …​] -
    • -
    • - Specifies alignment and device to reassign aligned memory resources. How - to specify the device is described above. If <order of align> is not specified, - PAGE_SIZE is used as alignment. A PCI-PCI - bridge can be specified if resource windows need to be expanded. To - specify the alignment for several instances of a device, the PCI vendor, - device, subvendor, and subdevice may be specified, for example, 12@pci:8086:9c22:103c:198f for 4096-byte - alignment. -
    • -
    -
    -
  • -
  • -

    - ecrc=: Enable/disable PCIe ECRC (transaction layer end-to-end CRC checking). -

    -
    -
      -
    • - bios: Use BIOS/firmware settings. This is the default. -
    • -
    • - off: Turn ECRC off -
    • -
    • - on: Turn ECRC on. -
    • -
    -
    -
  • -
  • - hpiosize=nn[KMG]: The fixed amount of bus space which is reserved for hotplug - bridge’s IO window. Default size is 256 - bytes. -
  • -
  • - hpmmiosize=nn[KMG]: The fixed amount of bus space which is reserved for hotplug - bridge’s MMIO window. Default size is 2 - megabytes. -
  • -
  • - hpmmioprefsize=nn[KMG]: The fixed amount of bus space which is reserved for hotplug - bridge’s MMIO_PREF window. Default size is 2 - megabytes. -
  • -
  • - hpmemsize=nn[KMG]: The fixed amount of bus space which is reserved for hotplug - bridge’s MMIO and MMIO_PREF window. Default size is 2 - megabytes. -
  • -
  • - hpbussize=nn: The minimum amount of additional bus numbers reserved for buses below - a hotplug bridge. Default is 1. -
  • -
  • -

    - realloc=: Enable/disable reallocating PCI bridge resources if allocations done - by BIOS are too small to accommodate resources required by all child devices. -

    -
    -
      -
    • - off: Turn realloc off -
    • -
    • - on: Turn realloc on -
    • -
    -
    -
  • -
  • - realloc: same as realloc=on -
  • -
  • - noari: do not use PCIe ARI. -
  • -
  • - noats: [PCIE, Intel-IOMMU, AMD-IOMMU] do not use PCIe ATS (and IOMMU device IOTLB). -
  • -
  • - pcie_scan_all: Scan all possible PCIe devices. Otherwise we only look for one device - below a PCIe downstream port. -
  • -
  • - big_root_window: Try to add a big 64bit memory window to the PCIe root complex on - AMD CPUs. Some GFX hardware can resize a BAR to allow access to all VRAM. Adding the - window is slightly risky (it may conflict with unreported devices), so this taints - the kernel. -
  • -
  • - disable_acs_redir=<pci_dev>[; …​]: Specify one or more PCI devices (in the - format specified above) separated by semicolons. Each device specified will have the - PCI ACS redirect capabilities forced off which will allow P2P traffic between - devices through bridges without forcing it upstream. Note: this removes isolation - between devices and may put more devices in an IOMMU group. -
  • -
  • - force_floating: [S390] Force usage of floating interrupts. -
  • -
  • - nomio: [S390] Do not use MIO instructions. -
  • -
  • - norid: [S390] ignore the RID field and force use of one PCI domain per PCI function -
  • -
-
-
-
rcupdate.rcu_cpu_stall_timeout=[KNL]
-
- Set timeout for RCU CPU stall warning messages. The value is in seconds and the maximum allowed - value is 300 seconds. -
-
rcupdate.rcu_task_stall_timeout=[KNL]
-
-

- With this parameter, you can set timeout in jiffies for RCU task stall warning messages. - Disable with a value less than or equal to zero. -

-

- Defaults to 10 minutes. -

-

- A change in value does not take effect until the beginning of the next grace period. -

-
-
retbleed=[X86]
-
-

- With this parameter, you can control mitigation of RETBleed (Arbitrary Speculative Code - Execution with Return Instructions) vulnerability. -

-

- AMD-based UNRET and IBPB mitigations alone do not stop sibling threads from influencing the - predictions of other sibling threads. For that reason, STIBP is used on processors that - support it, and mitigate SMT on processors that do not. -

-
-
    -
  • - off - no mitigation -
  • -
  • - auto - automatically select a migitation -
  • -
  • - auto,nosmt - automatically select a mitigation, disabling SMT if necessary for the - full mitigation (only on Zen1 and older without STIBP). -
  • -
  • - ibpb - On AMD, mitigate short speculation windows on basic block boundaries too. - Safe, highest perf impact. It also enables STIBP if present. Not suitable on Intel. -
  • -
  • - ibpb,nosmt - Like ibpb above but will disable SMT when - STIBP is not available. This is the alternative for systems which do not have STIBP. -
  • -
  • - unret - Force enable untrained return thunks, only effective on AMD f15h-f17h based - systems. -
  • -
  • -

    - unret,nosmt - Like unret, but will disable SMT when STIBP is not available. This - is the alternative for systems which do not have STIBP. -

    -

    - Selecting auto will choose a mitigation method at - run time according to the CPU. -

    -

    - Not specifying this option is equivalent to retbleed=auto. -

    -
  • -
-
-
-
swiotlb=[ARM,IA-64,PPC,MIPS,X86]
-
-

- Format: { <int> [,<int>] | force | noforce } -

-
-
    -
  • - <int> - Number of I/O TLB slabs -
  • -
  • - <int> - Second integer after comma. Number of swiotlb areas with their own lock. Will be rounded up to - a power of 2. -
  • -
  • - force - force using of bounce buffers even if they would not be automatically used - by the kernel -
  • -
  • - noforce - Never use bounce buffers (for debugging) -
  • -
-
-
-
-
-

New sysctl parameters

-
-
-
kernel.nmi_wd_lpm_factor (PPC only)
-
-

- This factor represents the percentage added to watchdog_thresh - when calculating the NMI watchdog timeout during an LPM. The soft lockup timeout is not - impacted. Use this factor to apply to the NMI watchdog timeout (only when nmi_watchdog is set to 1). -

-
-
    -
  • - A value of 0 means no change. -
  • -
  • - Defaults to 200, which means that the NMI watchdog is - set to 30s (based on watchdog_thresh equal to 10). -
  • -
-
-
-
net.core.txrehash
-
-

- With this parameter, you can control default hash rethink behavior on listening socket when - the SO_TXREHASH option is set to SOCK_TXREHASH_DEFAULT (that is, not overridden by setsockopt). -

-
-
    -
  • - If set to 1 (default), hash rethink is performed on - listening socket. -
  • -
  • - If set to 0, hash rethink is not performed. -
  • -
-
-
-
net.sctp.reconf_enable - BOOLEAN
-
-

- With this extension, you can enable or disable extension of Stream Reconfiguration - functionality specified in RFC6525. This extension provides the ability to "reset" a stream - and includes the parameters of Outgoing/Incoming SSN Reset, - SSN/TSN Reset and Add Outgoing/Incoming Streams. -

-
-
    -
  • - 1: Enable extension. -
  • -
  • - 0: Disable extension. -
  • -
  • - Defaults to 0. -
  • -
-
-
-
net.sctp.intl_enable - BOOLEAN
-
-

- With this extension, you can enable or disable extension of User Message Interleaving - functionality specified in RFC8260. This extension allows the interleaving of user messages - sent on different streams. With this feature enabled, I-DATA chunk will replace DATA chunk - to carry user messages if also supported by the peer. Note that to use this feature, you - must set this option to 1 and also set socket options SCTP_FRAGMENT_INTERLEAVE to 2 and - SCTP_INTERLEAVING_SUPPORTED to 1. -

-
-
    -
  • - 1: Enable extension. -
  • -
  • - 0: Disable extension. -
  • -
  • - Defaults to 0. -
  • -
-
-
-
net.sctp.ecn_enable - BOOLEAN
-
-

- With this extension, you can control use of Explicit Congestion Notification (ECN) by SCTP. - Like in TCP, ECN is used only when both ends of the SCTP connection indicate support for it. - This feature is useful in avoiding losses due to congestion by allowing supporting routers - to signal congestion before having to drop packets. -

-
-
    -
  • - 1: Enable ecn. -
  • -
  • - 0: Disable ecn. -
  • -
  • - Defaults to 1. -
  • -
-
-
-
vm.hugetlb_optimize_vmemmap
-
-

- This knob is not available when the memory_hotplug.memmap_on_memory kernel parameter is configured or - the size of struct page (a structure defined in include/linux/mm_types.h) is not power of two (an unusual system - configuration could result in this). -

-

- You can enable (set to 1) or disable (set to 0) the feature of optimizing vmemmap pages associated with each HugeTLB page. -

-
-
    -
  • - If enabled, the vmemmap pages of subsequent allocation - of HugeTLB pages from buddy allocator will be optimized (7 pages per 2MB HugeTLB - page and 4095 pages per 1GB HugeTLB page), whereas already allocated HugeTLB pages - will not be optimized. When those optimized HugeTLB pages are freed from the HugeTLB - pool to the buddy allocator, the vmemmap pages - representing that range needs to be remapped again and the vmemmap pages discarded earlier need to be rellocated - again. -
  • -
  • - If your use case is that HugeTLB pages are allocated impromptu (for example, never - explicitly allocating HugeTLB pages with nr_hugepages - but only set nr_overcommit_hugepages, those - overcommitted HugeTLB pages are allocated impromptu) instead of being pulled from - the HugeTLB pool, you should weigh the benefits of memory savings against the more - overhead (~2x slower than before) of allocation or freeing HugeTLB pages between the - HugeTLB pool and the buddy allocator. Another behavior to note is that if the system - is under heavy memory pressure, it could prevent the user from freeing HugeTLB pages - from the HugeTLB pool to the buddy allocator since the allocation of vmemmap pages could be failed, you have to retry later if - your system encounter this situation. -
  • -
  • - If disabled, the vmemmap pages of subsequent allocation - of HugeTLB pages from buddy allocator will not be optimized meaning the extra - overhead at allocation time from buddy allocator disappears, whereas already - optimized HugeTLB pages will not be affected. If you want to make sure there are no - optimized HugeTLB pages, you can set nr_hugepages to - 0 first and then disable this. Note that writing 0 to nr_hugepages will make - any in use HugeTLB pages become surplus - pages. So, those surplus pages are still optimized until they are no longer in use. - You will need to wait for those surplus pages to be released before there are no - optimized pages in the system. -
  • -
-
-
-
net.core.rps_default_mask
-
- The default RPS CPU mask used on newly created network devices. An empty mask means RPS disabled - by default. -
-
-
-

Changed sysctl parameters

-
-
-
kernel.numa_balancing
-
-

- With this parameter, you can enable, disable, and configure automatic page fault based NUMA - memory balancing. Memory is moved automatically to nodes that access it often. The value to - set can be the result of ORing the following: -

-
= =================================
-0 NUMA_BALANCING_DISABLED
-1 NUMA_BALANCING_NORMAL
-2 NUMA_BALANCING_MEMORY_TIERING
-= =================================
-

- Or NUMA_BALANCING_NORMAL to optimize page placement among - different NUMA nodes to reduce remote accessing. On NUMA machines, there is a performance - penalty if remote memory is accessed by a CPU. When this feature is enabled the kernel - samples what task thread is accessing memory by periodically unmapping pages and later - trapping a page fault. At the time of the page fault, it is determined if the data being - accessed should be migrated to a local memory node. -

-

- Or NUMA_BALANCING_MEMORY_TIERING to optimize page placement - among different types of memory (represented as different NUMA nodes) to place the hot pages - in the fast memory. This is implemented based on unmapping and page fault, too. -

-
-
net.ipv6.route.max_size
-
- This is now deprecated for ipv6 as garbage collection manages cached route entries. -
-
net.sctp.sctp_wmem
-
-

- This tunable previously was documented as not having any effect. Now, only the first value - (min) is used, default and max are ignored. -

-
-
    -
  • - min: Minimum size of send buffer that can be used by SCTP sockets. It is guaranteed - to each SCTP socket (but not association) even under moderate memory pressure. -
  • -
  • - Defaults to 4K. -
  • -
-
-
-
-
-
-
-
-
-
-

Chapter 6. Device drivers

-
-
-
-
-
-
-
-

6.1. New drivers

-
-
-
-
-
    -
  • - ACPI Video Driver (video), only in 64-bit ARM architecture -
  • -
  • - CXL driver for CXL memory endpoint devices and switches for memory expansion (cxl_mem) -
  • -
  • - GNSS receiver core (gnss) -
  • -
  • - GPIO Simulator Module (gpio-sim), only in 64-bit ARM - architecture -
  • -
  • - VirtIO GPIO driver (gpio-virtio), only in 64-bit ARM - architecture -
  • -
  • - NVIDIA Tegra HTE (Hardware Timestamping Engine) driver (hte-tegra194), only in 64-bit ARM architecture -
  • -
  • - I2C adapter driver for LPI2C bus (i2c-imx-lpi2c), only in - 64-bit ARM architecture -
  • -
  • - Virtio i2c bus driver (i2c-virtio), only in 64-bit ARM - architecture -
  • -
  • - User level driver support for input subsystem (uinput), only in - 64-bit ARM architecture -
  • -
  • - Module which implements common functions that can be used by the nvme host or target drivers - (nvme-common) -
  • -
  • - AMD PMC Driver (amd-pmc), only in AMD and Intel 64-bit - architectures -
  • -
  • - Nvidia sn2201 platform driver (nvsw-sn2201), only in AMD and - Intel 64-bit architectures -
  • -
  • - Serial multi instantiate pseudo device driver (serial-multi-instantiate), only in AMD and Intel 64-bit - architectures -
  • -
  • - Micro Crystal RV8803 RTC driver (rtc-rv8803), only in 64-bit - ARM architecture and AMD and Intel 64-bit architectures -
  • -
  • - NVIDIA Tegra QSPI Controller Driver (spi-tegra210-quad), only - in 64-bit ARM architecture -
  • -
  • - UCSI driver for Cypress CCGx Type-C controller (ucsi_ccg), only - in 64-bit ARM architecture -
  • -
  • - Confidential computing EFI secret area access (efi_secret), - only in AMD and Intel 64-bit architectures -
  • -
  • - TDX Guest Driver (tdx-guest), only in AMD and Intel 64-bit - architectures -
  • -
  • - HPE watchdog driver (hpwdt), only in 64-bit ARM architecture -
  • -
  • - POWER Architecture Platform Watchdog Driver (pseries-wdt), only - in IBM Power Systems, Little Endian -
  • -
-
-

Network drivers

-
-
    -
  • - Driver for VXLAN encapsulated traffic (vxlan) -
  • -
  • - Marvell OcteonTX2 RVU Admin Function Driver (rvu_af), only in - 64-bit ARM architecture -
  • -
  • - Marvell RVU NIC Physical Function Driver (rvu_nicpf), only in - 64-bit ARM architecture -
  • -
  • - Marvell RVU NIC PTP Driver (otx2_ptp), only in 64-bit ARM - architecture -
  • -
  • - Marvell RVU NIC Virtual Function Driver (rvu_nicvf), only in - 64-bit ARM architecture -
  • -
  • - NVIDIA Tegra MGBE driver (dwmac-tegra), only in 64-bit ARM - architecture -
  • -
  • - Serial line CAN interface (slcan), only in 64-bit ARM - architecture -
  • -
  • - Solarflare Siena network driver (sfc-siena), only in IBM Power - Systems, Little Endian and AMD and Intel 64-bit architectures -
  • -
-
-

Graphics drivers and miscellaneous drivers

-
-
    -
  • - DRM Buddy Allocator (drm_buddy), only in 64-bit ARM - architecture and IBM Power Systems, Little Endian -
  • -
  • - DRM display adapter helper (drm_display_helper), only in 64-bit - ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit architectures -
  • -
  • - DRM DisplayPort AUX bus (drm_dp_aux_bus), only in 64-bit ARM - architecture -
  • -
  • - Host1x driver for Tegra products (host1x), only in 64-bit ARM - architecture -
  • -
  • - NVIDIA Tegra DRM driver (tegra-drm), only in 64-bit ARM - architecture -
  • -
  • - Intel® GVT-g for KVM (kvmgt), only in AMD and Intel 64-bit - architectures -
  • -
  • - HP® iLO/iLO2 management processor (hpilo), only in 64-bit ARM - architecture -
  • -
  • - Intel® auxiliary driver for GSC devices (mei-gsc), only in AMD - and Intel 64-bit architectures -
  • -
-
-
-
-
-
-
-

6.2. Updated drivers

-
-
-
-

Storage driver updates

-
-
    -
  • - Driver for Microchip Smart Family Controller (smartpqi) has - been updated to version 2.1.20-035 (only in 64-bit ARM architecture, IBM Power Systems, - Little Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - Emulex LightPulse Fibre Channel SCSI driver (lpfc) has been - updated to version 14.2.0.8 (only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - MPI3 Storage Controller Device Driver (mpi3mr) has been updated - to version 8.2.0.3.0. -
  • -
  • - CSI debug adapter driver (scsi_debug) has been updated to - version 0191. -
  • -
  • - LSI MPT Fusion SAS 3.0 Device Driver (mpt3sas) has been updated - to version 43.100.00.00 (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, - and AMD and Intel 64-bit architectures). -
  • -
-
-
-
-
-
-
-
-

Chapter 7. Available BPF Features

-
-
-
-

- This chapter provides the complete list of Berkeley Packet Filter (BPF) features available in the kernel of this minor version of Red Hat - Enterprise Linux 9. The tables include the lists of: -

- -

- This chapter contains automatically generated output of the bpftool feature - command. -

-
-

Table 7.1. System configuration and other options

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionValue
-

- unprivileged_bpf_disabled -

-
-

- 2 (bpf() syscall restricted to privileged users, admin can change) -

-
-

- JIT compiler -

-
-

- 1 (enabled) -

-
-

- JIT compiler hardening -

-
-

- 1 (enabled for unprivileged users) -

-
-

- JIT compiler kallsyms exports -

-
-

- 1 (enabled for root) -

-
-

- Memory limit for JIT for unprivileged users -

-
-

- 264241152 -

-
-

- CONFIG_BPF -

-
-

- y -

-
-

- CONFIG_BPF_SYSCALL -

-
-

- y -

-
-

- CONFIG_HAVE_EBPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT_ALWAYS_ON -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF_MODULES -

-
-

- y -

-
-

- CONFIG_CGROUPS -

-
-

- y -

-
-

- CONFIG_CGROUP_BPF -

-
-

- y -

-
-

- CONFIG_CGROUP_NET_CLASSID -

-
-

- y -

-
-

- CONFIG_SOCK_CGROUP_DATA -

-
-

- y -

-
-

- CONFIG_BPF_EVENTS -

-
-

- y -

-
-

- CONFIG_KPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_UPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_TRACING -

-
-

- y -

-
-

- CONFIG_FTRACE_SYSCALLS -

-
-

- y -

-
-

- CONFIG_FUNCTION_ERROR_INJECTION -

-
-

- y -

-
-

- CONFIG_BPF_KPROBE_OVERRIDE -

-
-

- n -

-
-

- CONFIG_NET -

-
-

- y -

-
-

- CONFIG_XDP_SOCKETS -

-
-

- y -

-
-

- CONFIG_LWTUNNEL_BPF -

-
-

- y -

-
-

- CONFIG_NET_ACT_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_ACT -

-
-

- y -

-
-

- CONFIG_NET_SCH_INGRESS -

-
-

- m -

-
-

- CONFIG_XFRM -

-
-

- y -

-
-

- CONFIG_IP_ROUTE_CLASSID -

-
-

- y -

-
-

- CONFIG_IPV6_SEG6_BPF -

-
-

- n -

-
-

- CONFIG_BPF_LIRC_MODE2 -

-
-

- n -

-
-

- CONFIG_BPF_STREAM_PARSER -

-
-

- y -

-
-

- CONFIG_NETFILTER_XT_MATCH_BPF -

-
-

- m -

-
-

- CONFIG_BPFILTER -

-
-

- n -

-
-

- CONFIG_BPFILTER_UMH -

-
-

- n -

-
-

- CONFIG_TEST_BPF -

-
-

- m -

-
-

- CONFIG_HZ -

-
-

- 1000 -

-
-

- bpf() syscall -

-
-

- available -

-
-

- Large program size limit -

-
-

- available -

-
-

- Bounded loop support -

-
-

- available -

-
-

- ISA extension v2 -

-
-

- available -

-
-

- ISA extension v3 -

-
-

- available -

-
-
-
-
-

Table 7.2. Available program types and supported helpers

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Program typeAvailable helpers
-

- socket_filter -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- kprobe -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_send_signal, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_task_storage_get, - bpf_task_storage_delete, bpf_get_current_task_btf, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_get_func_ip, bpf_get_attach_cookie, bpf_task_pt_regs, - bpf_get_branch_snapshot, bpf_find_vma, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, - bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read, - bpf_dynptr_write, bpf_dynptr_data -

-
-

- sched_cls -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, - bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - 
bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_skb_set_tstamp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_tcp_raw_gen_syncookie_ipv4, bpf_tcp_raw_gen_syncookie_ipv6, - bpf_tcp_raw_check_syncookie_ipv4, bpf_tcp_raw_check_syncookie_ipv6 -

-
-

- sched_act -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_tcp_gen_syncookie, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_redirect_peer, bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, - bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - 
bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_skb_set_tstamp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_tcp_raw_gen_syncookie_ipv4, bpf_tcp_raw_gen_syncookie_ipv6, - bpf_tcp_raw_check_syncookie_ipv4, bpf_tcp_raw_check_syncookie_ipv6 -

-
-

- tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_send_signal, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_task_storage_get, - bpf_task_storage_delete, bpf_get_current_task_btf, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_get_func_ip, bpf_get_attach_cookie, bpf_task_pt_regs, - bpf_get_branch_snapshot, bpf_find_vma, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, - bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read, - bpf_dynptr_write, bpf_dynptr_data -

-
-

- xdp -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, bpf_redirect, - bpf_perf_event_output, bpf_csum_diff, bpf_get_current_task, - bpf_get_numa_node_id, bpf_xdp_adjust_head, bpf_redirect_map, - bpf_xdp_adjust_meta, bpf_xdp_adjust_tail, bpf_fib_lookup, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_tcp_gen_syncookie, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, - bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, - bpf_task_pt_regs, bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, - bpf_xdp_get_buff_len, bpf_xdp_load_bytes, bpf_xdp_store_bytes, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_tcp_raw_gen_syncookie_ipv4, bpf_tcp_raw_gen_syncookie_ipv6, - bpf_tcp_raw_check_syncookie_ipv4, bpf_tcp_raw_check_syncookie_ipv6 -

-
-

- perf_event -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_send_signal, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_get_task_stack, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_get_func_ip, bpf_get_attach_cookie, - bpf_task_pt_regs, bpf_get_branch_snapshot, bpf_find_vma, bpf_loop, bpf_strncmp, - bpf_kptr_xchg, bpf_map_lookup_percpu_elem, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- cgroup_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_skb_cgroup_id, bpf_get_local_storage, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, - bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_sk_cgroup_id, - bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- cgroup_sock -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_current_cgroup_id, - bpf_get_local_storage, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_loop, bpf_strncmp, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- lwt_in -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_lwt_push_encap, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- lwt_out -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- lwt_xmit -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, - bpf_csum_diff, bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, bpf_set_hash_invalid, - bpf_get_numa_node_id, bpf_skb_change_head, bpf_lwt_push_encap, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- sock_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_setsockopt, bpf_sock_map_update, bpf_getsockopt, - bpf_sock_ops_cb_flags_set, bpf_sock_hash_update, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_get_netns_cookie, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_load_hdr_opt, - bpf_store_hdr_opt, bpf_reserve_hdr_opt, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, bpf_skc_to_unix_sock, - bpf_loop, bpf_strncmp, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, - bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read, - bpf_dynptr_write, bpf_dynptr_data -

-
-

- sk_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_tail_call, bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_adjust_room, bpf_sk_redirect_map, bpf_sk_redirect_hash, - bpf_sk_lookup_tcp, bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, - bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, - bpf_skc_lookup_tcp, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- cgroup_device -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, bpf_loop, bpf_strncmp, - bpf_get_retval, bpf_set_retval, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- sk_msg -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_cgroup_classid, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_msg_redirect_hash, bpf_get_current_cgroup_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_msg_push_data, - bpf_msg_pop_data, bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_skc_to_tcp6_sock, - bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, - bpf_skc_to_udp6_sock, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_task_pt_regs, bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, - bpf_kptr_xchg, bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- raw_tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_send_signal, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_task_storage_get, - bpf_task_storage_delete, bpf_get_current_task_btf, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_get_func_ip, bpf_task_pt_regs, bpf_get_branch_snapshot, - bpf_find_vma, bpf_loop, bpf_strncmp, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- cgroup_sock_addr -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_setsockopt, bpf_getsockopt, - bpf_bind, bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- lwt_seg6local -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- lirc_mode2 -

-
-

- not supported -

-
-

- sk_reuseport -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_skb_load_bytes_relative, bpf_sk_select_reuseport, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_loop, bpf_strncmp, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- flow_dissector -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- cgroup_sysctl -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_sysctl_get_name, bpf_sysctl_get_current_value, - bpf_sysctl_get_new_value, bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, bpf_loop, bpf_strncmp, - bpf_get_retval, bpf_set_retval, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- raw_tracepoint_writable -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_send_signal, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_task_storage_get, - bpf_task_storage_delete, bpf_get_current_task_btf, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_get_func_ip, bpf_task_pt_regs, bpf_get_branch_snapshot, - bpf_find_vma, bpf_loop, bpf_strncmp, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- cgroup_sockopt -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_uid_gid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_get_netns_cookie, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, bpf_loop, bpf_strncmp, - bpf_get_retval, bpf_set_retval, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- tracing -

-
-

- not supported -

-
-

- struct_ops -

-
-

- not supported -

-
-

- ext -

-
-

- not supported -

-
-

- lsm -

-
-

- not supported -

-
-

- sk_lookup -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-

- syscall -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_get_socket_cookie, bpf_perf_event_read_value, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_send_signal, bpf_skb_output, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_send_signal_thread, bpf_jiffies64, bpf_get_ns_current_pid_tgid, - bpf_xdp_output, bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_skc_to_tcp6_sock, - bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, - bpf_skc_to_udp6_sock, bpf_get_task_stack, bpf_d_path, bpf_copy_from_user, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_task_storage_get, - bpf_task_storage_delete, bpf_get_current_task_btf, bpf_sock_from_file, - bpf_for_each_map_elem, bpf_snprintf, bpf_sys_bpf, bpf_btf_find_by_name_kind, - bpf_sys_close, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_get_func_ip, bpf_task_pt_regs, bpf_get_branch_snapshot, - bpf_skc_to_unix_sock, bpf_kallsyms_lookup_name, bpf_find_vma, bpf_loop, - bpf_strncmp, bpf_xdp_get_buff_len, bpf_copy_from_user_task, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data -

-
-
-
-
-

Table 7.3. Available map types

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Map typeAvailable
-

- hash -

-
-

- yes -

-
-

- array -

-
-

- yes -

-
-

- prog_array -

-
-

- yes -

-
-

- perf_event_array -

-
-

- yes -

-
-

- percpu_hash -

-
-

- yes -

-
-

- percpu_array -

-
-

- yes -

-
-

- stack_trace -

-
-

- yes -

-
-

- cgroup_array -

-
-

- yes -

-
-

- lru_hash -

-
-

- yes -

-
-

- lru_percpu_hash -

-
-

- yes -

-
-

- lpm_trie -

-
-

- yes -

-
-

- array_of_maps -

-
-

- yes -

-
-

- hash_of_maps -

-
-

- yes -

-
-

- devmap -

-
-

- yes -

-
-

- sockmap -

-
-

- yes -

-
-

- cpumap -

-
-

- yes -

-
-

- xskmap -

-
-

- yes -

-
-

- sockhash -

-
-

- yes -

-
-

- cgroup_storage -

-
-

- yes -

-
-

- reuseport_sockarray -

-
-

- yes -

-
-

- percpu_cgroup_storage -

-
-

- yes -

-
-

- queue -

-
-

- yes -

-
-

- stack -

-
-

- yes -

-
-

- sk_storage -

-
-

- yes -

-
-

- devmap_hash -

-
-

- yes -

-
-

- struct_ops -

-
-

- yes -

-
-

- ringbuf -

-
-

- yes -

-
-

- inode_storage -

-
-

- yes -

-
-

- task_storage -

-
-

- yes -

-
-

- bloom_filter -

-
-

- yes -

-
-
-
-
-
-
-
-
-

Chapter 8. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 9.2 that have a significant impact on users. -

-
-
-
-
-

8.1. Installer and image creation

-
-
-
-
-

The installer now displays correct total disk space in Custom partitioning - with multipath or DDF RAID devices

-

- Previously, when Custom partitioning was selected in Installer on a system with a multipath or - DDF RAID device, the total disk space was not reported correctly and member disk devices were - listed as available for partitioning. -

-
-

- With this update, the Custom partitioning in Installer reports correct value for total disk space - and only allows to use the DDF RAID or multipath device as a whole. -

-

- Bugzilla:2052938 -

-
-

The installer now adds configuration options correctly into the yum repo - files

-

- Previously, the installer did not add configuration options correctly into yum repo files while - including and excluding packages from additional installation repositories. With this update, - yum repo files are created correctly. As a result, using the --excludepkgs= or --includepkgs= options - in the repo kickstart command now excludes or includes the - specified packages during installation as expected. -

-
-

- Bugzilla:2158210 -

-
-

Using the filename DHCP option no longer - blocks downloading the kickstart file for installation -

-

- Previously, when building a path for getting the kickstart file from an NFS server, the - installer did not consider the filename DHCP option. As a - consequence, the installer did not download the kickstart file and was blocking the installation - process. With this update, the filename DHCP option correctly - constructs a path to the kickstart file. As a result, the kickstart file is downloaded properly, - and the installation process starts correctly. -

-
-

- Bugzilla:1991843 -

-
-

The installer now creates a new GPT disk layout while custom - partitioning

-

- Previously, the installer did not change the disk layout to GPT when inst.gpt was specified on the kernel command line, and the user - removed all partitions from a disk with the MBR disk layout on the custom partitioning spoke. As - a consequence, the MBR disk layout remained on the disk. -

-
-

- With this update, the installer creates a new GPT disk layout on the disk if inst.gpt is specified on the kernel command line, and all partitions are - removed from a disk on the custom partitioning spoke. -

-

- Bugzilla:2127100 -

-
-

Installer now lists all PPC PreP Boot or BIOS Boot partitions during custom partitioning

-

- Previously, when adding multiple PPC PreP Boot or BIOS Boot partitions during custom partitioning, the Custom - Partitioning screen displayed only one partition of a related type. As a consequence, the Custom - Partitioning screen did not reflect the real state of the intended partitioning layout, making - the partitioning process difficult and non-transparent. -

-
-

- With this update, the Custom Partitioning screen correctly displays all PPC PreP Boot or BIOS Boot partitions in the - partitions list. As a result, users can now better understand and manage the intended partitioning - layout. -

-

- Bugzilla:2093793 -

-
-

Anaconda now validates LUKS passphrases for the FIPS requirements -

-

- Previously, Anaconda did not check if the length of LUKS passphrases satisfies the FIPS - requirements, while the underlying tools performed this check. As a consequence, installing in - FIPS mode with a passphrase shorter than 8 characters caused the installer to terminate - prematurely. -

-
-

- With this update, the installer has been improved to validate and enforce the minimum length for - passphrase. As a result, the installer informs if the LUKS passphrase is too short for use in the - FIPS mode and prevents the unexpected termination. -

-

- Bugzilla:2163497 -

-
-
-
-
-
-

8.2. Subscription management

-
-
-
-
-

Subscription manager no longer denies registration and fetching of Red Hat - content

-

- Previously, subscription-manager operated in container mode when - run under OpenShift Container Platform (OCP) because of improved container detection logic in - RHEL 9. As a consequence, the system was unable to use the provided subscription credentials and - therefore not fetching Red Hat content. -

-
-

- This update fixed the container detection logic so that subscription-manager running under OCP does not detect the system (that - is the running pod) as a container. As a result, you can now use the provided subscription - credentials or even register using your own credentials to fetch Red Hat content from an OpenShift - container. -

-

- Bugzilla:2108549 -

-
-

subscription-manager no longer retains - nonessential text in the terminal

-

- Starting with RHEL 9.1, subscription-manager displays progress - information while processing any operation. Previously, for some languages, typically non-Latin, - progress messages did not clean up after the operation finished. With this update, all the - messages are cleaned up properly when the operation finishes. -

-
-

- If you have disabled the progress messages before, you can re-enable them by entering the following - command: -

-
# subscription-manager config --rhsm.progress_messages=1
-

- Bugzilla:2136694 -

-
-
-
-
-
-

8.3. Software management

-
-
-
-
-

RPM no longer hangs during a transaction involving the fapolicyd service restart

-

- Previously, if you tried to update a package that caused the fapolicyd service to be restarted, for example, systemd, the RPM transaction stopped responding because the fapolicyd plug-in failed to communicate with the fapolicyd daemon. -

-
-

- With this update, the fapolicyd plug-in now correctly communicates with - the fapolicyd daemon. As a result, RPM no longer hangs during a - transaction which involves the fapolicyd service restart. -

-

- Bugzilla:2111251 -

-
-

Reverting a DNF upgrade transaction is now possible for a package group or - environment

-

- Previously, the dnf history rollback command failed when attempting - to revert an upgrade transaction for a package group or an environment. -

-
-

- With this update, the issue has been fixed, and you can now revert the DNF upgrade transaction for a - package group or environment. -

-

- Bugzilla:2122626 -

-
-

Security DNF upgrade is now possible for packages that change their - architecture through the upgrade

-

- Patch for BZ#2108969 introduced with RHBA-2022:8295 - caused a regression where DNF upgrade using security filters skipped packages that changed their - architecture from or to noarch through the upgrade. Consequently, - the missing security upgrades for these packages could leave the system in a vulnerable state. -

-
-

- With this update, the issue has been fixed, and security DNF upgrade no longer skips packages that - change architecture from or to noarch. -

-

- Bugzilla:2124480 -

-
-

Qt message QM files with 3-letter names are now packaged when an RPM - package is being built or rebuilt

-

- Previously, the find-lang.sh script could not find Qt message QM - files (.qm) with names consisting of 3 characters. Consequently, - these files were not added to an RPM package. -

-
-

- With this update, the issue has been fixed, and the 3-letter Qt message QM files can now be packaged - when building or rebuilding an RPM. -

-

- Bugzilla:2144005 -

-
-
-
-
-
-

8.4. Shells and command-line tools

-
-
-
-
-

ReaR handles excluded DASDs on the IBM Z architecture correctly -

-

- Previously on the IBM Z architecture, ReaR reformatted all connected Direct Access Storage - Devices (DASD) during the recovery process, including those DASDs that users excluded from the - saved layout and did not intend to restore their content. As a consequence, if you excluded some - DASDs from the saved layout, their data were lost during system recovery. With this update, ReaR - no longer formats excluded DASDs during system recovery, including the device from which the - ReaR rescue system was booted (using the zIPL bootloader). You are also prompted to confirm the - DASD formatting script before ReaR reformats DASDs. This ensures that the data on excluded DASDs - survive a system recovery. -

-
-

- Bugzilla:2172589 -

-
-

ReaR no longer fails to restore non-LVM XFS filesystems

-

- Previously, when you used ReaR to restore a non-LVM XFS filesystems with certain settings and - disk mapping, ReaR created the file system with the default settings instead of the specified - settings. For example, if you had a file system with the sunit and - swidth parameters set to non-zero values and you restored the file - system using ReaR with disk mapping, the file system would be created with default sunit and swidth parameters ignoring the - specified values. As a consequence, ReaR failed during mounting the filesystem with specific XFS - options. With this update, ReaR correctly restores the file system with the specified settings. -

-
-

- Bugzilla:2160748 -

-
-

wsmancli handles HTTP 401 Unauthorized - statuses correctly

-

- The wsmancli utility for managing systems using Web Services - Management protocol now handles authentication to better conform to RFC 2616. -

-
-

- Previously, when connecting to a service that requires authentication, the wsmancli command returned the error message Authentication failed, please retry immediately after receiving an HTTP - 401 Unauthorized response, for example, because of incomplete credentials. To proceed, wsmancli prompted you to provide both the username and the password, even - in situations where you had already provided a part of your credentials. -

-

- With this update, wsmancli requires only credentials that were not - previously provided. As a result, the first authentication attempt does not display any error - message. An error message is displayed only after you provide the complete credentials and - authentication fails. -

-

- Bugzilla:2127416 -

-
-
-
-
-
-

8.5. Security

-
-
-
-
-

USBGuard saves rules even if RuleFile is not defined

-

- Previously, if the RuleFolder configuration directive in USBGuard - was set but RuleFile was not, the rule set could not be changed. - With this update, you can now change the rule set even if RuleFolder is set but RuleFile is not. - As a result, you can modify the permanent policy in USBGuard to permanently save newly added - rules. -

-
-

- Bugzilla:2155910 -

-
-

python-sqlalchemy rebased to 1.4.45 -

-

- The python-sqlalchemy package has been rebased to version 1.4.45, - which provides many bug fixes over version 1.4.37. Most notably, this version contains a fix for - a critical memory bug in the cache key generation. -

-
-

- Bugzilla:2152649 -

-
-

crypto-policies now disable NSEC3DSA for - BIND

-

- Previously, the system-wide cryptographic policies did not control the NSEC3DSA algorithm in the - BIND configuration. Consequently, NSEC3DSA, which does not meet current security requirements, - was not disabled on DNS servers. With this update, all cryptographic policies disable NSEC3DSA - in the BIND configuration by default. -

-
-

- Bugzilla:2152635 -

-
-

OpenSSL in SECLEVEL=3 now works with PSK - cipher suites

-

- Previously, pre-shared key (PSK) cipher suites were not recognized as performing perfect forward - secrecy (PFS) key exchange methods. As a consequence, the ECDHE-PSK - and DHE-PSK cipher suites did not work with OpenSSL configured to - SECLEVEL=3, for example, when the system-wide cryptographic policy - was set to FUTURE. The new version of the openssl package fixes this problem. -

-
-

- Bugzilla:2060044 -

-
-

Clevis now correctly skips commented-out devices in crypttab

-

- Previously, Clevis tried to unlock commented-out devices in the crypttab file, causing the clevis-luks-askpass service to run even if the device was not valid. - This caused unnecessary service runs and made it difficult to troubleshoot. -

-
-

- With this fix, Clevis ignores commented-out devices. Now, if an invalid device is commented out, - Clevis does not attempt to unlock it, and clevis-luks-askpass finishes - appropriately. This makes it easier to troubleshoot and reduces unnecessary service runs. -

-

- Bugzilla:2159728 -

-
-

Clevis no longer requests too much entropy from pwmake

-

- Previously, the pwmake password generation utility displayed - unwanted warnings when Clevis used pwmake to create passwords for - storing data in LUKS metadata, which caused Clevis to use lower - entropy. With this update, Clevis is limited to 256 entropy bits provided to pwmake, which eliminates an unwanted warning and uses the correct - amount of entropy. -

-
-

- Bugzilla:2159735 -

-
-

USBGuard no longer causes a confusing warning

-

- Previously, a race condition could happen in USBGuard when a parent process finished sooner than - the first child process. As a consequence, systemd reported that a - process was present with a wrongly identified parent PID (PPID). With this update, a parent - process waits for the first child process to finish in working mode. As a result, systemd no longer reports such warnings. -

-
-

- Bugzilla:2042345 -

-
-

OOM killer no longer terminates usbguard - prematurely

-

- Previously, the usbguard.service file did not contain a definition - of the OOMScoreAdjust option for the systemd service. Consequently, when the system was low on resources, - the usbguard-daemon process could be terminated before other - unprivileged processes. With this update, usbguard.service file now - includes OOMScoreAdjust setting, which prevents the Out-of-Memory - (OOM) killer terminate the usbguard-daemon process prematurely. -

-
-

- Bugzilla:2097419 -

-
-

logrotate no longer incorrectly signals - Rsyslog in log rotation

-

- Previously, the argument order was incorrectly set in the logrotate - script, which caused a syntax error. This resulted in logrotate not - correctly signaling Rsyslog during log rotation. -

-
-

- With this update, the order of the arguments in logrotate is fixed and - logrotate signals Rsyslog correctly after log rotation even when the - POSIXLY_CORRECT environment variable is set. -

-

- Bugzilla:2124488 -

-
-

imklog no longer calls free() on missing objects

-

- Previously, the imklog module called a free() function on an already freed object. Consequently, imklog could cause a segmentation fault. With this update, the object - is no longer freed twice. -

-
-

- Bugzilla:2157659 -

-
-

fagenrules --load now works correctly -

-

- Previously, the fapolicyd service did not correctly handle the - signal hang up (SIGHUP). Consequently, fapolicyd terminated after - receiving SIGHUP, and the fagenrules --load command did not work - correctly. This update contains a fix for the problem. As a result, fagenrules --load now works correctly, and rule updates no longer - require manual restarts of fapolicyd. -

-
-

- Bugzilla:2070655 -

-
-

Scans and remediations correctly ignore SCAP Audit rules Audit key -

-

- Previously, Audit watch rules that were defined without an Audit key (-k or -F key) encountered the following - problems: -

-
-
-
    -
  • - The rules were marked as non-compliant even if other parts of the rule were correct. -
  • -
  • - Bash remediation fixed the path and permissions of the watch rule, but it did not add the - Audit key correctly. -
  • -
  • - Remediation sometimes did not fix the missing key, returning an error instead of a fixed value. -
  • -
-
-

- This affected the following rules: -

-
-
    -
  • - audit_rules_login_events -
  • -
  • - audit_rules_login_events_faillock -
  • -
  • - audit_rules_login_events_lastlog -
  • -
  • - audit_rules_login_events_tallylog -
  • -
  • - audit_rules_usergroup_modification -
  • -
  • - audit_rules_usergroup_modification_group -
  • -
  • - audit_rules_usergroup_modification_gshadow -
  • -
  • - audit_rules_usergroup_modification_opasswd -
  • -
  • - audit_rules_usergroup_modification_passwd -
  • -
  • - audit_rules_usergroup_modification_shadow -
  • -
  • - audit_rules_time_watch_localtime -
  • -
  • - audit_rules_mac_modification -
  • -
  • - audit_rules_networkconfig_modification -
  • -
  • - audit_rules_sysadmin_actions -
  • -
  • - audit_rules_session_events -
  • -
  • - audit_rules_sudoers -
  • -
  • - audit_rules_sudoers_d -
  • -
-
-

- With this update, the Audit key has been removed from checks and from Bash and Ansible remediations. - As a result, inconsistencies caused by the key field during checking and remediating no longer - occur, and auditors can choose these keys arbitrarily to make searching Audit logs easier. -

-

- Bugzilla:2120978 -

-
-

Keylime no longer fails attestation of systems that access multiple - IMA-measured files

-

- Previously, if a system that runs the Keylime agent accessed multiple files measured by the - Integrity Measurement Architecture (IMA) in quick succession, the Keylime verifier incorrectly - processed the IMA log additions. As a consequence, the running hash did not match the correct - Platform Configuration Register (PCR) state, and the system failed attestation. This update - fixes the problem and systems that quickly access multiple measured files no longer fail - attestation. -

-
-

- Bugzilla:2138167 -

-
-

Keylime policy generation script no longer causes a segmentation fault and - core dump

-

- The create_mb_refstate script generates policies for measured boot - attestation in Keylime. Previously, create_mb_refstate incorrectly - calculated the data length in the DevicePath field. As a - consequence, the script tried to access invalid memory using the incorrectly calculated length, - which resulted in a segmentation fault and core dump. -

-
-

- This update, which has been published in the advisory RHBA-2023:0309, prevents the - segmentation fault when processing the measured boot event log. As a consequence, you can generate a - measured boot policy. -

-

- Bugzilla:2140670 -

-
-

TPM certificates no longer cause Keylime registrar to crash

-

- Previously, some certificates in the Keylime TPM certificate store were malformed x509 - certificates and caused the Keylime registrar to crash. This update fixes the problem, and - Keylime registrar no longer crashes due to malformed ceritficates. -

-
-

- Bugzilla:2142009 -

-
-
-
-
-
-

8.6. Networking

-
-
-
-
-

NetworkManager now preserves IP addresses during reapply before acquiring a - new DHCP lease

-

- Previously, after changing the connection settings and then using nmcli device reapply command, NetworkManager did not preserve the - DHCP lease. Consequently, the IP address got removed temporarily. With this fix, NetworkManager - preserves the DHCP lease and uses it until the lease expires or the client requests a new one. - As a result, when the nmcli device reapply command restarts DHCP - client, it does not temporarily remove the IP address. -

-
-

- Bugzilla:2117352 -

-
-

The firewalld service now triggers the ipset deprecation warning only when using direct rules -

-

- Previously, the firewalld service used the deprecated ipset kernel module when it was not necessary. Consequently, RHEL - logged the module’s deprecation warning which could be misleading because the ipset feature of firewalld is not - deprecated. With this update, firewalld only uses the deprecated - ipset module and logs the warning if the user explicitly uses ipsets with the --direct option. -

-
-

- Bugzilla:2122678 -

-
-

The HNV interface now displays the options - after reboot

-

- Previously, the nmcli utility created a Hybrid Network - Virtualization (HNV) bond by using NetworkManager API. Consequently, after a reboot, the HNV - bond lost the primary port setting. With this fix, nmcli now uses - hcnmgr to set bonding options for the primary port. The hcnmgr utility supports migration of live partitions with Single Root - Input/Output Virtualization (SR-IOV) for hybrid networks. As a result, the HNV bond interface - displays the active slave/primary_reselect option after reboot. -

-
-

- Bugzilla:2125152 -

-
-
-
-
-
-

8.7. Kernel

-
-
-
-
-

FADump enabled with Secure Boot works correctly

-

- Previously, when Firmware Assisted Dump (FADump) was enabled in the Secure Boot environment and - any of the booting components exceeded the allocated memory region, system reboots caused a GRUB - Out of Memory (OOM) state. This update provides a fix in kexec-tools so that Secure Boot and FADump work together correctly. -

-
-

- Bugzilla:2139000 -

-
-
-
-
-
-

8.8. Boot loader

-
-
-
-
-

grubby now passes arguments to a new kernel - correctly

-

- When you add a new kernel using the grubby tool and do not specify - any arguments, or leave the arguments blank, grubby will not pass - any arguments to the new kernel and root will not be set. Using the - --args and --copy-default options - ensures new arguments are appended to the default arguments. -

-
-

- Bugzilla:2127453 -

-
-

RHEL installation now succeeds even when PReP is not 4 or 8 MiB in - size

-

- Previously, the RHEL installer could not install the boot loader if the PowerPC Reference - Platform (PReP) partition was of a different size than 4 MiB or 8 MiB on a disk that used 4 kiB - sectors. As a consequence, you could not install RHEL on the disk. -

-
-

- With this release, the problem has been fixed. As a result, the installer can now install RHEL on - the disk as expected. -

-

- Bugzilla:2026579 -

-
-
-
-
-
-

8.9. File systems and storage

-
-
-
-
-

Installer creating LUKSv2 devices with sector size of 512 bytes -

-

- Previously, the RHEL installer created LUKSv2 devices with 4096 bytes sectors if the disk had - 4096 bytes physical sectors. With this update, installer now creates LUKSv2 devices with sector - size of 512 bytes to offer better disk compatibility with different physical sector sizes used - together in one LVM volume group even when the LVM physical volumes are encrypted. -

-
-

- Bugzilla:2103800 -

-
-

supported_speeds sysfs attribute reports - correct speed values

-

- Previously, because of an incorrect definition in the qla2xxx - driver, the supported_speeds sysfs attribute for the HBA reported - 20 Gb/s speed instead of the expected 64 Gb/s speed. Consequently, if the HBA supported 64 Gb/s - link speed, the supported_speeds sysfs value was incorrect, which - affected the reported speed value. -

-
-

- With this update, the supported_speeds sysfs attribute for HBA reports - the correct speed values, which are 16 Gb/s, 32 Gb/s, and 64 Gb/s. You can view the speed values by - executing the cat /sys/class/fc_host/host*/supported_speeds command. -

-

- Bugzilla:2069758 -

-
-

The lpfc driver is in a valid state during the - D_ID port swap

-

- Previously, the SAN Boot host, after issuing the NetApp giveback operation, resulted in LVM hung - task warnings and stalled I/O. This problem occurred even when alternate paths were available in - a DM-Multipath environment due to the fiber channel D_ID port swap. - As a consequence of the race condition, the D_ID port swap resulted - in an inconsistent state in the lpfc driver, which prevented I/O - from being issued. -

-
-

- With this fix, the lpfc driver now ensures a valid state when the D_ID port swap occurs. As a result, a fiber channel D_ID port swap does not cause hung I/O. -

-

- Bugzilla:2173947 -

-
-
-
-
-
-

8.10. High availability and clusters

-
-
-
-
-

pcs no longer allows you to modify cluster - properties that should not be changed

-

- Previously, the pcs command line interface allowed you to modify - cluster properties that should not be changed or for which change does not take effect. With - this fix, pcs no longer allows you to modify these cluster - properties: cluster-infrastructure, cluster-name, dc-version, have-watchdog, and last-lrm-refresh. -

-
-

- Bugzilla:1620043 -

-
-

pcs now displays cluster properties that are - not explicitly configured

-

- Previously, a pcs command to display the value of a specific - cluster property did not list values that are not explicitly configured in the CIB. With this - fix, if a cluster property is not set pcs displays the default - value for the property. -

-
-

- Bugzilla:1796827 -

-
-

Cluster resources that call crm_mon now stop - cleanly at shutdown

-

- Previously, the crm_mon utility returned a nonzero exit status - while Pacemaker was in the process of shutting down. Resource agents that called crm_mon in their monitor action, such as ocf:heartbeat:pqsql, could incorrectly return a failure at cluster - shutdown. With this fix, crm_mon returns success even if the - cluster is in the process of shutting down. Resources that call crm_mon now stop cleanly at cluster shutdown. -

-
-

- Bugzilla:2133546 -

-
-

OCF resource agent metadata actions can now call crm_node without causing unexpected fencing

-

- As of RHEL 8.5, OCF resource agent metadata actions blocked the controller and crm_node queries performed controller requests. As a result, if an - agent’s metadata action called crm_node, it blocked the controller - for 30 seconds until the action timed out. This could cause other actions to fail and the node - to be fenced. -

-
-

- With this fix, the controller now performs metadata actions asynchronously. An OCF resource agent - metadata action can now call crm_node without issue. -

-

- Bugzilla:2125344 -

-
-

Pacemaker now rechecks resource assignments immediately when resource order - changes

-

- As of RHEL 8.7, Pacemaker did not recheck resource assignments when the order of resources in - the CIB changed with no changes to the resource definition. If configuration reordering would - cause resources to move, that would not take place until the next natural transition, up to the - value of cluster-recheck-interval-property. This could cause issues - if resource stickiness is not configured for a resource. -

-
-

- With this change, Pacemaker rechecks resource assignments when the order of the resources in the CIB - changes, as it did for earlier Pacemaker releases. The cluster now responds immediately to these - changes, if needed. -

-

- Bugzilla:2125337 -

-
-

Enabling a single resource and monitoring operation no longer enables - monitoring operations for all resources in a resource group

-

- Previously, after unmanaging all resources and monitoring operations in a resource group, - managing one of the resources in that group along with its monitoring operation re-enabled the - monitoring operations for all resources in the resource group. This could trigger unexpected - cluster behavior. -

-
-

- With this fix, managing a resource and re-enabling its monitoring operation re-enables the - monitoring operation for that resource only and not for the other resources in a resource group. -

-

- Bugzilla:2092950 -

-
-
-
-
-
-

8.11. Compilers and development tools

-
-
-
-
-

DNS lookup can now succeed even when some CNAME records are - invalid

-

- Previously, the glibc DNS stub resolver treated CNAME records with - owner names that are not host names as DNS packet errors. Consequently, the DNS query failed - because of the DNS packet errors. With this update, the glibc stub - resolver now skips invalid CNAME records and the corresponding alias information is not - extracted. Therefore, DNS lookups can now succeed even if the server response includes a CNAME - chain that contains a domain name that is not a host name. -

-
-

- Bugzilla:2129005 -

-
-

golang now supports 4096 bit keys in x509 FIPS - mode

-

- Previously, golang did not support the 4096 bit keys in x509 FIPS - mode. Consequently, when the user used 4096 bit keys the program crashed. With this update, - golang now supports 4096 bit keys in x509 FIPS mode. -

-
-

- Bugzilla:2133019 -

-
-

You can install SciPy using pip on all - architectures

-

- Previously, the openblas-devel package did not contain a pkg-config - file for the OpenBLAS library. As a consequence, in certain scenarios, it was impossible to - determine the compiler and linker flags using the pkgconf utility - while compiling with OpenBLAS. For example, this caused a failure of the pip install scipy command on the 64-bit IBM Z and IBM Power Systems, - Little Endian architectures. -

-
-

- This update adds the openblas.pc file to the openblas-devel package on all supported architectures. As a result, you - can install the SciPy library using the pip package installer. -

-

- Note that in RHEL 9, it is recommended to build your applications against the flexiblas-devel package and link your projects to the FlexiBLAS wrapper - library. -

-

- Bugzilla:2115737 -

-
-

The tzset function in glibc now sets the daylight variable to a non-zero value if there - is any DST rule in the TZ data

-

- Previously, the tzset function in glibc would set the daylight variable to 0 if the last DST transition - in the time zone data file did not result in a clock change due to a simultaneous change in the - standard time offset. Consequently, when applications use the daylight variable to check if DST - was ever active, they do not get the right result and perform incorrect actions based on this - information. To fix this, the tzset function now sets the daylight - variable to a non-zero value if there is any DST rule in the time zone data, regardless of - offset. As a result, applications now observe the presence of DST rules regardless of offset - changes. -

-
-

- Bugzilla:2155352 -

-
-

OpenJDK RSAPSSSignature implementation now validates RSA keys before using - them

-

- Previously, the RSAPSSSignature implementation in OpenJDK did not fully check if given RSA keys - could be used by the SunRSASign provider before attempting to use them, which would result in - errors when using custom security providers. The bug is now fixed and, as a result, the - RSAPSSSignature implementation now validates RSA keys and allows other providers to handle these - keys when it cannot. -

-
-

- Bugzilla:2188023 -

-
-

The OpenJDK XML signature provider is now functional in FIPS mode -

-

- Previously, the OpenJDK XML signature provider was unable to operate in FIPS mode. As a result - of enhancements to FIPS mode support the OpenJDK XML signature provider is now enabled in FIPS - mode. -

-
-

- Bugzilla:2186810 -

-
-

OpenJDK in FIPS mode no longer experiences unexpected errors with certain - PKCS#11 tokens

-

- Previously, some PKCS#11 tokens were not fully initialized before use by OpenJDK in FIPS mode - resulting in unexpected errors. With this upgrade, these errors are now expected and handled by - the FIPS support code. -

-
-

- Bugzilla:2186806 -

-
-
-
-
-
-

8.12. Identity Management

-
-
-
-
-

Authentication to external IdPs that require a client secret is now - possible

-

- Previously, SSSD did not properly pass client secrets to external identity providers (IdPs). - Consequently, authentication failed against external IdPs that you previously configured with - the ipa idp-add --secret command to require a client secret. With - this update, SSSD passes the client secret to the IdP and users can authenticate. -

-
-

- Jira:RHELPLAN-148303 -

-
-

IdM now supports setting hostmasks for sudo - rules using Ansible

-

- Previously, the ipa sudorule-add-host command allowed setting a - hostmask to be used by the sudo rule, but this option was not - present in the ansible-freeipa package. With this update, you can - now use the ansible-freeipa hostmask - variable to define a list of hostmasks to which a particular sudo - rule, defined in Identity Management (IdM), applies. -

-
-

- As a result, you can now automate setting host masks for IdM sudo rules - with Ansible. -

-

- Bugzilla:2127913 -

-
-

The dscreate utility now works correctly when - it uses a custom path with the db_dir parameter

-

- Previously, an instance that used custom directory paths failed to start because the custom - directories had a wrong SELinux label. As a consequence, SELinux denied access to these - directories and the instance was not created. With this release, dscreate utility sets correct SELinux labels for the custom instance - directories. -

-
-

- Bugzilla:1924569 -

-
-

A password change for the Directory Server replication manager account now - works correctly

-

- Previously, after a password change, Directory Server did not properly update the password cache - for the replication agreement. As a consequence, when you changed the password for the - replication manager account, the replication failed. With this update, Directory Server updates - the cache properly and, as a result, the replication works as expected. -

-
-

- Bugzilla:1956987 -

-
-

The IdM client installer no longer specifies the TLS CA configuration in - the ldap.conf file

-

- Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default trust - store and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file. -

-
-

- Bugzilla:2094673 -

-
-

IdM clients correctly retrieve information for trusted AD users when their - names contain mixed case characters

-

- Previously, if you attempted a user lookup or authentication of a user, and that trusted Active - Directory (AD) user contained mixed case characters in their names and they were configured with - overrides in IdM, an error was returned preventing users from accessing IdM resources. -

-
-

- With the release of RHBA-2023:4359, a case-sensitive - comparison is replaced with a case-insensitive comparison that ignores the case of a character. As a - result, IdM clients can now lookup users of an AD trusted domain, even if their usernames contain - mixed case characters and they are configured with overrides in IdM. -

-

- Jira:SSSD-6096 -

-
-
-
-
-
-

8.13. Graphics infrastructures

-
-
-
-
-

Matrox G200e now shows output on a VGA display

-

- Previously, your display might have shown no graphical output if you used the following system - configuration: -

-
-
-
    -
  • - The Matrox G200e GPU -
  • -
  • - A display connected over the VGA controller -
  • -
-
-

- As a consequence, you could not use or install RHEL on this configuration. -

-

- With this release, the problem has been fixed. As a result, RHEL boots and shows graphical output as - expected. -

-

- Bugzilla:1960467 -

-
-
-
-
-
-

8.14. The web console

-
-
-
-
-

The web console NBDE binding steps now work also on volume groups with a - root file system

-

- In RHEL 9.2.0, due to a bug in the code for determining whether or not the user was adding a - Tang key to the root file system, the binding process in the web console crashed when there was - no file system on the LUKS container at all. Because the web console displayed the error message - TypeError: Qe(…​) is undefined after you had clicked the Trust key button in the Verify key - dialog, you had to perform all the required steps in the command-line interface in the described - scenario. -

-
-

- With the release of the RHBA-2023:4346 advisory, the web - console correctly handles additions of Tang keys to root file systems. As a result, the web console - finishes all binding steps required for the automated unlocking of LUKS-encrypted volumes using - Network-Bound Disk Encryption (NBDE) in various scenarios. -

-

- Bugzilla:2207498 -

-
-
-
-
-
-

8.15. Red Hat Enterprise Linux system roles

-
-
-
-
-

The nbde_client system role now correctly - handles different names of clevis-luks-askpass

-

- The nbde_client system role has been updated to handle the systems - on which the clevis-luks-askpass systemd unit has a different name. The role now correctly works with - different names of clevis-luks-askpass on managed nodes, which - requires unlocking also LUKS-encrypted volumes that mount late in the boot process. -

-
-

- Bugzilla:2126959 -

-
-

The ha_cluster system role logs no longer - display unencrypted passwords and secrets

-

- The ha_cluster system role accepts parameters that can be passwords - or other secrets. Previously, some of the tasks would log their inputs and outputs. As a result, - the role logs could contain unencrypted passwords and other secrets. -

-
-

- With this update, the tasks have been changed to use the Ansible no_log: true directive and the task output is no longer displayed in the - role logs. The ha_cluster system role logs no longer contain passwords - and other secrets. While this update protects secure information, the role logs now provide less - information that you can use when debugging your configuration. -

-

- Bugzilla:2143816 -

-
-

Clusters configured with ha_cluster system - role to use SBD and not start on boot now work correctly

-

- Previously, if a user configured a cluster using the ha_cluster - system role to use SBD and not start on boot, then the SBD service was disabled and SBD did not - start. With this fix, the SBD service is always enabled if a cluster is set to use SBD whether - or not the cluster is configured to start on boot. -

-
-

- Bugzilla:2153030 -

-
-

Enabling implicit files provider to fix cockpit-session-recording SSSD configuration

-

- A disabled SSSD implicit files provider caused the cockpit-session-recording modules to create an invalid System - Security Services Daemon (SSSD) configuration. This update unconditionally enables the files - provider and as a result, the SSSD configuration created by cockpit-session-recording now works as expected. -

-
-

- Bugzilla:2153043 -

-
-

The nbde_client_clevis role no longer reports - traceback to users

-

- Previously, the nbde_client_clevis role sometimes failed in - exception, causing a traceback and reporting sensitive data, such as the encryption_password field, back to the user. With this update, the - role no longer reports sensitive data, only the appropriate error messages. -

-
-

- Bugzilla:2162782 -

-
-

Setting stonith-watchdog-timeout property with - the ha_cluster system role now works in a stopped - cluster

-

- Previously, when you set the stonith-watchdog-timeout property with - the ha_cluster system role in a stopped cluster, the property - reverted to its previous value and the role failed. With this fix, configuring the stonith-watchdog-timeout property by using the ha_cluster system role works properly. -

-
-

- Bugzilla:2167528 -

-
-

Network traffic is now directed through the intended network interface when - using initscripts with the networking RHEL system role

-

- Previously, when using the initscripts provider, the routing - configuration for network connections did not specify the output device that the traffic should - go through. Consequently, the kernel could use a different output device than the user intended. - Now, if the network interface name is specified in the playbook for the connection, it is used - as the output device in the route configuration file. This aligns the behavior with - NetworkManager, which configures the output device in routes when activating profiles on - devices. As a result, the users can ensure that the traffic is directed through the intended - network interface. -

-
-

- Bugzilla:2168735 -

-
-

The selinux role now manages policy modules - idempotently

-

- Previously, the selinux role copied an existing module to the - managed node every time, reporting a change even when the module was already present. With this - update, the selinux role checks if the module has been installed on - the managed node, and does not attempt to copy and install the module if it is already - installed. -

-
-

- Bugzilla:2160152 -

-
-

The rhc system role no longer fails on the - registered systems when rhc_auth contains activation - keys

-

- Previously, a failure occurred when you executed playbook files on the registered systems with - the activation key specified in the rhc_auth parameter. This issue - has been resolved. It is now possible to execute playbook files on the already registered - systems, even when activation keys are provided in the rhc_auth - parameter. -

-
-

- Bugzilla:2186218 -

-
-
-
-
-
-

8.16. Virtualization

-
-
-
-
-

System time on nested VMs now works reliably

-

- Previously, system time on nested virtual machines (VMs) in some cases desynchronised from the - Level 0 and level 1 hosts. This also sometimes caused the nested VM to become unresponsive or - terminate unexpectedly. -

-
-

- With this update, the time handling code in the KVM host kernel code has been fixed, which prevents - the described errors from occurring. -

-

- Bugzilla:2140899 -

-
-

VMs on IBM Z no longer fail to start when using memfd memory backing

-

- Previously, on IBM Z hosts, virtual machines (VMs) failed to boot if they were configured to use - the memfd type of hugepage memory backing, for example as follows: -

-
-
<memoryBacking>
-  <hugepages/>
-  <source type='memfd'/>
-</memoryBacking>
-

- With this update, the underlying cause has been fixed, and the affected VMs now start correctly. -

-

- Bugzilla:2116496 -

-
-

VNC can now reliably connect to UEFI VMs after migration

-

- Previously, if you enabled or disabled a message queue while migrating a virtual machine (VM), - the Virtual Network Computing (VNC) client failed to connect to the VM after the migration was - complete. -

-
-

- This problem affected only UEFI-based VMs that used the Open Virtual Machine Firmware (OVMF). -

-

- The problem has been fixed, and the VNC client now reliably connects to UEFI VMs after the migration - is complete. -

-

- Jira:RHELPLAN-135600 -

-
-

The installer shows the expected system disk to install RHEL on VM -

-

- Previously, when installing RHEL on a VM using virtio-scsi devices, - it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if - some devices had a serial set and some did not, the multipath - command was claiming all the devices that had a serial. Due to this, the installer was unable to - find the expected system disk to install RHEL in the VM. -

-
-

- With this update, multipath correctly sets the devices with no serial - as having no World Wide Identifier (WWID) and ignores them. On installation, multipath only claims devices that multipathd uses to bind a multipath device, and the installer shows the - expected system disk to install RHEL in the VM. -

-

- Bugzilla:1926147 -

-
-
-
-
-
-
-

Chapter 9. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 9. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

9.1. Installer and image creation

-
-
-
-
-

NVMe over Fibre Channel devices are now available in RHEL installer as a - Technology Preview

-

- You can now add NVMe over Fibre Channel devices to your RHEL installation as a Technology - Preview. In RHEL Installer, you can select these devices under the NVMe Fabrics Devices section - while adding disks on the Installation Destination screen. -

-
-

- Bugzilla:2107346 -

-
-
-
-
-
-

9.2. Shells and command-line tools

-
-
-
-
-

GIMP available as a Technology Preview in RHEL 9

-

- GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. - The gimp package version 2.99.8 is a pre-release version with a set - of improvements, but a limited set of features and no guarantee for stability. As soon as the - official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release - version. -

-
-

- In RHEL 9, you can install gimp easily as an RPM package. -

-

- Bugzilla:2047161 -

-
-
-
-
-
-

9.3. Infrastructure services

-
-
-
-
-

Socket API for TuneD available as a Technology Preview

-

- The socket API for controlling TuneD through Unix domain socket is now available as a Technology - Preview. The socket API maps one-to-one with the D-Bus API and provides an alternative - communication method for cases where D-Bus is not available. By using the socket API, you can - control the TuneD daemon to optimize the performance, and change the values of various tuning - parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file. -

-
-

- Bugzilla:2113900 -

-
-
-
-
-
-

9.4. Security

-
-
-
-
-

gnutls now uses KTLS as a Technology - Preview

-

- The updated gnutls packages can use Kernel TLS (KTLS) for - accelerating data transfer on encrypted channels as a Technology Preview. To enable KTLS, add - the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide - cryptographic policies with the following content: -

-
-
[global]
-ktls = true
-

- Note that the current version does not support updating traffic keys through TLS KeyUpdate messages, which impacts the security of AES-GCM ciphersuites. - See the RFC 7841 - - TLS 1.3 document for more information. -

-

- Bugzilla:2042009 -

-
-
-
-
-
-

9.5. Networking

-
-
-
-
-

WireGuard VPN is available as a Technology Preview

-

- WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance - VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to - configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the - surface for attacks and, therefore, improves the security. -

-
-

- For further details, see Setting - up a WireGuard VPN. -

-

- Bugzilla:1613522 -

-
-

KTLS available as a Technology Preview

-

- RHEL provides Kernel Transport Layer Security (KTLS) as a Technology Preview. KTLS handles TLS - records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM - cipher. KTLS also includes the interface for offloading TLS record encryption to Network - Interface Controllers (NICs) that provides this functionality. -

-
-

- Bugzilla:1570255 -

-
-

The systemd-resolved service is available as a - Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, a Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that systemd-resolved is an unsupported Technology Preview. -

-

- Bugzilla:2020529 -

-
-
-
-
-
-

9.6. Kernel

-
-
-
-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially provides the SGX v1 and v1.5 functionality. The version 1 enables platforms - using the Flexible Launch Control mechanism - to use the SGX technology. -

-
-

- Bugzilla:1874182 -

-
-

The Intel data streaming accelerator driver for kernel is available as a - Technology Preview

-

- The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a - Technology Preview. It is an Intel CPU integrated accelerator and includes the shared work queue - with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- Bugzilla:2030412 -

-
-

The Soft-iWARP driver is available as a Technology Preview

-

- Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for - Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This - protocol suite is fully implemented in software and does not require a specific Remote Direct - Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to - connect to an iWARP adapter or to another system with already installed Soft-iWARP. -

-
-

- Bugzilla:2023416 -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using - the Flexible Launch Control mechanism to use - the SGX technology. Version 2 adds Enclave Dynamic Memory - Management (EDMM). Notable features include: -

-
-
-
    -
  • - Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave. -
  • -
  • - Dynamic addition of regular enclave pages to an initialized enclave. -
  • -
  • - Expanding an initialized enclave to accommodate more threads. -
  • -
  • - Removing regular and TCS pages from an initialized enclave. -
  • -
-
-

- Bugzilla:1660337 -

-
-

rvu_af, rvu_nicpf, and rvu_nicvf available - as Technology Preview

-

- The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 - Infrastructure Processor family: -

-
-
-
    -
  • - rvu_nicpf - Marvell OcteonTX2 NIC Physical Function driver -
  • -
  • - rvu_nicvf - Marvell OcteonTX2 NIC Virtual Function driver -
  • -
  • - rvu_nicvf - Marvell OcteonTX2 RVU Admin Function driver -
  • -
-
-

- Bugzilla:2040643 -

-
-
-
-
-
-

9.7. File systems and storage

-
-
-
-
-

DAX is now available for ext4 and XFS as a Technology Preview

-

- In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an - application to directly map persistent memory into its address space. To use DAX, a system must - have some form of persistent memory available, usually in the form of one or more Non-Volatile - Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the - NVDIMM(s). Also, the file system must be mounted with the dax mount - option. Then, an mmap of a file on the dax-mounted file system - results in a direct mapping of storage into the application’s address space. -

-
-

- Bugzilla:1995338 -

-
-

Stratis is available as a Technology Preview

-

- Stratis is a local storage manager. It provides managed file systems on top of pools of storage - with additional features to the user: -

-
-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- Stratis is provided as a Technology Preview. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- Bugzilla:2041558 -

-
-

NVMe-oF Discovery Service features available as a Technology - Preview

-

- The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) - 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device - that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM - Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ - website. -

-
-

- Bugzilla:2021672 -

-
-

nvme-stas package available as a Technology - Preview

-

- The nvme-stas package, which is a Central Discovery Controller - (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event - Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, - and Automatic (zeroconf) and Manual configuration. -

-
-

- This package consists of two daemons, Storage Appliance Finder (stafd) - and Storage Appliance Connector (stacd). -

-

- Bugzilla:1893841 -

-
-

NVMe TP 8006 in-band authentication available as a Technology - Preview

-

- Implementing Non-Volatile Memory Express (NVMe) TP 8006, which is an in-band authentication for - NVMe over Fabrics (NVMe-oF) is now available as an unsupported Technology Preview. The NVMe - Technical Proposal 8006 defines the DH-HMAC-CHAP in-band - authentication protocol for NVMe-oF, which is provided with this enhancement. -

-
-

- For more information, see the dhchap-secret and dhchap-ctrl-secret option descriptions in the nvme-connect(1) man page. -

-

- Bugzilla:2027304 -

-
-
-
-
-
-

9.8. Compilers and development tools

-
-
-
-
-

jmc-core and owasp-java-encoder available as a Technology Preview

-

- RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the - AMD and Intel 64-bit architectures. -

-
-

- jmc-core is a library providing core APIs for Java Development Kit - (JDK) Mission Control, including libraries for parsing and writing JDK Flight Recording files, as - well as libraries for Java Virtual Machine (JVM) discovery through Java Discovery Protocol (JDP). -

-

- The owasp-java-encoder package provides a collection of - high-performance low-overhead contextual encoders for Java. -

-

- Note that since RHEL 9.2, jmc-core and owasp-java-encoder are available in the CodeReady Linux Builder (CRB) - repository, which you must explicitly enable. See How to enable and make use of content within - CodeReady Linux Builder for more information. -

-

- Bugzilla:1980981 -

-
-
-
-
-
-

9.9. Identity Management

-
-
-
-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

- -

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- Bugzilla:2084180 -

-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- Bugzilla:2084166 -

-
-

sssd-idp sub-package available as a Technology Preview

-

- The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which - are client-side components that perform OAuth2 authentication against Identity Management (IdM) - servers. This feature is available only with IdM servers on RHEL 9.1 and later. -

-
-

- Bugzilla:2065693 -

-
-

SSSD internal krb5 idp plugin available as a Technology Preview -

-

- The SSSD krb5 idp plugin allows you to authenticate against an - external identity provider (IdP) using the OAuth2 protocol. This feature is available only with - IdM servers on RHEL 9.1 and later. -

-
-

- Bugzilla:2056482 -

-
-

RHEL IdM allows delegating user authentication to external identity - providers as a Technology Preview

-

- In RHEL IdM, you can now associate users with external identity providers (IdP) that support the - OAuth 2 device authorization flow. When these users authenticate with the SSSD version available - in RHEL 9.1 or later, they receive RHEL IdM single sign-on capabilities with Kerberos tickets - after performing authentication and authorization at the external IdP. -

-
-

- Notable features include: -

-
-
    -
  • - Adding, modifying, and deleting references to external IdPs with ipa idp-* commands -
  • -
  • - Enabling IdP authentication for users with the ipa user-mod --user-auth-type=idp command -
  • -
-
-

- For additional information, see Using - external identity providers to authenticate to IdM. -

-

- Bugzilla:2069202 -

-
-

ACME supports automatically removing expired certificates as a Technology - Preview

-

- The Automated Certificate Management Environment (ACME) service in Identity Management (IdM) - adds an automatic mechanism to purge expired certificates from the certificate authority (CA) as - a Technology Preview. As a result, ACME can now automatically remove expired certificates at - specified intervals. Removing expired certificates is disabled by default. To enable it, enter: -

-
-

- With this enhancement, ACME can now automatically remove expired certificates at specified - intervals. -

-

- Removing expired certificates is disabled by default. To enable it, enter: -

-
# ipa-acme-manage pruning --enable --cron "0 0 1 * *"
-

- This removes expired certificates on the first day of every month at midnight. -

-
-
Note
-
-

- Expired certificates are removed after their retention period. By default, this is 30 days - after expiry. -

-
-
-

- For more details, see the ipa-acme-manage(1) man page. -

-

- Bugzilla:2162677 -

-
-
-
-
-
-

9.10. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology - Preview. -

-
-

- You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can - manage the server using graphical applications. -

-

- A limited set of graphical applications is available on 64-bit ARM. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- Jira:RHELPLAN-27394 -

-
-

GNOME for the IBM Z architecture available as a Technology Preview -

-

- The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview. -

-
-

- You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage - the server using graphical applications. -

-

- A limited set of graphical applications is available on IBM Z. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- Jira:RHELPLAN-27737 -

-
-
-
-
-
-

9.11. Graphics infrastructures

-
-
-
-
-

Intel Arc A-Series graphics available as a Technology Preview

-

- Intel Arc A-Series graphics, also known as Alchemist or DG2, are now available as a Technology - Preview. -

-
-

- To enable hardware acceleration with Intel Arc A-Series graphics, add the following option on the - kernel command line: -

-
i915.force_probe=pci-id
-

- In this option, replace pci-id - with either of the following: -

-
-
    -
  • - The PCI ID of your Intel GPU. -
  • -
  • - The * character to enable the i915 driver with all - alpha-quality hardware. -
  • -
-
-

- Bugzilla:2041690 -

-
-
-
-
-
-

9.12. The web console

-
-
-
-
-

Stratis available as a Technology Preview in the RHEL web console -

-

- With this update, the Red Hat Enterprise Linux web console provides the ability to manage - Stratis storage as a Technology Preview. -

-
-

- To learn more about Stratis, see What - is Stratis. -

-

- Jira:RHELPLAN-122345 -

-
-
-
-
-
-

9.13. Virtualization

-
-
-
-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or - RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs. -

-
-

- Jira:RHELDOCS-17040 -

-
-

Intel SGX available for VMs as a Technology Preview

-

- As a Technology Preview, the Intel Software Guard Extensions (SGX) can now be configured for - virtual machines (VMs) hosted on RHEL 9. SGX helps protect data integrity and confidentiality - for specific processes on Intel hardware. After you set up SGX on your host, the feature is - passed on to its VMs, so that the guest operating systems (OSs) can use it. -

-
-

- Note that for a guest OS to use SGX, you must first install SGX drivers for that specific OS. In - addition, SGX on your host cannot memory-encrypt VMs. -

-

- Jira:RHELPLAN-69761 -

-
-

AMD SEV and SEV-ES for KVM virtual machines

-

- As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts the VM’s memory to protect the VM from access by the host. This increases the security - of the VM. -

-
-

- In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology - Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host - from modifying the VM’s CPU registers or reading any information from them. -

-

- Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. - Also note that RHEL 9 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security - attestation. -

-

- Jira:RHELPLAN-65217 -

-
-

Virtualization is now available on ARM 64

-

- As a Technology Preview, it is now possible to create KVM virtual machines on systems using ARM - 64 CPUs. -

-
-

- Jira:RHELPLAN-103993 -

-
-

virtio-mem is now available on AMD64, Intel - 64, and ARM 64

-

- As a Technology Preview, RHEL 9 introduces the virtio-mem feature - on AMD64, Intel 64, and ARM 64 systems. Using virtio-mem makes it - possible to dynamically add or remove host memory in virtual machines (VMs). -

-
-

- To use virtio-mem, define virtio-mem - memory devices in the XML configuration of a VM and use the virsh update-memory-device command to request memory device size changes - while the VM is running. To see the current memory size exposed by such memory devices to a running - VM, view the XML configuration of the VM. -

-

- Bugzilla:2014487, Bugzilla:2044172, Bugzilla:2044162 -

-
-

Intel TDX in RHEL guests

-

- As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL - 9.2 guest operating systems. If the host system supports TDX, you can deploy hardware-isolated - RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that TDX currently - does not work with kdump, and enabling TDX will cause kdump to fail on the VM. -

-
-

- Bugzilla:1955275 -

-
-

A unified kernel image of RHEL is now available as a Technology - Preview

-

- As a Technology Preview, you can now obtain the RHEL kernel as a unified kernel image (UKI) for - virtual machines (VMs). A unified kernel image combines the kernel, initramfs, and kernel - command line into a single signed binary file. -

-
-

- UKIs can be used in virtualized and cloud environments, especially in confidential VMs where strong - SecureBoot capabilities are required. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories. -

-

- Currently, the RHEL UKI can only be used in a UEFI boot configuration. -

-

- Bugzilla:2142102 -

-
-

Intel vGPU available as a Technology Preview

-

- As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that this feature is deprecated and will be removed entirely in a future RHEL release. -

-

- Jira:RHELDOCS-17050 -

-
-
-
-
-
-

9.14. RHEL in cloud environments

-
-
-
-
-

RHEL is now available on Azure confidential VMs as a Technology - Preview

-

- With the updated RHEL kernel, you can now create and run RHEL confidential virtual machines - (VMs) on Microsoft Azure as a Technology Preview. The newly added unified kernel image (UKI) now - enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories. -

-
-

- Currently, the RHEL UKI can only be used in a UEFI boot configuration. -

-

- Jira:RHELPLAN-139800 -

-
-
-
-
-
-

9.15. Containers

-
-
-
-
-

Quadlet in Podman is now available as a Technology Preview

-

- Beginning with Podman v4.4, you can use Quadlet to automatically generate a systemd service file from the container description as a Technology - Preview. The container description is in the systemd unit file - format. The description focuses on the relevant container details and hides the technical - complexity of running containers under systemd. The Quadlets are - easier to write and maintain than the systemd unit files. -

-
-

- For more details, see the upstream - documentation and Make - systemd better for Podman with Quadlet. -

-

- Jira:RHELPLAN-148394 -

-
-

Clients for sigstore signatures with Fulcio and Rekor are now available as - a Technology Preview

-

- With Fulcio and Rekor servers, you can now create signatures by using short-term certificates - based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private - key. Clients for sigstore signatures with Fulcio and Rekor are now available as a Technology - Preview. This added functionality is the client side support only, and does not include either - the Fulcio or Rekor servers. -

-
-

- Add the fulcio section in the policy.json - file. To sign container images, use the podman push --sign-by-sigstore=file.yml or skopeo copy --sign-by-sigstore=file.yml - commands, where file.yml is the - sigstore signing parameter file. -

-

- To verify signatures, add the fulcio section and the rekorPublicKeyPath or rekorPublicKeyData - fields in the policy.json file. For more information, see containers-policy.json man page. -

-

- Jira:RHELPLAN-136611 -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- Jira:RHELDOCS-16861 -

-
-
-
-
-
-
-

Chapter 10. Deprecated functionality

-
-
-
-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 9. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

10.1. Installer and image creation

-
-
-
-
-

Deprecated Kickstart commands

-

- The following Kickstart commands have been deprecated: -

-
-
-
    -
  • - timezone --ntpservers -
  • -
  • - timezone --nontp -
  • -
  • - logging --level -
  • -
  • - %packages --excludeWeakdeps -
  • -
  • - %packages --instLangs -
  • -
  • - %anaconda -
  • -
  • - pwpolicy -
  • -
-
-

- Note that where only specific options are listed, the base command and its other options are still - available and not deprecated. Using the deprecated commands in Kickstart files prints a warning in - the logs. You can turn the deprecated command warnings into errors with the inst.ksstrict boot option. -

-

- Bugzilla:1899167 -

-
-

User and Group customizations in the edge-commit and edge-container - blueprints have been deprecated

-

- Specifying a user or group customization in the blueprints is deprecated for the edge-commit and edge-container image - types, because the user customization disappears when you upgrade the image and do not specify - the user in the blueprint again. Therefore, you should specify the users and groups directly in - the blueprints for edge image types which are used to deploy an existing OSTree commit, such as - edge-raw-image, edge-installer, and - edge-simplified-installer. -

-
-

- Note that specifying a user or group customization in blueprints remains supported, but the support - will be eventually removed. -

-

- Bugzilla:2173928 -

-
-
-
-
-
-

10.2. Subscription management

-
-
-
-
-

The --token option of the subscription-manager command is deprecated

-

- The --token=<TOKEN> option of the subscription-manager register command is an authentication method - that helps register your system to Red Hat. This option depends on capabilities offered by the - entitlement server. The default entitlement server, subscription.rhsm.redhat.com, is planning to turn off this - capability. As a consequence, attempting to use subscription-manager register --token=<TOKEN> might fail with - the following error message: -

-
-
Token authentication not supported by the entitlement server
-

- You can continue registering your system using other authorization methods, such as including paired - options --username / --password and --org / --activationkey of the subscription-manager register command. -

-

- Bugzilla:2163716 -

-
-
-
-
-
-

10.3. Shells and command-line tools

-
-
-
-
-

Setting the TMPDIR variable in the ReaR - configuration file is deprecated

-

- Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement - such as export TMPDIR=…​, does not work and is deprecated. -

-
-

- To specify a custom directory for ReaR temporary files, export the variable in the shell environment - before executing ReaR. For example, execute the export TMPDIR=…​ - statement and then execute the rear command in the same shell session - or script. -

-

- Jira:RHELDOCS-18049 -

-
-

The dump utility from the dump package has been deprecated

-

- The dump utility used for backup of file systems has been - deprecated and will not be available in RHEL 9. -

-
-

- In RHEL 9, Red Hat recommends using the tar, dd, or bacula, backup utility, based on type - of usage, which provides full and safe backups on ext2, ext3, and ext4 file systems. -

-

- Note that the restore utility from the dump package remains available and supported in RHEL 9 and is available - as the restore package. -

-

- Bugzilla:1997366 -

-
-

The SQLite database backend in Bacula has been deprecated

-

- The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. - The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. - As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the - SQLite backend in new deployments. -

-
-

- Bugzilla:2089395 -

-
-
-
-
-
-

10.4. Security

-
-
-
-
-

SHA-1 is deprecated for cryptographic purposes

-

- The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. - The digest produced by SHA-1 is not considered secure because of many documented successful - attacks based on finding hash collisions. The RHEL core crypto components no longer create - signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 - in security-relevant use cases. -

-
-

- Among the exceptions, the HMAC-SHA1 message authentication code and the Universal Unique Identifier - (UUID) values can still be created using SHA-1 because these use cases do not currently pose - security risks. SHA-1 also can be used in limited cases connected with important interoperability - and compatibility concerns, such as Kerberos and WPA-2. See the List - of RHEL applications using cryptography that is not compliant with FIPS 140-3 section in the - RHEL - 9 Security hardening document for more details. -

-

- If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic - signatures, you can enable it by entering the following command: -

-
# update-crypto-policies --set DEFAULT:SHA1
-

- Alternatively, you can switch the system-wide crypto policies to the LEGACY policy. Note that LEGACY also enables - many other algorithms that are not secure. -

-

- Jira:RHELPLAN-110763 -

-
-

fapolicyd.rules is deprecated

-

- The /etc/fapolicyd/rules.d/ directory for files containing allow - and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility. -

-
-

- Bugzilla:2054740 -

-
-

SCP is deprecated in RHEL 9

-

- The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The - SCP API remains available for the RHEL 9 lifecycle but using it reduces system security. -

-
-
-
    -
  • - In the scp utility, SCP is replaced by the SSH File Transfer - Protocol (SFTP) by default. -
  • -
  • - The OpenSSH suite does not use SCP in RHEL 9. -
  • -
  • - SCP is deprecated in the libssh library. -
  • -
-
-

- Jira:RHELPLAN-99136 -

-
-

Digest-MD5 in SASL is deprecated

-

- The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) - framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release. -

-
-

- Bugzilla:1995600 -

-
-

OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, - RC2, RC4, RC5, SEED, and PBKDF1

-

- The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, - uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 - provides them for migrating encrypted data to use new algorithms. Users must not depend on those - algorithms for the security of their systems. -

-
-

- The implementations of the following algorithms have been moved to the legacy provider in OpenSSL: - MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1. -

-

- See the /etc/pki/tls/openssl.cnf configuration file for instructions on - how to load the legacy provider and enable support for the deprecated algorithms. -

-

- Bugzilla:1975836 -

-
-

/etc/system-fips is now deprecated -

-

- Support for indicating FIPS mode through the /etc/system-fips file - has been removed, and the file will not be included in future versions of RHEL. To install RHEL - in FIPS mode, add the fips=1 parameter to the kernel command line - during the system installation. You can check whether RHEL operates in FIPS mode by using the - fips-mode-setup --check command. -

-
-

- Jira:RHELPLAN-103232 -

-
-

libcrypt.so.1 is now deprecated

-

- The libcrypt.so.1 library is now deprecated, and it might be - removed in a future version of RHEL. -

-
-

- Bugzilla:2034569 -

-
-

OpenSSL requires padding for RSA encryption in FIPS mode

-

- OpenSSL no longer supports RSA encryption without padding in FIPS mode. RSA encryption without - padding is uncommon and is rarely used. Note that key encapsulation with RSA (RSASVE) does not - use padding but is still supported. -

-
-

- Bugzilla:2168665 -

-
-
-
-
-
-

10.5. Networking

-
-
-
-
-

Network teams are deprecated in RHEL 9

-

- The teamd service and the libteam - library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major - release. As a replacement, configure a bond instead of a network team. -

-
-

- Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and - teams, that have similar functions. The bonding code has a high customer adoption, is robust, and - has an active community development. As a result, the bonding code receives enhancements and - updates. -

-

- For details about how to migrate a team to a bond, see Migrating - a network team configuration to network bond. -

-

- Bugzilla:1935544 -

-
-

NetworkManager connection profiles in ifcfg - format are deprecated

-

- In RHEL 9.0 and later, connection profiles in ifcfg format are - deprecated. The next major RHEL release will remove the support for this format. However, in - RHEL 9, NetworkManager still processes and updates existing profiles in this format if you - modify them. -

-
-

- By default, NetworkManager now stores connection profiles in keyfile format in the /etc/NetworkManager/system-connections/ directory. Unlike the ifcfg format, the keyfile format supports all connection settings that - NetworkManager provides. For further details about the keyfile format and how to migrate profiles, - see NetworkManager - connection profiles in keyfile format. -

-

- Bugzilla:1894877 -

-
-

The iptables back end in firewalld is deprecated

-

- In RHEL 9, the iptables framework is deprecated. As a consequence, - the iptables backend and the direct interface in firewalld are also - deprecated. Instead of the direct interface you can use the native - features in firewalld to configure the required rules. -

-
-

- Bugzilla:2089200 -

-
-
-
-
-
-

10.6. Kernel

-
-
-
-
-

ATM encapsulation is deprecated in RHEL 9

-

- Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, - Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not - been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is - being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the - ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is - deprecated in Red Hat Enterprise Linux 9. -

-
-

- For more information, see PPP Over - AAL5, Multiprotocol - Encapsulation over ATM Adaptation Layer 5, and Classical IP and ARP over ATM. -

-

- Bugzilla:2058153 -

-
-

The kexec_load system call for kexec-tools has been deprecated

-

- The kexec_load system call, which loads the second kernel, will not - be supported in future RHEL releases. The kexec_file_load system - call replaces kexec_load and is now the default system call on all - architectures. -

-
-

- Bugzilla:2113873 -

-
-

Network teams are deprecated in RHEL 9

-

- The teamd service and the libteam - library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major - release. As a replacement, configure a bond instead of a network team. -

-
-

- Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and - teams, that have similar functions. The bonding code has a high customer adoption, is robust, and - has an active community development. As a result, the bonding code receives enhancements and - updates. -

-

- For details about how to migrate a team to a bond, see Migrating - a network team configuration to network bond. -

-

- Bugzilla:2013884 -

-
-
-
-
-
-

10.7. File systems and storage

-
-
-
-
-

lvm2-activation-generator and its generated - services removed in RHEL 9.0

-

- The lvm2-activation-generator program and its generated services - lvm2-activation, lvm2-activation-early, and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is - no longer functional. The only method for auto activating volume groups is event based - activation. -

-
-

- Bugzilla:2038183 -

-
-
-
-
-
-

10.8. Dynamic programming languages, web and database servers

-
-
-
-
-

libdb has been deprecated

-

- RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb) version - 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is - available under the AGPLv3 license, which is more restrictive. -

-
-

- The libdb package is deprecated as of RHEL 9 and might not be available - in future major RHEL releases. -

-

- In addition, cryptographic algorithms have been removed from libdb in - RHEL 9 and multiple libdb dependencies have been removed from RHEL 9. -

-

- Users of libdb are advised to migrate to a different key-value - database. For more information, see the Knowledgebase article Available replacements for the deprecated - Berkeley DB (libdb) in RHEL. -

-

- Bugzilla:1927780, Jira:RHELPLAN-80695, Bugzilla:1974657 -

-
-
-
-
-
-

10.9. Compilers and development tools

-
-
-
-
-

Smaller size of keys than 2048 are deprecated by openssl 3.0

-

- Key sizes smaller than 2048 bits are deprecated by openssl 3.0 and - no longer work in Go’s FIPS mode. -

-
-

- Bugzilla:2111072 -

-
-

Some PKCS1 v1.5 modes are now - deprecated

-

- Some PKCS1 v1.5 modes are not approved in FIPS-140-3 for encryption and are disabled. They will no longer work - in Go’s FIPS mode. -

-
-

- Bugzilla:2092016 -

-
-
-
-
-
-

10.10. Identity Management

-
-
-
-
-

SHA-1 in OpenDNSSec is now deprecated -

-

- OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 - algorithm is no longer supported. With the RHEL 9 release, SHA-1 in - OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, - OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is - not supported standalone. -

-
-

- Bugzilla:1979521 -

-
-

The SSSD implicit files provider domain is disabled by default

-

- The SSSD implicit files provider domain, which retrieves user - information from local files such as /etc/shadow and group - information from /etc/groups, is now disabled by default. -

-
-

- To retrieve user and group information from local files with SSSD: -

-
-
    -
  1. -

    - Configure SSSD. Choose one of the following options: -

    -
    -
      -
    1. -

      - Explicitly configure a local domain with the id_provider=files option in the sssd.conf configuration file. -

      -
      [domain/local]
      -id_provider=files
      -...
      -
    2. -
    3. -

      - Enable the files provider by setting enable_files_domain=true in the sssd.conf configuration file. -

      -
      [sssd]
      -enable_files_domain = true
      -
    4. -
    -
    -
  2. -
  3. -

    - Configure the name services switch. -

    -
    # authselect enable-feature with-files-provider
    -
  4. -
-
-

- Jira:RHELPLAN-100639 -

-
-

-h and -p options - were deprecated in OpenLDAP client utilities.

-

- The upstream OpenLDAP project has deprecated the -h and -p options in its utilities, and recommends using the -H option instead to specify the LDAP URI. As a consequence, RHEL 9 - has deprecated these two options in all OpenLDAP client utilities. The -h and -p options will be removed from - RHEL products in future releases. -

-
-

- Jira:RHELPLAN-137660 -

-
-

The SSSD files provider has been - deprecated

-

- The SSSD files provider has been deprecated in Red Hat Enterprise - Linux (RHEL) 9. The files provider might be removed from a future - release of RHEL. -

-
-

- Jira:RHELPLAN-139805 -

-
-

The nsslapd-idlistscanlimit parameter is - deprecated and its default value has been changed

-

- With the new filter reordering optimization, the nsslapd-idlistscanlimit attribute impact on search performance is - more harmful than helpful. As a result, the attribute is deprecated. Additionally, the default - value has been changed to 2147483646 (unlimited). -

-
-

- Bugzilla:1952241 -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- Jira:RHELDOCS-16612 -

-
-
-
-
-
-

10.11. Desktop

-
-
-
-
-

GTK 2 is now deprecated

-

- The legacy GTK 2 toolkit and the following, related packages have been deprecated: -

-
-
-
    -
  • - adwaita-gtk2-theme -
  • -
  • - gnome-common -
  • -
  • - gtk2 -
  • -
  • - gtk2-immodules -
  • -
  • - hexchat -
  • -
-
-

- Several other packages currently depend on GTK 2. These have been modified so that they no longer - depend on the deprecated packages in a future major RHEL release. -

-

- If you maintain an application that uses GTK 2, Red Hat recommends that you port the application to - GTK 4. -

-

- Jira:RHELPLAN-131882 -

-
-

LibreOffice is deprecated

-

- The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL - release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, - and 9. -

-
-

- As a replacement for the RPM packages, Red Hat recommends that you install LibreOffice from either - of the following sources provided by The Document Foundation: -

-
- -
-

- Jira:RHELDOCS-16300 -

-
-
-
-
-
-

10.12. Graphics infrastructures

-
-
-
-
-

Motif has been deprecated

-

- The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif - community is inactive. -

-
-

- The following Motif packages have been deprecated, including their development and debugging - variants: -

-
-
    -
  • - motif -
  • -
  • - openmotif -
  • -
  • - openmotif21 -
  • -
  • - openmotif22 -
  • -
-
-

- Additionally, the motif-static package has been removed. -

-

- Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new - features compared to Motif. -

-

- Jira:RHELPLAN-98983 -

-
-
-
-
-
-

10.13. Red Hat Enterprise Linux system roles

-
-
-
-
-

The network system role displays a deprecation - warning when configuring teams on RHEL 9 nodes

-

- The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL system role on a RHEL 8 control node to configure a - network team on RHEL 9 nodes, shows a warning about the deprecation. -

-
-

- Bugzilla:1999770 -

-
-
-
-
-
-

10.14. Virtualization

-
-
-
-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. Instead, Red Hat recommends using signatures based on the - SHA2 algorithm, or later. -

-
-

- Bugzilla:1935497 -

-
-

Limited support for virtual machine snapshots

-

- Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the - UEFI firmware. In addition, during the snapshot operation, the QEMU monitor may become blocked, - which negatively impacts the hypervisor performance for certain workloads. -

-
-

- Also note that the current mechanism of creating VM snapshots has been deprecated, and Red Hat does - not recommend using VM snapshots in a production environment. However, a new VM snapshot mechanism - is under development and is planned to be fully implemented in a future minor release of RHEL 9. -

-

- Jira:RHELPLAN-15509, Bugzilla:1621944 -

-
-

The virtual floppy driver has become deprecated

-

- The isa-fdc driver, which controls virtual floppy disk devices, is - now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure - forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy - disk devices in VMs hosted on RHEL 9. -

-
-

- Bugzilla:1965079 -

-
-

qcow2-v2 image format is deprecated

-

- With RHEL 9, the qcow2-v2 format for virtual disk images has become deprecated, and will become - unsupported in a future major release of RHEL. In addition, the RHEL 9 Image Builder cannot - create disk images in the qcow2-v2 format. -

-
-

- Instead of qcow2-v2, Red Hat strongly recommends using qcow2-v3. To convert a qcow2-v2 image to a - later format version, use the qemu-img amend command. -

-

- Bugzilla:1951814 -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager may not be yet - available in the RHEL web console. -

-
-

- Jira:RHELPLAN-10304 -

-
-

libvirtd has become deprecated

-

- The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a - future major release of RHEL. Note that you can still use libvirtd - for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly - introduced modular libvirt daemons. For instructions and details, - see the RHEL - 9 Configuring and Managing Virtualization document. -

-
-

- Jira:RHELPLAN-113995 -

-
-

Legacy CPU models are now deprecated

-

- A significant number of CPU models have become deprecated and will become unsupported for use in - virtual machines (VMs) in a future major release of RHEL. The deprecated models are as follows: -

-
-
-
    -
  • - For Intel: models prior to Intel Xeon 55xx and 75xx Processor families (also known as - Nehalem) -
  • -
  • - For AMD: models prior to AMD Opteron G4 -
  • -
  • - For IBM Z: models prior to IBM z14 -
  • -
-
-

- To check whether your VM is using a deprecated CPU model, use the virsh dominfo utility, and look for a line similar to the following in - the Messages section: -

-
tainted: use of deprecated configuration settings
-deprecated configuration: CPU model 'i486'
-

- Bugzilla:2060839 -

-
-

RDMA-based live migration is deprecated

-

- With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) - has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this - feature will become unsupported in a future major release of RHEL. -

-
-

- Jira:RHELPLAN-153267 -

-
-
-
-
-
-

10.15. Containers

-
-
-
-
-

Running RHEL 9 containers on a RHEL 7 host is not supported

-

- Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not - guaranteed. -

-
-

- For more information, see Red Hat Enterprise - Linux Container Compatibility Matrix. -

-

- Jira:RHELPLAN-100087 -

-
-

SHA1 hash algorithm within Podman has been deprecated

-

- The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer - supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 or - later have to be restarted if they are joined to a network (and not just using slirp4netns) to ensure they can connect to containers started after - the upgrade. -

-
-

- Bugzilla:2069279 -

-
-

rhel9/pause has been deprecated

-

- The rhel9/pause container image has been deprecated. -

-
-

- Bugzilla:2106816 -

-
-

The CNI network stack has been deprecated

-

- The Container Network Interface (CNI) network stack will be deprecated in a future minor - version. Previously, containers connected to the single Container Network Interface (CNI) plugin - only via DNS. Podman v.4.0 introduced a new Netavark network stack. You can use the Netavark - network stack with Podman and other Open Container Initiative (OCI) container management - applications. The Netavark network stack for Podman is also compatible with advanced Docker - functionalities. Containers in multiple networks can access containers on any of those networks. -

-
-

- For more information, see Switching - the network stack from CNI to Netavark. -

-

- Jira:RHELPLAN-147725 -

-
-
-
-
-
-

10.16. Deprecated packages

-
-
-
-

- This section lists packages that have been deprecated and will probably not be included in a future - major release of Red Hat Enterprise Linux. -

-

- For changes to packages between RHEL 8 and RHEL 9, see Changes - to packages in the Considerations in adopting RHEL 9 - document. -

-
-
Important
-
-

- The support status of deprecated packages remains unchanged within RHEL 9. For more - information about the length of support, see Red Hat Enterprise Linux - Life Cycle and Red - Hat Enterprise Linux Application Streams Life Cycle. -

-
-
-

- The following packages have been deprecated in RHEL 9: -

-
-
    -
  • - iptables-devel -
  • -
  • - iptables-libs -
  • -
  • - iptables-nft -
  • -
  • - iptables-nft-services -
  • -
  • - iptables-utils -
  • -
  • - libdb -
  • -
  • - mcpp -
  • -
  • - mod_auth_mellon -
  • -
  • - motif -
  • -
  • - motif-devel -
  • -
  • - python3-pytz -
  • -
  • - xorg-x11-server-Xorg -
  • -
-
-
-
-
-
-
-
-

Chapter 11. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 9.2. -

-
-
-
-
-

11.1. Installer and image creation

-
-
-
-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installer or use the authselect Kickstart command during installation. -

-

- Bugzilla:1640697 -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- Bugzilla:1697896 -

-
-

Unexpected SELinux policies on systems where Anaconda is running as an - application

-

- When Anaconda is running as an application on an already installed system (for example to - perform another installation to an image file using the –image - anaconda option), the system is not prohibited to modify the SELinux types and attributes during - installation. As a consequence, certain elements of SELinux policy might change on the system - where Anaconda is running. To work around this problem, do not run Anaconda on the production - system and execute it in a temporary virtual machine. So that the SELinux policy on a production - system is not modified. Running anaconda as part of the system installation process such as - installing from boot.iso or dvd.iso is - not affected by this issue. -

-
-

- Bugzilla:2050140 -

-
-

Local Media installation source is not - detected when booting the installation from a USB that is created using a third party - tool

-

- When booting the RHEL installation from a USB that is created using a third party tool, the - installer fails to detect the Local Media installation source (only - Red Hat CDN is detected). -

-
-

- This issue occurs because the default boot option int.stage2= attempts - to search for iso9660 image format. However, a third party tool might - create an ISO image with a different format. -

-

- As a workaround, use either of the following solution: -

-
-
    -
  • - When booting the installation, click the Tab key to edit the - kernel command line, and change the boot option inst.stage2= to - inst.repo=. -
  • -
  • - To create a bootable USB device on Windows, use Fedora Media Writer. -
  • -
  • - When using a third party tool like Rufus to create a bootable USB device, first regenerate - the RHEL ISO image on a Linux system, and then use the third party tool to create a bootable - USB device. -
  • -
-
-

- For more information on the steps involved in performing any of the specified workaround, see, Installation media is not auto - detected during the installation of RHEL 8.3. -

-

- Bugzilla:1877697 -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- Bugzilla:1914955 -

-
-

Driver disk menu fails to display user inputs on the console

-

- When you start RHEL installation using the inst.dd option on the - Kernel command line with a driver disk, the console fails to display the user input. - Consequently, it appears that the application does not respond to the user input and freezes, - but displays the output which is confusing for users. However, this behavior does not affect the - functionality, and user input gets registered after pressing Enter. -

-
-

- As a workaround, to see the expected results, ignore the absence of user inputs in the console and - press Enter when you finish adding inputs. -

-

- Bugzilla:2109231 -

-
-

Hard drive partitioned installations with iso9660 filesystem fails -

-

- You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that - is set to ignore any hard disk containing a iso9660 file system - partition. This happens even when RHEL is installed without using a DVD. -

-
-

- To workaround this problem, add the following script in the kickstart file to format the disc before - the installation starts. -

-

- Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk. -

-
%pre
-wipefs -a /dev/sda
-%end
-

- As a result, installations work as expected without any errors. -

-

- Bugzilla:1929105 -

-
-

Anaconda fails to verify existence of an administrator user - account

-

- While installing RHEL using a graphical user interface, Anaconda fails to verify if the - administrator account has been created. As a consequence, users might install a system without - any administrator user account. -

-
-

- To work around this problem, ensure you configure an administrator user account or the root password - is set and the root account is unlocked. As a result, users can perform administrative tasks on the - installed system. -

-

- Bugzilla:2047713 -

-
-

New XFS features prevent booting of PowerNV IBM POWER systems with firmware - older than version 5.10

-

- PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement - for GRUB. This results in the firmware kernel mounting /boot and - Petitboot reading the GRUB config and booting RHEL. -

-
-

- The RHEL 9 kernel introduces bigtime=1 and inobtcount=1 features to the XFS filesystem, which kernels with firmware - older than version 5.10 do not understand. -

-

- To work around this problem, you can use another filesystem for /boot, - for example ext4. -

-

- Bugzilla:1997832 -

-
-

RHEL for Edge installer image fails to create mount points when installing - an rpm-ostree payload

-

- When deploying rpm-ostree payloads, used for example in a RHEL for - Edge installer image, the installer does not properly create some mount points for custom - partitions. As a consequence, the installation is aborted with the following error: -

-
-
The command 'mount --bind /mnt/sysimage/data /mnt/sysroot/data' exited with the code 32.
-

- To work around this issue: -

-
-
    -
  • - Use an automatic partitioning scheme and do not add any mount points manually. -
  • -
  • - Manually assign mount points only inside /var directory. For - example, /var/my-mount-point), and - the following standard directories: /, /boot, /var. -
  • -
-
-

- As a result, the installation process finishes successfully. -

-

- Bugzilla:2125542 -

-
-

NetworkManager fails to start after the installation when connected to a - network but without DHCP or a static IP address configured

-

- Starting with RHEL 9.0, Anaconda activates network devices automatically when there is no - specific ip= or kickstart network configuration set. Anaconda - creates a default persistent configuration file for each Ethernet device. The connection profile - has the ONBOOT and autoconnect value - set to true. As a consequence, during the start of the installed - system, RHEL activates the network devices, and the networkManager-wait-online service fails. -

-
-

- As a workaround, do one of the following: -

-
-
    -
  • -

    - Delete all connections using the nmcli utility except one - connection you want to use. For example: -

    -
    -
      -
    1. -

      - List all connection profiles: -

      -
      # nmcli connection show
      -
    2. -
    3. -

      - Delete the connection profiles that you do not require: -

      -
      # nmcli connection delete <connection_name>
      -

      - Replace <connection_name> with the name of the connection you want to - delete. -

      -
    4. -
    -
    -
  • -
  • -

    - Disable the auto connect network feature in Anaconda if no specific ip= or kickstart network configuration is set. -

    -
    -
      -
    1. - In the Anaconda GUI, navigate to Network - & Host Name. -
    2. -
    3. - Select a network device to disable. -
    4. -
    5. - Click Configure. -
    6. -
    7. - On the General tab, deselect - the Connect automatically with - priority -
    8. -
    9. - Click Save. -
    10. -
    -
    -
  • -
-
-

- Bugzilla:2115783 -

-
-

Unable to load an updated driver from the driver update disc in the - installation environment

-

- A new version of a driver from the driver update disc might not load if the same driver from the - installation initial ramdisk has already been loaded. As a consequence, an updated version of - the driver cannot be applied to the installation environment. -

-
-

- As a workaround, use the modprobe.blacklist= kernel command line option - together with the inst.dd option. For example, to ensure that an - updated version of the virtio_blk driver from a driver update disc is - loaded, use modprobe.blacklist=virtio_blk and then continue with the - usual procedure to apply drivers from the driver update disk. As a result, the system can load an - updated version of the driver and use it in the installation environment. -

-

- Bugzilla:2164216 -

-
-

Kickstart installations fail to configure the network connection -

-

- Anaconda performs the kickstart network configuration only through the NetworkManager API. - Anaconda processes the network configuration after the %pre - kickstart section. As a consequence, some tasks from the kickstart %pre section are blocked. For example, downloading packages from the - %pre section fails due to unavailability of the network - configuration. -

-
-

- To work around this problem: -

-
-
    -
  • - Configure the network, for example using the nmcli tool, as a - part of the %pre script. -
  • -
  • - Use the installer boot options to configure the network for the %pre script. -
  • -
-
-

- As a result, it is possible to use the network for tasks in the %pre - section and the kickstart installation process completes. -

-

- Bugzilla:2173992 -

-
-

Installation might fail with Anaconda error while using USB 3.0 port on - select RAID volumes

-

- The RHEL installation process might fail with the following Anaconda error when you try to - install it on the select RAID 0 or RAID 1 with the bootable drive connected to USB 3.0 port: -

-
-
dasbus.error.DBusError: 'DiskDevice' object has no attribute 'members'
-

- Anaconda fails only when users select the Install Red Hat Enterprise Linux option on the boot menu. -

-

- As a workaround, use one of the following solutions: -

-
-
    -
  • - Install RHEL 9.3 or later. -
  • -
  • - Connect to USB 2.0 port instead of USB 3.0 port. -
  • -
  • - Select Test this media and Install Red Hat Enterprise - Linux instead of the default boot menu option. -
  • -
-
-

- Jira:RHEL-34154 -

-
-

RHEL installer does not process the inst.proxy - boot option correctly

-

- When running Anaconda, the installation program does not process the inst.proxy boot option correctly. As a consequence, you cannot use - the specified proxy to fetch the installation image. -

-
-

- To work around this issue: -

-
-
    -
  • - Use the latest version of RHEL distribution. -
  • -
  • - Use proxy instead of inst.proxy - boot option. -
  • -
-
-

- Jira:RHELDOCS-18764 -

-
-

File name truncation when mounting RHEL ISO on Windows 11

-

- When mounting the RHEL 9.2 binary DVD ISO on a Windows 11 system, file names are truncated - compared to when the same ISO is mounted on a RHEL system. Consequently, you will see that the - file names differ on Windows 11 systems. To work around this issue, you should mount the RHEL - 9.2 binary DVD ISO on a RHEL system and then copy the files to a Windows system if needed for a - specific use case, or use the latest version of RHEL. -

-
-

- Jira:RHELDOCS-17878 -

-
-
-
-
-
-

11.2. Software management

-
-
-
-
-

The Installation process sometimes becomes unresponsive

-

- When you install RHEL, the installation process sometimes becomes unresponsive. The /tmp/packaging.log file displays the following message at the end: -

-
-
10:20:56,416 DDEBUG dnf: RPM transaction over.
-

- To workaround this problem, restart the installation process. -

-

- Bugzilla:2073510 -

-
-
-
-
-
-

11.3. Shells and command-line tools

-
-
-
-
-

ReaR fails during recovery if the TMPDIR - variable is set in the configuration file

-

- Setting and exporting TMPDIR in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file does not work and is - deprecated. -

-
-

- The ReaR default configuration file /usr/share/rear/conf/default.conf - contains the following instructions: -

-
# To have a specific working area directory prefix for Relax-and-Recover
-# specify in /etc/rear/local.conf something like
-#
-# export TMPDIR="/prefix/for/rear/working/directory"
-#
-# where /prefix/for/rear/working/directory must already exist.
-# This is useful for example when there is not sufficient free space
-# in /tmp or $TMPDIR for the ISO image or even the backup archive.
-

- The instructions mentioned above do not work correctly because the TMPDIR variable has the same value in the rescue environment, which is - not correct if the directory specified in the TMPDIR variable does not - exist in the rescue image. -

-

- As a consequence, setting and exporting TMPDIR in the /etc/rear/local.conf file leads to the following error when the rescue - image is booted : -

-
mktemp: failed to create file via template '/prefix/for/rear/working/directory/tmp.XXXXXXXXXX': No such file or directory
-cp: missing destination file operand after '/etc/rear/mappings/mac'
-Try 'cp --help' for more information.
-No network interface mapping is specified in /etc/rear/mappings/mac
-

- or the following error and abort later, when running rear recover: -

-
ERROR: Could not create build area
-

- To work around this problem, if you want to have a custom temporary directory, specify a custom - directory for ReaR temporary files by exporting the variable in the shell environment before - executing ReaR. For example, execute the export TMPDIR=…​ statement and - then execute the rear command in the same shell session or script. As a - result, the recovery is successful in the described configuration. -

-

- Jira:RHEL-24847 -

-
-

Renaming network interfaces using ifcfg files - fails

-

- On RHEL 9, the initscripts package is not installed by default. - Consequently, renaming network interfaces using ifcfg files fails. - To solve this problem, Red Hat recommends that you use udev rules - or link files to rename interfaces. For further details, see Consistent - network interface device naming and the systemd.link(5) man - page. -

-
-

- If you cannot use one of the recommended solutions, install the initscripts package. -

-

- Bugzilla:2018112 -

-
-

The chkconfig package is not installed by - default in RHEL 9

-

- The chkconfig package, which updates and queries runlevel - information for system services, is not installed by default in RHEL 9. -

-
-

- To manage services, use the systemctl commands or install the chkconfig package manually. -

-

- For more information about systemd, see Managing - systemd. For instructions on how to use the systemctl utility, - see Managing - system services with systemctl. -

-

- Bugzilla:2053598 -

-
-

The Service Location Protocol (SLP) is vulnerable to an attack through - UDP

-

- The OpenSLP provides a dynamic configuration mechanism for applications in local area networks, - such as printers and file servers. However, SLP is vulnerable to a reflective denial of service - amplification attack through UDP on systems connected to the internet. SLP allows an - unauthenticated attacker to register new services without limits set by the SLP implementation. - By using UDP and spoofing the source address, an attacker can request the service list, creating - a Denial of Service on the spoofed address. -

-
-

- To prevent external attackers from accessing the SLP service, disable SLP on all systems running on - untrusted networks, such as those directly connected to the internet. Alternatively, to work around - this problem, configure firewalls to block or filter traffic on UDP and TCP port 427. -

-

- Bugzilla:2184570 -

-
-
-
-
-
-

11.4. Infrastructure services

-
-
-
-
-

Both bind and unbound disable validation of SHA-1-based signatures

-

- The bind and unbound components - disable validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 - (algorithm number 7) signatures, and the SHA-1 usage for signatures is restricted in the DEFAULT - system-wide cryptographic policy. -

-
-

- As a result, certain DNSSEC records signed with the SHA-1, RSA/SHA1, and RSASHA1-NSEC3-SHA1 digest - algorithms fail to verify in Red Hat Enterprise Linux 9 and the affected domain names become - vulnerable. -

-

- To work around this problem, upgrade to a different signature algorithm, such as RSA/SHA-256 or - elliptic curve keys. -

-

- For more information and a list of top-level domains that are affected and vulnerable, see the DNSSEC records signed with - RSASHA1 fail to verify solution. -

-

- Bugzilla:2070495 -

-
-

named fails to start if the same writable zone - file is used in multiple zones

-

- BIND does not allow the same writable zone file in multiple zones. Consequently, if a - configuration includes multiple zones which share a path to a file that can be modified by the - named service, named fails to start. - To work around this problem, use the in-view clause to share one - zone between multiple views and make sure to use different paths for different zones. For - example, include the view names in the path. -

-
-

- Note that writable zone files are typically used in zones with allowed dynamic updates, slave zones, - or zones maintained by DNSSEC. -

-

- Bugzilla:1984982 -

-
-

libotr is not compliant with FIPS

-

- The libotr library and toolkit for off-the-record (OTR) messaging - provides end-to-end encryption for instant messaging conversations. However, the libotr library does not conform to the Federal Information Processing - Standards (FIPS) due to its use of the gcry_pk_sign() and gcry_pk_verify() functions. As a result, you cannot use the libotr library in FIPS mode. -

-
-

- Bugzilla:2086562 -

-
-

Setting the console keymap requires the libxkbcommon library on your minimal install

-

- In RHEL 9, certain systemd library dependencies have been converted - from dynamic linking to dynamic loading, so that your system opens and uses the libraries at - runtime when they are available. With this change, a functionality that depends on such - libraries is not available unless you install the necessary library. This also affects setting - the keyboard layout on systems with a minimal install. As a result, the localectl --no-convert set-x11-keymap gb command fails. -

-
-

- To work around this problem, install the libxkbcommon library: -

-
# dnf install libxkbcommon
-

- Bugzilla:2214130 -

-
-

The %vmeff metric from the sysstat package displays incorrect values

-

- The sysstat package provides the %vmeff metric to measure the page reclaim efficiency. The values of - the %vmeff column returned by the sar -B command are incorrect because sysstat does not parse all relevant /proc/vmstat values provided by later kernel versions. To work around - this problem, you can calculate the %vmeff value manually from the - /proc/vmstat file. For details, see Why the sar(1) tool reports %vmeff values - beyond 100 % in RHEL 8 and RHEL 9? -

-
-

- Bugzilla:2230431 -

-
-
-
-
-
-

11.5. Security

-
-
-
-
-

tangd-keygen does not handle non-default umask correctly

-

- The tangd-keygen script does not change file permissions for - generated key files. Consequently, on systems with a default user file-creation mode mask (umask) that prevents reading keys to other users, the tang-show-keys command returns the error message Internal Error 500 instead of displaying the keys. -

-
-

- To work around the problem, use the chmod o+r *.jwk command to change - permissions on the files in the /var/db/tang directory. -

-

- Bugzilla:2188743 -

-
-

OpenSSL does not detect if a PKCS #11 token supports the creation of raw - RSA or RSA-PSS signatures

-

- The TLS 1.3 protocol requires support for RSA-PSS signatures. If a PKCS #11 token does not - support raw RSA or RSA-PSS signatures, server applications that use the OpenSSL library fail to - work with an RSA key if the key is held by the PKCS #11 token. As a result, TLS communication - fails in the described scenario. -

-
-

- To work around this problem, configure servers and clients to use TLS version 1.2 as the highest TLS - protocol version available. -

-

- Bugzilla:1681178 -

-
-

OpenSSL incorrectly handles PKCS #11 tokens - that does not support raw RSA or RSA-PSS signatures

-

- The OpenSSL library does not detect key-related capabilities of - PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created - with a token that does not support raw RSA or RSA-PSS signatures. -

-
-

- To work around the problem, add the following lines after the .include - line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file: -

-
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
-MaxProtocol = TLSv1.2
-

- As a result, a TLS connection can be established in the described scenario. -

-

- Bugzilla:1685470 -

-
-

scp empties files copied to themselves when a - specific syntax is used

-

- The scp utility changed from the Secure copy protocol (SCP) to the - more secure SSH file transfer protocol (SFTP). Consequently, copying a file from a location to - the same location erases the file content. The problem affects the following syntax: -

-
-

- scp localhost:/myfile localhost:/myfile -

-

- To work around this problem, do not copy files to a destination that is the same as the source - location using this syntax. -

-

- The problem has been fixed for the following syntaxes: -

-
-
    -
  • - scp /myfile localhost:/myfile -
  • -
  • - scp localhost:~/myfile ~/myfile -
  • -
-
-

- Bugzilla:2056884 -

-
-

The OSCAP Anaconda add-on does not fetch tailored profiles in the graphical - installation

-

- The OSCAP Anaconda add-on does not provide an option to select or deselect tailoring of security - profiles in the RHEL graphical installation. Starting from RHEL 8.8, the add-on does not take - tailoring into account by default when installing from archives or RPM packages. Consequently, - the installation displays the following error message instead of fetching an OSCAP tailored - profile: -

-
-
There was an unexpected problem with the supplied content.
-

- To work around this problem, you must specify paths in the %addon org_fedora_oscap section of your Kickstart file, for example: -

-
xccdf-path = /usr/share/xml/scap/sc_tailoring/ds-combined.xml
-tailoring-path = /usr/share/xml/scap/sc_tailoring/tailoring-xccdf.xml
-

- As a result, you can use the graphical installation for OSCAP tailored profiles only with the - corresponding Kickstart specifications. -

-

- Bugzilla:2165920 -

-
-

Ansible remediations require additional collections

-

- With the replacement of Ansible Engine by the ansible-core package, - the list of Ansible modules provided with the RHEL subscription is reduced. As a consequence, - running remediations that use Ansible content included within the scap-security-guide package requires collections from the rhc-worker-playbook package. -

-
-

- For an Ansible remediation, perform the following steps: -

-
-
    -
  1. -

    - Install the required packages: -

    -
    # dnf install -y ansible-core scap-security-guide rhc-worker-playbook
    -
  2. -
  3. -

    - Navigate to the /usr/share/scap-security-guide/ansible - directory: -

    -
    # cd /usr/share/scap-security-guide/ansible
    -
  4. -
  5. -

    - Run the relevant Ansible playbook using environment variables that define the path to - the additional Ansible collections: -

    -
    # ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -c local -i localhost, rhel9-playbook-cis_server_l1.yml
    -

    - Replace cis_server_l1 with the - ID of the profile against which you want to remediate the system. -

    -
  6. -
-
-

- As a result, the Ansible content is processed correctly. -

-
-
Note
-
-

- Support of the collections provided in rhc-worker-playbook is - limited to enabling the Ansible content sourced in scap-security-guide. -

-
-
-

- Bugzilla:2105162 -

-
-

oscap-anaconda-addon does not allow CIS - hardening of systems with Network Servers package group

-

- When installing RHEL Network Servers with a CIS security profile (cis, cis_server_l1, cis_workstation_l1, or cis_workstation_l2) on systems with the Network Servers package group - selected, oscap-anaconda-addon sends the error message package tftp has been added to the list of excluded packages, but it can’t be removed from the current software selection without breaking the install. - To proceed with the installation, navigate back to Software Selection and uncheck the Network Servers additional software to allow the installation and - hardening to finish. Then, install the required packages. -

-
-

- Bugzilla:2172264 -

-
-

Keylime does not accept concatenated PEM certificates

-

- When Keylime receives a certificate chain as multiple certificates in the PEM format - concatenated in a single file, the keylime-agent-rust Keylime - component does not correctly use all the provided certificates during signature verification, - resulting in a TLS handshake failure. As a consequence, the client components (keylime_verifier and keylime_tenant) - cannot connect to the Keylime agent. To work around this problem, use just one certificate - instead of multiple certificates. -

-
-

- Jira:RHELPLAN-157225 -

-
-

Keylime requires a specific file for tls_dir = default

-

- When the tls_dir variable is set to default in Keylime verifier or registrar configuration, Keylime - checks for the presence of the cacert.crt file in the /var/lib/keylime/cv_ca directory. If the file is not present, the - keylime_verifier or keylime_registrar - service fails to start and records the following message in a log: Exception: It appears that the verifier has not yet created a CA and certificates, please run the verifier first. - As a consequence, Keylime rejects custom certificate authority (CA) certificates that have a - different file name even when they are placed in the /var/lib/keylime/ca_cv directory. -

-
-

- To work around this problem and use custom CA certificates, manually specify tls_dir =/var/lib/keylime/ca_cv instead of using tls_dir = default. -

-

- Jira:RHELPLAN-157337 -

-
-

Default SELinux policy allows unconfined executables to make their stack - executable

-

- The default state of the selinuxuser_execstack boolean in the - SELinux policy is on, which means that unconfined executables can make their stack executable. - Executables should not use this option, and it might indicate poorly coded executables or a - possible attack. However, due to compatibility with other tools, packages, and third-party - products, Red Hat cannot change the value of the boolean in the default policy. If your scenario - does not depend on such compatibility aspects, you can turn the boolean off in your local policy - by entering the command setsebool -P selinuxuser_execstack off. -

-
-

- Bugzilla:2064274 -

-
-

SSH timeout rules in STIG profiles configure incorrect options

-

- An update of OpenSSH affected the rules in the following Defense Information Systems Agency - Security Technical Implementation Guide (DISA STIG) profiles: -

-
-
-
    -
  • - DISA STIG for RHEL 9 (xccdf_org.ssgproject.content_profile_stig) -
  • -
  • - DISA STIG with GUI for RHEL 9 (xccdf_org.ssgproject.content_profile_stig_gui) -
  • -
-
-

- In each of these profiles, the following two rules are affected: -

-
Title: Set SSH Client Alive Count Max to zero
-CCE Identifier: CCE-90271-8
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
-
-Title: Set SSH Idle Timeout Interval
-CCE Identifier: CCE-90811-1
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
-

- When applied to SSH servers, each of these rules configures an option (ClientAliveCountMax and ClientAliveInterval) - that no longer behaves as previously. As a consequence, OpenSSH no longer disconnects idle SSH users - when it reaches the timeout configured by these rules. As a workaround, these rules have been - temporarily removed from the DISA STIG for RHEL 9 and DISA STIG with GUI for RHEL 9 profiles until a - solution is developed. -

-

- Bugzilla:2038978 -

-
-

GnuPG incorrectly allows using SHA-1 signatures even if disallowed by crypto-policies

-

- The GNU Privacy Guard (GnuPG) cryptographic software can create and verify signatures that use - the SHA-1 algorithm regardless of the settings defined by the system-wide cryptographic - policies. Consequently, you can use SHA-1 for cryptographic purposes in the DEFAULT cryptographic policy, which is not consistent with the - system-wide deprecation of this insecure algorithm for signatures. -

-
-

- To work around this problem, do not use GnuPG options that involve SHA-1. As a result, you will - prevent GnuPG from lowering the default system security by using the non-secure SHA-1 signatures. -

-

- Bugzilla:2070722 -

-
-

gpg-agent does not work as an SSH agent in - FIPS mode

-

- The gpg-agent tool creates MD5 fingerprints when adding keys to the - ssh-agent program even though FIPS mode disables the MD5 digest. - Consequently, the ssh-add utility fails to add the keys to the - authentication agent. -

-
-

- To work around the problem, create the ~/.gnupg/sshcontrol file without - using the gpg-agent --daemon --enable-ssh-support command. For example, - you can paste the output of the gpg --list-keys command in the <FINGERPRINT> 0 format to ~/.gnupg/sshcontrol. As a result, gpg-agent - works as an SSH authentication agent. -

-

- Bugzilla:2073567 -

-
-

OpenSCAP memory-consumption problems

-

- On systems with limited memory, the OpenSCAP scanner might terminate prematurely or it might not - generate the results files. To work around this problem, you can customize the scanning profile - to deselect rules that involve recursion over the entire / file - system: -

-
-
-
    -
  • - rpm_verify_hashes -
  • -
  • - rpm_verify_permissions -
  • -
  • - rpm_verify_ownership -
  • -
  • - file_permissions_unauthorized_world_writable -
  • -
  • - no_files_unowned_by_user -
  • -
  • - dir_perms_world_writable_system_owned -
  • -
  • - file_permissions_unauthorized_suid -
  • -
  • - file_permissions_unauthorized_sgid -
  • -
  • - file_permissions_ungroupowned -
  • -
  • - dir_perms_world_writable_sticky_bits -
  • -
-
-

- For more details and more workarounds, see the related Knowledgebase article. -

-

- Bugzilla:2161499 -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service - enable or disable state remediation is - not needed. Consequently, OpenSCAP might set the services on the installed system to a - non-compliant state. As a workaround, you can scan and remediate the system after the kickstart - installation. This will fix the service-related issues. -

-
-

- BZ#1834716 -

-
-
-
-
-
-

11.6. Networking

-
-
-
-
-

The nm-cloud-setup service removes - manually-configured secondary IP addresses from interfaces

-

- Based on the information received from the cloud environment, the nm-cloud-setup service configures network interfaces. Disable nm-cloud-setup to manually configure interfaces. However, in certain - cases, other services on the host can configure interfaces as well. For example, these services - could add secondary IP addresses. To avoid that nm-cloud-setup - removes secondary IP addresses: -

-
-
-
    -
  1. -

    - Stop and disable the nm-cloud-setup service and timer: -

    -
    # systemctl disable --now nm-cloud-setup.service nm-cloud-setup.timer
    -
  2. -
  3. -

    - Display the available connection profiles: -

    -
    # nmcli connection show
    -
  4. -
  5. -

    - Reactive the affected connection profiles: -

    -
    # nmcli connection up "<profile_name>"
    -
  6. -
-
-

- As a result, the service no longer removes manually-configured secondary IP addresses from - interfaces. -

-

- Bugzilla:2151040 -

-
-

Failure to update the session key causes the connection to break -

-

- Kernel Transport Layer Security (kTLS) protocol does not support updating the session key, which - is used by the symmetric cipher. Consequently, the user cannot update the key, which causes a - connection break. To work around this problem, disable kTLS. As a result, with the workaround, - it is possible to successfully update the session key. -

-
-

- Bugzilla:2013650 -

-
-

The initscripts package is not installed by - default

-

- By default, the initscripts package is not installed. As a - consequence, the ifup and ifdown - utilities are not available. As an alternative, use the nmcli connection up and nmcli connection down commands to enable and disable connections. If - the suggested alternative does not work for you, report the problem and install the NetworkManager-initscripts-updown package, which provides a - NetworkManager solution for the ifup and ifdown utilities. -

-
-

- Bugzilla:2082303 -

-
-

Using the XDP multi buffer mode with the mlx5 - driver and a MTU greater than 3498 bytes requires disabling RX Striding RQ

-

- Running an eXpress Data Path (XDP) script with multi buffer mode on a host that matches all of - the following conditions fails: -

-
-
-
    -
  • - The host uses the mlx5 driver. -
  • -
  • - The Maximum Transmission Unit (MTU) value is greater than 3498 bytes. -
  • -
  • - The receive striding receive queue (RX Striding RQ) feature is enabled on the Mellanox - interface. -
  • -
-
-

- If all conditions apply, the script fails with a link set xdp fd failed - error. To run the XDP script on a host with a higher MTU, disable RX Striding RQ on the Mellanox - interface: -

-
# ethtool --set-priv-flags <interface_name> rx_striding_rq off
-

- As a result, you can use the XDP multi buffer mode on interfaces that use the mlx5 driver and have an MTU value greater than 3498 bytes. -

-

- Jira:RHEL-6496 -

-
-
-
-
-
-

11.7. Kernel

-
-
-
-
-

The kdump mechanism in kernel causes OOM errors on the 64K kernel

-

- The 64K kernel page size on the 64-bit ARM architecture uses more memory than the 4KB kernel. - Consequently, kdump causes a kernel panic and memory allocation - fails with out of memory (OOM) errors. As a work around, manually configure the crashkernel value to 640 MB. For example, set the crashkernel= parameter as crashkernel=2G- :640M. -

-
-

- As a result, the kdump mechanism does not fail on the 64K kernel in the - described scenario. -

-

- Bugzilla:2160676 -

-
-

Customer applications with dependencies on kernel page size may need - updating when moving from 4k to 64k page size kernel

-

- RHEL is compatible with both 4k and 64k page size kernels. Customer applications with - dependencies on a 4k kernel page size may require updating when moving from 4k to 64k page size - kernels. Known instances of this include jemalloc and dependent - applications. -

-
-

- The jemalloc memory allocator library is sensitive to the page size - used in the system’s runtime environment. The library can be built to be compatible with 4k and 64k - page size kernels, for example, when configured with --with-lg-page=16 - or env JEMALLOC_SYS_WITH_LG_PAGE=16 (for jemallocator Rust crate). Consequently, a mismatch can occur between the - page size of the runtime environment and the page size that was present when compiling binaries that - depend on jemalloc. As a result, using a jemalloc-based application triggers the following error: -

-
<jemalloc>: Unsupported system page size
-

- To avoid this problem, use one of the following approaches: -

-
-
    -
  • - Use the appropriate build configuration or environment options to create 4k and 64k page - size compatible binaries. -
  • -
  • - Build any userspace packages that use jemalloc after booting - into the final 64k kernel and runtime environment. -
  • -
-
-

- For example, you can build the fd-find tool, which also uses jemalloc, with the cargo Rust package - manager. In the final 64k environment, trigger a new build of all dependencies to resolve the - mismatch in the page size by entering the cargo command: -

-
# cargo install fd-find --force
-

- Bugzilla:2167783 -

-
-

The kdump service fails to build the initrd file on IBM Z systems

-

- On the 64-bit IBM Z systems, the kdump service fails to load the - initial RAM disk (initrd) when znet - related configuration information such as s390-subchannels reside - in an inactive NetworkManager connection profile. Consequently, the - kdump mechanism fails with the following error: -

-
-
dracut: Failed to set up znet
-kdump: mkdumprd: failed to make kdump initrd
-

- As a workaround, use one of the following solutions: -

-
-
    -
  • -

    - Configure a network bond or bridge by re-using the connection profile that has the znet configuration information: -

    -
    $ nmcli connection modify enc600 master bond0 slave-type bond
    -
  • -
  • -

    - Copy the znet configuration information from the inactive - connection profile to the active connection profile: -

    -
    -
      -
    1. -

      - Run the nmcli command to query the NetworkManager connection profiles: -

      -
      # nmcli connection show
      -
      -NAME                       UUID               TYPE   Device
      -
      -bridge-br0           ed391a43-bdea-4170-b8a2 bridge   br0
      -bridge-slave-enc600  caf7f770-1e55-4126-a2f4 ethernet enc600
      -enc600               bc293b8d-ef1e-45f6-bad1 ethernet --
      -
    2. -
    3. -

      - Update the active profile with configuration information from the inactive - connection: -

      -
      #!/bin/bash
      - inactive_connection=enc600
      - active_connection=bridge-slave-enc600
      - for name in nettype subchannels options; do
      - field=802-3-ethernet.s390-$name
      - val=$(nmcli --get-values "$field"connection show "$inactive_connection")
      - nmcli connection modify "$active_connection" "$field" $val"
      - done
      -
    4. -
    5. -

      - Restart the kdump service for changes to take - effect: -

      -
      # kdumpctl restart
      -
    6. -
    -
    -
  • -
-
-

- Bugzilla:2064708 -

-
-

kTLS does not support offloading of TLS 1.3 to NICs

-

- Kernel Transport Layer Security (kTLS) does not support offloading of TLS 1.3 to NICs. - Consequently, software encryption is used with TLS 1.3 even when the NICs support TLS offload. - To work around this problem, disable TLS 1.3 if offload is required. As a result, you can - offload only TLS 1.2. When TLS 1.3 is in use, there is lower performance, since TLS 1.3 cannot - be offloaded. -

-
-

- Bugzilla:2000616 -

-
-

The Delay Accounting functionality does not - display the SWAPIN and IO% - statistics columns by default

-

- The Delayed Accounting functionality, unlike early versions, is - disabled by default. Consequently, the iotop application does not - show the SWAPIN and IO% statistics - columns and displays the following warning: -

-
-
CONFIG_TASK_DELAY_ACCT not enabled in kernel, cannot determine SWAPIN and IO%
-

- The Delay Accounting functionality, using the taskstats interface, provides the delay statistics for all tasks or - threads that belong to a thread group. Delays in task execution occur when they wait for a kernel - resource to become available, for example, a task waiting for a free CPU to run on. The statistics - help in setting a task’s CPU priority, I/O priority, and rss limit - values appropriately. -

-

- As a workaround, you can enable the delayacct boot option either at run - time or boot. -

-
-
    -
  • -

    - To enable delayacct at run time, enter: -

    -
    echo 1 > /proc/sys/kernel/task_delayacct
    -

    - Note that this command enables the feature system wide, but only for the tasks that you - start after running this command. -

    -
  • -
  • -

    - To enable delayacct permanently at boot, use one of the - following procedures: -

    -
    - -
    -
  • -
-
-

- As a result, the iotop application displays the SWAPIN and IO% statistics columns. -

-

- Bugzilla:2132480 -

-
-

The kdump mechanism fails to capture the vmcore file on LUKS-encrypted targets

-

- When running kdump on systems with Linux Unified Key Setup (LUKS) - encrypted partitions, systems require a certain amount of available memory. When the available - memory is less than the required amount of memory, the systemd-cryptsetup service fails to mount the partition. - Consequently, the second kernel fails to capture the crash dump file (vmcore) on LUKS-encrypted targets. -

-
-

- With the kdumpctl estimate command, you can query the Recommended crashkernel value, which is the recommended memory size - required for kdump. -

-

- To work around this problem, use following steps to configure the required memory for kdump on LUKS encrypted targets: -

-
-
    -
  1. -

    - Print the estimate crashkernel value: -

    -
    # kdumpctl estimate
    -
  2. -
  3. -

    - Configure the amount of required memory by increasing the crashkernel value: -

    -
    # grubby --args=crashkernel=652M --update-kernel=ALL
    -
  4. -
  5. -

    - Reboot the system for changes to take effect. -

    -
    # reboot
    -
  6. -
-
-

- As a result, kdump works correctly on systems with LUKS-encrypted - partitions. -

-

- Bugzilla:2017401 -

-
-

Allocating crash kernel memory fails at boot time

-

- On certain Ampere Altra systems, allocating the crash kernel memory for kdump usage fails during boot when the available memory is below 1 - GB. Consequently, the kdumpctl command fails to start the kdump service. -

-
-

- To workaround this problem, do one of the following: -

-
-
    -
  • - Decrease the value of the crashkernel parameter by a minimum of - 240 MB to fit the size requirement, for example crashkernel=240M. -
  • -
  • - Use the crashkernel=x,high option to reserve crash kernel - memory above 4 GB for kdump. -
  • -
-
-

- As a result, the crash kernel memory allocation for kdump does not fail - on Ampere Altra systems. -

-

- Bugzilla:2065013 -

-
-

RHEL fails to recognize NVMe disks when VMD is enabled

-

- When you reset or reattach the driver, the Volume Management Device (VMD) domain currently does - not soft-reset. Consequently, the hardware cannot properly detect and enumerate its devices. As - a result, the operating system with VMD enabled does not recognize NVMe disks, especially when - resetting a server or working with a VM machine. -

-
-

- Bugzilla:2128610 -

-
-

The iwl7260-firmware breaks Wi-Fi on Intel - Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1 Gen 4

-

- After updating the iwl7260-firmware or iwl7260-wifi driver to the version provided by RHEL 9.1 and later, - the hardware gets into an incorrect internal state. reports its state incorrectly. Consequently, - Intel Wifi 6 cards may not work and display the error message: -

-
-
kernel: iwlwifi 0000:09:00.0: Failed to start RT ucode: -110
-kernel: iwlwifi 0000:09:00.0: WRT: Collecting data: ini trigger 13 fired (delay=0ms)
-kernel: iwlwifi 0000:09:00.0: Failed to run INIT ucode: -110
-

- An unconfirmed work around is to power off the system and back on again. Do not reboot. -

-

- Bugzilla:2129288 -

-
-

weak-modules from kmod fails to work with module inter-dependencies

-

- The weak-modules script provided by the kmod package determines which modules are kABI-compatible with - installed kernels. However, while checking modules' kernel compatibility, weak-modules processes modules symbol dependencies from higher to - lower release of the kernel for which they were built. As a consequence, modules with - inter-dependencies built against different kernel releases might be interpreted as - non-compatible, and therefore the weak-modules script fails to work - in this scenario. -

-
-

- To work around the problem, build or put the extra modules against the latest stock kernel before - you install the new kernel. -

-

- Bugzilla:2103605 -

-
-

The mlx5 driver fails while using the Mellanox - ConnectX-5 adapter

-

- In Ethernet switch device driver model (switchdev) mode, the mlx5 driver fails when configured with the device managed flow - steering (DMFS) parameter and ConnectX-5 adapter supported - hardware. As a consequence, you can see the following error message: -

-
-
BUG: Bad page cache in process umount pfn:142b4b
-

- To work around this problem, use the software managed flow steering (SMFS) parameter instead of - DMFS. -

-

- Bugzilla:2180665 -

-
-

Hardware certification of the real-time kernel on systems with large - core-counts might require passing the skew-tick=1 boot - parameter to avoid lock contentions

-

- Large or moderate sized systems with numerous sockets and large core-counts can experience - latency spikes due to lock contentions on xtime_lock, which is used - in the timekeeping system. As a consequence, latency spikes and delays in hardware - certifications might occur on multiprocessing systems. As a workaround, you can offset the timer - tick per CPU to start at a different time by adding the skew_tick=1 - boot parameter. -

-
-

- To avoid lock conflicts, enable skew_tick=1: -

-
-
    -
  1. -

    - Enable the skew_tick=1 parameter with grubby. -

    -
    # grubby --update-kernel=ALL --args="skew_tick=1"
    -
  2. -
  3. - Reboot for changes to take effect. -
  4. -
  5. - Verify the new settings by running the cat /proc/cmdline - command. -
  6. -
-
-

- Note that enabling skew_tick=1 causes a significant increase in power - consumption and, therefore, it must be enabled only if you are running latency sensitive real-time - workloads. -

-

- Bugzilla:2214508 -

-
-

dkms provides an incorrect warning on program - failure with correctly compiled drivers on 64-bit ARM CPUs

-

- The Dynamic Kernel Module Support (dkms) utility does not recognize - that the kernel headers for 64-bit ARM CPUs work for both the kernels with 4 kilobytes and 64 - kilobytes page sizes. As a result, when the kernel update is performed and the kernel-64k-devel package is not installed, dkms provides an incorrect warning on why the program failed on - correctly compiled drivers. To work around this problem, install the kernel-headers package, which contains header files for both types of - ARM CPU architectures and is not specific to dkms and its - requirements. -

-
-

- Jira:RHEL-25967 -

-
-
-
-
-
-

11.8. File systems and storage

-
-
-
-
-

Anaconda fails to login iSCSI server using the no authentication method after unsuccessful CHAP authentication - attempt

-

- When you add iSCSI discs using CHAP authentication and the login attempt fails due to incorrect - credentials, a relogin attempt to the discs with the no authentication method fails. To workaround this problem, close the - current session and login using the no authentication method. -

-
-

- Bugzilla:1983602 -

-
-

Device Mapper Multipath is not supported with NVMe/TCP

-

- Using Device Mapper Multipath with the nvme-tcp driver can result - in the Call Trace warnings and system instability. To work around this problem, NVMe/TCP users - must enable native NVMe multipathing and not use the device-mapper-multipath tools with NVMe. -

-
-

- By default, Native NVMe multipathing is enabled in RHEL 9. For more information, see Enabling - multipathing on NVMe devices. -

-

- Bugzilla:2033080 -

-
-

The blk-availability systemd service - deactivates complex device stacks

-

- In systemd, the default block deactivation code does not always - handle complex stacks of virtual block devices correctly. In some configurations, virtual - devices might not be removed during the shutdown, which causes error messages to be logged. To - work around this problem, deactivate complex block device stacks by executing the following - command: -

-
-
# systemctl enable --now blk-availability.service
-

- As a result, complex virtual device stacks are correctly deactivated during shutdown and do not - produce error messages. -

-

- Bugzilla:2011699 -

-
-

Disabling quota accounting is no longer possible for an XFS filesystem - mounted with quotas enabled

-

- As of RHEL 9.2, it is no longer possible to disable quota accounting on an XFS filesystem which - has been mounted with quotas enabled. -

-
-

- To work around this issue, disable quota accounting by remounting the filesystem, with the quota - option removed. -

-

- Bugzilla:2160619 -

-
-

System fails to boot when adding an NVMe-FC device as a mount point in - /etc/fstab

-

- The Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices mounted through the /etc/fstab file fails to mount at boot and the system enters into - emergency mode. This is due to a known bug in the nvme-cli nvmf-autoconnect systemd services. -

-
-

- Bugzilla:2168603 -

-
-

udev rule change for NVMe devices

-

- There is a udev rule change for NVMe devices that adds OPTIONS="string_escape=replace" parameter. This leads to a disk by-id - naming change for some vendors, if the serial number of your device has leading whitespace. -

-
-

- Bugzilla:2185048 -

-
-
-
-
-
-

11.9. Dynamic programming languages, web and database servers

-
-
-
-
-

python3.11-lxml does not provide the lxml.isoschematron submodule

-

- The python3.11-lxml package is distributed without the lxml.isoschematron submodule because it is not under an open source - license. The submodule implements ISO Schematron support. As an alternative, pre-ISO-Schematron - validation is available in the lxml.etree.Schematron class. The - remaining content of the python3.11-lxml package is unaffected. -

-
-

- Bugzilla:2157708 -

-
-

The --ssl-fips-mode option in MySQL and MariaDB does not change - FIPS mode

-

- The --ssl-fips-mode option in MySQL - and MariaDB in RHEL works differently than in upstream. -

-
-

- In RHEL 9, if you use --ssl-fips-mode as an argument for the mysqld or mariadbd daemon, or if you use - ssl-fips-mode in the MySQL or MariaDB server configuration files, --ssl-fips-mode does not change FIPS mode for these database servers. -

-

- Instead: -

-
-
    -
  • - If you set --ssl-fips-mode to ON, - the mysqld or mariadbd server - daemon does not start. -
  • -
  • - If you set --ssl-fips-mode to OFF - on a FIPS-enabled system, the mysqld or mariadbd server daemons still run in FIPS mode. -
  • -
-
-

- This is expected because FIPS mode should be enabled or disabled for the whole RHEL system, not for - specific components. -

-

- Therefore, do not use the --ssl-fips-mode option in MySQL or MariaDB in RHEL. Instead, ensure - FIPS mode is enabled on the whole RHEL system: -

-
-
    -
  • - Preferably, install RHEL with FIPS mode enabled. Enabling FIPS mode during the installation - ensures that the system generates all keys with FIPS-approved algorithms and continuous - monitoring tests in place. For information about installing RHEL in FIPS mode, see Installing - the system in FIPS mode. -
  • -
  • - Alternatively, you can switch FIPS mode for the entire RHEL system by following the - procedure in Switching - the system to FIPS mode. -
  • -
-
-

- Bugzilla:1991500 -

-
-
-
-
-
-

11.10. Compilers and development tools

-
-
-
-
-

Certain symbol-based probes do not work in SystemTap on the 64-bit ARM architecture

-

- Kernel configuration disables certain functionality needed for SystemTap. Consequently, some symbol-based probes do not work on the - 64-bit ARM architecture. As a result, affected SystemTap scripts - may not run or may not collect hits on desired probe points. -

-
-

- Note that this bug has been fixed for the remaining architectures with the release of the RHBA-2022:5259 advisory. -

-

- Bugzilla:2083727 -

-
-

GCC in GCC Toolset 12: CPU detection may fail on Intel Sapphire Rapids - processors

-

- CPU detection on Intel Sapphire Rapids processors relies on the existence of the AVX512_VP2INTERSECT feature. This feature has been removed from the - GCC Toolset 12 version of GCC and, as a consequence, CPU detection may fail on Intel Sapphire - Rapids processors. -

-
-

- Bugzilla:2141718 -

-
-
-
-
-
-

11.11. Identity Management

-
-
-
-
-

Configuring a referral for a suffix fails in Directory Server

-

- If you set a back-end referral in Directory Server, setting the state of the backend using the - dsconf <instance_name> backend suffix set --state referral - command fails with the following error: -

-
-
Error: 103 - 9 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral before moving to referral state
-

- As a consequence, configuring a referral for suffixes fail. To work around the problem: -

-
-
    -
  1. -

    - Set the nsslapd-referral parameter manually: -

    -
    # ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com
    -
    -dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
    -changetype: modify
    -add: nsslapd-referral
    -nsslapd-referral: ldap://remote_server:389/dc=example,dc=com
    -
  2. -
  3. -

    - Set the back-end state: -

    -
    # dsconf <instance_name> backend suffix set --state referral
    -
  4. -
-
-

- As a result, with the workaround, you can configure a referral for a suffix. -

-

- Bugzilla:2063140 -

-
-

The dsconf utility has no option to create - fix-up tasks for the entryUUID plug-in

-

- The dsconf utility does not provide an option to create fix-up - tasks for the entryUUID plug-in. As a result, administrators cannot - not use dsconf to create a task to automatically add entryUUID attributes to existing entries. As a workaround, create a - task manually: -

-
-
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
-
-dn: cn=entryuuid_fixup_<time_stamp>,cn=entryuuid task,cn=tasks,cn=config
-objectClass: top
-objectClass: extensibleObject
-basedn: <fixup base tree>
-cn: entryuuid_fixup_<time_stamp>
-filter: <filtered_entry>
-

- After the task has been created, Directory Server fixes entries with missing or invalid entryUUID attributes. -

-

- Bugzilla:2047175 -

-
-

MIT Kerberos does not support ECC certificates for PKINIT

-

- MIT Kerberos does not implement the RFC5349 request for comments document, which describes the - design of elliptic-curve cryptography (ECC) support in Public Key Cryptography for initial - authentication (PKINIT). Consequently, the MIT krb5-pkinit package, - used by RHEL, does not support ECC certificates. For more information, see Elliptic Curve Cryptography (ECC) Support - for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT). -

-
-

- Bugzilla:2106043 -

-
-

The DEFAULT:SHA1 subpolicy has to be set on RHEL 9 clients for PKINIT to - work against AD KDCs

-

- The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key - Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 - algorithm. -

-
-

- However, the Active Directory (AD) Kerberos Distribution Center (KDC) still uses the SHA-1 digest - algorithm to sign CMS messages. As a result, RHEL 9 Kerberos clients fail to authenticate users by - using PKINIT against an AD KDC. -

-

- To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the - following command: -

-
 # update-crypto-policies --set DEFAULT:SHA1
-

- Bugzilla:2060798 -

-
-

The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent - communicates with a non-RHEL-9 and non-AD Kerberos agent

-

- If a RHEL 9 Kerberos agent, either a client or Kerberos Distribution Center (KDC), interacts - with a non-RHEL-9 Kerberos agent that is not an Active Directory (AD) agent, the PKINIT - authentication of the user fails. To work around the problem, perform one of the following - actions: -

-
-
-
    -
  • -

    - Set the RHEL 9 agent’s crypto-policy to DEFAULT:SHA1 to - allow the verification of SHA-1 signatures: -

    -
    # update-crypto-policies --set DEFAULT:SHA1
    -
  • -
  • -

    - Update the non-RHEL-9 and non-AD agent to ensure it does not sign CMS data using the - SHA-1 algorithm. For this, update your Kerberos client or KDC packages to the versions - that use SHA-256 instead of SHA-1: -

    -
    -
      -
    • - CentOS 9 Stream: krb5-1.19.1-15 -
    • -
    • - RHEL 8.7: krb5-1.18.2-17 -
    • -
    • - RHEL 7.9: krb5-1.15.1-53 -
    • -
    • - Fedora Rawhide/36: krb5-1.19.2-7 -
    • -
    • - Fedora 35/34: krb5-1.19.2-3 -
    • -
    -
    -
  • -
-
-

- As a result, the PKINIT authentication of the user works correctly. -

-

- Note that for other operating systems, it is the krb5-1.20 release that ensures that the agent signs - CMS data with SHA-256 instead of SHA-1. -

-

- See also The - DEFAULT:SHA1 subpolicy has to be set on RHEL 9 clients for PKINIT to work against AD KDCs. -

-

- Bugzilla:2077450 -

-
-

FIPS support for AD trust requires the AD-SUPPORT crypto subpolicy -

-

- Active Directory (AD) uses AES SHA-1 HMAC encryption types, which are not allowed in FIPS mode - on RHEL 9 by default. If you want to use RHEL 9 IdM hosts with an AD trust, enable support for - AES SHA-1 HMAC encryption types before installing IdM software. -

-
-

- Since FIPS compliance is a process that involves both technical and organizational agreements, - consult your FIPS auditor before enabling the AD-SUPPORT subpolicy to - allow technical measures to support AES SHA-1 HMAC encryption types, and then install RHEL IdM: -

-
 # update-crypto-policies --set FIPS:AD-SUPPORT
-

- Bugzilla:2057471 -

-
-

Heimdal client fails to authenticate a user using PKINIT against RHEL 9 - KDC

-

- By default, a Heimdal Kerberos client initiates the PKINIT authentication of an IdM user by - using Modular Exponential (MODP) Diffie-Hellman Group 2 for Internet Key Exchange (IKE). - However, the MIT Kerberos Distribution Center (KDC) on RHEL 9 only supports MODP Group 14 and - 16. -

-
-

- Consequently, the pre-autentication request fails with the krb5_get_init_creds: PREAUTH_FAILED error on the Heimdal client and Key parameters not accepted on the RHEL MIT KDC. -

-

- To work around this problem, ensure that the Heimdal client uses MODP Group 14. Set the pkinit_dh_min_bits parameter in the libdefaults section of the client configuration file to 1759: -

-
[libdefaults]
-pkinit_dh_min_bits = 1759
-

- As a result, the Heimdal client completes the PKINIT pre-authentication against the RHEL MIT KDC. -

-

- Bugzilla:2106296 -

-
-

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a - two-way cross-forest trust

-

- Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management - (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support - Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the - RC4 NTLM hash that the AD domain controller uses when attempting to authenticate. -

-
-

- Bugzilla:2124243 -

-
-

IdM to AD cross-realm TGS requests fail

-

- The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with - AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). -

-
-

- Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with - the following error: -

-
Generic error (see e-text) while getting credentials for <service principal>
-

- Bugzilla:2060421 -

-
-

IdM Vault encryption and decryption fails in FIPS mode

-

- The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. Consequently, - Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 - padding for wrapping the session key with the transport certificate. -

-
-

- Bugzilla:2089907 -

-
-

Users without SIDs cannot log in to IdM after an upgrade

-

- After upgrading your IdM replica to RHEL 9.2, the IdM Kerberos Distribution Centre (KDC) might - fail to issue ticket-granting tickets (TGTs) to users who do not have Security Identifiers - (SIDs) assigned to their accounts. Consequently, the users cannot log in to their accounts. -

-
-

- To work around the problem, generate SIDs by running the following command as an IdM administrator - on another IdM replica in the topology: -

-
# ipa config-mod --enable-sid --add-sids
-

- Afterward, if users still cannot log in, examine the Directory Server error log. You might have to - adjust ID ranges to include user POSIX identities. -

-

- See the When upgrading to RHEL9, - IDM users are not able to login anymore Knowledgebase solution for more information. -

-

- Jira:RHELPLAN-157939 -

-
-

Migrated IdM users might be unable to log in due to mismatching domain - SIDs

-

- If you have used the ipa migrate-ds script to migrate users from - one IdM deployment to another, those users might have problems using IdM services because their - previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM - environment. For example, those users can retrieve a Kerberos ticket with the kinit utility, but they cannot log in. To work around this problem, - see the following Knowledgebase article: Migrated IdM users unable to log in due - to mismatching domain SIDs. -

-
-

- Jira:RHELPLAN-109613 -

-
-

MIT krb5 user fails to obtain an AD TGT - because of incompatible encryption types generating the user PAC

-

- In MIT krb5 1.20 and later packages, a Privilege Attribute - Certificate (PAC) is included in all Kerberos tickets by default. The MIT Kerberos Distribution - Center (KDC) selects the strongest encryption type available to generate the KDC checksum in the - PAC, which currently is the AES HMAC-SHA2 encryption types defined - in RFC8009. However, Active Directory (AD) does not support this RFC. Consequently, in an AD-MIT - cross-realm setup, an MIT krb5 user fails to obtain an AD - ticket-granting ticket (TGT) because the cross-realm TGT generated by MIT KDC contains an - incompatible KDC checksum type in the PAC. -

-
-

- To work around the problem, set the disable_pac parameter to true for the MIT realm in the [realms] - section of the /var/kerberos/krb5kdc/kdc.conf configuration file. As a - result, the MIT KDC generates tickets without PAC, which means that AD skips the failing checksum - verification and an MIT krb5 user can obtain an AD TGT. -

-

- Bugzilla:2016312 -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- Jira:RHELPLAN-155168 -

-
-

Adding a RHEL 9 replica in FIPS mode to an IdM deployment in FIPS mode that - was initialized with RHEL 8.6 or earlier fails

-

- The default RHEL 9 FIPS cryptographic policy aiming to comply with FIPS 140-3 does not allow the - use of the AES HMAC-SHA1 encryption types' key derivation function as defined by RFC3961, - section 5.1. -

-
-

- This constraint is a blocker when adding a RHEL 9 Identity Management (IdM) replica in FIPS mode to - a RHEL 8 IdM environment in FIPS mode in which the first server was installed on a RHEL 8.6 system - or earlier. This is because there are no common encryption types between RHEL 9 and the previous - RHEL versions, which commonly use the AES HMAC-SHA1 encryption types but do not use the AES - HMAC-SHA2 encryption types. -

-

- You can view the encryption type of your IdM master key by entering the following command on the - server: -

-
# kadmin.local getprinc K/M | grep -E '^Key:'
-

- To work around the problem, enable the use of AES HMAC-SHA1 on the RHEL 9 replica: -

-
update-crypto-policies --set FIPS:AD-SUPPORT
-
-
-
WARNING
-
- This workaround might violate FIPS compliance. -
-
-
-

- As a result, adding the RHEL 9 replica to the IdM deployment proceeds correctly. -

-

- Note that there is ongoing work to provide a procedure to generate missing AES HMAC-SHA2-encrypted - Kerberos keys on RHEL 7 and RHEL 8 servers. This will achieve FIPS 140-3 compliance on the RHEL 9 - replica. However, this process will not be fully automated, because the design of Kerberos key - cryptography makes it impossible to convert existing keys to different encryption types. The only - way is to ask users to renew their passwords. -

-

- Bugzilla:2103327 -

-
-

SSSD registers the DNS names properly

-

- Previously, if the DNS was set up incorrectly, SSSD always failed the first attempt to register - the DNS name. To work around the problem, this update provides a new parameter dns_resolver_use_search_list. Set dns_resolver_use_search_list = false to avoid using the DNS search - list. -

-
-

- Bugzilla:1608496 -

-
-

Directory Server terminates unexpectedly when started in referral - mode

-

- Due to a bug, global referral mode does not work in Directory Server. If you start the ns-slapd process with the refer option - as the dirsrv user, Directory Server ignores the port settings and - terminates unexpectedly. Trying to run the process as the root user - changes SELinux labels and prevents the service from starting in future in normal mode. There - are no workarounds available. -

-
-

- Bugzilla:2053204 -

-
-

Directory Server can import LDIF files only from /var/lib/dirsrv/slapd-instance_name/ldif/ -

-

- Since RHEL 8.3, Red Hat Directory Server (RHDS) uses its own private directories and the PrivateTmp systemd directive is enabled by - default for the LDAP services. As a result, RHDS can only import LDIF files from the /var/lib/dirsrv/slapd-instance_name/ldif/ - directory. If the LDIF file is stored in a different directory, such as /var/tmp, /tmp, or /root, the import fails with an error similar to the following: -

-
-
Could not open LDIF file "/tmp/example.ldif", errno 2 (No such file or directory)
-

- To work around this problem, complete the following steps: -

-
-
    -
  1. -

    - Move the LDIF file to the /var/lib/dirsrv/slapd-instance_name/ldif/ - directory: -

    -
    # mv /tmp/example.ldif /var/lib/dirsrv/slapd-instance_name__/ldif/
    -
  2. -
  3. -

    - Set permissions that allow the dirsrv user to read the - file: -

    -
    # chown dirsrv /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
    -
  4. -
  5. -

    - Restore the SELinux context: -

    -
    # restorecon -Rv /var/lib/dirsrv/slapd-instance_name/ldif/
    -
  6. -
-
-

- For more information, see the solution article LDAP Service cannot access files under the - host’s /tmp and /var/tmp directories. -

-

- Bugzilla:2075525 -

-
-

Installing a RHEL 7 IdM client with a RHEL 9.2+ IdM server in FIPS mode - fails due to EMS enforcement

-

- The TLS Extended Master Secret (EMS) extension (RFC 7627) is now - mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9.2 and later systems. This is in - accordance with FIPS-140-3 requirements. However, the openssl - version available in RHEL 7.9 and lower does not support EMS. In consequence, installing a RHEL - 7 Identity Management (IdM) client with a FIPS-enabled IdM server running on RHEL 9.2 and later - fails. -

-
-

- If upgrading the host to RHEL 8 before installing an IdM client on it is not an option, work around - the problem by removing the requirement for EMS usage on the RHEL 9 server by applying a - NO-ENFORCE-EMS subpolicy on top of the FIPS crypto policy: -

-
# update-crypto-policies --set FIPS:NO-ENFORCE-EMS
-

- Note that this removal goes against the FIPS 140-3 requirements. As a result, you can establish and - accept TLS 1.2 connections that do not use EMS, and the installation of a RHEL 7 IdM client - succeeds. -

-

- Bugzilla:2220915 -

-
-
-
-
-
-

11.12. Desktop

-
-
-
-
-

Firefox add-ons are disabled after upgrading to RHEL 9

-

- If you upgrade from RHEL 8 to RHEL 9, all add-ons that you previously enabled in Firefox are - disabled. -

-
-

- To work around the problem, manually reinstall or update the add-ons. As a result, the add-ons are - enabled as expected. -

-

- Bugzilla:2013247 -

-
-

VNC is not running after upgrading to RHEL 9

-

- After upgrading from RHEL 8 to RHEL 9, the VNC server fails to start, even if it was previously - enabled. -

-
-

- To work around the problem, manually enable the vncserver service after - the system upgrade: -

-
# systemctl enable --now vncserver@:port-number
-

- As a result, VNC is now enabled and starts after every system boot as expected. -

-

- Bugzilla:2060308 -

-
-

User Creation screen is unresponsive

-

- When installing RHEL using a graphical user interface, the User Creation screen is unresponsive. - As a consequence, creating users during installation is more difficult. -

-
-

- To work around this problem, use one of the following solutions to create users: -

-
-
    -
  • - Run the installation in VNC mode and resize the VNC window. -
  • -
  • - Create users after completing the installation process. -
  • -
-
-

- BZ#2122636 -

-
-
-
-
-
-

11.13. Graphics infrastructures

-
-
-
-
-

NVIDIA drivers might revert to X.org

-

- Under certain conditions, the proprietary NVIDIA drivers disable the Wayland display protocol - and revert to the X.org display server: -

-
-
-
    -
  • - If the version of the NVIDIA driver is lower than 470. -
  • -
  • - If the system is a laptop that uses hybrid graphics. -
  • -
  • - If you have not enabled the required NVIDIA driver options. -
  • -
-
-

- Additionally, Wayland is enabled but the desktop session uses X.org by default if the version of the - NVIDIA driver is lower than 510. -

-

- Jira:RHELPLAN-119001 -

-
-

Night Light is not available on Wayland with NVIDIA

-

- When the proprietary NVIDIA drivers are enabled on your system, the Night Light feature of GNOME is not available - in Wayland sessions. The NVIDIA drivers do not currently support Night Light. -

-
-

- Jira:RHELPLAN-119852 -

-
-

X.org configuration utilities do not work under Wayland

-

- X.org utilities for manipulating the screen do not work in the Wayland session. Notably, the - xrandr utility does not work under Wayland due to its different - approach to handling, resolutions, rotations, and layout. -

-
-

- Jira:RHELPLAN-121049 -

-
-
-
-
-
-

11.14. The web console

-
-
-
-
-

VNC console works incorrectly at certain resolutions

-

- When using the Virtual Network Computing (VNC) console under certain display resolutions, you - might experience a mouse offset issue or you might see only a part of the interface. - Consequently, using the VNC console might not be possible. To work around this issue, you can - try expanding the size of the VNC console or use the Desktop Viewer in the console tab to launch - the remote viewer instead. -

-
-

- Bugzilla:2030836 -

-
-
-
-
-
-

11.15. Red Hat Enterprise Linux system roles

-
-
-
-
-

The metrics system role does not work with - disabled fact gathering

-

- Ansible fact gathering might be disabled in your environment for performance or other reasons. - In such configurations, it is not currently possible to use the metrics system role. To work around this problem, enable fact - caching, or do not use the metrics system role if it is not - possible to use fact gathering. -

-
-

- Bugzilla:2078999 -

-
-

If firewalld.service is masked, using the - firewall RHEL system role fails

-

- If firewalld.service is masked on a RHEL system, the firewall RHEL system role fails. To work around this problem, unmask - the firewalld.service: -

-
-
systemctl unmask firewalld.service
-

- Bugzilla:2123859 -

-
-

Unable to register systems with environment names

-

- The rhc system role fails to register the system when specifying - environment names in rhc_environment. As a workaround, use - environment IDs instead of environment names while registering. -

-
-

- Bugzilla:2187539 -

-
-
-
-
-
-

11.16. Virtualization

-
-
-
-
-

Installing a virtual machine over https or ssh in some cases fails -

-

- Currently, the virt-install utility fails when attempting to - install a guest operating system (OS) from an ISO source over a https or ssh connection - for - example using virt-install --cdrom https://example/path/to/image.iso. Instead of - creating a virtual machine (VM), the described operation terminates unexpectedly with an internal error: process exited while connecting to monitor message. -

-
-

- Similarly, using the RHEL 9 web console to install a guest OS fails and displays an Unknown driver 'https' error if you use an https or ssh URL, or the Download OS function. -

-

- To work around this problem, install qemu-kvm-block-curl and qemu-kvm-block-ssh on the host to enable https and ssh protocol support, - respectively. Alternatively, use a different connection protocol or a different installation source. -

-

- Bugzilla:2014229 -

-
-

Using NVIDIA drivers in virtual machines disables Wayland

-

- Currently, NVIDIA drivers are not compatible with the Wayland graphical session. As a - consequence, RHEL guest operating systems that use NVIDIA drivers automatically disable Wayland - and load an Xorg session instead. This primarily occurs in the following scenarios: -

-
-
-
    -
  • - When you pass through an NVIDIA GPU device to a RHEL virtual machine (VM) -
  • -
  • - When you assign an NVIDIA vGPU mediated device to a RHEL VM -
  • -
-
-

- Jira:RHELPLAN-117234 -

-
-

The Milan VM CPU type is sometimes not - available on AMD Milan systems

-

- On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and - Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS - by default. Consequently, the Milan CPU type might not be available - on these systems. In addition, VM live migration between Milan hosts with different feature flag - settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your host. -

-
-

- Bugzilla:2077767 -

-
-

A hostdev interface with failover settings - cannot be hot-plugged after being hot-unplugged

-

- After removing a hostdev network interface with failover - configuration from a running virtual machine (VM), the interface currently cannot be re-attached - to the same running VM. -

-
-

- Bugzilla:2052424 -

-
-

Live post-copy migration of VMs with failover VFs fails

-

- Currently, attempting to post-copy migrate a running virtual machine (VM) fails if the VM uses a - device with the virtual function (VF) failover capability enabled. To work around the problem, - use the standard migration type, rather than post-copy migration. -

-
-

- Bugzilla:1817965 -

-
-

Host network cannot ping VMs with VFs during live migration

-

- When live migrating a virtual machine (VM) with a configured virtual function (VF), such as a - VMs that uses virtual SR-IOV software, the network of the VM is not visible to other devices and - the VM cannot be reached by commands such as ping. After the - migration is finished, however, the problem no longer occurs. -

-
-

- Bugzilla:1789206 -

-
-

Failover virtio NICs are not assigned an IP address on Windows virtual - machines

-

- Currently, when starting a Windows virtual machine (VM) with only a failover virtio NIC, the VM - fails to assign an IP address to the NIC. Consequently, the NIC is unable to set up a network - connection. Currently, there is no workaround. -

-
-

- Bugzilla:1969724 -

-
-

Disabling AVX causes VMs to become unbootable

-

- On a host machine that uses a CPU with Advanced Vector Extensions (AVX) support, attempting to - boot a VM with AVX explicitly disabled currently fails, and instead triggers a kernel panic in - the VM. -

-
-

- Bugzilla:2005173 -

-
-

Windows VM fails to get IP address after network interface reset -

-

- Sometimes, Windows virtual machines fail to get an IP address after an automatic network - interface reset. As a consequence, the VM fails to connect to the network. To work around this - problem, disable and re-enable the network adapter driver in the Windows Device Manager. -

-
-

- Bugzilla:2084003 -

-
-

Broadcom network adapters work incorrectly on Windows VMs after a live - migration

-

- Currently, network adapters from the Broadcom family of devices, such as Broadcom, Qlogic, or - Marvell, cannot be hot-unplugged during live migration of Windows virtual machines (VMs). As a - consequence, the adapters work incorrectly after the migration is complete. -

-
-

- This problem affects only those adapters that are attached to Windows VMs using Single-root I/O - virtualization (SR-IOV). -

-

- Bugzilla:2090712, Bugzilla:2091528, Bugzilla:2111319 -

-
-

Windows Server 2016 VMs sometimes stops working after hot-plugging a - vCPU

-

- Currently, assigning a vCPU to a running virtual machine (VM) with a Windows Server 2016 guest - operating system might cause a variety of problems, such as the VM terminating unexpectedly, - becoming unresponsive, or rebooting. -

-
-

- Bugzilla:1915715 -

-
-

Using a large number of queues might cause Windows virtual machines to - fail

-

- Windows virtual machines (VMs) might fail when the virtual Trusted Platform Module (vTPM) device - is enabled and the multi-queue virtio-net feature is - configured to use more than 250 queues. -

-
-

- This problem is caused by a limitation in the vTPM device. The vTPM device has a hardcoded limit on - the maximum number of opened file descriptors. Since multiple file descriptors are opened for every - new queue, the internal vTPM limit can be exceeded, causing the VM to fail. -

-

- To work around this problem, choose one of the following two options: -

-
-
    -
  • - Keep the vTPM device enabled, but use less than 250 queues. -
  • -
  • - Disable the vTPM device to use more than 250 queues. -
  • -
-
-

- Bugzilla:2020146 -

-
-

Redundant error messages on VMs with NVIDIA passthrough devices -

-

- When using an Intel host machine with a RHEL 9.2 operating system, virtual machines (VMs) with a - passed through NVDIA GPU device frequently log the following error message: -

-
-
Spurious APIC interrupt (vector 0xFF) on CPU#2, should never happen.
-

- However, this error message does not impact the functionality of the VM and can be ignored. For - details, see the Red Hat - KnoweldgeBase. -

-

- Bugzilla:2149989 -

-
-

Some Windows guests fail to boot after a v2v conversion on hosts with AMD - EPYC CPUs

-

- After using the virt-v2v utility to convert a virtual machine (VM) - that uses Windows 11 or a Windows Server 2022 as the guest OS, the VM currently fails to boot. - This occurs on hosts that use AMD EPYC series CPUs. -

-
-

- Bugzilla:2168082 -

-
-

Restarting the OVS service on a host might block network connectivity on - its running VMs

-

- When the Open vSwitch (OVS) service restarts or crashes on a host, virtual machines (VMs) that - are running on this host cannot recover the state of the networking device. As a consequence, - VMs might be completely unable to receive packets. -

-
-

- This problem only affects systems that use the packed virtqueue format in their virtio networking stack. -

-

- To work around this problem, use the packed=off parameter in the virtio networking device definition to disable packed virtqueue. With - packed virtqueue disabled, the state of the networking device can, in some situations, be recovered - from RAM. -

-

- Bugzilla:1947422 -

-
-

The Nvidia GPU driver stops working after the VM shutdown

-

- The RHEL kernel has adopted an upstream Linux change that aligns device power transitions delays - more closely to those required by the PCIe specification. As a consequence, due to the audio - function of the GPU, some Nvidia GPUs might stop working after the shutdown of a VM. -

-
-

- To work around the problem, unassign the audio function of the GPU from the VM. In addition, due to - the DMA isolation requirements for device assignment (that is, IOMMU grouping), bind the audio - function to the vfio-pci driver, which allows the GPU function to - continue to be assigned and function normally. -

-

- Bugzilla:2178956 -

-
-

nodedev-dumpxml does not list attributes - correctly for certain mediated devices

-

- Currently, the nodedev-dumpxml does not list attributes correctly - for mediated devices that were created using the nodedev-create - command. To work around this problem, use the nodedev-define and - nodedev-start commands instead. -

-
-

- Bugzilla:2143158 -

-
-

Recovering an interrupted post-copy VM migration might fail

-

- If a post-copy migration of a virtual machine (VM) is interrupted and then immediately resumed - on the same incoming port, the migration might fail with the following error: Address already in use -

-
-

- To work around this problem, wait at least 10 seconds before resuming the post-copy migration or - switch to another port for migration recovery. -

-

- Bugzilla:2178376 -

-
-

virtiofs devices cannot be attached after - restarting virtqemud or libvirtd

-

- Currently, restarting the virtqemud or libvirtd services prevents virtiofs - storage devices from being attached to virtual machines on your host. -

-
-

- Bugzilla:2078693 -

-
-

virsh blkiotune --weight command fails to set - the correct cgroup I/O controller value

-

- Currently, using the virsh blkiotune --weight command to set the VM - weight does not work as expected. The command fails to set the correct io.bfq.weight value in the cgroup I/O controller interface file. - There is no workaround at this time. -

-
-

- Jira:RHELPLAN-83423 -

-
-

Hotplugging a Watchdog card to a virtual machine fails

-

- Currently, if there are no PCI slots available, adding a Watchdog card to a running virtual - machine (VM) fails with the following error: -

-
-
Failed to configure watchdog
-ERROR Error attempting device hotplug: internal error: No more available PCI slots
-

- To work around this problem, shut down the VM before adding the Watchdog card. -

-

- Bugzilla:2173584 -

-
-

NUMA node mapping not working correctly on AMD EPYC CPUs

-

- QEMU does not handle NUMA node mapping on AMD EPYC CPUs correctly. As a result, the performance - of virtual machines (VMs) with these CPUs might be negatively impacted if using a NUMA node - configuration. In addition, the VMs display a warning similar to the following during boot. -

-
-
sched: CPU #4's llc-sibling CPU #3 is not on the same node! [node: 1 != 0]. Ignoring dependency.
-WARNING: CPU: 4 PID: 0 at arch/x86/kernel/smpboot.c:415 topology_sane.isra.0+0x6b/0x80
-

- To work around this issue, do not use AMD EPYC CPUs for NUMA node configurations. -

-

- Bugzilla:2176010 -

-
-

NFS failure during VM migration causes migration failure and source VM - coredump

-

- Currently, if the NFS service or server is shut down during virtual machine (VM) migration, the - source VM’s QEMU is unable to reconnect to the NFS server when it starts running again. As a - result, the migration fails and a coredump is initiated on the source VM. Currently, there is no - workaround available. -

-
-

- Bugzilla:2058982 -

-
-

PCIe ATS devices do not work on Windows VMs

-

- When you configure a PCIe Address Translation Services (ATS) device in the XML configuration of - virtual machine (VM) with a Windows guest operating system, the guest does not enable the ATS - device after booting the VM. This is because Windows currently does not support ATS on virtio devices. -

-
-

- Bugzilla:2073872 -

-
-

Kdump fails on virtual machines with AMD SEV-SNP

-

- Currently, kdump fails on RHEL 9 virtual machines (VMs) that use the AMD Secure Encrypted - Virtualization (SEV) with the Secure Nested Paging (SNP) feature. -

-
-

- Jira:RHEL-10019 -

-
-
-
-
-
-

11.17. RHEL in cloud environments

-
-
-
-
-

Cloning or restoring RHEL 9 virtual machines that use LVM on Nutanix AHV - causes non-root partitions to disappear

-

- When running a RHEL 9 guest operating system on a virtual machine (VM) hosted on the Nutanix AHV - hypervisor, restoring the VM from a snapshot or cloning the VM currently causes non-root - partitions in the VM to disappear if the guest is using Logical Volume Management (LVM). As a - consequence, the following problems occur: -

-
-
-
    -
  • - After restoring the VM from a snapshot, the VM cannot boot, and instead enters emergency - mode. -
  • -
  • - A VM created by cloning cannot boot, and instead enters emergency mode. -
  • -
-
-

- To work around these problems, do the following in emergency mode of the VM: -

-
-
    -
  1. - Remove the LVM system devices file: rm /etc/lvm/devices/system.devices -
  2. -
  3. - Recreate LVM device settings: vgimportdevices -a -
  4. -
  5. - Reboot the VM -
  6. -
-
-

- This makes it possible for the cloned or restored VM to boot up correctly. -

-

- Alternatively, to prevent the issue from occurring, do the following before cloning a VM or creating - a VM snapshot: -

-
-
    -
  1. - Uncomment the use_devicesfile = 0 line in the /etc/lvm/lvm.conf file -
  2. -
  3. - Reboot the VM -
  4. -
-
-

- Bugzilla:2059545 -

-
-

Customizing RHEL 9 guests on ESXi sometimes causes networking - problems

-

- Currently, customizing a RHEL 9 guest operating system in the VMware ESXi hypervisor does not - work correctly with NetworkManager key files. As a consequence, if the guest is using such a key - file, it will have incorrect network settings, such as the IP address or the gateway. -

-
-

- For details and workaround instructions, see the VMware Knowledge Base. -

-

- Bugzilla:2037657 -

-
-

RHEL instances on Azure fail to boot if provisioned by cloud-init and configured with an NFSv3 mount entry

-

- Currently, booting a RHEL virtual machine (VM) on the Microsoft Azure cloud platform fails if - the VM was provisioned by the cloud-init tool and the guest - operating system of the VM has an NFSv3 mount entry in the /etc/fstab file. -

-
-

- Bugzilla:2081114 -

-
-

Setting static IP in a RHEL virtual machine on a VMware host does not - work

-

- Currently, when using RHEL as a guest operating system of a virtual machine (VM) on a VMware - host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then - reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- To work around this issue, see the VNware knowledgebase. -

-

- Bugzilla:1750862 -

-
-
-
-
-
-

11.18. Supportability

-
-
-
-
-

Timeout when running sos report on IBM Power - Systems, Little Endian

-

- When running the sos report command on IBM Power Systems, Little - Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of - 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the - plugin’s timeout accordingly: -

-
-
-
    -
  • - For one-time setting, run: -
  • -
-
-
# sos report -k processor.timeout=1800
-
-
    -
  • - For a permanent change, edit the [plugin_options] section of - the /etc/sos/sos.conf file: -
  • -
-
-
[plugin_options]
-# Specify any plugin options and their values here. These options take the form
-# plugin_name.option_name = value
-#rpm.rpmva = off
-processor.timeout = 1800
-

- The example value is set to 1800. The particular timeout value highly depends on a specific system. - To set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one - plugin with no timeout by running the following command: -

-
# time sos report -o processor -k processor.timeout=0 --batch --build
-

- Bugzilla:1869561 -

-
-
-
-
-
-

11.19. Containers

-
-
-
-
-

Running systemd within an older container image does not work

-

- Running systemd within an older container image, for example, centos:7, does not work: -

-
-
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd
- Storing signatures
- Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
- [!!!!!!] Failed to mount API filesystems, freezing.
-

- To work around this problem, use the following commands: -

-
# mkdir /sys/fs/cgroup/systemd
-# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
-# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
-

- Jira:RHELPLAN-96940 -

-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA tickets are listed in this document for reference. The links lead to the release notes - in this document that describe the tickets. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- Bugzilla:2096795, - Bugzilla:1859271, - Bugzilla:2057070, - Bugzilla:2093981, Bugzilla:1132524, - Bugzilla:2136610, - Bugzilla:2142639, - Bugzilla:1878808, - Bugzilla:1924569, - Bugzilla:1956987, - Bugzilla:1952241, - Bugzilla:2063140, - Bugzilla:2047175, - Bugzilla:2053204 -

-
-

- Doc-administration-guide -

-
-

- Bugzilla:2075525 -

-
-

- NetworkManager -

-
-

- Bugzilla:2134897, Bugzilla:2081302, - Bugzilla:2019306, - Bugzilla:2128809, - Bugzilla:2110307, - Bugzilla:2117352, - Bugzilla:2029636, - Bugzilla:2073512, - Bugzilla:2128216, Bugzilla:1894877, - Bugzilla:2151040 -

-
-

- aardvark-dns -

-
-

- Jira:RHELPLAN-138024 -

-
-

- anaconda -

-
-

- Bugzilla:2052938, - Bugzilla:2158210, - Bugzilla:1991843, - Bugzilla:2127100, - Bugzilla:2093793, - Bugzilla:2107346, - Bugzilla:2050140, - Bugzilla:1877697, - Bugzilla:1914955, - Bugzilla:1929105, - Bugzilla:1997832, - Bugzilla:2125542, - Bugzilla:2115783, - Bugzilla:2164216, - Bugzilla:2163497 -

-
-

- ansible-collection-microsoft-sql -

-
-

- Bugzilla:2151282, - Bugzilla:2151283, - Bugzilla:2151284, - Bugzilla:2153428, - Bugzilla:2163709 -

-
-

- ansible-freeipa -

-
-

- Bugzilla:2127913 -

-
-

- bacula -

-
-

- Bugzilla:2089395 -

-
-

- bind -

-
-

- Bugzilla:1984982 -

-
-

- chrony -

-
-

- Bugzilla:2133754 -

-
-

- clevis -

-
-

- Bugzilla:2126533, Bugzilla:2159728, - Bugzilla:2159735 -

-
-

- cloud-init -

-
-

- Bugzilla:1750862 -

-
-

- cockpit -

-
-

- Bugzilla:2207498 -

-
-

- cockpit-appstream -

-
-

- Bugzilla:2030836 -

-
-

- cockpit-machines -

-
-

- Bugzilla:2173584 -

-
-

- conntrack-tools -

-
-

- Bugzilla:2132398 -

-
-

- crash -

-
-

- Bugzilla:2119685 -

-
-

- crypto-policies -

-
-

- Bugzilla:2152635 -

-
-

- cyrus-sasl -

-
-

- Bugzilla:1995600 -

-
-

- device-mapper-multipath -

-
-

- Bugzilla:2033080, - Bugzilla:2011699, - Bugzilla:1926147 -

-
-

- dnf -

-
-

- Bugzilla:2131288, - Bugzilla:2121662, - Bugzilla:2122626, - Bugzilla:2073510 -

-
-

- dnf-plugins-core -

-
-

- Bugzilla:2139326 -

-
-

- edk2 -

-
-

- Bugzilla:1935497 -

-
-

- fapolicyd -

-
-

- Jira:RHEL-192, - Bugzilla:2054740, Bugzilla:2070655 -

-
-

- firefox -

-
-

- Bugzilla:2013247 -

-
-

- firewalld -

-
-

- Bugzilla:2125371, Bugzilla:2077512, - Bugzilla:2122678 -

-
-

- frr -

-
-

- Bugzilla:2129731, Bugzilla:2129743 -

-
-

- gcc -

-
-

- Bugzilla:2110583, Bugzilla:2117632, - Bugzilla:2141718 -

-
-

- gdm -

-
-

- Bugzilla:2131203 -

-
-

- gimp -

-
-

- Bugzilla:2047161 -

-
-

- git -

-
-

- Bugzilla:2139379 -

-
-

- git-lfs -

-
-

- Bugzilla:2139383 -

-
-

- glibc -

-
-

- Bugzilla:2129005, - Bugzilla:2155352 -

-
-

- gnome-shell-extensions -

-
-

- Bugzilla:2154358, Bugzilla:2160553 -

-
-

- gnupg2 -

-
-

- Bugzilla:2070722, - Bugzilla:2073567 -

-
-

- gnutls -

-
-

- Bugzilla:2084161, - Bugzilla:2042009 -

-
-

- golang -

-
-

- Bugzilla:2133019, - Bugzilla:2175173, Bugzilla:2111072, - Bugzilla:2092016 -

-
-

- grafana -

-
-

- Bugzilla:2116847 -

-
-

- grafana-pcp -

-
-

- Bugzilla:2116848 -

-
-

- grub2 -

-
-

- Bugzilla:2026579 -

-
-

- grubby -

-
-

- Bugzilla:2127453 -

-
-

- gssproxy -

-
-

- Bugzilla:2184333 -

-
-

- ipa -

-
-

- Bugzilla:2143224, - Bugzilla:2162677, - Bugzilla:2084180, Bugzilla:2084166, - Bugzilla:2069202, - Bugzilla:2094673, - Bugzilla:2057471, - Bugzilla:2124243, - Bugzilla:2089907 -

-
-

- iproute -

-
-

- Bugzilla:2155604 -

-
-

- java-1.8.0-openjdk -

-
-

- Bugzilla:2188023 -

-
-

- java-17-openjdk -

-
-

- Bugzilla:2186803, - Bugzilla:2186810, - Bugzilla:2186806 -

-
-

- jmc -

-
-

- Bugzilla:2122401 -

-
-

- jmc-core -

-
-

- Bugzilla:1980981 -

-
-

- kdump-anaconda-addon -

-
-

- Bugzilla:2017401 -

-
-

- kernel -

-
-

- Bugzilla:2153073, Bugzilla:2143850, - Bugzilla:1871126, - Bugzilla:1871143, - Bugzilla:2075216, - Bugzilla:2100606, - Bugzilla:2104468, Bugzilla:2111048, - Bugzilla:2150284, - Bugzilla:2066372, Bugzilla:2107347, - Bugzilla:2140899, Bugzilla:2069758, - Bugzilla:1613522, - Bugzilla:1874182, Bugzilla:1995338, - Bugzilla:1570255, Bugzilla:2023416, - Bugzilla:2021672, - Bugzilla:2027304, - Bugzilla:1660337, Bugzilla:1955275, Bugzilla:2142102, - Bugzilla:2041690, - Bugzilla:2040643, - Bugzilla:2167783, - Bugzilla:2000616, - Bugzilla:2013650, - Bugzilla:2132480, - Bugzilla:2059545, - Bugzilla:1960467, Bugzilla:2005173, Bugzilla:2128610, - Bugzilla:2129288, - Bugzilla:2013884, Bugzilla:2149989, - Bugzilla:2168603, - Bugzilla:2173947, - Bugzilla:2178956, - Bugzilla:2180665, - Jira:RHEL-6496 -

-
-

- kexec-tools -

-
-

- Bugzilla:2085347, Bugzilla:2076416, - Bugzilla:2160676, - Bugzilla:2080110, - Bugzilla:2139000, Bugzilla:2113873, - Bugzilla:2064708, - Bugzilla:2065013 -

-
-

- keylime -

-
-

- Bugzilla:2150830, Bugzilla:2138167, - Bugzilla:2140670, - Bugzilla:2142009 -

-
-

- kmod -

-
-

- Bugzilla:2103605 -

-
-

- krb5 -

-
-

- Bugzilla:2068535, - Bugzilla:2106043, - Bugzilla:2060798, - Bugzilla:2077450, - Bugzilla:2106296, - Bugzilla:2060421, Bugzilla:2016312, - Bugzilla:2103327 -

-
-

- libdnf -

-
-

- Bugzilla:2124480 -

-
-

- libnvme -

-
-

- Bugzilla:2139752 -

-
-

- libotr -

-
-

- Bugzilla:2086562 -

-
-

- libreswan -

-
-

- Bugzilla:2128669 -

-
-

- libsepol -

-
-

- Bugzilla:2145224 -

-
-

- libssh -

-
-

- Bugzilla:2026449, Bugzilla:2068475 -

-
-

- libvirt -

-
-

- Bugzilla:2014487, - Bugzilla:2143158, - Bugzilla:2078693 -

-
-

- libxcrypt -

-
-

- Bugzilla:2034569 -

-
-

- llvm-toolset -

-
-

- Bugzilla:2118567 -

-
-

- lvm2 -

-
-

- Bugzilla:1878893, Bugzilla:2038183 -

-
-

- mod_security -

-
-

- Bugzilla:2143211 -

-
-

- mysql -

-
-

- Bugzilla:1991500 -

-
-

- nfs-utils -

-
-

- Bugzilla:2143747, Bugzilla:2081114 -

-
-

- nginx -

-
-

- Bugzilla:2096174 -

-
-

- nmstate -

-
-

- Bugzilla:2095207, - Bugzilla:2120473, Bugzilla:2044150, - Bugzilla:2058292, - Bugzilla:2130240, Bugzilla:2162401 -

-
-

- nodejs -

-
-

- Bugzilla:2178088 -

-
-

- nss -

-
-

- Bugzilla:2091905 -

-
-

- nvme-cli -

-
-

- Bugzilla:2139753 -

-
-

- nvme-stas -

-
-

- Bugzilla:1893841 -

-
-

- open-vm-tools -

-
-

- Bugzilla:2037657 -

-
-

- openblas -

-
-

- Bugzilla:2112099, Bugzilla:2115737 -

-
-

- opencryptoki -

-
-

- Bugzilla:2110314 -

-
-

- openscap -

-
-

- Bugzilla:2159286, Bugzilla:2161499 -

-
-

- openslp -

-
-

- Bugzilla:2184570 -

-
-

- openssh -

-
-

- Bugzilla:2056884 -

-
-

- openssl -

-
-

- Bugzilla:2129063, Bugzilla:2188046, - Bugzilla:2060044, - Bugzilla:1975836, - Bugzilla:2168665, - Bugzilla:1681178, - Bugzilla:1685470 -

-
-

- openssl-ibmca -

-
-

- Bugzilla:2110378 -

-
-

- osbuild-composer -

-
-

- Bugzilla:2173928 -

-
-

- oscap-anaconda-addon -

-
-

- Bugzilla:2165920, - Bugzilla:2172264 -

-
-

- pacemaker -

-
-

- Bugzilla:2133546, - Bugzilla:2125344, - Bugzilla:2125337 -

-
-

- pam -

-
-

- Bugzilla:2126640 -

-
-

- passt -

-
-

- Bugzilla:2131015 -

-
-

- pause-container -

-
-

- Bugzilla:2106816 -

-
-

- pcp -

-
-

- Bugzilla:2117074 -

-
-

- pcs -

-
-

- Bugzilla:2116295, Bugzilla:2112270, - Bugzilla:1620043, - Bugzilla:1796827, - Bugzilla:2092950 -

-
-

- pki-core -

-
-

- Bugzilla:1849834 -

-
-

- podman -

-
-

- Jira:RHELPLAN-136602, Jira:RHELPLAN-136607, - Bugzilla:2119200, Jira:RHELPLAN-136611, - Bugzilla:2069279 -

-
-

- postgresql -

-
-

- Bugzilla:2128410 -

-
-

- powerpc-utils -

-
-

- Bugzilla:2125152 -

-
-

- powertop -

-
-

- Bugzilla:2044132 -

-
-

- python-blivet -

-
-

- Bugzilla:2103800 -

-
-

- python-sqlalchemy -

-
-

- Bugzilla:2152649 -

-
-

- python3.11 -

-
-

- Bugzilla:2127923 -

-
-

- python3.11-lxml -

-
-

- Bugzilla:2157708 -

-
-

- qemu-kvm -

-
-

- Bugzilla:2116496, - Bugzilla:1965079, Bugzilla:1951814, Bugzilla:2060839, Bugzilla:2014229, - Bugzilla:2052424, - Bugzilla:1817965, - Bugzilla:1789206, - Bugzilla:2090712, - Bugzilla:1915715, - Bugzilla:2020146, - Bugzilla:1947422, - Bugzilla:2178376, - Bugzilla:2176010, - Bugzilla:2058982 -

-
-

- realtime-tests -

-
-

- Bugzilla:2041637 -

-
-

- rear -

-
-

- Bugzilla:2172589, - Bugzilla:2160748 -

-
-

- restore -

-
-

- Bugzilla:1997366 -

-
-

- rhel-system-roles -

-
-

- Bugzilla:2131293, - Bugzilla:2133858, - Bugzilla:2078999, - Bugzilla:2119102, - Bugzilla:2128843, - Bugzilla:2130010, - Bugzilla:2130329, - Bugzilla:2130344, - Bugzilla:2130357, - Bugzilla:2133528, - Bugzilla:2133930, - Bugzilla:2134202, - Bugzilla:2137663, - Bugzilla:2140795, - Bugzilla:2141330, - Bugzilla:2143768, Bugzilla:2165175, Bugzilla:2140804, - Bugzilla:2126959, - Bugzilla:2143816, - Bugzilla:2153030, - Bugzilla:2153043, - Bugzilla:2162782, - Bugzilla:2167528, - Bugzilla:2168735, - Bugzilla:2160152, - Bugzilla:1999770, - Bugzilla:2123859, - Bugzilla:2187539, - Bugzilla:2186218 -

-
-

- rpm -

-
-

- Bugzilla:2150804, Bugzilla:2111251, - Bugzilla:2144005 -

-
-

- rsyslog -

-
-

- Bugzilla:2124849, - Bugzilla:2127404, Bugzilla:2124488, - Bugzilla:2157659 -

-
-

- rteval -

-
-

- Bugzilla:2081325 -

-
-

- rust -

-
-

- Bugzilla:2123900 -

-
-

- s390utils -

-
-

- Bugzilla:2044204, - Bugzilla:1932480 -

-
-

- samba -

-
-

- Bugzilla:2131993, Jira:RHELDOCS-16612 -

-
-

- scap-security-guide -

-
-

- Bugzilla:2158405, Bugzilla:2122325, Bugzilla:2169414, - Bugzilla:2105162, - Bugzilla:2120978, - Bugzilla:2038978 -

-
-

- selinux-policy -

-
-

- Bugzilla:2151841, - Bugzilla:1972222, Bugzilla:2064274 -

-
-

- sos -

-
-

- Bugzilla:2164987, - Bugzilla:2134906, - Bugzilla:1869561 -

-
-

- sssd -

-
-

- Bugzilla:1507035, - Bugzilla:2087247, - Bugzilla:1766490, Bugzilla:2065693, - Bugzilla:2056482, - Bugzilla:1608496 -

-
-

- stratisd -

-
-

- Bugzilla:2039957, Bugzilla:2039955, - Bugzilla:2041558 -

-
-

- subscription-manager -

-
-

- Bugzilla:2108549, - Bugzilla:2163716, - Bugzilla:2136694 -

-
-

- swig -

-
-

- Bugzilla:2139101 -

-
-

- synce4l -

-
-

- Bugzilla:2143264 -

-
-

- systemd -

-
-

- Bugzilla:2217931, Bugzilla:2018112 -

-
-

- systemtap -

-
-

- Bugzilla:2083727 -

-
-

- tang -

-
-

- Bugzilla:2095474, Bugzilla:2188743 -

-
-

- tigervnc -

-
-

- Bugzilla:2060308 -

-
-

- tomcat -

-
-

- Bugzilla:2160511 -

-
-

- toolbox -

-
-

- Bugzilla:2163752 -

-
-

- tuna -

-
-

- Bugzilla:2122781, - Bugzilla:2121517, - Bugzilla:2062865 -

-
-

- tuned -

-
-

- Bugzilla:2133815, Bugzilla:2113900 -

-
-

- tzdata -

-
-

- Bugzilla:2157982 -

-
-

- udisks2 -

-
-

- Bugzilla:1983602 -

-
-

- unbound -

-
-

- Bugzilla:2070495 -

-
-

- usbguard -

-
-

- Bugzilla:2155910, - Bugzilla:2042345, Bugzilla:2097419 -

-
-

- virt-v2v -

-
-

- Bugzilla:2168082 -

-
-

- virtio-win -

-
-

- Bugzilla:1969724, - Bugzilla:2084003 -

-
-

- vsftpd -

-
-

- Bugzilla:2018284 -

-
-

- wsmancli -

-
-

- Bugzilla:2127416 -

-
-

- xdp-tools -

-
-

- Bugzilla:2160066 -

-
-

- other -

-
-

- Bugzilla:2177782, Jira:RHELPLAN-137505, - Jira:RHELPLAN-139125, - Bugzilla:2046653, - Jira:RHELPLAN-133650, Jira:RHELPLAN-139430, - Jira:RHELPLAN-137416, - Jira:RHELPLAN-137411, - Jira:RHELPLAN-137406, - Jira:RHELPLAN-137403, - Jira:RHELPLAN-159146, - Jira:RHELPLAN-139448, - Jira:RHELPLAN-151481, - Jira:RHELPLAN-150266, Jira:RHELPLAN-147982, Jira:RHELPLAN-147428, - Jira:RHELPLAN-139659, - Jira:RHELPLAN-149091, - Jira:RHELPLAN-139655, - Jira:RHELPLAN-139424, - Jira:RHELPLAN-136489, - Jira:RHELPLAN-59528, Bugzilla:2209419, Bugzilla:2190123, - Jira:RHELPLAN-135600, - Jira:RHELPLAN-148303, - Bugzilla:2020529, - Bugzilla:2030412, - Jira:RHELPLAN-103993, Jira:RHELPLAN-122345, - Jira:RHELPLAN-27394, - Jira:RHELPLAN-27737, - Jira:RHELPLAN-148394, - Bugzilla:1927780, Jira:RHELPLAN-110763, - Bugzilla:1935544, Bugzilla:2089200, - Jira:RHELPLAN-15509, - Jira:RHELPLAN-99136, Jira:RHELPLAN-103232, Bugzilla:1899167, Bugzilla:1979521, Jira:RHELPLAN-100087, - Jira:RHELPLAN-100639, - Bugzilla:2058153, Jira:RHELPLAN-113995, Jira:RHELPLAN-98983, Jira:RHELPLAN-131882, Jira:RHELPLAN-137660, - Jira:RHELPLAN-139805, Jira:RHELPLAN-147725, Jira:RHELPLAN-153267, Jira:RHELDOCS-16300, Jira:RHELPLAN-157225, - Jira:RHELPLAN-157337, - Bugzilla:1640697, - Bugzilla:1697896, - Bugzilla:2047713, - Jira:RHELPLAN-96940, - Jira:RHELPLAN-117234, - Jira:RHELPLAN-119001, Jira:RHELPLAN-119852, - Bugzilla:2077767, - Bugzilla:2053598, - Bugzilla:2082303, - Jira:RHELPLAN-121049, - Jira:RHELPLAN-157939, - Jira:RHELPLAN-109613, - Bugzilla:2160619, - Bugzilla:2173992, - Bugzilla:2185048, Jira:RHELPLAN-83423 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.4-2
-
-

- Tue Sep 03 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.4-1
-
-

- Thu Aug 22 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.4-0
-
-

- Thu Jul 18 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the abstract in the Deprecated functionalities section -
  • -
-
-
-
0.3-9
-
-

- Tue Jul 02 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added a Known Issue RHEL-34154 - (Installer). -
  • -
-
-
-
0.3-8
-
-

- Tue Jun 11 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Add Deprecated Functionality RHELDOCS-18049 - (Shells and command-line tools). -
  • -
-
-
-
0.3-7
-
-

- Tue Jun 11 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Added an Known Issue RHEL-24847 - (Shells and command-line tools). -
  • -
-
-
-
0.3-6
-
-

- Thu May 16 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an Known Issue RHEL-10019 - (Virtualization). -
  • -
-
-
-
0.3-5
-
-

- Thu Apr 25 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an Enhancement BZ#2136610 - (Identity Management). -
  • -
-
-
-
0.3-4
-
-

- Thu Apr 18 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an Enhancement RHEL-19142 - (Networking). -
  • -
-
-
-
0.3-3
-
-

- Thu Mar 14 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an Enhancement RHEL-18359 - (Kernel). -
  • -
  • - Added a Known Issue RHEL-25967 - (Kernel). -
  • -
-
-
-
0.3-2
-
-

- Mon Mar 04 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.3.1
-
-

- Thu Feb 1 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added a Known Issue BZ#1834716 - (Security). -
  • -
-
-
-
0.3-0
-
-

- Fri Jan 12 2024, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
- -
-
-
0.2-9
-
-

- Tue Dec 12 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added a Tech Preview BZ#2162677 - (IdM). -
  • -
-
-
-
0.2-8
-
-

- Thu Dec 7 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a new feature BZ#2044200 - (Kernel). -
  • -
-
-
-
0.2-7
-
-

- Mon Nov 20 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an Enhancement BZ#2165827 - (Identity Management). -
  • -
-
-
-
0.2-6
-
-

- Mon Nov 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-5
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the module on Providing Feedback on RHEL Documentation. -
  • -
-
-
-
0.2-4
-
-

- Fri Nov 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-3
-
-

- Thu Nov 2 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated doc text in BZ#2125371 (Networking). -
  • -
-
-
-
0.2-2
-
-

- Fri Oct 13 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.2-1
-
-

- Sep 25 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2122636 (Desktop). -
  • -
-
-
-
0.2-0
-
-

- Sep 13 2023, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.1-9
-
-

- Sep 8 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
- -
-
-
0.1-8
-
-

- Sep 5 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an enhancement BZ#2075017 - (idm_ds). -
  • -
-
-
-
0.1-7
-
-

- Aug 31 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2230431 - (plumbers). -
  • -
-
-
-
0.1-6
-
-

- Aug 29 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-5
-
-

- Aug 25 2023, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a known issue BZ#2214508 - (Kernel). -
  • -
-
-
-
0.1.4
-
-

- Aug 17 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Add an enhancement BZ#2136937 - (Plumbers). -
  • -
-
-
-
0.1.3
-
-

- Aug 14 2023, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.1.2
-
-

- Aug 09 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated a Security Bug Fix BZ#2155910 - (CS). -
  • -
-
-
-
0.1.1
-
-

- Aug 07 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated a deprecated functionality release note BZ#2214130 - (CS). -
  • -
-
-
-
0.1.0
-
-

- Aug 03 2023, Lenka Špačková (lspackova@redhat.com) -

-
- -
-
-
0.0.9
-
-

- Aug 02 2023, Marc Muehlfeld (mmuehlfeld@redhat.com) -

-
-
    -
  • - Updated a deprecated functionality release note BZ#1894877 - (NetworkManager). -
  • -
-
-
-
0.0.8
-
-

- Aug 1 2023, Mirek Jahoda (mjahoda@redhat.com) -

-
-
    -
  • - Replaced the web console known issue with NBDE by a bug fix BZ#2207498 - (RHEL web console). -
  • -
-
-
-
0.0.7
-
-

- Jul 27 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Amended 3 enhancements in kernel and 1 in compilers and dev tools as per DDF - feedback. -
  • -
-
-
-
0.0.6
-
-

- Jul 25 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added a Known Issue BZ#2109231 - (Installer). -
  • -
-
-
-
0.0.5
-
-

- Jun 22 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an Enhancement BZ#2087247 - (IdM). -
  • -
-
-
-
0.0.4
-
-

- Jun 8 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an Enhancement BZ#2190123 - (kernel). -
  • -
-
-
-
0.0.3
-
-

- Jun 6 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0.2
-
-

- Jun 5 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0.1
-
-

- May 10 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 9.2 Release Notes. -
  • -
-
-
-
0.0.0
-
-

- Mar 29 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 9.2 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
-
diff --git a/app/data/9.3.html b/app/data/9.3.html
deleted file mode 100644
index cadccce..0000000
--- a/app/data/9.3.html
+++ /dev/null
@@ -1,22462 +0,0 @@
-
-
-
-
-
Red Hat Enterprise Linux 9.3
-
-

Release Notes for Red Hat Enterprise Linux 9.3

-
-
-
Red Hat Customer Content Services
-
- -
-
-

Abstract

-
- The Release Notes provide high-level coverage of the improvements and additions that have - been implemented in Red Hat Enterprise Linux 9.3 and document known problems in this - release, as well as notable bug fixes, Technology Previews, deprecated functionality, and - other details. -
-
- For information about installing Red Hat Enterprise Linux, see Section 3.1, “Installation”. -
-
-
-
-
-
-
-
-
-
-

Providing feedback on Red Hat documentation

-
-
-
-

- We appreciate your feedback on our documentation. Let us know how we can improve it. -

-
-

Submitting feedback through Jira (account required)

-
    -
  1. - Log in to the Jira - website. -
  2. -
  3. - Click Create in the top navigation bar -
  4. -
  5. - Enter a descriptive title in the Summary - field. -
  6. -
  7. - Enter your suggestion for improvement in the Description field. Include links to the - relevant parts of the documentation. -
  8. -
  9. - Click Create at the bottom of the dialogue. -
  10. -
-
-
-
-
-
-
-

Chapter 1. Overview

-
-
-
-
-
-
-
-

1.1. Major changes in RHEL 9.3

-
-
-
-

Installer and image creation

-

- Key highlights for image builder: -

-
-
    -
  • - Enhancement to the AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI boot, - in addition to the legacy BIOS boot. -
  • -
-
-

- For more information, see New features - Installer and image creation. -

-
-
-
-
-

1.1.1. Bootloader

-
-
-
-
-

New default behavior of grub2-mkconfig - with BLS

-

- With this release, the grub2-mkconfig command no longer - overwrites the kernel command line in Boot Loader Specification (BLS) snippets with GRUB_CMDLINE_LINUX by default. Each kernel in the boot loader - menu takes its kernel command line from its BLS snippet. This new default behavior is caused - by the GRUB_ENABLE_BLSCFG=true option. -

-
-

- For details, see New - features in Bootloader. -

-

RHEL for Edge

-

- Key highlights for RHEL for Edge: -

-
-
    -
  • -

    - Support added to the following image types: -

    -
    -
      -
    • - minimal-raw -
    • -
    • - edge-vsphere -
    • -
    • - edge-ami -
    • -
    -
    -
  • -
  • -

    - New FIDO Device Onboarding Servers container images available -

    -
    -
      -
    • - rhel9/fdo-manufacturing-server -
    • -
    • - rhel9/fdo-owner-onboarding-server -
    • -
    • - rhel9/fdo-rendezvous-server -
    • -
    • - rhel9/fdo-serviceinfo-api-server -
    • -
    -
    -
  • -
-
-

- For more information, see New features - RHEL for Edge. -

-

Security

-

- Key security-related highlights: -

-
-
    -
  • - Keylime was rebased to version - 7.3.0. -
  • -
  • - The keylime RHEL System - Role is available. With this role, you can more easily configure - the Keylime verifier and Keylime registrar. -
  • -
  • - OpenSSH was migrated further from - the less secure SHA-1 message digest for cryptographic purposes, and instead applies the - more secure SHA-2 in additional scenarios. -
  • -
  • - The pcsc-lite-ccid USB Chip/Smart - Card Interface Device(CCID)) and Integrated Circuit Card Device (ICCD) driver was - rebased to version 1.5.2. -
  • -
  • - RHEL 9.3 introduces further improvements to support the Extended Master Secret (EMS) extension - (RFC 7627) required by the FIPS-140-3 standard for all TLS 1.2 connections. -
  • -
  • - SEtools, the collection of graphical - tools, command-line tools, and libraries for SELinux policy analysis, was rebased to - version 4.4.3. -
  • -
  • - OpenSCAP was rebased to version - 1.3.8. -
  • -
  • -

    - SCAP Security Guide was rebased - to version 0.1.69, most notably: -

    -
    -
      -
    • - ANSSI profiles were updated to version 2.0. -
    • -
    • - Three new SCAP profiles were added for RHEL 9 aligned with the - CCN-STIC-610A22 Guide. -
    • -
    -
    -
  • -
-
-

- See New features - - Security for more information. -

-

Dynamic programming languages, web - and database servers

-

- Later versions of the following Application Streams are now available: -

-
-
    -
  • - Redis 7 -
  • -
  • - Node.js 20 -
  • -
-
-

- In addition, the Apache HTTP Server has been - updated to version 2.4.57. -

-

- See New features - Dynamic - programming languages, web and database servers for more information. -

-

Compilers and development tools

-
Updated system toolchain
-

- The following system toolchain component has been updated in RHEL 9.3: -

-
-
    -
  • - GCC 11.4.1 -
  • -
-
-
Updated performance tools and debuggers
-

- The following performance tools and debuggers have been updated in RHEL 9.3: -

-
-
    -
  • - Valgrind 3.21 -
  • -
  • - SystemTap 4.9 -
  • -
  • - elfutils 0.189 -
  • -
-
-
Updated performance monitoring tools
-

- The following performance monitoring tools have been updated in RHEL 9.3: -

-
-
    -
  • - PCP 6.0.5 -
  • -
  • - Grafana 9.2.10 -
  • -
-
-
Updated compiler toolsets
-

- The following compiler toolsets have been updated in RHEL 9.3: -

-
-
    -
  • - GCC Toolset 13 (new) -
  • -
  • - LLVM Toolset 16.0.6 -
  • -
  • - Rust Toolset 1.71.1 -
  • -
  • - Go Toolset 1.20.10 -
  • -
-
-

- For detailed changes, see New features - Compilers and development - tools. -

-
Java implementations in RHEL 9
-

- The RHEL 9 AppStream repository includes: -

-
-
    -
  • - The java-21-openjdk packages, which provide the OpenJDK 21 - Java Runtime Environment and the OpenJDK 21 Java Software Development Kit. An OpenJDK - 21.0.1 security release is also available to install. It is recommended that you install - the OpenJDK 21.0.1 update to acquire the latest security fixes. -
  • -
  • - The java-17-openjdk packages, which provide the OpenJDK 17 - Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. -
  • -
  • - The java-11-openjdk packages, which provide the OpenJDK 11 - Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. -
  • -
  • - The java-1.8.0-openjdk packages, which provide the OpenJDK - 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. -
  • -
-
-

- The Red Hat build of OpenJDK packages share a single set of binaries between its portable Linux - releases and RHEL 9.3 and later releases. With this update, there is a change in the process of - rebuilding the OpenJDK packages on RHEL from the source RPM. For more information about the new - rebuilding process, see the README.md file which is available in the SRPM package of the Red Hat - build of OpenJDK and is also installed by the java-*-openjdk-headless packages under the /usr/share/doc tree. -

-

- For more information, see OpenJDK documentation. -

-
-
-
-
-
-
-

1.2. In-place upgrade

-
-
-
-

In-place upgrade from RHEL 8 to RHEL 9

-

- The supported in-place upgrade paths currently are: -

-
-
    -
  • -

    - From RHEL 8.6 to RHEL 9.0, RHEL 8.8 to RHEL 9.2, and RHEL 8.9 to RHEL 9.3 on the - following architectures: -

    -
    -
      -
    • - 64-bit Intel -
    • -
    • - 64-bit AMD -
    • -
    • - 64-bit ARM -
    • -
    • - IBM POWER 9 (little endian) -
    • -
    • - IBM Z architectures, excluding z13 -
    • -
    -
    -
  • -
  • - From RHEL 8.6 to RHEL 9.0 and RHEL 8.8 to RHEL 9.2 on systems with SAP HANA -
  • -
-
-

- For more information, see Supported in-place upgrade paths for Red Hat - Enterprise Linux. -

-

- For instructions on performing an in-place upgrade, see Upgrading - from RHEL 8 to RHEL 9. -

-

- If you are upgrading to RHEL 9.2 with SAP HANA, ensure that the system is certified for SAP before - the upgrade. For instructions on performing an in-place upgrade on systems with SAP environments, - see How - to in-place upgrade SAP environments from RHEL 8 to RHEL 9. -

-

- Notable enhancements include: -

-
-
    -
  • - Requirements on disk space have been significantly reduced on systems with XFS filesystems - formatted with ftype=0. -
  • -
  • - Disk images created during the upgrade process for upgrade purposes now have dynamic sizes. - The LEAPP_OVL_SIZE environment variable is not needed anymore. -
  • -
  • - Issues with the calculation of the required free space on existing disk partitions have been - fixed. The missing free disk space is now correctly detected before the required reboot of - the system, and the report correctly displays file systems that do not have enough free - space to proceed the upgrade RPM transaction. -
  • -
  • - Third-party drivers can now be managed during the in-place upgrade process using custom - leapp actors. -
  • -
  • - An overview of the pre-upgrade and upgrade reports is now printed in the terminal. -
  • -
  • - Upgrades of RHEL Real Time and RHEL Real Time for Network Functions Virtualization (NFV) in - Red Hat OpenStack Platform are now supported. -
  • -
-
-

In-place upgrade from RHEL 7 to RHEL 9

-

- It is not possible to perform an in-place upgrade directly from RHEL 7 to RHEL 9. However, you can - perform an in-place upgrade from RHEL 7 to RHEL 8 and then perform a second in-place upgrade to RHEL - 9. For more information, see Upgrading - from RHEL 7 to RHEL 8. -

-
-
-
-
-
-

1.3. Red Hat Customer Portal Labs

-
-
-
-

- Red Hat Customer Portal Labs is a set of tools - in a section of the Customer Portal available at https://access.redhat.com/labs/. The applications in - Red Hat Customer Portal Labs can help you improve performance, quickly troubleshoot issues, identify - security problems, and quickly deploy and configure complex applications. Some of the most popular - applications are: -

- -
-
-
-
-
-

1.4. Additional resources

-
-
-
-

- Capabilities and limits of Red Hat Enterprise - Linux 9 as compared to other versions of the system are available in the Knowledgebase article Red Hat Enterprise Linux - technology capabilities and limits. -

-

- Information regarding the Red Hat Enterprise Linux life - cycle is provided in the Red Hat Enterprise Linux Life - Cycle document. -

-

- The Package - manifest document provides a package - listing for RHEL 9, including licenses and application compatibility levels. -

-

- Application compatibility levels are explained - in the Red Hat - Enterprise Linux 9: Application Compatibility Guide document. -

-

- Major differences between RHEL 8 and RHEL 9, - including removed functionality, are documented in Considerations - in adopting RHEL 9. -

-

- Instructions on how to perform an in-place upgrade from RHEL 8 - to RHEL 9 are provided by the document Upgrading - from RHEL 8 to RHEL 9. -

-

- The Red Hat Insights service, which enables you - to proactively identify, examine, and resolve known technical issues, is available with all RHEL - subscriptions. For instructions on how to install the Red Hat Insights client and register your - system to the service, see the Red Hat Insights Get - Started page. -

-
-
Note
-
-

- Public release notes include links to access the original tracking tickets, but private - release notes are not viewable so do not include links.[1] -

-
-
-

-
-
-
[1] - - Public release notes include links to access the original tracking tickets, but private - release notes are not viewable so do not include links. -
-
-
-
-
-
-
-
-
-

Chapter 2. Architectures

-
-
-
-

- Red Hat Enterprise Linux 9.3 is distributed with the kernel version 5.14.0-362.8.1, which provides - support for the following architectures at the minimum required version (stated in parentheses): -

-
-
    -
  • - AMD and Intel 64-bit architectures (x86-64-v2) -
  • -
  • - The 64-bit ARM architecture (ARMv8.0-A) -
  • -
  • - IBM Power Systems, Little Endian (POWER9) -
  • -
  • - 64-bit IBM Z (z14) -
  • -
-
-

- Make sure you purchase the appropriate subscription for each architecture. For more information, see Get - Started with Red Hat Enterprise Linux - additional architectures. -

-
-
-
-
-
-

Chapter 3. Distribution of content in RHEL 9

-
-
-
-
-
-
-
-

3.1. Installation

-
-
-
-

- Red Hat Enterprise Linux 9 is installed using ISO images. Two types of ISO image are available for - the AMD64, Intel 64-bit, 64-bit ARM, IBM Power Systems, and IBM Z architectures: -

-
-
    -
  • -

    - Installation ISO: A full installation image that contains the BaseOS and AppStream - repositories and allows you to complete the installation without additional - repositories. On the Product - Downloads page, the Installation ISO is referred to - as Binary DVD. -

    -
    -
    Note
    -
    -

    - The Installation ISO image is in multiple GB size, and as a result, it might not - fit on optical media formats. A USB key or USB hard drive is recommended when - using the Installation ISO image to create bootable installation media. You can - also use the Image Builder tool to create customized RHEL images. For more - information about Image Builder, see the Composing a customized RHEL system - image document. -

    -
    -
    -
  • -
  • - Boot ISO: A minimal boot ISO image that is used to boot into the installation program. This - option requires access to the BaseOS and AppStream repositories to install software - packages. The repositories are part of the Installation ISO image. You can also register to - Red Hat CDN or Satellite during the installation to use the latest BaseOS and AppStream - content from Red Hat CDN or Satellite. -
  • -
-
-

- See the Performing - a standard RHEL 9 installation document for instructions on downloading ISO images, creating - installation media, and completing a RHEL installation. For automated Kickstart installations and - other advanced topics, see the Performing - an advanced RHEL 9 installation document. -

-
-
-
-
-
-

3.2. Repositories

-
-
-
-

- Red Hat Enterprise Linux 9 is distributed through two main repositories: -

-
-
    -
  • - BaseOS -
  • -
  • - AppStream -
  • -
-
-

- Both repositories are required for a basic RHEL installation, and are available with all RHEL - subscriptions. -

-

- Content in the BaseOS repository is intended to provide the core set of the underlying operating - system functionality that provides the foundation for all installations. This content is available - in the RPM format and is subject to support terms similar to those in previous releases of RHEL. For - more information, see the Scope of - Coverage Details document. -

-

- Content in the AppStream repository includes additional user-space applications, runtime languages, - and databases in support of the varied workloads and use cases. -

-

- In addition, the CodeReady Linux Builder repository is available with all RHEL subscriptions. It - provides additional packages for use by developers. Packages included in the CodeReady Linux Builder - repository are unsupported. -

-

- For more information about RHEL 9 repositories and the packages they provide, see the Package - manifest. -

-
-
-
-
-
-

3.3. Application Streams

-
-
-
-

- Multiple versions of user-space components are delivered as Application Streams and updated more - frequently than the core operating system packages. This provides greater flexibility to customize - RHEL without impacting the underlying stability of the platform or specific deployments. -

-

- Application Streams are available in the familiar RPM format, as an extension to the RPM format - called modules, as Software Collections, or as Flatpaks. -

-

- Each Application Stream component has a given life cycle, either the same as RHEL 9 or shorter. For - RHEL life cycle information, see Red Hat Enterprise Linux Life - Cycle. -

-

- RHEL 9 improves the Application Streams experience by providing initial Application Stream versions - that can be installed as RPM packages using the traditional dnf install - command. -

-
-
Note
-
-

- Certain initial Application Streams in the RPM format have a shorter life cycle than Red Hat - Enterprise Linux 9. -

-
-
-

- Some additional Application Stream versions will be distributed as modules with a shorter life cycle - in future minor RHEL 9 releases. Modules are collections of packages representing a logical unit: an - application, a language stack, a database, or a set of tools. These packages are built, tested, and - released together. -

-

- Always determine what version of an Application Stream you want to install and make sure to review - the Red Hat - Enterprise Linux Application Stream Lifecycle first. -

-

- Content that needs rapid updating, such as alternate compilers and container tools, is available in - rolling streams that will not provide alternative versions in parallel. Rolling streams may be - packaged as RPMs or modules. -

-

- For information about Application Streams available in RHEL 9 and their application compatibility - level, see the Package - manifest. Application compatibility levels are explained in the Red Hat Enterprise Linux 9: - Application Compatibility Guide document. -

-
-
-
-
-
-

3.4. Package management with YUM/DNF

-
-
-
-

- In Red Hat Enterprise Linux 9, software installation is ensured by DNF. Red Hat continues to support the usage of the - yum term for consistency with previous major versions of RHEL. If you - type dnf instead of yum, the command works - as expected because both are aliases for compatibility. -

-

- Although RHEL 8 and RHEL 9 are based on DNF, - they are compatible with YUM used in RHEL 7. -

-

- For more information, see Managing - software with the DNF tool. -

-
-
-
-
-
-
-

Chapter 4. New features

-
-
-
-

- This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 9.3. -

-
-
-
-
-

4.1. Installer and image creation

-
-
-
-
-

Support to both legacy and UEFI boot for AWS EC2 images

-

- Previously, RHEL image builder created EC2 AMD or Intel 64-bit architecture AMIs images with - support only for the legacy boot type. As a consequence, it was not possible to take advantage - of certain AWS features requiring UEFI boot, such as secure boot. This enhancement extends the - AWS EC2 AMD or Intel 64-bit architecture AMI image to support UEFI boot, in addition to the - legacy BIOS boot. As a result, it is now possible to take advantage of AWS features which - require booting the image with UEFI. -

-
-

- Jira:RHELDOCS-16339[1] -

-
-

New boot option inst.wait_for_disks= to add - wait time for loading a Kickstart file or the kernel drivers

-

- Sometimes, it may take a few seconds to load a Kickstart file or the kernel drivers from the - device with the OEMDRV label during the boot process. To adjust the - wait time, you can now use the new boot option, inst.wait_for_disks=. Using this option, you can specify how many - seconds to wait before the installation. The default time is set to 5 seconds, however, you can use 0 - seconds to minimize the delay. For more information about this option, see Storage - boot options. -

-
-

- Bugzilla:2171811 -

-
-

Ability to select required kernel while installing RHEL on ARM using GUI - and TUI

-

- Previously, you could install RHEL on ARM with kernel-64k page size only by using the Kickstart - method. With this update, you can now install RHEL on ARM using the GUI or the TUI and selecting - the required kernel version. The option to select the required kernel is available on the - Software Selection screen under Kernel Options. -

-
-

- Bugzilla:2164819[1] -

-
-

Support for VMware VSphere (OVA)

-

- This update adds support to build VMware VSphere OVA files by using RHEL image builder. The Open - Virtual Appliance (OVA) file is a virtual appliance used by the VMware VSphere virtualization - application. The OVA file contains files used to describe a virtual machine, such as an OVF - descriptor file, one or more virtual machine disk image files (VMDK), optional manifest (MF) and - certificate files. By using the VMware VSphere (.ova), you can more easily deploy the image to - VMware vSphere by using the vSphere GUI client. You can further customize the resulting VM - before you boot the image. -

-
-

- Jira:RHELDOCS-16877[1] -

-
-

New network Kickstart options to control DNS - handling

-

- You can now control DNS handling using the network Kickstart - command with the following new options. Use these new options with the --device option. -

-
-
-
    -
  • -

    - The --ipv4-dns-search and --ipv6-dns-search options allow you to set DNS search domains - manually. These options mirror their NetworkManager properties, for example: -

    -
    network --device ens3 --ipv4-dns-search domain1.example.com,domain2.example.com
    -
  • -
  • - The --ipv4-ignore-auto-dns and --ipv6-ignore-auto-dns options allow you to ignore DNS settings - from DHCP. They do not require any arguments. -
  • -
-
-

- Bugzilla:2065754[1] -

-
-

Minimal RHEL installation now installs only the s390utils-core package

-

- In RHEL 8.4 and later, the s390utils-base package is split into an - s390utils-core package and an auxiliary s390utils-base package. As a result, setting the RHEL installation to - minimal-environment installs only the necessary s390utils-core package and not the auxiliary s390utils-base package. If you want to use the s390utils-base package with a minimal RHEL installation, you must - manually install the package after completing the RHEL installation or explicitly install s390utils-base using a Kickstart file. -

-
-

- Bugzilla:1932480[1] -

-
-
-
-
-
-

4.2. Security

-
-
-
-
-

Keylime rebased to version 7.3.0

-

- The Keylime packages have been updated to upstream version 7.3.0. This version provides various - enhancements and bug fixes. Most notably, the allow and exclude lists are combined into the - Keylime runtime policy. You can combine the two lists by using the convert_runtime_policy.py script. -

-
-

- In addition, the update fixes two vulnerabilities with the moderate impact rating: CVE-2023-38200 and CVE-2023-38201. -

-

- Jira:RHEL-476[1] -

-
-

Ports for Keylime have stricter rules in SELinux policy

-

- Ports used by Keylime are now labeled as keylime_port_t in the - Keylime SELinux policy. The policy now allows TCP connections for ports with this label. This is - because the previous Keylime SELinux policy allowed connecting to all undefined ports and also - most of the ports used by Keylime were in the undefined group. As a result, this update - increases the granularity of the Keylime SELinux policy, and port security can be more strict - and better targeted. -

-
-

- Jira:RHEL-595[1] -

-
-

Audit now supports FANOTIFY record - fields

-

- This update of the audit packages introduces support for FANOTIFY Audit record fields. The Audit subsystem now logs additional - information in the AUDIT_FANOTIFY record, notably: -

-
-
-
    -
  • - fan_type to specify the type of a FANOTIFY event -
  • -
  • - fan_info to specify additional context information -
  • -
  • - sub_trust and obj_trust to - indicate trust levels for a subject and an object involved in an event -
  • -
-
-

- As a result, you can better understand why the Audit system denied access in certain cases. This can - help you write policies for tools such as the fapolicyd framework. -

-

- Jira:RHELPLAN-161087[1] -

-
-

fapolicyd now provides rule numbers for - troubleshooting

-

- With this enhancement, new kernel and Audit components allow the fapolicyd service to send the number of the rule that causes a denial - to the fanotify API. As a result, you can troubleshoot problems - related to fapolicyd more precisely. -

-
-

- Jira:RHEL-624 -

-
-

crypto-policies now provides the NO-ENFORCE-EMS subpolicy for TLS 1.2 connections in FIPS - mode

-

- The system-wide cryptographic policies now contain the NO-ENFORCE-EMS subpolicy. After applying the new subpolicy, the - system no longer requires the Extended Master Secret (EMS) extension (RFC 7627) for all TLS 1.2 - connections negotiated in FIPS mode. This allows the system to connect to legacy systems without - support for EMS or TLS 1.3. Note that this violates the requirements of the FIPS-140-3 standard. - You can apply the subpolicy by entering the update-crypto-policies --set FIPS:NO-ENFORCE-EMS command. -

-
-

- Bugzilla:2216257[1] -

-
-

GnuTLS requires EMS with TLS 1.2 in FIPS mode

-

- To comply with the FIPS-140-3 standard, GnuTLS servers and clients require the Extended Master - Secret (EMS) extension (RFC 7627) for all TLS 1.2 connections negotiated in FIPS mode. If your - scenario requires preserving compatibility with older servers and clients that do not support - EMS and you cannot use TLS 1.3, you can apply the NO-ENFORCE-EMS - system-wide cryptographic subpolicy: -

-
-
# update-crypto-policies --set FIPS:NO-ENFORCE-EMS
-
-
Warning
-
-

- If you allow TLS 1.2 connections without EMS, your system no longer meets the FIPS-140-3 - requirements. -

-
-
-

- Bugzilla:2157953 -

-
-

NSS now enforce EMS in FIPS mode

-

- The Network Security Services (NSS) libraries now contain the TLS-REQUIRE-EMS policy to require the Extended Master Secret (EMS) - extension (RFC 7627) for all TLS 1.2 connections as mandated by the FIPS 140-3 standard. NSS use - the new policy when the system-wide cryptographic policies are set to FIPS. -

-
-

- If your scenario requires interoperating with legacy systems without support for EMS or TLS 1.3, you - can apply the NO-ENFORCE-EMS system-wide cryptographic subpolicy. Such - a change violates the FIPS-140-3 requirements. -

-

- Bugzilla:2157950 -

-
-

OpenSSL now supports disabling EMS in FIPS mode

-

- You can now configure the OpenSSL cryptographic libraries to allow for TLS 1.2 connections - without the Extended Master Secret (EMS) extension (RFC 7627) in FIPS mode by editing the /etc/pki/tls/fips_local.cnf file. In a text editor of your choice, - add the following section to the configuration file: -

-
-
[fips_sect]
-tls1-prf-ems-check = 0
-activate = 1
-

- Then, locate the SSL configuration section in the /etc/pki/tls/openssl.cnf file. The default SSL configuration section is - crypto_policy. At the end of the SSL configuration section, add the - following line: -

-
Options=RHNoEnforceEMSinFIPS
-

- The previous configuration changes allow the system in FIPS mode to connect to legacy systems - without support for EMS or TLS 1.3. -

-
-
Warning
-
-

- You can stop enforcing EMS for TLS 1.2 in FIPS mode by entering the update-crypto-policies --set FIPS:NO-ENFORCE-EMS command. In both - cases, such a configuration change violates the requirements of the FIPS-140-3 standard. -

-
-
-

- Bugzilla:2216256[1] -

-
-

OpenSSH further enforces SHA-2

-

- As part of the effort to migrate further from the less secure SHA-1 message digest for - cryptographic purposes, the following changes were made in OpenSSH: -

-
-
-
    -
  • - Added a check on sshd startup whether using SHA-1 is configured - on the system. If it is not available, OpenSSH does not try to use SHA-1 for operations. - This eliminates loading DSS keys when they are present and also enforces advertising rsa-sha2 combinations when they are available. -
  • -
  • - On SSH private key conversion, OpenSSH explicitly uses SHA-2 for testing RSA keys. -
  • -
  • - When SHA-1 signatures are unavailable on the server side, sshd - uses SHA-2 to confirm host key proof. This might be incompatible with clients on RHEL 8 and - earlier versions. -
  • -
  • - When the SHA-1 algorithm is unavailable on the client side, OpenSSH uses SHA-2. -
  • -
  • - On the client side, OpenSSH permits SHA-2-based key proofs from the server when SHA-1 was - used in key proof request or when the hash algorithm is not specified (assuming default). - This is aligned with the already present exception for RSA certificates, and allows - connecting by using modern algorithms when supported. -
  • -
-
-

- Bugzilla:2070163 -

-
-

OpenSSL now contains protections against Bleichenbacher-like - attacks

-

- This release of the OpenSSL TLS toolkit introduces API-level protections against - Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now - returns a randomly generated deterministic message instead of an error if it detects an error - when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection - against vulnerabilities such as CVE-2020-25659 and CVE-2020-25657. -

-
-

- You can disable this protection by calling the EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0") function - on the RSA decryption context, but this makes your system more vulnerable. -

-

- Bugzilla:2153471 -

-
-

OpenSSL now supports Brainpool curves configurable through the Groups option

-

- This update of the OpenSSL TLS toolkit introduces support for Brainpool curves in Elliptic Curve - Cryptography (ECC). Additionally, you can control the curves with the system-wide cryptographic - policies through the Groups configuration option. -

-
-

- The following Brainpool curves are enabled in OpenSSL ECC: -

-
-
    -
  • - brainpoolP256r1 -
  • -
  • - brainpoolP256t1 -
  • -
  • - brainpoolP320r1 -
  • -
  • - brainpoolP320t1 -
  • -
  • - brainpoolP384r1 -
  • -
  • - brainpoolP384t1 -
  • -
  • - brainpoolP512r1 -
  • -
  • - brainpoolP512t1 -
  • -
-
-

- Bugzilla:2188180 -

-
-

crypto-policies now supports OpenSSL ECC - Brainpool curves

-

- With this update of the system-wide cryptographic policies, you can now control the following - Brainpool Elliptic Curve Cryptography (ECC) curves in OpenSSL by using the group option: -

-
-
-
    -
  • - BRAINPOOL-P256R1 -
  • -
  • - BRAINPOOL-P384R1 -
  • -
  • - BRAINPOOL-P512R1. -
  • -
-
-

- For example, you can enable all supported Brainpool elliptic curves in OpenSSL by creating a - subpolicy that contains the following line: -

-
group = BRAINPOOL-*+
-

- Bugzilla:2193324[1] -

-
-

crypto-policies now use the same group order - as OpenSSL by default

-

- In this release, the system-wide cryptographic policies (crypto-policies) control the group order in the OpenSSL Groups configuration option. To preserve the performance in OpenSSL, - crypto-policies use the default group order that matches the order - of the OpenSSL built-in preferences. As a result, the RHEL cryptographic back ends that support - crypto-policies for controlling the group order, such as GnuTLS, - now use the same order as OpenSSL. -

-
-

- Jira:RHEL-591[1] -

-
-

crypto-policies permitted_enctypes no longer break replications in FIPS - mode

-

- Before this update, an IdM server running on RHEL 8 sent an AES-256-HMAC-SHA-1-encrypted service - ticket that an IdM replica running RHEL 9 in FIPS mode. Consequently, the default permitted_enctypes krb5 configuration - broke a replication between the RHEL 8 IdM server and the RHEL 9 IdM replica in FIPS mode. -

-
-

- This update of the system-wide cryptographic policies reorders the permitted_enctypes krb5 configuration option - values to allow prioritization of more interoperable encryption types by default. As a result, the - permitted_enctypes configuration no longer break replications between a - RHEL 8 IdM servers and a RHEL 9 IdM replica in FIPS mode. -

-
-
Note
-
-

- If you use Kerberos, verify the order of the values of permitted_enctypes in the /etc/crypto-policies/back-ends/krb5.config file. If your scenario - requires a different order, apply a custom cryptographic subpolicy. -

-
-
-

- Bugzilla:2225222 -

-
-

pcsc-lite-ccid rebased to 1.5.2

-

- The pcsc-lite-ccid package has been updated to version 1.5.2. This - version provides various bug fixes and enhancements, most notably: -

-
-
-
    -
  • - Support for new readers -
  • -
  • - Fix for Alcor Micro AU9560 -
  • -
-
-

- Bugzilla:2209457 -

-
-

opensc rebased to 0.23

-

- The opensc packages have been updated to version 0.23. This version - provides various bug fixes and enhancements, most notably: -

-
-
-
    -
  • - Added support for encryption and decryption using symmetric keys -
  • -
  • - Added support for signing data with a length of more than 512 bytes -
  • -
  • - Disabled old card driver support by default -
  • -
  • - Removed support for old drivers MioCOS and JCOP -
  • -
-
-

- Jira:RHEL-280[1] -

-
-

setools rebased to 4.4.3

-

- The setools packages have been updated to version 4.4.3. This - version provides various bug fixes and enhancements, most notably: -

-
-
-
    -
  • - Fixed compilation with Cython 3.0.0 -
  • -
  • - Improved man pages -
  • -
  • - Removed unused options in sediff, sesearch, and apol -
  • -
  • - Added the -r option to seinfoflow - command to get flows analysis into the source type -
  • -
  • - Rules with no permissions are automatically rejected as an invalid policy -
  • -
-
-

- Bugzilla:2231801, Bugzilla:2184140 -

-
-

Additional services confined in the SELinux policy

-

- This update adds additional rules to the SELinux policy that confine the following systemd services: -

-
-
-
    -
  • - qat -
  • -
  • - systemd-pstore -
  • -
  • - boothd -
  • -
  • - fdo-manufacturing-server -
  • -
  • - fdo-rendezvous-server -
  • -
  • - fdo-client-linuxapp -
  • -
  • - fdo-owner-onboarding-server -
  • -
-
-

- As a result, these services do not run with the unconfined_service_t - SELinux label anymore, and run successfully in SELinux enforcing mode. -

-

- Bugzilla:2080443[1], Bugzilla:2026795, Bugzilla:2181565, Bugzilla:2128833 -

-
-

OpenSCAP rebased to 1.3.8

-

- The OpenSCAP packages have been rebased to upstream version 1.3.8. This version provides various - bug fixes and enhancements, most notably: -

-
-
-
    -
  • - Fixed systemd probes to not ignore some systemd units -
  • -
  • - Added offline capabilities to the shadow OVAL probe -
  • -
  • - Added offline capabilities to the sysctl OVAL probe -
  • -
  • - Added auristorfs to the list of network filesystems -
  • -
  • - Created a workaround for issues with tailoring files produced by the autotailor utility -
  • -
-
-

- Bugzilla:2217442 -

-
-

SCAP Security Guide rebased to version 0.1.69

-

- The SCAP Security Guide (SSG) packages have been rebased to upstream version 0.1.69. This - version provides various enhancements and bug fixes. Most notably, it introduces three new SCAP - profiles for RHEL 9 aligned with the CCN-STIC-610A22 Guide issued by the National Cryptologic - Center of Spain in October 2022: -

-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Profile nameProfile IDPolicy version
-

- CCN Red Hat Enterprise Linux 9 - Advanced -

-
-

- xccdf_org.ssgproject.content_profile_ccn_advanced -

-
-

- 2022-10 -

-
-

- CCN Red Hat Enterprise Linux 9 - Basic -

-
-

- xccdf_org.ssgproject.content_profile_ccn_basic -

-
-

- 2022-10 -

-
-

- CCN Red Hat Enterprise Linux 9 - Intermediate -

-
-

- xccdf_org.ssgproject.content_profile_ccn_intermediate -

-
-

- 2022-10 -

-
-
-

- Bugzilla:2221697 -

-
-

ANSSI-BP-028 security profiles updated to version 2.0

-

- The following French National Agency for the Security of Information Systems (ANSSI) BP-028 in - the SCAP Security Guide were updated to be aligned with version 2.0: -

-
-
-
    -
  • - ANSSI-BP-028 Minimal Level -
  • -
  • - ANSSI-BP-028 Intermediary Level -
  • -
  • - ANSSI-BP-028 Enhanced Level -
  • -
  • - ANSSI-BP-028 High Level -
  • -
-
-

- Bugzilla:2155790 -

-
-

python3-greenlet-devel is now available in - CRB

-

- The python3-greenlet-devel package is now available in the - CodeReady Linux Builder (CRB) repository, which you must explicitly enable. See the How to enable and make use of - content within CodeReady Linux Builder Knowledgebase article for more information. Note - that packages included in the CRB repository are unsupported. -

-
-

- Bugzilla:2149497 -

-
-

SSG rule to check the group used by the pam_wheel.so module is simplified

-

- The CIS Benchmark requires restricting the su command in favor of - the sudo command. SCAP Security Guide (SSG) fulfills this - requirement with the pam_wheel.so module, which restricts the su command to a specific group. This update improves the rule that - checks whether this group exists and has no members. As a result, the rule is more efficient and - simplifies the interpretation of the assessment report. -

-
-

- Jira:RHEL-1905 -

-
-
-
-
-
-

4.3. RHEL for Edge

-
-
-
-
-

New FIDO Device Onboarding Servers container images are available -

-

- The following FIDO Device Onboarding Servers container images for onboarding IoT and edge - computing devices are now available in the Red Hat Container Catalog: -

-
-
-
    -
  • - rhel9/fdo-manufacturing-server container image -
  • -
  • - rhel9/fdo-owner-onboarding-server container image -
  • -
  • - rhel9/fdo-rendezvous-server container image -
  • -
  • - rhel9/fdo-serviceinfo-api-server container image -
  • -
-
-

- Jira:RHELPLAN-163133[1] -

-
-

The minimal-raw image type now supports 64-bit - ARM architectures

-

- With this enhancement, you can create a minimal-raw image type with - support for 64-bit ARM architecture, and AMD and Intel 64-bit architectures. The minimal-raw image is pre-packaged, bootable, minimal RPM image, - compressed in the xz format. To boot the image, you must decompress - it and copy to any bootable device, such as an SD card. To decompress the image, run the - following command: -

-
-
$ xz -d <_uuid-minimal-raw.img_.xz>
-

- Jira:RHELPLAN-163665[1] -

-
-

The Commit ID is now supported as a value for the --parent argument of composer-cli - CLI

-

- You can now use the image Commit ID as a value for the --parent - argument of the composer-cli command line. To get the image Commit - ID, download and extract the RHEL for Edge Commit image. You can find the ref name and the commit ID in the extracted .tar file. -

-
-

- Jira:RHELDOCS-16386[1] -

-
-

Support to build RHEL for Edge .ami - images

-

- With this enhancement, you have support to build .ami images for - RHEL for Edge by using on-premise RHEL image builder. During the initial boot, you can customize - the blueprint with Ignition to inject the credentials into the image. You can upload the .ami image to AWS and boot an EC2 instance in AWS. -

-
-

- Jira:RHELDOCS-16708[1] -

-
-

Support to build .vmdk images for RHEL for - Edge

-

- With this enhancement, you have support to build a .vmdk image for - RHEL for Edge by using on-premise RHEL image builder. You can customize the blueprint with - Ignition to inject the credentials into the image during the initial boot. You can load the - image on vSphere and boot the image in a VM vSphere. The image is compatible with ESXi 7.0 U2, - ESXi 8.0, and later. The VM is compatible with versions 19 and 20. -

-
-

- Jira:RHELDOCS-16709[1] -

-
-

You can now log in to an Edge system as the initial user without setting a - password

-

- Previously, logging in as the initial user created during the FDO onboarding process did not - work because the system asked for a password that was not set with the useradd command. With this enhancement, the password is now set to - optional, and you can log in even if you did not previously set a password by using the useradd command. Note that you can log in with an SSH key without - entering a password, and if it fails, you will be prompted to enter a password. -

-
-

- Jira:RHELDOCS-17101[1] -

-
-
-
-
-
-

4.4. Software management

-
-
-
-
-

New DNF Automatic reboot option for an - automatic reboot after an upgrade

-

- With this enhancement, you can use the DNF Automatic reboot option - to set your system to automatically reboot to apply the changes after an upgrade. -

-
-

- The reboot option supports the following settings: -

-
-
    -
  • - never does not reboot the system. This is the current behavior. -
  • -
  • - when-changed triggers a reboot after any upgrade. -
  • -
  • - when-needed triggers a reboot only when rebooting is required - to apply changes, for example, when systemd or the kernel is upgraded. -
  • -
-
-

- You can use the reboot_command option to customize the command used to - reboot. The default reboot command is shutdown -r. -

-

- Bugzilla:2124793 -

-
-

The new --poweroff option allows you to shut - down the system after installing updates

-

- With this enhancement, the new --poweroff option has been added to - the reboot command of the dnf system-upgrade plugin. You can use this option to shut down the - system after installing updates instead of rebooting. -

-
-

- Bugzilla:2157844 -

-
-

New dnf leaves and show-leaves plug-ins are now available for the DNF API -

-

- With this enhancement, the following new DNF plug-ins are available that list packages installed - on your system that are not required as dependencies of other installed packages: -

-
-
-
    -
  • - dnf leaves lists all packages. -
  • -
  • - show-leaves lists newly installed packages and packages that - became unrequired as dependencies of other installed packages after a transaction. -
  • -
-
-

- Bugzilla:2134638 -

-
-
-
-
-
-

4.5. Shells and command-line tools

-
-
-
-
-

The NetBackup services are now enabled for backup restoration

-

- When using the NetBackup (NBU) backup method, ReaR now includes the unit files for the NetBackup - services version 10.1.1 in the rescue image and starts them when the rescue system boots. As a - result, you can restore the system backup by using the NBU backup method during the recovery - process and complete the restore successfully. -

-
-

- Bugzilla:2188593 -

-
-

opencryptoki rebased to 3.21.0

-

- The opencryptoki package has been rebased to version 3.21.0, which - provides many enhancements and bug fixes. Most notably, opencryptoki now supports the following features: -

-
-
-
    -
  • - Concurrent hardware security module (HSM) master key changes -
  • -
  • - The protected-key option to transform a chosen key into a - protected key -
  • -
  • - Additional key types, such as DH, DSA, and generic secret key types -
  • -
  • - EP11 host library version 4 -
  • -
  • - AES-XTS key type -
  • -
  • - IBM-specific Kyber key type and mechanism -
  • -
  • - Additional IBM-specific Dilithium key round 2 and 3 variants -
  • -
-
-

- Additionally, pkcsslotd slot manager no longer runs as root and opencryptoki offers further hardening. With this update, you can also use - the following set of new commands: -

-
-
-
p11sak set-key-attr
-
- To modify keys -
-
p11sak copy-key
-
- To copy keys -
-
p11sak import-key
-
- To import keys -
-
p11sak export-key
-
- To export keys -
-
-
-

- Bugzilla:2160061[1] -

-
-

Updated systemd-udevd assigns consistent - network device names to InfiniBand interfaces

-

- Introduced in RHEL 9, the new version of the systemd package - contains the updated systemd-udevd device manager. The device - manager changes the default names of InfiniBand interfaces to consistent names selected by systemd-udevd. -

-
-

- You can define custom naming rules for naming InfiniBand interfaces by following the Renaming - IPoIB devices using systemd link file procedure. -

-

- For more details of the naming scheme, see the systemd.net-naming-scheme(7) man page. -

-

- Bugzilla:2136937 -

-
-
-
-
-
-

4.6. Infrastructure services

-
-
-
-
-

Postfix now supports SRV lookups

-

- With this enhancement, you can now use the Postfix DNS service records resolution (SRV) to - automatically configure mail clients and balance load of servers. Additionally, you can prevent - mail delivery disruptions caused by temporary DNS issues or misconfigured SRV records by using - the following SRV-related options in your Postfix configuration: -

-
-
-
-
use_srv_lookup
-
- You can enable discovery for the specified service by using DNS SRV records. -
-
allow_srv_lookup_fallback
-
- You can use a cascading approach to locating a service. -
-
ignore_srv_lookup_error
-
- You can ensure that the service discovery remains functional even if SRV records are not - available or encounter errors. -
-
-
-

- Bugzilla:2134789 -

-
-

Generic LF-to-CRLF driver is available in cups-filters

-

- With this enhancement, you can now use the Generic LF-to-CRLF driver, which converts LF - characters to CR+LF characters for printers accepting files with CR+LF characters. The carriage - return (CR) and line feed (LF) are control characters that mark the end of lines. As a result, - by using this driver, you can send an LF character terminated file from your application to a - printer accepting only CR+LF characters. The Generic LF-to-CRLF driver is a renamed version of - the text-only driver from RHEL 7. The new name reflects its actual - functionality. -

-
-

- Bugzilla:2229784 -

-
-
-
-
-
-

4.7. Networking

-
-
-
-
-

RHEL on ARM now fully supports wifi adapters in RHEL 9.3

-

- With this enhancement, you can now enable access to wifi adapters for several cards for the - arm64 platforms. -

-
-

- For details on configuring wifi connections, see Managing - wifi connections. -

-

- Bugzilla:2208365[1] -

-
-

NetworkManager now supports the no-aaaa option in resolv.conf

-

- NetworkManager now supports adding the no-aaaa DNS option in the resolv.conf file. By using the no-aaaa value in the DNS option setting, you can disable IPv6 DNS - resolution. -

-
-

- Bugzilla:2176137 -

-
-

nmstate now supports mixing static DNS search - along with dynamic DNS name servers

-

- The nmstate framework now supports both static Domain Name System - (DNS) search domains and dynamic DNS name servers, which nmstate - obtained from Dynamic Host Configuration Protocol (DHCP) or the autoconf mechanism. Previously, static DNS search domains could not - co-exist with dynamic DNS name servers because the dynamic configurations were discarded by - nmstate. This often led to unnecessary complexity and limitations - in network setup and management. This enhancement aims to bring more flexibility in managing DNS - configurations. As a result, nmstate attempts to find a network - interface to store the DNS configuration in the following order: -

-
-
-
    -
  1. - The preferred interface, which currently holds the DNS configuration and is still valid for - DNS -
  2. -
  3. - An automatic interface -
  4. -
  5. - An IP enabled interface -
  6. -
-
-

- Note that this enhancement does not remove the DNS name servers learned from DHCP. -

-

- The following is an example YAML file to apply this feature: -

-
---
-dns-resolver:
-  config:
-    search:
-      - example.com
-      - example.org
-interfaces:
-  - name: eth1
-    type: ethernet
-    state: up
-    ipv4:
-      enabled: true
-      dhcp: true
-    ipv6:
-      enabled: true
-      dhcp: true
-      autoconf: true
-

- Bugzilla:2179916 -

-
-

nmstate now supports the bridge.vlan-default-pvid NetworkManager configuration - option

-

- With this update, you can use the nmstate framework to configure - the bridge.vlan-default-pvid NetworkManager configuration option. - By using this option, you can set the default port VLAN identifier (PVID) for untagged traffic - on a bridge interface that supports VLANs, when you use Linux bridge VLAN filtering. To achieve - this result, use the following YAML configuration: -

-
-
interfaces:
-  - name: linux-br0
-    type: linux-bridge
-    state: up
-    bridge:
-      options:
-        vlan-default-pvid: 5
-      port:
-        - name: eth1
-          stp-hairpin-mode: false
-          stp-path-cost: 100
-          stp-priority: 32
-          vlan:
-            mode: access
-            tag: 100
-

- Note that the default value of bridge.vlan-default-pvid is 1. When set - to 0 with VLAN filtering enabled, the untagged traffic is dropped. -

-

- Bugzilla:2180795 -

-
-

The NetworkManager service restarts - immediately after the dbus service is restarted

-

- Previously, after restarting dbus for some reason, NetworkManager stopped. This behavior was not optimal and caused a - loss of connectivity. Therefore, this enhancement updates NetworkManager to become more robust and to make it restart - automatically upon a dbus restart. -

-
-

- Bugzilla:2161915 -

-
-

The nm-cloud-setup utility now supports IMDSv2 - configuration

-

- Users can configure an AWS Red Hat Enterprise Linux EC2 instance with Instance Metadata Service - Version 2 (IMDSv2) with the nm-cloud-setup utility. To comply with - improved security that restricts unauthorized access to EC2 metadata and new features, - integration between AWS and Red Hat services is necessary to provide advanced features. This - enhancement enables the nm-cloud-setup utility to fetch and save - the IMDSv2 tokens, verify an EC2 environment, and retrieve information about available - interfaces and IP configuration by using the secured IMDSv2 tokens. -

-
-

- Bugzilla:2151986 -

-
-

NetworkManager notifies when using the deprecated ifcfg format

-

- Connection profiles in ifcfg format are deprecated in RHEL 9 (see - NetworkManager - connection profiles in ifcfg format are deprecated). With - this update, NetworkManager notifies users about the deprecation of this format: -

-
-
-
    -
  • -

    - NetworkManager logs the following warning to the systemd - journal if it processes a connection profile in ifcfg - format in the /etc/sysconfig/network-scripts/ directory: -

    -
    Warning: the ifcfg-rh plugin is deprecated, please migrate connections to the keyfile format using "nmcli connection migrate"
    -
  • -
  • -

    - The nmcli utility reports the following error if you try to - modify a property that is not supported in ifcfg format: -

    -
    Error: Failed to modify connection '<name>': failed to update connection: The ifcfg-rh plugin doesn't support setting '<property>'. If you are modifying an existing connection profile saved in ifcfg-rh format, please migrate the connection to keyfile using 'nmcli connection migrate <connection_uuid>' or via the Update2() D-Bus API and try again.
    -
  • -
-
-

- As a result of these enhancements, NetworkManager now notifies users if they still use or modify - connection profiles in the deprecated ifcfg format. -

-

- For further details about migrating profiles from ifcfg to keyfile - format, see Migrating - NetworkManager profiles from ifcfg to keyfile format. -

-

- Bugzilla:2190375 -

-
-

NetworkManager now supports the lacp_active option in the bonding configuration

-

- By using NetworkManager, the lacp_active option in bonding configuration provides fine-grained - control over Link Aggregation Control Protocol Data Units (LACPDU) frames. The lacp_active option also adjusts the behavior of LACPDU frames and - controls periodic transmission of these frames in the bonding setup. To customize network - configurations, you can enable or disable periodic transmission of LACPDU frames by setting - lacp_active to ON or OFF. -

-
-

- Bugzilla:2069001 -

-
-

NetworkManager now supports configuration of - the ns_ip6_target option for bond interfaces

-

- This enhancement allows setting the arp_interval option by - specifying a maximum of 16 IPv6 addresses as monitoring peers in NetworkManager for configuration of the ns_i6_target option for bond interfaces. Previously, it was not - possible to specify IPv6 monitoring peers in NetworkManager. With - this update, you can configure the ns_ip6_target option in the - bond.options parameter by using the nmcli utility. NetworkManager applies - this setting to the bond interface by enabling the specification of a maximum of 16 IPv6 - addresses. This enhancement equally applies to IPv4 and IPv6 settings. -

-
-

- Bugzilla:2069004 -

-
-

NetworkManager now supports both static and - DHCP IP configuration on the same network interface

-

- By using the nmstate utility, you can now assign a static IP - address with dhcp: true or autoconf: true value on the DHCP or Ad-Hoc Network Autoconfiguration - (autoconf) enabled interface. -

-
-

- With this enhancement, nmstate supports two properties of IP addresses: -

-
-
    -
  • - valid_lft means valid lifetime in seconds -
  • -
  • - preferred_lft means preferred lifetime in seconds -
  • -
-
-

- Default value of both parameters is forever which means static. -

-

- With above properties, nmstate can ignore DHCP/autoconf based IP - addresses to avoid converting dynamic IP addresses to static IP after applying the queried state - back. If your scenario requires having disabled DHCP/autoconf settings with dynamic IP addresses, - nmstate converts those dynamic IP to static IP addresses. -

-

- Bugzilla:2177733 -

-
-

nmstate supports MAC address identifiable - network interface

-

- The nmstate utility supports network configuration directly to a - network interface with a MAC address instead of an interface name. -

-
-

- This enhancement introduces two properties to the base interface: -

-
-
    -
  • - identifier : identifies name or - mac-address on a network. The default value is name. -
  • -
  • - profile-name : string -
  • -
-
-

- When the identifier variable is set to the mac-address value, nmstate uses the interface.mac-address over interface.name to - choose a network interface for a specific network state. When storing the network configuration, if - the interface.profile-name variable is not assigned, nmstate prefers interface.profile-name over - interface.name. If you check the current network state, the interface.profile-name remains hidden if it is equal to interface.name. -

-

- Bugzilla:2183214 -

-
-

NetworkManager supports defining after how many failed ARP checks the - bonding driver marks a port as down

-

- This enhancement adds the arp_missed_max option to bond connection - profiles in NetworkManager. If you use the Address Resolution Protocol (ARP) monitor to check if - ports of a bond are up, you can now set arp_missed_max to define - after how many failed checks the bonding driver marks the port as down. -

-
-

- Bugzilla:2148684 -

-
-

NetworkManager supports specifying link-related properties

-

- This enhancement adds the following network link properties to NetworkManager connection - profiles: -

-
-
-
    -
  • - link.tx-queue-length - The size of the transmit (TX) queue - length in number of packets. -
  • -
  • - link.gro-max-size - The maximum size in bytes of a Generic - Receive Offload (GRO) packet the device accepts. -
  • -
  • - link.gso-max-segments - The maximum number of segments of a - Generic Segmentation Offload (GSO) packet the device accepts. -
  • -
  • - link.gso-max-size - The maximum size in bytes of a GSO packet. -
  • -
-
-

- Previously, you could configure these kernel settings only by using ip - commands or by using such commands in NetworkManager dispatcher scripts. With this enhancement, you - can now configure these settings directly in connection profiles. -

-

- Note that NetworkManager supports these properties only in connection profiles in keyfile format and not in the deprecated ifcfg format. -

-

- Bugzilla:2158328 -

-
-

The nmstate API support available for dhcp-send-hostname and dhcp-custom-hostname DHCP options

-

- With this enhancement, the nmstate utility supports configuration - of the following two DHCP options in the connection file: -

-
-
-
    -
  • - dhcp-send-hostname: true or false value. If a DHCP request needs the hostname or fully - qualified domain name (FQDN) option, the hostname from that option is set. The default is - true. -
  • -
  • -

    - dhcp-custom-hostname: <string>. Use this option to - configure the hostname or FQDN option in a DHCP request, value type is string. -

    -
    -
    -
    For DHCPv4 network protocols
    -
    -
    -
    -
  • -
  • - If the hostname is FQDN, see the Fully Qualified Domain Name (FQDN), option (81) in RFC 4702. -
  • -
  • -

    - If the hostname is not FQDN, see the Host Name, option (12) - in RFC 2132. -

    -
    -
    -
    For DHCPv6 network protocols
    -
    -
    -
    -

    - Supports custom string, empty domain name, overrides the hostname for a DHCP request. - See the Fully Qualified Domain Name (FQDN), option (29) in - RFC 4704. -

    -
  • -
-
-

- Bugzilla:2187622 -

-
-

NetworkManager rebased to version 1.44.0

-

- The NetworkManager packages have been upgraded to upstream version - 1.44.0, which provides several enhancements and bug fixes over the previous version: -

-
-
-
    -
  • - Link-related - properties have been added to NetworkManager. -
  • -
  • - The arp_missed_max, lacp_active, - and ns_ip6_target properties have been added to bond connection - profiles. -
  • -
  • - You can now set a DHCPv6 prefix delegation hint in the ipv6.dhcp-pd-hint connection property. -
  • -
  • - Enabling the new rename parameter in the [keyfile] section of the /etc/NetworkManager/NetworkManager.conf file causes - NetworkManager to rename a connection profile in /etc/NetworkManager/system-connections/ if you change a profile - name (connection.id). If external applications or scripts rely - on the file names, do not enable this parameter. -
  • -
  • - When you set a hostname that contains a non-public top-level domain (TLD), NetworkManager - now uses this TLD as DNS search domain instead of the full hostname. -
  • -
  • - NetworkManager now applies DNS options from the [global-dns] - section in the /etc/NetworkManager/NetworkManager.conf file. -
  • -
  • - To avoid race conditions with other depending services, NetworkManager now acquires the - D-Bus name only after populating the D-Bus tree. Note that this can add a delay when - NetworkManager starts. -
  • -
  • - NetworkManager now adds a version-id argument to Update2() D-Bus calls to prevent concurrent profile - modifications.F -
  • -
  • - NetworkManager no longer uses tentative IPv6 addresses to resolve the system hostname from - DNS. -
  • -
  • - To prevent unexpected behaviors in case of multi-connect profiles, NetworkManager now tracks - the number of auto-connect retries left for each device and connection instead of only per - connection. -
  • -
  • - NetworkManager sets VLAN filtering options by using the kernel’s netlink interface instead of the sysfs file system. -
  • -
  • - The nm-cloud-setup utility now supports Instance Metadata - Service Version 2 (IDMSv2) on Amazon EC2. -
  • -
  • - Users can now enable and disable wifi and Wireless Wide Area Networks (WWANs) in the nmtui application. -
  • -
  • - Bond, bridge, and team connections now use the ignore-carrier=no setting in the [main] section of the /etc/NetworkManager/NetworkManager.conf file. -
  • -
-
-

- Bugzilla:2180966 -

-
-

SCTP rebased to the latest version of the kernel networking tree for RHEL - 9

-

- Notable changes in the Stream Control Transmission Protocol (SCTP) networking subsystem include: -

-
-
-
    -
  • - Virtual routing and forwarding (VRF) support to segment and isolate SCTP traffic within - complex network environments. -
  • -
  • - New stream schedulers (fair capacity, and weighted fair queueing) to ensure efficient and equal resource - allocation in the network. -
  • -
-
-

- Bugzilla:2189292 -

-
-

MPTCP rebased to the latest version of the kernel networking tree for RHEL - 9

-

- Notable changes in the Multipath TCP (MPTCP) protocol extension include: -

-
-
-
    -
  • - Support for TCP fastopen (TFO) extension, including the client-side support. This feature - offers latency, efficiency, and performance improvements for your network. -
  • -
  • - Support multiple mixed IPv4/IPv6 subflows to allow for greater flexibility and adaptability - in networks where both IP versions are used. -
  • -
-
-

- Bugzilla:2193330[1] -

-
-

The xdp-tools package rebased to version - 1.4.0

-

- The xdp-tools package has been upgraded to version 1.4.0, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - The xdp-bench utility gained support for multi-buffer eXpress - Data Path (XDP) and for benchmarking the xdp_load_bytes() - helper in the kernel. This feature enables conducting network benchmarking tests with large - maximum transmission units (MTUs). -
  • -
  • - The locking of the command line utilities of xdp-tools was - improved to prevent stale locks if the utility did not exit cleanly. -
  • -
  • - The libxdp library contains a new xsk_umem__create_with_fd() API that accepts an extra file - descriptor of an already open AF_XDP socket. You can use this - function as a substitute for the regular xsk_umem__create() - function when a process does not have CAP_NET_RAW privileges. -
  • -
-
-

- Bugzilla:2218500 -

-
-

iproute rebased to version 6.2.0

-

- The iproute packages have been upgraded to upstream version 6.2.0, - which provides several enhancements and bug fixes over the previous version. The most notable - changes are: -

-
-
-
    -
  • - The new ip stats command manages and shows interface - statistics. By default, the ip stats show command displays - statistics for all network devices, including bridges and bonds. You can filter the output - by using the dev and group - options. For further details, see the ip-stats(8) man page. -
  • -
  • - The ss utility now provides the -T - (--threads) option to display thread information, which extends - the -p (--processes) option. For - further details, see the ss(8) man page. -
  • -
  • - You can use the new bridge fdb flush command to remove specific - forwarding database (fdb) entries which match a supplied option. For further details, see - the bridge(8) man page. -
  • -
-
-

- Jira:RHEL-428[1] -

-
-

The kernel supports activating bond ports in a specific order

-

- With this enhancement, the kernel’s netlink interface supports - setting a priority on each port if you configure a bond in active-backup, balance-tlb or balance-alb mode. The priority value uses a 32-bit Integer, and a - higher value means a higher priority. As a result, you can now activate the bond ports in a - specific order. -

-
-

- To use this feature, you can configure the priority by setting the bond-port.prio property when you create or modify a NetworkManager port - connection profile. -

-

- Bugzilla:2092194[1] -

-
-

firewalld now avoids unnecessary firewall rule - flushes

-

- With the release of the RHBA-2023:7748, advisory the - firewalld service was upgraded in a sense that it will not remove - all the existing rules from the iptables configuration if both - following conditions are met: -

-
-
-
    -
  • - firewalld is using the nftables - backend. -
  • -
  • - There are no firewall rules created with the --direct option. -
  • -
-
-

- This change aims at reducing unnecessary operations (firewall rules flushes) and improves - integration with other software. -

-

- Jira:RHEL-14694[1] -

-
-

Introduction of new nmstate attributes for the - VLAN interface

-

- With this update of the nmstate framework, the following VLAN - attributes were introduced: -

-
-
-
    -
  • - registration-protocol: VLAN Registration Protocol. The valid - values are gvrp (GARP VLAN Registration Protocol), mvrp (Multiple VLAN Registration Protocol), and none. -
  • -
  • - reorder-headers: reordering of output packet headers. The valid - values are true and false. -
  • -
  • - loose-binding: loose binding of the interface to the operating - state of its primary device. The valid values are true and - false. -
  • -
-
-

- Your YAML configuration file can look similar to the following example: -

-
---
-interfaces:
-  - name: eth1.101
-    type: vlan
-    state: up
-    vlan:
-      base-iface: eth1
-      id: 101
-      registration-protocol: mvrp
-      loose-binding: true
-      reorder-headers: true
-

- Jira:RHEL-19142[1] -

-
-
-
-
-
-

4.8. Kernel

-
-
-
-
-

Kernel version in RHEL 9.3

-

- Red Hat Enterprise Linux 9.3 is distributed with the kernel version 5.14.0-362.8.1. -

-
-

- Bugzilla:2232554 -

-
-

Support added for NVIDIA Grace CPUs

-

- Red Hat Enterprise Linux 9.3 adds support for the NVIDIA Grace ARM 64-bit CPU. -

-
-

- Jira:RHELDOCS-17055[1] -

-
-

The RHEL kernel now supports AutoIBRS

-

- Automatic Indirect Branch Restricted Speculation (AutoIBRS) is a feature provided by the AMD - EPYC 9004 Genoa family of processors and later CPU versions. AutoIBRS is the default mitigation - for the Spectre v2 CPU vulnerability, which boosts performance and improves scalability. -

-
-

- Bugzilla:1898184[1] -

-
-

perf rebased to version 6.2

-

- The perf performance analysis tool has been rebased to version 6.2. - Apart from numerous minor bug fixes and updates, the perf list - command now displays Performance Monitor Unit (PMU) events that contain human-friendly names and - descriptions. In addition, this update adds support for the following processors: -

-
-
-
    -
  • - Intel 13th generation of Core processors (Intel Raptor Lake-S) -
  • -
  • - Intel 14th generation of processors (Intel Meteor Lake) -
  • -
  • - Intel 5th generation Xeon server processors (Intel Emerald Rapids) -
  • -
-
-

- Bugzilla:2177180[1] -

-
-

The Intel® QAT kernel driver rebased to upstream version 6.2

-

- The Intel® Quick Assist Technology (QAT) has been rebased to upstream version 6.2. The Intel® - QAT includes accelerators optimized for symmetric and asymmetric cryptography, compression - performance, and other CPU intensive tasks. -

-
-

- The rebase includes many bug fixes and enhancements. The most notable enhancement is the support - available for following hardware accelerator devices for QAT GEN4: -

-
-
    -
  • - Intel Quick Assist Technology 401xx devices -
  • -
  • - Intel Quick Assist Technology 402xx devices -
  • -
-
-

- Bugzilla:2144528[1] -

-
-

vTPM functionality is available for Linux - containers

-

- This enhancement introduces virtual Trusted Platform Module (vTPM) - for Linux containers and other virtual environments. vTPM is a - virtualized version of TPM that provides a dedicated TPM instance to use for a secure running - environment. With vTPM proxy drivers, programs interact with an - emulated TPM the same way as they interact with physical TPMs. -

-
-

- As a result, each virtual machine can now have a dedicated vTPM - instance that is isolated and encrypted. -

-

- Bugzilla:2210263[1] -

-
-

crash rebased to version 8.0.3

-

- crash is an interactive utility to analyze a running system and a - core dump file created by kdump in case of a kernel crash. The - crash utility has been rebased to version 8.0.3 that includes many - bug fixes and enhancements. The most notable enhancement is the added IPv6 support. -

-
-

- For network interfaces that support IPv6, crash prints IPv6 addresses - with the net or net -s command. -

-
-
    -
  • - The net command displays the list of network devices, names, - and the IP address. -
  • -
  • -

    - The net -s command displays the following information: -

    -
    -
      -
    • - The open network socket and sock addresses -
    • -
    • - The family and the type of sockets and sock addresses -
    • -
    • - The source and destination address and ports for INET and INET6 families -
    • -
    -
    -
  • -
-
-

- Bugzilla:2170283 -

-
-

LVM thin-provisioned storage volumes supported as the vmcore dump target

-

- The kdump mechanism now supports thin-provisioned logical volumes - as the vmcore target. To configure LVM thin provisioning, complete - the following steps: -

-
-
-
    -
  1. -

    - Create an LVM volume group. -

    -
    vgcreate vg00 /dev/sdb
    -
  2. -
  3. -

    - Create an LVM thin pool of 10 MB available space. -

    -
    lvcreate -L 10M -T vg00/thinpool
    -
  4. -
  5. -

    - Create an LVM thin volume with 300 MB of the file system space. -

    -
    lvcreate -V 300M -T vg00/thinpool -n thinvol
    -mkfs.ext4 /dev/vg00/thinvol
    -
  6. -
  7. -

    - Configure the LVM thin pool threshold to automatically extend the space. -

    -
    cat /etc/lvm/lvm.conf
    -activation {
    -	thin_pool_autoextend_threshold = 70
    -	thin_pool_autoextend_percent = 20
    -	monitoring = 1
    -}
    -
  8. -
  9. -

    - Enable the LVM thin pool monitoring service for the first kernel. -

    -
    systemctl enable lvm2-monitor.service
    -systemctl start lvm2-monitor.service
    -
  10. -
  11. -

    - Append the following lines to the kdump.conf file to set - the LVM thin volume as the kdump target. -

    -
    ext4 /dev/vg00/thinvol
    -path /
    -
  12. -
  13. -

    - Start the kdump service. -

    -
    kdumpctl restart
    -
  14. -
  15. - Verify the configuration by triggering a kernel panic and check if the vmcore is saved to /dev/vg00/thinvol. -
  16. -
-
-

- As a result, with this enhancement, the kdump mechanism now extends - capability to save the vmcore dump files on thin-provisioned storage - volumes. -

-

- Bugzilla:2083475 -

-
-

makedumpfile rebased to upstream version - 1.7.3

-

- The makedumpfile tool, which makes the crash dump file small by - compressing pages or excluding memory pages that are not required, has been rebased to upstream - version 1.7.3. The rebase includes many bug fixes and enhancements. -

-
-

- The most notable change is the added 5-level paging mode for standalone dump (sadump) mechanism on AMD and Intel 64-bit architecture. The 5-level - paging mode extends the processor’s linear address width to allow applications access larger amounts - of memory. 5-level paging extends the size of virtual addresses from 48 to 57 bits and the physical - addresses from 46 to 52 bits. -

-

- Bugzilla:2173815 -

-
-

Red Hat Enterprise Linux supports ARM’s SystemReady ES and IR tier -

-

- Red Hat Enterprise Linux now supports ARM’s SystemReady ES and IR, while previously only the SR - tier was supported. In RHEL 9.3, the NVIDIA Orin, NXP i.MX 8M, and NXP i.MX 8M Mini modules have - been enabled and are candidates for the RHEL hardware certification. Hardware partners are able - to submit - certifications by enrolling in the Red Hat hardware certification journey. Customers can - use the supported hardware listed in the catalog for an improved experience in production. -

-
-

- Bugzilla:2195986[1] -

-
-

RHEL on ARM now supports Bluetooth

-

- With this enhancement, you can configure a bluetooth device by using the bluetoothctl tool on the command-line interface. -

-
-

- Bugzilla:2187856[1] -

-
-

RHEL on ARM now fully supports USB-attached cameras in RHEL 9.3 -

-

- This enhancement enables the CONFIG_MEDIA_SUPPORT kernel - configuration for RHEL on AMD and Intel 64-bit architectures platforms. With that, you can now - use USB cameras on AMD and Intel 64-bit architectures systems. -

-
-

- Bugzilla:2192722[1] -

-
-

bpf rebased to version 6.3

-

- The Berkeley Packet Filter (BPF) facility has been rebased to Linux kernel version 6.3. Notable - changes and enhancements include: -

-
-
-
    -
  • - BPF trampoline is now available on the 64-bit IBM Z architecture. -
  • -
  • - A new map type - BPF_MAP_TYPE_USER_RINGBUF - and related - helpers have been defined for the communication between the user space and kernel over a - BPF-specific ring buffer. -
  • -
  • - BPF now provides new complex data structures: linked list and rbtree. -
  • -
  • - BPF trampoline that traces programs now supports struct - arguments. -
  • -
  • - BPF now provides a way to export XDP features supported by a NIC. -
  • -
  • - Hardware metadata are now exposed to XDP programs by using the BPF kernel functions (kfuncs) with initial support for RX hash and timestamp metadata. -
  • -
  • - BPF now provides a helper that sets source and destination NAT addresses and ports in new - conntrack module entries in BPF programs. -
  • -
  • - BPF can now write directly to the nf_conn:mark connection mark - of the netfilter packet filtering framework. -
  • -
-
-

- Bugzilla:2178930[1] -

-
-
-
-
-
-

4.9. Boot loader

-
-
-
-
-

New default behavior of grub2-mkconfig with - BLS

-

- In the Boot Loader Specification (BLS) framework, GRUB generates the boot menu dynamically from - BLS snippets at boot, and it is not predefined in the grub.cfg - file. -

-
-

- Previously, the grub2-mkconfig command generated a new grub.cfg file and always overwrote the command-line arguments in all BLS - snippets with the value of the GRUB_CMDLINE_LINUX variable found in the - /etc/default/grub file. -

-

- With this release, the grub2-mkconfig command no longer overwrites the - kernel command line in BLS snippets with GRUB_CMDLINE_LINUX by default. - Each kernel in the boot loader menu takes its kernel command line from its BLS snippet. This new - default behavior is caused by the GRUB_ENABLE_BLSCFG=true option. -

-

- To regenerate grub.cfg so that kernels ignore BLS snippets and take - their command line from GRUB_CMDLINE_LINUX instead, set the GRUB_ENABLE_BLSCFG=false option. -

-

- To update the kernel command line in BLS snippets according to GRUB_CMDLINE_LINUX, add the --update-bls-cmdline option: -

-
# grub2-mkconfig -o /path/to/grub.cfg --update-bls-cmdline
-

- Also note that you can make changes to BLS snippets for individual kernels using grubby: -

-
# grubby --update-kernel /path/to/kernel --args "new args"
-

- Jira:RHELDOCS-16752[1] -

-
-
-
-
-
-

4.10. File systems and storage

-
-
-
-
-

NFS server now implements courteous server code for nfsd

-

- This update introduces the implementation of courteous server code for nfsd in the RHEL kernel NFS server. With this new feature, the NFS - server avoids revoking leases for clients that have lost contact with the server for an extended - period, provided that there is no conflicting access while the client is out of contact. -

-
-

- Bugzilla:2180124 -

-
-

DAX mount option and reflink are now compatible

-

- With this update, reflinked files are now generally compatible with DAX mode. The file system - DAX mount option -o dax=always is compatible with reflink-enabled - file systems. Files that were reflinked can be set to DAX mode using inode flags. For more - information see the xfs(5) man page. -

-
-

- Bugzilla:2192730[1] -

-
-

New encryption types for the RPCSEC GSS Kerberos V5

-

- The RPCSEC GSS Kerberos V5 mechanism now supports encryption types defined in RFC 6803 (Camellia - Encryption for Kerberos 5) and RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos 5). -

-
-

- The following encryption types have been added: -

-
-
    -
  • - camellia128-cts-cmac -
  • -
  • - camellia256-cts-cmac -
  • -
  • - aes128-cts-hmac-sha256-128 -
  • -
  • - aes256-cts-hmac-sha384-192 -
  • -
-
-

- This allows NFS clients and NFS servers to use stronger encryption types when negotiating GSS - contexts. -

-

- Bugzilla:2178741 -

-
-

fuse3 now allows invalidating a directory - entry without triggering umount

-

- With this update, a new mechanism has been added to fuse3 package, - that allows invalidating a directory entry without automatically triggering the umount of any mounts that exists on the entry. -

-
-

- Bugzilla:2188182 -

-
-

Stratis storage manager is now available

-

- Stratis is a local storage manager. It provides managed file systems on top of pools of storage - with additional features to the user: -

-
-
-
    -
  • - Manage snapshots and thin provisioning -
  • -
  • - Automatically grow file system sizes as needed -
  • -
  • - Maintain file systems -
  • -
  • - Pool Level Encryption -
  • -
  • - TMP2 and NBDE Support -
  • -
-
-

- To administer Stratis storage, use the stratis utility, which - communicates with the stratisd background service. -

-

- For more information, see the Stratis documentation: Setting - up Stratis file systems. -

-

- Bugzilla:2041558 -

-
-

Improvements to GFS2 file system configuration and operation

-

- The following updates have been implemented for GFS2 file systems: -

-
-
-
    -
  • - The mkfs.gfs2 command now supports the new -U option, which makes it possible to specify the file system - UUID for the file system you create. If you omit this option, the file system’s UUID is - generated randomly. -
  • -
  • - The gfs2_jadd command creates journals at a much faster speed - than in previous releases. -
  • -
  • - The GFS2 man pages have been improved. -
  • -
-
-

- Bugzilla:2170017 -

-
-

dmpd rebased to version 1.0.2

-

- The dmpd package has been upgraded to version 1.0.2. Notable - changes include: -

-
-
-
    -
  • - Rewriting the tools in the Rust language for memory safety and for using multiple threads to - boost performance. -
  • -
  • - Improving the thin_check and cache_check tools to save the time of LVM pool activation along - with the system startup. The required execution time for these tools is now improved by more - than ten times as compared to the previous version. -
  • -
  • - Updating thin_dump and thin_restore tools to avoid losing sharing of the metadata btrees for snapshots. Now the restored metadata does not require - more space. -
  • -
  • - Adding new thin_metadata_pack and thin_metadata_unpack tools to compress thin metadata, typically - to a tenth of the size. This is better than the generic compressors. With this tool, it is - easier to pass damaged metadata around for inspection. -
  • -
-
-

- Bugzilla:2175198 -

-
-

New per-device counter is added for SCSI devices

-

- A new per-device counter, iotmo_cnt, is now added for the I/O - timeouts in the SCSI updates. In addition to the iorequest_cnt - count of I/O requests, the iodone_cnt I/O completions, and the - ioerr_cnt I/O errors, the number of request timeouts can be seen. - For example: -

-
-
/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iorequest_cnt
-/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iodone_cnt
-/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/iotmo_cnt
-/sys/devices/pci0000:16/0000:16:02.0/0000:17:00.0/host2/target2:2:0/2:2:0:0/ioerr_cnt
-

- Bugzilla:2171093[1] -

-
-

mpathcleanup flushes the multipath devices in - device-mapper-multipath

-

- The mpathcleanup tool works on SCSI-based multipath devices and - removes the multipath device along with the SCSI path devices. Some users need to remove - multipath devices and their path devices regularly. Previously, there was no tool available to - remove multipath devices and a user-defined script was required for this operation. -

-
-

- With this new tool, users can now easily remove multipath devices and their underlying storage, and - there is no need to create any script for this operation. -

-

- Jira:RHEL-782[1] -

-
-

nvme-cli rebased to version 2.4

-

- The nvme-cli package has been upgraded to version 2.4, which - provides multiple bug fixes and enhancements. Notable changes include: -

-
-
-
    -
  • - Supports TLS over TCP. -
  • -
  • - Fixes incorrect ordering of the systemd auto-connect services - to mount file systems using the /etc/fstab file. -
  • -
  • - Fixes printing of the u32 values. -
  • -
  • - Validates storage tag size correctly. -
  • -
  • - Supports the nvme effects-log command for fabrics controllers. -
  • -
-
-

- Bugzilla:2159929[1] -

-
-
-
-
-
-

4.11. High availability and clusters

-
-
-
-
-

Support for failover of LVM volume groups with missing physical - volumes

-

- The LVM-activate resource agent now supports two new options that - allow volume group failover if the volume group is missing physical volumes: -

-
-
-
    -
  • - The majoritypvs option allows the system ID to be changed on a - volume group when a volume group is missing physical volumes, provided that a majority of - physical volumes are present. -
  • -
  • - The degraded_activation option allows RAID logical volumes in a - volume group to be activated when legs are missing, provided that sufficient devices are - available for RAID to provide all the data in the logical volume. -
  • -
-
-

- Bugzilla:2174911[1] -

-
-

IPaddr2 and IPsrcaddr cluster resource agents now support policy-based - routing

-

- The IPaddr2 and IPsrcaddr cluster - resource agents now support policy-based routing,which enables you to configure complex routing - scenarios. Policy-based routing requires that you configure the resource agent’s table parameter. -

-
-

- Bugzilla:2142518 -

-
-

The Filesystem resource agent now supports the - EFS file system type

-

- The ocf:heartbeat:Filesystem cluster resource agent now supports - the Amazon Elastic File System (EFS). You can now specify fstype=efs when configuring a Filesystem - resource. -

-
-

- Bugzilla:2142002 -

-
-

New pcs parsing requires meta keyword when specifying clone meta attributes

-

- To ensure consistency in the pcs command format, configuring clone - meta attributes with the pcs resource clone, pcs resource promotable, and pcs resource create commands without specifying the meta keyword is now deprecated. -

-
-

- Previously, the meta keyword was ignored in the pcs resource clone and pcs resource promotable commands. In the pcs resource create command, however, the meta attributes specified after - the meta keyword when it followed the clone keyword were assigned to the resource rather than to the clone. - With this updated parsing algorithm, meta attributes specified after the meta keyword when it follows the clone - keyword are assigned to the clone. To maintain compatibility with existing scripts which rely on the - older format, you must specify the --future command option to enable - this new argument processing when creating a cloned resource with the pcs resource create command. -

-

- The following command now creates a resource with the meta attribute mv=v1 and a clone with the meta attribute mv=v2: -

-

- pcs resource create dummy1 ocf:pacemaker:Dummy meta m1=v1 clone meta m2=v2 --future -

-

- Bugzilla:2168155 -

-
-

Displaying the pcs commands for re-creating - configured resource constraints

-

- You can now display the pcs constraint commands that can be used to - re-create configured resource constraints on a different system by using the pcs constraint command with the new --output-format=cmd option. The default output format is plain text, - as in previous releases, which you can specify with the --output-format=text option. The plain text format has been changed - slightly to make it consistent with the output format of other pcs - commands. -

-
-

- Bugzilla:2163953 -

-
-

Rebase Pacemaker packages to version: 2.1.6

-

- The Pacemaker packages have been upgraded to upstream version 2.1.6, which provides several - enhancements and bug fixes over the previous version. -

-
-

- The following features have been added: -

-
-
    -
  • - Previously, when a Pacemaker Remote connection was lost, Pacemaker would always purge its - transient node attributes. This was unnecessary if the connection was quickly recoverable - and the remote daemon had not restarted in the meantime. Pacemaker Remote nodes now preserve - transient node attributes after a brief, recoverable connection outage. -
  • -
  • - The alert_snmp.sh.sample alert agent, which is the sample alert - agent provided with Pacemaker, now supports the SNMPv3 protocol and SNMPv2. With this - update, you can copy the alert_snmp.sh.sample agent without - modification to use SNMPv3 with Pacemaker alerts. -
  • -
  • - Pacemaker alerts and alert recipients now support an enabled - meta option. Setting this option to false for an alert disables - the alert. Setting this option to true for an alert and false for a particular recipient disables the alert for that - recipient. The default value for this option is true. You can - use this option to temporarily disable an alert for any reason, such as planned maintenance. -
  • -
-
-

- The following bugs have been fixed: -

-
-
    -
  • - Pacemaker Designated Controller elections no longer finalized until all pending actions are - complete and no action results are lost. -
  • -
  • - The fence_scsi agent is now able to auto-detect shared lvmlockd devices when the devices - attribute is not set. -
  • -
  • - Resource stickiness now properly compares against colocation scores. -
  • -
  • - The crm_resource command now allows banning or moving a bundle - with only a single active replica. -
  • -
  • - Previously, promotable clone instances were assigned in numerical order, with promoted - instances first. As a result, if a promoted clone instance needed to start, an unpromoted - instance in some cases restarted unexpectedly, because the instance numbers changed. With - this fix, roles are considered when assigning instance numbers to nodes and as a result no - unnecessary restarts occur. -
  • -
-
-

- Bugzilla:2189301 -

-
-

Enhancements to the pcs property - command

-

- The pcs property command now supports the following enhancements: -

-
-
-
    -
  • -

    - The pcs property config --output-format= option -

    -
    -
      -
    • - Specify --output-format=cmd to display the pcs property set command created from the current - cluster properties configuration. You can use this command to re-create - configured cluster properties on a different system. -
    • -
    • - Specify --output-format=json to display the - configured cluster properties in JSON format. -
    • -
    • - Specify output-format=text to display the - configured cluster properties in plain text format, which is the default value - for this option. -
    • -
    -
    -
  • -
  • - The pcs property defaults command, which replaces the - deprecated pcs property --defaults option -
  • -
  • - The pcs property describe command, which describes the meaning - of cluster properties -
  • -
-
-

- Bugzilla:2163914 -

-
-
-
-
-
-

4.12. Dynamic programming languages, web and database servers

-
-
-
-
-

A new environment variable in Python to control parsing of email - addresses

-

- To mitigate CVE-2023-27043, a backward - incompatible change to ensure stricter parsing of email addresses was introduced in Python 3. -

-
-

- The update in RHSA-2024:2024 introduces a new PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING environment variable. When you - set this variable to true, the previous, less strict parsing behavior - is the default for the entire system: -

-
export PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING=true
-

- However, individual calls to the affected functions can still enable stricter behavior. -

-

- You can achieve the same result by creating the /etc/python/email.cfg - configuration file with the following content: -

-
[email_addr_parsing]
-PYTHON_EMAIL_DISABLE_STRICT_ADDR_PARSING = true
-

- For more information, see the Knowledgebase article Mitigation of CVE-2023-27043 introducing - stricter parsing of email addresses in Python. -

-

- Jira:RHELDOCS-17369[1] -

-
-

A new nodejs:20 module stream is fully - supported

-

- A new module stream, nodejs:20, previously available as a - Technology Preview, is fully supported with the release of the RHEA-2023:7252 advisory. The - nodejs:20 module stream now provides Node.js 20.9, which is a Long Term Support (LTS) version. -

-
-

- Node.js 20 included in RHEL 9.3 provides numerous new features, bug - fixes, security fixes, and performance improvements over Node.js 18 - available since RHEL 9.1. -

-

- Notable changes include: -

-
-
    -
  • - The V8 JavaScript engine has been upgraded to version 11.3. -
  • -
  • - The npm package manager has been upgraded to version 9.8.0. -
  • -
  • - Node.js introduces a new experimental Permission Model. -
  • -
  • - Node.js introduces a new experimental Single Executable - Application (SEA) feature. -
  • -
  • - Node.js provides improvements to the Experimental ECMAScript - modules (ESM) loader. -
  • -
  • - The native test runner, introduced as an experimental node:test - module in Node.js 18, is now considered stable. -
  • -
  • - Node.js provides various performance improvements. -
  • -
-
-

- To install the nodejs:20 module stream, use: -

-
# dnf module install nodejs:20
-

- If you want to upgrade from the nodejs:18 stream, see Switching - to a later stream. -

-

- For information about the length of support for the nodejs Application - Streams, see Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Bugzilla:2186717 -

-
-

A new filter argument to the Python tarfile extraction functions

-

- To mitigate CVE-2007-4559, Python adds a - filter argument to the tarfile - extraction functions. The argument allows turning tar features off - for increased safety (including blocking the CVE-2007-4559 directory traversal attack). If a - filter is not specified, the 'data' filter, which is the safest but - most limited, is used by default in RHEL. In addition, Python emits a warning when your - application has been affected. -

-
-

- For more information, including instructions to hide the warning, see the Knowledgebase article Mitigation of directory traversal - attack in the Python tarfile library (CVE-2007-4559). -

-

- Jira:RHELDOCS-16405[1] -

-
-

The HTTP::Tiny Perl module now verifies TLS - certificates by default

-

- The default value for the verify_SSL option in the HTTP::Tiny Perl module has been changed from 0 to 1 to verify TLS certificates when - using HTTPS. This change fixes CVE-2023-31486 for HTTP::Tiny and CVE-2023-31484 for the CPAN - Perl module. -

-
-

- To make support for TLS verification available, this update adds the following dependencies to the - perl-HTTP-Tiny package: -

-
-
    -
  • - perl-IO-Socket-SSL -
  • -
  • - perl-Mozilla-CA -
  • -
  • - perl-Net-SSLeay -
  • -
-
-

- Bugzilla:2228412[1] -

-
-

httpd rebased to version 2.4.57

-

- The Apache HTTP Server has been updated to version 2.4.57, which provides bug fixes, - enhancements, and security fixes over version 2.4.53 available since RHEL 9.1. -

-
-

- Notable enhancements include: -

-
-
    -
  • - The rotatelogs utility provided with httpd introduces a new -T option to - truncate all rotated logfiles except the initial log file. -
  • -
  • - The LDAPConnectionPoolTTL directive of the mod_ldap module now accepts negative values to enable reuse of - connections of any age. Previously, a negative value was handled as an error. -
  • -
  • - Workers from the mod_proxy_hcheck module now correctly time out - according to the worker timeout settings. -
  • -
  • - The hcmethod parameter of the mod_proxy_hcheck module now provides new GET11, HEAD11, and OPTIONS11 methods for HTTP/1.1 requests. -
  • -
-
-

- Bugzilla:2184403 -

-
-

A new mod_authnz_fcgi module in httpd

-

- The Apache HTTP Server now includes the mod_authnz_fcgi module, - which enables FastCGI authorizer applications to authenticate users and authorize access to - resources. -

-
-

- The mod_authnz_fcgi module is not loaded by default. To load this - module, uncomment the following line in the /etc/httpd/conf.modules.d/00-optional.conf file: -

-
LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
-

- Bugzilla:2173295[1] -

-
-

A new ssl_pass_phrase_dialog directive in - nginx:1.22

-

- With this update to the nginx:1.22 module stream, you can use the - new ssl_pass_phrase_dialog directive to configure an external - program that is called at nginx start for each encrypted private - key. -

-
-

- To use the new directive, add one of the following lines to the /etc/nginx/nginx.conf file: -

-
-
    -
  • -

    - To call an external program for each encrypted private key file, enter: -

    -
    ssl_pass_phrase_dialog exec:<path_to_program>;
    -

    - nginx calls this program with the following two arguments: -

    -
    -
      -
    • - The server name specified in the server_name - setting. -
    • -
    • - One of the following algorithms: RSA, DSA, EC, DH, or UNK if a - cryptographic algorithm cannot be recognized. -
    • -
    -
    -
  • -
  • -

    - If you want to manually enter a passphrase for each encrypted private key file, enter: -

    -
    ssl_pass_phrase_dialog builtin;
    -

    - This is the default behavior if ssl_pass_phrase_dialog is - not configured. -

    -

    - Note that the nginx service fails to start if you use this - method but have at least one private key protected by a passphrase. In this case, use - one of the other methods. -

    -
  • -
  • -

    - If you want systemd to prompt for the passphrase for each - encrypted private key when you start the nginx service by - using the systemctl utility, enter: -

    -
    ssl_pass_phrase_dialog exec:/usr/libexec/nginx-ssl-pass-dialog;
    -
  • -
-
-

- Note that the ssl_pass_phrase_dialog directive in nginx is similar to the SSLPassPhraseDialog - directive in the Apache HTTP Server. -

-

- Bugzilla:2170808 -

-
-

A new rhel9/squid container image

-

- The rhel9/squid container image is now available in the Red Hat - Container Registry. Squid is a high-performance proxy caching - server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional - caching software, Squid handles all requests in a single, - non-blocking, I/O-driven process. Squid keeps metadata and - especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and - implements negative caching of failed requests. -

-
-

- To pull the new container image, run: -

-
# podman pull registry.redhat.io/rhel9/squid
-

- Bugzilla:2178953 -

-
-

A new module stream: redis:7

-

- Redis 7, an advanced key-value store, is now available as a new - module stream, redis:7. -

-
-

- Notable changes over Redis 6 include: -

-
-
    -
  • - Server-side scripting in the Redis Functions API -
  • -
  • - Fine-grained access control list (ACL) support -
  • -
  • - Shared publish/subscribe (pub/sub) support for clusters -
  • -
  • - Various new commands and command arguments -
  • -
-
-

- Redis 7 introduces several backward incompatible changes, for example: -

-
-
    -
  • - Redis 7 now stores append-only files (AOF) as multiple files in - a folder -
  • -
  • - Redis 7 uses a new version format for Redis Database (RDB) - files that is incompatible with earlier versions -
  • -
-
-

- For a complete list of features and incompatible changes, see the upstream release notes. -

-

- To install the redis:7 module stream, use: -

-
# dnf module install redis:7
-

- For information about the length of support for the redis Application - Streams, see Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- Bugzilla:2129826 -

-
-
-
-
-
-

4.13. Compilers and development tools

-
-
-
-
-

A new glibc option to influence optimized - routine usage on IBM Z

-

- On the IBM Z architecture, the glibc library selects function - implementations based on the hardware capabilities, such as hwcaps - and stfle bits. With this update, you can direct the choice made by - the library by setting the glibc.cpu.hwcaps tunable. -

-
-

- Bugzilla:2169978[1] -

-
-

Improved string and memory routine performance on Intel® Xeon® v5-based - hardware in glibc

-

- Previously, the default amount of cache used by glibc for string - and memory routines resulted in lower than expected performance on Intel® Xeon® v5-based - systems. With this update, the amount of cache to use has been tuned to improve performance. -

-
-

- Bugzilla:2213907 -

-
-

The system GCC compiler updated to version 11.4.1

-

- The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, - and Fortran programming languages. -

-
-

- The system GCC compiler has been updated to version 11.4.1, which includes numerous bug fixes and - enhancements available in the upstream GCC. -

-

- For usage information, see Developing - C and C++ applications in RHEL 9. -

-

- Bugzilla:2193180 -

-
-

GCC now supports preserving register arguments

-

- With this update, you can now store argument register content to the stack and generate proper - Call Frame Information (CFI) to allow the unwinder to locate it without negatively impacting - performance. -

-
-

- Bugzilla:2168204[1] -

-
-

A new -mdaz-ftz option in GCC on the 64-bit - Intel architecture

-

- The system version of GNU Compiler Collection (GCC) on the 64-bit Intel architecture now - supports the -mdaz-ftz option to enable flush-to-zero (FTZ) and - denormals-are-zero (DAZ) flags in the MXCSR Control and Status Register. -

-
-

- Bugzilla:2208908 -

-
-

New GCC Toolset 13

-

- GCC Toolset 13 is a compiler toolset that provides recent versions of development tools. It is - available as an Application Stream in the form of a Software Collection in the AppStream - repository. -

-
-

- The GCC compiler has been updated to version 13.1.1, which provides many bug fixes and enhancements - that are available in upstream GCC. -

-

- The following tools and versions are provided by GCC Toolset 13: -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ToolVersion
-

- GCC -

-
-

- 13.1.1 -

-
-

- GDB -

-
-

- 12.1 -

-
-

- binutils -

-
-

- 2.40 -

-
-

- dwz -

-
-

- 0.14 -

-
-

- annobin -

-
-

- 12.20 -

-
-
-

- To install GCC Toolset 13, run the following command as root: -

-
# dnf install gcc-toolset-13
-

- To run a tool from GCC Toolset 13: -

-
$ scl enable gcc-toolset-13 tool
-

- To run a shell session where tool versions from GCC Toolset 13 override system versions of these - tools: -

-
$ scl enable gcc-toolset-13 bash
-

- For more information, see GCC - Toolset 13 and Using - GCC Toolset. -

-

- Bugzilla:2171919[1], Bugzilla:2171930 -

-
-

GCC Toolset 13: GCC rebased to version 13.1.1

-

- In GCC Toolset 13, the GNU Compiler Collection (GCC) has been updated to version 13.1.1. Notable - changes include: -

-
-

- General improvements -

-
-
    -
  • -

    - OpenMP: -

    -
    -
      -
    • - OpenMP 5.0: Fortran now supports some non-rectangular loop nests. Such support - was added for C/C++ in GCC 11. -
    • -
    • - Many OpenMP 5.1 features have been added. -
    • -
    • - Initial support for OpenMP 5.2 features has been added. -
    • -
    -
    -
  • -
  • - A new debug info compression option value, -gz=zstd, is now - available. -
  • -
  • - The -Ofast, -ffast-math, and -funsafe-math-optimizations options no longer add startup code to - alter the floating-point environment when producing a shared object with the -shared option. -
  • -
  • - GCC can now emit its diagnostics using Static Analysis Results Interchange Format (SARIF), a - JSON-based format suited for capturing the results of static analysis tools (such as GCC’s - -fanalyzer). You can also use SARIF to capture other GCC - warnings and errors in a machine-readable format. -
  • -
  • - Link-time optimization improvements have been implemented. -
  • -
-
-

- New languages and language-specific improvements -

-

- C family: -

-
-
    -
  • - A new -Wxor-used-as-pow option warns about uses of the - exclusive or (^) operator where the user might have meant - exponentiation. -
  • -
  • -

    - Three new function attributes have been added for documenting int arguments that are file descriptors: -

    -
    -
      -
    • - attribute((fd_arg(N))) -
    • -
    • - attribute((fd_arg_read(N))) -
    • -
    • - attribute((fd_arg_write(N))) -
    • -
    -
    -

    - These attributes are also used by -fanalyzer to detect - misuses of file descriptors. -

    -
  • -
  • - A new statement attribute, attribute((assume(EXPR)));, - has been added for C++23 portable assumptions. The attribute is supported also in C or - earlier C++. -
  • -
  • - GCC can now control when to treat the trailing array of a structure as a flexible array - member for the purpose of accessing the elements of such an array. By default, all trailing - arrays in aggregates are treated as flexible array members. Use the new command-line option - -fstrict-flex-arrays to control what array members are treated - as flexible arrays. -
  • -
-
-

- C: -

-
-
    -
  • -

    - Several C23 features have been implemented: -

    -
    -
      -
    • - Introduced the nullptr constant. -
    • -
    • - Enumerations enhanced to specify underlying types. -
    • -
    • - Requirements for variadic parameter lists have been relaxed. -
    • -
    • - Introduced the auto feature to enable type - inference for object definitions. -
    • -
    • - Introduced the constexpr specifier for object - definitions. -
    • -
    • - Introduced storage-class specifiers for compound literals. -
    • -
    • - Introduced the typeof object (previously supported - as an extension) and the typeof_unqual object. -
    • -
    • - Added new keywords: alignas, alignof, bool, false, static_assert, - thread_local, and true. -
    • -
    • - Added the [[noreturn]] attribute to specify that a - function does not return execution to its caller. -
    • -
    • - Added support for empty initializer braces. -
    • -
    • - Added support for STDC_VERSION_*_H - header version macros. -
    • -
    • - Removed the ATOMIC_VAR_INIT macro. -
    • -
    • - Added the unreachable macro for the <stddef.h> header. -
    • -
    • - Removed trigraphs. -
    • -
    • - Removed unprototyped functions. -
    • -
    • - Added printf and scanf - format checking through the -Wformat option for the - %wN and %wfN format - length modifiers. -
    • -
    • - Added support for identifier syntax of Unicode Standard Annex (UAX) 31. -
    • -
    • - Existing features adopted in C23 have been adjusted to follow C23 requirements - and are not diagnosed using the -std=c2x -Wpedantic - option. -
    • -
    -
    -
  • -
  • - A new -Wenum-int-mismatch option warns about mismatches between - an enumerated type and an integer type. -
  • -
-
-

- C++: -

-
-
    -
  • -

    - Implemented excess precision support through the -fexcess-precision option. It is enabled by default in strict - standard modes such as -std=c++17, where it defaults to - -fexcess-precision=standard. In GNU standard modes such as - -std=gnu++20, it defaults to -fexcess-precision=fast, which restores previous behavior. -

    -

    - The -fexcess-precision option affects the following - architectures: -

    -
    -
      -
    • - Intel 32- and 64-bit using x87 math, in some cases on Motorola 68000, where - float and double - expressions are evaluated in long double precision. -
    • -
    • - 64-bit IBM Z systems where float expressions are - evaluated in double precision. -
    • -
    • - Several architectures that support the std::float16_t or std::bfloat16_t types, where these types are - evaluated in float precision. -
    • -
    -
    -
  • -
  • -

    - Improved experimental support for C++23, including:: -

    -
    -
      -
    • - Added support for labels at the end of compound statements. -
    • -
    • - Added a type trait to detect reference binding to a temporary. -
    • -
    • - Reintroduced support for volatile compound operations. -
    • -
    • - Added support for the #warning directive. -
    • -
    • - Added support for delimited escape sequences. -
    • -
    • - Added support for named universal character escapes. -
    • -
    • - Added a compatibility and portability fix for the char8_t type. -
    • -
    • - Added static operator() function objects. -
    • -
    • - Simplified implicit moves. -
    • -
    • - Rewriting equality in expressions is now less of a breaking change. -
    • -
    • - Removed non-encodable wide character literals and wide multicharacter literals. -
    • -
    • - Relaxed some constexpr function restrictions. -
    • -
    • - Extended floating-point types and standard names. -
    • -
    • - Implemented portable assumptions. -
    • -
    • - Added support for UTF-8 as a portable source file encoding standard. -
    • -
    • - Added support for static operator[] subscripts. -
    • -
    -
    -
  • -
  • -

    - New warnings: -

    -
    -
      -
    • - -Wself-move warns when a value is moved to itself - with std::move. -
    • -
    • - -Wdangling-reference warns when a reference is - bound to a temporary whose lifetime has ended. -
    • -
    • - The -Wpessimizing-move and -Wredundant-move warnings have been extended to warn - in more contexts. -
    • -
    -
    -
  • -
  • - The new -nostdlib++ option enables linking with g++ without implicitly linking in the C++ standard library. -
  • -
-
-

- Changes in the libstdc++ runtime - library -

-
-
    -
  • -

    - Improved experimental support for C++20, including: -

    -
    -
      -
    • - Added the <format> header and the std::format function. -
    • -
    • - Added support in the <chrono> header for the - std::chrono::utc_clock clock, other clocks, time - zones, and the std::format function. -
    • -
    -
    -
  • -
  • -

    - Improved experimental support for C++23, including: -

    -
    -
      -
    • - Additions to the <ranges> header: views::zip, views::zip_transform, views::adjacent, views::adjacent_transform, views::pairwise, views::slide, views::chunk, views::chunk_by, views::repeat, views::chunk_by, views::cartesian_product, views::as_rvalue, views::enumerate, views::as_const. -
    • -
    • - Additions to the <algorithm> header: ranges::contains, ranges::contains_subrange, ranges::iota, ranges::find_last, ranges::find_last_if, ranges::find_last_if_not, ranges::fold_left, ranges::fold_left_first, ranges::fold_right, ranges::fold_right_last, ranges::fold_left_with_iter, ranges::fold_left_first_with_iter. -
    • -
    • - Support for monadic operations for the std::expected class template. -
    • -
    • - Added constexpr modifiers to the std::bitset, std::to_chars and std::from_chars functions. -
    • -
    • - Added library support for extended floating-point types. -
    • -
    -
    -
  • -
  • - Added support for the <experimental/scope> header from - version 3 of the Library Fundamentals Technical Specification (TS). -
  • -
  • - Added support for the <experimental/synchronized_value> - header from version 2 of the Concurrency TS. -
  • -
  • -

    - Added support for many previously unavailable features in freestanding mode. For - example: -

    -
    -
      -
    • - The std::tuple class template is now available for - freestanding compilation. -
    • -
    • - The libstdc++ library adds components to the - freestanding subset, such as std::array and std::string_view. -
    • -
    • - The libstdc++ library now respects the -ffreestanding compiler option, so it is no longer - necessary to build a separate freestanding installation of the libstdc++ library. Compiling with -ffreestanding will restrict the available features - to the freestanding subset, even if the libstdc++ - library was built as a full, hosted implementation. -
    • -
    -
    -
  • -
-
-

- New targets and target-specific Improvements -

-

- The 64-bit ARM architecture: -

-
-
    -
  • - Added support for the armv9.1-a, armv9.2-a, and armv9.3-a arguments - for the -march= option. -
  • -
-
-

- The 32- and 64-bit AMD and Intel architectures: -

-
-
    -
  • - For both C and C++, the __bf16 type is supported on systems - with Streaming SIMD Extensions 2 and above enabled. -
  • -
  • - The real __bf16 type is now used for AVX512BF16 instruction intrinsics. Previously, __bfloat16, a typedef of short, was used. Adjust your AVX512BF16 related source code when upgrading GCC 12 to GCC 13. -
  • -
  • -

    - Added new Instruction Set Architecture (ISA) extensions to support the following Intel - instructions: -

    -
    -
      -
    • - AVX-IFMA whose instruction intrinsics are available - through the -mavxifma compiler switch. -
    • -
    • - AVX-VNNI-INT8 whose instruction intrinsics are - available through the -mavxvnniint8 compiler - switch. -
    • -
    • - AVX-NE-CONVERT whose instruction intrinsics are - available through the -mavxneconvert compiler - switch. -
    • -
    • - CMPccXADD whose instruction intrinsics are - available through the -mcmpccxadd compiler switch. -
    • -
    • - AMX-FP16 whose instruction intrinsics are available - through the -mamx-fp16 compiler switch. -
    • -
    • - PREFETCHI whose instruction intrinsics are - available through the -mprefetchi compiler switch. -
    • -
    • - RAO-INT whose instruction intrinsics are available - through the -mraoint compiler switch. -
    • -
    • - AMX-COMPLEX whose instruction intrinsics are - available through the -mamx-complex compiler - switch. -
    • -
    -
    -
  • -
  • - GCC now supports AMD CPUs based on the znver4 core through the - -march=znver4 compiler switch. The switch makes GCC consider - using 512-bit vectors when auto-vectorizing. -
  • -
-
-

- Improvements to the static analyzer -

-
-
    -
  • -

    - The static analyzer has gained 20 new warnings: -

    -
    -
      -
    • - -Wanalyzer-allocation-size -
    • -
    • - -Wanalyzer-deref-before-check -
    • -
    • - -Wanalyzer-exposure-through-uninit-copy -
    • -
    • - -Wanalyzer-imprecise-fp-arithmetic -
    • -
    • - -Wanalyzer-infinite-recursion -
    • -
    • - -Wanalyzer-jump-through-null -
    • -
    • - -Wanalyzer-out-of-bounds -
    • -
    • - -Wanalyzer-putenv-of-auto-var -
    • -
    • - -Wanalyzer-tainted-assertion -
    • -
    • -

      - Seven new warnings relating to misuse of file descriptors: -

      -
      -
        -
      • - -Wanalyzer-fd-access-mode-mismatch -
      • -
      • - -Wanalyzer-fd-double-close -
      • -
      • - -Wanalyzer-fd-leak -
      • -
      • - -Wanalyzer-fd-phase-mismatch (for - example, calling accept on a socket - before calling listen on it) -
      • -
      • - -Wanalyzer-fd-type-mismatch (for - example, using a stream socket operation on a datagram socket) -
      • -
      • - -Wanalyzer-fd-use-after-close -
      • -
      • -

        - -Wanalyzer-fd-use-without-check -

        -
        -
          -
        • - Also implemented special-casing handling of the behavior - of the open, close, creat, dup, dup2, dup3, pipe, pipe2, read, and write functions. -
        • -
        -
        -
      • -
      -
      -
    • -
    • -

      - Four new warnings for misuses of the <stdarg.h> header: -

      -
      -
        -
      • - -Wanalyzer-va-list-leak warns about - missing a va_end macro after a va_start or va_copy macro. -
      • -
      • - -Wanalyzer-va-list-use-after-va-end - warns about a va_arg or va_copy macro used on a va_list object type that has had the - va_end macro called on it. -
      • -
      • - -Wanalyzer-va-arg-type-mismatch - type-checks va_arg macro usage in - interprocedural execution paths against the types of the parameters - that were actually passed to the variadic call. -
      • -
      • - -Wanalyzer-va-list-exhausted warns if a - va_arg macro is used too many times on - a va_list object type in - interprocedural execution paths. -
      • -
      -
      -
    • -
    -
    -
  • -
  • - Numerous other improvements. -
  • -
-
-

- Backwards incompatible changes -

-

- For C++, construction of global iostream objects such as std::cout, - std::cin is now done inside the standard library, instead of in every - source file that includes the <iostream> header. This change - improves the startup performance of C++ programs, but it means that code compiled with GCC 13.1 will - crash if the correct version of libstdc++.so is not used at runtime. - See the documentation - about using the correct libstdc++.so at runtime. Future GCC releases - will mitigate the problem so that the program cannot be run at all with an earlier incompatible - libstdc++.so. -

-

- Bugzilla:2172093[1] -

-
-

GCC Toolset 13: annobin rebased to version - 12.20

-

- GCC Toolset 13 provides the annobin package version 12.20. Notable - enhancements include: -

-
-
-
    -
  • - Added support for moving annobin notes into a separate debug - info file. This results in reduced executable binary size. -
  • -
  • - Added support for a new smaller note format reduces the size of the separate debuginfo files - and the time taken to create these files. -
  • -
-
-

- Bugzilla:2171923[1] -

-
-

GCC Toolset 13: GDB rebased to version 12.1

-

- GCC Toolset 13 provides GDB version 12.1. -

-
-

- Notable bug fixes and enhancements include: -

-
-
    -
  • - GDB now styles source code and disassembler by default. If styling interferes with - automation or scripting of GDB, you can disable it by using the maint set gnu-source-highlight enabled off and maint set style disassembler enabled off commands. -
  • -
  • - GDB now displays backtraces whenever it encounters an internal error. If this affects - scripts or automation, you can use the maint set backtrace-on-fatal-signal off command to disable this - feature. -
  • -
-
-

- C/C++ improvements: -

-
-
    -
  • - GDB now treats functions or types involving C++ templates similarly to function overloads. - You can omit parameter lists to set breakpoints on families of template functions, including - types or functions composed of multiple template types. Tab completion has gained similar improvements. -
  • -
-
-

- Terminal user interface (TUI): -

-
-
    -
  • -

    - tui layout -

    -

    - tui focus -

    -

    - tui refresh -

    -

    - tui window height
    These are the new names for the old - layout, focus, refresh, and winheight TUI - commands. The old names still exist as aliases to these new commands. -

    -
  • -
  • -

    - tui window width -

    -

    - winwidth -

    -

    - Use the new tui window width command, or the winwidth alias, to adjust the width of a TUI window when - windows are laid out in horizontal mode. -

    -
  • -
  • -

    - info win -

    -

    - This command now includes information about the width of the TUI windows in its output. -

    -
  • -
-
-

- Machine Interface (MI) changes: -

-
-
    -
  • - The default version of the MI interpreter is now 4 (-i=mi4). -
  • -
  • - The -add-inferior command with no flag now inherits the - connection of the current inferior. This restores the behavior of GDB before version 10. -
  • -
  • - The -add-inferior command now accepts a --no-connection flag that causes the new inferior to start - without a connection. -
  • -
  • -

    - The script field in breakpoint output (which is - syntactically incorrect in MI 3 and earlier) has become a list in MI 4. This affects the - following commands and events: -

    -
    -
      -
    • - -break-insert -
    • -
    • - -break-info -
    • -
    • - =breakpoint-created -
    • -
    • -

      - =breakpoint-modified -

      -

      - Use the -fix-breakpoint-script-output command - to enable the new behavior with earlier MI versions. -

      -
    • -
    -
    -
  • -
-
-

- New commands: -

-
-
    -
  • -

    - maint set internal-error backtrace [on|off] -

    -

    - maint show internal-error backtrace -

    -

    - maint set internal-warning backtrace [on|off] -

    -

    - maint show internal-warning backtrace -

    -

    - GDB can now print a backtrace of itself when it encounters internal error or internal - warning. This is enabled by default for internal errors and disabled by default for - internal warnings. -

    -
  • -
  • -

    - exit -

    -

    - You can exit GDB using the new exit command in addition to - the existing quit command. -

    -
  • -
  • -

    - maint set gnu-source-highlight enabled [on|off] -

    -

    - maint show gnu-source-highlight enabled
    Enables or - disables the GNU Source Highlight library for adding styling to source code. When - disabled, the library is not used even if it is available. When the GNU Source Highlight - library is not used the Python Pygments library is used instead. -

    -
  • -
  • -

    - set suppress-cli-notifications [on|off] -

    -

    - show suppress-cli-notifications -

    -

    - Controls if printing the notifications is suppressed for CLI or not. CLI notifications - occur when you change the selected context (such as the current inferior, thread, or - frame), or when the program being debugged stops (for example: because of hitting a - breakpoint, completing source-stepping, or an interrupt). -

    -
  • -
  • -

    - set style disassembler enabled [on|off] -

    -

    - show style disassembler enabled -

    -

    - When enabled, the command applies styling to disassembler output if GDB is compiled with - Python support and the Python Pygments package is available. -

    -
  • -
-
-

- Changed commands: -

-
-
    -
  • -

    - set logging [on|off] -

    -

    - Deprecated and replaced by the set logging enabled [on|off] - command. -

    -
  • -
  • -

    - print -

    -

    - Printing of floating-point values with base-modifying formats such as /x has been changed to display the underlying bytes of the - value in the required base. -

    -
  • -
  • -

    - clone-inferior -

    -

    - The clone-inferior command now ensures that the TTY, CMD, and ARGs settings are copied from the original inferior to the - new one. All modifications to the environment variables done using the set environment or unset environment commands are also copied to the new - inferior. -

    -
  • -
-
-

- Python API: -

-
-
    -
  • - The new gdb.add_history() function takes a gdb.Value object and adds the value it represents to GDB’s - history list. The function returns an integer, which is the index of the new item in the - history list. -
  • -
  • - The new gdb.history_count() function returns the number of - values in GDB’s value history. -
  • -
  • - The new gdb.events.gdb_exiting event is called with a gdb.GdbExitingEvent object that has the read-only attribute exit_code containing the value of the GDB exit code. This event - is triggered before GDB’s exit before GDB starts to clean up its internal state. -
  • -
  • - The new gdb.architecture_names() function returns a list - containing all of the possible Architecture.name() values. Each - entry is a string. -
  • -
  • - The new gdb.Architecture.integer_type() function returns an - integer type given a size and a signed-ness. -
  • -
  • - The new gdb.TargetConnection object type represents a - connection (as displayed by the info connections command). A - sub-class, gdb.RemoteTargetConnection, represents remote and extended-remote - connections. -
  • -
  • - The gdb.Inferior type now has a connection property that is an instance of the gdb.TargetConnection object, the connection used by this - inferior. This can be None if the inferior has no connection. -
  • -
  • - The new gdb.events.connection_removed event registry emits a - gdb.ConnectionEvent event when a connection is removed from - GDB. This event has a connection property, a gdb.TargetConnection object for the connection being removed. -
  • -
  • - The new gdb.connections() function returns a list of all - currently active connections. -
  • -
  • - The new gdb.RemoteTargetConnection.send_packet(PACKET) method - is equivalent to the existing maint packet CLI command. You can - use it to send a specified packet to the remote target. -
  • -
  • - The new gdb.host_charset() function returns the name of the - current host character set as a string. -
  • -
  • - The new gdb.set_parameter(NAME, VALUE) - function sets the GDB parameter NAME to VALUE. -
  • -
  • - The new gdb.with_parameter(NAME, VALUE) - function returns a context manager that temporarily sets the GDB parameter NAME to VALUE and then resets it - when the context is exited. -
  • -
  • - The gdb.Value.format_string method now takes a styling argument, which is a boolean. When true, the returned string can include escape sequences to apply - styling. The styling is present only if styling is turned on in GDB (see help set styling). When false, which - is the default if the styling argument is not given, no styling - is applied to the returned string. -
  • -
  • - The new read-only attribute gdb.InferiorThread.details is - either a string containing additional target-specific thread-state information, or None if there is no such additional information. -
  • -
  • - The new read-only attribute gdb.Type.is_scalar is True for scalar types, and False for - all other types. -
  • -
  • - The new read-only attribute gdb.Type.is_signed should only be - read when Type.is_scalar is True, - and will be True for signed types and False for all other types. Attempting to read this attribute for - non-scalar types will raise a ValueError. -
  • -
  • - You can now add GDB and MI commands implemented in Python. -
  • -
-
-

- For more information see the upstream release notes: -

-

- What - has changed in GDB? -

-

- Bugzilla:2172096[1] -

-
-

GCC Toolset 13: bintuils rebased to version - 2.40

-

- GCC Toolset 13 provides the binutils package version 2.40. Notable - enhancements include: -

-
-

- Linkers: -

-
-
    -
  • - The new -w (--no-warnings) - command-line option for the linker suppresses the generation of any warning or error - messages. This is useful in case you need to create a known non-working binary. -
  • -
  • -

    - The ELF linker now generates a warning message if: -

    -
    -
      -
    • - The stack is made executable -
    • -
    • - It creates a memory resident segment with all three of the Read, Write and eXecute permissions set -
    • -
    • -

      - It creates a thread local data segment with the eXecute permission set. -

      -

      - You can disable these warnings by using the --no-warn-exec-stack or --no-warn-rwx-segments options. -

      -
    • -
    -
    -
  • -
  • - The linker can now insert arbitrary JSON-format metadata into binaries that it creates. -
  • -
-
-

- Other tools: -

-
-
    -
  • - A new the objdump tool’s --private - option to display fields in the file header and section headers for Portable Executable (PE) - format files. -
  • -
  • - A new --strip-section-headers command-line option for the objcopy and strip utilities to - remove the ELF section header from ELF files. -
  • -
  • - A new --show-all-symbols command-line option for the objdump utility to display all symbols that match a given address - when disassembling, as opposed to the default function of displaying only the first symbol - that matches an address. -
  • -
  • - A new -W (--no-weak) option to the - nm utility to make it ignore weak symbols. -
  • -
  • -

    - The objdump utility now supports syntax highlighting of - disassembler output for some architectures. Use the --disassembler-color=MODE - command-line option, with MODE being one of the - following: -

    -
    -
      -
    • - off -
    • -
    • - color - This option is supported by all terminal - emulators. -
    • -
    • - extended-color - This option uses 8-bit colors not - supported by all terminal emulators. -
    • -
    -
    -
  • -
-
-

- Bugzilla:2171926[1] -

-
-

libabigail rebased to version 2.3

-

- The libabigail package has been updated to version 2.3. Notable - improvements include: -

-
-
-
    -
  • - The BTF debuginfo format is now supported. -
  • -
  • - Improved support for Ada range types. -
  • -
  • - A new [allow_type] directive in suppression specifications is - now supported. -
  • -
  • - Added various new properties for the [supress_type] suppression - specification. -
  • -
  • - The ABIXML file format has been updated to version 2.2. -
  • -
  • - The SONAME of the library has been changed to reflect its own ABI change. -
  • -
-
-

- The libabigail package is available in the CodeReady Linux Builder - (CRB) repository. Note that packages included in the CodeReady Linux Builder repository are - unsupported. -

-

- Bugzilla:2186931 -

-
-

The find-debuginfo script in debugedit now supports the -q (--quiet) flag

-

- With this update, you can use the find-debuginfo script’s -q (--quiet) flag in the debugedit utility to silence non-error output from the script. -

-
-

- Bugzilla:2177302 -

-
-

Valgrind rebased to version 3.21.0

-

- Valgrind has been updated to version 3.21.0. Notable enhancements include: -

-
-
-
    -
  • - A new abexit value for the --vgdb-stop-at=event1,event2,…​ - option notifies the gdbserver utility when your program exits - abnormally, such as with a nonzero exit code. -
  • -
  • -

    - A new --enable-debuginfod=[yes|no] option instructs - Valgrind to use the debuginfod servers listed in the DEBUGINFOD_URLS environment variable to fetch any missing - DWARF debuginfo information for the program running under Valgrind. The default value - for this option is yes. -

    -
    -
    Note
    -
    -

    - The DEBUGINFOD_URLS environment variable is not set - by default. -

    -
    -
    -
  • -
  • - Valgrind now provides GDB Python commands. These GDB front end commands provide a better - integration in the GDB command-line interface. Benefits of this are, for example, GDB - auto-completion, and command-specific help, searching for a command or command help that - matches a regular expression. For relevant monitoring commands, GDB evaluates arguments to - simplify usage of monitor commands. -
  • -
  • - The vgdb utility now supports the extended remote protocol when - invoked with the --multi option. The GDB run command is supported in this mode and, as a result, you can - run GDB and Valgrind from a single terminal. -
  • -
  • - You can use the --realloc-zero-bytes-frees=[yes|no] option to - change the behavior of the realloc() function with a size of - zero for tools that intercept the malloc() call. -
  • -
  • - The memcheck tool now performs checks for the use of the realloc() function with a size of zero. Use the new --show-realloc-size-zero=[yes|no] switch to disable this feature. -
  • -
  • - You can use the new --history-backtrace-size=value - option for the helgrind tool to configure the number of entries - to record in the stack traces of earlier accesses. -
  • -
  • - The --cache-sim=[yes|no] cachegrind option now defaults to no - and, as a result, only instruction cache read events are gathered by default. -
  • -
  • - The source code for the cg_annotate, cg_diff, and cg_merge cachegrind utilities has been rewritten and, as a result, the - utilities have more flexible command line option handling. For example, they now support the - --show-percs and --no-show-percs - options and the existing --show-percs=yes and --show-percs=no options. -
  • -
  • - The cg_annotate cachegrind utility - now supports diffing (using the --diff, --mod-filename, and --mod-funcname - options) and merging (by passing multiple data files). In addition, cg_annotate now provides more information at the file and - function level. -
  • -
  • - A new user-request for the DHAT tool allows you to override the - 1024 byte limit on access count histograms for blocks of memory. -
  • -
-
-

- The following new architecture-specific instruction sets are now supported: -

-
-
    -
  • -

    - 64-bit ARM: -

    -
    -
      -
    • - v8.2 scalar and vector Floating-point Absolute Difference (FABD), Floating-point - Absolute Compare Greater than or Equal (FACGE), Floating-point Absolute Compare - Greater Than (FACGT), and Floating-point Add (FADD) instructions. -
    • -
    • - v8.2 Floating-point (FP) compare and conditional compare instructions. -
    • -
    • - Zero variants of v8.2 Floating-point (FP) compare instructions. -
    • -
    -
    -
  • -
  • -

    - 64-bit IBM Z: -

    -
    -
      -
    • - Support for the miscellaneous-instruction-extensions facility 3 and - the vector-enhancements facility 2. This enables - programs compiled with the -march=arch13 or -march=z15 options to be executed under Valgrind. -
    • -
    -
    -
  • -
  • -

    - IBM Power: -

    -
    -
      -
    • - ISA 3.1 support is now complete. -
    • -
    • - ISA 3.0 now supports the deliver a random number (darn) instruction. -
    • -
    • - ISA 3.0 now supports the System Call Vectored (scv) instruction. -
    • -
    • - ISA 3.0 now supports the copy, paste, and cpabort instructions. -
    • -
    -
    -
  • -
-
-

- Bugzilla:2124346 -

-
-

systemtap rebased to version 4.9

-

- The systemtap package has been upgraded to version 4.9. Notable - changes include: -

-
-
-
    -
  • - A new Language-Server-Protocol (LSP) backend for easier interactive drafting of systemtap scripts on LSP-capable editors. -
  • -
  • - Access to a Python/Jupyter interactive notebook front end. -
  • -
  • - Improved handling of DWARF 5 bit fields. -
  • -
-
-

- Bugzilla:2186934 -

-
-

elfutils rebased to version 0.189

-

- The elfutils package has been updated to version 0.189. Notable - improvements and bug fixes include: -

-
-
-
-
libelf
-
- The elf_compress tool now supports the ELFCOMPRESS_ZSTD ELF compression type. -
-
libdwfl
-
- The dwfl_module_return_value_location function now returns 0 - (no return type) for DWARF Information Entries (DIEs) that point to a DW_TAG_unspecified_type type tag. -
-
eu-elfcompress
-
- The -t and --type= options now - support the Zstandard (zstd) compression format via the zstd argument. -
-
-
-

- Bugzilla:2182061 -

-
-

libpfm rebased to version 4.13

-

- The libpfm package has been updated to version 4.13. With this - update, libpfm can access performance monitoring hardware native - events for the following processor microarchitectures: -

-
-
-
    -
  • - AMD Zen 2 -
  • -
  • - AMD Zen 3 -
  • -
  • - AMD Zen 4 -
  • -
  • - ARM Neoverse N1 -
  • -
  • - ARM Neoverse N2 -
  • -
  • - ARM Neoverse V1 -
  • -
  • - ARM Neoverse V2 -
  • -
  • - IBM z16 -
  • -
  • - 4th Generation Intel® Xeon® Scalable Processors -
  • -
-
-

- Bugzilla:2185652, - Bugzilla:2047720, Bugzilla:2111940, Bugzilla:2111924, Bugzilla:2111930, Bugzilla:2111933, - Bugzilla:2111957, Bugzilla:2111946 -

-
-

papi supports new processor - microarchitectures

-

- With this enhancement, you can access performance monitoring hardware using papi events presets on the following processor microarchitectures: -

-
-
-
    -
  • - AMD Zen 2 -
  • -
  • - AMD Zen 3 -
  • -
  • - ARM Neoverse N1 -
  • -
  • - ARM Neoverse N2 -
  • -
  • - ARM Neoverse V1 -
  • -
  • - ARM Neoverse V2 -
  • -
-
-

- Bugzilla:2111923[1], Bugzilla:2111947, Bugzilla:2111942 -

-
-

papi now supports fast performance event count - read operations for 64-bit ARM processors

-

- Previously on 64-bit ARM processors, all performance event counter read operations required the - use of a resource-intensive system call. papi has been updated for - 64-bit ARM to let processes monitoring themselves with the performance counters use a faster - user-space read of the performance event counters. Setting the /proc/sys/kernel/perf_user_access parameter to 1 reduces the average - number of clock cycles for papi to read 2 counters from 724 cycles - to 29 cycles. -

-
-

- Bugzilla:2186927[1] -

-
-

LLVM Toolset rebased to version 16.0.6

-

- LLVM Toolset has been updated to version 16.0.6. -

-
-

- Notable enhancements include: -

-
-
    -
  • - Improvements to optimization -
  • -
  • - Support for new CPU extensions -
  • -
  • - Improved support for new C++ versions. -
  • -
-
-

- Notable backwards incompatible changes include: -

-
-
    -
  • - Clang’s default C++ standard is now gnu++17 instead of gnu++14. -
  • -
  • - The -Wimplicit-function-declaration, -Wimplicit-int and -Wincompatible-function-pointer-types options now default to - error for C code. This might affect the behavior of configure scripts. -
  • -
-
-

- By default, Clang 16 uses the libstdc++ library version 13 and binutils 2.40 provided by GCC Toolset 13. -

-

- For more information, see the LLVM release notes and Clang - release notes. -

-

- Bugzilla:2178796 -

-
-

Rust Toolset rebased to version 1.71.1

-

- Rust Toolset has been updated to version 1.71.1. Notable changes include: -

-
-
-
    -
  • - A new implementation of multiple producer, single consumer (mpsc) channels to improve - performance -
  • -
  • - A new Cargo sparse index protocol for more efficient use of the - crates.io registry -
  • -
  • - New OnceCell and OnceLock types - for one-time value initialization -
  • -
  • - A new C-unwind ABI string to enable usage of forced unwinding - across Foreign Function Interface (FFI) boundaries -
  • -
-
-

- For more details, see the series of upstream release announcements: -

- -

- Bugzilla:2191743 -

-
-

The Rust profiler_builtins runtime component - is now available

-

- With this enhancement, the Rust profile_builtins runtime component - is now available. This runtime component enables the following compiler options: -

-
-
-
-
-C instrument-coverage
-
- Enables coverage profiling -
-
-C profile-generate
-
- Enables profile-guided optimization -
-
-
-

- Bugzilla:2227082[1] -

-
-

Go Toolset rebased to version 1.20.10

-

- Go Toolset has been updated to version 1.20.10. -

-
-

- Notable enhancements include: -

-
-
    -
  • - New functions added in the unsafe package to handle slices and - strings without depending on the internal representation. -
  • -
  • - Comparable types can now satisfy comparable constraints. -
  • -
  • - A new crypto/ecdh package. -
  • -
  • - The go build and go test commands - no longer accept the -i flag. -
  • -
  • - The go generate and go test - commands now accept the -skip pattern option. -
  • -
  • - The go build, go install, and - other build-related commands now support the -pgo and -cover flags. -
  • -
  • - The go command now disables cgo by - default on systems without a C toolchain. -
  • -
  • - The go version -m command now supports reading more Go binaries - types. -
  • -
  • - The go command now disables cgo by - default on systems without a C toolchain. -
  • -
  • - Added support for collecting code coverage profiles from applications and integration tests - instead of collecting them only from unit tests. -
  • -
-
-

- Bugzilla:2185259[1] -

-
-

pcp rebased to version 6.0.5

-

- The pcp package has been updated to version 6.0.5. Notable changes - include: -

-
-

- Collector tool features -

-
-
    -
  • -

    - pmdaproc: -

    -
    -
      -
    • - Added support for per-cgroup IRQ PSI metrics in recent kernels -
    • -
    • - Added a new proc.smaps.pss_dirty metric -
    • -
    -
    -
  • -
  • - pmdasmart: Added NVME disk information and power state metrics -
  • -
  • -

    - pmdalinux: -

    -
    -
      -
    • - Added support for system wide IRQ PSI metrics in recent kernels -
    • -
    • - Added NUMA external memory fragmentation metric -
    • -
    • - Added new networking (TCP, ICMP) metrics -
    • -
    -
    -
  • -
  • - pmdaoverhead: A new PMDA to measure overhead for groups of - processes -
  • -
  • - pmdahacluster: Updated to handle Pacemaker 2.1.5 crm_mon output changes -
  • -
-
-

- Monitoring tool features -

-
-
    -
  • -

    - pmieconf: -

    -
    -
      -
    • - Added support for webhook actions (Event Driven Ansible) -
    • -
    • - Added a new pmie rule that checks file descriptor - limits -
    • -
    -
    -
  • -
  • - pcp2json: Extended pcp2json with - an option to send HTTP POSTs -
  • -
  • - pcp-atop: Added cgroup, NUMA - memory, and NUMA CPU support -
  • -
  • - pcp-htop: Added support for a new open file descriptors Meter -
  • -
  • - pcp-ps: Added capability to show multiple archive samples -
  • -
-
-

- Bugzilla:2175602 -

-
-

PCP’s pmie utility now supports generating - webhook events

-

- The Performance Metrics Inference Engine (pmie) utility from - Performance Co-Pilot (PCP) now supports generating webhook events. With this update, configured - pmie rules generate events in a format consumable by Event-Driven - Ansible (EDA). As a result, EDA can respond to PCP rules. -

-
-

- To enable this feature, configure all local pmie rules to send to a - webhook at a given endpoint (URL): -

-
# pmieconf modify global webhook_endpoint https://localhost:443/<endpoint>
-# pmieconf modify global webhook_action yes
-

- Bugzilla:2185803 -

-
-

grafana rebased to version 9.2.10

-

- The grafana package has been updated to version 9.2.10. Notable - changes include: -

-
-
-
    -
  • - The heatmap panel is now used throughout Grafana. -
  • -
  • - Geomaps can now measure both distance and area. -
  • -
  • - The Alertmanager is now based on Prometheus - Alertmanager version 0.24. -
  • -
  • - Grafana Alerting rules now return an Error state by default on - execution error or timeout. -
  • -
  • - Expressions can now be used on public dashboards. -
  • -
  • - The join transformation now supports inner joins. -
  • -
  • - Public dashboards now allow sharing Grafana dashboards. -
  • -
  • - A new Prometheus streaming parser is now available as an opt-in feature. -
  • -
-
-

- For more information, see the upstream release notes: -

- -

- Bugzilla:2193018 -

-
-

Grafana no longer enables weak cryptographic ciphers

-

- With this update, Grafana no longer enables ciphers that are considered weak for encrypting - secure communication. The affected ciphers are: -

-
-
-
    -
  • - AES128-GCM-SHA256 -
  • -
  • - AES128-SHA -
  • -
  • - AECDHE-RSA-AES128-SHA -
  • -
  • - AES256-GCM-SHA384 -
  • -
  • - AES256-SHA -
  • -
  • - ECDHE-RSA-AES256-SHA -
  • -
-
-

- Bugzilla:2190025[1] -

-
-

.NET 8.0 is available

-

- Red Hat Enterprise Linux 9.3 is distributed with .NET version 8.0. Notable improvements include: -

-
-
-
    -
  • - Added support for the C#12 and F#8 language versions. -
  • -
  • - Added support for building container images using the .NET Software Development Kit - directly. -
  • -
  • - Many performance improvements to the garbage collector (GC), Just-In-Time (JIT) compiler, - and the base libraries. -
  • -
-
-

- Jira:RHELPLAN-164399[1] -

-
-
-
-
-
-

4.14. Identity Management

-
-
-
-
-

samba rebased to version 4.18.6

-

- The samba packages have been upgraded to upstream version 4.18.6, - which provides bug fixes and enhancements over the previous version. The most notable changes: -

-
-
-
    -
  • - Security improvements in previous releases impacted the performance of the Server Message - Block (SMB) server for high metadata workloads. This update improves the performance in this - scenario. -
  • -
  • - The new wbinfo --change-secret-at=<domain_controller> - command enforces the change of the trust account password on the specified domain - controller. -
  • -
  • - By default, Samba stores access control lists (ACLs) in the security.NTACL extended attribute of files. You can now customize - the attribute name with the acl_xattr:<security_acl_name> - setting in the /etc/samba/smb.conf file. Note that a custom - extended attribute name is not a protected location as security.NTACL. Consequently, users with local access to the - server can be able to modify the custom attribute’s content and compromise the ACL. -
  • -
-
-

- Note that the server message block version 1 (SMB1) protocol has been deprecated since Samba 4.11 - and will be removed in a future release. -

-

- Back up the database files before starting Samba. When the smbd, nmbd, or winbind services start, Samba - automatically updates its tdb database files. Red Hat does not support - downgrading tdb database files. -

-

- After updating Samba, use the testparm utility to verify the /etc/samba/smb.conf file. -

-

- Bugzilla:2190415 -

-
-

The ipaclient role now allows configuring user - subID ranges on the IdM level

-

- With this update, the ipaclient ansible-freeipa role provides the ipaclient_subid option, using which you can configure subID ranges on - the Identity Management (IdM) level. Without the new option set explicitly to true, the ipaclient role keeps the - default behavior and installs the client without subID ranges configured for IdM users. -

-
-

- Previously, the role configured the sssd authselect profile that in turn customized the /etc/nsswitch.conf file. The subID database did not use IdM and relied - only on the local files of /etc/subuid and /etc/subgid. -

-

- Bugzilla:2175767 -

-
-

Multiple IdM groups and services can now be managed in a single Ansible - task

-

- With this enhancement in ansible-freeipa, you can add, modify, and - delete multiple Identity Management (IdM) user groups and services by using a single Ansible - task. For that, use the groups and services options of the ipagroup and - ipaservice modules. -

-
-

- Using the groups option available in ipagroup, you can specify multiple group variables that only apply to a - particular group. This group is defined by the name variable, which is - the only mandatory variable for the groups option. -

-

- Similarly, using the services option available in ipaservice, you can specify multiple service variables that only apply to - a particular service. This service is defined by the name variable, - which is the only mandatory variable for the services option. -

-

- Jira:RHELDOCS-16474[1] -

-
-

ansible-freeipa ipaserver role now supports Random Serial Numbers

-

- With this update, you can use the ipaserver_random_serial_numbers=true option with the ansible-freeipa ipaserver role. This - way, you can generate fully random serial numbers for certificates and requests in PKI when - installing an Identity Management (IdM) server using Ansible. With RSNv3, you can avoid range - management in large IdM installations and prevent common collisions when reinstalling IdM. -

-
-
-
Important
-
-

- RSNv3 is supported only for new IdM installations. If enabled, it is required to use RSNv3 - on all PKI services. -

-
-
-

- Jira:RHELDOCS-16462[1] -

-
-

ipa rebased to version 4.10.2

-

- The ipa package has been upgraded to version 4.10.2. Notable - changes include: -

-
-
-
    -
  • - Searching and listing certificates in the IdM CLI and Web UI now offer better performance. -
  • -
-
-

- For more information, see the upstream FreeIPA release notes. -

-

- Bugzilla:2196426 -

-
-

The ipaserver_remove_on_server and ipaserver_ignore_topology_disconnect options are now available in - the ipaserver role

-

- If removing a replica from an Identity Management (IdM) topology by using the remove_server_from_domain option of the ipaserver ansible-freeipa role leads to - a disconnected topology, you must now specify which part of the domain you want to preserve. - Specifically, you must do the following: -

-
-
-
    -
  • - Specify the ipaserver_remove_on_server value to identify which - part of the topology you want to preserve. -
  • -
  • - Set ipaserver_ignore_topology_disconnect to True. -
  • -
-
-

- Note that if removing a replica from IdM by using the remove_server_from_domain option preserves a connected topology, neither - of these options is required. -

-

- Bugzilla:2127903 -

-
-

IdM now supports the min_lifetime - parameter

-

- With this enhancement, the min_lifetime parameter has been added to - the /etc/gssproxy/*.conf file. The min_lifetime parameter triggers the renewal of a service ticket in - case its remaining lifetime is lower than this value. -

-
-

- By default its value is 15 seconds. For network volume clients such as NFS, to reduce the risk of - losing access in case the KDC is momentarily unavailable, set this value to 60 seconds. -

-

- Bugzilla:2181465 -

-
-

You can now manage IdM certificates using the ipacert Ansible module

-

- You can now use the ansible-freeipa ipacert module to request or retrieve SSL certificates for Identity - Management (IdM) users, hosts and services. The users, hosts and services can then use these - certificates to authenticate to IdM. You can also revoke the certificates, and restore - certificates that have been put on hold. -

-
-

- Bugzilla:2127907 -

-
-

The optional_pac_tkt_chksum option helps - preserve interoperability between different versions of krb5

-

- You can now use the optional_pac_tkt_chksum option to preserve the - interoperability between RHEL Kerberos Distribution Center (KDC) servers running different - versions of the krb5 package. Specifically, you can change their - behavior regarding Privilege Attribute Certificate (PAC) ticket signature verification. If you - set the optional_pac_tkt_chksum string attribute to true for the Kerberos principal expected to sign a ticket, then the - KDC does not reject service for user (S4U) requests containing a ticket that lacks the PAC - ticket signature. The principal to sign the ticket is the ticket-granting service (TGS) one or a - cross-realm TGS one, depending on the realm of the ticket’s target service. -

-
-

- Since the krb5-1.20 release, MIT Kerberos KDCs have required the - presence of ticket signatures in PACs based on the encrypted part of Kerberos tickets so that they - could process S4U requests successfully. Previously, this was a problem in gradual upgrade scenarios - where certain KDCs used krb5-1.19 or older, while others used krb5-1.20 or newer. KDCs using the newer versions of krb5 for S4U requests rejected service tickets that were provided by KDCs - using the older versions of krb5 if a service used them for S4U - requests. -

-

- For more information about how this feature is used in Identity Management (IdM), see this pull - request. -

-

- Bugzilla:2178298 -

-
-

IdM now supports resource-based constrained delegation

-

- With this update, IdM now supports resource-based constrained delegation (RBCD). RBCD allows a - granular control of delegation on a resource level and access can be set by the owner of the - service to which credentials are delegated. -

-
-

- RBCD can be useful, for example, in an integration between IdM and Active Directory (AD), because AD - enforces the use of RBCD when both target and proxy services belong to different forests. -

-
-
Important
-
-

- Currently, only services in the IdM domain can be configured with RBCD rules. If the target - service is part of an AD domain, the permission can only be granted on the AD side. As AD - domain controllers cannot resolve IdM service information to create the rule, this is not - currently supported. -

-
-
-

- For more information on delegation scenarios, see the FreeIPA design page. -

-

- Bugzilla:2165880 -

-
-

RHEL 9.3 provides 389-ds-base 2.3.4 -

-

- RHEL 9.3 is distributed with the 389-ds-base package version 2.3.4. - Notable bug fixes and enhancements over version 2.3.4 include: -

-
- -

- Bugzilla:2188627 -

-
-

Directory Server can now close a client connection if a bind operation fails

-

- Previously, when a bind operation failed, some applications that - ignore the bind return code could load Director Server with further - requests. -

-
-

- With the new nsslapd-close-on-failed-bind configuration attribute under - the cn=config entry, the server can close a client connection when the - bind operation fails. As a result, the server load can be reduced. -

-

- Bugzilla:1987471 -

-
-

Automembership plug-in improvements. It no longer cleans up groups by - default

-

- Previously, the automember rebuild task went through all the automember rules and removed all - the memberships, then the task rebuilt the memberships from scratch. Thus, the rebuild task was - expensive, especially if other be_txn plugins are enabled. -

-
-

- With this update, the Automembership plug-in has the following improvements: -

-
-
    -
  • - Only one rebuilt task is allowed at a time. -
  • -
  • -

    - The Automembership plug-in now does not clean up previous members by default. Use the - new CLI option --cleanup to intentionally clean up - memberships before rebuilding from scratch: -

    -
    # dsconf slapd-instance_name plugins automember fixup -f objectclass=posixaccount -s sub --cleanup "ou=people,dc=example,dc=com"
    -
  • -
  • - Improved logging to show fixup progress. -
  • -
-
-

- Bugzilla:2149025 -

-
-

New passwordAdminSkipInfoUpdate: on/off - configuration option is now available

-

- You can add a new passwordAdminSkipInfoUpdate: on/off setting under - the cn=config entry to provide a fine grained control over password - updates performed by password administrators. When you enable this setting, password updates do - not update certain attributes, for example, passwordHistory,passwordExpirationTime,passwordRetryCount, pwdReset, and passwordExpWarned. -

-
-

- Bugzilla:2166332 -

-
-

New slapi_memberof() plug-in function is now - available for Directory Server plug-ins and client applications

-

- The new slapi_memberof() function retrieves distinguished names - (DNs) of groups to which the given entry belongs directly or indirectly. Previously, MemberOf, - Referential Integrity, and ACL plug-ins implemented their own mechanism to retrieve such groups. - With this update, you can use the slapi_memberof() function that - introduces a unified mechanism to return group DNs. -

-
-

- Bugzilla:2189946 -

-
-

Directory Server now replaces the virtual attribute nsRole with an indexed attribute for managed and filtered - roles

-

- Previously, LDAP searches that contained the virtual attribute nsRole in the filter were time consuming because that attribute - cannot be indexed. With this update, when you perform the ldapsearch with virtual attribute nsRole - in the filter, Directory Server replaces the nsRole attribute the - following way: -

-
-
-
    -
  • - For managed roles, the nsRole attribute is replaced with the - nsRoleDN attribute. -
  • -
  • - For filtered roles, the nsRole attribute is replaced with the - nsRoleFilter attribute. -
  • -
-
-

- As a result, response time for search with the nsRole attribute - improves because the search becomes indexed. -

-

- Note that this update does not apply to nested roles. -

-

- Bugzilla:2189954 -

-
-

New nsslapd-numlisteners configuration option - is now available

-

- The nsslapd-numlisteners attribute specifies the number of listener - threads Directory Server can use to monitor established connections. You can improve the - response times when the server experiences a large number of client connection by increasing the - attribute value. -

-
-

- Bugzilla:1975930 -

-
-

IdM supports the option to control the encryption type used to sign the - PAC

-

- By default, the Kerberos Key Distribution Center (KDC) generates an AES HMAC-SHA2 signature for - the Privilege Attribute Certificate (PAC). However, this encryption type is not supported by - Active Directory (AD). As a result, AD cross-realm constrained delegation requests are not - processed correctly. -

-
-

- With this enhancement, you can now control the encryption type used to sign the PAC by setting the - pac_privsvr_entype attribute on the TGS principal, krbtgt/[realm]@[realm], to the required encryption type for the target - realm. In IdM, this string attribute is automatically configured when an AD trust exists. -

-
WARNING: This update is about standalone MIT realms. Do not change the Kerberos Distribution Center (KDC) configuration in RHEL Identity Management.
-

- For example, for an MIT realm and an AD - realm, to ensure cross-realm ticket-granting tickets (TGT) use AD-compatible encryption types, an - administrator must configure the cross-realm TGS principal as shown below on the MIT side. This - results in cross-realm TGTs using the AES 256 HMAC-SHA1 encryption type and constrained delegation - requests being processed correctly. -

-
kadmin.local <<EOF
-setstr krbtgt/AD@IPA pac_privsvr_enctype aes256-cts-hmac-sha1-96
-setstr krbtgt/IPA@AD pac_privsvr_enctype aes256-cts-hmac-sha1-96
-EOF
-

- Bugzilla:2060421 -

-
-

Identity Management API is now fully supported

-

- The Identity Management (IdM) API was available as a Technology Preview in RHEL 9.2 and as of - RHEL 9.3, it is fully supported. -

-
-

- Users can use existing tools and scripts even if the IdM API is enhanced to enable multiple versions - of API commands. These enhancements do not change the behavior of a command in an incompatible way. - This has the following benefits: -

-
-
    -
  • - Administrators can use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- The communication with the server is possible, regardless if one side uses, for example, a newer - version that introduces new options for a feature. -

-
-
-
NOTE
-
- While IdM API provides a JSON-RPC interface, this type of access is not supported. Red Hat - recommends accessing the API with Python instead. Using Python automates important parts - such as the metadata retrieval from the server, which allows listing all available commands. -
-
-
-

- Bugzilla:1513934 -

-
-
-
-
-
-

4.15. Graphics infrastructures

-
-
-
-
-

Intel Arc A-Series graphics is now fully supported

-

- The Intel Arc A-Series graphics (Alchemist or DG2) feature, previously available as a Technology - Preview, is now fully supported. Intel Arc A-Series graphics is a GPU that enables hardware - acceleration, mostly used in PC gaming. -

-
-

- Bugzilla:2101598[1] -

-
-
-
-
-
-

4.16. The web console

-
-
-
-
-

Podman health check action is now available

-

- You can select one of the following Podman health check actions when creating a new container: -

-
-
-
    -
  • - No action (default): Take no action. -
  • -
  • - Restart: Restart the container. -
  • -
  • - Stop: Stop the container. -
  • -
  • - Force stop: Force stops the container, it does not wait for the container to exit. -
  • -
-
-

- Jira:RHELDOCS-16247[1] -

-
-

Stratis is now available in the RHEL web console

-

- With this update, the Red Hat Enterprise Linux web console provides the ability to manage - Stratis storage. -

-
-

- To learn more about Stratis, see Setting - up Stratis file systems using the web console. -

-

- Jira:RHELPLAN-122345[1] -

-
-
-
-
-
-

4.17. Red Hat Enterprise Linux system roles

-
-
-
-
-

New RHEL system role for managing systemd - units

-

- The rhel-system-role package now contains the systemd RHEL system role. You can use this role to deploy unit files - and manage systemd units on multiple systems. You can automate - systemd functionality by providing systemd unit files and templates, and by specifying the state of - those units, such as started, stopped, masked and other. -

-
-

- Bugzilla:2224384 -

-
-

New option in the ssh role to disable - configuration backups

-

- You can now prevent old configuration files from being backed up before they are overwritten by - setting the new ssh_backup option to false. Previously, backup configuration files were created - automatically, which might be unnecessary. The default value of the ssh_backup option is true, which - preserves the original behavior. -

-
-

- Bugzilla:2216753 -

-
-

keylime_server RHEL system role

-

- With the new keylime_server RHEL system role, you can use Ansible - Playbooks to configure the verifier and registrar Keylime components on RHEL 9 systems. Keylime - is a remote machine attestation tool that uses the trusted platform module (TPM) technology. -

-
-

- Bugzilla:2224385 -

-
-

Support for new ha_cluster system role - features

-

- The ha_cluster system role now supports the following features: -

-
-
-
    -
  • - Configuration of resource and resource operation defaults, including multiple sets of - defaults with rules. -
  • -
  • - Loading and blocking of SBD watchdog kernel modules. This makes installed hardware watchdogs - available to the cluster. -
  • -
  • - Assignment of distinct passwords to the cluster hosts and the quorum device. This allows you - to configure a deployment where the same quorum hosts are joined to multiple, separate - clusters, and the passwords of the hacluster user on these - clusters are different. -
  • -
-
-

- For information about the parameters you configure to implement these features, see Configuring - a high-availability cluster by using the ha_cluster RHEL system role. -

-

- Bugzilla:2185065, Bugzilla:2185067, Bugzilla:2216481 -

-
-

storage system role supports configuring the - stripe size for RAID LVM volumes

-

- With this update, you can now specify a custom stripe size when creating RAID LVM devices. For - better performance, use the custom stripe size for SAP HANA. The recommended stripe size for - RAID LVM volumes is 64 KB. -

-
-

- Bugzilla:2181656 -

-
-

The network RHEL system role supports the - auto-dns option to control automatic DNS record - updates

-

- This enhancement provides support for defined name servers and search domains. You can now use - only the name servers and search domains specified in dns and dns_search properties while disabling automatically configured name - servers and search domains such as dns record from DHCP. With this - enhancement, you can disable automatically auto dns record by changing the auto-dns settings. -

-
-

- Bugzilla:2211194 -

-
-

The network RHEL system role supports the - no-aaaa DNS option

-

- You can now use the no-aaaa option to configure DNS settings on - managed nodes. Previously, there was no option to suppress AAAA queries generated by the stub - resolver, including AAAA lookups triggered by NSS-based interfaces such as getaddrinfo; only DNS lookups were affected. With this enhancement, - you can now suppress AAAA queries generated by the stub resolver. -

-
-

- Bugzilla:2218592 -

-
-

The ad_integration RHEL system role can now - rejoin an AD domain

-

- With this update, you can now use the ad_integration RHEL system - role to rejoin an Active Directory (AD) domain. To do this, set the ad_integration_force_rejoin variable to true. If the realm_list output shows - that host is already in an AD domain, it will leave the existing domain before rejoining it. -

-
-

- Bugzilla:2211723 -

-
-

The certificate RHEL system role now allows - changing certificate file mode when using certmonger -

-

- Previously, certificates created by the certificate RHEL system - role with the certmonger provider used a default file mode. - However, in some use-cases you might require a more restrictive mode. With this update, you can - now set a different certificate and a key file mode using the mode - parameter. -

-
-

- Bugzilla:2218204 -

-
-

The postgresql RHEL system role is now - available

-

- The new postgresql RHEL system role installs, configures, manages, - and starts the PostgreSQL server. The role also optimizes the - database server settings to improve performance. -

-
-

- The role supports the currently released and supported versions of PostgreSQL on RHEL 8 and RHEL 9 managed nodes. -

-

- For more information, see Installing - and configuring PostgreSQL by using the postgresql RHEL system role. -

-

- Bugzilla:2151373 -

-
-

podman RHEL system role now supports Quadlets, - health checks, and secrets

-

- Starting with Podman 4.6, you can use the podman_quadlet_specs - variable in the podman RHEL system role. You can define a Quadlet - by specifying a unit file, or in the inventory by a name, a type of unit, and a specification. - Types of a unit can be the following: container, kube, network, and volume. Note that Quadlets work only with root containers on RHEL 8. - Quadlets work with rootless containers on RHEL 9. -

-
-

- The health checks are supported only for Quadlet Container types. In the [Container] section, specify the HealthCmd - field to define the health check command and HealthOnFailure field to - define the action when a container is unhealthy. Possible options are none, kill, restart, and stop. -

-

- You can use the podman_secrets variable to manage secrets. For details, - see upstream documentation. -

-

- Jira:RHELPLAN-154441[1] -

-
-

Improved performance of the selinux system - role with restorecon -T 0

-

- The selinux system role now uses the -T 0 option with the restorecon command - in all applicable cases. This improves the performance of tasks that restore default SELinux - security contexts on files. -

-
-

- Bugzilla:2179460 -

-
-

The rhc system role now supports setting a - proxy server type

-

- The newly introduced attribute scheme under the rhc_proxy parameter enables you to configure the proxy server type by - using the rhc system role. You can set two values: http, the default and https. -

-
-

- Bugzilla:2211748 -

-
-

firewall RHEL system role supports variables - related to ipsets

-

- With this update of the firewall RHEL system role, you can define, - modify, and delete ipsets. Also, you can add and remove those ipsets from firewall zones. Alternatively, you can use those ipsets when defining firewall rich rules. -

-
-

- You can manage ipsets with the firewall - RHEL system role using the following variables: -

-
-
    -
  • - ipset -
  • -
  • - ipset_type -
  • -
  • - ipset_entries -
  • -
  • - short -
  • -
  • - description -
  • -
  • - state: present or state: absent -
  • -
  • - permanent: true -
  • -
-
-

- The following are some notable benefits of this enhancement: -

-
-
    -
  • - You can reduce the complexity of the rich rules that define rules for many IP addresses. -
  • -
  • - You can add or remove IP addresses from sets as needed without modifying multiple rules. -
  • -
-
-

- For more details, see resources in the /usr/share/doc/rhel-system-roles/firewall/ directory. -

-

- Bugzilla:2229802 -

-
-

RHEL system roles now have new volume options for mount point - customization

-

- With this update, you can now specify mount_user, mount_group, and mount_permissions - parameters for your mount directory. -

-
-

- Bugzilla:2181657 -

-
-

The firewall RHEL system role has an option to - disable conflicting services, and it no longer fails if firewalld is masked

-

- Previously, the firewall system role failed when the firewalld service was masked on the role run or in the presence of - conflicting services. This update brings two notable enhancements: -

-
-

- The linux-system-roles.firewall role always attempts to install, - unmask, and enable the firewalld service on role run. You can now add a - new variable firewall_disable_conflicting_services to your playbook to - disable known conflicting services, for example, iptables.service, - nftables.service, and ufw.service. The - firewall_disable_conflicting_services variable is set to false by default. To disable conflicting services, set the variable to - true. -

-

- Bugzilla:2222761 -

-
-

Resetting the firewall RHEL system role - configuration now requires minimal downtime

-

- Previously, when you reset the firewall role configuration by using - the previous: replaced variable, the firewalld service restarted. Restarting adds downtime and prolongs - the period of an open connection in which firewalld does not block - traffic from active connections. With this enhancement, the firewalld service completes the configuration reset by reloading - instead of restarting. Reloading minimizes the downtime and reduces the opportunity to bypass - firewall rules. As a result, using the previous: replaced variable - to reset the firewall role configuration now requires minimal - downtime. -

-
-

- Bugzilla:2223764 -

-
-
-
-
-
-

4.18. Virtualization

-
-
-
-
-

sevctl is now fully compatible with AMD EPYC - Rome and Milan

-

- With this update, the sevctl utility correctly recognizes the - latest AMD EPYC cores, including the AMD EPYC Rome and AMD EPYC Milan series. As a result, you - can use sevctl to configure the features of AMD Secure Encrypted - Virtualization (SEV) that are available on these CPUs. -

-
-

- Note, however, that advanced SEV functions, such as SEV-ES and SEV-SNP are only provided as - Technology Previews in RHEL 9, and therefore unsupported. -

-

- Bugzilla:2104857[1] -

-
-

virtio-vga and virtio-gpu devices now support blob - resources

-

- It is now possible for virtio-vga and virtio-gpu devices to use blob memory - resources, which improves their performance in certain scenarios. To attach a blob resource to a virtio graphics - device, add a blob="on" option to the corresponding <video> section in the virtual machine’s XML configuration. For - example: -

-
-
<video>
-  <model type="virtio" heads="1" primary="yes" blob="on"/>
-  <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/>
-</video>
-

- Note, however, that this feature currently does not work on IBM Z hosts. -

-

- Bugzilla:2032406 -

-
-

Virtualization support for 4th Generation Intel Xeon Scalable - processors

-

- With this update, virtualization on RHEL 9 adds support for the 4th Generation Intel Xeon - Scalable processors, formerly known as Sapphire Rapids. As a result, virtual machines hosted on - RHEL 9 can now use the SapphireRapids CPU model and utilise new - features that the processors provide. -

-
-

- Bugzilla:1880531[1] -

-
-

Improved memory reclaiming for Secure Execution on IBM Z

-

- When using a virtual machine (VM) with IBM Secure Execution on IBM Z, you can now set up - enhanced memory reclaiming for the VM. If the VM is using 32 GiB or more RAM, this setting - improves the performance of rebooting or stopping the VM. -

-
-

- To set up enhanced memory reclaiming in a VM, add the <async-teardown enabled='yes'/> line to the <features></features> section in its XML configuration. -

-

- Bugzilla:2168499[1] -

-
-

New virtualization features in the RHEL web console

-

- With this update, the RHEL web console includes new features in the Virtual Machines page. You - can now: -

-
-
-
    -
  • - Select the Create and edit button for a virtual machine (VM) - based on a cloud image, which allows you to edit all of the VM properties before the VM is - installed. -
  • -
  • - Create a raw storage volume during virtual machine creation. -
  • -
  • -

    - Set up a virtual socket (vsock) to enable communication between the host and the VM over - a socket. -

    -

    - Note that a virtual socket requires vsock-aware software, such as socat, to enable the communication. -

    -
  • -
-
-

- Jira:RHELDOCS-16487[1] -

-
-
-
-
-
-

4.19. RHEL in cloud environments

-
-
-
-
-

cloud-init supports NetworkManager keyfiles

-

- With this update, the cloud-init utility can use a NetworkManager - (NM) keyfile to configure the network of the created cloud instance. -

-
-

- Note that by default, cloud-init still uses the sysconfig method for network setup. To configure cloud-init to use a NM keyfile instead, edit the /etc/cloud/cloud.cfg and set network-manager - as the primary network renderer: -

-
# cat /etc/cloud/cloud.cfg
-
-   network:
-      renderers: ['network-manager', 'eni', 'netplan', 'sysconfig', 'networkd']
-

- Bugzilla:2118235[1] -

-
-

cloud-init now uses VMware datasources by - default on ESXi

-

- When creating RHEL virtual machines (VMs) on a host that uses the VMware ESXi hypervisor, such - as the VMware vSphere cloud platform. This improves the performance and stability of creating an - ESXi instance of RHEL by using cloud-init. Note, however, that ESXi - is still compatible with Open Virtualization Format (OVF) datasources, and you can use an OVF - datasource if a VMware one is not available. -

-
-

- Bugzilla:2172341[1] -

-
-
-
-
-
-

4.20. Supportability

-
-
-
-
-

sos rebased to version 4.6

-

- The sos utility, for collecting configuration, diagnostic, and - troubleshooting data, has been rebased to version 4.6. This update provides the following - enhancements: -

-
-
-
    -
  • - sos reports now include the contents of both /boot/grub2/custom.cfg and /boot/grub2/user.cfg files that might contain critical - information for troubleshooting boot issues. (BZ#2213951) -
  • -
  • - The sos plugin for OVN-Kubernetes collects additional logs for - the interconnect environment. With this update, sos also - collects logs from the ovnkube-controller container when both - ovnkube-node and ovnkube-controller containers are merged into one. -
  • -
-
-

- In addition, notable bug fixes include: -

-
-
    -
  • - sos now correctly gathers cgroup - data in the OpenShift Container Platform 4 environment (BZ#2186361). -
  • -
  • - While collecting sos reports with the sudo plugin enabled, sos now removes - the bindpw option properly. (BZ#2143272) -
  • -
  • - The subscription_manager plugin no longer collects proxy - usernames and passwords from the /var/lib/rhsm/ path. - (BZ#2177282) -
  • -
  • - The virsh plugin no longer collects the SPICE remote-display - passwords in virt-manager logs, which prevents sos from - disclosing passwords in its reports. (BZ#2184062) -
  • -
  • -

    - sos now masks usernames and passwords previously displayed - in the /var/lib/iscsi/nodes/<IQN>/<PortalIP>/default - file. -

    -
    -
    Important
    -
    -

    - The generated archive might contain data considered sensitive. Thus, you should - always review the content before passing it to any third party. -

    -
    -
    -

    - (BZ#2187859) -

    -
  • -
  • - sos completes the tailed log collection even when the size of - the log file is exceeded and when a plugin times out. (BZ#2203141) -
  • -
  • - When entering the sos collect command on a Pacemaker cluster - node, sos collects an sos report from the same cluster node. - (BZ#2186460) -
  • -
  • - When collecting data from a host in the OpenShift Container Platform 4 environment, sos now uses the sysroot path, which - ensures that only the correct data are assembled. (BZ#2075720) -
  • -
  • - The sos report --clean command obfuscates all MAC addresses as - intended. (BZ#2207562) -
  • -
  • - Disabling the hpssm plugin no longer raises exceptions. - (BZ#2216608) -
  • -
  • - The sos clean command follows permissions of sanitized files. - (BZ#2218279) -
  • -
-
-

- For details on each release of sos, see upstream release notes. -

-

- Jira:RHELPLAN-156196[1] -

-
-
-
-
-
-

4.21. Containers

-
-
-
-
-

Podman supports pulling and pushing images compressed with zstd -

-

- You can pull and push images compressed with the zstd format. The - zstd compression is more efficient and faster than gzip. It can reduce the amount of network - traffic and storage involved in pulling and pushing the image. -

-
-

- Jira:RHELPLAN-154314[1] -

-
-

Quadlet in Podman is now available

-

- Beginning with Podman v4.6, you can use Quadlet to automatically generate a systemd service file from a container description. The Quadlets might - be easier to use than the podman generate systemd command because - the description focuses on the relevant container details and without the technical complexity - of running containers under systemd. -

-
-

- For more details, see the Quadlet - upstream documentation and the Make systemd better for Podman with - Quadlet article. -

-

- Jira:RHELPLAN-154432[1] -

-
-

The Container Tools packages have been updated

-

- The updated Container Tools RPM meta-package, which contain the Podman, Buildah, Skopeo, crun, - and runc tools, are now available. This update applies a series of bug fixes and enhancements - over the previous version. -

-
-

- Notable changes in Podman v4.6 include: -

-
-
    -
  • - The podman kube play command now supports the --configmap=<path> - option to provide Kubernetes YAML file with environment variables used within the containers - of the pod. -
  • -
  • - The podman kube play command now supports multiple Kubernetes - YAML files for the --configmap option. -
  • -
  • - The podman kube play command now supports containerPort names - and port numbers within liveness probes. -
  • -
  • - The podman kube play command now adds the ctrName as an alias - to the pod network. -
  • -
  • - The podman kube play and podman kube generate commands now support SELinux filetype labels - and ulimit annotations. -
  • -
  • - A new command, podman secret exists, has been added, which - verifies if a secret with the given name exists. -
  • -
  • - The podman create, podman run, - podman pod create, and podman pod clone commands now support a new option, --shm-size-systemd, which allows limiting tmpfs sizes for - systemd-specific mounts. -
  • -
  • - The podman create and podman run commands now support a new - option, --security-opt label=nested, which allows SELinux - labeling within a confined container. -
  • -
  • - Podman now supports auto updates for containers running inside a pod. -
  • -
  • - Podman can now use an SQLite database as a backend for increased stability. The default - remains the BoltDB database. You can select the database by setting the database_backend field in the containers.conf file. -
  • -
  • - Podman now supports Quadlets to automatically generate a systemd service file from the container description. The - description focuses on the relevant container details and hides the technical complexity of - running containers under systemd. -
  • -
-
-

- For further information about notable changes, see upstream release - notes. -

-

- Jira:RHELPLAN-154438[1] -

-
-

Podman now supports a Podmansh login shell

-

- Beginning with Podman v4.6, you can use the Podmansh login shell to - manage user access and control. Configure your settings to use the /usr/bin/podmansh command as a login shell instead of a standard - shell command, for example, /usr/bin/bash. When a user logs into a - system setup, the podmansh command runs the user’s session into a - Podman container named podmansh. Containers into which users log in - are defined using the Quadlet files, which are created in the /etc/containers/systemd/users/ directory. In these files, set the - ContainerName field in the [Container] - section to podmansh. The systemd automatically starts podmansh when the user session starts and continues running until all - user sessions exit. -

-
-

- For more information, see Podman - v4.6.0 Introduces Podmansh: A Revolutionary Login Shell. -

-

- Jira:RHELPLAN-163003[1] -

-
-

Clients for sigstore signatures with Fulcio and Rekor are now - available

-

- With Fulcio and Rekor servers, you can now create signatures by using short-term certificates - based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private - key. Clients for sigstore signatures with Fulcio and Rekor, previously available as a Technology - Preview, are now fully supported. This added functionality is the client side support only, and - does not include either the Fulcio or Rekor servers. -

-
-

- Add the fulcio section in the policy.json - file. To sign container images, use the podman push --sign-by-sigstore=file.yml or skopeo copy --sign-by-sigstore=file.yml - commands, where file.yml is the - sigstore signing parameter file. -

-

- To verify signatures, add the fulcio section and the rekorPublicKeyPath or rekorPublicKeyData - fields in the policy.json file. For more information, see containers-policy.json man page. -

-

- Jira:RHELPLAN-160660[1] -

-
-

The pasta networking mode is now - available

-

- Starting with Podman v4.4.1, you can use the pasta network mode. It - is a high-performance replacement of the default network mode slirp4netns and supports IPv6 forwarding. To select the pasta network mode, install the passt - package to use the podman run command with the --network=pasta option. With Podman v4.6, you can set default - rootless network mode in the /etc/containers/containers.conf - configuration file by using the default_rootless_network_cmd field - under the [network] section. -

-
-

- Jira:RHELDOCS-16240[1] -

-
-

UBI 9 Micro Container Image no longer contains zoneinfo installed by tzdata

-

- With this update, the time zone information provided by the tzdata - package is no longer included in UBI 9 Micro container images, consequently reducing the image - size. The UBI 9 Minimal and UBI 9 Micro containers are UTC-only, and users should reinstall the - tzdata package to get the full zoneinfo, if needed. -

-
-

- Bugzilla:2223028 -

-
-
-
-
-
-
-

Chapter 5. Important changes to external kernel parameters

-
-
-
-

- This chapter provides system administrators with a summary of significant changes in the kernel - distributed with Red Hat Enterprise Linux 9.3. These changes could include, for example, added or - updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any - noticeable behavior changes. -

-

New kernel parameters

-
-
-
amd_pstate=[X86]
-
-

- With this kernel parameter, you can scale the performance of the AMD CPU. Available values - include: -

-
-
    -
  • - disable - Do not enable amd_pstate as the default scaling driver for the - supported processors. -
  • -
  • - passive - Use amd_pstate - with passive mode as a scaling driver. In this mode autonomous selection is - disabled. Driver requests a required performance level and platform tries to match - the same performance level if it is satisfied by guaranteed performance level. -
  • -
  • - active - Use amd_pstate_epp driver instance as the scaling driver, - driver provides a hint to the hardware if software wants to bias toward performance - (0x0) or energy efficiency (0xff) to the CPPC firmware. Then CPPC power algorithm - will calculate the runtime workload and adjust the realtime cores frequency. -
  • -
  • - guided - Activate guided autonomous mode. Driver - requests minimum and maximum performance level and the platform autonomously selects - a performance level in this range and appropriate to the current workload. -
  • -
-
-
-
arm64.nosve=[ARM64]
-
- With this kernel parameter, you can unconditionally disable Scalable Vector Extension support. -
-
arm64.nosme=[ARM64]
-
- With this kernel parameter, you can unconditionally disable Scalable Matrix Extension support. -
-
gather_data_sampling=[X86,INTEL]
-
-

- With this kernel parameter, you can control the Gather Data Sampling (GDS) mitigation. -

-

- GDS is a hardware vulnerability that allows unprivileged speculative access to data that was - previously stored in vector registers. -

-

- This issue is mitigated by default in updated microcode. The mitigation might have a - performance impact but can be disabled. On systems without the microcode mitigation - disabling AVX serves as a mitigation. Available values include: -

-
-
    -
  • - force - Disable AVX to mitigate systems without - microcode mitigation. No effect if the microcode mitigation is present. Known to - cause crashes in userspace with buggy AVX enumeration. -
  • -
  • - off - Disable GDS mitigation. -
  • -
-
-
-
nospectre_bhb=[ARM64]
-
- With this kernel parameter, you can disable all mitigations for Spectre-BHB (branch history - injection) vulnerability. System might allow data leaks with this option. -
-
trace_clock=[FTRACE]
-
-

- With this kernel parameter, you can set the clock used for tracing events at boot up. - Available values include: -

-
-
    -
  • - local - Use the per CPU timestamp counter. -
  • -
  • - global - Event timestamps are synchronize across CPUs. - Might be slower than the local clock, but better for some race conditions. -
  • -
  • - counter - Simple counting of events (1, 2, ..) note, - some counts might be skipped due to the infrastructure grabbing the clock more than - once per event. -
  • -
  • - uptime - Use jiffies as the timestamp. -
  • -
  • - perf - Use the same clock that perf uses. -
  • -
  • - mono - Use the ktime_get_mono_fast_ns() function for timestamps. -
  • -
  • - mono_raw - Use the ktime_get_raw_fast_ns() function for timestamps. -
  • -
  • -

    - boot - Use the ktime_get_boot_fast_ns() function for timestamps. -

    -

    - Architectures might add more clocks, see Documentation/trace/ftrace.rst for more details. -

    -
  • -
-
-
-
-
-

Updated kernel parameters

-
-
-
cgroup.memory=[KNL]
-
-

- With this kernel parameter, you can pass options to the cgroup - memory controller. -

-
-
    -
  • -

    - This parameter takes the format of: <string> -

    -

    - Available values include: -

    -
  • -
  • - nosocket - Disable socket memory accounting. -
  • -
  • - nokmem - Disable kernel memory accounting. -
  • -
  • - [NEW] nobpf - Disable BPF memory accounting. -
  • -
-
-
-
hugetlb_free_vmemmap=[KNL]
-
-

- This kernel parameter enables the feature of freeing unused vmemmap pages associated with each hugetlb page on boot. For this - parameter to work, the CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP - configuration option must be enabled. -

-

- This parameter takes the format of: { on | off (default) } -

-

- Available values include: -

-
-
    -
  • - on - enables this feature -
  • -
  • -

    - off - disables this feature -

    -
    -
    Note
    -
    -

    - The vmemmap pages might be allocated from - the added memory block itself when the memory_hotplug.memmap_on_memory module - parameter is enabled. Those vmemmap pages - cannot be optimized even if this feature is enabled. Other vmemmap pages not allocated from the added - memory block itself are not affected. -

    -
    -
    -
  • -
-
-
-
intel_pstate=[X86]
-
-

- You can use this kernel parameter for CPU performance scaling. Available values include: -

-
-
    -
  • - disable - Do not enable intel_pstate as the default scaling driver for the - supported processors. -
  • -
  • - [NEW] active - Use intel_pstate - driver to bypass the scaling governors layer of cpufreq - and provides it own algorithms for p-state selection. There are two P-state - selection algorithms provided by intel_pstate in the - active mode: powersave and performance. The way they both operate depends on whether - or not the hardware managed P-states (HWP) feature has been enabled in the processor - and possibly on the processor model. -
  • -
  • - passive - Use intel_pstate - as a scaling driver, but configure it to work with generic cpufreq governors (instead of enabling its internal - governor). This mode cannot be used along with the hardware-managed P-states (HWP) - feature. -
  • -
  • - force - Enable intel_pstate on systems that prohibit it by default in - favor of acpi-cpufreq. Forcing the intel_pstate driver instead of acpi-cpufreq might disable platform features, such as - thermal controls and power capping, that rely on ACPI P-States information being - indicated to OSPM and therefore should be used with caution. This option does not - work with processors that are not supported by the intel_pstate driver or on platforms that use pcc-cpufreq instead of acpi-cpufreq. -
  • -
  • - no_hwp - Do not enable hardware P state control (HWP) - if available. -
  • -
  • - hwp_only - Only load intel_pstate on systems that support hardware P state - control (HWP) if available. -
  • -
  • - support_acpi_ppc - Enforce ACPI _PPC performance limits. If the Fixed ACPI - Description Table specifies preferred power management profile as "Enterprise - Server" or "Performance Server", then this feature is turned on by default. -
  • -
  • - per_cpu_perf_limits - Allow per-logical-CPU P-State - performance control limits using the cpufreq sysfs - interface. -
  • -
-
-
-
kvm-arm.mode=[KVM,ARM]
-
-

- With this kernel parameter, you can select one of KVM/arm64’s modes of operation. Available - values include: -

-
-
    -
  • - none - Forcefully disable KVM. -
  • -
  • - nvhe - Standard nVHE-based mode, without support for - protected guests. -
  • -
  • - protected - nVHE-based mode with support for guests - whose state is kept private from the host. Setting mode to protected disables kexec and - hibernation for the host. -
  • -
  • -

    - [NEW] nested - VHE-based mode with support for nested - virtualization. Requires at least ARMv8.3 hardware. The nested option is experimental and should be used with - extreme caution. -

    -

    - Defaults to VHE/nVHE based on hardware support. -

    -
  • -
-
-
-
libata.force=[LIBATA]
-
-

- With this kernel parameter, you can force configurations. -

-

- The format is a comma-separated list of "[ID:]VAL" where ID is PORT[.DEVICE]. PORT and - DEVICE are decimal numbers matching port, link or device. Basically, it matches the ATA ID - string printed on console by libata. -

-
-
    -
  • - If the whole ID part is omitted, the last PORT and - DEVICE values are used. -
  • -
  • - If ID has not been specified yet, the configuration applies to all ports, links and - devices. -
  • -
  • - If only the DEVICE value is omitted, the parameter - applies to the port and all links and devices behind it. DEVICE number of 0 either - selects the first device or the first fan-out link behind PMP device. It does not - select the host link. DEVICE number of 15 selects the host link and device attached - to it. -
  • -
  • -

    - The VAL specifies the configuration to force. As long as there is no ambiguity, - shortcut notation is allowed. For example, both 1.5 and 1.5G would work for - 1.5Gbps. -

    -

    - With the libata.force= parameter, you can force the - following configurations: -

    -
  • -
  • - Cable type: 40c, 80c, short40c, unk, ign or sata. Any ID with matching PORT is used. -
  • -
  • - SATA link speed limit: 1.5Gbps or 3.0Gbps. -
  • -
  • - Transfer mode: pio[0-7], mwdma[0-4] and udma[0-7]. udma[/][16,25,33,44,66,100,133] - notation is also allowed. -
  • -
  • - nohrst, nosrst, norst: suppress hard, soft and both resets. -
  • -
  • - rstonce: only attempt one reset during hot-unplug link - recovery. -
  • -
  • - [NEW] [no]dbdelay: Enable or disable the extra 200ms delay - before debouncing a link PHY and device presence detection. -
  • -
  • - [no]ncq: Turn on or off NCQ. -
  • -
  • - [no]ncqtrim: Enable or disable queued DSM TRIM. -
  • -
  • - [NEW] [no]ncqati: Enable or disable NCQ trim on ATI chipset. -
  • -
  • - [NEW] [no]trim: Enable or disable (unqueued) TRIM. -
  • -
  • - [NEW] trim_zero: Indicate that TRIM command zeroes data. -
  • -
  • - [NEW] max_trim_128m: Set 128M maximum trim size limit. -
  • -
  • - [NEW] [no]dma: Turn on or off DMA transfers. -
  • -
  • - atapi_dmadir: Enable ATAPI DMADIR bridge support. -
  • -
  • - atapi_mod16_dma: Enable the use of ATAPI DMA for - commands that are not a multiple of 16 bytes. -
  • -
  • - [no]dmalog: Enable or disable the use of the READ LOG - DMA EXT command to access logs. -
  • -
  • - [no]iddevlog: Enable or disable access to the identify - device data log. -
  • -
  • - [no]logdir: Enable or disable access to the general - purpose log directory. -
  • -
  • - [NEW] max_sec_128: Set transfer size limit to 128 sectors. -
  • -
  • - [NEW] max_sec_1024: Set or clear transfer size limit to 1024 - sectors. -
  • -
  • - [NEW] max_sec_lba48: Set or clear transfer size limit to 65535 - sectors. -
  • -
  • - [NEW] [no]lpm: Enable or disable link power management. -
  • -
  • - [NEW] [no]setxfer: Indicate if transfer speed mode setting - should be skipped. -
  • -
  • - [NEW] [no]fua: Disable or enable FUA (Force Unit Access) - support for devices supporting this feature. -
  • -
  • - dump_id: Dump IDENTIFY data. -
  • -
  • -

    - disable: Disable this device. -

    -
    -
    Note
    -
    -

    - If there are multiple matching configurations changing the same - attribute, the last one is used. -

    -
    -
    -
  • -
-
-
-
mitigations=[X86,PPC,S390,ARM64]
-
-

- With this kernel parameter, you can control optional mitigations for CPU vulnerabilities. - This is a set of curated, arch-independent options, each of which is an aggregation of - existing arch-specific options. Available values include: -

-
-
    -
  • -

    - off - disable all optional CPU mitigations. This - improves system performance, but it can also expose users to several CPU - vulnerabilities. The off value is equivalent to: -

    -
    -
      -
    • - if nokaslr then kpti=0 [ARM64] -
    • -
    • - gather_data_sampling=off [X86] -
    • -
    • - kvm.nx_huge_pages=off [X86] -
    • -
    • - l1tf=off [X86] -
    • -
    • - mds=off [X86] -
    • -
    • - mmio_stale_data=off [X86] -
    • -
    • - no_entry_flush [PPC] -
    • -
    • - no_uaccess_flush [PPC] -
    • -
    • - nobp=0 [S390] -
    • -
    • - nopti [X86,PPC] -
    • -
    • - nospectre_bhb [ARM64] -
    • -
    • - nospectre_v1 [X86,PPC] -
    • -
    • - nospectre_v2 [X86,PPC,S390,ARM64] -
    • -
    • - retbleed=off [X86] -
    • -
    • - spec_store_bypass_disable=off [X86,PPC] -
    • -
    • - spectre_v2_user=off [X86] -
    • -
    • - srbds=off [X86,INTEL] -
    • -
    • - ssbd=force-off [ARM64] -
    • -
    • -

      - tsx_async_abort=off [X86] -

      -

      - Exceptions: This - does not have any effect on kvm.nx_huge_pages when kvm.nx_huge_pages=force. -

      -
    • -
    -
    -
  • -
  • - auto (default) - Mitigate all CPU vulnerabilities, but - leave SMT enabled, even if it is vulnerable. This is for users who do not want to be - surprised by SMT getting disabled across kernel upgrades, or who have other ways of - avoiding SMT-based attacks. -
  • -
  • -

    - auto,nosmt - Mitigate - all CPU vulnerabilities, disabling SMT if needed. This is for users who always - want to be fully mitigated, even if it means losing SMT. The auto,nosmt options are - equivalent to: -

    -
    -
      -
    • - l1tf=flush,nosmt [X86] -
    • -
    • - mds=full,nosmt [X86] -
    • -
    • - tsx_async_abort=full,nosmt [X86] -
    • -
    • - mmio_stale_data=full,nosmt [X86] -
    • -
    • - retbleed=auto,nosmt [X86] -
    • -
    -
    -
  • -
-
-
-
nomodeset
-
-

- With this kernel parameter, you can disable kernel modesetting. Most systems' firmware sets - up a display mode and provides framebuffer memory for output. With nomodeset, DRM and fbdev drivers - will not load if they could possibly displace the preinitialized output. Only the system - framebuffer will be available for use. The drivers will not perform display-mode changes or - accelerated rendering. -

-

- This parameter is especially useful as error fallback, or for testing and debugging. -

-
-
rdt=[HW,X86,RDT]
-
-

- With this kernel parameter, you can turn on or off individual RDT features. The list - includes: cmt, mbmtotal, mbmlocal, l3cat, l3cdp, l2cat, l2cdp, mba, smba, bmec. -

-

- For example, to turn on cmt and turn off mba use: -

-
rdt=cmt,!mba
-
-
rodata=[KNL]
-
-

- With this kernel parameter, you can disable read-only kernel mappings. Available options - include: -

-
-
    -
  • - on - Mark read-only kernel memory as read-only - (default). -
  • -
  • - off - Leave read-only kernel memory writable for - debugging. -
  • -
  • - [NEW] full - Mark read-only kernel memory and aliases as - read-only [arm64]. -
  • -
-
-
-
-
-

Removed kernel parameters

-
-
-
nobats=[PPC]
-
- With this kernel parameter, you can forbid the use of BATs for mapping kernel lowmem on - "Classic" PPC cores. -
-
noltlbs=[PPC]
-
- With this kernel parameter, you can forbid the use of huge page and tlb entries for kernel - lowmem mapping on PPC40x and PPC8xx. -
-
swapaccount=[0|1]=[KNL]
-
- With this kernel parameter, you can enable or disable accounting of swap in memory resource - controller. For more information, see Documentation/admin-guide/cgroup-v1/memory.rst. -
-
-
-
-
-
-
-
-

Chapter 6. Device drivers

-
-
-
-
-
-
-
-

6.1. New drivers

-
-
-
-

Network drivers

-
-
    -
  • - MediaTek MT7601U (USB) support (mt7601u), adds support for - MT7601U-based wireless USB dongles (only in 64-bit ARM architecture) -
  • -
  • - MediaTek MT76x0E (PCIe) support (mt76x0e), adds support for - MT7610/MT7630-based wireless PCIe devices (only in 64-bit ARM architecture) -
  • -
  • - MediaTek MT76x0U (USB) support (mt76x0u), adds support for - MT7610U-based wireless USB 2.0 dongles (only in 64-bit ARM architecture) -
  • -
  • - MediaTek MT76x2E (PCIe) support (mt76x2e), adds support for - MT7612/MT7602/MT7662-based wireless PCIe devices (only in 64-bit ARM architecture) -
  • -
  • - MediaTek MT76x2U (USB) support (mt76x2u), adds support for - MT7612U-based wireless USB 3.0 dongles (only in 64-bit ARM architecture) -
  • -
  • - MediaTek MT7921E (PCIe) support (mt7921e), adds support for - MT7921E 802.11ax 2x2:2SS wireless devices (only in 64-bit ARM architecture) -
  • -
  • - Atheros driver 802.11n HTC based wireless devices (ath9k_htc) - (only in 64-bit ARM architecture) -
  • -
  • - Broadcom 802.11n wireless LAN driver (brcmsmac) (only in 64-bit - ARM architecture) -
  • -
  • - Broadcom 802.11n wireless LAN driver utilities (brcmutil) (only - in 64-bit ARM architecture) -
  • -
  • - Broadcom 802.11 wireless LAN fullmac driver (brcmfmac) (only in - 64-bit ARM architecture) -
  • -
  • - Core module for Qualcomm Atheros 802.11ac wireless LAN cards (ath10k_core) (only in 64-bit ARM architecture) -
  • -
  • - Core module for Qualcomm Atheros 802.11ax wireless LAN cards (ath11k) (only in 64-bit ARM architecture) -
  • -
  • - Device simulator for WWAN framework (wwan_hwsim) -
  • -
  • - Driver support for Qualcomm Atheros 802.11ac WLAN PCIe/AHB devices (ath10k_pci) (only in 64-bit ARM architecture) -
  • -
  • - Driver support for Qualcomm Technologies 802.11ax WLAN PCIe devices (ath11k_pci) (only in 64-bit ARM architecture) -
  • -
  • - Intel® Wireless Wi-Fi driver for Linux (iwlwifi) (only in - 64-bit ARM architecture) -
  • -
  • - Intel® Wireless Wi-Fi Link AGN driver for Linux (iwldvm)- (only - in 64-bit ARM architecture) -
  • -
  • - IOSM Driver (iosm) -
  • -
  • - Marvell WiFi-Ex Driver version 1.0 (mwifiex) (only in 64-bit - ARM architecture) -
  • -
  • - Marvell WiFi-Ex PCI-Express Driver version 1.0 (mwifiex_pcie) - (only in 64-bit ARM architecture) -
  • -
  • - Marvell WiFi-Ex SDIO Driver version 1.0 (mwifiex_sdio) (only in - 64-bit ARM architecture) -
  • -
  • - Marvell WiFi-Ex USB Driver version 1.0 (mwifiex_usb) (only in - 64-bit ARM architecture) -
  • -
  • - MediaTek PCIe 5G WWAN modem T7xx driver (mtk_t7xx) -
  • -
  • - Network/MBIM over MHI (mhi_wwan_mbim) (only in 64-bit ARM - architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit architectures) -
  • -
  • - PCI basic driver for rtlwifi (rtl_pci) (only in 64-bit ARM - architecture) -
  • -
  • - Ralink RT2800 library version 2.3.0 (rt2800lib) (only in 64-bit - ARM architecture) -
  • -
  • - Ralink RT2800 PCI & PCMCIA Wireless LAN driver version 2.3.0 (rt2800pci) (only in 64-bit ARM architecture) -
  • -
  • - Ralink RT2800 USB Wireless LAN driver version 2.3.0 (rt2800usb) - (only in 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ac wireless 8821c driver (rtw88_8821c) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ac wireless 8821ce driver (rtw88_8821ce) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ac wireless 8822b driver (rtw88_8822b) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ac wireless 8822be driver (rtw88_8822be) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ac wireless 8822c driver (rtw88_8822c) - (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ac wireless 8822ce driver (rtw88_8822ce) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ac wireless core module (rtw88_core) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ac wireless PCI driver (rtw88_pci) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ax wireless 8852A driver (rtw89_8852a) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ax wireless 8852AE driver (rtw89_8852ae) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ax wireless 8852B driver (rtw89_8852b) (only in - 64-bit ARM architecture and AMD and Intel 64-bit architectures) -
  • -
  • - Realtek 802.11ax wireless 8852BE driver (rtw89_8852be) (only in - 64-bit ARM architecture and AMD and Intel 64-bit architectures) -
  • -
  • - Realtek 802.11ax wireless core module (rtw89_core) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11ax wireless PCI driver (rtw89_pci) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11n PCI wireless core (btcoexist) (only in 64-bit - ARM architecture) -
  • -
  • - Realtek 802.11n PCI wireless core (rtlwifi) (only in 64-bit ARM - architecture) -
  • -
  • - Realtek 802.11n wireless 8723d driver (rtw88_8723d) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 802.11n wireless 8723de driver (rtw88_8723de) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 8188E 802.11n PCI wireless (rtl8188ee) (only in 64-bit - ARM architecture) -
  • -
  • - Realtek 8192C/8188C 802.11n PCI wireless (rtl8192c-common) - (only in 64-bit ARM architecture) -
  • -
  • - Realtek 8192C/8188C 802.11n PCI wireless (rtl8192ce) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 8192C/8188C 802.11n USB wireless (rtl8192cu) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 8192DE 802.11n Dual Mac PCI wireless (rtl8192de) (only - in 64-bit ARM architecture) -
  • -
  • - Realtek 8192EE 802.11n PCI wireless (rtl8192ee) (only in 64-bit - ARM architecture) -
  • -
  • - Realtek 8192S/8191S 802.11n PCI wireless (rtl8192se) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek 8723BE 802.11n PCI wireless (rtl8723be) (only in 64-bit - ARM architecture) -
  • -
  • - Realtek 8723E 802.11n PCI wireless (rtl8723ae) (only in 64-bit - ARM architecture) -
  • -
  • - Realtek 8821ae 802.11ac PCI wireless (rtl8821ae) (only in - 64-bit ARM architecture) -
  • -
  • - Realtek RTL8723AE/RTL8723BE 802.11n PCI wireless common routines (rtl8723-common) (only in 64-bit ARM architecture) -
  • -
  • - rt2800 MMIO library version 2.3.0 (rt2800mmio) (only in 64-bit - ARM architecture) -
  • -
  • - rt2x00 library version 2.3.0 (rt2x00lib) (only in 64-bit ARM - architecture) -
  • -
  • - rt2x00 mmio library version 2.3.0 ( rt2x00mmio) (only in 64-bit - ARM architecture) -
  • -
  • - rt2x00 pci library version 2.3.0 ( rt2x00pci) (only in 64-bit - ARM architecture) -
  • -
  • - rt2x00 usb library version 2.3.0 (rt2x00usb) (only in 64-bit - ARM architecture) -
  • -
  • - RTL8XXXu USB mac80211 Wireless LAN Driver (rtl8xxxu) (only in - 64-bit ARM architecture) -
  • -
  • - Shared library for Atheros wireless 802.11n LAN cards (ath9k_common) (only in 64-bit ARM architecture) -
  • -
  • - Shared library for Atheros wireless LAN cards (ath) (only in - 64-bit ARM architecture) -
  • -
  • - Support for Atheros 802.11n wireless LAN cards (ath9k_hw) (only - in 64-bit ARM architecture) -
  • -
  • - Support for Atheros 802.11n wireless LAN cards (ath9k) (only in - 64-bit ARM architecture) -
  • -
  • - The new Intel® wireless AGN driver for Linux (iwlmvm) (only in - 64-bit ARM architecture) -
  • -
  • - Thunderbolt/USB4 network driver (thunderbolt_net) -
  • -
  • - USB basic driver for rtlwifi (rtl_usb) (only in 64-bit ARM - architecture) -
  • -
-
-

Graphics drivers and miscellaneous drivers

-
-
    -
  • - Atheros AR30xx firmware driver 1.0 (ath3k) (only in 64-bit ARM - architecture) -
  • -
  • - BlueFRITZ! USB driver version 1.2 (bfusb) (only in 64-bit ARM - architecture) -
  • -
  • - Bluetooth HCI UART driver version 2.3 (hci_uart) (only in - 64-bit ARM architecture) -
  • -
  • - Bluetooth support for Broadcom devices version 0.1 (btbcm) - (only in 64-bit ARM architecture) -
  • -
  • - Bluetooth support for Intel devices version 0.1 (btintel) (only - in 64-bit ARM architecture) -
  • -
  • - Bluetooth support for MediaTek devices version 0.1 (btmtk) - (only in 64-bit ARM architecture) -
  • -
  • - Bluetooth support for Realtek devices version 0.1 (btrtl) (only - in 64-bit ARM architecture) -
  • -
  • - Bluetooth virtual HCI driver version 1.5 (hci_vhci) (only in - 64-bit ARM architecture) -
  • -
  • - Broadcom Blutonium firmware driver version 1.2 (bcm203x) (only - in 64-bit ARM architecture) -
  • -
  • - Digianswer Bluetooth USB driver version 0.11 ( bpa10x) (only in - 64-bit ARM architecture) -
  • -
  • - Generic Bluetooth SDIO driver version 0.1 (btsdio) (only in - 64-bit ARM architecture) -
  • -
  • - Generic Bluetooth USB driver version 0.8 (btusb) (only in - 64-bit ARM architecture) -
  • -
  • - Marvell Bluetooth driver version 1.0 (btmrvl) (only in 64-bit - ARM architecture) -
  • -
  • - Marvell BT-over-SDIO driver version 1.0 (btmrvl_sdio) (only in - 64-bit ARM architecture) -
  • -
  • - Linux device driver of the BMC IPMI SSIF interface (ssif_bmc) - (only in 64-bit ARM architecture) -
  • -
  • - vTPM Driver version 0.1 (tpm_vtpm_proxy) -
  • -
  • - AMD P-state driver Test module (amd-pstate-ut) (only in AMD and - Intel 64-bit architectures) -
  • -
  • - Compute Express Link (CXL) ACPI driver (cxl_acpi) (only in - 64-bit ARM architecture and AMD and Intel 64-bit architectures) -
  • -
  • - Compute Express Link (CXL) core driver (cxl_core) -
  • -
  • - Compute Express Link (CXL) port driver (cxl_port) -
  • -
  • - NVIDIA Tegra GPC DMA Controller driver (tegra186-gpc-dma) (only - in 64-bit ARM architecture) -
  • -
  • - DRM Buddy Allocator (drm_buddy) (only in 64-bit IBM Z - architecture) -
  • -
  • - DRM display adapter helper (drm_display_helper) (only in 64-bit - IBM Z architecture) -
  • -
  • - HID driver for EVision devices (hid-evision) (only in 64-bit - ARM architecture, IBM Power Systems, Little Endian, and AMD and Intel 64-bit architectures) -
  • -
  • - Texas Instruments INA3221 HWMon Driver (ina3221) (only in - 64-bit ARM architecture) -
  • -
  • - I3C core (i3c) (only in 64-bit ARM architecture) -
  • -
  • - Silvaco dual-role I3C master driver (svc-i3c-master) (only in - 64-bit ARM architecture) -
  • -
  • - Microsoft Azure Network Adapter IB driver (mana_ib) (only in - AMD and Intel 64-bit architectures) -
  • -
  • - Soft RDMA transport (rdma_rxe) -
  • -
  • - i.MX8MP interconnect driver - Generic interconnect drivers for i.MX SOCs (imx8mp-interconnect) (only in 64-bit ARM architecture) -
  • -
  • - Linux USB Video Class (uvc) (only in 64-bit ARM architecture, - IBM Power Systems, Little Endian, and AMD and Intel 64-bit architectures) -
  • -
  • - Common memory handling routines for videobuf2 (videobuf2-memops) (only in 64-bit ARM architecture) -
  • -
  • - Device node registration for cec drivers (cec) (only in 64-bit - IBM Z architecture) -
  • -
  • - Device node registration for media drivers (mc) (only in 64-bit - ARM architecture) -
  • -
  • - Driver helper framework for Video for Linux 2 (videobuf2-v4l2) - (only in 64-bit ARM architecture) -
  • -
  • - Media buffer core framework (videobuf2-common) (only in 64-bit - ARM architecture) -
  • -
  • - USB Video Class driver version 1.1.1 (uvcvideo) (only in 64-bit - ARM architecture) -
  • -
  • - V4L2 DV Timings Helper Functions (v4l2-dv-timings) (only in - 64-bit ARM architecture) -
  • -
  • - Video4Linux2 core driver (videodev) (only in 64-bit ARM - architecture) -
  • -
  • - vmalloc memory handling routines for videobuf2 (videobuf2-vmalloc) (only in 64-bit ARM architecture) -
  • -
  • - Framework for SPI NOR (spi-nor) (only in 64-bit ARM - architecture) -
  • -
  • - Marvell CN10K DRAM Subsystem(DSS) PMU (marvell_cn10k_ddr_pmu) - (only in 64-bit ARM architecture) -
  • -
  • - Marvell CN10K LLC-TAD Perf driver (marvell_cn10k_tad_pmu) (only - in 64-bit ARM architecture) -
  • -
  • - Intel Meteor Lake PCH pinctrl/GPIO driver (pinctrl-meteorlake) - (only in AMD and Intel 64-bit architectures) -
  • -
  • - Intel In Field Scan (IFS) device (intel_ifs) (only in AMD and - Intel 64-bit architectures) -
  • -
  • - NVIDIA WMI EC Backlight driver (nvidia-wmi-ec-backlight) (only - in AMD and Intel 64-bit architectures) -
  • -
  • - QMI encoder/decoder helper (qmi_helpers) (only in 64-bit ARM - architecture) -
  • -
  • - AMD SoundWire driver (soundwire-amd) (only in AMD and Intel - 64-bit architectures) -
  • -
  • - NVIDIA Tegra114 SPI Controller Driver (spi-tegra114) (only in - 64-bit ARM architecture) -
  • -
  • - STMicroelectronics STUSB160x Type-C controller driver (stusb160x) (only in 64-bit ARM architecture) -
  • -
  • - MLX5 VFIO PCI - User Level meta-driver for MLX5 device family (mlx5-vfio-pci) -
  • -
-
-
-
-
-
-
-

6.2. Updated drivers

-
-
-
-

Network driver updates

-
-
    -
  • - Realtek RTL8152/RTL8153 Based USB Ethernet Adapters (r8152) has - been updated to version v1.12.13 (only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures). -
  • -
-
-

Storage driver updates

-
-
    -
  • - Broadcom MegaRAID SAS Driver (megaraid_sas) has been updated to - version 07.725.01.00-rc1 (only in 64-bit ARM architecture, IBM Power Systems, Little Endian, - and AMD and Intel 64-bit architectures). -
  • -
  • - Driver for Microchip Smart Family Controller (smartpqi) has - been updated to version 2.1.22-040 (only in 64-bit ARM architecture, IBM Power Systems, - Little Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - Emulex LightPulse Fibre Channel SCSI driver (lpfc) has been - updated to version 0:14.2.0.12 (only in 64-bit ARM architecture, IBM Power Systems, Little - Endian, and AMD and Intel 64-bit architectures). -
  • -
  • - MPI3 Storage Controller Device Driver (mpi3mr) has been updated - to version 8.4.1.0.0. -
  • -
-
-
-
-
-
-
-
-

Chapter 7. Available BPF Features

-
-
-
-

- This chapter provides the complete list of Berkeley Packet Filter (BPF) features available in the kernel of this minor version of Red Hat - Enterprise Linux 9. The tables include the lists of: -

- -

- This chapter contains automatically generated output of the bpftool feature - command. -

-
-

Table 7.1. System configuration and other options

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionValue
-

- unprivileged_bpf_disabled -

-
-

- 2 (bpf() syscall restricted to privileged users, admin can change) -

-
-

- JIT compiler -

-
-

- 1 (enabled) -

-
-

- JIT compiler hardening -

-
-

- 1 (enabled for unprivileged users) -

-
-

- JIT compiler kallsyms exports -

-
-

- 1 (enabled for root) -

-
-

- Memory limit for JIT for unprivileged users -

-
-

- 528482304 -

-
-

- CONFIG_BPF -

-
-

- y -

-
-

- CONFIG_BPF_SYSCALL -

-
-

- y -

-
-

- CONFIG_HAVE_EBPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT -

-
-

- y -

-
-

- CONFIG_BPF_JIT_ALWAYS_ON -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF -

-
-

- y -

-
-

- CONFIG_DEBUG_INFO_BTF_MODULES -

-
-

- y -

-
-

- CONFIG_CGROUPS -

-
-

- y -

-
-

- CONFIG_CGROUP_BPF -

-
-

- y -

-
-

- CONFIG_CGROUP_NET_CLASSID -

-
-

- y -

-
-

- CONFIG_SOCK_CGROUP_DATA -

-
-

- y -

-
-

- CONFIG_BPF_EVENTS -

-
-

- y -

-
-

- CONFIG_KPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_UPROBE_EVENTS -

-
-

- y -

-
-

- CONFIG_TRACING -

-
-

- y -

-
-

- CONFIG_FTRACE_SYSCALLS -

-
-

- y -

-
-

- CONFIG_FUNCTION_ERROR_INJECTION -

-
-

- y -

-
-

- CONFIG_BPF_KPROBE_OVERRIDE -

-
-

- n -

-
-

- CONFIG_NET -

-
-

- y -

-
-

- CONFIG_XDP_SOCKETS -

-
-

- y -

-
-

- CONFIG_LWTUNNEL_BPF -

-
-

- y -

-
-

- CONFIG_NET_ACT_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_BPF -

-
-

- m -

-
-

- CONFIG_NET_CLS_ACT -

-
-

- y -

-
-

- CONFIG_NET_SCH_INGRESS -

-
-

- m -

-
-

- CONFIG_XFRM -

-
-

- y -

-
-

- CONFIG_IP_ROUTE_CLASSID -

-
-

- y -

-
-

- CONFIG_IPV6_SEG6_BPF -

-
-

- y -

-
-

- CONFIG_BPF_LIRC_MODE2 -

-
-

- n -

-
-

- CONFIG_BPF_STREAM_PARSER -

-
-

- y -

-
-

- CONFIG_NETFILTER_XT_MATCH_BPF -

-
-

- m -

-
-

- CONFIG_BPFILTER -

-
-

- n -

-
-

- CONFIG_BPFILTER_UMH -

-
-

- n -

-
-

- CONFIG_TEST_BPF -

-
-

- m -

-
-

- CONFIG_HZ -

-
-

- 1000 -

-
-

- bpf() syscall -

-
-

- available -

-
-

- Large program size limit -

-
-

- available -

-
-

- Bounded loop support -

-
-

- available -

-
-

- ISA extension v2 -

-
-

- available -

-
-

- ISA extension v3 -

-
-

- available -

-
-
-
-
-

Table 7.2. Available program types and supported helpers

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Program typeAvailable helpers
-

- socket_filter -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_skc_to_tcp6_sock, - bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, - bpf_skc_to_udp6_sock, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, - bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, - bpf_timer_cancel, bpf_task_pt_regs, bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, - bpf_kptr_xchg, bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- kprobe -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, - bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_copy_from_user, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_get_func_ip, bpf_get_attach_cookie, - bpf_task_pt_regs, bpf_get_branch_snapshot, bpf_find_vma, bpf_loop, bpf_strncmp, - bpf_copy_from_user_task, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- sched_cls -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_strtol, bpf_strtoul, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_tcp_gen_syncookie, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_csum_level, bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, - bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, - bpf_snprintf_btf, bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_redirect_peer, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, - bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, - 
bpf_task_pt_regs, bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, - bpf_skb_set_tstamp, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, - bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read, - bpf_dynptr_write, bpf_dynptr_data, bpf_tcp_raw_gen_syncookie_ipv4, - bpf_tcp_raw_gen_syncookie_ipv6, bpf_tcp_raw_check_syncookie_ipv4, - bpf_tcp_raw_check_syncookie_ipv6, bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, - bpf_cgrp_storage_get, bpf_cgrp_storage_delete -

-
-

- sched_act -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_vlan_push, bpf_skb_vlan_pop, - bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, bpf_redirect, - bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, bpf_csum_diff, - bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, bpf_skb_change_proto, - bpf_skb_change_type, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, - bpf_set_hash_invalid, bpf_get_numa_node_id, bpf_skb_change_head, - bpf_get_socket_cookie, bpf_get_socket_uid, bpf_set_hash, bpf_skb_adjust_room, - bpf_skb_get_xfrm_state, bpf_skb_load_bytes_relative, bpf_fib_lookup, - bpf_skb_cgroup_id, bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, - bpf_tcp_sock, bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_strtol, bpf_strtoul, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_tcp_gen_syncookie, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_csum_level, bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, - bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, - bpf_snprintf_btf, bpf_skb_cgroup_classid, bpf_redirect_neigh, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_redirect_peer, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_check_mtu, bpf_for_each_map_elem, bpf_snprintf, - bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, - 
bpf_task_pt_regs, bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, - bpf_skb_set_tstamp, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, - bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read, - bpf_dynptr_write, bpf_dynptr_data, bpf_tcp_raw_gen_syncookie_ipv4, - bpf_tcp_raw_gen_syncookie_ipv6, bpf_tcp_raw_check_syncookie_ipv4, - bpf_tcp_raw_check_syncookie_ipv6, bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, - bpf_cgrp_storage_get, bpf_cgrp_storage_delete -

-
-

- tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, - bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_copy_from_user, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_get_func_ip, bpf_get_attach_cookie, - bpf_task_pt_regs, bpf_get_branch_snapshot, bpf_find_vma, bpf_loop, bpf_strncmp, - bpf_copy_from_user_task, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- xdp -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, bpf_redirect, - bpf_perf_event_output, bpf_csum_diff, bpf_get_current_task, - bpf_get_numa_node_id, bpf_xdp_adjust_head, bpf_redirect_map, - bpf_xdp_adjust_meta, bpf_xdp_adjust_tail, bpf_fib_lookup, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_tcp_check_syncookie, bpf_strtol, bpf_strtoul, bpf_tcp_gen_syncookie, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_skc_to_tcp6_sock, - bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, bpf_skc_to_tcp_request_sock, - bpf_skc_to_udp6_sock, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, bpf_check_mtu, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, bpf_skc_to_unix_sock, - bpf_loop, bpf_strncmp, bpf_xdp_get_buff_len, bpf_xdp_load_bytes, - bpf_xdp_store_bytes, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, - bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read, - bpf_dynptr_write, bpf_dynptr_data, bpf_tcp_raw_gen_syncookie_ipv4, - bpf_tcp_raw_gen_syncookie_ipv6, bpf_tcp_raw_check_syncookie_ipv4, - bpf_tcp_raw_check_syncookie_ipv6, bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, - bpf_cgrp_storage_get, bpf_cgrp_storage_delete -

-
-

- perf_event -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_perf_prog_read_value, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, - bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_read_branch_records, bpf_get_ns_current_pid_tgid, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_get_task_stack, bpf_copy_from_user, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_task_storage_get, bpf_task_storage_delete, - bpf_get_current_task_btf, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_get_func_ip, - bpf_get_attach_cookie, bpf_task_pt_regs, bpf_get_branch_snapshot, bpf_find_vma, - bpf_loop, bpf_strncmp, bpf_copy_from_user_task, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, - bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read, - bpf_dynptr_write, bpf_dynptr_data, bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, - bpf_cgrp_storage_get, bpf_cgrp_storage_delete -

-
-

- cgroup_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_load_bytes_relative, bpf_skb_cgroup_id, bpf_get_local_storage, - bpf_skb_ancestor_cgroup_id, bpf_sk_lookup_tcp, bpf_sk_lookup_udp, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_sk_fullsock, bpf_tcp_sock, - bpf_skb_ecn_set_ce, bpf_get_listener_sock, bpf_skc_lookup_tcp, bpf_strtol, - bpf_strtoul, bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_sk_cgroup_id, - bpf_sk_ancestor_cgroup_id, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- cgroup_sock -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_get_current_cgroup_id, - bpf_get_local_storage, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, bpf_sk_storage_get, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_get_netns_cookie, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_loop, bpf_strncmp, bpf_get_retval, bpf_set_retval, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, - bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read, - bpf_dynptr_write, bpf_dynptr_data, bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, - bpf_cgrp_storage_get, bpf_cgrp_storage_delete -

-
-

- lwt_in -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_lwt_push_encap, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- lwt_out -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_strtol, bpf_strtoul, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- lwt_xmit -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_l3_csum_replace, bpf_l4_csum_replace, bpf_tail_call, bpf_clone_redirect, - bpf_get_cgroup_classid, bpf_skb_get_tunnel_key, bpf_skb_set_tunnel_key, - bpf_redirect, bpf_get_route_realm, bpf_perf_event_output, bpf_skb_load_bytes, - bpf_csum_diff, bpf_skb_get_tunnel_opt, bpf_skb_set_tunnel_opt, - bpf_skb_under_cgroup, bpf_get_hash_recalc, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_csum_update, bpf_set_hash_invalid, - bpf_get_numa_node_id, bpf_skb_change_head, bpf_lwt_push_encap, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_strtol, bpf_strtoul, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_csum_level, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- sock_ops -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_setsockopt, bpf_sock_map_update, bpf_getsockopt, - bpf_sock_ops_cb_flags_set, bpf_sock_hash_update, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_strtol, bpf_strtoul, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_get_netns_cookie, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_load_hdr_opt, - bpf_store_hdr_opt, bpf_reserve_hdr_opt, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_get_current_task_btf, bpf_ktime_get_coarse_ns, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, bpf_skc_to_unix_sock, - bpf_loop, bpf_strncmp, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, - bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read, - bpf_dynptr_write, bpf_dynptr_data, bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, - bpf_cgrp_storage_get, bpf_cgrp_storage_delete -

-
-

- sk_skb -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_skb_store_bytes, - bpf_tail_call, bpf_perf_event_output, bpf_skb_load_bytes, bpf_get_current_task, - bpf_skb_change_tail, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_skb_change_head, bpf_get_socket_cookie, bpf_get_socket_uid, - bpf_skb_adjust_room, bpf_sk_redirect_map, bpf_sk_redirect_hash, - bpf_sk_lookup_tcp, bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, - bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, - bpf_skc_lookup_tcp, bpf_strtol, bpf_strtoul, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- cgroup_device -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_strtol, bpf_strtoul, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_get_current_task_btf, bpf_for_each_map_elem, bpf_snprintf, - bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, - bpf_task_pt_regs, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, - bpf_ringbuf_submit_dynptr, bpf_ringbuf_discard_dynptr, bpf_dynptr_read, - bpf_dynptr_write, bpf_dynptr_data, bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, - bpf_cgrp_storage_get, bpf_cgrp_storage_delete -

-
-

- sk_msg -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_cgroup_classid, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_msg_redirect_map, bpf_msg_apply_bytes, bpf_msg_cork_bytes, - bpf_msg_pull_data, bpf_msg_redirect_hash, bpf_get_current_cgroup_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_msg_push_data, - bpf_msg_pop_data, bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- raw_tracepoint -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, - bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_copy_from_user, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_get_func_ip, bpf_task_pt_regs, - bpf_get_branch_snapshot, bpf_find_vma, bpf_loop, bpf_strncmp, - bpf_copy_from_user_task, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- cgroup_sock_addr -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_socket_cookie, bpf_setsockopt, bpf_getsockopt, - bpf_bind, bpf_get_current_cgroup_id, bpf_get_local_storage, bpf_sk_lookup_tcp, - bpf_sk_lookup_udp, bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_skc_lookup_tcp, - bpf_strtol, bpf_strtoul, bpf_sk_storage_get, bpf_sk_storage_delete, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_get_netns_cookie, - bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_get_retval, bpf_set_retval, - bpf_kptr_xchg, bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- lwt_seg6local -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_cgroup_classid, bpf_get_route_realm, bpf_perf_event_output, - bpf_skb_load_bytes, bpf_csum_diff, bpf_skb_under_cgroup, bpf_get_hash_recalc, - bpf_get_current_task, bpf_skb_pull_data, bpf_get_numa_node_id, - bpf_lwt_seg6_store_bytes, bpf_lwt_seg6_adjust_srh, bpf_lwt_seg6_action, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_strtol, bpf_strtoul, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- lirc_mode2 -

-
-

- not supported -

-
-

- sk_reuseport -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_get_socket_cookie, bpf_skb_load_bytes_relative, bpf_sk_select_reuseport, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_strtol, bpf_strtoul, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_loop, bpf_strncmp, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- flow_dissector -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_skb_load_bytes, bpf_get_current_task, bpf_get_numa_node_id, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_strtol, bpf_strtoul, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- cgroup_sysctl -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_sysctl_get_name, bpf_sysctl_get_current_value, - bpf_sysctl_get_new_value, bpf_sysctl_set_new_value, bpf_strtol, bpf_strtoul, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_jiffies64, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_loop, bpf_strncmp, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- raw_tracepoint_writable -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_perf_event_read_value, bpf_get_stack, - bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, - bpf_send_signal, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_send_signal_thread, - bpf_jiffies64, bpf_get_ns_current_pid_tgid, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, bpf_get_task_stack, - bpf_copy_from_user, bpf_snprintf_btf, bpf_per_cpu_ptr, bpf_this_cpu_ptr, - bpf_task_storage_get, bpf_task_storage_delete, bpf_get_current_task_btf, - bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, bpf_timer_set_callback, - bpf_timer_start, bpf_timer_cancel, bpf_get_func_ip, bpf_task_pt_regs, - bpf_get_branch_snapshot, bpf_find_vma, bpf_loop, bpf_strncmp, - bpf_copy_from_user_task, bpf_kptr_xchg, bpf_map_lookup_percpu_elem, - bpf_dynptr_from_mem, bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- cgroup_sockopt -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_get_cgroup_classid, bpf_perf_event_output, bpf_get_current_task, - bpf_get_numa_node_id, bpf_get_current_cgroup_id, bpf_get_local_storage, - bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, bpf_spin_lock, - bpf_spin_unlock, bpf_tcp_sock, bpf_strtol, bpf_strtoul, bpf_sk_storage_get, - bpf_sk_storage_delete, bpf_probe_read_user, bpf_probe_read_kernel, - bpf_probe_read_user_str, bpf_probe_read_kernel_str, bpf_jiffies64, - bpf_get_netns_cookie, bpf_get_current_ancestor_cgroup_id, bpf_ktime_get_boot_ns, - bpf_ringbuf_output, bpf_ringbuf_reserve, bpf_ringbuf_submit, - bpf_ringbuf_discard, bpf_ringbuf_query, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_get_current_task_btf, bpf_for_each_map_elem, bpf_snprintf, - bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, - bpf_task_pt_regs, bpf_loop, bpf_strncmp, bpf_get_retval, bpf_set_retval, - bpf_kptr_xchg, bpf_map_lookup_percpu_elem, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- tracing -

-
-

- not supported -

-
-

- struct_ops -

-
-

- not supported -

-
-

- ext -

-
-

- not supported -

-
-

- lsm -

-
-

- not supported -

-
-

- sk_lookup -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_ktime_get_ns, - bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_perf_event_output, bpf_get_current_task, bpf_get_numa_node_id, - bpf_sk_release, bpf_map_push_elem, bpf_map_pop_elem, bpf_map_peek_elem, - bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, bpf_probe_read_user, - bpf_probe_read_kernel, bpf_probe_read_user_str, bpf_probe_read_kernel_str, - bpf_jiffies64, bpf_sk_assign, bpf_ktime_get_boot_ns, bpf_ringbuf_output, - bpf_ringbuf_reserve, bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_snprintf_btf, - bpf_per_cpu_ptr, bpf_this_cpu_ptr, bpf_get_current_task_btf, - bpf_ktime_get_coarse_ns, bpf_for_each_map_elem, bpf_snprintf, bpf_timer_init, - bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, bpf_task_pt_regs, - bpf_skc_to_unix_sock, bpf_loop, bpf_strncmp, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-

- syscall -

-
-

- bpf_map_lookup_elem, bpf_map_update_elem, bpf_map_delete_elem, bpf_probe_read, - bpf_ktime_get_ns, bpf_get_prandom_u32, bpf_get_smp_processor_id, bpf_tail_call, - bpf_get_current_pid_tgid, bpf_get_current_uid_gid, bpf_get_current_comm, - bpf_perf_event_read, bpf_perf_event_output, bpf_get_stackid, - bpf_get_current_task, bpf_current_task_under_cgroup, bpf_get_numa_node_id, - bpf_probe_read_str, bpf_get_socket_cookie, bpf_perf_event_read_value, - bpf_get_stack, bpf_get_current_cgroup_id, bpf_map_push_elem, bpf_map_pop_elem, - bpf_map_peek_elem, bpf_spin_lock, bpf_spin_unlock, bpf_strtol, bpf_strtoul, - bpf_sk_storage_get, bpf_sk_storage_delete, bpf_send_signal, bpf_skb_output, - bpf_probe_read_user, bpf_probe_read_kernel, bpf_probe_read_user_str, - bpf_probe_read_kernel_str, bpf_send_signal_thread, bpf_jiffies64, - bpf_get_ns_current_pid_tgid, bpf_xdp_output, bpf_get_current_ancestor_cgroup_id, - bpf_ktime_get_boot_ns, bpf_ringbuf_output, bpf_ringbuf_reserve, - bpf_ringbuf_submit, bpf_ringbuf_discard, bpf_ringbuf_query, - bpf_skc_to_tcp6_sock, bpf_skc_to_tcp_sock, bpf_skc_to_tcp_timewait_sock, - bpf_skc_to_tcp_request_sock, bpf_skc_to_udp6_sock, bpf_get_task_stack, - bpf_d_path, bpf_copy_from_user, bpf_snprintf_btf, bpf_per_cpu_ptr, - bpf_this_cpu_ptr, bpf_task_storage_get, bpf_task_storage_delete, - bpf_get_current_task_btf, bpf_sock_from_file, bpf_for_each_map_elem, - bpf_snprintf, bpf_sys_bpf, bpf_btf_find_by_name_kind, bpf_sys_close, - bpf_timer_init, bpf_timer_set_callback, bpf_timer_start, bpf_timer_cancel, - bpf_get_func_ip, bpf_task_pt_regs, bpf_get_branch_snapshot, - bpf_skc_to_unix_sock, bpf_kallsyms_lookup_name, bpf_find_vma, bpf_loop, - bpf_strncmp, bpf_xdp_get_buff_len, bpf_copy_from_user_task, bpf_kptr_xchg, - bpf_map_lookup_percpu_elem, bpf_skc_to_mptcp_sock, bpf_dynptr_from_mem, - bpf_ringbuf_reserve_dynptr, bpf_ringbuf_submit_dynptr, - bpf_ringbuf_discard_dynptr, bpf_dynptr_read, bpf_dynptr_write, bpf_dynptr_data, - bpf_ktime_get_tai_ns, 
bpf_user_ringbuf_drain, bpf_cgrp_storage_get, - bpf_cgrp_storage_delete -

-
-
-
-
-

Table 7.3. Available map types

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Map typeAvailable
-

- hash -

-
-

- yes -

-
-

- array -

-
-

- yes -

-
-

- prog_array -

-
-

- yes -

-
-

- perf_event_array -

-
-

- yes -

-
-

- percpu_hash -

-
-

- yes -

-
-

- percpu_array -

-
-

- yes -

-
-

- stack_trace -

-
-

- yes -

-
-

- cgroup_array -

-
-

- yes -

-
-

- lru_hash -

-
-

- yes -

-
-

- lru_percpu_hash -

-
-

- yes -

-
-

- lpm_trie -

-
-

- yes -

-
-

- array_of_maps -

-
-

- yes -

-
-

- hash_of_maps -

-
-

- yes -

-
-

- devmap -

-
-

- yes -

-
-

- sockmap -

-
-

- yes -

-
-

- cpumap -

-
-

- yes -

-
-

- xskmap -

-
-

- yes -

-
-

- sockhash -

-
-

- yes -

-
-

- cgroup_storage -

-
-

- yes -

-
-

- reuseport_sockarray -

-
-

- yes -

-
-

- percpu_cgroup_storage -

-
-

- yes -

-
-

- queue -

-
-

- yes -

-
-

- stack -

-
-

- yes -

-
-

- sk_storage -

-
-

- yes -

-
-

- devmap_hash -

-
-

- yes -

-
-

- struct_ops -

-
-

- yes -

-
-

- ringbuf -

-
-

- yes -

-
-

- inode_storage -

-
-

- yes -

-
-

- task_storage -

-
-

- yes -

-
-

- bloom_filter -

-
-

- yes -

-
-

- user_ringbuf -

-
-

- yes -

-
-

- cgrp_storage -

-
-

- yes -

-
-
-
-
-
-
-
-
-

Chapter 8. Bug fixes

-
-
-
-

- This part describes bugs fixed in Red Hat Enterprise Linux 9.3 that have a significant impact on users. -

-
-
-
-
-

8.1. Installer and image creation

-
-
-
-
-

The installation program now correctly processes the --proxy option of the url Kickstart - command

-

- Previously, the installation program did not correctly process the --proxy option of the url Kickstart - command. As a consequence, you could not use the specified proxy to fetch the installation - image. With this update, the issue is fixed and the --proxy option - now works as expected. -

-
-

- Bugzilla:2177219 -

-
-

The --noverifyssl option for liveimg no longer checks the server’s certificate for images - downloaded using HTTPS

-

- Previously, the installation program ignored the --noverifyssl - option from the liveimg Kickstart command. Consequently, if the - server’s certificate could not be validated for images downloaded using the HTTPS protocol, the - installation process failed. With this update, this issue has been fixed, and the --noverifyssl option of the liveimg - Kickstart command works correctly. -

-
-

- Bugzilla:2157921 -

-
-

Anaconda now validates LUKS passphrases for the FIPS requirements -

-

- Previously, Anaconda did not check whether the length of LUKS passphrases satisfied the FIPS - requirements, even though the underlying tools performed this check. As a consequence, - installing in FIPS mode with a passphrase shorter than 8 characters caused the installer to stop - prematurely. -

-
-

- With this update, the installation program has been improved to validate and enforce the minimum - length for passphrase. As a result, the installation program informs if the LUKS passphrase is too - short for use in the FIPS mode and prevents the unexpected stop. -

-

- Bugzilla:2163497 -

-
-

The new version of xfsprogs no longer shrinks - the size of /boot

-

- Previously, the xfsprogs package with the 5.19 version in the RHEL - 9.3 caused the size of /boot to shrink. As a consequence, it caused - a difference in the available space on the /boot partition, if - compared to the RHEL 9.2 version. This fix increases the /boot - partition to 600 MiB for all images, instead of 500 MiB, and the /boot partition is no longer affected by space issues. -

-
-

- Jira:RHEL-7999 -

-
-
-
-
-
-

8.2. Security

-
-
-
-
-

OpenSSL commands cms and smime can encrypt files in FIPS mode

-

- Previously, the default configuration of the cms and smime OpenSSL commands used legacy encryption algorithms, such as - 3DES or PKCS #1 v1.5. These algorithms are disabled in FIPS mode. As a result, encrypting files - by using the smime command with the default settings did not work - on systems in FIPS mode. This update introduces the following changes: -

-
-
-
    -
  • - In FIPS mode, OpenSSL APIs create CMS data by using OAEP with RSA keys by default. -
  • -
  • - In FIPS mode, the cms OpenSSL command creates CMS files - encrypted with aes-128-cbc and OAEP when provided RSA keys. -
  • -
-
-

- The use of ECDSA keys is unaffected. In non-FIPS mode, OpenSSL APIs and the cms command continue to use PKCS#1 v1.5 padding and 3DES encryption by - default. -

-

- As a consequence, you can use the cms and smime OpenSSL commands in FIPS mode to encrypt files. -

-

- Bugzilla:2160797 -

-
-

SELinux allows mail replication in Dovecot

-

- You can configure the Dovecot high-performance mail delivery agent for high availability with - two-way replication set, but the SELinux policy previously did not contain rules for the dovecot-deliver utility to communicate over a pipe in the runtime - filesystem. As a consequence, mail replication in Dovecot did not work. With this update, - permissions have been added to the SELinux policy, and as a result, mail replication in Dovecot - works. -

-
-

- Bugzilla:2170495[1] -

-
-

Booting from an NFS filesystem now works with SELinux set to enforcing - mode

-

- Previously, when using NFS as the root filesystem, SELinux labels were not forwarded from the - server, causing boot failures when SELinux was set to enforcing mode. -

-
-

- With this fix, SELinux has been fixed to correctly flag NFS mounts created before the initial - SELinux policy load as supporting security labels. As a result, the NFS mount now forwards SELinux - labels between the server and the client and the boot can succeed with SELinux set to enforcing - mode. -

-

- Bugzilla:2218207[1] -

-
-

rabbitmq no longer fails with IPv6 -

-

- Previously, when you deployed rabbitmq server with IPv6 enabled, - the inet_gethost command tried to access the /proc/sys/net/ipv6/conf/all/disable_ipv6 file. Consequently, the - system denied access to /proc/sys/net/ipv6/conf/all/disable_ipv6. - With this update, system can now read /proc/sys/net/ipv6/conf/all/disable_ipv6, and rabbitmq now works with IPv6. -

-
-

- Bugzilla:2184999 -

-
-

Registration to Insights through cloud-init is - no longer blocked by SELinux

-

- Previously, the SELinux policy did not contain a rule that allows the cloud-init script to run the insights-client service. Consequently, an attempt to run the insights-client --register command by the cloud-init script failed. With this update, the missing rule has been - added to the policy, and you can register to Insights through cloud-init with SELinux in enforcing mode. -

-
-

- Bugzilla:2162663 -

-
-

Users in the staff_r SELinux role can now run - scap_workbench probes

-

- Previously, the selinux-policy packages did not contain rules for - users in the staff_r SELinux role required to run the scap-workbench utility. Consequently, scap-workbench probes failed when run by user in the staff_r SELinux role. With this update, the missing rules have been - added to selinux-policy, and SELinux users can now run scap_workbench probes. -

-
-

- Bugzilla:2112729 -

-
-

Permissions for insights-client added to the - SELinux policy

-

- The insights-client service requires permissions that were not in - the previous versions of the selinux-policy. As a consequence, some - components of insights-client did not work correctly and reported - access vector cache (AVC) error messages. This update adds new permissions to the SELinux - policy. As a result, insights-client runs correctly without - reporting AVC errors. -

-
-

- Jira:RHELPLAN-163014[1], Bugzilla:2190178, Bugzilla:2224737, - Bugzilla:2207894, Bugzilla:2214581 -

-
-

Keylime allowlist generation script updated

-

- The Keylime script create_allowlist.sh generates an allowlist for - the Keylime policy. In RHEL 9.3, it was replaced with the create_runtime_policy.sh script, which failed when trying to convert - the allowlist to the JSON runtime policy. -

-
-

- With this update, the script was reverted to create_allowlist.sh. Now, - you can combine the allowlist and excludelist into the JSON runtime policy by using the keylime_create_policy script. -

-

- Jira:RHEL-11866[1] -

-
-

Keylime no longer requires a specific file for tls_dir = default

-

- Previously, when the tls_dir variable was set to default in Keylime verifier or registrar configuration, Keylime - rejected custom certificate authority (CA) certificates that had a different file name than - cacert.crt. With this update, the problem no longer occurs, and you - can use custom CA certificate files even with the tls_dir = default - setting. -

-
-

- Jira:RHELPLAN-157337[1] -

-
-

Environment variables can override Keylime agent options with - underscores

-

- Previously, when a Keylime agent configuration option name contained an underscore (_), - overriding this option through environment variables did not work. With this update, the - override through environment variables works correctly even when an option name contains an - underscore. -

-
-

- Jira:RHEL-395[1] -

-
-

Keylime registrar correctly identifies IPv6 addresses

-

- Previously, the Keylime registrar did not correctly recognize IPv6 addresses, and therefore - failed to bind its listening port. With this update, the registrar properly identifies IPv6 - addresses and, consequently, binds to its port correctly. -

-
-

- Jira:RHEL-392[1] -

-
-

Keylime agent correctly handles IPv6 addresses

-

- Previously, when registering a Keylime agent by using an IPv6 address not enclosed in brackets, - [ ], the keylime_tenant utility failed with an error. With this - update, keylime_tenant handles IPv6 addresses correctly even when - they are not enclosed in brackets. -

-
-

- Jira:RHEL-393[1] -

-
-

Keylime no longer fails measured boot attestation due to new events in QEMU - VMs

-

- An update of the edk2-ovmf package introduced a new type of events - in the measured boot log for virtual systems operated by QEMU. These events caused failures in - Keylime measured boot attestation. With this update, Keylime handles these events correctly. -

-
-

- Jira:RHEL-947[1] -

-
-

Keylime webhook notifier correctly closes TLS sessions

-

- Previously, the keylime webhook notifier did not correctly close TLS sessions. This caused - warnings being reported on the listener side. This update fixed this issue, and the webhook - notifier now correctly closes TLS sessions. -

-
-

- Jira:RHEL-1252[1] -

-
-

gpg-agent now works as an SSH agent in FIPS - mode

-

- Previously, the gpg-agent tool created MD5 fingerprints when adding - keys to the ssh-agent program even though FIPS mode disabled the - MD5 digest. As a consequence, the ssh-add utility failed to add the - keys to the authentication agent. -

-
-

- With this release, gpg-agent no longer use MD5 checksums. As a result, - gpg-agent now works as an SSH authentication agent also on systems - running in FIPS mode. -

-

- Bugzilla:2073567 -

-
-

tangd-keygen now handles non-default umask correctly

-

- Previously, the tangd-keygen script did not change file permissions - for generated key files. Consequently, on systems with a default user file-creation mode mask - (umask) that prevents reading keys to other users, the tang-show-keys command returned the error message Internal Error 500 instead of displaying the keys. With this update, - tangd-keygen sets file permissions for generated key files, and - therefore the script now works correctly on systems with non-default umask. -

-
-

- Bugzilla:2188743 -

-
-

fapolicyd service no longer runs programs that - are removed from the trusted database

-

- Previously, the fapolicyd service incorrectly handled a program as - trusted even after it was removed from the trusted database. As a result, entering the fapolicyd-cli --update command had no effect, and the program could - be executed even after being removed. With this update, the fapolicyd-cli --update command correctly updates the trusted programs - database, and removed programs can no longer be executed. -

-
-

- Jira:RHEL-622 -

-
-

fapolicyd no longer causes the system to hang - after mount and umount -

-

- Previously, when the mount or umount - actions were run twice followed by the fapolicyd-cli --update - command, the fapolicyd service might enter an endless loop. As a - result, the system stopped responding. With this update, the service runs the fapolicyd-cli --update command correctly, and the service handles any - number of mount or umount actions. -

-
-

- Jira:RHEL-817 -

-
-

Keylime now accepts concatenated PEM certificates

-

- Previously, when Keylime received a certificate chain as multiple certificates in the PEM format - concatenated in a single file, the keylime-agent-rust Keylime - component produced a TLS handshake failure. As a consequence, the client components (keylime_verifier and keylime_tenant) - could not connect to the Keylime agent. With this update, keylime-agent-rust correctly handles multiple certificates including - intermediary CA certificates. As a result, you can now use concatenated PEM certificates with - Keylime. -

-
-

- Jira:RHEL-396[1] -

-
-

Rsyslog can start even without capabilities

-

- When Rsyslog is executed as a normal user or in a containerized environment, the rsyslog process has no capabilities. Consequently, Rsyslog in this - scenario could not drop capabilities and exited at startup. With this update, the process no - longer attempts to drop capabilities if it has no capabilities. As a result, Rsyslog can start - even when it has no capabilities. -

-
-

- Jira:RHELPLAN-160541[1] -

-
-

io_uring now works without SELinux - denials

-

- Previously, the io_uring kernel interface missed the map permission in the SELinux policy. Consequently, the mmap system call failed and the io_uring - interface did not work properly. With this update, the map - permissions have been allowed in SELinux policy and the interface now works without SELinux - denials. -

-
-

- Bugzilla:2187745 -

-
-

oscap-anaconda-addon can now harden Network - Servers for CIS

-

- Previously, installing RHEL Network Servers with a CIS security profile (cis, cis_server_l1, cis_workstation_l1, or cis_workstation_l2) was not possible with the Network Servers package - group selected. This problem is fixed by excluding the tftp package - in oscap-anaconda-addon-2.0.0-17.el9 provided with RHEL 9.3. As a - consequence, you can install CIS-hardened RHEL Network Servers with the Network Servers package - group. -

-
-

- Bugzilla:2172264 -

-
-

Rules checking home directories apply only to local users

-

- Multiple compliance profiles provided by the scap-security-guide - package contain the following rules that check the correct configuration of user home - directories: -

-
-
-
    -
  • - accounts_umask_interactive_users -
  • -
  • - accounts_user_dot_group_ownership -
  • -
  • - accounts_user_dot_user_ownership -
  • -
  • - accounts_user_interactive_home_directory_exists -
  • -
  • - accounts_users_home_files_groupownership -
  • -
  • - accounts_users_home_files_ownership -
  • -
  • - accounts_users_home_files_permissions -
  • -
  • - file_groupownership_home_directories -
  • -
  • - file_ownership_home_directories -
  • -
  • - file_permissions_home_directories -
  • -
-
-

- These rules correctly check the configuration of local users. Previously, the scanner also - incorrectly checked the configuration of remote users provided by network sources such as NSS even - though the remediation scripts could not change remote users’ configuration. This was because the - OpenSCAP scanner previously used the getpwent() system call. This - update changes the internal implementation of these rules to depend only on the data from the /etc/passwd file. As a result, the rules now apply only to the local - users’ configuration. -

-

- Bugzilla:2203791 -

-
-

Password age rules apply only to local users

-

- Some compliance profiles, for example CIS and DISA STIG, contain the following rules checking - password age and password expiration of user account passwords: -

-
-
-
    -
  • - accounts_password_set_max_life_existing -
  • -
  • - accounts_password_set_min_life_existing -
  • -
  • - accounts_password_set_warn_age_existing -
  • -
  • - accounts_set_post_pw_existing -
  • -
-
-

- These rules correctly check the configuration of local users. Previously, the scanner also - incorrectly checked the configuration of remote users provided by network sources such as NSS even - though the remediation scripts could not change remote users’ configuration. This was because the - OpenSCAP scanner previously used the getpwent() system call. -

-

- This update changes the internal implementation of these rules to depend only on the data from the - /etc/shadow file. As a result, the rules now apply only to the local - users’ configuration. -

-

- Bugzilla:2213958 -

-
-

Red Hat CVE feeds have been updated

-

- The version 1 of Red Hat Common Vulnerabilities and Exposures (CVE) feeds at https://access.redhat.com/security/data/oval/ - has been discontinued and replaced by the version 2 of the CVE feeds located at https://access.redhat.com/security/data/oval/v2/. -

-
-

- Consequently, the links in SCAP source data streams provided by the scap-security-guide package have been updated to link to the new version - of the Red Hat CVE feeds. -

-

- Bugzilla:2223178 -

-
-

Rules related to journald configuration no - longer add extra quotes

-

- Previously, the SCAP Security Guide rules journald_compress, journald_forward_to_syslog, and journald_storage previously contained a bug in the remediation script - which caused adding extra quotes to the configuration options in the /etc/systemd/journald.conf configuration file. Consequently, the - journald system service failed to parse the configuration options - and ignored them. Therefore, the configuration options were not effective. This caused false - pass results in OpenSCAP scans. With this update, the rules and - remediations scripts no longer add the extra quotes. As a result, these rules now produce a - valid configuration for journald. -

-
-

- Bugzilla:2193169 -

-
-

Files under /var/lib/fdo now get the correct - SElinux label

-

- Previously, there was a security issue that allowed the FDO process to access the entire host. - With this update, by using the service-info-api server with - SElinux, you can add any file to send to the device under the /var/lib/fdo directory, and, as a consequence, the files under /var/lib/fdo will now get the correct SElinux label. -

-
-

- Bugzilla:2229722 -

-
-
-
-
-
-

8.3. Subscription management

-
-
-
-
-

subscription-manager no longer retains - nonessential text in the terminal

-

- Starting with RHEL 9.1, subscription-manager displays progress - information while processing any operation. Previously, for some languages, typically non-Latin, - progress messages did not clean up after the operation finished. With this update, all the - messages are cleaned up properly when the operation finishes. -

-
-

- If you have disabled the progress messages before, you can re-enable them by entering the following - command: -

-
# subscription-manager config --rhsm.progress_messages=1
-

- Bugzilla:2136694[1] -

-
-
-
-
-
-

8.4. Software management

-
-
-
-
-

The dnf needs-restarting -s command now - correctly displays the list of systemd services

-

- Previously, when you used the needs-restarting command with the - -s or --services option, an error - occurred when a non-systemd or malfunctioning process was detected. With this update, the dnf needs-restarting -s command ignores such processes and displays a - warning instead with the list of affected systemd services. -

-
-

- Bugzilla:2203100 -

-
-

The dnf-automatic command now correctly - reports the exit status of transactions

-

- Previously, the dnf-automatic command returned a successful exit - code of a transaction even if some actions during this transaction were not successfully - completed. This could cause a security risk on machines that use dnf-automatic for automatic deployment of errata. With this update, - the issue has been fixed and dnf-automatic now reports every - problem with packages during the transaction. -

-
-

- Bugzilla:2212262 -

-
-

Installing packages with IMA signatures on file systems without extended - file attributes no longer fails

-

- Previously, RPM tried to apply IMA signatures to files even if they did not support these - signatures. As a consequence, package installation failed. With this update, RPM skips applying - IMA signatures. As a result, package installation no longer fails. -

-
-

- Bugzilla:2157836 -

-
-
-
-
-
-

8.5. Shells and command-line tools

-
-
-
-
-

The rsyslog logging service now starts at boot - of the rescue system

-

- Previously, the rsyslog service for message logging did not - automatically start in the rescue system. The /dev/log socket kept - receiving messages during the recovery process with no service listening at this socket. - Consequently, the /dev/log socket was filled with messages and - caused the recovery process to be stuck. For example, the grub2-mkconfig command to regenerate the GRUB configuration produces - a high amount of log messages depending on the number of mounted file systems. If you used ReaR - to recover systems with many mounted file systems, numerous log messages would fill the /dev/log socket, and the recovery process froze. -

-
-

- With this fix, the systemd units in the rescue system now include the - sockets target in the boot procedure to start the logging socket at boot. As a result, the rsyslog service starts in the rescue environment when required, and the - processes that need to log messages during recovery are no longer stuck. The recovery process - completes successfully and you can find the log messages in the /var/log/messages file in the rescue RAM disk. -

-

- Bugzilla:2172912 -

-
-

The which command no longer fails for a long - path

-

- Previously, when you executed the which command in a directory with - a path longer than 256 characters, the command failed with the Can’t get current working directory error message. With this fix, the - which command now uses the PATH_MAX - value for the path length limit. As a result, the command no longer fails. -

-
-

- Bugzilla:2181974 -

-
-

ReaR now supports UEFI Secure Boot with OUTPUT=USB

-

- Previously, the OUTPUT=USB ReaR output method, which stores the - rescue image on a bootable disk drive, did not respect the SECURE_BOOT_BOOTLOADER setting. Consequently, on systems with UEFI - Secure Boot enabled, the disk with the rescue image would not boot because the boot loader was - not signed. -

-
-

- With this fix, the OUTPUT=USB ReaR output method now uses the boot - loader that you specify in the SECURE_BOOT_BOOTLOADER setting when - creating the rescue disk. To use the signed UEFI shim boot loader, change the following setting in - the /etc/rear/local.conf file: -

-
SECURE_BOOT_BOOTLOADER=/boot/efi/EFI/redhat/shimx64.efi
-

- As a result, the rescue disk is bootable when UEFI Secure Boot is enabled. It is safe to set the - variable to this value on all systems with UEFI, even when Secure Boot is not enabled. It is even - recommended for consistency. For details about the UEFI boot procedure and the shim boot loader, see - UEFI: what happens when booting - the system. -

-

- Bugzilla:2196445 -

-
-

System recovered by ReaR no longer fails to mount all VG logical - volumes

-

- The /etc/lvm/devices/system.devices file represents the Logical - Volume Manager (LVM) system devices and controls device visibility and usability to LVM. By - default, the system.devices feature is enabled in RHEL 9 and when - active, it replaces the LVM device filter. -

-
-

- Previously, when you used ReaR to recover the systems to disks with hardware IDs different from - those the original system used, the recovered system did not find all LVM volumes and failed to - boot. With this fix, if ReaR finds the system.devices file, ReaR moves - this file to /etc/lvm/devices/system.devices.rearbak at the end of - recovery. As a result, the recovered system does not use the LVM devices file to restrict device - visibility and the system finds the restored volumes at boot. -

-

- Optional: If you want to restore the default behavior and regenerate the LVM devices file, use the - vgimportdevices -a command after booting the recovered system and - connecting all disk devices needed for a normal operation, in case you disconnected any disks before - the recovery process. -

-

- Bugzilla:2145014 -

-
-
-
-
-
-

8.6. Networking

-
-
-
-
-

Intel Corporation I350 Gigabit Fiber Network Connection now provides a link - after kernel update

-

- Previously, hardware configurations with Small Formfactor Pluggable (SFP) transceiver modules - without External Thermal Sensor (ETS) caused the igb driver to - erroneously initialize the Inter-Integrated Circuit (I2C) to read ETS. As a consequence, - connections did not obtain links. With this bug fix, the igb driver - only initializes I2C when SFP with ETS is available. As a result, connections obtain links. -

-
-

- Bugzilla:2173594[1] -

-
-

The nm-cloud-setup service no longer removes - manually-configured secondary IP addresses from interfaces

-

- Based on the information received from the cloud environment, the nm-cloud-setup service configured network interfaces. While you had - the option to disable nm-cloud-setup for manual interface - configuration, certain scenarios led to conflicts. In some cases, other services on the host - would independently configure interfaces, including the addition of secondary IP addresses. - nm-cloud-setup incorrectly removed these secondary IP addresses - when triggered again by the systemd timer unit. This update for the - NetworkManager package fixes the problem. You only need to wait for - the systemd timer unit to trigger nm-cloud-setup. If you do not want to wait for the timer, you can - enable nm-cloud-setup manually with the following command: -

-
-
# systemctl enable nm-cloud-setup.service
-

- As a result, nm-cloud-setup no longer removes manually-configured - secondary IP addresses from interfaces. -

-

- Bugzilla:2151040 -

-
-
-
-
-
-

8.7. Kernel

-
-
-
-
-

RHEL previously failed to recognize NVMe disks when VMD was - enabled

-

- When you reset or reattached a driver, the Volume Management Device (VMD) domain previously did - not soft-reset. Consequently, the hardware could not properly detect and enumerate its devices. - With this update, the operating system with VMD enabled now correctly recognizes NVMe disks, - especially when resetting a server or working with a VM machine. -

-
-

- Bugzilla:2128610[1] -

-
-
-
-
-
-

8.8. Boot loader

-
-
-
-
-

GRUB now correctly handles non-debug kernel variants

-

- Previously, in systems with multiple kernel RPMs installed, entering the dnf install kernel-$VERSION or dnf update commands set the last-installed kernel as the default - kernel. This occurred, for example, in systems with the standard kernel and real-time kernel on - AMD and Intel 64-bit architectures, or kernel (4k) and kernel-64k - on 64-bit ARM architecture. As a consequence, the system could boot into the unneeded kernel on - future reboots. With this update, GRUB uses the DEFAULTKERNEL - variable in the /etc/sysconfig/kernel configuration file, and the - default kernel remains the proper variant and latest version. -

-
-

- For more information, see the Changing the default kernel in Red Hat - Enterprise Linux 8 & 9 solution. -

-

- Bugzilla:2184069[1] -

-
-
-
-
-
-

8.9. File systems and storage

-
-
-
-
-

The lpfc driver is in a valid state during the - D_ID port swap

-

- Previously, the SAN Boot host, after issuing the NetApp giveback operation, resulted in LVM hung - task warnings and stalled I/O. This problem occurred even when alternate paths were available in - a DM-Multipath environment due to the fiber channel D_ID port swap. - As a consequence of the race condition, the D_ID port swap resulted - in an inconsistent state in the lpfc driver, which prevented I/O - from being issued. -

-
-

- With this fix, the lpfc driver now ensures a valid state when the D_ID port swap occurs. As a result, a fiber channel D_ID port swap does not cause hung I/O. -

-

- Bugzilla:2173947[1] -

-
-

multipathd adds the persistent reservation - registration key to all paths

-

- Previously, when the multipathd daemon started and it recognized a - registration key for the persistent reservations on one path of an existing multipath device, - not all paths of that device had the registration key. As a consequence, if new paths appeared - to a multipath device with persistent reservations while multipathd - was stopped, persistent reservations were not set up on those. This allowed IO processing on the - paths, even if they were supposed to be forbidden by the reservation key. -

-
-

- With this fix, if multipathd finds a persistent reservation - registration key on any device path, it adds the key to all active paths. As a result, multipath - devices now have persistent reservations set up correctly on all the paths, even if path devices - first appear while multipathd is not running. -

-

- Bugzilla:2164869 -

-
-

LUNs are now visible during the operating system installation

-

- Previously, the system was not using the authentication information from firmware sources, - specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake - Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a - consequence, the iSCSI login failed during installation. -

-
-

- With the fix in the udisks2-2.9.4-9.el9 firmware authentication, this - issue is now resolved and LUNs are visible during the installation and initial boot. -

-

- Bugzilla:2213769[1] -

-
-

System boots correctly when adding a NVMe-FC device as a mount point in - /etc/fstab

-

- Previously, due to a known issue in the nvme-cli nvmf-autoconnect systemd services, systems failed to boot - while adding the Non-volatile Memory Express over Fibre Channel (NVMe-FC) devices as a mount - point in the /etc/fstab file. Consequently, the system entered into - an emergency mode. With this update, a system boots without any issue when mounting an NVMe-FC - device. -

-
-

- Jira:RHEL-8171[1] -

-
-
-
-
-
-

8.10. High availability and clusters

-
-
-
-
-

The pcs config checkpoint diff command now - works correctly for all configuration sections

-

- As of the RHEL 9.0 release, the pcs config checkpoint diff command - had stopped showing the differences for the following configuration sections: Fencing Levels, - Ordering Constraints, Colocation Constraints, Ticket Constraints, Resources Defaults, and - Operations Defaults. As of the RHEL 9.1 release, the pcs config checkpoint diff command had stopped showing the - differences for the Resources and Stonith devices configuration sections. This is because as the - code responsible for displaying each of the different configuration sections switched to a new - mechanism for loading CIB files, the loaded content was cached. The second file used for the - difference comparison was not loaded and the cached content of the first file was used instead. - As a result, the diff command yielded no output. With this fix, the - CIB file content is no longer cached and the pcs config checkpoint diff command shows differences for all - configuration sections. -

-
-

- Bugzilla:2175881 -

-
-

pcsd Web UI now displays cluster status when - fence levels are configured

-

- Previously, the pcsd Web UI did not display cluster status when - fence levels were configured. With this fix, you can now view the cluster status and change the - cluster settings with the Web UI when fence levels are configured. -

-
-

- Bugzilla:2182810 -

-
-

A fence watchdog configured as a second fencing device now fences a node - when the first device times out

-

- Previously, when a watchdog fencing device was configured as the second device in a fencing - topology, the watchdog timeout would not be considered when calculating the timeout for the - fencing operation. As a result, if the first device timed out the fencing operation would time - out even though the watchdog would fence the node. With this fix, the watchdog timeout is - included in the fencing operation timeout and the fencing operation succeeds if the first device - times out. -

-
-

- Bugzilla:2182482 -

-
-

Location constraints with rules no longer displayed when listing is grouped - by nodes

-

- Location constraints with rules cannot have a node assigned. Previously, when you grouped the - listing by nodes, location constraints with rules were displayed under an empty node. With this - fix, the location constraints with rules are no longer displayed and a warning is given - indicating that constraints with rules are not displayed. -

-
-

- Bugzilla:1423473 -

-
-

pcs command to update multipath SCSI devices - now works correctly

-

- Due to changes in the Pacemaker CIB file, the pcs stonith update-scsi-devices command stopped working as designed, - causing an unwanted restart of some cluster resources. With this fix, this command works - correctly and updates SCSI devices without requiring a restart of other cluster resources - running on the same node. -

-
-

- Bugzilla:2177996 -

-
-

Memory footprint of pcsd-ruby daemon now - reduced when pscd Web UI is open

-

- Previously, when the pcsd Web UI was open, memory usage of the - pcsd-ruby daemon increased steadily over the course of several - hours. With this fix, the web server that runs in the pcsd-ruby - daemon now periodically performs a graceful restart. This frees the allocated memory and reduces - the memory footprint. -

-
-

- Bugzilla:1860626[1] -

-
-

The azure-events-az resource agent no longer - produces an error with Pacemaker 2.1 and later

-

- The azure-events-az resource agent executes the crm_simulate -Ls command and parses the output. With Pacemaker 2.1 - and later, the output of the crm_simulate command no longer - contains the text Transition Summary:, which resulted in an error. - With this fix, the agent no longer yields an error when this text is missing. -

-
-

- Bugzilla:2182415 -

-
-

The mysql resource agent now works correctly - with promotable clone resources

-

- Previously, the mysql resource agent moved cloned resources that - were operating in a Promoted role between nodes, due to promotion scores changing between - promoted and non-promoted values. With this fix, a node in a Promoted role remains in a Promoted - role. -

-
-

- Bugzilla:2179003[1] -

-
-

The fence_scsi agent is now able to - auto-detect shared lvmlockd devices

-

- Previously, the fence_scsi agent did not auto-detect shared lvmlockd devices. With this update, fence_scsi is able to auto-detect lvmlockd devices when the devices - attribute is not set. -

-
-

- Bugzilla:2187327 -

-
-
-
-
-
-

8.11. Compilers and development tools

-
-
-
-
-

The glibc system() function now restores the previous signal mask - unconditionally

-

- Previously, if the glibc system() - function was called concurrently from multiple threads, the signal mask for the SIGCHLD signal might not be restored correctly. As a consequence, the - SIGCHLD signal remained blocked after the return from the glibc system() function on some threads. -

-
-

- With this update, the glibc system() - function now restores the previous signal mask unconditionally, even when parallel system() function calls are running. As a result, the SIGCHLD signal is no longer incorrectly blocked if the glibc system() function is called - concurrently from multiple threads. -

-

- Bugzilla:2177235 -

-
-

eu-addr2line -C now correctly recognizes other - arguments

-

- Previously, when you used the -C argument in eu-addr2line command from elfutils, the - following single character argument disappeared. Consequently, the eu-addr2line -Ci command behaved the same way as eu-addr2line -C while eu-addr2line -iC - worked as expected. This bug has been fixed, and eu-addr2line -Ci - now recognizes both arguments. -

-
-

- Bugzilla:2182059 -

-
-

eu-addr2line -i now correctly handles code - compiled with GCC link-time optimization

-

- Previously, the dwarf_getscopes function from the libdw library included in elfutils was - unable to find an abstract origin definition of a function that was compiled with GCC link-time - optimization. Consequently, when you used the -i argument in the - eu-addr2line command, eu-addr2line was - unable to show inline functions for code compiled with gcc -flto. - With this update, the libdw dwarf_getscopes function looks in the - correct compile unit for the inlined scope, and eu-addr2line -i - works as expected. -

-
-

- Bugzilla:2236182 -

-
-

Programs using papi no longer stop when - shutting down

-

- Previously, papi initialized threads before papi initialized some components. Because of this, entries for - certain components describing the number of elements in arrays were not set to correct values - and zero-sized memory allocations were attempted. As a consequence, later accesses and frees of - those zero-sized memory allocations caused the programs to stop. -

-
-

- The bug has been fixed and programs using papi no longer stop when - shutting down. -

-

- Bugzilla:2215582 -

-
-

The OpenJDK XML signature provider is now functional in FIPS mode -

-

- Previously, the OpenJDK XML signature provider was unable to operate in FIPS mode. As a result - of enhancements to FIPS mode support the OpenJDK XML signature provider is now enabled in FIPS - mode. -

-
-

- Bugzilla:2186647 -

-
-
-
-
-
-

8.12. Identity Management

-
-
-
-
-

Paged searches from a regular user now do not impact performance -

-

- Previously, when Directory Server was under the search load, paged searches from a regular user - could impact the server performance because a lock conflicted with the thread that polls for - network events. In addition, if a network issue occurred while sending the page search, the - whole server was unresponsive until the nsslapd-iotimeout parameter - expired. With this update, the lock was split into several parts to avoid the contention with - the network events. As a result, no performance impact during paged searches from a regular - user. -

-
-

- Bugzilla:1974242 -

-
-

Schema replication now works correctly in Directory Server

-

- Previously, when Directory Server replicated a schema to a new server, it added all the schema - to the 99user.ldif file on the remote replica. It seemed it was all - custom schema because X-ORIGIN keyword was set to user defined for all definitions. As a result, it could cause issues - with the web console and possibly for customers who monitor the schema and expect the X-ORIGIN keyword to have specific values. With this update, schema - replication works as expected. -

-
-

- Bugzilla:1759941 -

-
-

Referral mode is now working correctly in Directory Server

-

- Previously, CLI set nsslapd-referral configuration attribute to the - backend and not to the mapping tree. As a result, referral mode did not work. With this update, - the nsslapd-referral attribute is set correctly and the referral - mode works as expected. -

-
-

- Bugzilla:2053204 -

-
-

The LMDB import now works faster

-

- Previously, to build the entryrdn index, LMDB import worker threads - waited for other worker threads to ensure that the parent entry was processed. This generated - lock contention that drastically slowed import. With this update, the LDIF import over LMDB - database was redesigned and the provider thread stores the data about the entry RDN and its - parents in a temporary database that the worker thread uses to build the entryrdn index. As a result, worker threads synchronization is no - longer needed and the average import rate is better. -

-
-

- Note that the LMDB import still has an import rate three times slower than the BDB import because - LMDB does not support concurrent write transactions. -

-

- Bugzilla:2116948 -

-
-

The dirsrv service now starts correctly after - reboot

-

- Previously, dirsrv service could fail to start after reboot because - dirsrv service did not explicitly wait for systemd-tmpfiles-setup.service to finish. This led to a race - condition. With this update, dirsrv service waits for the systemd-tmpfiles-setup.service to finish and no longer fail to start - after reboot. -

-
-

- Bugzilla:2179278 -

-
-

Changing a security parameter now works correctly

-

- Previously, when you changed a security parameter by using the dsconf instance_name security set - command, the operation failed with the error: -

-
-
Name 'log' is not defined
-

- With this update, the security parameter change works as expected. -

-

- Bugzilla:2189717 -

-
-

SSSD now uses sAMAccountName when evaluating - GPO-based access control

-

- Previously, if ldap_user_name was set to a value other than sAMAccountName on an AD client, GPO-based access control failed. With - this update, SSSD now always uses sAMAccountName when evaluating - GPO-based access control. Even if ldap_user_name is set to a value - different from sAMAccountName on an AD client, GPO-based access - control now works correctly. -

-
-

- Jira:SSSD-6107 -

-
-

SSSD now handles duplicate attributes in the user_attributes option when retrieving users

-

- Previously, if sssd.conf contained duplicate attributes in the - user_attributes option, SSSD did not handle these duplicates - correctly. As a consequence, users with those attributes could not be retrieved. With this - update, SSSD now handles duplicates correctly. As a result, users with duplicate attributes can - now be retrieved. -

-
-

- Jira:SSSD-6177 -

-
-

The dynamic Kerberos PAC ticket signature enforcement mechanism now fixes - cross-version incompatibility in IdM

-

- Previously, if your Identity Management (IdM) deployment featured servers running on both RHEL 9 - and RHEL 8, the incompatibility caused by the upstream implementation of the Privilege Attribute - Certificate (PAC) ticket signature support caused certain operations to fail. With this update, - the implementation of the dynamic ticket signature enforcement mechanism feature in RHEL 9 fixes - this cross-version incompatibility. For this feature to actually take effect, you must: -

-
-
-
    -
  1. - Update all the servers in the domain. -
  2. -
  3. - Restart all the IdM Kerberos Distribution Center (KDC) services. -
  4. -
-
-

- The order of these two actions is important. When starting, the KDCs query the metadata of all the - other servers in the domain to check if they all support the PAC ticket signature. If this is not - the case, the signature will not be enforced. -

-

- For more information about the dynamic Kerberos PAC ticket signature enforcement mechanism, - including an example of a constrained delegation request, see this Knowledgebase article. -

-

- Jira:RHELDOCS-17011[1], Bugzilla:2182683, Bugzilla:2178298 -

-
-

SHA-1 signature verification can now be allowed in FIPS mode

-

- Previously, it was not possible to allow the use of SHA-1 signature verification when Identity - Management (IdM) was in FIPS mode. This is because IdM uses the FIPS-140-3 standard, which does - not allow SHA-1 signatures. This situation caused problems with Active Directory (AD) - interoperability, because AD only complies with the older FIPS-140-2 standard and therefore - requires SHA-1 signatures. -

-
-

- This update introduces a FIPS exception for PKINIT signature verification. When FIPS mode is enabled - in IdM, its restrictions are ignored. Only default mode restrictions are applied, allowing the use - of the SHA1 crypto module even when in FIPS mode. As a result, AD - interoperability in FIPS mode works as intended. -

-

- In the scenario of an IdM/AD trust, or using a RHEL 9.2 or later host as an AD client, you need to - set the crypto policy to FIPS:AD-SUPPORT:SHA1 to support PKINIT while in FIPS mode. -

-

- Bugzilla:2155607 -

-
-

Deleting the IdM admin user is now no longer - permitted

-

- Previously, nothing prevented you from deleting the Identity Management (IdM) admin user if you were a member of the admins group. The absence of the admin - user causes the trust between IdM and Active Directory (AD) to stop functioning correctly. With - this update, you can no longer delete the admin user. As a result, - the IdM-AD trust works correctly. -

-
-

- Bugzilla:2229712 -

-
-

ipa-kdb no longer causes krb5kdc to fail

-

- Previously, the ipa-kdb driver did not differentiate between the - absence of a server host object and a connection failure. Consequently, the krb5kdc server sometimes stopped unexpectedly because of a NULL LDAP context produced by a connection issue with the LDAP - server. -

-
-

- With this update, the ipa-kdb driver correctly identifies connection - failures and differentiates between them and the absence of a server host object. As a result, the - krb5kdc server does not fail anymore. -

-

- Bugzilla:2227831 -

-
-

The IdM client installer no longer specifies the TLS CA configuration in - the ldap.conf file

-

- Previously, the IdM client installer specified the TLS CA configuration in the ldap.conf file. With this update, OpenLDAP uses the default - truststore and the IdM client installer does not set up the TLS CA configuration in the ldap.conf file. -

-
-

- Bugzilla:2094673 -

-
-

IdM clients correctly retrieve information for trusted AD users when their - names contain mixed case characters

-

- Previously, if you attempted a user lookup or authentication of a user, and that trusted Active - Directory (AD) user contained mixed case characters in their names and they were configured with - overrides in IdM, an error was returned preventing users from accessing IdM resources. -

-
-

- With the release of RHBA-2023:4359, a case-sensitive - comparison is replaced with a case-insensitive comparison that ignores the case of a character. As a - result, IdM clients can now lookup users of an AD trusted domain, even if their usernames contain - mixed case characters and they are configured with overrides in IdM. -

-

- Jira:SSSD-6096 -

-
-
-
-
-
-

8.13. The web console

-
-
-
-
-

The web console NBDE binding steps now work also on volume groups with a - root file system

-

- In RHEL 9.2, due to a bug in the code for determining whether or not the user was adding a Tang - key to the root file system, the binding process in the web console crashed when there was no - file system on the LUKS container at all. Because the web console displayed the error message - TypeError: Qe(…​) is undefined after you had clicked the Trust key button in the Verify key - dialog, you had to perform all the required steps in the command-line interface in the described - scenario. -

-
-

- With this update, the web console correctly handles additions of Tang keys to root file systems. As - a result, the web console finishes all binding steps required for the automated unlocking of - LUKS-encrypted volumes using Network-Bound Disk Encryption (NBDE) in various scenarios. -

-

- Bugzilla:2203361 -

-
-

VNC console now works at most resolutions

-

- Previously, when using the Virtual Network Computing (VNC) console under certain display - resolutions, a mouse offset problem was present or only a part of the interface was visible. - Consequently, using the VNC console was not possible. -

-
-

- With this update, the problem has been fixed and the VNC console works correctly at most - resolutions, with the exception of ultra high resolutions, such as 3840x2160. -

-

- Note that a small offset between the recorded and displayed positions of the cursor might still be - present. However, this does not significantly impact the usability of the VNC console. -

-

- Bugzilla:2030836 -

-
-
-
-
-
-

8.14. Red Hat Enterprise Linux System roles

-
-
-
-
-

The storage role can now resize the mounted - file systems without unmounting

-

- Previously, the storage role was unable to resize mounted devices, - even if the file system supported online resizing. As a consequence, the storage role unmounted all file systems before resizing, which failed - for file systems that were in use, for example, while resizing the / directory of the running system. -

-
-

- With this update, the storage role now supports resizing mounted file - systems that support online resizing such as XFS and Ext4. As a result, the mounted file systems can - now be resized without unmounting them. -

-

- Bugzilla:2168692 -

-
-

The podman_registries_conf variable now - configures unqualified-search-registries field - correctly

-

- Previously, after configuring the podman_registries_conf variable, - the podman RHEL system role failed. Consequently, unqualified-search-registries = ["registry.access.redhat.com"] - setting was not generated in the /etc/containers/registries.conf.d/50-systemroles.conf file. With this - update, this problem has been fixed. -

-
-

- Bugzilla:2211984 -

-
-

The kdump role adds authorized_keys idempotently

-

- Previously, the task to add authorized_key added an extra newline - character every time. Consequently the role was not acting idempotent. With this fix, adding a - new authorized_key works correctly and adds only a single key value - idempotently. -

-
-

- Bugzilla:2232241 -

-
-

The kdump system role does not fail if kdump_authorized_keys is missing

-

- Previously, the kdump system role failed to add SSH authorized keys if the user defined in the kdump_ssh_user variable did not have access to the .ssh directory in the home directory or - an empty .ssh/authorized_keys file. With this fix, the kdump system role now correctly adds authorized keys to the SSH configuration. As a result, the key based authentication works - reliably in the described scenario. -

-
-

- Bugzilla:2232231 -

-
-

Failure to remove data from member disks before creation no longer - persists

-

- Previously, when creating RAID volumes, the system did not effectively eliminate existing data - from member disks before forming the RAID volume. With this update, RAID volumes remove any - per-existing data from member disks as needed. -

-
-

- Bugzilla:2224090 -

-
-

Running the firewall RHEL system role in check - mode with non-existent services no longer fails

-

- Previously, running the firewall role in check mode with - non-existent services would fail. This fix implements better compliance with Ansible best - practices for check mode. As a result, non-existent services being enabled or disabled no longer - fails the role in check mode. Instead, a warning prompts you to confirm that the service is - defined in a previous playbook. -

-
-

- Bugzilla:2222428 -

-
-

The firewall RHEL system role on RHEL 7 no - longer attempts to install non-existent Python packages

-

- Previously, when the firewall role on RHEL 7 was called from - another role, and that role was using python3, the firewall role attempted to install the python3-firewall library for that version of Python. However, that - library is not available in RHEL 7. Consequently, the python3-firewall library was not found, and you received the - following error message: -

-
-
No package matching 'python3-firewall' found available, installed or updated
-

- With this update, the firewall role does not attempt to install the - python-firewall or python3-firewall - library. As a result, the firewall role does not fail on RHEL 7 when - python3 is installed on the managed node. -

-

- Bugzilla:2216520 -

-
-

kdump RHEL system role updates

-

- The kdump RHEL system role has been updated to a newer version, - which brings the following notable enhancements: -

-
-
-
    -
  • - After installing kexec-tools, the utility suite no longer - generates the /etc/sysconfig/kdump file because you do not need - to manage this file anymore. -
  • -
  • - The role supports the auto_reset_crashkernel and dracut_args variables. -
  • -
-
-

- For more details, see resources in the /usr/share/doc/rhel-system-roles/kdump/ directory. -

-

- Bugzilla:2211187 -

-
-

Insights tags created by using the rhc role - are now applied correctly

-

- Previously, when you created Insights tags by using the rhc role, - tags were not stored in the correct file. Consequently, tags were not sent to Insights and as a - result they were not applied to the systems in the Insights inventory. -

-
-

- With this fix, tags are stored correctly and applied to the systems present in the Insights - inventory. -

-

- Bugzilla:2209200 -

-
-

raid_chunk_size parameter no longer returns an - error message

-

- Previously, raid_chunk_size attribute was not allowed for RAID - pools and volumes. With this update, you can now configure the raid_chunk_size attribute for RAID pools and volumes without - encountering any restrictions. -

-
-

- Bugzilla:2193058 -

-
-

The certificate RHEL system role now checks - for the certificate key size when determining whether to perform a new certificate - request

-

- Previously, the certificate RHEL system role did not check the key - size of a certificate when evaluating whether to request a new certificate. As a consequence, - the role sometimes did not issue new certificate requests in cases where it should. With this - update, certificate now checks the key_size parameter to determine if a new certificate request should - be performed. -

-
-

- Bugzilla:2186057 -

-
-

The kdump role adds multiple keys to authorized_keys idempotently

-

- Previously, adding multiple SSH keys to the authorized_keys file at - the same time replaced the key value of one host by another. This update fixes the problem by - using the lineinfile module to manage the authorized_keys file. lineinfile - iterates the tasks in sequence, checking for an existing key and writing the new key in one - atomic operation on a single host at one time. As a result, adding SSH keys on multiple hosts - works correctly, and does not replace the key value from another host. -

-
-

- Note: Use the serial: 1 play serial keyword at play level to control - the number of hosts executing at one time. -

-

- Jira:RHEL-1499[1] -

-
-

The kdump role successfully updates .ssh/authorized_keys for kdump_ssh_server authentication

-

- Previously, the .ssh directory was not accessible by the kdump role to securely authenticate users to log into kdump_ssh_server. As a consequence, the kdump role did not update the .ssh/authorized_keys file and the SSH mechanism to verify the kdump_ssh_server failed. This update fixes the problem. As a result - the kdump_ssh_user authentication on kdump_ssh_server works reliably. -

-
-

- Jira:RHEL-1397[1] -

-
-

Enabling kdump for system role requires using - the failure_action configuration parameter on RHEL 9 and later - versions

-

- Previously, using the default option during kdump configuration was not successful and printed the following - warning in logs: -

-
-
kdump: warning: option 'default' was renamed 'failure_action' and will be removed in the future.
-please update /etc/kdump.conf to use option 'failure_action' instead.
-

- Consequently, the role did not enable kdump successfully if default option was used. This update fixes the problem and you can - configure kernel dump parameters on multiple systems by using the failure_action parameter. As a result, enabling kdump works successfully in the described scenario. -

-

- Jira:RHEL-906[1] -

-
-

The previous: replaced parameter of the firewall system role now overrides the previous configuration - without deleting it

-

- Previously, if you added the previous: replaced parameter to the - variable list, the firewall system role removed all existing - user-defined settings and reset firewalld to the default settings. - This fix uses the fallback configuration in firewalld, which was - introduced in the EL7 release, to retain the previous configuration. As a result, when you use - the previous: replaced parameter in the variable list, the firewall.conf configuration file is not deleted on reset, but the - file and comments in the file are retained. -

-
-

- Jira:RHEL-1495[1] -

-
-

The firewall RHEL system role correctly - reports changes when using previous: replaced in check - mode

-

- Previously, the firewall role was not checking whether any files - would be changed when using the previous: replaced parameter in - check mode. As a consequence, the role gave an error about undefined variables. This fix adds - new check variables to the check mode to assess whether any files would be changed by the previous: replaced parameter. The check for the firewalld.conf file assesses the rpm - database to determine whether the file has been changed from the version shipped in the package. - As a result, the firewall role now correctly reports changes when - using the previous: replaced parameter. -

-
-

- Jira:RHEL-898[1] -

-
-

The firewall RHEL system role correctly - reports changes when assigning zones to Network Manager interfaces

-

- Previously, the Network Manager interface assignment reported changes when no changes were - present. With this fix, the try_set_zone_of_interface module in the - file library/firewall_lib.py returns a second value, which denotes - whether the interface’s zone was changed. As a result, the module now correctly reports changes - when assigning zones to interfaces handled by Network Manager. -

-
-

- Jira:RHEL-885[1] -

-
-

The rhc system role no longer fails on the - registered systems when rhc_auth contains activation - keys

-

- Previously, a failure occurred when you executed playbook files on the registered systems with - the activation key specified in the rhc_auth parameter. This issue - has been resolved. It is now possible to execute playbook files on the already registered - systems, even when activation keys are provided in the rhc_auth - parameter. -

-
-

- Bugzilla:2186218 -

-
-
-
-
-
-

8.15. Virtualization

-
-
-
-
-

The NVIDIA graphics device continues working after VM shutdown

-

- Previously, in the RHEL kernel, device power transition delays were more closely aligned to - those required by the PCIe specification. As a consequence, some NVIDIA GPUs could become - unresponsive when used for device assignment after a shutdown of the attached VM. This update - extends the device power transition delay for NVIDIA audio device functions. As a result, NVIDIA - GPUs continue to work correctly in this scenario. -

-
-

- Bugzilla:2178956[1] -

-
-

Failover virtio NICs are now correctly assigned an IP address on Windows - virtual machines

-

- Previously, when starting a Windows virtual machine (VM) with only a failover virtio NIC, the VM - failed to assign an IP address to the NIC. Consequently, the NIC was unable to set up a network - connection. This problem has been fixed and VM NICs now set up network connections as expected - in the described scenario. -

-
-

- Bugzilla:1969724 -

-
-

The installer shows the expected system disk to install RHEL on VM -

-

- Previously, when installing RHEL on a VM using virtio-scsi devices, - it was possible that these devices did not appear in the installer because of a device-mapper-multipath bug. Consequently, during installation, if - some devices had a serial set and some did not, the multipath - command was claiming all the devices that had a serial. Due to this, the installer was unable to - find the expected system disk to install RHEL in the VM. -

-
-

- With this update, multipath correctly sets the devices with no serial - as having no World Wide Identifier (WWID) and ignores them. On installation, multipath only claims devices that multipathd uses to bind a multipath device, and the installer shows the - expected system disk to install RHEL in the VM. -

-

- Bugzilla:1926147[1] -

-
-

Broadcom network adapters now work correctly on Windows VMs after a live - migration

-

- Previously, network adapters from the Broadcom family of devices, such as Broadcom, Qlogic, or - Marvell, could not be hot-unplugged during live migration of Windows virtual machines (VMs). As - a consequence, the adapters worked incorrectly after the migration was complete. This problem - affected only adapters that were attached to Windows VMs using Single-root I/O virtualization - (SR-IOV). With this update, the underlying code has been fixed and the problem no longer occurs. -

-
-

- Jira:RHEL-910, Bugzilla:2091528, Bugzilla:2111319 -

-
-

nodedev-dumpxml lists attributes correctly for - certain mediated devices

-

- Before this update, the nodedev-dumpxml utility did not list - attributes correctly for mediated devices that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml now displays the attributes of the affected mediated - devices properly. -

-
-

- Bugzilla:2143158 -

-
-

virtiofs devices could not be attached after - restarting virtqemud or libvirtd

-

- Previously, restarting the virtqemud or libvirtd services prevented virtiofs - storage devices from being attached to virtual machines (VMs) on your host. This bug has been - fixed, and you can now attach virtiofs devices in the described - scenario as expected. -

-
-

- Bugzilla:2078693 -

-
-

Hot plugging a Watchdog card to a virtual machine no longer fails -

-

- Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine - (VM) failed with the following error: -

-
-
Failed to configure watchdog
-ERROR Error attempting device hotplug: internal error: No more available PCI slots
-

- With this update, the problem has been fixed and adding a Watchdog card to a running VM now works as - expected. -

-

- Bugzilla:2173584 -

-
-

blob resources do not work correctly for virtio-gpu on IBM Z

-

- The virtio-gpu device is currently not compatible with blob memory resources on IBM Z systems. As a consequence, if you - configure a virtual machine (VM) with virtio-gpu on an IBM Z host - to use blob resources, the VM does not have any graphical output. -

-
-

- Jira:RHEL-7135 -

-
-
-
-
-
-
-

Chapter 9. Technology Previews

-
-
-
-

- This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 9. -

-

- For information on Red Hat scope of support for Technology Preview features, see Technology Preview Features Support - Scope. -

-
-
-
-
-

9.1. Installer and image creation

-
-
-
-
-

NVMe over Fibre Channel devices are now available in RHEL installation - program as a Technology Preview

-

- You can now add NVMe over Fibre Channel devices to your RHEL installation as a Technology - Preview. In RHEL installation program, you can select these devices under the NVMe Fabrics - Devices section while adding disks on the Installation Destination screen. -

-
-

- Bugzilla:2107346 -

-
-
-
-
-
-

9.2. Security

-
-
-
-
-

gnutls now uses kTLS as a Technology - Preview

-

- The updated gnutls packages can use kernel TLS (kTLS) for - accelerating data transfer on encrypted channels as a Technology Preview. To enable kTLS, add - the tls.ko kernel module using the modprobe command, and create a new configuration file /etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide - cryptographic policies with the following content: -

-
-
[global]
-ktls = true
-

- Note that the current version does not support updating traffic keys through TLS KeyUpdate messages, which impacts the security of AES-GCM ciphersuites. - See the RFC 7841 - - TLS 1.3 document for more information. -

-

- Bugzilla:2108532[1] -

-
-
-
-
-
-

9.3. Shells and command-line tools

-
-
-
-
-

GIMP available as a Technology Preview in RHEL 9

-

- GNU Image Manipulation Program (GIMP) 2.99.8 is now available in RHEL 9 as a Technology Preview. - The gimp package version 2.99.8 is a pre-release version with a set - of improvements, but a limited set of features and no guarantee for stability. As soon as the - official GIMP 3 is released, it will be introduced into RHEL 9 as an update of this pre-release - version. -

-
-

- In RHEL 9, you can install gimp easily as an RPM package. -

-

- Bugzilla:2047161[1] -

-
-
-
-
-
-

9.4. Infrastructure services

-
-
-
-
-

Socket API for TuneD available as a Technology Preview

-

- The socket API for controlling TuneD through a UNIX domain socket is now available as a - Technology Preview. The socket API maps one-to-one with the D-Bus API and provides an - alternative communication method for cases where D-Bus is not available. By using the socket - API, you can control the TuneD daemon to optimize the performance, and change the values of - various tuning parameters. The socket API is disabled by default, you can enable it in the tuned-main.conf file. -

-
-

- Bugzilla:2113900 -

-
-
-
-
-
-

9.5. Networking

-
-
-
-
-

WireGuard VPN is available as a Technology Preview

-

- WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance - VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to - configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the - surface for attacks and, therefore, improves the security. -

-
-

- For further details, see Setting - up a WireGuard VPN. -

-

- Bugzilla:1613522[1] -

-
-

kTLS available as a Technology Preview

-

- RHEL provides kernel Transport Layer Security (KTLS) as a Technology Preview. kTLS handles TLS - records using the symmetric encryption or decryption algorithms in the kernel for the AES-GCM - cipher. kTLS also includes the interface for offloading TLS record encryption to Network - Interface Controllers (NICs) that provides this functionality. -

-
-

- Bugzilla:1570255[1] -

-
-

The systemd-resolved service is available as a - Technology Preview

-

- The systemd-resolved service provides name resolution to local - applications. The service implements a caching and validating DNS stub resolver, a Link-Local - Multicast Name Resolution (LLMNR), and Multicast DNS resolver and responder. -

-
-

- Note that systemd-resolved is an unsupported Technology Preview. -

-

- Bugzilla:2020529 -

-
-

The PRP and HSR protocols are now available as a Technology - Preview

-

- This update adds the hsr kernel module that provides the following - protocols: -

-
-
-
    -
  • - Parallel Redundancy Protocol (PRP) -
  • -
  • - High-availability Seamless Redundancy (HSR) -
  • -
-
-

- The IEC 62439-3 standard defines these protocols, and you can use this feature to configure - zero-loss redundancy in Ethernet networks. -

-

- Bugzilla:2177256[1] -

-
-

Offloading IPsec encapsulation to a NIC is now available as a Technology - Preview

-

- This update adds the IPsec packet offloading capabilities to the kernel. Previously, it was - possible to only offload the encryption to a network interface controller (NIC). With this - enhancement, the kernel can now offload the entire IPsec encapsulation process to a NIC to - reduce the workload. -

-
-

- Note that offloading the IPsec encapsulation process to a NIC also reduces the ability of the kernel - to monitor and filter such packets. -

-

- Bugzilla:2178699[1] -

-
-

Network drivers for modems in RHEL are available as Technology - Preview

-

- Device manufacturers support Federal Communications Commission (FCC) locking as the default - setting. FCC provides a lock to bind WWAN drivers to a specific system where WWAN drivers - provide a channel to communicate with modems. Based on the modem PCI ID, manufacturers integrate - unlocking tools on Red Hat Enterprise Linux for ModemManager. However, a modem remains unusable - if not unlocked previously even if the WWAN driver is compatible and functional. Red Hat - Enterprise Linux provides the drivers for the following modems with limited functionality as a - Technology Preview: -

-
-
-
    -
  • - Qualcomm MHI WWAM MBIM - Telit FN990Axx -
  • -
  • - Intel IPC over Shared Memory (IOSM) - Intel XMM 7360 LTE Advanced -
  • -
  • - Mediatek t7xx (WWAN) - Fibocom FM350GL -
  • -
  • - Intel IPC over Shared Memory (IOSM) - Fibocom L860GL modem -
  • -
-
-

- Jira:RHELDOCS-16760[1], Bugzilla:2123542, Jira:RHEL-6564, Bugzilla:2110561, - Bugzilla:2222914 -

-
-

Segment Routing over IPv6 (SRv6) is available as a Technology - Preview

-

- The RHEL kernel provides Segment Routing over IPv6 (SRv6) as a Technology Preview. You can use - this functionality to optimize traffic flows in edge computing or to improve network - programmability in data centers. However, the most significant use case is the end-to-end (E2E) - network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides you with - the programmable custom network slices and resource reservations to address network requirements - for specific applications or services. At the same time, the solution can be deployed on a - single-purpose appliance, and it satisfies the need for a smaller computational footprint. -

-
-

- Bugzilla:2186375[1] -

-
-

kTLS rebased to version 6.3

-

- The kernel Transport Layer Security (KTLS) functionality is a Technology Preview. With this RHEL - release, kTLS has been rebased to the 6.3 upstream version, and notable changes include: -

-
-
-
    -
  • - Added the support for 256-bit keys with TX device offload -
  • -
  • - Delivered various bugfixes -
  • -
-
-

- Bugzilla:2183538[1] -

-
-
-
-
-
-

9.6. Kernel

-
-
-
-
-

The kdump mechanism with a unified kernel - image is available as a Technology Preview

-

- The kdump mechanism with a kernel image contained in a unified - kernel image (UKI) is available as a Technology Preview. UKI is a single executable, combining - the initramfs, vmlinuz,and the kernel - command line in a single file. The UKI key benefit being extending the cryptographic signature - for SecureBoot to all components at once. -

-
-

- For the feature to work, with the kernel command line contained in the UKI, set the crashkernel= parameter with an appropriate value. This reserves the - required memory for kdump. -

-

- Note: Currently the kexec_file_load system call from the Linux kernel - cannot load UKI. Therefore, only the kernel image contained in the UKI is used when loading the - crash kernel with the kexec_file_load system call. -

-

- Bugzilla:2169720[1] -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using - the Flexible Launch Control mechanism to use - the SGX technology. Version 2 adds Enclave Dynamic Memory - Management (EDMM). Notable features include: -

-
-
-
    -
  • - Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave. -
  • -
  • - Dynamic addition of regular enclave pages to an initialized enclave. -
  • -
  • - Expanding an initialized enclave to accommodate more threads. -
  • -
  • - Removing regular and TCS pages from an initialized enclave. -
  • -
-
-

- Bugzilla:1874182[1] -

-
-

The Intel data streaming accelerator driver for kernel is available as a - Technology Preview

-

- The Intel data streaming accelerator driver (IDXD) for the kernel is currently available as a - Technology Preview. It is an Intel CPU integrated accelerator and includes the shared work queue - with process address space ID (pasid) submission and shared virtual memory (SVM). -

-
-

- Bugzilla:2030412 -

-
-

The Soft-iWARP driver is available as a Technology Preview

-

- Soft-iWARP (siw) is a software, Internet Wide-area RDMA Protocol (iWARP), kernel driver for - Linux. Soft-iWARP implements the iWARP protocol suite over the TCP/IP network stack. This - protocol suite is fully implemented in software and does not require a specific Remote Direct - Memory Access (RDMA) hardware. Soft-iWARP enables a system with a standard Ethernet adapter to - connect to an iWARP adapter or to another system with already installed Soft-iWARP. -

-
-

- Bugzilla:2023416[1] -

-
-

SGX available as a Technology Preview

-

- Software Guard Extensions (SGX) is an Intel® - technology for protecting software code and data from disclosure and modification. The RHEL - kernel partially provides the SGX v1 and v1.5 functionality. Version 1 enables platforms using - the Flexible Launch Control mechanism to use - the SGX technology. Version 2 adds Enclave Dynamic Memory - Management (EDMM). Notable features include: -

-
-
-
    -
  • - Modifying EPCM permissions of regular enclave pages that belong to an initialized enclave. -
  • -
  • - Dynamic addition of regular enclave pages to an initialized enclave. -
  • -
  • - Expanding an initialized enclave to accommodate more threads. -
  • -
  • - Removing regular and TCS pages from an initialized enclave. -
  • -
-
-

- Bugzilla:1660337[1] -

-
-

rvu_af, rvu_nicpf, and rvu_nicvf available - as Technology Preview

-

- The following kernel modules are available as Technology Preview for Marvell OCTEON TX2 - Infrastructure Processor family: -

-
-
-
    -
  • - rvu_nicpf - Marvell OcteonTX2 NIC Physical Function driver -
  • -
  • - rvu_nicvf - Marvell OcteonTX2 NIC Virtual Function driver -
  • -
  • - rvu_nicvf - Marvell OcteonTX2 RVU Admin Function driver -
  • -
-
-

- Bugzilla:2040643[1] -

-
-
-
-
-
-

9.7. File systems and storage

-
-
-
-
-

DAX is now available for ext4 and XFS as a Technology Preview

-

- In RHEL 9, the DAX file system is available as a Technology Preview. DAX provides means for an - application to directly map persistent memory into its address space. To use DAX, a system must - have some form of persistent memory available, usually in the form of one or more Non-Volatile - Dual In-line Memory Modules (NVDIMMs), and a DAX compatible file system must be created on the - NVDIMM(s). Also, the file system must be mounted with the dax mount - option. Then, an mmap of a file on the dax-mounted file system - results in a direct mapping of storage into the application’s address space. -

-
-

- Bugzilla:1995338[1] -

-
-

NVMe-oF Discovery Service features available as a Technology - Preview

-

- The NVMe-oF Discovery Service features, defined in the NVMexpress.org Technical Proposals (TP) - 8013 and 8014, are available as a Technology Preview. To preview these features, use the nvme-cli 2.0 package and attach the host to an NVMe-oF target device - that implements TP-8013 or TP-8014. For more information about TP-8013 and TP-8014, see the NVM - Express 2.0 Ratified TPs from the https://nvmexpress.org/specifications/ - website. -

-
-

- Bugzilla:2021672[1] -

-
-

nvme-stas package available as a Technology - Preview

-

- The nvme-stas package, which is a Central Discovery Controller - (CDC) client for Linux, is now available as a Technology Preview. It handles Asynchronous Event - Notifications (AEN), Automated NVMe subsystem connection controls, Error handling and reporting, - and Automatic (zeroconf) and Manual configuration. -

-
-

- This package consists of two daemons, Storage Appliance Finder (stafd) - and Storage Appliance Connector (stacd). -

-

- Bugzilla:1893841[1] -

-
-

NVMe TP 8006 in-band authentication available as a Technology - Preview

-

- Implementing Non-Volatile Memory Express (NVMe) TP 8006, which is an in-band authentication for - NVMe over Fabrics (NVMe-oF) is now available as an unsupported Technology Preview. The NVMe - Technical Proposal 8006 defines the DH-HMAC-CHAP in-band - authentication protocol for NVMe-oF, which is provided with this enhancement. -

-
-

- For more information, see the dhchap-secret and dhchap-ctrl-secret option descriptions in the nvme-connect(1) man page. -

-

- Bugzilla:2027304[1] -

-
-

The io_uring interface is available as a - Technology Preview

-

- io_uring is a new and effective asynchronous I/O interface, which - is now available as a Technology Preview. By default, this feature is disabled. You can enable - this interface by setting the kernel.io_uring_disabled sysctl - variable to any one of the following values: -

-
-
-
-
0
-
- All processes can create io_uring instances as usual. -
-
1
-
- io_uring creation is disabled for unprivileged processes. The - io_uring_setup fails with the -EPERM error unless the calling process is privileged by the - CAP_SYS_ADMIN capability. Existing io_uring instances can still be used. -
-
2
-
- io_uring creation is disabled for all processes. The io_uring_setup always fails with -EPERM. Existing io_uring instances - can still be used. This is the default setting. -
-
-
-

- An updated version of the SELinux policy to enable the mmap system call - on anonymous inodes is also required to use this feature. -

-

- By using the io_uring command pass-through, an application can issue - commands directly to the underlying hardware, such as nvme. Use of - io_uring command pass-through currently requires a custom SELinux - policy module. Create a custom SELinux policy module: -

-
-
    -
  1. -

    - Save the following lines as io_uring_cmd_passthrough.cil - file: -

    -
    ---cut here---
    -( allow unconfined_domain_type device_node ( io_uring ( cmd )))
    -( allow unconfined_domain_type file_type ( io_uring ( cmd )))
    ----cut here---
    -
  2. -
  3. -

    - Load the policy module: -

    -
    # semodule -i io_uring_cmd_passthrough.cil
    -
  4. -
-
-

- Bugzilla:2068237[1] -

-
-
-
-
-
-

9.8. Compilers and development tools

-
-
-
-
-

jmc-core and owasp-java-encoder available as a Technology Preview

-

- RHEL 9 is distributed with the jmc-core and owasp-java-encoder packages as Technology Preview features for the - AMD and Intel 64-bit architectures. -

-
-

- jmc-core is a library providing core APIs for Java Development Kit - (JDK) Mission Control, including libraries for parsing and writing JDK Flight Recording files, and - libraries for Java Virtual Machine (JVM) discovery through Java Discovery Protocol (JDP). -

-

- The owasp-java-encoder package provides a collection of - high-performance low-overhead contextual encoders for Java. -

-

- Note that since RHEL 9.2, jmc-core and owasp-java-encoder are available in the CodeReady Linux Builder (CRB) - repository, which you must explicitly enable. See How to enable and make use of content within - CodeReady Linux Builder for more information. -

-

- Bugzilla:1980981 -

-
-
-
-
-
-

9.9. Identity Management

-
-
-
-
-

DNSSEC available as Technology Preview in IdM

-

- Identity Management (IdM) servers with integrated DNS now implement DNS Security Extensions - (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted - on IdM servers can be automatically signed using DNSSEC. The cryptographic keys are - automatically generated and rotated. -

-
-

- Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these - documents: -

- -

- Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS - servers. This might affect the availability of DNS zones that are not configured in accordance with - recommended naming practices. -

-

- Bugzilla:2084180 -

-
-

Identity Management JSON-RPC API available as Technology Preview -

-

- An API is available for Identity Management (IdM). To view the API, IdM also provides an API - browser as a Technology Preview. -

-
-

- Previously, the IdM API was enhanced to enable multiple versions of API commands. These enhancements - could change the behavior of a command in an incompatible way. Users are now able to continue using - existing tools and scripts even if the IdM API changes. This enables: -

-
-
    -
  • - Administrators to use previous or later versions of IdM on the server than on the managing - client. -
  • -
  • - Developers can use a specific version of an IdM call, even if the IdM version changes on the - server. -
  • -
-
-

- In all cases, the communication with the server is possible, regardless if one side uses, for - example, a newer version that introduces new options for a feature. -

-

- For details on using the API, see Using the Identity Management API to - Communicate with the IdM Server (TECHNOLOGY PREVIEW). -

-

- Bugzilla:2084166 -

-
-

sssd-idp sub-package available as a Technology Preview

-

- The sssd-idp sub-package for SSSD contains the oidc_child and krb5 idp plugins, which - are client-side components that perform OAuth2 authentication against Identity Management (IdM) - servers. This feature is available only with IdM servers on RHEL 9.1 and later. -

-
-

- Bugzilla:2065693 -

-
-

SSSD internal krb5 idp plugin available as a Technology Preview -

-

- The SSSD krb5 idp plugin allows you to authenticate against an - external identity provider (IdP) using the OAuth2 protocol. This feature is available only with - IdM servers on RHEL 9.1 and later. -

-
-

- Bugzilla:2056482 -

-
-

RHEL IdM allows delegating user authentication to external identity - providers as a Technology Preview

-

- In RHEL IdM, you can now associate users with external identity providers (IdP) that support the - OAuth 2 device authorization flow. When these users authenticate with the SSSD version available - in RHEL 9.1 or later, they receive RHEL IdM single sign-on capabilities with Kerberos tickets - after performing authentication and authorization at the external IdP. -

-
-

- Notable features include: -

-
-
    -
  • - Adding, modifying, and deleting references to external IdPs with ipa idp-* commands -
  • -
  • - Enabling IdP authentication for users with the ipa user-mod --user-auth-type=idp command -
  • -
-
-

- For additional information, see Using - external identity providers to authenticate to IdM. -

-

- Bugzilla:2069202 -

-
-

ACME available as a Technology Preview

-

- The Automated Certificate Management Environment (ACME) service is now available in Identity - Management (IdM) as a Technology Preview. ACME is a protocol for automated identifier validation - and certificate issuance. Its goal is to improve security by reducing certificate lifetimes and - avoiding manual processes from certificate lifecycle management. -

-
-

- In RHEL, the ACME service uses the Red Hat Certificate System (RHCS) PKI ACME responder. The RHCS - ACME subsystem is automatically deployed on every certificate authority (CA) server in the IdM - deployment, but it does not service requests until the administrator enables it. RHCS uses the acmeIPAServerCert profile when issuing ACME certificates. The validity - period of issued certificates is 90 days. Enabling or disabling the ACME service affects the entire - IdM deployment. -

-
-
Important
-
-

- It is recommended to enable ACME only in an IdM deployment where all servers are running - RHEL 8.4 or later. Earlier RHEL versions do not include the ACME service, which can cause - problems in mixed-version deployments. For example, a CA server without ACME can cause - client connections to fail, because it uses a different DNS Subject Alternative Name (SAN). -

-
-
-
-
Warning
-
-

- Currently, RHCS does not remove expired certificates. Because ACME certificates expire after - 90 days, the expired certificates can accumulate and this can affect performance. -

-
-
-
-
    -
  • -

    - To enable ACME across the whole IdM deployment, use the ipa-acme-manage enable command: -

    -
    # ipa-acme-manage enable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To disable ACME across the whole IdM deployment, use the ipa-acme-manage disable command: -

    -
    # ipa-acme-manage disable
    -The ipa-acme-manage command was successful
    -
  • -
  • -

    - To check whether the ACME service is installed and if it is enabled or disabled, use the - ipa-acme-manage status command: -

    -
    # ipa-acme-manage status
    -ACME is enabled
    -The ipa-acme-manage command was successful
    -
  • -
-
-

- Bugzilla:2084181[1] -

-
-
-
-
-
-

9.10. Desktop

-
-
-
-
-

GNOME for the 64-bit ARM architecture available as a Technology - Preview

-

- The GNOME desktop environment is available for the 64-bit ARM architecture as a Technology - Preview. -

-
-

- You can now connect to the desktop session on a 64-bit ARM server using VNC. As a result, you can - manage the server using graphical applications. -

-

- A limited set of graphical applications is available on 64-bit ARM. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- Jira:RHELPLAN-27394[1] -

-
-

GNOME for the IBM Z architecture available as a Technology Preview -

-

- The GNOME desktop environment is available for the IBM Z architecture as a Technology Preview. -

-
-

- You can now connect to the desktop session on an IBM Z server using VNC. As a result, you can manage - the server using graphical applications. -

-

- A limited set of graphical applications is available on IBM Z. For example: -

-
-
    -
  • - The Firefox web browser -
  • -
  • - Red Hat Subscription Manager (subscription-manager-cockpit) -
  • -
  • - Firewall Configuration (firewall-config) -
  • -
  • - Disk Usage Analyzer (baobab) -
  • -
-
-

- Using Firefox, you can connect to the Cockpit service on the server. -

-

- Certain applications, such as LibreOffice, only provide a command-line interface, and their - graphical interface is disabled. -

-

- Jira:RHELPLAN-27737[1] -

-
-
-
-
-
-

9.11. Virtualization

-
-
-
-
-

Creating nested virtual machines

-

- Nested KVM virtualization is provided as a Technology Preview for KVM virtual machines (VMs) - running on Intel, AMD64, and IBM Z hosts with RHEL 9. With this feature, a RHEL 7, RHEL 8, or - RHEL 9 VM that runs on a physical RHEL 9 host can act as a hypervisor, and host its own VMs. -

-
-

- Jira:RHELDOCS-17040[1] -

-
-

AMD SEV and SEV-ES for KVM virtual machines

-

- As a Technology Preview, RHEL 9 provides the Secure Encrypted Virtualization (SEV) feature for - AMD EPYC host machines that use the KVM hypervisor. If enabled on a virtual machine (VM), SEV - encrypts the VM’s memory to protect the VM from access by the host. This increases the security - of the VM. -

-
-

- In addition, the enhanced Encrypted State version of SEV (SEV-ES) is also provided as Technology - Preview. SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the host - from modifying the VM’s CPU registers or reading any information from them. -

-

- Note that SEV and SEV-ES work only on the 2nd generation of AMD EPYC CPUs (codenamed Rome) or later. - Also note that RHEL 9 includes SEV and SEV-ES encryption, but not the SEV and SEV-ES security - attestation. -

-

- Jira:RHELPLAN-65217[1] -

-
-

Virtualization is now available on ARM 64

-

- As a Technology Preview, it is now possible to create KVM virtual machines on systems using ARM - 64 CPUs. -

-
-

- Jira:RHELPLAN-103993[1] -

-
-

virtio-mem is now available on AMD64, Intel - 64, and ARM 64

-

- As a Technology Preview, RHEL 9 introduces the virtio-mem feature - on AMD64, Intel 64, and ARM 64 systems. Using virtio-mem makes it - possible to dynamically add or remove host memory in virtual machines (VMs). -

-
-

- To use virtio-mem, define virtio-mem - memory devices in the XML configuration of a VM and use the virsh update-memory-device command to request memory device size changes - while the VM is running. To see the current memory size exposed by such memory devices to a running - VM, view the XML configuration of the VM. -

-

- Note, however, that virtio-mem currently does not work on VMs that use - a Windows operating system. -

-

- Bugzilla:2014487, Bugzilla:2044162, Bugzilla:2044172 -

-
-

Intel TDX in RHEL guests

-

- As a Technology Preview, the Intel Trust Domain Extension (TDX) feature can now be used in RHEL - 9.2 and later guest operating systems. If the host system supports TDX, you can deploy - hardware-isolated RHEL 9 virtual machines (VMs), called trust domains (TDs). Note, however, that - TDX currently does not work with kdump, and enabling TDX will cause - kdump to fail on the VM. -

-
-

- Bugzilla:1955275[1] -

-
-

A unified kernel image of RHEL is now available as a Technology - Preview

-

- As a Technology Preview, you can now obtain the RHEL kernel as a unified kernel image (UKI) for - virtual machines (VMs). A unified kernel image combines the kernel, initramfs, and kernel - command line into a single signed binary file. -

-
-

- UKIs can be used in virtualized and cloud environments, especially in confidential VMs where strong - SecureBoot capabilities are required. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories. -

-

- Currently, the RHEL UKI can only be used in a UEFI boot configuration. -

-

- Bugzilla:2142102[1] -

-
-

Intel vGPU available as a Technology Preview

-

- As a Technology Preview, it is possible to divide a physical Intel GPU device into multiple - virtual devices referred to as mediated devices. These mediated - devices can then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a result, - these VMs share the performance of a single physical Intel GPU. -

-
-

- Note that this feature is deprecated and was removed entirely with the RHEL 9.3 release. -

-

- Jira:RHELDOCS-17050[1] -

-
-
-
-
-
-

9.12. RHEL in cloud environments

-
-
-
-
-

RHEL is now available on Azure confidential VMs as a Technology - Preview

-

- With the updated RHEL kernel, you can now create and run RHEL confidential virtual machines - (VMs) on Microsoft Azure as a Technology Preview. The newly added unified kernel image (UKI) now - enables booting encrypted confidential VM images on Azure. The UKI is available as a kernel-uki-virt package in RHEL 9 repositories. -

-
-

- Currently, the RHEL UKI can only be used in a UEFI boot configuration. -

-

- Jira:RHELPLAN-139800[1] -

-
-
-
-
-
-

9.13. Containers

-
-
-
-
-

SQLite database backend for Podman is available as a Technology - Preview

-

- Beginning with Podman v4.6, the SQLite database backend for Podman is available as a Technology - Preview. To set the database backend to SQLite, add the database_backend = "sqlite" option in the /etc/containers/containers.conf configuration file. Run the podman system reset command to reset storage back to the initial - state before you switch to the SQLite database backend. Note that you have to re-create all - containers and pods. The SQLite database guarantees good stability and consistency. Other - databases in the containers stack will be moved to SQLite as well. The BoltDB remains the - default database backend. -

-
-

- Jira:RHELPLAN-154429[1] -

-
-

The podman-machine command is - unsupported

-

- The podman-machine command for managing virtual machines, is - available only as a Technology Preview. Instead, run Podman directly from the command line. -

-
-

- Jira:RHELDOCS-16861[1] -

-
-
-
-
-
-
-

Chapter 10. Deprecated functionality

-
-
-
-

- Deprecated devices are fully supported, which means that they are tested and maintained, and their - support status remains unchanged within Red Hat Enterprise Linux 9. However, these devices will likely - not be supported in the next major version release, and are not recommended for new deployments on the - current or future major versions of RHEL. -

-

- For the most recent list of deprecated functionality within a particular major release, see the latest - version of release documentation. For information about the length of support, see Red Hat Enterprise Linux Life - Cycle and Red Hat - Enterprise Linux Application Streams Life Cycle. -

-

- A package can be deprecated and not recommended for further use. Under certain circumstances, a package - can be removed from the product. Product documentation then identifies more recent packages that offer - functionality similar, identical, or more advanced to the one deprecated, and provides further - recommendations. -

-

- For information regarding functionality that is present in RHEL 8 but has been removed in RHEL 9, see Considerations - in adopting RHEL 9. -

-
-
-
-
-

10.1. Installer and image creation

-
-
-
-
-

Deprecated Kickstart commands

-

- The following Kickstart commands have been deprecated: -

-
-
-
    -
  • - timezone --ntpservers -
  • -
  • - timezone --nontp -
  • -
  • - logging --level -
  • -
  • - %packages --excludeWeakdeps -
  • -
  • - %packages --instLangs -
  • -
  • - %anaconda -
  • -
  • - pwpolicy -
  • -
-
-

- Note that where only specific options are listed, the base command and its other options are still - available and not deprecated. Using the deprecated commands in Kickstart files prints a warning in - the logs. You can turn the deprecated command warnings into errors with the inst.ksstrict boot option. -

-

- Bugzilla:1899167[1] -

-
-

User and Group customizations in the edge-commit and edge-container - blueprints have been deprecated

-

- Specifying a user or group customization in the blueprints is deprecated for the edge-commit and edge-container image - types, because the user customization disappears when you upgrade the image and do not specify - the user in the blueprint again. -

-
-

- Note that specifying a user or group customization in blueprints that are used to deploy an existing - OSTree commit, such as edge-raw-image, edge-installer, and edge-simplified-installer image types remains supported. -

-

- Bugzilla:2173928 -

-
-

The initial-setup package now has been - deprecated

-

- The initial-setup package has been deprecated in Red Hat Enterprise - Linux 9.3 and will be removed in the next major RHEL release. As a replacement, use gnome-initial-setup for the graphical user interface. -

-
-

- Jira:RHELDOCS-16393[1] -

-
-

The provider_hostip and provider_fedora_geoip values of the inst.geoloc boot option are deprecated

-

- The provider_hostip and provider_fedora_geoip values that specified the GeoIP API for the - inst.geoloc= boot option are deprecated. As a replacement, you can - use the geolocation_provider=URL option to set the required - geolocation in the installation program configuration file. You can still use the inst.geoloc=0 option to disable the geolocation. -

-
-

- Bugzilla:2127473 -

-
-
-
-
-
-

10.2. Security

-
-
-
-
-

SHA-1 is deprecated for cryptographic purposes

-

- The usage of the SHA-1 message digest for cryptographic purposes has been deprecated in RHEL 9. - The digest produced by SHA-1 is not considered secure because of many documented successful - attacks based on finding hash collisions. The RHEL core crypto components no longer create - signatures using SHA-1 by default. Applications in RHEL 9 have been updated to avoid using SHA-1 - in security-relevant use cases. -

-
-

- Among the exceptions, the HMAC-SHA1 message authentication code and the Universal Unique Identifier - (UUID) values can still be created using SHA-1 because these use cases do not currently pose - security risks. SHA-1 also can be used in limited cases connected with important interoperability - and compatibility concerns, such as Kerberos and WPA-2. See the List - of RHEL applications using cryptography that is not compliant with FIPS 140-3 section in the - RHEL - 9 Security hardening document for more details. -

-

- If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic - signatures, you can enable it by entering the following command: -

-
# update-crypto-policies --set DEFAULT:SHA1
-

- Alternatively, you can switch the system-wide crypto policies to the LEGACY policy. Note that LEGACY also enables - many other algorithms that are not secure. -

-

- Jira:RHELPLAN-110763[1] -

-
-

fapolicyd.rules is deprecated

-

- The /etc/fapolicyd/rules.d/ directory for files containing allow - and deny execution rules replaces the /etc/fapolicyd/fapolicyd.rules file. The fagenrules script now merges all component rule files in this - directory to the /etc/fapolicyd/compiled.rules file. Rules in /etc/fapolicyd/fapolicyd.trust are still processed by the fapolicyd framework but only for ensuring backward compatibility. -

-
-

- Bugzilla:2054740 -

-
-

SCP is deprecated in RHEL 9

-

- The secure copy protocol (SCP) is deprecated because it has known security vulnerabilities. The - SCP API remains available for the RHEL 9 lifecycle but using it reduces system security. -

-
-
-
    -
  • - In the scp utility, SCP is replaced by the SSH File Transfer - Protocol (SFTP) by default. -
  • -
  • - The OpenSSH suite does not use SCP in RHEL 9. -
  • -
  • - SCP is deprecated in the libssh library. -
  • -
-
-

- Jira:RHELPLAN-99136[1] -

-
-

OpenSSL requires padding for RSA encryption in FIPS mode

-

- OpenSSL no longer supports RSA encryption without padding in FIPS mode. RSA encryption without - padding is uncommon and is rarely used. Note that key encapsulation with RSA (RSASVE) does not - use padding but is still supported. -

-
-

- Bugzilla:2168665 -

-
-

NTLM and Krb4 are deprecated in Cyrus SASL

-

- The NTLM and Kerberos 4 authentication protocols have been deprecated and might be removed in a - future major version of RHEL. These protocols are no longer considered secure and have already - been removed from upstream implementations. -

-
-

- Jira:RHELDOCS-17380[1] -

-
-

Digest-MD5 in SASL is deprecated

-

- The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) - framework is deprecated, and it might be removed from the cyrus-sasl packages in a future major release. -

-
-

- Bugzilla:1995600[1] -

-
-

OpenSSL deprecates MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, - RC2, RC4, RC5, SEED, and PBKDF1

-

- The OpenSSL project has deprecated a set of cryptographic algorithms because they are insecure, - uncommonly used, or both. Red Hat also discourages the use of those algorithms, and RHEL 9 - provides them for migrating encrypted data to use new algorithms. Users must not depend on those - algorithms for the security of their systems. -

-
-

- The implementations of the following algorithms have been moved to the legacy provider in OpenSSL: - MD2, MD4, MDC2, Whirlpool, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, and PBKDF1. -

-

- See the /etc/pki/tls/openssl.cnf configuration file for instructions on - how to load the legacy provider and enable support for the deprecated algorithms. -

-

- Bugzilla:1975836 -

-
-

/etc/system-fips is now deprecated -

-

- Support for indicating FIPS mode through the /etc/system-fips file - has been removed, and the file will not be included in future versions of RHEL. To install RHEL - in FIPS mode, add the fips=1 parameter to the kernel command line - during the system installation. You can check whether RHEL operates in FIPS mode by using the - fips-mode-setup --check command. -

-
-

- Jira:RHELPLAN-103232[1] -

-
-

libcrypt.so.1 is now deprecated

-

- The libcrypt.so.1 library is now deprecated, and it might be - removed in a future version of RHEL. -

-
-

- Bugzilla:2034569 -

-
-
-
-
-
-

10.3. Subscription management

-
-
-
-
-

The --token option of the subscription-manager command is deprecated

-

- The --token=<TOKEN> option of the subscription-manager register command is an authentication method - that helps register your system to Red Hat. This option depends on capabilities offered by the - entitlement server. The default entitlement server, subscription.rhsm.redhat.com, is planning to turn off this - capability. As a consequence, attempting to use subscription-manager register --token=<TOKEN> might fail with - the following error message: -

-
-
Token authentication not supported by the entitlement server
-

- You can continue registering your system using other authorization methods, such as including paired - options --username / --password and --org / --activationkey of the subscription-manager register command. -

-

- Bugzilla:2163716 -

-
-
-
-
-
-

10.4. Shells and command-line tools

-
-
-
-
-

Setting the TMPDIR variable in the ReaR - configuration file is deprecated

-

- Setting the TMPDIR environment variable in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file), by using a statement - such as export TMPDIR=…​, does not work and is deprecated. -

-
-

- To specify a custom directory for ReaR temporary files, export the variable in the shell environment - before executing ReaR. For example, execute the export TMPDIR=…​ - statement and then execute the rear command in the same shell session - or script. -

-

- Jira:RHELDOCS-18049 -

-
-

The dump utility from the dump package has been deprecated

-

- The dump utility used for backup of file systems has been - deprecated and will not be available in RHEL 9. -

-
-

- In RHEL 9, Red Hat recommends using the tar, dd, or bacula, backup utility, based on type - of usage, which provides full and safe backups on ext2, ext3, and ext4 file systems. -

-

- Note that the restore utility from the dump package remains available and supported in RHEL 9 and is available - as the restore package. -

-

- Bugzilla:1997366[1] -

-
-

The SQLite database backend in Bacula has been deprecated

-

- The Bacula backup system supported multiple database backends: PostgreSQL, MySQL, and SQLite. - The SQLite backend has been deprecated and will become unsupported in a later release of RHEL. - As a replacement, migrate to one of the other backends (PostgreSQL or MySQL) and do not use the - SQLite backend in new deployments. -

-
-

- Jira:RHEL-6856 -

-
-
-
-
-
-

10.5. Networking

-
-
-
-
-

Network teams are deprecated in RHEL 9

-

- The teamd service and the libteam - library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major - release. As a replacement, configure a bond instead of a network team. -

-
-

- Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and - teams, that have similar functions. The bonding code has a high customer adoption, is robust, and - has an active community development. As a result, the bonding code receives enhancements and - updates. -

-

- For details about how to migrate a team to a bond, see Migrating - a network team configuration to network bond. -

-

- Bugzilla:1935544[1] -

-
-

NetworkManager connection profiles in ifcfg - format are deprecated

-

- In RHEL 9.0 and later, connection profiles in ifcfg format are - deprecated. The next major RHEL release will remove the support for this format. However, in - RHEL 9, NetworkManager still processes and updates existing profiles in this format if you - modify them. -

-
-

- By default, NetworkManager now stores connection profiles in keyfile format in the /etc/NetworkManager/system-connections/ directory. Unlike the ifcfg format, the keyfile format supports all connection settings that - NetworkManager provides. For further details about the keyfile format and how to migrate profiles, - see NetworkManager - connection profiles in keyfile format. -

-

- Bugzilla:1894877[1] -

-
-

The iptables back end in firewalld is deprecated

-

- In RHEL 9, the iptables framework is deprecated. As a consequence, - the iptables backend and the direct interface in firewalld are also - deprecated. Instead of the direct interface you can use the native - features in firewalld to configure the required rules. -

-
-

- Bugzilla:2089200 -

-
-

The PF_KEYv2 kernel API is deprecated -

-

- Applications can configure the kernel’s IPsec implementation by using the PV_KEYv2 and the newer netlink API. - PV_KEYv2 is not actively maintained upstream and misses important - security features, such as modern ciphers, offload, and extended sequence number support. As a - result, starting with RHEL 9.3, the PV_KEYv2 API is deprecated and - will be removed in the next major RHEL release. If you use this kernel API in your application, - migrate it to use the modern netlink API as an alternative. -

-
-

- Jira:RHEL-1015[1] -

-
-
-
-
-
-

10.6. Kernel

-
-
-
-
-

ATM encapsulation is deprecated in RHEL 9

-

- Asynchronous Transfer Mode (ATM) encapsulation enables Layer-2 (Point-to-Point Protocol, - Ethernet) or Layer-3 (IP) connectivity for the ATM Adaptation Layer 5 (AAL-5). Red Hat has not - been providing support for ATM NIC drivers since RHEL 7. The support for ATM implementation is - being dropped in RHEL 9. These protocols are currently used only in chipsets, which support the - ADSL technology and are being phased out by manufacturers. Therefore, ATM encapsulation is - deprecated in Red Hat Enterprise Linux 9. -

-
-

- For more information, see PPP Over - AAL5, Multiprotocol - Encapsulation over ATM Adaptation Layer 5, and Classical IP and ARP over ATM. -

-

- Bugzilla:2058153 -

-
-

The kexec_load system call for kexec-tools has been deprecated

-

- The kexec_load system call, which loads the second kernel, will not - be supported in future RHEL releases. The kexec_file_load system - call replaces kexec_load and is now the default system call on all - architectures. -

-
-

- For more information, see Is - kexec_load supported in RHEL9?. -

-

- Bugzilla:2113873[1] -

-
-

Network teams are deprecated in RHEL 9

-

- The teamd service and the libteam - library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major - release. As a replacement, configure a bond instead of a network team. -

-
-

- Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and - teams, that have similar functions. The bonding code has a high customer adoption, is robust, and - has an active community development. As a result, the bonding code receives enhancements and - updates. -

-

- For details about how to migrate a team to a bond, see Migrating - a network team configuration to network bond. -

-

- Bugzilla:2013884[1] -

-
-
-
-
-
-

10.7. File systems and storage

-
-
-
-
-

lvm2-activation-generator and its generated - services removed in RHEL 9.0

-

- The lvm2-activation-generator program and its generated services - lvm2-activation, lvm2-activation-early, and lvm2-activation-net are removed in RHEL 9.0. The lvm.conf event_activation setting, used to activate the services, is - no longer functional. The only method for auto activating volume groups is event based - activation. -

-
-

- Bugzilla:2038183 -

-
-

Persistent Memory Development Kit (pmdk) and - support library have been deprecated in RHEL 9

-

- pmdk is a collection of libraries and tools for System - Administrators and Application Developers to simplify managing and accessing persistent memory - devices. pmdk and support library have been deprecated in RHEL 9. - This also includes the -debuginfo packages. -

-
-

- The following list of binary packages produced by pmdk, including the - nvml source package have been deprecated: -

-
-
    -
  • - libpmem -
  • -
  • - libpmem-devel -
  • -
  • - libpmem-debug -
  • -
  • - libpmem2 -
  • -
  • - libpmem2-devel -
  • -
  • - libpmem2-debug -
  • -
  • - libpmemblk -
  • -
  • - libpmemblk-devel -
  • -
  • - libpmemblk-debug -
  • -
  • - libpmemlog -
  • -
  • - libpmemlog-devel -
  • -
  • - libpmemlog-debug -
  • -
  • - libpmemobj -
  • -
  • - libpmemobj-devel -
  • -
  • - libpmemobj-debug -
  • -
  • - libpmempool -
  • -
  • - libpmempool-devel -
  • -
  • - libpmempool-debug -
  • -
  • - pmempool -
  • -
  • - daxio -
  • -
  • - pmreorder -
  • -
  • - pmdk-convert -
  • -
  • - libpmemobj++ -
  • -
  • - libpmemobj++-devel -
  • -
  • - libpmemobj++-doc -
  • -
-
-

- Jira:RHELDOCS-16432[1] -

-
-
-
-
-
-

10.8. Dynamic programming languages, web and database servers

-
-
-
-
-

libdb has been deprecated

-

- RHEL 8 and RHEL 9 currently provide Berkeley DB (libdb) version - 5.3.28, which is distributed under the LGPLv2 license. The upstream Berkeley DB version 6 is - available under the AGPLv3 license, which is more restrictive. -

-
-

- The libdb package is deprecated as of RHEL 9 and might not be available - in future major RHEL releases. -

-

- In addition, cryptographic algorithms have been removed from libdb in - RHEL 9 and multiple libdb dependencies have been removed from RHEL 9. -

-

- Users of libdb are advised to migrate to a different key-value - database. For more information, see the Knowledgebase article Available replacements for the deprecated - Berkeley DB (libdb) in RHEL. -

-

- Bugzilla:1927780[1], Jira:RHELPLAN-80695, Bugzilla:1974657 -

-
-
-
-
-
-

10.9. Compilers and development tools

-
-
-
-
-

Smaller size of keys than 2048 are deprecated by openssl 3.0 in Go’s FIPS mode

-

- Key sizes smaller than 2048 bits are deprecated by openssl 3.0 and - no longer work in Go’s FIPS mode. -

-
-

- Bugzilla:2111072 -

-
-

Some PKCS1 v1.5 modes are now deprecated in - Go’s FIPS mode

-

- Some PKCS1 v1.5 modes are not approved in FIPS-140-3 for encryption and are disabled. They will no longer work - in Go’s FIPS mode. -

-
-

- Bugzilla:2092016[1] -

-
-
-
-
-
-

10.10. Identity Management

-
-
-
-
-

SHA-1 in OpenDNSSec is now deprecated -

-

- OpenDNSSec supports exporting Digital Signatures and authentication records using the SHA-1 algorithm. The use of the SHA-1 - algorithm is no longer supported. With the RHEL 9 release, SHA-1 in - OpenDNSSec is deprecated and it might be removed in a future minor release. Additionally, - OpenDNSSec support is limited to its integration with Red Hat Identity Management. OpenDNSSec is - not supported standalone. -

-
-

- Bugzilla:1979521 -

-
-

The SSSD implicit files provider domain is disabled by default

-

- The SSSD implicit files provider domain, which retrieves user - information from local files such as /etc/shadow and group - information from /etc/groups, is now disabled by default. -

-
-

- To retrieve user and group information from local files with SSSD: -

-
-
    -
  1. -

    - Configure SSSD. Choose one of the following options: -

    -
    -
      -
    1. -

      - Explicitly configure a local domain with the id_provider=files option in the sssd.conf configuration file. -

      -
      [domain/local]
      -id_provider=files
      -...
      -
    2. -
    3. -

      - Enable the files provider by setting enable_files_domain=true in the sssd.conf configuration file. -

      -
      [sssd]
      -enable_files_domain = true
      -
    4. -
    -
    -
  2. -
  3. -

    - Configure the name services switch. -

    -
    # authselect enable-feature with-files-provider
    -
  4. -
-
-

- Jira:RHELPLAN-100639[1] -

-
-

The SSSD files provider has been - deprecated

-

- The SSSD files provider has been deprecated in Red Hat Enterprise - Linux (RHEL) 9. The files provider might be removed from a future - release of RHEL. -

-
-

- Jira:RHELPLAN-139805[1] -

-
-

The nsslapd-ldapimaprootdn parameter is - deprecated

-

- In Directory Server, the nsslapd-ldapimaprootdn configuration - parameter is used to map a system root entry to a root DN entry. Usually, the nsslapd-ldapimaprootdn parameter has the same value as the nsslapd-rootdn parameter. In addition, changing one attribute but not - changing the other leads to a non-functional autobind configuration that breaks dsconf utility and access to the web console. -

-
-

- With this update, Directory Server uses only the nsslapd-rootdn - parameter to map a system root entry to a root DN entry. As a result, the nsslapd-ldapimaprootdn parameter is deprecated and the root DN change - does not break dsconf utility and access to the web console. -

-

- Bugzilla:2170494 -

-
-

The nsslapd-conntablesize configuration - parameter has been removed from 389-ds-base

-

- The nsslapd-conntablesize configuration parameter has been removed - from the 389-ds-base package in RHEL 9.3. Previously, the nsslapd-conntablesize configuration attribute specified the size of - the connection table that managed established connections. With the introduction of the - multi-listener feature, which improves the management of established connections, Directory - Server now calculates the size of the connection table dynamically. This also resolves issues, - when the connection table size was set too low and it affected the number of connections the - server was able to support. Starting with RHEL 9.3, use only nsslapd-maxdescriptors and nsslapd-reservedescriptors attributes to manage the number of TCP/IP - connections Directory Server can support. -

-
-

- Bugzilla:2098236 -

-
-

The SMB1 protocol is deprecated in Samba

-

- Starting with Samba 4.11, the insecure Server Message Block version 1 (SMB1) protocol is - deprecated and will be removed in a future release. -

-
-

- To improve the security, by default, SMB1 is disabled in the Samba server and client utilities. -

-

- Jira:RHELDOCS-16612[1] -

-
-
-
-
-
-

10.11. Desktop

-
-
-
-
-

GTK 2 is now deprecated

-

- The legacy GTK 2 toolkit and the following, related packages have been deprecated: -

-
-
-
    -
  • - adwaita-gtk2-theme -
  • -
  • - gnome-common -
  • -
  • - gtk2 -
  • -
  • - gtk2-immodules -
  • -
  • - hexchat -
  • -
-
-

- Several other packages currently depend on GTK 2. These have been modified so that they no longer - depend on the deprecated packages in a future major RHEL release. -

-

- If you maintain an application that uses GTK 2, Red Hat recommends that you port the application to - GTK 4. -

-

- Jira:RHELPLAN-131882[1] -

-
-

LibreOffice is deprecated

-

- The LibreOffice RPM packages are now deprecated and will be removed in a future major RHEL - release. LibreOffice continues to be fully supported through the entire life cycle of RHEL 7, 8, - and 9. -

-
-

- As a replacement for the RPM packages, Red Hat recommends that you install LibreOffice from either - of the following sources provided by The Document Foundation: -

-
- -
-

- Jira:RHELDOCS-16300[1] -

-
-
-
-
-
-

10.12. Graphics infrastructures

-
-
-
-
-

Motif has been deprecated

-

- The Motif widget toolkit has been deprecated in RHEL, because development in the upstream Motif - community is inactive. -

-
-

- The following Motif packages have been deprecated, including their development and debugging - variants: -

-
-
    -
  • - motif -
  • -
  • - openmotif -
  • -
  • - openmotif21 -
  • -
  • - openmotif22 -
  • -
-
-

- Additionally, the motif-static package has been removed. -

-

- Red Hat recommends using the GTK toolkit as a replacement. GTK is more maintainable and provides new - features compared to Motif. -

-

- Jira:RHELPLAN-98983[1] -

-
-
-
-
-
-

10.13. Red Hat Enterprise Linux system roles

-
-
-
-
-

The network system role displays a deprecation - warning when configuring teams on RHEL 9 nodes

-

- The network teaming capabilities have been deprecated in RHEL 9. As a result, using the network RHEL system role on a RHEL 8 control node to configure a - network team on RHEL 9 nodes, shows a warning about the deprecation. -

-
-

- Bugzilla:1999770 -

-
-
-
-
-
-

10.14. Virtualization

-
-
-
-
-

SecureBoot image verification using SHA1-based signatures is - deprecated

-

- Performing SecureBoot image verification using SHA1-based signatures on UEFI (PE/COFF) - executables has become deprecated. Instead, Red Hat recommends using signatures based on the - SHA2 algorithm, or later. -

-
-

- Bugzilla:1935497[1] -

-
-

Limited support for virtual machine snapshots

-

- Creating snapshots of virtual machines (VMs) is currently only supported for VMs not using the - UEFI firmware. In addition, during the snapshot operation, the QEMU monitor might become - blocked, which negatively impacts the hypervisor performance for certain workloads. -

-
-

- Also note that the current mechanism of creating VM snapshots has been deprecated, and Red Hat does - not recommend using VM snapshots in a production environment. However, a new VM snapshot mechanism - is under development and is planned to be fully implemented in a future minor release of RHEL 9. -

-

- Jira:RHELDOCS-16948[1], Bugzilla:1621944 -

-
-

The virtual floppy driver has become deprecated

-

- The isa-fdc driver, which controls virtual floppy disk devices, is - now deprecated, and will become unsupported in a future release of RHEL. Therefore, to ensure - forward compatibility with migrated virtual machines (VMs), Red Hat discourages using floppy - disk devices in VMs hosted on RHEL 9. -

-
-

- Bugzilla:1965079 -

-
-

qcow2-v2 image format is deprecated

-

- With RHEL 9, the qcow2-v2 format for virtual disk images has become deprecated, and will become - unsupported in a future major release of RHEL. In addition, the RHEL 9 Image Builder cannot - create disk images in the qcow2-v2 format. -

-
-

- Instead of qcow2-v2, Red Hat strongly recommends using qcow2-v3. To convert a qcow2-v2 image to a - later format version, use the qemu-img amend command. -

-

- Bugzilla:1951814 -

-
-

virt-manager has been - deprecated

-

- The Virtual Machine Manager application, also known as virt-manager, has been deprecated. The RHEL - web console, also known as Cockpit, is - intended to become its replacement in a subsequent release. It is, therefore, recommended that - you use the web console for managing virtualization in a GUI. Note, however, that some features - available in virt-manager might not be yet - available in the RHEL web console. -

-
-

- Jira:RHELPLAN-10304[1] -

-
-

libvirtd has become deprecated

-

- The monolithic libvirt daemon, libvirtd, has been deprecated in RHEL 9, and will be removed in a - future major release of RHEL. Note that you can still use libvirtd - for managing virtualization on your hypervisor, but Red Hat recommends switching to the newly - introduced modular libvirt daemons. For instructions and details, - see the RHEL - 9 Configuring and Managing Virtualization document. -

-
-

- Jira:RHELPLAN-113995[1] -

-
-

Legacy CPU models are now deprecated

-

- A significant number of CPU models have become deprecated and will become unsupported for use in - virtual machines (VMs) in a future major release of RHEL. The deprecated models are as follows: -

-
-
-
    -
  • - For Intel: models before Intel Xeon 55xx and 75xx Processor families (also known as Nehalem) -
  • -
  • - For AMD: models before AMD Opteron G4 -
  • -
  • - For IBM Z: models before IBM z14 -
  • -
-
-

- To check whether your VM is using a deprecated CPU model, use the virsh dominfo utility, and look for a line similar to the following in - the Messages section: -

-
tainted: use of deprecated configuration settings
-deprecated configuration: CPU model 'i486'
-

- Bugzilla:2060839 -

-
-

RDMA-based live migration is deprecated

-

- With this update, migrating running virtual machines using Remote Direct Memory Access (RDMA) - has become deprecated. As a result, it is still possible to use the rdma:// migration URI to request migration over RDMA, but this - feature will become unsupported in a future major release of RHEL. -

-
-

- Jira:RHELPLAN-153267[1] -

-
-

The Intel vGPU feature has been removed

-

- Previously, as a Technology Preview, it was possible to divide a physical Intel GPU device into - multiple virtual devices referred to as mediated devices. These - mediated devices could then be assigned to multiple virtual machines (VMs) as virtual GPUs. As a - result, these VMs shared the performance of a single physical Intel GPU, however only selected - Intel GPUs were compatible with this feature. -

-
-

- Since RHEL 9.3, the Intel vGPU feature has been removed entirely. -

-

- Bugzilla:2206599[1] -

-
-
-
-
-
-

10.15. Containers

-
-
-
-
-

Running RHEL 9 containers on a RHEL 7 host is not supported

-

- Running RHEL 9 containers on a RHEL 7 host is not supported. It might work, but it is not - guaranteed. -

-
-

- For more information, see Red Hat Enterprise - Linux Container Compatibility Matrix. -

-

- Jira:RHELPLAN-100087[1] -

-
-

SHA1 hash algorithm within Podman has been deprecated

-

- The SHA1 algorithm used to generate the filename of the rootless network namespace is no longer - supported in Podman. Therefore, rootless containers started before updating to Podman 4.1.1 or - later have to be restarted if they are joined to a network (and not just using slirp4netns) to ensure they can connect to containers started after - the upgrade. -

-
-

- Bugzilla:2069279[1] -

-
-

rhel9/pause has been deprecated

-

- The rhel9/pause container image has been deprecated. -

-
-

- Bugzilla:2106816 -

-
-

The CNI network stack has been deprecated

-

- The Container Network Interface (CNI) network stack is deprecated and will be removed from - Podman in a future minor release of RHEL. Previously, containers connected to the single - Container Network Interface (CNI) plugin only via DNS. Podman v.4.0 introduced a new Netavark - network stack. You can use the Netavark network stack with Podman and other Open Container - Initiative (OCI) container management applications. The Netavark network stack for Podman is - also compatible with advanced Docker functionalities. Containers in multiple networks can access - containers on any of those networks. -

-
-

- For more information, see Switching - the network stack from CNI to Netavark. -

-

- Jira:RHELDOCS-16756[1] -

-
-

The Inkscape and LibreOffice Flatpak images are deprecated

-

- The rhel9/inkscape-flatpak and rhel9/libreoffice-flatpak Flatpak images, which are available as - Technology Previews, have been deprecated. -

-
-

- Red Hat recommends the following alternatives to these images: -

-
- -
-

- Jira:RHELDOCS-17102[1] -

-
-
-
-
-
-

10.16. Deprecated packages

-
-
-
-

- This section lists packages that have been deprecated and will probably not be included in a future - major release of Red Hat Enterprise Linux. -

-

- For changes to packages between RHEL 8 and RHEL 9, see Changes - to packages in the Considerations in adopting RHEL 9 - document. -

-
-
Important
-
-

- The support status of deprecated packages remains unchanged within RHEL 9. For more - information about the length of support, see Red Hat Enterprise Linux - Life Cycle and Red - Hat Enterprise Linux Application Streams Life Cycle. -

-
-
-

- The following packages have been deprecated in RHEL 9: -

-
-
    -
  • - adwaita-gtk2-theme -
  • -
  • - autocorr-af -
  • -
  • - autocorr-bg -
  • -
  • - autocorr-ca -
  • -
  • - autocorr-cs -
  • -
  • - autocorr-da -
  • -
  • - autocorr-de -
  • -
  • - autocorr-dsb -
  • -
  • - autocorr-el -
  • -
  • - autocorr-en -
  • -
  • - autocorr-es -
  • -
  • - autocorr-fa -
  • -
  • - autocorr-fi -
  • -
  • - autocorr-fr -
  • -
  • - autocorr-ga -
  • -
  • - autocorr-hr -
  • -
  • - autocorr-hsb -
  • -
  • - autocorr-hu -
  • -
  • - autocorr-is -
  • -
  • - autocorr-it -
  • -
  • - autocorr-ja -
  • -
  • - autocorr-ko -
  • -
  • - autocorr-lb -
  • -
  • - autocorr-lt -
  • -
  • - autocorr-mn -
  • -
  • - autocorr-nl -
  • -
  • - autocorr-pl -
  • -
  • - autocorr-pt -
  • -
  • - autocorr-ro -
  • -
  • - autocorr-ru -
  • -
  • - autocorr-sk -
  • -
  • - autocorr-sl -
  • -
  • - autocorr-sr -
  • -
  • - autocorr-sv -
  • -
  • - autocorr-tr -
  • -
  • - autocorr-vi -
  • -
  • - autocorr-vro -
  • -
  • - autocorr-zh -
  • -
  • - cheese -
  • -
  • - cheese-libs -
  • -
  • - clutter -
  • -
  • - clutter-gst3 -
  • -
  • - clutter-gtk -
  • -
  • - cogl -
  • -
  • - daxio -
  • -
  • - dbus-glib -
  • -
  • - dbus-glib-devel -
  • -
  • - enchant -
  • -
  • - enchant-devel -
  • -
  • - eog -
  • -
  • - evolution -
  • -
  • - evolution-bogofilter -
  • -
  • - evolution-devel -
  • -
  • - evolution-help -
  • -
  • - evolution-langpacks -
  • -
  • - evolution-mapi -
  • -
  • - evolution-mapi-langpacks -
  • -
  • - evolution-pst -
  • -
  • - evolution-spamassassin -
  • -
  • - festival -
  • -
  • - festival-data -
  • -
  • - festvox-slt-arctic-hts -
  • -
  • - flite -
  • -
  • - flite-devel -
  • -
  • - gedit -
  • -
  • - gedit-plugin-bookmarks -
  • -
  • - gedit-plugin-bracketcompletion -
  • -
  • - gedit-plugin-codecomment -
  • -
  • - gedit-plugin-colorpicker -
  • -
  • - gedit-plugin-colorschemer -
  • -
  • - gedit-plugin-commander -
  • -
  • - gedit-plugin-drawspaces -
  • -
  • - gedit-plugin-findinfiles -
  • -
  • - gedit-plugin-joinlines -
  • -
  • - gedit-plugin-multiedit -
  • -
  • - gedit-plugin-sessionsaver -
  • -
  • - gedit-plugin-smartspaces -
  • -
  • - gedit-plugin-synctex -
  • -
  • - gedit-plugin-terminal -
  • -
  • - gedit-plugin-textsize -
  • -
  • - gedit-plugin-translate -
  • -
  • - gedit-plugin-wordcompletion -
  • -
  • - gedit-plugins -
  • -
  • - gedit-plugins-data -
  • -
  • - gnome-common -
  • -
  • - gnome-photos -
  • -
  • - gnome-photos-tests -
  • -
  • - gnome-screenshot -
  • -
  • - gnome-themes-extra -
  • -
  • - gtk2 -
  • -
  • - gtk2-devel -
  • -
  • - gtk2-devel-docs -
  • -
  • - gtk2-immodule-xim -
  • -
  • - gtk2-immodules -
  • -
  • - highcontrast-icon-theme -
  • -
  • - inkscape -
  • -
  • - inkscape-docs -
  • -
  • - inkscape-view -
  • -
  • - iptables-devel -
  • -
  • - iptables-libs -
  • -
  • - iptables-nft -
  • -
  • - iptables-nft-services -
  • -
  • - iptables-utils -
  • -
  • - libdb -
  • -
  • - libgdata -
  • -
  • - libgdata-devel -
  • -
  • - libpmem -
  • -
  • - libpmem-debug -
  • -
  • - libpmem-devel -
  • -
  • - libpmem2 -
  • -
  • - libpmem2-debug -
  • -
  • - libpmem2-devel -
  • -
  • - libpmemblk -
  • -
  • - libpmemblk-debug -
  • -
  • - libpmemblk-devel -
  • -
  • - libpmemlog -
  • -
  • - libpmemlog-debug -
  • -
  • - libpmemlog-devel -
  • -
  • - libpmemobj -
  • -
  • - libpmemobj-debug -
  • -
  • - libpmemobj-devel -
  • -
  • - libpmempool -
  • -
  • - libpmempool-debug -
  • -
  • - libpmempool-devel -
  • -
  • - libreoffice -
  • -
  • - libreoffice-base -
  • -
  • - libreoffice-calc -
  • -
  • - libreoffice-core -
  • -
  • - libreoffice-data -
  • -
  • - libreoffice-draw -
  • -
  • - libreoffice-emailmerge -
  • -
  • - libreoffice-filters -
  • -
  • - libreoffice-gdb-debug-support -
  • -
  • - libreoffice-graphicfilter -
  • -
  • - libreoffice-gtk3 -
  • -
  • - libreoffice-help-ar -
  • -
  • - libreoffice-help-bg -
  • -
  • - libreoffice-help-bn -
  • -
  • - libreoffice-help-ca -
  • -
  • - libreoffice-help-cs -
  • -
  • - libreoffice-help-da -
  • -
  • - libreoffice-help-de -
  • -
  • - libreoffice-help-dz -
  • -
  • - libreoffice-help-el -
  • -
  • - libreoffice-help-en -
  • -
  • - libreoffice-help-eo -
  • -
  • - libreoffice-help-es -
  • -
  • - libreoffice-help-et -
  • -
  • - libreoffice-help-eu -
  • -
  • - libreoffice-help-fi -
  • -
  • - libreoffice-help-fr -
  • -
  • - libreoffice-help-gl -
  • -
  • - libreoffice-help-gu -
  • -
  • - libreoffice-help-he -
  • -
  • - libreoffice-help-hi -
  • -
  • - libreoffice-help-hr -
  • -
  • - libreoffice-help-hu -
  • -
  • - libreoffice-help-id -
  • -
  • - libreoffice-help-it -
  • -
  • - libreoffice-help-ja -
  • -
  • - libreoffice-help-ko -
  • -
  • - libreoffice-help-lt -
  • -
  • - libreoffice-help-lv -
  • -
  • - libreoffice-help-nb -
  • -
  • - libreoffice-help-nl -
  • -
  • - libreoffice-help-nn -
  • -
  • - libreoffice-help-pl -
  • -
  • - libreoffice-help-pt-BR -
  • -
  • - libreoffice-help-pt-PT -
  • -
  • - libreoffice-help-ro -
  • -
  • - libreoffice-help-ru -
  • -
  • - libreoffice-help-si -
  • -
  • - libreoffice-help-sk -
  • -
  • - libreoffice-help-sl -
  • -
  • - libreoffice-help-sv -
  • -
  • - libreoffice-help-ta -
  • -
  • - libreoffice-help-tr -
  • -
  • - libreoffice-help-uk -
  • -
  • - libreoffice-help-zh-Hans -
  • -
  • - libreoffice-help-zh-Hant -
  • -
  • - libreoffice-impress -
  • -
  • - libreoffice-langpack-af -
  • -
  • - libreoffice-langpack-ar -
  • -
  • - libreoffice-langpack-as -
  • -
  • - libreoffice-langpack-bg -
  • -
  • - libreoffice-langpack-bn -
  • -
  • - libreoffice-langpack-br -
  • -
  • - libreoffice-langpack-ca -
  • -
  • - libreoffice-langpack-cs -
  • -
  • - libreoffice-langpack-cy -
  • -
  • - libreoffice-langpack-da -
  • -
  • - libreoffice-langpack-de -
  • -
  • - libreoffice-langpack-dz -
  • -
  • - libreoffice-langpack-el -
  • -
  • - libreoffice-langpack-en -
  • -
  • - libreoffice-langpack-eo -
  • -
  • - libreoffice-langpack-es -
  • -
  • - libreoffice-langpack-et -
  • -
  • - libreoffice-langpack-eu -
  • -
  • - libreoffice-langpack-fa -
  • -
  • - libreoffice-langpack-fi -
  • -
  • - libreoffice-langpack-fr -
  • -
  • - libreoffice-langpack-fy -
  • -
  • - libreoffice-langpack-ga -
  • -
  • - libreoffice-langpack-gl -
  • -
  • - libreoffice-langpack-gu -
  • -
  • - libreoffice-langpack-he -
  • -
  • - libreoffice-langpack-hi -
  • -
  • - libreoffice-langpack-hr -
  • -
  • - libreoffice-langpack-hu -
  • -
  • - libreoffice-langpack-id -
  • -
  • - libreoffice-langpack-it -
  • -
  • - libreoffice-langpack-ja -
  • -
  • - libreoffice-langpack-kk -
  • -
  • - libreoffice-langpack-kn -
  • -
  • - libreoffice-langpack-ko -
  • -
  • - libreoffice-langpack-lt -
  • -
  • - libreoffice-langpack-lv -
  • -
  • - libreoffice-langpack-mai -
  • -
  • - libreoffice-langpack-ml -
  • -
  • - libreoffice-langpack-mr -
  • -
  • - libreoffice-langpack-nb -
  • -
  • - libreoffice-langpack-nl -
  • -
  • - libreoffice-langpack-nn -
  • -
  • - libreoffice-langpack-nr -
  • -
  • - libreoffice-langpack-nso -
  • -
  • - libreoffice-langpack-or -
  • -
  • - libreoffice-langpack-pa -
  • -
  • - libreoffice-langpack-pl -
  • -
  • - libreoffice-langpack-pt-BR -
  • -
  • - libreoffice-langpack-pt-PT -
  • -
  • - libreoffice-langpack-ro -
  • -
  • - libreoffice-langpack-ru -
  • -
  • - libreoffice-langpack-si -
  • -
  • - libreoffice-langpack-sk -
  • -
  • - libreoffice-langpack-sl -
  • -
  • - libreoffice-langpack-sr -
  • -
  • - libreoffice-langpack-ss -
  • -
  • - libreoffice-langpack-st -
  • -
  • - libreoffice-langpack-sv -
  • -
  • - libreoffice-langpack-ta -
  • -
  • - libreoffice-langpack-te -
  • -
  • - libreoffice-langpack-th -
  • -
  • - libreoffice-langpack-tn -
  • -
  • - libreoffice-langpack-tr -
  • -
  • - libreoffice-langpack-ts -
  • -
  • - libreoffice-langpack-uk -
  • -
  • - libreoffice-langpack-ve -
  • -
  • - libreoffice-langpack-xh -
  • -
  • - libreoffice-langpack-zh-Hans -
  • -
  • - libreoffice-langpack-zh-Hant -
  • -
  • - libreoffice-langpack-zu -
  • -
  • - libreoffice-math -
  • -
  • - libreoffice-ogltrans -
  • -
  • - libreoffice-opensymbol-fonts -
  • -
  • - libreoffice-pdfimport -
  • -
  • - libreoffice-pyuno -
  • -
  • - libreoffice-sdk -
  • -
  • - libreoffice-sdk-doc -
  • -
  • - libreoffice-ure -
  • -
  • - libreoffice-ure-common -
  • -
  • - libreoffice-wiki-publisher -
  • -
  • - libreoffice-writer -
  • -
  • - libreoffice-x11 -
  • -
  • - libreoffice-xsltfilter -
  • -
  • - libreofficekit -
  • -
  • - libsoup -
  • -
  • - libsoup-devel -
  • -
  • - libuser -
  • -
  • - libuser-devel -
  • -
  • - libwpe -
  • -
  • - libwpe-devel -
  • -
  • - mcpp -
  • -
  • - mod_auth_mellon -
  • -
  • - motif -
  • -
  • - motif-devel -
  • -
  • - pmdk-convert -
  • -
  • - pmempool -
  • -
  • - python3-pytz -
  • -
  • - qt5 -
  • -
  • - qt5-assistant -
  • -
  • - qt5-designer -
  • -
  • - qt5-devel -
  • -
  • - qt5-doctools -
  • -
  • - qt5-linguist -
  • -
  • - qt5-qdbusviewer -
  • -
  • - qt5-qt3d -
  • -
  • - qt5-qt3d-devel -
  • -
  • - qt5-qt3d-doc -
  • -
  • - qt5-qt3d-examples -
  • -
  • - qt5-qtbase -
  • -
  • - qt5-qtbase-common -
  • -
  • - qt5-qtbase-devel -
  • -
  • - qt5-qtbase-doc -
  • -
  • - qt5-qtbase-examples -
  • -
  • - qt5-qtbase-gui -
  • -
  • - qt5-qtbase-mysql -
  • -
  • - qt5-qtbase-odbc -
  • -
  • - qt5-qtbase-postgresql -
  • -
  • - qt5-qtbase-private-devel -
  • -
  • - qt5-qtbase-static -
  • -
  • - qt5-qtconnectivity -
  • -
  • - qt5-qtconnectivity-devel -
  • -
  • - qt5-qtconnectivity-doc -
  • -
  • - qt5-qtconnectivity-examples -
  • -
  • - qt5-qtdeclarative -
  • -
  • - qt5-qtdeclarative-devel -
  • -
  • - qt5-qtdeclarative-doc -
  • -
  • - qt5-qtdeclarative-examples -
  • -
  • - qt5-qtdeclarative-static -
  • -
  • - qt5-qtdoc -
  • -
  • - qt5-qtgraphicaleffects -
  • -
  • - qt5-qtgraphicaleffects-doc -
  • -
  • - qt5-qtimageformats -
  • -
  • - qt5-qtimageformats-doc -
  • -
  • - qt5-qtlocation -
  • -
  • - qt5-qtlocation-devel -
  • -
  • - qt5-qtlocation-doc -
  • -
  • - qt5-qtlocation-examples -
  • -
  • - qt5-qtmultimedia -
  • -
  • - qt5-qtmultimedia-devel -
  • -
  • - qt5-qtmultimedia-doc -
  • -
  • - qt5-qtmultimedia-examples -
  • -
  • - qt5-qtquickcontrols -
  • -
  • - qt5-qtquickcontrols-doc -
  • -
  • - qt5-qtquickcontrols-examples -
  • -
  • - qt5-qtquickcontrols2 -
  • -
  • - qt5-qtquickcontrols2-devel -
  • -
  • - qt5-qtquickcontrols2-doc -
  • -
  • - qt5-qtquickcontrols2-examples -
  • -
  • - qt5-qtscript -
  • -
  • - qt5-qtscript-devel -
  • -
  • - qt5-qtscript-doc -
  • -
  • - qt5-qtscript-examples -
  • -
  • - qt5-qtsensors -
  • -
  • - qt5-qtsensors-devel -
  • -
  • - qt5-qtsensors-doc -
  • -
  • - qt5-qtsensors-examples -
  • -
  • - qt5-qtserialbus -
  • -
  • - qt5-qtserialbus-devel -
  • -
  • - qt5-qtserialbus-doc -
  • -
  • - qt5-qtserialbus-examples -
  • -
  • - qt5-qtserialport -
  • -
  • - qt5-qtserialport-devel -
  • -
  • - qt5-qtserialport-doc -
  • -
  • - qt5-qtserialport-examples -
  • -
  • - qt5-qtsvg -
  • -
  • - qt5-qtsvg-devel -
  • -
  • - qt5-qtsvg-doc -
  • -
  • - qt5-qtsvg-examples -
  • -
  • - qt5-qttools -
  • -
  • - qt5-qttools-common -
  • -
  • - qt5-qttools-devel -
  • -
  • - qt5-qttools-doc -
  • -
  • - qt5-qttools-examples -
  • -
  • - qt5-qttools-libs-designer -
  • -
  • - qt5-qttools-libs-designercomponents -
  • -
  • - qt5-qttools-libs-help -
  • -
  • - qt5-qttools-static -
  • -
  • - qt5-qttranslations -
  • -
  • - qt5-qtwayland -
  • -
  • - qt5-qtwayland-devel -
  • -
  • - qt5-qtwayland-doc -
  • -
  • - qt5-qtwayland-examples -
  • -
  • - qt5-qtwebchannel -
  • -
  • - qt5-qtwebchannel-devel -
  • -
  • - qt5-qtwebchannel-doc -
  • -
  • - qt5-qtwebchannel-examples -
  • -
  • - qt5-qtwebsockets -
  • -
  • - qt5-qtwebsockets-devel -
  • -
  • - qt5-qtwebsockets-doc -
  • -
  • - qt5-qtwebsockets-examples -
  • -
  • - qt5-qtx11extras -
  • -
  • - qt5-qtx11extras-devel -
  • -
  • - qt5-qtx11extras-doc -
  • -
  • - qt5-qtxmlpatterns -
  • -
  • - qt5-qtxmlpatterns-devel -
  • -
  • - qt5-qtxmlpatterns-doc -
  • -
  • - qt5-qtxmlpatterns-examples -
  • -
  • - qt5-rpm-macros -
  • -
  • - qt5-srpm-macros -
  • -
  • - webkit2gtk3 -
  • -
  • - webkit2gtk3-devel -
  • -
  • - webkit2gtk3-jsc -
  • -
  • - webkit2gtk3-jsc-devel -
  • -
  • - wpebackend-fdo -
  • -
  • - wpebackend-fdo-devel -
  • -
  • - xorg-x11-server-Xorg -
  • -
-
-
-
-
-
-
-
-

Chapter 11. Known issues

-
-
-
-

- This part describes known issues in Red Hat Enterprise Linux 9.3. -

-
-
-
-
-

11.1. Installer and image creation

-
-
-
-
-

The auth and authconfig Kickstart commands require the AppStream - repository

-

- The authselect-compat package is required by the auth and authconfig Kickstart commands - during installation. Without this package, the installation fails if auth or authconfig are used. However, by - design, the authselect-compat package is only available in the - AppStream repository. -

-
-

- To work around this problem, verify that the BaseOS and AppStream repositories are available to the - installation program or use the authselect Kickstart command during - installation. -

-

- Bugzilla:1640697[1] -

-
-

The reboot --kexec and inst.kexec commands do not provide a predictable system - state

-

- Performing a RHEL installation with the reboot --kexec Kickstart - command or the inst.kexec kernel boot parameters do not provide the - same predictable system state as a full reboot. As a consequence, switching to the installed - system without rebooting can produce unpredictable results. -

-
-

- Note that the kexec feature is deprecated and will be removed in a - future release of Red Hat Enterprise Linux. -

-

- Bugzilla:1697896[1] -

-
-

Unexpected SELinux policies on systems where Anaconda is running as an - application

-

- When Anaconda is running as an application on an already installed system (for example to - perform another installation to an image file using the –image - anaconda option), the system is not prohibited to modify the SELinux types and attributes during - installation. As a consequence, certain elements of SELinux policy might change on the system - where Anaconda is running. -

-
-

- To work around this problem, do not run Anaconda on the production system. Instead, run Anaconda in - a temporary virtual machine to keep the SELinux policy unchanged on a production system. Running - anaconda as part of the system installation process such as installing from boot.iso or dvd.iso is not affected by this - issue. -

-

- Bugzilla:2050140 -

-
-

Local Media installation source is not - detected when booting the installation from a USB that is created using a third party - tool

-

- When booting the RHEL installation from a USB that is created using a third party tool, the - installer fails to detect the Local Media installation source (only - Red Hat CDN is detected). -

-
-

- This issue occurs because the default boot option int.stage2= attempts - to search for iso9660 image format. However, a third party tool might - create an ISO image with a different format. -

-

- As a workaround, use either of the following solution: -

-
-
    -
  • - When booting the installation, click the Tab key to edit the - kernel command line, and change the boot option inst.stage2= to - inst.repo=. -
  • -
  • - To create a bootable USB device on Windows, use Fedora Media Writer. -
  • -
  • - When using a third party tool such as Rufus to create a bootable USB device, first - regenerate the RHEL ISO image on a Linux system, and then use the third party tool to create - a bootable USB device. -
  • -
-
-

- For more information on the steps involved in performing any of the specified workaround, see, Installation media is not - auto-detected during the installation of RHEL 8.3. -

-

- Bugzilla:1877697[1] -

-
-

The USB CD-ROM drive is not available as an installation source in - Anaconda

-

- Installation fails when the USB CD-ROM drive is the source for it and the Kickstart ignoredisk --only-use= command is specified. In this case, Anaconda - cannot find and use this source disk. -

-
-

- To work around this problem, use the harddrive --partition=sdX --dir=/ - command to install from USB CD-ROM drive. As a result, the installation does not fail. -

-

- Jira:RHEL-4707 -

-
-

Hard drive partitioned installations with iso9660 filesystem fails -

-

- You cannot install RHEL on systems where the hard drive is partitioned with the iso9660 filesystem. This is due to the updated installation code that - is set to ignore any hard disk containing a iso9660 file system - partition. This happens even when RHEL is installed without using a DVD. -

-
-

- To workaround this problem, add the following script in the Kickstart file to format the disc before - the installation starts. -

-

- Note: Before performing the workaround, backup the data available on the disk. The wipefs command formats all the existing data from the disk. -

-
%pre
-wipefs -a /dev/sda
-%end
-

- As a result, installations work as expected without any errors. -

-

- Jira:RHEL-4711 -

-
-

Anaconda fails to verify existence of an administrator user - account

-

- While installing RHEL using a graphical user interface, Anaconda fails to verify if the - administrator account has been created. As a consequence, users might install a system without - any administrator user account. -

-
-

- To work around this problem, ensure you configure an administrator user account or the root password - is set and the root account is unlocked. As a result, users can perform administrative tasks on the - installed system. -

-

- Bugzilla:2047713 -

-
-

New XFS features prevent booting of PowerNV IBM POWER systems with firmware - older than version 5.10

-

- PowerNV IBM POWER systems use a Linux kernel for firmware, and use Petitboot as a replacement - for GRUB. This results in the firmware kernel mounting /boot and - Petitboot reading the GRUB config and booting RHEL. -

-
-

- The RHEL 9 kernel introduces bigtime=1 and inobtcount=1 features to the XFS filesystem, which kernels with firmware - older than version 5.10 do not understand. -

-

- To work around this problem, you can use another filesystem for /boot, - for example ext4. -

-

- Bugzilla:1997832[1] -

-
-

RHEL for Edge installer image fails to create mount points when installing - an rpm-ostree payload

-

- When deploying rpm-ostree payloads, used for example in a RHEL for - Edge installer image, the installer does not properly create some mount points for custom - partitions. As a consequence, the installation is aborted with the following error: -

-
-
The command 'mount --bind /mnt/sysimage/data /mnt/sysroot/data' exited with the code 32.
-

- To work around this issue: -

-
-
    -
  • - Use an automatic partitioning scheme and do not add any mount points manually. -
  • -
  • - Manually assign mount points only inside /var directory. For - example, /var/my-mount-point), and - the following standard directories: /, /boot, /var. -
  • -
-
-

- As a result, the installation process finishes successfully. -

-

- Jira:RHEL-4741 -

-
-

NetworkManager fails to start after the installation when connected to a - network but without DHCP or a static IP address configured

-

- Starting with RHEL 9.0, Anaconda activates network devices automatically when there is no - specific ip= or Kickstart network configuration set. Anaconda - creates a default persistent configuration file for each Ethernet device. The connection profile - has the ONBOOT and autoconnect value - set to true. As a consequence, during the start of the installed - system, RHEL activates the network devices, and the networkManager-wait-online service fails. -

-
-

- As a workaround, do one of the following: -

-
-
    -
  • -

    - Delete all connections using the nmcli utility except one - connection you want to use. For example: -

    -
    -
      -
    1. -

      - List all connection profiles: -

      -
      # nmcli connection show
      -
    2. -
    3. -

      - Delete the connection profiles that you do not require: -

      -
      # nmcli connection delete <connection_name>
      -

      - Replace <connection_name> with the name of the connection you want to - delete. -

      -
    4. -
    -
    -
  • -
  • -

    - Disable the auto connect network feature in Anaconda if no specific ip= or Kickstart network configuration is set. -

    -
    -
      -
    1. - In the Anaconda GUI, navigate to Network - & Host Name. -
    2. -
    3. - Select a network device to disable. -
    4. -
    5. - Click Configure. -
    6. -
    7. - On the General tab, clear - the Connect automatically with - priority checkbox. -
    8. -
    9. - Click Save. -
    10. -
    -
    -
  • -
-
-

- Bugzilla:2115783[1] -

-
-

Unable to load an updated driver from the driver update disc in the - installation environment

-

- A new version of a driver from the driver update disc might not load if the same driver from the - installation initial RM disk has already been loaded. As a consequence, an updated version of - the driver cannot be applied to the installation environment. -

-
-

- As a workaround, use the modprobe.blacklist= kernel command line option - together with the inst.dd option. For example, to ensure that an - updated version of the virtio_blk driver from a driver update disc is - loaded, use modprobe.blacklist=virtio_blk and then continue with the - usual procedure to apply drivers from the driver update disk. As a result, the system can load an - updated version of the driver and use it in the installation environment. -

-

- Jira:RHEL-4762 -

-
-

Kickstart installations fail to configure the network connection -

-

- Anaconda performs the Kickstart network configuration only through the NetworkManager API. - Anaconda processes the network configuration after the %pre - Kickstart section. As a consequence, some tasks from the Kickstart %pre section are blocked. For example, downloading packages from the - %pre section fails due to unavailability of the network - configuration. -

-
-

- To work around this problem: -

-
-
    -
  • - Configure the network, for example using the nmcli tool, as a - part of the %pre script. -
  • -
  • - Use the installer boot options to configure the network for the %pre script. -
  • -
-
-

- As a result, it is possible to use the network for tasks in the %pre - section and the Kickstart installation process completes. -

-

- Bugzilla:2173992 -

-
-

Enabling the FIPS mode is not supported when building rpm-ostree images with RHEL image builder

-

- Currently, there is no support to enable the FIPS mode when building rpm-ostree images with RHEL image builder. -

-
-

- Jira:RHEL-4655 -

-
-

Images built with the stig profile remediation - fails to boot with FIPS error

-

- FIPS mode is not supported by RHEL image builder. When using RHEL image builder customized with - the xccdf_org.ssgproject.content_profile_stig profile remediation, - the system fails to boot with the following error: -

-
-
Warning: /boot//.vmlinuz-<kernel version>.x86_64.hmac does not exist
-FATAL: FIPS integrity test failed
-Refusing to continue
-

- Enabling the FIPS policy manually after the system image installation with the fips-mode-setup --enable command does not work, because the /boot directory is on a different partition. System boots successfully if - FIPS is disabled. Currently, there is no workaround available. -

-
-
Note
-
-

- You can manually enable FIPS after installing the image by using the fips-mode-setup --enable command. -

-
-
-

- Jira:RHEL-4649 -

-
-

Driver disk menu fails to display user inputs on the console

-

- When you start RHEL installation using the inst.dd option on the - kernel command line with a driver disk, the console fails to display the user input. - Consequently, it appears that the application does not respond to the user input and stops - responding, but displays the output which is confusing for users. However, this behavior does - not affect the functionality, and user input gets registered after pressing Enter. -

-
-

- As a workaround, to see the expected results, ignore the absence of user inputs in the console and - press Enter when you finish adding inputs. -

-

- Jira:RHEL-4737 -

-
-
-
-
-
-

11.2. Security

-
-
-
-
-

OpenSSL does not detect if a PKCS #11 token supports the creation of raw - RSA or RSA-PSS signatures

-

- The TLS 1.3 protocol requires support for RSA-PSS signatures. If a PKCS #11 token does not - support raw RSA or RSA-PSS signatures, server applications that use the OpenSSL library fail to - work with an RSA key if the key is held by the PKCS #11 token. As a result, TLS communication - fails in the described scenario. -

-
-

- To work around this problem, configure servers and clients to use TLS version 1.2 as the highest TLS - protocol version available. -

-

- Bugzilla:1681178[1] -

-
-

OpenSSL incorrectly handles PKCS #11 tokens - that does not support raw RSA or RSA-PSS signatures

-

- The OpenSSL library does not detect key-related capabilities of - PKCS #11 tokens. Consequently, establishing a TLS connection fails when a signature is created - with a token that does not support raw RSA or RSA-PSS signatures. -

-
-

- To work around the problem, add the following lines after the .include - line at the end of the crypto_policy section in the /etc/pki/tls/openssl.cnf file: -

-
SignatureAlgorithms = RSA+SHA256:RSA+SHA512:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA512:ECDSA+SHA384
-MaxProtocol = TLSv1.2
-

- As a result, a TLS connection can be established in the described scenario. -

-

- Bugzilla:1685470[1] -

-
-

With a specific syntax, scp empties files - copied to themselves

-

- The scp utility changed from the Secure copy protocol (SCP) to the - more secure SSH file transfer protocol (SFTP). Consequently, copying a file from a location to - the same location erases the file content. The problem affects the following syntax: -

-
-

- scp localhost:/myfile localhost:/myfile -

-

- To work around this problem, do not copy files to a destination that is the same as the source - location using this syntax. -

-

- The problem has been fixed for the following syntaxes: -

-
-
    -
  • - scp /myfile localhost:/myfile -
  • -
  • - scp localhost:~/myfile ~/myfile -
  • -
-
-

- Bugzilla:2056884 -

-
-

The OSCAP Anaconda add-on does not fetch tailored profiles in the graphical - installation

-

- The OSCAP Anaconda add-on does not provide an option to select or deselect tailoring of security - profiles in the RHEL graphical installation. Starting from RHEL 8.8, the add-on does not take - tailoring into account by default when installing from archives or RPM packages. Consequently, - the installation displays the following error message instead of fetching an OSCAP tailored - profile: -

-
-
There was an unexpected problem with the supplied content.
-

- To work around this problem, you must specify paths in the %addon org_fedora_oscap section of your Kickstart file, for example: -

-
xccdf-path = /usr/share/xml/scap/sc_tailoring/ds-combined.xml
-tailoring-path = /usr/share/xml/scap/sc_tailoring/tailoring-xccdf.xml
-

- As a result, you can use the graphical installation for OSCAP tailored profiles only with the - corresponding Kickstart specifications. -

-

- Jira:RHEL-1824 -

-
-

Ansible remediations require additional collections

-

- With the replacement of Ansible Engine by the ansible-core package, - the list of Ansible modules provided with the RHEL subscription is reduced. As a consequence, - running remediations that use Ansible content included within the scap-security-guide package requires collections from the rhc-worker-playbook package. -

-
-

- For an Ansible remediation, perform the following steps: -

-
-
    -
  1. -

    - Install the required packages: -

    -
    # dnf install -y ansible-core scap-security-guide rhc-worker-playbook
    -
  2. -
  3. -

    - Navigate to the /usr/share/scap-security-guide/ansible - directory: -

    -
    # cd /usr/share/scap-security-guide/ansible
    -
  4. -
  5. -

    - Run the relevant Ansible playbook using environment variables that define the path to - the additional Ansible collections: -

    -
    # ANSIBLE_COLLECTIONS_PATH=/usr/share/rhc-worker-playbook/ansible/collections/ansible_collections/ ansible-playbook -c local -i localhost, rhel9-playbook-cis_server_l1.yml
    -

    - Replace cis_server_l1 with the - ID of the profile against which you want to remediate the system. -

    -
  6. -
-
-

- As a result, the Ansible content is processed correctly. -

-
-
Note
-
-

- Support of the collections provided in rhc-worker-playbook is - limited to enabling the Ansible content sourced in scap-security-guide. -

-
-
-

- Jira:RHEL-1800 -

-
-

Keylime does not accept concatenated PEM certificates

-

- When Keylime receives a certificate chain as multiple certificates in the PEM format - concatenated in a single file, the keylime-agent-rust Keylime - component does not correctly use all the provided certificates during signature verification, - resulting in a TLS handshake failure. As a consequence, the client components (keylime_verifier and keylime_tenant) - cannot connect to the Keylime agent. To work around this problem, use just one certificate - instead of multiple certificates. -

-
-

- Jira:RHELPLAN-157225[1] -

-
-

Keylime refuses runtime policies whose digests start with a - backslash

-

- The current script for generating runtime policies, create_runtime_policy.sh, uses SHA checksum functions, for example, - sha256sum, to compute the file digest. However, when the input file - name contains a backslash or \n, the checksum function adds a - backslash before the digest in its output. In such cases, the generated policy file is - malformed. When provided with the malformed policy file, the Keylime tenant produces the - following or similar error message: me.tenant - ERROR - Response code 400: Runtime policy is malformatted. - To work around the problem, remove the backslash from the malformed policy file manually by - entering the following command: sed -i 's/^\\//g' <malformed_file_name>. -

-
-

- Jira:RHEL-11867[1] -

-
-

Keylime agent rejects requests from the verifier after update

-

- When the API version number of the Keylime agent (keylime-agent-rust) has been updated, the agent rejects requests that - use a different version. As a consequence, if a Keylime agent is added to a verifier and then - updated, the verifier tries to contact the agent using the old API version. The agent rejects - this request and fails the attestation. To work around this problem, update the verifier (keylime-verifier) before updating the agent (keylime-agent-rust). As a result, when the agents are updated, the - verifier detects the API change and updates its stored data accordingly. -

-
-

- Jira:RHEL-1518[1] -

-
-

The fapolicyd utility incorrectly allows - executing changed files

-

- Correctly, the IMA hash of a file should update after any change to the file, and fapolicyd should prevent execution of the changed file. However, this - does not happen due to differences in IMA policy setup and in file hashing by the evctml utility. As a result, the IMA hash is not updated in the - extended attribute of a changed file. Consequently, fapolicyd - incorrectly allows the execution of the changed file. -

-
-

- Jira:RHEL-520[1] -

-
-

Default SELinux policy allows unconfined executables to make their stack - executable

-

- The default state of the selinuxuser_execstack boolean in the - SELinux policy is on, which means that unconfined executables can make their stack executable. - Executables should not use this option, and it might indicate poorly coded executables or a - possible attack. However, due to compatibility with other tools, packages, and third-party - products, Red Hat cannot change the value of the boolean in the default policy. If your scenario - does not depend on such compatibility aspects, you can turn the boolean off in your local policy - by entering the command setsebool -P selinuxuser_execstack off. -

-
-

- Bugzilla:2064274 -

-
-

SSH timeout rules in STIG profiles configure incorrect options

-

- An update of OpenSSH affected the rules in the following Defense Information Systems Agency - Security Technical Implementation Guide (DISA STIG) profiles: -

-
-
-
    -
  • - DISA STIG for RHEL 9 (xccdf_org.ssgproject.content_profile_stig) -
  • -
  • - DISA STIG with GUI for RHEL 9 (xccdf_org.ssgproject.content_profile_stig_gui) -
  • -
-
-

- In each of these profiles, the following two rules are affected: -

-
Title: Set SSH Client Alive Count Max to zero
-CCE Identifier: CCE-90271-8
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
-
-Title: Set SSH Idle Timeout Interval
-CCE Identifier: CCE-90811-1
-Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
-

- When applied to SSH servers, each of these rules configures an option (ClientAliveCountMax and ClientAliveInterval) - that no longer behaves as previously. As a consequence, OpenSSH no longer disconnects idle SSH users - when it reaches the timeout configured by these rules. As a workaround, these rules have been - temporarily removed from the DISA STIG for RHEL 9 and DISA STIG with GUI for RHEL 9 profiles until a - solution is developed. -

-

- Bugzilla:2038978 -

-
-

GnuPG incorrectly allows using SHA-1 signatures even if disallowed by crypto-policies

-

- The GNU Privacy Guard (GnuPG) cryptographic software can create and verify signatures that use - the SHA-1 algorithm regardless of the settings defined by the system-wide cryptographic - policies. Consequently, you can use SHA-1 for cryptographic purposes in the DEFAULT cryptographic policy, which is not consistent with the - system-wide deprecation of this insecure algorithm for signatures. -

-
-

- To work around this problem, do not use GnuPG options that involve SHA-1. As a result, you will - prevent GnuPG from lowering the default system security by using the insecure SHA-1 signatures. -

-

- Bugzilla:2070722 -

-
-

OpenSCAP memory-consumption problems

-

- On systems with limited memory, the OpenSCAP scanner might stop prematurely or it might not - generate the results files. To work around this problem, you can customize the scanning profile - to deselect rules that involve recursion over the entire / file - system: -

-
-
-
    -
  • - rpm_verify_hashes -
  • -
  • - rpm_verify_permissions -
  • -
  • - rpm_verify_ownership -
  • -
  • - file_permissions_unauthorized_world_writable -
  • -
  • - no_files_unowned_by_user -
  • -
  • - dir_perms_world_writable_system_owned -
  • -
  • - file_permissions_unauthorized_suid -
  • -
  • - file_permissions_unauthorized_sgid -
  • -
  • - file_permissions_ungroupowned -
  • -
  • - dir_perms_world_writable_sticky_bits -
  • -
-
-

- For more details and more workarounds, see the related Knowledgebase article. -

-

- Bugzilla:2161499 -

-
-

Remediating service-related rules during kickstart installations might - fail

-

- During a kickstart installation, the OpenSCAP utility sometimes incorrectly shows that a service - enable or disable state remediation is - not needed. Consequently, OpenSCAP might set the services on the installed system to a - non-compliant state. As a workaround, you can scan and remediate the system after the kickstart - installation. This will fix the service-related issues. -

-
-

- BZ#1834716 -

-
-
-
-
-
-

11.3. RHEL for Edge

-
-
-
-
-

The open-vm-tools package is not available in - the edge-vsphere image

-

- Currently, the open-vm-tools package is not installed by default in - the edge-vsphere image. To workaround this issue, include the - package in the blueprint customization. When using the edge-vsphere - image type, add the open-vm-tools in the blueprint for the RHEL for - Edge Container image or the RHEL for Edge Commit image. -

-
-

- Jira:RHELDOCS-16574[1] -

-
-
-
-
-
-

11.4. Software management

-
-
-
-
-

The Installation process sometimes becomes unresponsive

-

- When you install RHEL, the installation process sometimes becomes unresponsive. The /tmp/packaging.log file displays the following message at the end: -

-
-
10:20:56,416 DDEBUG dnf: RPM transaction over.
-

- To workaround this problem, restart the installation process. -

-

- Bugzilla:2073510 -

-
-

Running createrepo_c on local repositories - generates duplicate repodata files

-

- When you run the createrepo_c command on local repositories, it - generates duplicate copies of repodata files, one of the copies is - compressed and one is not. There is no workaround available, however, you can safely ignore the - duplicate files. The createrepo_c command generates duplicate - copies because of requirements and differences in other tools relying on repositories created by - using createrepo_c. -

-
-

- Bugzilla:2056318 -

-
-
-
-
-
-

11.5. Shells and command-line tools

-
-
-
-
-

ReaR fails during recovery if the TMPDIR - variable is set in the configuration file

-

- Setting and exporting TMPDIR in the /etc/rear/local.conf or /etc/rear/site.conf ReaR configuration file does not work and is - deprecated. -

-
-

- The ReaR default configuration file /usr/share/rear/conf/default.conf - contains the following instructions: -

-
# To have a specific working area directory prefix for Relax-and-Recover
-# specify in /etc/rear/local.conf something like
-#
-# export TMPDIR="/prefix/for/rear/working/directory"
-#
-# where /prefix/for/rear/working/directory must already exist.
-# This is useful for example when there is not sufficient free space
-# in /tmp or $TMPDIR for the ISO image or even the backup archive.
-

- The instructions mentioned above do not work correctly because the TMPDIR variable has the same value in the rescue environment, which is - not correct if the directory specified in the TMPDIR variable does not - exist in the rescue image. -

-

- As a consequence, setting and exporting TMPDIR in the /etc/rear/local.conf file leads to the following error when the rescue - image is booted : -

-
mktemp: failed to create file via template '/prefix/for/rear/working/directory/tmp.XXXXXXXXXX': No such file or directory
-cp: missing destination file operand after '/etc/rear/mappings/mac'
-Try 'cp --help' for more information.
-No network interface mapping is specified in /etc/rear/mappings/mac
-

- or the following error and abort later, when running rear recover: -

-
ERROR: Could not create build area
-

- To work around this problem, if you want to have a custom temporary directory, specify a custom - directory for ReaR temporary files by exporting the variable in the shell environment before - executing ReaR. For example, execute the export TMPDIR=…​ statement and - then execute the rear command in the same shell session or script. As a - result, the recovery is successful in the described configuration. -

-

- Jira:RHEL-24847 -

-
-

Renaming network interfaces using ifcfg files - fails

-

- On RHEL 9, the initscripts package is not installed by default. - Consequently, renaming network interfaces using ifcfg files fails. - To solve this problem, Red Hat recommends that you use udev rules - or link files to rename interfaces. For further details, see Consistent - network interface device naming and the systemd.link(5) man - page. -

-
-

- If you cannot use one of the recommended solutions, install the initscripts package. -

-

- Bugzilla:2018112[1] -

-
-

The chkconfig package is not installed by - default in RHEL 9

-

- The chkconfig package, which updates and queries runlevel - information for system services, is not installed by default in RHEL 9. -

-
-

- To manage services, use the systemctl commands or install the chkconfig package manually. -

-

- For more information about systemd, see Introduction - to systemd. For instructions on how to use the systemctl - utility, see Managing - system services with systemctl. -

-

- Bugzilla:2053598[1] -

-
-

Setting the console keymap requires the libxkbcommon library on your minimal install

-

- In RHEL 9, certain systemd library dependencies have been converted - from dynamic linking to dynamic loading, so that your system opens and uses the libraries at - runtime when they are available. With this change, a functionality that depends on such - libraries is not available unless you install the necessary library. This also affects setting - the keyboard layout on systems with a minimal install. As a result, the localectl --no-convert set-x11-keymap gb command fails. -

-
-

- To work around this problem, install the libxkbcommon library: -

-
# dnf install libxkbcommon
-

- Jira:RHEL-6105 -

-
-

The %vmeff metric from the sysstat package displays incorrect values

-

- The sysstat package provides the %vmeff metric to measure the page reclaim efficiency. The values of - the %vmeff column returned by the sar -B command are incorrect because sysstat does not parse all relevant /proc/vmstat values provided by later kernel versions. To work around - this problem, you can calculate the %vmeff value manually from the - /proc/vmstat file. For details, see Why the sar(1) tool reports %vmeff values - beyond 100 % in RHEL 8 and RHEL 9? -

-
-

- Jira:RHEL-12009 -

-
-

The Service Location Protocol (SLP) is vulnerable to an attack through - UDP

-

- The OpenSLP provides a dynamic configuration mechanism for applications in local area networks, - such as printers and file servers. However, SLP is vulnerable to a reflective denial of service - amplification attack through UDP on systems connected to the internet. SLP allows an - unauthenticated attacker to register new services without limits set by the SLP implementation. - By using UDP and spoofing the source address, an attacker can request the service list, creating - a Denial of Service on the spoofed address. -

-
-

- To prevent external attackers from accessing the SLP service, disable SLP on all systems running on - untrusted networks, such as those directly connected to the internet. Alternatively, to work around - this problem, configure firewalls to block or filter traffic on UDP and TCP port 427. -

-

- Jira:RHEL-6995[1] -

-
-
-
-
-
-

11.6. Infrastructure services

-
-
-
-
-

Both bind and unbound disable validation of SHA-1-based signatures

-

- The bind and unbound components - disable validation support of all RSA/SHA1 (algorithm number 5) and RSASHA1-NSEC3-SHA1 - (algorithm number 7) signatures, and the SHA-1 usage for signatures is restricted in the DEFAULT - system-wide cryptographic policy. -

-
-

- As a result, certain DNSSEC records signed with the SHA-1, RSA/SHA1, and RSASHA1-NSEC3-SHA1 digest - algorithms fail to verify in Red Hat Enterprise Linux 9 and the affected domain names become - vulnerable. -

-

- To work around this problem, upgrade to a different signature algorithm, such as RSA/SHA-256 or - elliptic curve keys. -

-

- For more information and a list of top-level domains that are affected and vulnerable, see the DNSSEC records signed with - RSASHA1 fail to verify solution. -

-

- Bugzilla:2070495 -

-
-

named fails to start if the same writable zone - file is used in multiple zones

-

- BIND does not allow the same writable zone file in multiple zones. Consequently, if a - configuration includes multiple zones which share a path to a file that can be modified by the - named service, named fails to start. - To work around this problem, use the in-view clause to share one - zone between multiple views and make sure to use different paths for different zones. For - example, include the view names in the path. -

-
-

- Note that writable zone files are typically used in zones with allowed dynamic updates, secondary - zones, or zones maintained by DNSSEC. -

-

- Bugzilla:1984982 -

-
-

libotr is not compliant with FIPS

-

- The libotr library and toolkit for off-the-record (OTR) messaging - provides end-to-end encryption for instant messaging conversations. However, the libotr library does not conform to the Federal Information Processing - Standards (FIPS) due to its use of the gcry_pk_sign() and gcry_pk_verify() functions. As a result, you cannot use the libotr library in FIPS mode. -

-
-

- Bugzilla:2086562 -

-
-
-
-
-
-

11.7. Networking

-
-
-
-
-

Using the XDP multi buffer mode with the mlx5 - driver and a MTU greater than 3498 bytes requires disabling RX Striding RQ

-

- Running an eXpress Data Path (XDP) script with multi buffer mode on a host that matches all of - the following conditions fails: -

-
-
-
    -
  • - The host uses the mlx5 driver. -
  • -
  • - The Maximum Transmission Unit (MTU) value is greater than 3498 bytes. -
  • -
  • - The receive striding receive queue (RX Striding RQ) feature is enabled on the Mellanox - interface. -
  • -
-
-

- If all conditions apply, the script fails with a link set xdp fd failed - error. To run the XDP script on a host with a higher MTU, disable RX Striding RQ on the Mellanox - interface: -

-
# ethtool --set-priv-flags <interface_name> rx_striding_rq off
-

- As a result, you can use the XDP multi buffer mode on interfaces that use the mlx5 driver and have an MTU value greater than 3498 bytes. -

-

- Jira:RHEL-6496[1] -

-
-

kTLS does not support offloading of TLS 1.3 to NICs

-

- Kernel Transport Layer Security (kTLS) does not support offloading of TLS 1.3 to NICs. - Consequently, software encryption is used with TLS 1.3 even when the NICs support TLS offload. - To work around this problem, disable TLS 1.3 if offload is required. As a result, you can - offload only TLS 1.2. When TLS 1.3 is in use, there is lower performance, since TLS 1.3 cannot - be offloaded. -

-
-

- Bugzilla:2000616[1] -

-
-

Failure to update the session key causes the connection to break -

-

- Kernel Transport Layer Security (kTLS) protocol does not support updating the session key, which - is used by the symmetric cipher. Consequently, the user cannot update the key, which causes a - connection break. To work around this problem, disable kTLS. As a result, with the workaround, - it is possible to successfully update the session key. -

-
-

- Bugzilla:2013650[1] -

-
-

The initscripts package is not installed by - default

-

- By default, the initscripts package is not installed. As a - consequence, the ifup and ifdown - utilities are not available. As an alternative, use the nmcli connection up and nmcli connection down commands to enable and disable connections. If - the suggested alternative does not work for you, report the problem and install the NetworkManager-initscripts-updown package, which provides a - NetworkManager solution for the ifup and ifdown utilities. -

-
-

- Bugzilla:2082303 -

-
-

The mlx5 driver fails while using the Mellanox - ConnectX-5 adapter

-

- In Ethernet switch device driver model (switchdev) mode, the mlx5 driver fails when configured with the device managed flow - steering (DMFS) parameter and ConnectX-5 adapter supported - hardware. As a consequence, you can see the following error message: -

-
-
BUG: Bad page cache in process umount pfn:142b4b
-

- To work around this problem, use the software managed flow steering (SMFS) parameter instead of - DMFS. -

-

- Jira:RHEL-9897[1] -

-
-

The Intel® i40e adapter permanently fails on - IBM Power10

-

- When the i40e adapter encounters an I/O error on IBM Power10 - systems, the Enhanced I/O Error Handling (EEH) kernel services trigger the network driver’s - reset and recovery. However, EEH repeatedly reports I/O errors until the i40e driver reaches the predefined maximum of EEH freezes. As a - consequence, EEH causes the device to fail permanently.   -

-
-

- Jira:RHEL-15404[1] -

-
-

The xdp-loader features command fails -

-

- The xdp-loader utility was compiled against a previous version of - libbpf. As a consequence, the xdp-loader features command fails with an error: -

-
-
Cannot display features, because xdp-loader was compiled against an old version of libbpf without support for querying features.
-

- No workaround is available. As a result, you cannot use the xdp-loader features command to display interface features. -

-

- Jira:RHEL-3382[1] -

-
-
-
-
-
-

11.8. Kernel

-
-
-
-
-

The kdump mechanism in kernel causes OOM errors on the 64K kernel

-

- The 64K kernel page size on the 64-bit ARM architecture uses more memory than the 4KB kernel. - Consequently, kdump causes a kernel panic and memory allocation - fails with out of memory (OOM) errors. As a work around, manually configure the crashkernel value to 640 MB. For example, set the crashkernel= parameter as crashkernel=2G- :640M. -

-
-

- As a result, the kdump mechanism does not fail on the 64K kernel in the - described scenario. -

-

- Bugzilla:2160676[1] -

-
-

Customer applications with dependencies on kernel page size might need - updating when moving from 4k to 64k page size kernel

-

- RHEL is compatible with both 4k and 64k page size kernels. Customer applications with - dependencies on a 4k kernel page size might require updating when moving from 4k to 64k page - size kernels. Known instances of this include jemalloc and - dependent applications. -

-
-

- The jemalloc memory allocator library is sensitive to the page size - used in the system’s runtime environment. The library can be built to be compatible with 4k and 64k - page size kernels, for example, when configured with --with-lg-page=16 - or env JEMALLOC_SYS_WITH_LG_PAGE=16 (for jemallocator Rust crate). Consequently, a mismatch can occur between the - page size of the runtime environment and the page size that was present when compiling binaries that - depend on jemalloc. As a result, using a jemalloc-based application triggers the following error: -

-
<jemalloc>: Unsupported system page size
-

- To avoid this problem, use one of the following approaches: -

-
-
    -
  • - Use the appropriate build configuration or environment options to create 4k and 64k page - size compatible binaries. -
  • -
  • - Build any user space packages that use jemalloc after booting - into the final 64k kernel and runtime environment. -
  • -
-
-

- For example, you can build the fd-find tool, which also uses jemalloc, with the cargo Rust package - manager. In the final 64k environment, trigger a new build of all dependencies to resolve the - mismatch in the page size by entering the cargo command: -

-
# cargo install fd-find --force
-

- Bugzilla:2167783[1] -

-
-

Upgrading to the latest real-time kernel with dnf does not install multiple kernel versions in - parallel

-

- Installing the latest real-time kernel with the dnf package manager - requires resolving package dependencies to retain the new and current kernel versions - simultaneously. By default, dnf removes the older kernel-rt package during the upgrade. -

-
-

- As a workaround, add the current kernel-rt package to the installonlypkgs option in the /etc/yum.conf - configuration file, for example, installonlypkgs=kernel-rt. -

-

- The installonlypkgs option appends kernel-rt to the default list used by dnf. - Packages listed in installonlypkgs directive are not removed - automatically and therefore support multiple kernel versions to install simultaneously. -

-

- Note that having multiple kernels installed is a way to have a fallback option when working with a - new kernel version. -

-

- Bugzilla:2181571[1] -

-
-

The Delay Accounting functionality does not - display the SWAPIN and IO% - statistics columns by default

-

- The Delayed Accounting functionality, unlike early versions, is - disabled by default. Consequently, the iotop application does not - show the SWAPIN and IO% statistics - columns and displays the following warning: -

-
-
CONFIG_TASK_DELAY_ACCT not enabled in kernel, cannot determine SWAPIN and IO%
-

- The Delay Accounting functionality, using the taskstats interface, provides the delay statistics for all tasks or - threads that belong to a thread group. Delays in task execution occur when they wait for a kernel - resource to become available, for example, a task waiting for a free CPU to run on. The statistics - help in setting a task’s CPU priority, I/O priority, and rss limit - values appropriately. -

-

- As a workaround, you can enable the delayacct boot option either at run - time or boot. -

-
-
    -
  • -

    - To enable delayacct at run time, enter: -

    -
    echo 1 > /proc/sys/kernel/task_delayacct
    -

    - Note that this command enables the feature system wide, but only for the tasks that you - start after running this command. -

    -
  • -
  • -

    - To enable delayacct permanently at boot, use one of the - following procedures: -

    -
    - -
    -
  • -
-
-

- As a result, the iotop application displays the SWAPIN and IO% statistics columns. -

-

- Bugzilla:2132480[1] -

-
-

Hardware certification of the real-time kernel on systems with large - core-counts might require passing the skew-tick=1 boot - parameter

-

- Large or moderate sized systems with numerous sockets and large core-counts can experience - latency spikes due to lock contentions on xtime_lock, which is used - in the timekeeping system. As a consequence, latency spikes and delays in hardware - certifications might occur on multiprocessing systems. As a workaround, you can offset the timer - tick per CPU to start at a different time by adding the skew_tick=1 - boot parameter. -

-
-

- To avoid lock conflicts, enable skew_tick=1: -

-
-
    -
  1. -

    - Enable the skew_tick=1 parameter with grubby. -

    -
    # grubby --update-kernel=ALL --args="skew_tick=1"
    -
  2. -
  3. - Reboot for changes to take effect. -
  4. -
  5. -

    - Verify the new settings by displaying the kernel parameters you pass during boot. -

    -
    cat /proc/cmdline
    -
  6. -
-
-

- Note that enabling skew_tick=1 causes a significant increase in power - consumption and, therefore, it must be enabled only if you are running latency sensitive real-time - workloads. -

-

- Jira:RHEL-9318[1] -

-
-

The kdump mechanism fails to capture the vmcore file on LUKS-encrypted targets

-

- When running kdump on systems with Linux Unified Key Setup (LUKS) - encrypted partitions, systems require a certain amount of available memory. When the available - memory is less than the required amount of memory, the systemd-cryptsetup service fails to mount the partition. - Consequently, the second kernel fails to capture the crash dump file on the LUKS-encrypted - targets. -

-
-

- As a workaround, query the Recommended crashkernel value and gradually - increase the memory size to an appropriate value. The Recommended crashkernel value can serve as reference to set the required - memory size. -

-
-
    -
  1. -

    - Print the estimate crash kernel value. -

    -
    # kdumpctl estimate
    -
  2. -
  3. -

    - Configure the amount of required memory by increasing the crashkernel value. -

    -
    # grubby --args=crashkernel=652M --update-kernel=ALL
    -
  4. -
  5. -

    - Reboot the system for changes to take effect. -

    -
    # reboot
    -
  6. -
-
-

- As a result, kdump works correctly on systems with LUKS-encrypted - partitions. -

-

- Jira:RHEL-11196[1] -

-
-

The kdump service fails to build the initrd file on IBM Z systems

-

- On the 64-bit IBM Z systems, the kdump service fails to load the - initial RAM disk (initrd) when znet - related configuration information such as s390-subchannels reside - in an inactive NetworkManager connection profile. Consequently, the - kdump mechanism fails with the following error: -

-
-
dracut: Failed to set up znet
-kdump: mkdumprd: failed to make kdump initrd
-

- As a workaround, use one of the following solutions: -

-
-
    -
  • -

    - Configure a network bond or bridge by re-using the connection profile that has the znet configuration information: -

    -
    $ nmcli connection modify enc600 master bond0 slave-type bond
    -
  • -
  • -

    - Copy the znet configuration information from the inactive - connection profile to the active connection profile: -

    -
    -
      -
    1. -

      - Run the nmcli command to query the NetworkManager connection profiles: -

      -
      # nmcli connection show
      -
      -NAME                       UUID               TYPE   Device
      -
      -bridge-br0           ed391a43-bdea-4170-b8a2 bridge   br0
      -bridge-slave-enc600  caf7f770-1e55-4126-a2f4 ethernet enc600
      -enc600               bc293b8d-ef1e-45f6-bad1 ethernet --
      -
    2. -
    3. -

      - Update the active profile with configuration information from the inactive - connection: -

      -
      #!/bin/bash
      - inactive_connection=enc600
      - active_connection=bridge-slave-enc600
      - for name in nettype subchannels options; do
      - field=802-3-ethernet.s390-$name
      - val=$(nmcli --get-values "$field"connection show "$inactive_connection")
      - nmcli connection modify "$active_connection" "$field" $val"
      - done
      -
    4. -
    5. -

      - Restart the kdump service for changes to take - effect: -

      -
      # kdumpctl restart
      -
    6. -
    -
    -
  • -
-
-

- Bugzilla:2064708 -

-
-

The iwl7260-firmware breaks Wi-Fi on Intel - Wi-Fi 6 AX200, AX210, and Lenovo ThinkPad P1 Gen 4

-

- After updating the iwl7260-firmware or iwl7260-wifi driver to the version provided by RHEL 9.1 and later, - the hardware gets into an incorrect internal state. reports its state incorrectly. Consequently, - Intel Wifi 6 cards may not work and display the error message: -

-
-
kernel: iwlwifi 0000:09:00.0: Failed to start RT ucode: -110
-kernel: iwlwifi 0000:09:00.0: WRT: Collecting data: ini trigger 13 fired (delay=0ms)
-kernel: iwlwifi 0000:09:00.0: Failed to run INIT ucode: -110
-

- An unconfirmed workaround is to power off the system and back on again. Do not reboot. -

-

- Bugzilla:2129288[1] -

-
-

weak-modules from kmod fails to work with module inter-dependencies

-

- The weak-modules script provided by the kmod package determines which modules are kABI-compatible with - installed kernels. However, while checking modules' kernel compatibility, weak-modules processes modules symbol dependencies from higher to - lower release of the kernel for which they were built. As a consequence, modules with - inter-dependencies built against different kernel releases might be interpreted as - non-compatible, and therefore the weak-modules script fails to work - in this scenario. -

-
-

- To work around the problem, build or put the extra modules against the latest stock kernel before - you install the new kernel. -

-

- Bugzilla:2103605[1] -

-
-

dkms provides an incorrect warning on program - failure with correctly compiled drivers on 64-bit ARM CPUs

-

- The Dynamic Kernel Module Support (dkms) utility does not recognize - that the kernel headers for 64-bit ARM CPUs work for both the kernels with 4 kilobytes and 64 - kilobytes page sizes. As a result, when the kernel update is performed and the kernel-64k-devel package is not installed, dkms provides an incorrect warning on why the program failed on - correctly compiled drivers. To work around this problem, install the kernel-headers package, which contains header files for both types of - ARM CPU architectures and is not specific to dkms and its - requirements. -

-
-

- JIRA:RHEL-25967[1] -

-
-
-
-
-
-

11.9. File systems and storage

-
-
-
-
-

Anaconda fails to login iSCSI server using the no authentication method after unsuccessful CHAP authentication - attempt

-

- When you add iSCSI discs using CHAP authentication and the login attempt fails due to incorrect - credentials, a relogin attempt to the discs with the no authentication method fails. To workaround this problem, close the - current session and login using the no authentication method. -

-
-

- Bugzilla:1983602[1] -

-
-

Device Mapper Multipath is not supported with NVMe/TCP

-

- Using Device Mapper Multipath with the nvme-tcp driver can result - in the Call Trace warnings and system instability. To work around this problem, NVMe/TCP users - must enable native NVMe multipathing and not use the device-mapper-multipath tools with NVMe. -

-
-

- By default, Native NVMe multipathing is enabled in RHEL 9. For more information, see Enabling - multipathing on NVMe devices. -

-

- Bugzilla:2033080[1] -

-
-

The blk-availability systemd service - deactivates complex device stacks

-

- In systemd, the default block deactivation code does not always - handle complex stacks of virtual block devices correctly. In some configurations, virtual - devices might not be removed during the shutdown, which causes error messages to be logged. To - work around this problem, deactivate complex block device stacks by executing the following - command: -

-
-
# systemctl enable --now blk-availability.service
-

- As a result, complex virtual device stacks are correctly deactivated during shutdown and do not - produce error messages. -

-

- Bugzilla:2011699[1] -

-
-

Disabling quota accounting is no longer possible for an XFS filesystem - mounted with quotas enabled

-

- Starting with RHEL 9.2, it is no longer possible to disable quota accounting on an XFS - filesystem which has been mounted with quotas enabled. -

-
-

- To work around this issue, disable quota accounting by remounting the filesystem, with the quota - option removed. -

-

- Bugzilla:2160619[1] -

-
-

udev rule change for NVMe devices

-

- There is a udev rule change for NVMe devices that adds OPTIONS="string_escape=replace" parameter. This leads to a disk by-id - naming change for some vendors, if the serial number of your device has leading whitespace. -

-
-

- Bugzilla:2185048 -

-
-

NVMe/FC devices cannot be reliably used in a Kickstart file

-

- NVMe/FC devices can be unavailable during parsing or execution of pre-scripts of the Kickstart - file, which can cause the Kickstart installation to fail. To work around this issue, update the - boot argument to inst.wait_for_disks=30. This option causes a delay - of 30 seconds, and should provide enough time for the NVMe/FC device to connect. With this - workaround along with the NVMe/FC devices connecting in time, the Kickstart installation - proceeds without issues. -

-
-

- Jira:RHEL-8164[1] -

-
-

Kernel panic while using the qedi - driver

-

- While using the qedi iSCSI driver, the kernel panics after OS - boots. To work around this issue, disable the kfence runtime memory - error detector feature by adding kfence.sample_interval=0 to the - kernel boot command line. -

-
-

- Jira:RHEL-8466[1] -

-
-

Unable to boot ARM based system with kernel-64k page size

-

- While installing the vdo package, a kernel with 4k page size is - installed as a dependency. As a consequence, the system boots with the 4k page size kernel even - if you select 64k page size on the Software - Selection screen. To work around this issue, select Minimal Install under Base Environment and 64k as page size under - Kernel options. When the system boots for - the first time, install additional softwares using the DNF package manager. -

-
-

- Jira:RHEL-8354 -

-
-
-
-
-
-

11.10. Dynamic programming languages, web and database servers

-
-
-
-
-

python3.11-lxml does not provide the lxml.isoschematron submodule

-

- The python3.11-lxml package is distributed without the lxml.isoschematron submodule because it is not under an open source - license. The submodule implements ISO Schematron support. As an alternative, pre-ISO-Schematron - validation is available in the lxml.etree.Schematron class. The - remaining content of the python3.11-lxml package is unaffected. -

-
-

- Bugzilla:2157708 -

-
-

The --ssl-fips-mode option in MySQL and MariaDB does not change - FIPS mode

-

- The --ssl-fips-mode option in MySQL - and MariaDB in RHEL works differently than in upstream. -

-
-

- In RHEL 9, if you use --ssl-fips-mode as an argument for the mysqld or mariadbd daemon, or if you use - ssl-fips-mode in the MySQL or MariaDB server configuration files, --ssl-fips-mode does not change FIPS mode for these database servers. -

-

- Instead: -

-
-
    -
  • - If you set --ssl-fips-mode to ON, - the mysqld or mariadbd server - daemon does not start. -
  • -
  • - If you set --ssl-fips-mode to OFF - on a FIPS-enabled system, the mysqld or mariadbd server daemons still run in FIPS mode. -
  • -
-
-

- This is expected because FIPS mode should be enabled or disabled for the whole RHEL system, not for - specific components. -

-

- Therefore, do not use the --ssl-fips-mode option in MySQL or MariaDB in RHEL. Instead, ensure - FIPS mode is enabled on the whole RHEL system: -

-
-
    -
  • - Preferably, install RHEL with FIPS mode enabled. Enabling FIPS mode during the installation - ensures that the system generates all keys with FIPS-approved algorithms and continuous - monitoring tests in place. For information about installing RHEL in FIPS mode, see Installing - the system in FIPS mode. -
  • -
  • - Alternatively, you can switch FIPS mode for the entire RHEL system by following the - procedure in Switching - the system to FIPS mode. -
  • -
-
-

- Bugzilla:1991500 -

-
-
-
-
-
-

11.11. Identity Management

-
-
-
-
-

MIT Kerberos does not support ECC certificates for PKINIT

-

- MIT Kerberos does not implement the RFC5349 request for comments document, which describes the - design of elliptic-curve cryptography (ECC) support in Public Key Cryptography for initial - authentication (PKINIT). Consequently, the MIT krb5-pkinit package, - used by RHEL, does not support ECC certificates. For more information, see Elliptic Curve Cryptography (ECC) Support - for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT). -

-
-

- Jira:RHEL-4902 -

-
-

The DEFAULT:SHA1 subpolicy has to be set on RHEL 9 clients for PKINIT to - work against AD KDCs

-

- The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key - Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 - algorithm. -

-
-

- However, the Active Directory (AD) Kerberos Distribution Center (KDC) still uses the SHA-1 digest - algorithm to sign CMS messages. As a result, RHEL 9 Kerberos clients fail to authenticate users by - using PKINIT against an AD KDC. -

-

- To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the - following command: -

-
 # update-crypto-policies --set DEFAULT:SHA1
-

- Bugzilla:2060798 -

-
-

The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent - communicates with a non-RHEL-9 and non-AD Kerberos agent

-

- If a RHEL 9 Kerberos agent, either a client or Kerberos Distribution Center (KDC), interacts - with a non-RHEL-9 Kerberos agent that is not an Active Directory (AD) agent, the PKINIT - authentication of the user fails. To work around the problem, perform one of the following - actions: -

-
-
-
    -
  • -

    - Set the RHEL 9 agent’s crypto-policy to DEFAULT:SHA1 to - allow the verification of SHA-1 signatures: -

    -
    # update-crypto-policies --set DEFAULT:SHA1
    -
  • -
  • -

    - Update the non-RHEL-9 and non-AD agent to ensure it does not sign CMS data using the - SHA-1 algorithm. For this, update your Kerberos client or KDC packages to the versions - that use SHA-256 instead of SHA-1: -

    -
    -
      -
    • - CentOS 9 Stream: krb5-1.19.1-15 -
    • -
    • - RHEL 8.7: krb5-1.18.2-17 -
    • -
    • - RHEL 7.9: krb5-1.15.1-53 -
    • -
    • - Fedora Rawhide/36: krb5-1.19.2-7 -
    • -
    • - Fedora 35/34: krb5-1.19.2-3 -
    • -
    -
    -
  • -
-
-

- As a result, the PKINIT authentication of the user works correctly. -

-

- Note that for other operating systems, it is the krb5-1.20 release that ensures that the agent signs - CMS data with SHA-256 instead of SHA-1. -

-

- See also The - DEFAULT:SHA1 subpolicy has to be set on RHEL 9 clients for PKINIT to work against AD KDCs. -

-

- Jira:RHEL-4875 -

-
-

FIPS support for AD trust requires the AD-SUPPORT crypto subpolicy -

-

- Active Directory (AD) uses AES SHA-1 HMAC encryption types, which are not allowed in FIPS mode - on RHEL 9 by default. If you want to use RHEL 9 IdM hosts with an AD trust, enable support for - AES SHA-1 HMAC encryption types before installing IdM software. -

-
-

- Since FIPS compliance is a process that involves both technical and organizational agreements, - consult your FIPS auditor before enabling the AD-SUPPORT subpolicy to - allow technical measures to support AES SHA-1 HMAC encryption types, and then install RHEL IdM: -

-
 # update-crypto-policies --set FIPS:AD-SUPPORT
-

- Bugzilla:2057471 -

-
-

Heimdal client fails to authenticate a user using PKINIT against RHEL 9 - KDC

-

- By default, a Heimdal Kerberos client initiates the PKINIT authentication of an IdM user by - using Modular Exponential (MODP) Diffie-Hellman Group 2 for Internet Key Exchange (IKE). - However, the MIT Kerberos Distribution Center (KDC) on RHEL 9 only supports MODP Group 14 and - 16. -

-
-

- Consequently, the pre-autentication request fails with the krb5_get_init_creds: PREAUTH_FAILED error on the Heimdal client and Key parameters not accepted on the RHEL MIT KDC. -

-

- To work around this problem, ensure that the Heimdal client uses MODP Group 14. Set the pkinit_dh_min_bits parameter in the libdefaults section of the client configuration file to 1759: -

-
[libdefaults]
-pkinit_dh_min_bits = 1759
-

- As a result, the Heimdal client completes the PKINIT pre-authentication against the RHEL MIT KDC. -

-

- Jira:RHEL-4889 -

-
-

IdM in FIPS mode does not support using the NTLMSSP protocol to establish a - two-way cross-forest trust

-

- Establishing a two-way cross-forest trust between Active Directory (AD) and Identity Management - (IdM) with FIPS mode enabled fails because the New Technology LAN Manager Security Support - Provider (NTLMSSP) authentication is not FIPS-compliant. IdM in FIPS mode does not accept the - RC4 NTLM hash that the AD domain controller uses when attempting to authenticate. -

-
-

- Jira:RHEL-12154[1] -

-
-

IdM Vault encryption and decryption fails in FIPS mode

-

- The OpenSSL RSA-PKCS1v15 padding encryption is blocked if FIPS mode is enabled. Consequently, - Identity Management (IdM) Vaults fail to work correctly as IdM is currently using the PKCS1v15 - padding for wrapping the session key with the transport certificate. -

-
-

- Jira:RHEL-12143[1] -

-
-

Users without SIDs cannot log in to IdM after an upgrade

-

- After upgrading your IdM replica to RHEL 9.2, the IdM Kerberos Distribution Center (KDC) might - fail to issue ticket-granting tickets (TGTs) to users who do not have Security Identifiers - (SIDs) assigned to their accounts. Consequently, the users cannot log in to their accounts. -

-
-

- To work around the problem, generate SIDs by running the following command as an IdM administrator - on another IdM replica in the topology: -

-
# ipa config-mod --enable-sid --add-sids
-

- Afterward, if users still cannot log in, examine the Directory Server error log. You might have to - adjust ID ranges to include user POSIX identities. -

-

- See the When upgrading to RHEL9, - IDM users are not able to login anymore Knowledgebase solution for more information. -

-

- Jira:RHELPLAN-157939[1] -

-
-

Migrated IdM users might be unable to log in due to mismatching domain - SIDs

-

- If you have used the ipa migrate-ds script to migrate users from - one IdM deployment to another, those users might have problems using IdM services because their - previously existing Security Identifiers (SIDs) do not have the domain SID of the current IdM - environment. For example, those users can retrieve a Kerberos ticket with the kinit utility, but they cannot log in. To work around this problem, - see the following Knowledgebase article: Migrated IdM users unable to log in due - to mismatching domain SIDs. -

-
-

- Jira:RHELPLAN-109613[1] -

-
-

MIT krb5 user fails to obtain an AD TGT - because of incompatible encryption types generating the user PAC

-

- In MIT krb5 1.20 and later packages, a Privilege Attribute - Certificate (PAC) is included in all Kerberos tickets by default. The MIT Kerberos Distribution - Center (KDC) selects the strongest encryption type available to generate the KDC checksum in the - PAC, which currently is the AES HMAC-SHA2 encryption types defined - in RFC8009. However, Active Directory (AD) does not support this RFC. Consequently, in an AD-MIT - cross-realm setup, an MIT krb5 user fails to obtain an AD - ticket-granting ticket (TGT) because the cross-realm TGT generated by MIT KDC contains an - incompatible KDC checksum type in the PAC. -

-
-

- To work around the problem, set the disable_pac parameter to true for the MIT realm in the [realms] - section of the /var/kerberos/krb5kdc/kdc.conf configuration file. As a - result, the MIT KDC generates tickets without PAC, which means that AD skips the failing checksum - verification and an MIT krb5 user can obtain an AD TGT. -

-

- Bugzilla:2016312 -

-
-

Potential risk when using the default value for ldap_id_use_start_tls option

-

- When using ldap:// without TLS for identity lookups, it can pose a - risk for an attack vector. Particularly a man-in-the-middle (MITM) attack which could allow an - attacker to impersonate a user by altering, for example, the UID or GID of an object returned in - an LDAP search. -

-
-

- Currently, the SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. - Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted - communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are - not affected as they use encrypted connections protected by SASL and GSSAPI. -

-

- If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the - /etc/sssd/sssd.conf file. The default behavior is planned to be changed - in a future release of RHEL. -

-

- Jira:RHELPLAN-155168[1] -

-
-

Adding a RHEL 9 replica in FIPS mode to an IdM deployment in FIPS mode that - was initialized with RHEL 8.6 or earlier fails

-

- The default RHEL 9 FIPS cryptographic policy aiming to comply with FIPS 140-3 does not allow the - use of the AES HMAC-SHA1 encryption types' key derivation function as defined by RFC3961, - section 5.1. -

-
-

- This constraint is a blocker when adding a RHEL 9 Identity Management (IdM) replica in FIPS mode to - a RHEL 8 IdM environment in FIPS mode in which the first server was installed on a RHEL 8.6 system - or earlier. This is because there are no common encryption types between RHEL 9 and the previous - RHEL versions, which commonly use the AES HMAC-SHA1 encryption types but do not use the AES - HMAC-SHA2 encryption types. -

-

- You can view the encryption type of your IdM master key by entering the following command on the - server: -

-
# kadmin.local getprinc K/M | grep -E '^Key:'
-

- To work around the problem, enable the use of AES HMAC-SHA1 on the RHEL 9 replica: -

-
update-crypto-policies --set FIPS:AD-SUPPORT
-
-
-
WARNING
-
- This workaround might violate FIPS compliance. -
-
-
-

- As a result, adding the RHEL 9 replica to the IdM deployment proceeds correctly. -

-

- Note that there is ongoing work to provide a procedure to generate missing AES HMAC-SHA2-encrypted - Kerberos keys on RHEL 7 and RHEL 8 servers. This will achieve FIPS 140-3 compliance on the RHEL 9 - replica. However, this process will not be fully automated, because the design of Kerberos key - cryptography makes it impossible to convert existing keys to different encryption types. The only - way is to ask users to renew their passwords. -

-

- Jira:RHEL-4888 -

-
-

SSSD registers the DNS names properly

-

- Previously, if the DNS was set up incorrectly, SSSD always failed the first attempt to register - the DNS name. To work around the problem, this update provides a new parameter dns_resolver_use_search_list. Set dns_resolver_use_search_list = false to avoid using the DNS search - list. -

-
-

- Bugzilla:1608496[1] -

-
-

Installing a RHEL 7 IdM client with a RHEL 9.2+ IdM server in FIPS mode - fails due to EMS enforcement

-

- The TLS Extended Master Secret (EMS) extension (RFC 7627) is now - mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9.2 and later systems. This is in - accordance with FIPS-140-3 requirements. However, the openssl - version available in RHEL 7.9 and lower does not support EMS. In consequence, installing a RHEL - 7 Identity Management (IdM) client with a FIPS-enabled IdM server running on RHEL 9.2 and later - fails. -

-
-

- If upgrading the host to RHEL 8 before installing an IdM client on it is not an option, work around - the problem by removing the requirement for EMS usage on the RHEL 9 server by applying a - NO-ENFORCE-EMS subpolicy on top of the FIPS crypto policy: -

-
# update-crypto-policies --set FIPS:NO-ENFORCE-EMS
-

- Note that this removal goes against the FIPS 140-3 requirements. As a result, you can establish and - accept TLS 1.2 connections that do not use EMS, and the installation of a RHEL 7 IdM client - succeeds. -

-

- Jira:RHEL-4955 -

-
-

When the nsslapd-numlisteners attribute value - is more than 2, Directory Server fails

-

- If the nsslapd-numlisteners attribute value is higher than 2, Directory Server might close the listening file descriptor instead - of the accepted file descriptor. As a result, after some time, Directory Server stops listening - on some ports and fails. -

-
-

- To work around the problem, set the nsslapd-numlisteners attribute - value to 1. -

-

- Jira:RHEL-17178[1] -

-
-
-
-
-
-

11.12. Desktop

-
-
-
-
-

VNC is not running after upgrading to RHEL 9

-

- After upgrading from RHEL 8 to RHEL 9, the VNC server fails to start, even if it was previously - enabled. -

-
-

- To work around the problem, manually enable the vncserver service after - the system upgrade: -

-
# systemctl enable --now vncserver@:port-number
-

- As a result, VNC is now enabled and starts after every system boot as expected. -

-

- Bugzilla:2060308 -

-
-

User Creation screen is unresponsive

-

- When installing RHEL using a graphical user interface, the User Creation screen is unresponsive. - As a consequence, creating users during installation is more difficult. -

-
-

- To work around this problem, use one of the following solutions to create users: -

-
-
    -
  • - Run the installation in VNC mode and resize the VNC window. -
  • -
  • - Create users after completing the installation process. -
  • -
-
-

- Jira:RHEL-11924[1] -

-
-

WebKitGTK fails to display web pages on IBM Z

-

- The WebKitGTK web browser engine fails when trying to display web pages on the IBM Z - architecture. The web page remains blank and the WebKitGTK process ends unexpectedly. -

-
-

- As a consequence, you cannot use certain features of applications that use WebKitGTK to display web - pages, such as the following: -

-
-
    -
  • - The Evolution mail client -
  • -
  • - The GNOME Online Accounts settings -
  • -
  • - The GNOME Help application -
  • -
-
-

- Jira:RHEL-4157 -

-
-
-
-
-
-

11.13. Graphics infrastructures

-
-
-
-
-

NVIDIA drivers might revert to X.org

-

- Under certain conditions, the proprietary NVIDIA drivers disable the Wayland display protocol - and revert to the X.org display server: -

-
-
-
    -
  • - If the version of the NVIDIA driver is lower than 470. -
  • -
  • - If the system is a laptop that uses hybrid graphics. -
  • -
  • - If you have not enabled the required NVIDIA driver options. -
  • -
-
-

- Additionally, Wayland is enabled but the desktop session uses X.org by default if the version of the - NVIDIA driver is lower than 510. -

-

- Jira:RHELPLAN-119001[1] -

-
-

Night Light is not available on Wayland with NVIDIA

-

- When the proprietary NVIDIA drivers are enabled on your system, the Night Light feature of GNOME is not available - in Wayland sessions. The NVIDIA drivers do not currently support Night Light. -

-
-

- Jira:RHELPLAN-119852[1] -

-
-

X.org configuration utilities do not work under Wayland

-

- X.org utilities for manipulating the screen do not work in the Wayland session. Notably, the - xrandr utility does not work under Wayland due to its different - approach to handling, resolutions, rotations, and layout. -

-
-

- Jira:RHELPLAN-121049[1] -

-
-
-
-
-
-

11.14. Red Hat Enterprise Linux system roles

-
-
-
-
-

If firewalld.service is masked, using the - firewall RHEL system role fails

-

- If firewalld.service is masked on a RHEL system, the firewall RHEL system role fails. To work around this problem, unmask - the firewalld.service: -

-
-
systemctl unmask firewalld.service
-

- Bugzilla:2123859 -

-
-

Unable to register systems with environment names

-

- The rhc system role fails to register the system when specifying - environment names in rhc_environment. As a workaround, use - environment IDs instead of environment names while registering. -

-
-

- Jira:RHEL-1172 -

-
-
-
-
-
-

11.15. Virtualization

-
-
-
-
-

Installing a virtual machine over https or ssh in some cases fails -

-

- Currently, the virt-install utility fails when attempting to - install a guest operating system (OS) from an ISO source over a https or ssh connection - for - example using virt-install --cdrom https://example/path/to/image.iso. Instead of - creating a virtual machine (VM), the described operation ends unexpectedly with an internal error: process exited while connecting to monitor message. -

-
-

- Similarly, using the RHEL 9 web console to install a guest operating system fails and displays an - Unknown driver 'https' error if you use an https or ssh URL, or the - Download OS function. -

-

- To work around this problem, install qemu-kvm-block-curl and qemu-kvm-block-ssh on the host to enable https and ssh protocol support. - Alternatively, use a different connection protocol or a different installation source. -

-

- Bugzilla:2014229 -

-
-

Using NVIDIA drivers in virtual machines disables Wayland

-

- Currently, NVIDIA drivers are not compatible with the Wayland graphical session. As a - consequence, RHEL guest operating systems that use NVIDIA drivers automatically disable Wayland - and load an Xorg session instead. This primarily occurs in the following scenarios: -

-
-
-
    -
  • - When you pass through an NVIDIA GPU device to a RHEL virtual machine (VM) -
  • -
  • - When you assign an NVIDIA vGPU mediated device to a RHEL VM -
  • -
-
-

- Jira:RHELPLAN-117234[1] -

-
-

The Milan VM CPU type is sometimes not - available on AMD Milan systems

-

- On certain AMD Milan systems, the Enhanced REP MOVSB (erms) and - Fast Short REP MOVSB (fsrm) feature flags are disabled in the BIOS - by default. Consequently, the Milan CPU type might not be available - on these systems. In addition, VM live migration between Milan hosts with different feature flag - settings might fail. To work around these problems, manually turn on erms and fsrm in the BIOS of your host. -

-
-

- Bugzilla:2077767[1] -

-
-

A hostdev interface with failover settings - cannot be hot-plugged after being hot-unplugged

-

- After removing a hostdev network interface with failover - configuration from a running virtual machine (VM), the interface currently cannot be re-attached - to the same running VM. -

-
-

- Jira:RHEL-7337 -

-
-

Live post-copy migration of VMs with failover VFs fails

-

- Currently, attempting to post-copy migrate a running virtual machine (VM) fails if the VM uses a - device with the virtual function (VF) failover capability enabled. To work around the problem, - use the standard migration type, rather than post-copy migration. -

-
-

- Jira:RHEL-7335 -

-
-

Host network cannot ping VMs with VFs during live migration

-

- When live migrating a virtual machine (VM) with a configured virtual function (VF), such as a - VMs that uses virtual SR-IOV software, the network of the VM is not visible to other devices and - the VM cannot be reached by commands such as ping. After the - migration is finished, however, the problem no longer occurs. -

-
-

- Jira:RHEL-7336 -

-
-

Disabling AVX causes VMs to become unbootable

-

- On a host machine that uses a CPU with Advanced Vector Extensions (AVX) support, attempting to - boot a VM with AVX explicitly disabled currently fails, and instead triggers a kernel panic in - the VM. -

-
-

- Bugzilla:2005173[1] -

-
-

Windows VM fails to get IP address after network interface reset -

-

- Sometimes, Windows virtual machines fail to get an IP address after an automatic network - interface reset. As a consequence, the VM fails to connect to the network. To work around this - problem, disable and re-enable the network adapter driver in the Windows Device Manager. -

-
-

- Jira:RHEL-11366 -

-
-

Windows Server 2016 VMs sometimes stops working after hot-plugging a - vCPU

-

- Currently, assigning a vCPU to a running virtual machine (VM) with a Windows Server 2016 guest - operating system might cause a variety of problems, such as the VM terminating unexpectedly, - becoming unresponsive, or rebooting. -

-
-

- Bugzilla:1915715 -

-
-

Using a large number of queues might cause VMs to fail

-

- Virtual machines (VMs) might fail when the virtual Trusted Platform Module (vTPM) device is - enabled and the multi-queue virtio-net feature is - configured to use more than 250 queues. -

-
-

- This problem is caused by a limitation in the vTPM device. The vTPM device has a hard-coded limit on - the maximum number of opened file descriptors. Since multiple file descriptors are opened for every - new queue, the internal vTPM limit can be exceeded, causing the VM to fail. -

-

- To work around this problem, choose one of the following two options: -

-
-
    -
  • - Keep the vTPM device enabled, but use less than 250 queues. -
  • -
  • - Disable the vTPM device to use more than 250 queues. -
  • -
-
-

- Jira:RHEL-13335[1] -

-
-

Redundant error messages on VMs with NVIDIA passthrough devices -

-

- When using an Intel host machine with a RHEL 9.2 and later operating system, virtual machines - (VMs) with a passed through NVDIA GPU device frequently log the following error message: -

-
-
Spurious APIC interrupt (vector 0xFF) on CPU#2, should never happen.
-

- However, this error message does not impact the functionality of the VM and can be ignored. For - details, see the Red Hat - KnoweldgeBase. -

-

- Bugzilla:2149989[1] -

-
-

Some Windows guests fail to boot after a v2v conversion on hosts with AMD - EPYC CPUs

-

- After using the virt-v2v utility to convert a virtual machine (VM) - that uses Windows 11 or a Windows Server 2022 as the guest OS, the VM currently fails to boot. - This occurs on hosts that use AMD EPYC series CPUs. -

-
-

- Bugzilla:2168082[1] -

-
-

Restarting the OVS service on a host might block network connectivity on - its running VMs

-

- When the Open vSwitch (OVS) service restarts or crashes on a host, virtual machines (VMs) that - are running on this host cannot recover the state of the networking device. As a consequence, - VMs might be completely unable to receive packets. -

-
-

- This problem only affects systems that use the packed virtqueue format in their virtio networking stack. -

-

- To work around this problem, use the packed=off parameter in the virtio networking device definition to disable packed virtqueue. With - packed virtqueue disabled, the state of the networking device can, in some situations, be recovered - from RAM. -

-

- Jira:RHEL-333 -

-
-

Recovering an interrupted post-copy VM migration might fail

-

- If a post-copy migration of a virtual machine (VM) is interrupted and then immediately resumed - on the same incoming port, the migration might fail with the following error: Address already in use -

-
-

- To work around this problem, wait at least 10 seconds before resuming the post-copy migration or - switch to another port for migration recovery. -

-

- Jira:RHEL-7096 -

-
-

NUMA node mapping not working correctly on AMD EPYC CPUs

-

- QEMU does not handle NUMA node mapping on AMD EPYC CPUs correctly. As a result, the performance - of virtual machines (VMs) with these CPUs might be negatively impacted if using a NUMA node - configuration. In addition, the VMs display a warning similar to the following during boot. -

-
-
sched: CPU #4's llc-sibling CPU #3 is not on the same node! [node: 1 != 0]. Ignoring dependency.
-WARNING: CPU: 4 PID: 0 at arch/x86/kernel/smpboot.c:415 topology_sane.isra.0+0x6b/0x80
-

- To work around this issue, do not use AMD EPYC CPUs for NUMA node configurations. -

-

- Bugzilla:2176010 -

-
-

NFS failure during VM migration causes migration failure and source VM - coredump

-

- Currently, if the NFS service or server is shut down during virtual machine (VM) migration, the - source VM’s QEMU is unable to reconnect to the NFS server when it starts running again. As a - result, the migration fails and a coredump is initiated on the source VM. Currently, there is no - workaround available. -

-
-

- Bugzilla:2058982 -

-
-

PCIe ATS devices do not work on Windows VMs

-

- When you configure a PCIe Address Translation Services (ATS) device in the XML configuration of - virtual machine (VM) with a Windows guest operating system, the guest does not enable the ATS - device after booting the VM. This is because Windows currently does not support ATS on virtio devices. -

-
-

- For more information, see the Red - Hat KnowledgeBase. -

-

- Bugzilla:2073872 -

-
-

virsh blkiotune --weight command fails to set - the correct cgroup I/O controller value

-

- Currently, using the virsh blkiotune --weight command to set the VM - weight does not work as expected. The command fails to set the correct io.bfq.weight value in the cgroup I/O controller interface file. - There is no workaround at this time. -

-
-

- Bugzilla:1970830 -

-
-

Starting a VM with an NVIDIA A16 GPU sometimes causes the host GPU to stop - working

-

- Currently, if you start a VM that uses an NVIDIA A16 GPU passthrough device, the NVIDIA A16 GPU - physical device on the host system in some cases stops working. -

-
-

- To work around the problem, reboot the hypervisor and set the reset_method for the GPU device to bus: -

-
# echo bus > /sys/bus/pci/devices/<DEVICE-PCI-ADDRESS>/reset_method
-# cat /sys/bus/pci/devices/<DEVICE-PCI-ADDRESS>/reset_method
-bus
-

- For details, see the Red Hat - Knowledgebase. -

-

- Jira:RHEL-7212[1] -

-
-

RT VMs with a FIFO scheduler cannot boot

-

- Currently, after setting a real-time (RT) virtual machine (VM) to use the fifo setting for the vCPU scheduler, the VM becomes unresponsive when - you attempt to boot it. Instead, the VM displays the Guest has not initialized the display (yet) error. -

-
-

- Jira:RHEL-2815[1] -

-
-

Windows VMs might become unresponsive due to storage errors

-

- On virtual machines (VMs) that use Windows guest operating systems, the system in some cases - becomes unresponsive when under high I/O load. When this happens, the system logs a viostor Reset to device, \Device\RaidPort3, was issued error. -

-
-

- Jira:RHEL-1609[1] -

-
-

Windows 10 VMs with certain PCI devices might become unresponsive on - boot

-

- Currently, a virtual machine (VM) that uses a Windows 10 guest operating system might become - unresponsive during boot if a virtio-win-scsi PCI device with a - local disk back end is attached to the VM. To work around the problem, boot the VM with the - multi_queue option enabled. -

-
-

- Jira:RHEL-1084[1] -

-
-

The repair function of virtio-win-guest-tool for the virtio-win drivers - does not work

-

- Currently, when using the Repair button of virtio-win-guest-tool for a virtio-win - driver, such as the Virtio Balloon Driver, the button has no effect. As a consequence, the - driver cannot be reinstalled after being removed on the guest. -

-
-

- Jira:RHEL-1517[1] -

-
-

Windows 11 VMs with a memory balloon device set might close unexpectedly - during reboot

-

- Currently, rebooting virtual machines (VMs) that use a Windows 11 guest operating system and a - memory balloon device in some cases fails with a DRIVER POWER STAT FAILURE blue-screen error. -

-
-

- Jira:RHEL-935[1] -

-
-

Migrating a Windows 11 or Windows Server 2022 VM under high network load - sometimes fails

-

- When live-migrating a virtual machine (VM) that uses Windows Server 2022 or Windows 11 as the - guest operating system, the migration might become unresponsive or terminate unexpectedly if the - network is impacted by high packed loss. -

-
-

- Jira:RHEL-2316[1] -

-
-

Resuming a postcopy VM migration fails in some cases

-

- Currently, when performing a postcopy migration of a virtual machine (VM), if a proxy network - failure occurs during the RECOVER phase of the migration, the VM becomes unresponsive and the - migration cannot be resumed. Instead, the recovery command displays the following error: -

-
-
error: Requested operation is not valid: QEMU reports migration is still running
-

- Jira:RHEL-7115 -

-
-

The virtio balloon driver sometimes does not work on Windows 10 - VMs

-

- Under certain circumstances, the virtio-balloon driver does not work correctly on virtual - machines (VMs) that use a Windows 10 guest operating system. As a consequence, such VMs might - not use their assigned memory efficiently. -

-
-

- Jira:RHEL-12118 -

-
-

The virtio file system has suboptimal performance in Windows VMs -

-

- Currently, when a virtio file system (virtiofs) is configured on a virtual machine (VM) that - uses a Windows guest operating system, the performance of virtiofs in the VM is significantly - worse than in VMs that use Linux guests. -

-
-

- Jira:RHEL-1212[1] -

-
-

Hot-unplugging a storage device on Windows VMs might fail

-

- On virtual machines (VMs) that use a Windows guest operating system, removing a storage device - when the VM is running (also known as a device hot-unplug) in some cases fails. As a - consequence, the storage device remains attached to the VM and the disk manager service might - become unresponsive. -

-
-

- Jira:RHEL-869 -

-
-

Hot plugging CPUs to a Windows VM might cause a system failure

-

- When hot plugging the maximum number of CPUs to a Windows virtual machine (VM) with huge pages - enabled, the guest operating system might crash with the following Stop error: -

-
-
PROCESSOR_START_TIMEOUT
-

- Jira:RHEL-1220 -

-
-

Updating virtio drivers on Windows VMs might - fail

-

- When updating the KVM paravirtualized (virtio) drivers on a Windows - virtual machine (VM), the update might cause the mouse to stop working and the newly installed - drivers might not be signed. This problem occurs when updating the virtio drivers by installing from the virtio-win-guest-tools package, which is a part of the virtio-win.iso file. -

-
-

- To work around this problem, update the virtio drivers by using Windows - Device Manager. -

-

- Jira:RHEL-574[1] -

-
-

Kdump fails on virtual machines with AMD SEV-SNP

-

- Currently, kdump fails on RHEL 9 virtual machines (VMs) that use the AMD Secure Encrypted - Virtualization (SEV) with the Secure Nested Paging (SNP) feature. -

-
-

- Jira:RHEL-10019[1] -

-
-
-
-
-
-

11.16. RHEL in cloud environments

-
-
-
-
-

Cloning or restoring RHEL 9 virtual machines that use LVM on Nutanix AHV - causes non-root partitions to disappear

-

- When running a RHEL 9 guest operating system on a virtual machine (VM) hosted on the Nutanix AHV - hypervisor, restoring the VM from a snapshot or cloning the VM currently causes non-root - partitions in the VM to disappear if the guest is using Logical Volume Management (LVM). As a - consequence, the following problems occur: -

-
-
-
    -
  • - After restoring the VM from a snapshot, the VM cannot boot, and instead enters emergency - mode. -
  • -
  • - A VM created by cloning cannot boot, and instead enters emergency mode. -
  • -
-
-

- To work around these problems, do the following in emergency mode of the VM: -

-
-
    -
  1. - Remove the LVM system devices file: rm /etc/lvm/devices/system.devices -
  2. -
  3. - Re-create LVM device settings: vgimportdevices -a -
  4. -
  5. - Reboot the VM -
  6. -
-
-

- This makes it possible for the cloned or restored VM to boot up correctly. -

-

- Alternatively, to prevent the issue from occurring, do the following before cloning a VM or creating - a VM snapshot: -

-
-
    -
  1. - Uncomment the use_devicesfile = 0 line in the /etc/lvm/lvm.conf file -
  2. -
  3. - Reboot the VM -
  4. -
-
-

- Bugzilla:2059545[1] -

-
-

Customizing RHEL 9 guests on ESXi sometimes causes networking - problems

-

- Currently, customizing a RHEL 9 guest operating system in the VMware ESXi hypervisor does not - work correctly with NetworkManager key files. As a consequence, if the guest is using such a key - file, it will have incorrect network settings, such as the IP address or the gateway. -

-
-

- For details and workaround instructions, see the VMware Knowledge Base. -

-

- Bugzilla:2037657[1] -

-
-

RHEL instances on Azure fail to boot if provisioned by cloud-init and configured with an NFSv3 mount entry

-

- Currently, booting a RHEL virtual machine (VM) on the Microsoft Azure cloud platform fails if - the VM was provisioned by the cloud-init tool and the guest - operating system of the VM has an NFSv3 mount entry in the /etc/fstab file. -

-
-

- Bugzilla:2081114[1] -

-
-

Setting static IP in a RHEL virtual machine on a VMware host does not - work

-

- Currently, when using RHEL as a guest operating system of a virtual machine (VM) on a VMware - host, the DatasourceOVF function does not work correctly. As a consequence, if you use the cloud-init utility to set the VM’s network to static IP and then - reboot the VM, the VM’s network will be changed to DHCP. -

-
-

- To work around this issue, see the VMware Knowledge Base. -

-

- Jira:RHEL-12122 -

-
-

Large VMs might fail to boot into the debug kernel when the kmemleak option is enabled

-

- When attempting to boot a RHEL 9 virtual machine (VM) into the debug kernel, the booting might - fail with the following error if the machine kernel is using the kmemleak=on argument. -

-
-
Cannot open access to console, the root account is locked.
-See sulogin(8) man page for more details.
-
-Press Enter to continue.
-

- This problem affects mainly large VMs because they spend more time in the boot sequence. -

-

- To work around the problem, edit the /etc/fstab file on the machine and - add extra timeout options to the /boot and /boot/efi mount points. For example: -

-
UUID=e43ead51-b364-419e-92fc-b1f363f19e49 /boot xfs defaults,x-systemd.device-timeout=600,x-systemd.mount-timeout=600 0 0
-
-UUID=7B77-95E7 /boot/efi vfat defaults,uid=0,gid=0,umask=077,shortname=winnt,x-systemd.device-timeout=600,x-systemd.mount-timeout=600 0 2
-

- Jira:RHELDOCS-16979[1] -

-
-
-
-
-
-

11.17. Supportability

-
-
-
-
-

Timeout when running sos report on IBM Power - Systems, Little Endian

-

- When running the sos report command on IBM Power Systems, Little - Endian with hundreds or thousands of CPUs, the processor plugin reaches its default timeout of - 300 seconds when collecting huge content of the /sys/devices/system/cpu directory. As a workaround, increase the - plugin’s timeout accordingly: -

-
-
-
    -
  • - For one-time setting, run: -
  • -
-
-
# sos report -k processor.timeout=1800
-
-
    -
  • - For a permanent change, edit the [plugin_options] section of - the /etc/sos/sos.conf file: -
  • -
-
-
[plugin_options]
-# Specify any plugin options and their values here. These options take the form
-# plugin_name.option_name = value
-#rpm.rpmva = off
-processor.timeout = 1800
-

- The example value is set to 1800. The particular timeout value highly depends on a specific system. - To set the plugin’s timeout appropriately, you can first estimate the time needed to collect the one - plugin with no timeout by running the following command: -

-
# time sos report -o processor -k processor.timeout=0 --batch --build
-

- Bugzilla:1869561[1] -

-
-
-
-
-
-

11.18. Containers

-
-
-
-
-

Running systemd within an older container image does not work

-

- Running systemd within an older container image, for example, centos:7, does not work: -

-
-
$ podman run --rm -ti centos:7 /usr/lib/systemd/systemd
- Storing signatures
- Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
- [!!!!!!] Failed to mount API filesystems, freezing.
-

- To work around this problem, use the following commands: -

-
# mkdir /sys/fs/cgroup/systemd
-# mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
-# podman run --runtime /usr/bin/crun --annotation=run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup --rm -ti centos:7 /usr/lib/systemd/systemd
-

- Jira:RHELPLAN-96940[1] -

-
-
-
-
-
-
-

Appendix A. List of tickets by component

-
-
-
-

- Bugzilla and JIRA tickets are listed in this document for reference. The links lead to the release notes - in this document that describe the tickets. -

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ComponentTickets
-

- 389-ds-base -

-
-

- Bugzilla:2188627, Bugzilla:1987471, - Bugzilla:2149025, - Bugzilla:2166332, - Bugzilla:2189946, - Bugzilla:2189954, - Bugzilla:1975930, - Bugzilla:1974242, - Bugzilla:1759941, - Bugzilla:2053204, - Bugzilla:2116948, Bugzilla:2179278, - Bugzilla:2189717, - Bugzilla:2170494, - Bugzilla:2098236, - Jira:RHEL-17178 -

-
-

- NetworkManager -

-
-

- Bugzilla:2176137, - Bugzilla:2161915, - Bugzilla:2151986, - Bugzilla:2190375, - Bugzilla:2069001, - Bugzilla:2069004, - Bugzilla:2148684, - Bugzilla:2158328, - Bugzilla:2180966, Bugzilla:2151040, - Bugzilla:1894877 -

-
-

- Release Notes -

-
-

- Jira:RHELDOCS-16861, Jira:RHELDOCS-16760, - Jira:RHELDOCS-16756, Jira:RHELDOCS-16612, Jira:RHELDOCS-17102, - Jira:RHELDOCS-16979 -

-
-

- anaconda -

-
-

- Bugzilla:2171811, - Bugzilla:2164819, - Bugzilla:2177219, - Bugzilla:2157921, - Bugzilla:2065754, - Bugzilla:2107346, - Bugzilla:2127473, - Bugzilla:2050140, - Bugzilla:1877697, - Jira:RHEL-4707, - Jira:RHEL-4711, - Bugzilla:1997832, - Jira:RHEL-4741, - Bugzilla:2115783, - Jira:RHEL-4762, - Bugzilla:2163497, - Jira:RHEL-4737 -

-
-

- ansible-freeipa -

-
-

- Bugzilla:2175767, - Bugzilla:2127903, - Bugzilla:2127907 -

-
-

- audit -

-
-

- Jira:RHELPLAN-161087 -

-
-

- bacula -

-
-

- Jira:RHEL-6856 -

-
-

- bind -

-
-

- Bugzilla:1984982 -

-
-

- cloud-init -

-
-

- Bugzilla:2118235, Bugzilla:2172341, - Jira:RHEL-12122 -

-
-

- cockpit -

-
-

- Bugzilla:2203361 -

-
-

- cockpit-appstream -

-
-

- Bugzilla:2030836 -

-
-

- cockpit-machines -

-
-

- Bugzilla:2173584 -

-
-

- crash -

-
-

- Bugzilla:2170283 -

-
-

- createrepo_c -

-
-

- Bugzilla:2056318 -

-
-

- crypto-policies -

-
-

- Bugzilla:2216257, - Bugzilla:2193324, - Jira:RHEL-591, - Bugzilla:2225222 -

-
-

- cups-filters -

-
-

- Bugzilla:2229784 -

-
-

- cyrus-sasl -

-
-

- Bugzilla:1995600 -

-
-

- debugedit -

-
-

- Bugzilla:2177302 -

-
-

- device-mapper-multipath -

-
-

- Jira:RHEL-782, - Bugzilla:2164869, - Bugzilla:2033080, - Bugzilla:2011699, - Bugzilla:1926147 -

-
-

- device-mapper-persistent-data -

-
-

- Bugzilla:2175198 -

-
-

- dnf -

-
-

- Bugzilla:2124793, - Bugzilla:2212262, - Bugzilla:2073510 -

-
-

- dnf-plugins-core -

-
-

- Bugzilla:2157844, - Bugzilla:2134638, - Bugzilla:2203100 -

-
-

- edk2 -

-
-

- Bugzilla:1935497 -

-
-

- elfutils -

-
-

- Bugzilla:2182061, Bugzilla:2182059 -

-
-

- fapolicyd -

-
-

- Jira:RHEL-624, - Jira:RHEL-622, - Jira:RHEL-817, - Bugzilla:2054740, Jira:RHEL-520 -

-
-

- fence-agents -

-
-

- Bugzilla:2187327 -

-
-

- fuse3 -

-
-

- Bugzilla:2188182 -

-
-

- gcc -

-
-

- Bugzilla:2193180, - Bugzilla:2168204, Bugzilla:2208908 -

-
-

- gcc-toolset-13 -

-
-

- Bugzilla:2171919 -

-
-

- gcc-toolset-13-annobin -

-
-

- Bugzilla:2171923 -

-
-

- gcc-toolset-13-binutils -

-
-

- Bugzilla:2171926 -

-
-

- gcc-toolset-13-gcc -

-
-

- Bugzilla:2172093 -

-
-

- gcc-toolset-13-gdb -

-
-

- Bugzilla:2172096 -

-
-

- gfs2-utils -

-
-

- Bugzilla:2170017 -

-
-

- gimp -

-
-

- Bugzilla:2047161 -

-
-

- glibc -

-
-

- Bugzilla:2169978, - Bugzilla:2213907, - Bugzilla:2177235 -

-
-

- gnupg2 -

-
-

- Bugzilla:2073567, - Bugzilla:2070722 -

-
-

- gnutls -

-
-

- Bugzilla:2157953, Bugzilla:2108532 -

-
-

- golang -

-
-

- Bugzilla:2185259, Bugzilla:2111072, - Bugzilla:2092016 -

-
-

- grafana -

-
-

- Bugzilla:2193018, Bugzilla:2190025 -

-
-

- grub2 -

-
-

- Bugzilla:2184069 -

-
-

- gssproxy -

-
-

- Bugzilla:2181465 -

-
-

- gtk3 -

-
-

- Jira:RHEL-11924 -

-
-

- httpd -

-
-

- Bugzilla:2184403, Bugzilla:2173295 -

-
-

- ipa -

-
-

- Bugzilla:2196426, Bugzilla:2165880, - Bugzilla:2229712, - Bugzilla:2227831, Bugzilla:2084180, Bugzilla:2084166, - Bugzilla:2069202, - Bugzilla:2094673, - Bugzilla:2057471, - Jira:RHEL-12154, - Jira:RHEL-12143, - Jira:RHEL-4955 -

-
-

- iproute -

-
-

- Jira:RHEL-428 -

-
-

- java-17-openjdk -

-
-

- Bugzilla:2186647 -

-
-

- jmc-core -

-
-

- Bugzilla:1980981 -

-
-

- kdump-anaconda-addon -

-
-

- Jira:RHEL-11196 -

-
-

- kernel -

-
-

- Bugzilla:1898184, Bugzilla:2177180, Bugzilla:2144528, - Bugzilla:2210263, - Bugzilla:2180124, - Bugzilla:2192730, Bugzilla:2178741, - Bugzilla:2195986, - Bugzilla:2208365, - Bugzilla:2187856, Bugzilla:2192722, - Bugzilla:2171093, - Bugzilla:2189292, - Bugzilla:2193330, - Bugzilla:2178930, Bugzilla:2092194, - Bugzilla:2101598, - Bugzilla:2218207, - Bugzilla:2173947, - Bugzilla:2178956, - Bugzilla:2173594, - Bugzilla:1613522, - Bugzilla:1874182, Bugzilla:1995338, - Bugzilla:1570255, Bugzilla:2177256, - Bugzilla:2178699, - Bugzilla:2023416, - Bugzilla:2021672, - Bugzilla:2027304, - Bugzilla:1660337, Bugzilla:1955275, Bugzilla:2142102, - Bugzilla:2068237, - Bugzilla:2040643, - Bugzilla:2186375, - Bugzilla:2183538, Bugzilla:2206599, Bugzilla:2167783, - Bugzilla:2000616, - Bugzilla:2013650, - Bugzilla:2132480, - Bugzilla:2059545, - Bugzilla:2005173, Bugzilla:2128610, - Bugzilla:2129288, - Bugzilla:2013884, Bugzilla:2149989 -

-
-

- kernel / Networking / IPSec -

-
-

- Jira:RHEL-1015 -

-
-

- kernel / Networking / NIC Drivers -

-
-

- Jira:RHEL-6496, - Jira:RHEL-9897, - Jira:RHEL-15404 -

-
-

- kernel / Platform Enablement / NVMe -

-
-

- Jira:RHEL-8171, - Jira:RHEL-8164 -

-
-

- kernel / Storage / Storage Drivers -

-
-

- Jira:RHEL-8466 -

-
-

- kernel / Virtualization / KVM -

-
-

- Jira:RHEL-7212, - Jira:RHEL-2815 -

-
-

- kernel-rt -

-
-

- Bugzilla:2181571 -

-
-

- kernel-rt / Other -

-
-

- Jira:RHEL-9318 -

-
-

- kexec-tools -

-
-

- Bugzilla:2083475, - Bugzilla:2173815, Bugzilla:2169720, - Bugzilla:2160676, - Bugzilla:2113873, - Bugzilla:2064708 -

-
-

- keylime -

-
-

- Jira:RHEL-595, - Jira:RHEL-11866, Jira:RHEL-392, - Jira:RHEL-393, Jira:RHEL-947, - Jira:RHEL-1252, - Jira:RHEL-11867, - Jira:RHEL-1518 -

-
-

- keylime-agent-rust -

-
-

- Jira:RHEL-476, Jira:RHEL-395, - Jira:RHEL-396 -

-
-

- kmod -

-
-

- Bugzilla:2103605 -

-
-

- kmod-kvdo -

-
-

- Jira:RHEL-8354 -

-
-

- krb5 -

-
-

- Bugzilla:2178298, - Bugzilla:2155607, - Jira:RHEL-4902, - Bugzilla:2060798, - Jira:RHEL-4875, - Jira:RHEL-4889, - Bugzilla:2060421, - Bugzilla:2016312, - Jira:RHEL-4888 -

-
-

- libabigail -

-
-

- Bugzilla:2186931 -

-
-

- libotr -

-
-

- Bugzilla:2086562 -

-
-

- libpfm -

-
-

- Bugzilla:2185652 -

-
-

- libvirt -

-
-

- Bugzilla:2032406, - Bugzilla:2168499, - Bugzilla:2014487, - Bugzilla:2143158, - Bugzilla:2078693 -

-
-

- libxcrypt -

-
-

- Bugzilla:2034569 -

-
-

- llvm-toolset -

-
-

- Bugzilla:2178796 -

-
-

- lvm2 -

-
-

- Bugzilla:2038183 -

-
-

- mysql -

-
-

- Bugzilla:1991500 -

-
-

- nfs-utils -

-
-

- Bugzilla:2081114 -

-
-

- nginx-1.22-module -

-
-

- Bugzilla:2170808 -

-
-

- nmstate -

-
-

- Bugzilla:2179916, - Bugzilla:2180795, - Bugzilla:2177733, - Bugzilla:2183214, - Bugzilla:2187622 -

-
-

- nodejs -

-
-

- Bugzilla:2186717 -

-
-

- nss -

-
-

- Bugzilla:2157950 -

-
-

- nvme-cli -

-
-

- Bugzilla:2159929 -

-
-

- nvme-stas -

-
-

- Bugzilla:1893841 -

-
-

- open-vm-tools -

-
-

- Bugzilla:2037657 -

-
-

- opencryptoki -

-
-

- Bugzilla:2160061 -

-
-

- opensc -

-
-

- Jira:RHEL-280 -

-
-

- openscap -

-
-

- Bugzilla:2217442, Bugzilla:2161499 -

-
-

- openslp -

-
-

- Jira:RHEL-6995 -

-
-

- openssh -

-
-

- Bugzilla:2070163, Bugzilla:2056884 -

-
-

- openssl -

-
-

- Bugzilla:2216256, Bugzilla:2153471, - Bugzilla:2188180, - Bugzilla:2160797, - Bugzilla:2168665, - Bugzilla:1975836, - Bugzilla:1681178, - Bugzilla:1685470 -

-
-

- osbuild -

-
-

- Jira:RHEL-4655 -

-
-

- osbuild-composer -

-
-

- Bugzilla:2173928, - Jira:RHEL-7999, - Jira:RHEL-4649 -

-
-

- oscap-anaconda-addon -

-
-

- Bugzilla:2172264, - Jira:RHEL-1824 -

-
-

- pacemaker -

-
-

- Bugzilla:2189301, Bugzilla:2182482 -

-
-

- papi -

-
-

- Bugzilla:2111923, Bugzilla:2186927, - Bugzilla:2215582 -

-
-

- pause-container -

-
-

- Bugzilla:2106816 -

-
-

- pcp -

-
-

- Bugzilla:2175602, Bugzilla:2185803 -

-
-

- pcs -

-
-

- Bugzilla:2168155, - Bugzilla:2163953, - Bugzilla:2175881, - Bugzilla:2182810, - Bugzilla:1423473, - Bugzilla:2177996, - Bugzilla:1860626, - Bugzilla:2163914 -

-
-

- pcsc-lite-ccid -

-
-

- Bugzilla:2209457 -

-
-

- perl-HTTP-Tiny -

-
-

- Bugzilla:2228412 -

-
-

- pki-core -

-
-

- Bugzilla:2084181 -

-
-

- podman -

-
-

- Jira:RHELPLAN-154314, - Jira:RHELPLAN-154432, Jira:RHELPLAN-154441, - Jira:RHELPLAN-154438, - Jira:RHELPLAN-163003, Jira:RHELPLAN-160660, - Jira:RHELPLAN-154429, - Bugzilla:2069279 -

-
-

- postfix -

-
-

- Bugzilla:2134789 -

-
-

- python-greenlet -

-
-

- Bugzilla:2149497 -

-
-

- python3.11-lxml -

-
-

- Bugzilla:2157708 -

-
-

- qemu-kvm -

-
-

- Bugzilla:1880531, - Bugzilla:1965079, Bugzilla:1951814, Bugzilla:2060839, Bugzilla:2014229, - Jira:RHEL-7335, - Jira:RHEL-7336, - Bugzilla:1915715, - Jira:RHEL-13335, - Jira:RHEL-333, - Bugzilla:2176010, - Bugzilla:2058982, - Bugzilla:2073872 -

-
-

- qemu-kvm / Devices -

-
-

- Jira:RHEL-1220 -

-
-

- qemu-kvm / Graphics -

-
-

- Jira:RHEL-7135 -

-
-

- qemu-kvm / Live Migration -

-
-

- Jira:RHEL-7096, - Jira:RHEL-2316, - Jira:RHEL-7115 -

-
-

- qemu-kvm / Networking -

-
-

- Jira:RHEL-7337 -

-
-

- rear -

-
-

- Bugzilla:2188593, - Bugzilla:2172912, - Bugzilla:2196445, - Bugzilla:2145014 -

-
-

- redis -

-
-

- Bugzilla:2129826 -

-
-

- resource-agents -

-
-

- Bugzilla:2174911, - Bugzilla:2142518, - Bugzilla:2142002, - Bugzilla:2182415, - Bugzilla:2179003 -

-
-

- restore -

-
-

- Bugzilla:1997366 -

-
-

- rhel-system-roles -

-
-

- Bugzilla:2224384, Bugzilla:2216753, - Bugzilla:2224385, Bugzilla:2185065, Bugzilla:2181656, - Bugzilla:2211194, - Bugzilla:2218592, - Bugzilla:2211723, - Bugzilla:2218204, - Bugzilla:2151373, - Bugzilla:2179460, - Bugzilla:2211748, - Bugzilla:2229802, - Bugzilla:2181657, - Bugzilla:2168692, - Bugzilla:2211984, - Bugzilla:2232241, - Bugzilla:2232231, - Bugzilla:2224090, - Bugzilla:2222761, - Bugzilla:2223764, - Bugzilla:2222428, - Bugzilla:2216520, - Bugzilla:2211187, Bugzilla:2209200, - Bugzilla:2193058, - Bugzilla:2186057, - Jira:RHEL-1499, - Jira:RHEL-1397, - Jira:RHEL-906, - Jira:RHEL-1495, - Jira:RHEL-898, - Jira:RHEL-885, - Bugzilla:1999770, - Bugzilla:2123859, - Jira:RHEL-1172, Bugzilla:2186218 -

-
-

- rpm -

-
-

- Bugzilla:2157836 -

-
-

- rsyslog -

-
-

- Jira:RHELPLAN-160541 -

-
-

- rust -

-
-

- Bugzilla:2191743, Bugzilla:2227082 -

-
-

- s390utils -

-
-

- Bugzilla:1932480 -

-
-

- samba -

-
-

- Bugzilla:2190415 -

-
-

- scap-security-guide -

-
-

- Bugzilla:2221697, Bugzilla:2155790, - Jira:RHEL-1905, - Bugzilla:2203791, - Bugzilla:2213958, Bugzilla:2223178, Bugzilla:2193169, - Jira:RHEL-1800, - Bugzilla:2038978 -

-
-

- selinux-policy -

-
-

- Bugzilla:2080443, - Bugzilla:2170495, Bugzilla:2184999, Bugzilla:2162663, - Bugzilla:2112729, - Jira:RHELPLAN-163014, - Bugzilla:2187745, Bugzilla:2229722, - Bugzilla:2064274 -

-
-

- setools -

-
-

- Bugzilla:2231801 -

-
-

- sevctl -

-
-

- Bugzilla:2104857 -

-
-

- sos -

-
-

- Bugzilla:1869561 -

-
-

- squid-container -

-
-

- Bugzilla:2178953 -

-
-

- sssd -

-
-

- Bugzilla:2065693, - Bugzilla:2056482, - Bugzilla:1608496 -

-
-

- stratisd -

-
-

- Bugzilla:2041558 -

-
-

- subscription-manager -

-
-

- Bugzilla:2163716, - Bugzilla:2136694 -

-
-

- sysstat -

-
-

- Jira:RHEL-12009 -

-
-

- systemd -

-
-

- Bugzilla:2018112, - Jira:RHEL-6105 -

-
-

- systemtap -

-
-

- Bugzilla:2186934 -

-
-

- tang -

-
-

- Bugzilla:2188743 -

-
-

- tigervnc -

-
-

- Bugzilla:2060308 -

-
-

- tuned -

-
-

- Bugzilla:2113900 -

-
-

- ubi9-micro-container -

-
-

- Bugzilla:2223028 -

-
-

- udisks2 -

-
-

- Bugzilla:1983602, - Bugzilla:2213769 -

-
-

- unbound -

-
-

- Bugzilla:2070495 -

-
-

- valgrind -

-
-

- Bugzilla:2124346 -

-
-

- virt-v2v -

-
-

- Bugzilla:2168082 -

-
-

- virtio-win -

-
-

- Bugzilla:1969724, - Jira:RHEL-11366, - Jira:RHEL-910, - Jira:RHEL-1609, - Jira:RHEL-869 -

-
-

- virtio-win / distribution -

-
-

- Jira:RHEL-1517, - Jira:RHEL-574 -

-
-

- virtio-win / virtio-win-prewhql -

-
-

- Jira:RHEL-1084, - Jira:RHEL-935, - Jira:RHEL-12118, - Jira:RHEL-1212 -

-
-

- webkit2gtk3 -

-
-

- Jira:RHEL-4157 -

-
-

- which -

-
-

- Bugzilla:2181974 -

-
-

- xdp-tools -

-
-

- Bugzilla:2218500, Jira:RHEL-3382 -

-
-

- other -

-
-

- Bugzilla:2232554, Jira:RHELDOCS-17055, Jira:RHELPLAN-163133, - Jira:RHELPLAN-163665, - Jira:RHELDOCS-16405, - Jira:RHELDOCS-16247, Bugzilla:2136937, - Jira:RHELDOCS-16474, - Jira:RHELDOCS-16462, - Jira:RHELDOCS-16386, - Jira:RHELPLAN-156196, Jira:RHELDOCS-16708, Jira:RHELDOCS-16709, - Jira:RHELDOCS-16339, - Jira:RHELDOCS-16877, Jira:RHELPLAN-122345, - Jira:RHELDOCS-16487, - Jira:RHELDOCS-16752, - Jira:RHELDOCS-17101, - Bugzilla:2236182, - Jira:RHELDOCS-17040, Bugzilla:2020529, - Bugzilla:2030412, - Jira:RHELPLAN-103993, Jira:RHELPLAN-27394, - Jira:RHELPLAN-27737, - Jira:RHELDOCS-16861, Jira:RHELDOCS-17050, Bugzilla:1927780, Jira:RHELPLAN-110763, - Bugzilla:1935544, Bugzilla:2089200, - Jira:RHELDOCS-16948, - Jira:RHELPLAN-99136, Jira:RHELDOCS-17380, Jira:RHELPLAN-103232, Bugzilla:1899167, Bugzilla:1979521, Jira:RHELPLAN-100087, - Jira:RHELPLAN-100639, - Bugzilla:2058153, Jira:RHELPLAN-113995, Jira:RHELPLAN-98983, Jira:RHELPLAN-131882, Jira:RHELPLAN-139805, Jira:RHELDOCS-16756, Jira:RHELPLAN-153267, Jira:RHELDOCS-16300, Jira:RHELDOCS-16432, - Jira:RHELDOCS-16393, - Jira:RHELDOCS-16612, Jira:RHELDOCS-17102, - Jira:RHELPLAN-157225, - Jira:RHELPLAN-157337, - Bugzilla:1640697, - Bugzilla:1697896, - Bugzilla:2047713, - Jira:RHELPLAN-96940, - Jira:RHELPLAN-117234, - Jira:RHELPLAN-119001, Jira:RHELPLAN-119852, - Bugzilla:2077767, - Bugzilla:2053598, - Bugzilla:2082303, - Jira:RHELPLAN-121049, - Jira:RHELPLAN-157939, - Jira:RHELPLAN-109613, - Bugzilla:2160619, - Bugzilla:2173992, - Bugzilla:2185048, Bugzilla:1970830, - Jira:RHELDOCS-16574 -

-
-
-
-
-
-
-
-

Appendix B. Revision history

-
-
-
-
-
-
0.2-3
-
-

- Thu Jul 18 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated the abstract in the Deprecated functionalities section -
  • -
-
-
-
0.2-2
-
-

- Tue Jun 11 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Add Deprecated Functionality RHELDOCS-18049 - (Shells and command-line tools). -
  • -
-
-
-
0.2-1
-
-

- Tue Jun 11 2024, Brian Angelica (bangelic@redhat.com) -

-
-
    -
  • - Added an Known Issue RHEL-24847 - (Shells and command-line tools). -
  • -
-
-
-
0.2-0
-
-

- Thu May 16 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an Known Issue RHEL-10019 - (Virtualization). -
  • -
-
-
-
0.1-9
-
-

- Thu Apr 18 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added an Enhancement RHEL-19142 - (Networking). -
  • -
-
-
-
0.1-8
-
-

- Thu Apr 11 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-7
-
-

- Thu Mar 14 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-6
-
-

- Mon Mar 04 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-5
-
-

- Wed Feb 28 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated a Known Issue to Bug Fix RHEL-8171 - (Storage). -
  • -
-
-
-
0.1-4
-
-

- Wed Feb 7 2024, Lucie Vařáková (lvarakova@redhat.com) -

-
-
    -
  • - Added a new feature RHEL-14694 - (Networking). -
  • -
-
-
-
0.1-3
-
-

- Thu Feb 1 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Added a KI BZ#1834716 - (Security) -
  • -
  • - Updated s Deprecated Functionality RHELDOCS-16756 (Container - tools) -
  • -
-
-
-
0.1-2
-
-

- Mon Jan 29 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.1-1
-
-

- Thu Jan 2024, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Added an enhancement related to Python RHELDOCS-17369 - (Dynamic programming languages, web and database servers) -
  • -
-
-
-
0.1-0
-
-

- Wed Jan 10 2024, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0-9
-
-

- Tue Jan 2 2024, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Updated description in Enhancement BZ#2184403 -
  • -
-
-
-
0.0-8
-
-

- Thu Nov 23 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0-7
-
-

- Wed Nov 22 2023, Gabriela Fialová (gfialova@redhat.com) -

-
- -
-
-
0.0-6
-
-

- Tue Nov 21 2023, David Vozenilek (dvozenil@redhat.com) -

-
- -
-
-
0.0-5
-
-

- Mon Nov 20 2023, Jana Heves (jsvarova@redhat.com) -

-
-
    -
  • - Add KI RHEL-15404 - sst_kernel_generalists -
  • -
-
-
-
0.0-4
-
-

- Sun Nov 19 2023, Filip Hanzelka (fhanzelk@redhat.com) -

-
- -
-
-
0.0-3
-
-

- Thu Nov 16 2023, Marek Suchánek (msuchane@redhat.com) -

-
- -
-
-
0.0-2
-
-

- Thu Nov 16 2023, Lenka Špačková (lspackova@redhat.com) -

-
-
    -
  • - Node.js 20 is now fully supported (BZ#2186717). -
  • -
-
-
-
0.0-1
-
-

- Wed Nov 08 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 9.3 Release Notes. -
  • -
-
-
-
0.0-0
-
-

- Wed Sep 27 2023, Gabriela Fialová (gfialova@redhat.com) -

-
-
    -
  • - Release of the Red Hat Enterprise Linux 9.3 Beta Release Notes. -
  • -
-
-
-
-
-
-
-
-

Legal Notice

-
- Copyright © 2024 Red Hat, Inc. -
-
- The text of and illustrations in this document are licensed by Red Hat under a Creative Commons - Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available - at http://creativecommons.org/licenses/by-sa/3.0/. - In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must - provide the URL for the original version. -
-
- Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, - Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. -
-
- Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, - the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and - other countries. -
-
- Linux® is the registered trademark of Linus Torvalds in the United - States and other countries. -
-
- Java® is a registered trademark of Oracle and/or its affiliates. -
-
- XFS® is a trademark of Silicon Graphics International Corp. or its - subsidiaries in the United States and/or other countries. -
-
- MySQL® is a registered trademark of MySQL AB in the United States, - the European Union and other countries. -
-
- Node.js® is an official trademark of Joyent. Red Hat is not formally - related to or endorsed by the official Joyent Node.js open source or commercial project. -
-
- The OpenStack® Word Mark and OpenStack logo are either registered - trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United - States and other countries and are used with the OpenStack Foundation's permission. We are not - affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community. -
-
- All other trademarks are the property of their respective owners. -
-
-
-
-
diff --git a/app/services/fetch_graphql_data.py b/app/services/fetch_graphql_data.py
deleted file mode 100644
index 50ff203..0000000
--- a/app/services/fetch_graphql_data.py
+++ /dev/null
@@ -1,70 +0,0 @@
-import logging
-import os
-import re
-from collections import defaultdict
-
-from bs4 import BeautifulSoup
-
-from app.config import BASE_DIR
-from app.models import ReleaseModel
-
-logger = logging.getLogger(__name__)
-
-
-def load_html_and_split_paragraphs(file_path):
- # Open and read the HTML file
- try:
- with open(file_path, "r", encoding="utf-8") as file:
- html_content = file.read()
- except FileNotFoundError:
- logging.error(f"File {file_path} not found")
- return []
-
- # Parse the HTML content using BeautifulSoup
- soup = BeautifulSoup(html_content, "html.parser")
-
- sections = defaultdict(str)
-
- current_title = None
- all_text = []
- title_tags = ["h1", "h2", "h3", "h4", "h5", "h6"]
- # Iterate over the tags in the document
- for element in soup.find_all([*title_tags, "p", "ul", "ol", "li", "div", "span"]):
- if element.name in title_tags:
- if current_title and all_text:
- sections[current_title] = {
- "title": current_title,
- "text": normalize_text("\n".join(all_text).strip()),
- "tag": element.name,
- }
-
- current_title = normalize_text(element.get_text().strip())
- all_text = []
- else:
- all_text.append(element.get_text().strip())
-
- if current_title and all_text:
- sections[current_title] = {
- "title": current_title,
- "text": normalize_text("\n".join(all_text).strip()),
- "tag": element.name,
- }
-
- return list(sections.values())
-
-
-def normalize_text(text):
- text = re.sub(r"\n+", "\n", text)
- text = re.sub(r"\s+", " ", text)
- text = text.strip()
- return text
-
-
-def get_release_notes(release: ReleaseModel):
- # TODO: in future this should be replace with a function that will use GrapQL client to fetch data from database
- # It should be cached for a certain period of time
- logging.info(f"Fetching release notes for version {release.major}.{release.minor}")
- path = os.path.join(BASE_DIR, "data", f"{release.major}.{release.minor}.html")
- data = {"release": release, "paragraphs": 
load_html_and_split_paragraphs(path)}
- # TODO cache results or load them to the database on schedule
- return data