Chapter 4. New features

This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.2 Beta.

4.1. Installer and image creation

Ability to register your system, attach RHEL subscriptions, and install from the Red Hat CDN

In RHEL 8.2 Beta, you can register your system, attach RHEL subscriptions, and install from the Red Hat Content Delivery Network (CDN) before package installation. Interactive GUI installations, as well as automated Kickstart installations, support this feature. Benefits include:

  • The use of the smaller Boot ISO image file removes the need to download the larger Binary DVD ISO image file.
  • Packages are installed from the CDN, which provides the latest versions, so the system is fully subscribed and up to date immediately after installation. There is no need to apply package updates afterwards.
  • Registration is performed before package installation, resulting in a shorter and more streamlined installation process.
  • Integrated support for Red Hat Insights is available.

(BZ#1748281)

Ability to register your system to Red Hat Insights during installation

In RHEL 8.2 Beta, you can register your system to Red Hat Insights during installation. Interactive GUI installations, as well as automated Kickstart installations, support this feature.

Benefits include:

  • Easier to identify, prioritize, and resolve issues before business operations are affected.
  • Proactively identify and remediate threats to security, performance, availability, and stability with predictive analytics.
  • Avoid problems and unplanned downtime in your environment.

(BZ#1746391)

Ability to update blueprint in the GUI for Image Builder if an error occurs while resolving dependencies

With this enhancement, the user is able to update the blueprint in the graphical UI for Image Builder if an error occurs while resolving dependencies. When such an error occurs, the user sees an inline alert in the Edit Package page that lists the packages that have issues. To fix the issue, the user can modify or remove the packages that are defined in the blueprint until the dependencies can be resolved.

(BZ#1676539)

Image Builder now offers cloud-init support for creating Azure images

With this enhancement, cloud-init support is available for Azure images created by Image Builder. As a result, the creation of on-demand images with fast-provisioning and the ability to add custom data is available to customers.

(BZ#1754711)

4.2. Software management

All dnf-automatic.timer timer units now use the real-time clock by default

Previously, the dnf-automatic.timer timer units used the monotonic clock, which resulted in unpredictable activation time after the system boot. With this update, the timer units run between 6 a.m. and 7 a.m. If the system is off during that time, the timer units are activated within one hour after the system boot.

(BZ#1754609)
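The change above swaps a monotonic trigger for a wall-clock one. The script below is an added example, not part of the release note or of the dnf package: it classifies the triggers a timer unit file uses, writes a drop-in of the same shape (calendar trigger, jitter, catch-up after downtime) for any timer you want pinned to a window, and audits the timers loaded on a running host. The sample unit text is constructed, the drop-in directory is a parameter rather than /etc, and the 02:00 window is an arbitrary choice.

```sh
#!/bin/sh
# Added example (not from the release note or dnf): audit and pin systemd timers.

# Print realtime, monotonic, both or none for the [Timer] triggers in a unit
# file. OnCalendar= is wall-clock; the On*Sec= keys count from boot or
# activation, so they fire at a different time after every reboot. Empty
# assignments (resets) are ignored.
timer_trigger_kind() {
    unit=$1
    rt=$(grep -Ec '^[[:space:]]*OnCalendar=.+' "$unit" || :)
    mono=$(grep -Ec '^[[:space:]]*On(Boot|Startup|Active|UnitActive|UnitInactive)Sec=.+' "$unit" || :)
    if [ "$rt" -gt 0 ] && [ "$mono" -gt 0 ]; then echo both
    elif [ "$rt" -gt 0 ]; then echo realtime
    elif [ "$mono" -gt 0 ]; then echo monotonic
    else echo none
    fi
}

# Constructed sample of an old-style timer that uses only monotonic triggers.
write_sample_timer() {
    cat > "$1" <<'EOF'
[Unit]
Description=sample timer (monotonic triggers only)

[Timer]
OnBootSec=1h
OnUnitActiveSec=1d

[Install]
WantedBy=timers.target
EOF
}

# Drop-in for DIR (stands in for /etc/systemd/system/<name>.timer.d/). The
# empty assignments clear inherited triggers; the remaining keys give a daily
# 02:00 trigger with up to an hour of jitter, and Persistent=true runs a
# missed activation right after the next boot.
write_timer_dropin() {
    mkdir -p "$1"
    cat > "$1/override.conf" <<'EOF'
[Timer]
OnBootSec=
OnUnitActiveSec=
OnCalendar=*-*-* 02:00
RandomizedDelaySec=60m
Persistent=true
EOF
}

# On a live host, ask systemd for the effective trigger sets (drop-ins
# included) of every timer. Does nothing where systemctl is absent.
audit_loaded_timers() {
    command -v systemctl >/dev/null 2>&1 || return 0
    systemctl list-units --type=timer --all --plain --no-legend | awk '{print $1}' |
    while read -r t; do
        cal=$(systemctl show -p TimersCalendar --value "$t")
        mono=$(systemctl show -p TimersMonotonic --value "$t")
        kind=none
        [ -n "$cal" ] && kind=realtime
        [ -n "$mono" ] && { [ "$kind" = realtime ] && kind=both || kind=monotonic; }
        printf '%-40s %s\n' "$t" "$kind"
    done
}
```

timer_trigger_kind works on a single file, so a unit whose drop-in resets the monotonic keys still shows up as "both" when the two files are concatenated; audit_loaded_timers asks systemd for the merged view instead. After writing a drop-in, run systemctl daemon-reload and check systemctl list-timers for the new next-elapse time.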

4.3. Infrastructure services

graphviz-python3 is now distributed in the CRB repository

This update adds the graphviz-python3 package to RHEL 8. The package provides the Python 3 bindings for using the Graphviz graph visualization software from Python.

Note that the graphviz-python3 package is distributed in the unsupported CodeReady Linux Builder repository (CRB).

(BZ#1704875)

tuned rebased to version 2.13.0

The tuned packages have been upgraded to upstream version 2.13.0. Notable enhancements include:

  • Support for architecture-dependent tuning has been added.
  • Support for multiple include directives has been added.
  • Tuning in the sap-hana, latency-performance, and realtime profiles has been updated.

(BZ#1738250)

powertop rebased to version 2.11

The powertop package has been upgraded to version 2.11, which provides the following notable change:

  • Support for the Intel EHL (Elkhart Lake), TGL (Tiger Lake), and ICL/ICX (Ice Lake client and server) platforms

(BZ#1716721)

BIND now supports GeoIP2 instead of GeoLite Legacy GeoIP

The GeoLite Legacy GeoIP library is no longer supported in BIND. With this update, GeoLite Legacy GeoIP has been replaced with GeoIP2, which BIND reads through the libmaxminddb library (MaxMind DB format).

Note that the new format may require configuration changes, and it does not support the following legacy GeoIP access control list (ACL) settings:

  • geoip netspeed
  • geoip org
  • ISO 3166 Alpha-3 country codes

(BZ#1564443)

serve-stale now provides expired cached records during a DDoS attack

Previously, when a Distributed Denial of Service (DDoS) attack made the authoritative servers unreachable, a recursive server could only answer with the SERVFAIL error once its cached records had expired. With this update, the serve-stale (stale-answer) functionality lets the recursive server keep providing the expired records until a fresh response is obtained.

To enable or disable the serve-stale feature, use either of these:

  • Configuration file
  • Remote control channel (rndc)

(BZ#1664863)
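The following is an added example, not part of the release note or of the BIND project: the options fragment that enables serve-stale on a recursive named, the rndc commands that toggle and inspect it, and the dig check that shows a stale answer. The TTL values, the configuration path and the query name are assumptions.

```sh
#!/bin/sh
# Added example (not from the release note or BIND): enable serve-stale on a
# recursive named, toggle it with rndc, and recognise a stale answer from dig.

# Options to merge into the options { } block of named.conf. Values are
# assumptions; see the ARM of your 9.11 build for the defaults.
serve_stale_options() {
    cat <<'EOF'
options {
    recursion yes;
    // Hand out expired records when fresh ones cannot be fetched.
    stale-answer-enable yes;
    // Keep expired records for one day so there is something to serve.
    max-stale-ttl 86400;
    // TTL put on the stale answers sent to clients.
    stale-answer-ttl 1;
};
EOF
}

# "yes" if CONF enables serve-stale, otherwise "no".
serve_stale_enabled() {
    if grep -qE '^[[:space:]]*stale-answer-enable[[:space:]]+yes[[:space:]]*;' "$1"; then
        echo yes
    else
        echo no
    fi
}

# On the server: syntax-check, reload and confirm through the control channel.
apply_serve_stale() {
    conf=${1:-/etc/named.conf}
    named-checkconf "$conf"
    rndc reload
    rndc serve-stale status
}

# During an incident the feature can be flipped without editing the file:
# "on", "off", or "reset" (back to the configured value).
toggle_serve_stale() { rndc serve-stale "$1"; rndc serve-stale status; }

# From a client: when the upstream is unreachable and the cache entry has
# expired, a stale answer comes back with TTL = stale-answer-ttl (1 here)
# instead of SERVFAIL. NAME is assumed to exist and to have been cached.
check_answer() { dig @"${1:-127.0.0.1}" "$2" A +noall +answer +comments; }
```

Serve-stale only ever returns records the resolver has already validated and cached, so it does not widen what an attacker can inject; the trade-off is that a legitimately changed record keeps being served for up to max-stale-ttl while the authoritative servers are unreachable.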

BIND rebased to version 9.11.13

The bind packages have been upgraded to version 9.11.13. Notable changes include:

  • The tcp-highwater statistics variable has been added. This variable shows maximum concurrent TCP clients recorded during a run.
  • The SipHash-2-4-based DNS Cookies (RFC 7873) algorithm has been added.
  • Glue addresses for root priming queries are returned regardless of how the minimal-responses configuration option is set.
  • The named-checkconf command now ensures the validity of the DNS64 network prefixes.
  • Automatic rollover per RFC 5011 no longer fails when the trusted-keys and managed-keys statements are both configured for the same name. Instead, a warning message is logged.
  • Internationalized Domain Name (IDN) processing in the dig and nslookup utilities is now disabled by default when they are not run on terminal (for example, in a script). IDN processing in dig can be switched on by using the +idnin and +idnout options.

(BZ#1704328)

4.4. Security

crypto-policies can now be customized

With this update, you can adjust certain algorithms or protocols of any policy level or set a new complete policy file as the current system-wide cryptographic policy. This enables administrators to customize the system-wide cryptographic policy as required by different scenarios.

RPM packages should store policies provided by them in the /usr/share/crypto-policies/policies directory. The /etc/crypto-policies/policies directory contains local custom policies.

For more information, see the Custom Policies and Crypto Policy Definition Format sections in the update-crypto-policies(8) man page.

(BZ#1690565)
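An added example, not part of the release note or of the crypto-policies package, of both customization routes described above: a policy modifier layered on DEFAULT, and a complete custom policy file. The directory used by the demo, the modifier name and the key sizes are assumptions; the file locations, statement names and commands follow update-crypto-policies(8).

```sh
#!/bin/sh
# Added example (not from the release note or the crypto-policies package):
# write a policy modifier, apply it on top of DEFAULT, and read values back.
# DIR, the modifier name and the key sizes are assumptions; locations, key
# names and commands follow update-crypto-policies(8).

# Modifiers live in /etc/crypto-policies/policies/modules/<NAME>.pmod and use
# the same "key = value" statements as the shipped .pol files under
# /usr/share/crypto-policies/policies/. DIR stands in for that path here.
write_modifier() {
    dir=$1 name=$2
    mkdir -p "$dir"
    cat > "$dir/$name.pmod" <<'EOF'
# Require 3072-bit RSA and DH keys instead of the 2048 bits DEFAULT accepts.
min_rsa_size = 3072
min_dh_size = 3072
EOF
}

# Value assigned to KEY in a .pol or .pmod FILE (last assignment wins), or "unset".
policy_value() {
    key=$1 file=$2
    v=$(sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p" "$file" | tail -n 1)
    echo "${v:-unset}"
}

# Select DEFAULT plus the modifier system-wide. The files regenerated under
# /etc/crypto-policies/back-ends/ are what OpenSSL, GnuTLS, NSS, OpenSSH and
# the other consumers read; processes already running keep the old settings
# until they are restarted (or the host is rebooted).
apply_modifier() {
    name=$1
    update-crypto-policies --set "DEFAULT:$name"
    update-crypto-policies --show                 # expect DEFAULT:<name>
    ls -l /etc/crypto-policies/back-ends/
}

# Alternative when DEFAULT is not the right base: a complete custom policy,
# created by copying a shipped file, editing it, and selecting it by name.
new_full_policy() {
    name=$1
    cp /usr/share/crypto-policies/policies/DEFAULT.pol "/etc/crypto-policies/policies/$name.pol"
    ${EDITOR:-vi} "/etc/crypto-policies/policies/$name.pol"
    update-crypto-policies --set "$name"
}
```

Modifier and policy names are conventionally upper case, and a modifier only overrides the statements it contains; everything else is inherited from the base policy named before the colon.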

SCAP Security Guide now supports ACSC Essential Eight

The scap-security-guide packages now provide the Australian Cyber Security Centre (ACSC) Essential Eight compliance profile and a corresponding Kickstart file. With this enhancement, users can install a system that conforms to this security baseline. Furthermore, you can use the OpenSCAP suite to check security compliance against, and remediate to, this specification of minimum security controls defined by ACSC.

(BZ#1755194)
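The following is an added example, not part of the release note or of the SCAP Security Guide, of running the Essential Eight profile with oscap and triaging the result. The data stream path and profile ID are the ones scap-security-guide ships for RHEL 8; the output file names are arbitrary, and the XCCDF results fragment written by write_sample_results is constructed so that failed_rules can be tried offline.

```sh
#!/bin/sh
# Added example (not from the release note or scap-security-guide): evaluate the
# Essential Eight profile, produce a reviewable fix script, and extract failing
# rule IDs from XCCDF results. The data stream path and profile ID are the ones
# scap-security-guide ships for RHEL 8; the sample results file is constructed.
DS=${DS:-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml}
PROFILE=${PROFILE:-xccdf_org.ssgproject.content_profile_e8}

# Evaluate without changing anything. oscap exits 0 when every rule passes,
# 2 when at least one fails and 1 on an error, so keep the status explicitly.
scan_e8() {
    oscap info "$DS" | grep -F "$PROFILE"      # the profile is in this data stream
    rc=0
    oscap xccdf eval --profile "$PROFILE" \
        --results results.xml --results-arf arf.xml --report report.html \
        "$DS" || rc=$?
    echo "oscap exit status: $rc"
    return "$rc"
}

# Generate the remediation as a script to read before running, rather than
# passing --remediate to eval on a production host.
make_fix_script() {
    oscap xccdf generate fix --profile "$PROFILE" --fix-type bash \
        --output e8-remediate.sh "$DS"
}

# Print the idref of every <rule-result> whose <result> is fail. Works on the
# results.xml produced above (one <result> element per <rule-result>).
failed_rules() {
    awk '
        /<rule-result / { match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
        /<result>fail<\/result>/ { print id }
    ' "$1"
}

# Constructed XCCDF results fragment for trying failed_rules offline.
write_sample_results() {
    cat > "$1" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_one" time="2020-01-01T00:00:00" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_two" time="2020-01-01T00:00:00" severity="low" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sample_three" time="2020-01-01T00:00:00" severity="high" weight="1.000000">
    <result>fail</result>
  </rule-result>
</TestResult>
EOF
}
```

The Kickstart file mentioned above applies the same profile at install time; scan_e8 is the check you run afterwards, and on every subsequent change, to confirm the host is still within the baseline.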

setroubleshoot can now analyze and react to execmem access denials

Previously, no setroubleshoot plugin was able to analyze execmem access denials (AVCs). With this enhancement, setroubleshoot reacts to all execmem AVCs: it suggests switching a boolean when one would allow the access, and reports the issue when no boolean can allow it.

(BZ#1649842)

New packages: setools-gui and setools-console-analyses

The setools-gui package, which has been part of RHEL 7, is now being introduced to RHEL 8. Graphical tools are helpful for inspecting relations and data flows especially in multi-level systems with highly specialized SELinux policies. With the apol graphical tool from the setools-gui package, you can inspect and analyze aspects of an SELinux policy. Tools from the setools-console-analyses package enable you to analyze domain transitions and SELinux policy information flows.

(BZ#1731519)

Confined users in SELinux can now manage user session services

Previously, confined users were not able to manage user session services. As a result, they could not execute systemctl --user or busctl --user commands or work in the RHEL web console. With this update, confined users can manage user sessions.

(BZ#1727887)

The lvmdbusd service is now confined by SELinux

The lvmdbusd service provides a D-Bus API to the logical volume manager (LVM). Previously, the lvmdbusd daemon could not transition to the lvm_t context even though the SELinux policy for lvm_t was defined. As a consequence, the lvmdbusd daemon was executed in the unconfined_service_t domain and SELinux labeled lvmdbusd as unconfined. With this update, the lvmdbusd executable file has the lvm_exec_t context defined and lvmdbusd can now be used correctly with SELinux in enforcing mode.

(BZ#1726166)

semanage now supports listing and modifying SCTP and DCCP ports

Previously, semanage port allowed listing and modifying of only TCP and UDP ports. This update adds SCTP and DCCP protocol support to semanage port. As a result, administrators can now check if two machines can communicate via SCTP and fully enable SCTP features to successfully deploy SCTP-based applications.

(BZ#1563742)

semanage export now shows customizations related to permissive domains

With this update, the semanage utility, which is part of the policycoreutils package for SELinux, is able to display customizations related to permissive domains. System administrators can now transfer permissive local modifications between machines using the semanage export command.

(BZ#1417455)

udica can add new allow rules generated from SELinux denials to existing container policy

When a container that is running under a policy generated by the udica utility triggers an SELinux denial, udica is now able to update the policy. The new parameter -a or --append-rules can be used to append rules from an AVC file.

(BZ#1732704)
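The following is an added example, not part of the release note or of the udica project: the full loop of generating a policy for a container, running the container under it, triaging the denials it produces, and folding the accepted ones back in with --append-rules. The container and policy names are assumptions, and the AVC records written by write_sample_avc are constructed so that the triage step can be tried offline.

```sh
#!/bin/sh
# Added example (not from the release note or udica): generate a container
# policy, run the container under it, triage the denials it produces and fold
# them back in with --append-rules. Container and policy names are assumptions;
# the AVC records in write_sample_avc are constructed.
CONTAINER=${CONTAINER:-webapp}
POLICY=${POLICY:-webapp_policy}
TEMPLATES=/usr/share/udica/templates

# 1. Derive a policy from the running container's mounts and ports, load it.
#    udica prints the exact semodule command with the templates the policy
#    needs; base_container.cil is always among them.
generate_policy() {
    podman inspect "$CONTAINER" > "$CONTAINER.json"
    udica -j "$CONTAINER.json" "$POLICY"
    semodule -i "$POLICY.cil" "$TEMPLATES/base_container.cil"
}

# 2. Start (or restart) the container confined by the generated type.
run_confined() { podman run --security-opt label=type:"$POLICY.process" "$@"; }

# 3. Collect the raw AVC records since the container started exercising.
collect_denials() { ausearch -m AVC --raw -ts recent > avc.log; }

# Triage: "<permissions> <class>" pairs denied to TYPE, with counts, so each
# one can be judged legitimate (or not) before it becomes an allow rule.
denials_for_type() {
    awk -v type="$2" '
        /type=AVC/ && $0 ~ ("scontext=[^ ]*:" type ":") {
            match($0, /\{ [^}]* \}/);  perms  = substr($0, RSTART + 2, RLENGTH - 4)
            match($0, /tclass=[^ ]+/); tclass = substr($0, RSTART + 7, RLENGTH - 7)
            print perms, tclass
        }' "$1" | sort | uniq -c
}

# 4. Append allow rules for the reviewed denials and reload the module.
append_denials() {
    udica -a avc.log "$POLICY"
    semodule -i "$POLICY.cil" "$TEMPLATES/base_container.cil"
}

# Constructed raw AVC lines: two distinct denials for the confined container
# (one repeated) and one for an unrelated container_t process.
write_sample_avc() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1580000000.101:201): avc:  denied  { write } for  pid=2101 comm="nginx" name="cache" dev="dm-0" ino=4242 scontext=system_u:system_r:webapp_policy.process:s0:c12,c34 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1580000000.102:202): avc:  denied  { name_connect } for  pid=2101 comm="nginx" dest=5432 scontext=system_u:system_r:webapp_policy.process:s0:c12,c34 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1580000000.103:203): avc:  denied  { write } for  pid=2101 comm="nginx" name="cache" dev="dm-0" ino=4242 scontext=system_u:system_r:webapp_policy.process:s0:c12,c34 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1580000000.104:204): avc:  denied  { read } for  pid=3003 comm="cat" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
EOF
}
```

Run the triage before append_denials: --append-rules allows every denial in the file, so a record like the shadow read above must be removed from avc.log (or the container fixed) rather than turned into policy.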

Clevis is able to list policies in place for a given LUKS device

With this update, the clevis luks list command lists PBD policies in place for a given LUKS device. This makes it easier to find information on Clevis pins in use and pin configuration, for example Tang server addresses, details on tpm2 policies, and SSS thresholds.

(BZ#1766526)

Clevis provides new commands for reporting key status and rebinding expired keys

The clevis luks report command now provides a simple way to report whether keys for a particular binding require rotation. Regular key rotations in a Tang server improve the security of Network-Bound Disk Encryption (NBDE) deployments, and therefore the client should provide detection of expired keys. If the key is expired, Clevis suggests using the clevis luks regen command which rebinds the expired key slot with a current key. This significantly simplifies the process of key rotation.

(BZ#1564559, BZ#1564566)

Clevis can now extract the passphrase used for binding a particular slot in a LUKS device

With this update to the Clevis policy-based decryption framework, you can now extract the passphrase used for binding a particular slot in a LUKS device. Previously, if the LUKS installation passphrase was erased, Clevis could not perform LUKS administrative tasks, such as re-encryption, enabling a new key slot with a user passphrase, and re-binding Clevis when the administrator needs to change the sss threshold. This update introduces the clevis luks pass command that shows the passphrase used for binding a particular slot.

(BZ#1436780)
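The following is an added example, not part of the release note or of the Clevis project, that ties the three Clevis notes above together: enumerate the bindings of a device, check the Tang-bound slots for key rotation, rebind one, and use a slot's binding passphrase for a LUKS administrative task. The device path and the "clevis luks list" text in sample_bindings are constructed.

```sh
#!/bin/sh
# Added example (not from the release note or Clevis): enumerate the bindings of
# a LUKS device, check the Tang-bound ones for key rotation, rebind, and use
# the binding passphrase for a LUKS administrative task. The device path and
# the "clevis luks list" text in sample_bindings are constructed.
DEV=${DEV:-/dev/sda2}

# "clevis luks list -d DEV" prints one line per bound slot: "<slot>: <pin> '<config>'".
# Print the slot numbers bound with PIN (tang, tpm2 or sss) from such output on stdin.
slots_with_pin() { awk -v pin="$1" -F'[: ]+' '$2 == pin { print $1 }'; }

sample_bindings() {
    cat <<'EOF'
1: tang '{"url":"http://tang1.example.com"}'
2: tpm2 '{"hash":"sha256","key":"ecc"}'
3: tang '{"url":"http://tang2.example.com"}'
5: sss '{"t":1,"pins":{"tang":[{"url":"http://tang1.example.com"}],"tpm2":{}}}'
EOF
}

# Show each binding, then ask Clevis whether the Tang-bound slots still match
# the server's current keys. "report" prints its verdict and, without -q,
# offers to rebind; act on its output rather than on a fixed exit code.
check_bindings() {
    clevis luks list -d "$DEV"
    for slot in $(clevis luks list -d "$DEV" | slots_with_pin tang); do
        echo "== slot $slot"
        clevis luks report -d "$DEV" -s "$slot" -q || true
    done
}

# Rebind SLOT against the Tang server's current key, keeping the pin config.
rebind_slot() { clevis luks regen -d "$DEV" -s "$1" -q; }

# Use the slot's binding passphrase for a task the installation passphrase is
# no longer available for: here, adding a recovery passphrase in a new slot.
# cryptsetup prompts for the new passphrase on the terminal. The binding
# passphrase crosses a pipe, so run this only as root in a trusted session;
# the tr strips any trailing newline so it is not taken as part of the key.
add_recovery_passphrase() {
    clevis luks pass -d "$DEV" -s "$1" | tr -d '\n' | cryptsetup luksAddKey "$DEV" --key-file -
}
```

Schedule check_bindings to run after every Tang key rotation: a binding that is not regenerated keeps working only as long as the server retains the old key for decryption, and stops unlocking the disk once that key is removed.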

openssl-pkcs11 rebased to 0.4.10

The openssl-pkcs11 package has been upgraded to upstream version 0.4.10, which provides many bug fixes and enhancements over the previous version. The openssl-pkcs11 package provides access to PKCS #11 modules through the engine interface. The major changes introduced by the new version are:

  • If a public key object corresponding to the private key is not available when loading an ECDSA private key, the engine loads the public key from a matching certificate, if present.
  • You can use a generic PKCS #11 URI (for example "pkcs11:type=public") because the openssl-pkcs11 engine searches all tokens that match the given PKCS #11 URI.
  • The system attempts to log in with a PIN only if a single device matches the URI search. This prevents authentication failures due to providing the PIN to all matching tokens.
  • When accessing a device, the openssl-pkcs11 engine now marks the RSA methods structure with the RSA_FLAG_FIPS_METHOD flag. In FIPS mode, OpenSSL requires the flag to be set in the RSA methods structure. Note that the engine cannot detect whether a device is FIPS-certified.

(BZ#1745082)

rsyslog rebased to 8.1911.0

The rsyslog utility has been upgraded to upstream version 8.1911.0, which provides a number of bug fixes and enhancements over the previous version. The following list includes notable enhancements:

  • New omhttp module allows you to send messages over the HTTP REST interface.
  • The file input module is enhanced to improve stability, error reporting, and truncation detection.
  • New action.resumeIntervalMax parameter that can be used with any action allows capping retry interval growth at a specified value.
  • New StreamDriver.PermitExpiredCerts option for TLS permits connections even if a certificate has expired.
  • You can now suspend and resume output based on configured external file content. This is useful in cases where the other end always accepts messages and silently drops them when it is not able to process them all.
  • Error reporting for the file output module is improved and now contains real file names and more information on causes of errors.
  • Disk queues now run multi-threaded, which improves performance.
  • You can set stricter TLS operation modes: checking of the extendedKeyUsage certificate field and stricter checking of the CN/SAN certificate fields.

(BZ#1740683)

rsyslog now provides the omhttp plugin for communication through an HTTP REST interface

With this update of the rsyslog packages, you can use the new omhttp plugin for producing an output compatible with services using a Representational State Transfer (REST) API, such as the Ceph storage platform, Amazon Simple Storage Service (Amazon S3), and Grafana Loki. This new HTTP output module provides a configurable REST path and message format, support for several batching formats, compression, and TLS encryption.

For more details, see the '/usr/share/doc/rsyslog/html/configuration/modules/omhttp.html' file installed on your system with the rsyslog-doc package.

(BZ#1676559)
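The following is an added example, not part of the release note or of the rsyslog project, that serves both the rebase list above (the TLS stream driver options and action.resumeIntervalMax) and the omhttp note: one rsyslog.d fragment that forwards over TLS with the stricter certificate checks switched on, and ships the same records to an HTTPS REST endpoint through omhttp. Hostnames, certificate paths, the bearer token and the REST path are assumptions; the parameter names are those documented in the rsyslog-doc package for these modules.

```sh
#!/bin/sh
# Added example (not from the release note or rsyslog): one rsyslog.d fragment
# that (a) forwards over TLS with the strict certificate checks from the rebase
# list and (b) ships the same records to an HTTPS REST endpoint via omhttp.
# Hostnames, paths, token and REST path are assumptions.

# Write the fragment to FILE (normally /etc/rsyslog.d/60-forward.conf).
write_forward_conf() {
    cat > "$1" <<'EOF'
global(
  workDirectory="/var/lib/rsyslog"
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/client-key.pem"
)

# (a) TLS forwarding. Verify the peer by name, require the serverAuth EKU,
# prefer SAN over CN, and refuse expired certificates. Retries back off up to
# action.resumeIntervalMax; the disk-assisted queue holds records meanwhile.
action(type="omfwd" target="logs.example.com" port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logs.example.com"
       StreamDriver.CheckExtendedKeyPurpose="on"
       StreamDriver.PrioritizeSAN="on"
       StreamDriver.PermitExpiredCerts="off"
       action.resumeRetryCount="-1"
       action.resumeInterval="10"
       action.resumeIntervalMax="300"
       queue.type="LinkedList" queue.filename="fwd_tls_q"
       queue.saveOnShutdown="on")

# (b) REST output. Records are rendered as JSON (the json property option
# escapes the message), batched into a JSON array, compressed and POSTed over
# HTTPS with mutual TLS plus a bearer token. Failed batches go to errorfile.
module(load="omhttp")
template(name="rest_json" type="string"
         string="{\"time\":\"%timereported:::date-rfc3339%\",\"host\":\"%hostname:::json%\",\"app\":\"%programname:::json%\",\"msg\":\"%msg:::json%\"}")
action(type="omhttp" server="ingest.example.com" serverport="443"
       restpath="v1/logs" usehttps="on"
       tls.cacert="/etc/pki/rsyslog/ca.pem"
       tls.mycert="/etc/pki/rsyslog/client-cert.pem"
       tls.myprivkey="/etc/pki/rsyslog/client-key.pem"
       httpheaderkey="Authorization" httpheadervalue="Bearer REPLACE_ME"
       template="rest_json"
       batch="on" batch.format="jsonarray" batch.maxsize="100"
       compress="on"
       errorfile="/var/log/rsyslog-omhttp-errors.log"
       action.resumeRetryCount="-1" action.resumeIntervalMax="300"
       queue.type="LinkedList" queue.filename="rest_q"
       queue.saveOnShutdown="on")
EOF
}

# Count the TLS hardening knobs that are set in FILE (expect 3).
strict_tls_checks() {
    grep -cE 'StreamDriver\.(CheckExtendedKeyPurpose|PrioritizeSAN)="on"|StreamDriver\.PermitExpiredCerts="off"' "$1" || :
}

# Syntax-check a fragment on its own before restarting the service.
check_conf() { rsyslogd -N1 -f "$1"; }
```

The gtls driver needs the rsyslog-gnutls package; omhttp is in rsyslog itself. Keep the token out of world-readable configuration (the fragment should be mode 0640), and note that PermitExpiredCerts="off" means an expired server certificate stops forwarding outright instead of logging a warning, so certificate renewal has to be monitored.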

omelasticsearch in rsyslog now supports rebindinterval

This update of the rsyslog packages introduces support for setting the time of periodical reconnection in the omelasticsearch module. You can improve performance when sending records to a cluster of Elasticsearch nodes by setting this parameter according to your scenario. The value of the rebindinterval parameter indicates the number of operations submitted to a node after which rsyslog closes the connection and establishes a new one. The default value -1 means that rsyslog does not re-establish the connection.

(BZ#1692073)

rsyslog mmkubernetes now provides metadata cache expiration

With this update of the rsyslog packages, you can use two new parameters for the mmkubernetes module for setting metadata cache expiration. This ensures that deleted Kubernetes objects are removed from the mmkubernetes static cache. The value of the cacheentryttl parameter indicates the maximum age of cache entries in seconds. The cacheexpireinterval parameter has the following values:

  • -1 for disabling cache-expiration checks
  • 0 for enabling cache-expiration checks
  • greater than 0 for regular cache-expiration checks in seconds

(BZ#1692072)

audit rebased to version 3.0-0.14

The audit packages have been upgraded to upstream version 3.0-0.14, which provides many bug fixes and enhancements over the previous version, most notably:

  • Added an option to interpret fields in the syslog plugin
  • Divided the 30-ospp-v42.rules file into more granular files
  • Moved example rules to the /usr/share/audit/sample-rules/ directory
  • Fixed Audit KRB5 transport mode for remote logging

(BZ#1757986)

Audit now contains many improvements from the kernel v5.5-rc1

This addition to the Linux kernel contains the majority of the enhancements, bug fixes, and cleanups related to the Audit subsystem that were introduced upstream between kernel versions 4.18 and 5.5-rc1. The following list highlights important changes:

  • Wider use of the exe field for filtering
  • Support for v3 namespaced capabilities
  • Improvements for filtering on remote file systems
  • Fix of the gid filter rule
  • Fixes of a use-after-free memory corruption and memory leaks
  • Improvements of event-record association
  • Cleanups of the fanotify interface, Audit configuration options, and the syscall interface
  • Fix of the Extended Verification Module (EVM) return value
  • Fixes and cleanups of several record formats
  • Simplifications and fixes of Virtual File System (VFS) auditing

(BZ#1716002)

fapolicyd rebased to 0.9.1-2

The fapolicyd packages that provide RHEL application whitelisting have been upgraded to upstream version 0.9.1-2. Notable bug fixes and enhancements include:

  • Process identification is fixed.
  • The subject part and the object part now have fixed positions in the rule and are separated by a colon. The required permission (execute, open, or any) follows the decision.
  • The subject and object attributes are consolidated.
  • The new rule format is as follows:

    DECISION PERMISSION SUBJECT : OBJECT

    For example:

    allow perm=open exe=/usr/bin/rpm : all

(BZ#1759895)
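The following is an added example, not part of the release note or of the fapolicyd project: a checker for the 0.9.1 rule format described above, a constructed rule set to run it on (including two lines in the old format that a migration must catch), and the commands to reload and debug the daemon. The paths, the ftype value and the attribute names used in the sample rules are assumptions; attributes must match what fapolicyd.rules(5) documents for the installed version, and the checker only validates the shape of a rule, not the attributes.

```sh
#!/bin/sh
# Added example (not from the release note or fapolicyd): a checker for the
# 0.9.1 rule format, a constructed rule set to run it on, and the commands to
# reload and debug the daemon. Paths and attribute values are assumptions.

# Validate one rule line against "DECISION PERMISSION SUBJECT : OBJECT".
# Prints a reason and returns 1 on failure; comments and blank lines pass.
# Fields are assumed to be separated by single spaces.
check_rule() {
    line=$1
    case $line in ''|'#'*) return 0 ;; esac
    decision=${line%% *}
    case $decision in
        allow|deny|allow_audit|deny_audit) ;;       # audit variants: assumption
        *) echo "bad decision: $line"; return 1 ;;
    esac
    rest=${line#* }
    perm=${rest%% *}
    case $perm in
        perm=execute|perm=open|perm=any) ;;
        *) echo "missing or invalid perm= after decision: $line"; return 1 ;;
    esac
    rest=${rest#* }
    case $rest in
        *' : '*) ;;
        *) echo "no ' : ' separator (pre-0.9.1 format?): $line"; return 1 ;;
    esac
    subject=${rest%% : *}
    object=${rest#* : }
    if [ -z "$subject" ] || [ -z "$object" ]; then
        echo "empty subject or object: $line"; return 1
    fi
    return 0
}

# Check a whole rules file; prints each problem, returns 1 if any were found.
check_rules_file() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        check_rule "$l" || bad=1
    done < "$1"
    return $bad
}

# Constructed rule set. First match wins, so the specific allows come before
# the final deny. Two lines are deliberately in the old format.
write_sample_rules() {
    cat > "$1" <<'EOF'
# the package manager may open anything (installs and updates)
allow perm=open exe=/usr/bin/rpm : all
# root may run trusted (RPM-owned) files
allow perm=any uid=0 trust=1 : all
# nobody executes shell scripts out of home directories
deny perm=execute all : ftype=text/x-shellscript dir=/home/
# old-format lines a migration must catch:
allow perm=open exe=/usr/bin/dnf all
allow exe=/usr/bin/yum : all
# default
deny perm=any all : all
EOF
}

# After editing /etc/fapolicyd/fapolicyd.rules: restart, or run the daemon in
# the foreground so every denial is printed with the rule that produced it.
reload_rules() { systemctl restart fapolicyd; }
debug_denials() { systemctl stop fapolicyd; fapolicyd --debug-deny; }
```

Run check_rules_file over the rules file before restarting: fapolicyd evaluates rules top to bottom and a malformed line can silently change which rule wins, which in a default-deny policy means either a locked-out host or an unintended allow.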

sudo rebased to version 1.8.29-3.el8

Notable fixes and changes:

  • Sudo now writes PAM messages to the user’s terminal, if available, instead of the standard output or standard error. This prevents PAM output from being intermixed with that of the command when output is sent to a file or pipe.
  • The notBefore and notAfter attributes from LDAP and SSSD now work and are displayed correctly by sudo -l.
  • The cvtsudoers command will now reject non-LDIF input when converting from LDIF format to sudoers or JSON formats.
  • The new log_allowed and log_denied sudoers settings make it possible to disable logging and auditing of allowed and/or denied commands.
  • If the user specifies a group via sudo’s -g option that matches any of the target user’s groups, it is now allowed even if no groups are present in the Runas_Spec. Previously, it was only allowed if it matched the target user’s primary group.
  • Fixed a bug that prevented sudo from honoring the value of ipa_hostname from sssd.conf, if specified, when matching the host name.
  • CVE-2019-14287: privilege escalation via a Runas specification containing the ALL keyword
  • CVE-2019-19232: an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user

(BZ#1733961)
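The following is an added example, not part of the release note or of the sudo project: it finds the Runas specification shape behind CVE-2019-14287 in a sudoers file and checks that the installed sudo is at or beyond the first fixed release. The sudoers lines written by write_sample_sudoers are constructed and are not a recommended policy.

```sh
#!/bin/sh
# Added example (not from the release note or the sudo project): locate Runas
# specifications that exclude root by negation and confirm the installed sudo
# is at or beyond the first fixed release. The sudoers lines written by
# write_sample_sudoers are constructed; they are not a recommended policy.

# Before 1.8.28, "alice ALL=(ALL, !root) /usr/bin/vim" let alice run vim as
# root via "sudo -u#-1" or "sudo -u#4294967295": the user ID -1 matched no
# account, so it was passed straight to setresuid(), where it means "no
# change" and the process kept uid 0 (CVE-2019-14287). Fixed sudo rejects
# those IDs, but the rule is still a deny-list, and sudoers(5) warns that "!"
# is generally not effective for excluding users or commands.
find_negated_runas() {
    grep -nE '=[[:space:]]*\([^)]*![[:space:]]*(root|#0)[[:space:]]*[,:)]' "$1" || :
}

# True if version A is >= version B (dotted numbers; a "pNN" suffix is ignored).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Version string of the installed sudo, e.g. "1.8.29".
installed_sudo_version() { sudo -V 2>/dev/null | sed -n '1s/^Sudo version \([0-9.]*\).*/\1/p'; }

# Exit 0 when sudo is at least 1.8.28, the first release with the fix.
sudo_is_fixed() { v=$(installed_sudo_version); [ -n "$v" ] && version_ge "$v" 1.8.28; }

write_sample_sudoers() {
    cat > "$1" <<'EOF'
Defaults    log_allowed, log_denied
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
alice       ALL=(ALL, !root) /usr/bin/vim
bob         ALL=(ALL, !#0) /usr/bin/less
carol       ALL=(ALL:!wheel) /usr/bin/systemctl status *
dave        ALL=(!root) /usr/sbin/service
EOF
}
```

Run find_negated_runas over /etc/sudoers and every file in /etc/sudoers.d (as root, since they are mode 0440). The fix in 1.8.28 closes the uid -1 route, but a rule that grants "everyone except root" still lets the user reach every other account, including service accounts that own the data the rule was meant to protect; listing the allowed target users explicitly is the robust form.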

pam_faillock module can now read settings from faillock.conf configuration file

pam_faillock, a part of pluggable authentication modules (PAM), can now read settings from the configuration file located at /etc/security/faillock.conf. This makes it easier to set up an account lockout on authentication failures, provide user profiles for this functionality, and handle different PAM configurations by simply editing the faillock.conf file.

(BZ#1537242)
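The following is an added example, not part of the release note or of Linux-PAM: a faillock.conf that locks an account after repeated failures, a small reader that shows the effective values, and the commands to enable pam_faillock through authselect and to inspect or clear a lockout. The thresholds are assumptions to be tuned to your policy; the user name is a placeholder.

```sh
#!/bin/sh
# Added example (not from the release note or Linux-PAM): a faillock.conf with
# lockout thresholds, a reader for its effective values, and the commands to
# enable pam_faillock and inspect lockouts. Thresholds are assumptions.

# Write the policy to FILE (normally /etc/security/faillock.conf).
write_faillock_conf() {
    cat > "$1" <<'EOF'
# /etc/security/faillock.conf -- read by pam_faillock (see faillock.conf(5))
# Lock after 5 consecutive failures ...
deny = 5
# ... counted within a 15 minute window ...
fail_interval = 900
# ... and unlock automatically after 10 minutes (0 = an admin must reset).
unlock_time = 600
# Apply the same policy to root.
even_deny_root
# Record lockouts through the audit subsystem.
audit
# Do not tell the user why authentication failed (no lockout hints).
silent
EOF
}

# Effective value of KEY in FILE: "key = value" prints the value, a bare flag
# prints "on", and an absent key prints "unset". Last assignment wins.
faillock_get() {
    key=$1 file=$2
    v=$(sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$file" | tail -n 1)
    if [ -n "$v" ]; then
        echo "$v"
    elif grep -qE "^[[:space:]]*${key}[[:space:]]*(#.*)?$" "$file"; then
        echo on
    else
        echo unset
    fi
}

# On RHEL 8 the supported way to add pam_faillock to the stacks is authselect.
# With the settings in faillock.conf, the module lines need no arguments:
#   auth     required      pam_faillock.so preauth
#   auth     [default=die] pam_faillock.so authfail
#   account  required      pam_faillock.so
enable_faillock() {
    authselect current                       # profile in use, for the record
    authselect enable-feature with-faillock  # keeps the current profile
}

# Inspect the per-source failure records for USER, then clear the lockout.
show_lockout()  { faillock --user "$1"; }
reset_lockout() { faillock --user "$1" --reset; }
```

Keep unlock_time above 0 unless you have a help desk ready to run reset_lockout: with the value 0, a remote attacker who knows a user name can keep that account locked indefinitely by sending wrong passwords.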

4.5. Networking

User-space applications can now retrieve the netns id selected by the kernel

User-space applications can request that the kernel select a new netns ID and assign it to a network namespace. With this enhancement, users can specify the NLM_F_ECHO flag when sending an RTM_NEWNSID netlink message to the kernel. The kernel then sends the netlink message back to user space, with the netns ID set to the value the kernel selected. As a result, user-space applications now have a reliable way to identify the netns ID the kernel selected.

(BZ#1763661)

firewalld rebased to version 0.8

The firewalld packages have been updated to version 0.8. Notable changes include:

  • This version of firewalld includes all bug fixes since version 0.7.0.
  • firewalld now uses the libnftables JSON interface to the nftables subsystem. This improves performance and reliability of rule application.
  • In service definitions, the new helper element replaces module.
  • This version allows custom helpers to use standard helper modules.

(BZ#1740670)

ndptool can now specify a destination address in IPv6 header

With this update, the ndptool utility can send a Neighbor Solicitation (NS) or a Neighbor Advertisement (NA) message to a specific destination by specifying the address in the IPv6 header. As a result, a message can be sent to addresses other than just the link-local address.

(BZ#1697595)

Rules for the firewalld service can now use connection tracking helpers for services running on a non-standard port

User-defined helpers in the firewalld service can now use standard kernel helper modules. This enables administrators to create firewalld rules to use connection tracking helpers for services running on a non-standard port.

(BZ#1733066)
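The following is an added example, not part of the release note or of the firewalld project, for the two helper notes above: it defines a custom conntrack helper backed by the standard nf_conntrack_ftp kernel module for an FTP server on a non-standard port, attaches the helper to a service, and verifies the result. The helper and service names, the port and the zone are assumptions. The firewall-cmd binary is taken from the FWCMD variable so the command sequence can be checked without a firewalld on the host.

```sh
#!/bin/sh
# Added example (not from the release note or firewalld): a custom conntrack
# helper for FTP on 2121/tcp, attached to a service. Names, port and zone are
# assumptions. FWCMD can be pointed at a stand-in for a dry run.
FWCMD=${FWCMD:-firewall-cmd}

define_ftp_helper() {
    # Custom helper that uses the standard kernel module, on the custom port.
    $FWCMD --permanent --new-helper=ftp-2121 --module=nf_conntrack_ftp
    $FWCMD --permanent --helper=ftp-2121 --add-port=2121/tcp
    # A service that opens the control port and tells conntrack to run the
    # helper on it, so the data connections negotiated inside the control
    # channel are accepted as RELATED instead of needing an open port range.
    $FWCMD --permanent --new-service=ftp-2121
    $FWCMD --permanent --service=ftp-2121 --add-port=2121/tcp
    $FWCMD --permanent --service=ftp-2121 --add-helper=ftp-2121
    $FWCMD --permanent --zone=public --add-service=ftp-2121
    $FWCMD --reload
}

verify_ftp_helper() {
    $FWCMD --info-helper=ftp-2121
    $FWCMD --info-service=ftp-2121
    $FWCMD --zone=public --list-services
    # The module is loaded on demand once a matching connection is seen.
    if lsmod | grep -q '^nf_conntrack_ftp'; then
        echo "nf_conntrack_ftp loaded"
    else
        echo "nf_conntrack_ftp not loaded yet (no FTP session seen)"
    fi
}
```

Binding the helper to one port through firewalld is the safe pattern: the kernel's automatic helper assignment (the nf_conntrack_helper sysctl, off by default on current kernels) would let any traffic on the helper's default port drive the ALG, which is how conntrack helpers have been abused to open ports from the inside.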

The whois package is now available

With this enhancement, the whois package is now available in RHEL 8.2.0. As a result, retrieving information about a specific domain name or IP address is now possible.

(BZ#1734183)

eBPF for tc is now fully supported

The Traffic Control (tc) kernel subsystem and the tc tool can attach extended Berkeley Packet Filtering (eBPF) programs as packet classifiers and actions for both ingress and egress queueing disciplines. This enables programmable packet processing inside the kernel network data path. eBPF for tc, previously available as a technology preview, is now fully supported in RHEL 8.2.

(BZ#1755347)

The libnbd library has been added to RHEL

With this update, the libnbd client library for the Network Block Device (NBD) protocol has been added to RHEL. It allows clients to use most NBD features, for example for virt-v2v warm conversions, accessing hard disks over a network, or accessing virtual hard disks.

(BZ#1715367)

4.6. Kernel

Extended Berkeley Packet Filter in RHEL 8

Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in the restricted sandbox environment with access to a limited set of functions. The virtual machine executes special assembly-like code. After the code is loaded to the kernel and verified, it is then translated to the native machine code with just-in-time compilation. There are numerous components shipped by Red Hat that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported.

The following eBPF components are fully supported in RHEL 8.2:

  • The BPF Compiler Collection (BCC) tools package is a userspace collection of dynamic kernel tracing utilities that use the eBPF virtual machine for creating efficient kernel tracing and manipulation programs. BCC provides tools for I/O analysis, networking, and monitoring of Linux operating systems using eBPF.
  • The BCC library which allows the development of tools similar to those provided in the BCC tools package.
  • The eBPF for tc feature enables programmable packet processing inside the kernel network data path.

The following eBPF components are currently available as a Technology Preview:

  • The bpftrace tracing language
  • The eXpress Data Path (XDP) feature

For details regarding the Technology Preview components, see Section 6.3, “Kernel”.

(BZ#1780124)

The numactl manual entry clarifies the memory usage output

With this release of RHEL 8, the manual page for numactl explicitly mentions that the memory usage information reflects only the resident pages on the system. The reason for this addition is to eliminate potential confusion for users whether the memory usage information relates to resident pages or virtual memory.

(BZ#1730738)

kexec-tools documents are now updated to include Kdump FCoE target support

With this enhancement, the kexec-tools documentation has been updated to include Kdump FCoE target support. As a result, users now have a better understanding of the status and details of kdump support on FCoE targets.

(BZ#1690729)

Randomizing free lists: Improved performance and utilization of direct-mapped memory-side-cache

With this enhancement, you can make the page allocator randomize its free lists, which improves the average utilization of a direct-mapped memory-side cache. The kernel command-line option page_alloc.shuffle=1 enables the randomization; the sysfs file /sys/module/page_alloc/parameters/shuffle shows whether it is enabled. Randomizing the order in which free pages are handed out spreads allocations across the cache, so that DRAM acting as a cache in front of persistent memory is used more evenly and the latency gap between DRAM and persistent memory is reduced. As a result, higher-capacity, lower-bandwidth persistent memory becomes usable on general purpose server platforms.

(BZ#1620349)

kernel-rt source tree now matches the latest RHEL 8 tree

The kernel-rt sources have been updated to use the latest RHEL kernel source tree. The realtime patch set has also been updated to the latest upstream v5.2.21-rt13 version. Both of these updates provide a number of bug fixes and enhancements.

(BZ#1680161)

rngd is now able to run with non-root privileges

The random number generator daemon (rngd) checks whether data supplied by the source of randomness is sufficiently random and then stores the data in the kernel’s random-number entropy pool. With this update, rngd is able to run with non-root user privileges to enhance system security.

(BZ#1692435)

4.7. High availability and clusters

New command options to disable a resource only if this would not affect other resources

It is sometimes necessary to disable resources only if this would not have an effect on other resources. Ensuring that this would be the case can be impossible to do by hand when complex resource relations are set up. To address this need, the pcs resource disable command now supports the following options:

  • pcs resource disable --simulate: show effects of disabling specified resource(s) while not changing the cluster configuration
  • pcs resource disable --safe: disable specified resource(s) only if no other resources would be affected in any way, such as being migrated from one node to another
  • pcs resource disable --safe --no-strict: disable specified resource(s) only if no other resources would be stopped or demoted

In addition, the pcs resource safe-disable command has been introduced as an alias for pcs resource disable --safe.

(BZ#1631519)

New command to show relations between resources

The new 'pcs resource relations' command allows you to display the relations between cluster resources in a tree structure.

(BZ#1631514)

New command to display the status of both a primary site and recovery site cluster

If you have configured a cluster to use as a recovery site, you can now register that cluster as the recovery site cluster with the pcs dr command. You can then use the pcs dr command to display the status of both your primary site cluster and your recovery site cluster from a single node.

(BZ#1676431)

Expired resource constraints are now hidden by default when listing constraints

Listing resource constraints no longer displays expired constraints by default. To include expired constraints, use the --all option of the pcs constraint command. This lists the expired constraints and marks them and their associated rules as (expired) in the display.

(BZ#1442116)

4.8. Dynamic programming languages, web and database servers

A new module: python38

RHEL 8.2 introduces Python 3.8, provided by the new module python38.

Notable enhancements compared to Python 3.6 include:

  • New Python modules, for example, contextvars, dataclasses, or importlib.resources
  • New language features, such as assignment expressions or positional-only parameters
  • Improved developer experience with the breakpoint() built-in function, the = specifier in f-strings for self-documenting expressions, and compatibility between debug and non-debug builds of Python and extension modules
  • Performance improvements
  • Improved support for optional static type hints
  • Updated versions of packages, such as pip, requests, or Cython

Python 3.8 and packages built for it can be installed in parallel with Python 3.6 on the same system.

To install packages from the python38 module, use, for example:

# yum install python38
# yum install python38-Cython

The python38:3.8 module stream will be enabled automatically.

To run the interpreter, use, for example:

$ python3.8
$ python3.8 -m cython --help

See also Installing, managing, and removing user-space components.

Note that Red Hat will continue to provide support for Python 3.6 until the end of life of RHEL 8.

(BZ#1747329)

Changes in mod_wsgi installation

Previously, when the user tried to install the mod_wsgi module using the yum install mod_wsgi command, the python3-mod_wsgi package was always installed. RHEL 8.2 introduces Python 3.8 as an addition to Python 3.6. With this update, you need to specify which version of mod_wsgi you want to install, otherwise an error message is returned.

To install the Python 3.6 version of mod_wsgi:

# yum install python3-mod_wsgi

To install the Python 3.8 version of mod_wsgi:

# yum install python38-mod_wsgi

Note that the python3-mod_wsgi and python38-mod_wsgi packages conflict with each other, and only one mod_wsgi module can be installed on a system due to a limitation of the Apache HTTP Server.

(BZ#1779705)

Support for hardware-accelerated deflate in zlib on IBM Z

This update adds support for a hardware-accelerated deflate algorithm to the zlib library on IBM Z. As a result, the performance of compression and decompression is improved on IBM Z systems that provide the hardware deflate facility.

(BZ#1659433)

A new module stream: maven:3.6

RHEL 8.2 introduces a new module stream, maven:3.6. This version of the Maven software project management and comprehension tool provides numerous bug fixes and various enhancements over the maven:3.5 stream distributed with RHEL 8.0.

To install the maven:3.6 stream, use:

# yum install @maven:3.6

If you want to upgrade from the maven:3.5 stream, see Switching to a later stream.

(BZ#1783926)

New extensions for PHP 7.3

The php:7.3 module stream has been updated to provide two new PHP extensions: rrd and Xdebug.

The rrd extension provides bindings to the RRDtool C library. RRDtool is a high performance data logging and graphing system for time series data.

The Xdebug extension is included to assist you with debugging and development. Note that the extension is provided only for development purposes and should not be used in production environments.

(BZ#1769857, BZ#1764738)

New packages: perl-LDAP and perl-Convert-ASN1

This update adds the perl-LDAP and perl-Convert-ASN1 packages to RHEL 8. The perl-LDAP package provides an LDAP client for the Perl language. perl-LDAP requires the perl-Convert-ASN1 package, which encodes and decodes Abstract Syntax Notation One (ASN.1) data structures using Basic Encoding Rules (BER) and Distinguished Encoding Rules (DER).

(BZ#1663063, BZ#1746898)

4.9. Compilers and development tools

Updated GCC Toolset 9

GCC Toolset 9 has been updated with RHEL 8.2 and provides the following tools:

Tool         Version
GCC          9.2.1
GDB          8.3
Valgrind     3.15.0
SystemTap    4.1
Dyninst      10.1.0
binutils     2.32
elfutils     0.176
dwz          0.12
make         4.2.1
strace       5.1
ltrace       0.7.91
annobin      8.79

GCC Toolset 9 is available as an Application Stream in the form of a Software Collection in the AppStream repository.

For detailed instructions regarding usage, see Using GCC Toolset.

(BZ#1789401)

Upgraded compiler toolsets

The following compiler toolsets, distributed as Application Streams, have been upgraded with RHEL 8.2:

  • Clang and LLVM Toolset, which provides the LLVM compiler infrastructure framework, the Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for code analysis, to version 9.0.0.
  • Rust Toolset, which provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and the required libraries, to version 1.39.
  • Go Toolset, which provides the Go (golang) programming language tools and libraries, to version 1.13.4. In addition, this update introduces the Delve debugger for the Go programming language.

(BZ#1789398)

grafana-pcp is now available in RHEL 8.2

The grafana-pcp package provides new Grafana data sources and application plugins that connect Performance Co-Pilot (PCP) with Grafana. With it, you can analyze historical PCP metrics through the pmseries query language and real-time PCP metrics through the pmwebapi live services. For more information, see Performance Co-Pilot Grafana Plugin.

(BZ#1685315)

4.10. Identity Management

The SMB1 protocol has been disabled in the Samba server and client utilities by default

In Samba 4.11, the default values of the server min protocol and client min protocol parameters have been changed from NT1 to SMB2_02 because the server message block version 1 (SMB1) protocol is deprecated. If you have not set these parameters in the /etc/samba/smb.conf file:

  • Clients that only support SMB1 are no longer able to connect to the Samba server.
  • Samba client utilities, such as smbclient, and the libsmbclient library fail to connect to servers that only support SMB1.

Red Hat recommends not using the SMB1 protocol. However, if your environment requires SMB1, you can manually re-enable it.

To re-enable SMB1 on a Samba server:

  • Add the following setting to the [global] section of the /etc/samba/smb.conf file:
      server min protocol = NT1
  • Restart the smb service:
      # systemctl restart smb

To re-enable SMB1 for Samba client utilities and the libsmbclient library:

  • Add the following setting to the [global] section of the /etc/samba/smb.conf file:
      client min protocol = NT1
  • Restart the smb service:
      # systemctl restart smb

Client utilities such as smbclient read /etc/samba/smb.conf when they start, so the client setting applies to their next invocation. Note that the SMB1 protocol will be removed in a future Samba release.
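Because an smb.conf that was carried over from an older release can silently keep SMB1 negotiable, the following shell functions audit the [global] section for the two parameters discussed above. This is an added example, not code from the Samba project or from this release note; the function names and the two sample configurations are constructed for the demo, and the SMB2_02 fallback assumes the Samba 4.11 default described above.

```shell
#!/usr/bin/env bash
# Added example, not code from Samba or from this release note: audit the
# [global] section of an smb.conf for settings that re-enable SMB1. The
# function names and both sample configurations are constructed for the demo.

# Print the value of a [global] parameter, matching names the way Samba does
# (case-insensitive, embedded whitespace ignored). When the parameter is
# unset, fall back to the third argument (default: the Samba 4.11 SMB2_02).
smb_global_param() {
    local file="$1" wanted value default="${3-SMB2_02}"
    wanted=$(printf '%s' "$2" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
    value=$(awk -v p="$wanted" '
        /^[ \t]*\[/ { inglobal = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        !inglobal { next }
        /^[ \t]*[;#]/ { next }                    # comment line
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1)
            val = substr($0, n + 1)
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(key) == p) last = val     # a later line overrides an earlier one
        }
        END { print last }' "$file")
    printf '%s\n' "${value:-$default}"
}

# Dialect names that still permit SMB1: NT1 and the older dialects below it.
allows_smb1() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per role; exit status 1 when either the server or the client side
# would still negotiate SMB1.
audit_smb1() {
    local file="$1" role value rc=0
    for role in server client; do
        value=$(smb_global_param "$file" "$role min protocol")
        if allows_smb1 "$value"; then
            printf '%s min protocol = %s  (SMB1 allowed)\n' "$role" "$value"
            rc=1
        else
            printf '%s min protocol = %s  (SMB1 refused)\n' "$role" "$value"
        fi
    done
    return "$rc"
}

# Constructed sample configurations.
demo=$(mktemp -d)
cat > "$demo/default.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
[homes]
   browseable = no
EOF
cat > "$demo/legacy.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   # re-enabled for an old multifunction printer that only speaks SMB1
   Server Min Protocol = NT1
   client min protocol = SMB2_02
EOF

audit_smb1 "$demo/default.conf"            # both roles: SMB1 refused, exits 0
audit_smb1 "$demo/legacy.conf" || true     # server role: NT1 (SMB1 allowed), exits 1
```

The parser deliberately stays small: it does not resolve parameter synonyms (for example, "min protocol" is a documented synonym for "server min protocol") or include files. On the host itself, `testparm -s -v | grep -i 'min protocol'` prints the effective values with defaults and synonyms resolved, and is the authoritative check to run after editing smb.conf.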

(BZ#1785248)

samba rebased to version 4.11.2

The samba packages have been upgraded to upstream version 4.11.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:

  • By default, the server message block version 1 (SMB1) protocol is now disabled in the Samba server, client utilities, and the libsmbclient library. However, you can still set the server min protocol and client min protocol parameters manually to NT1 to re-enable SMB1. Red Hat does not recommend re-enabling the SMB1 protocol.
  • The lanman auth and encrypt passwords parameters are deprecated. These parameters enable insecure authentication and are only available in the deprecated SMB1 protocol.
  • The -o parameter has been removed from the onnode utility of the clustered trivial database (CTDB).
  • The ctdbd service now logs when it uses more than 90% of a CPU thread.
  • The deprecated Python 2 support has been removed.

Samba automatically updates its tdb database files when the smbd, nmbd, or winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.

For further information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.11.0.html

(BZ#1754409)

A health check feature has been added to Directory Server

This enhancement adds a health check feature to Directory Server. The dsctl healthcheck command performs read-only operations on a Directory Server instance and reports, for example, if the instance is configured properly or if replication agreements are working correctly.

(BZ#1685160)

Directory Server rebased to version 1.4.2.4

The 389-ds-base packages have been upgraded to upstream version 1.4.2.4, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:

(BZ#1748994)

The dbverify, validate-syntax.pl, and repl-monitor.pl scripts have been replaced in Directory Server

This enhancement provides replacements for the unsupported dbverify, validate-syntax.pl, and repl-monitor.pl legacy scripts in Directory Server. These scripts have been replaced with the following commands:

  • dbverify: dsctl instance_name dbverify
  • validate-syntax.pl: dsconf schema validate-syntax
  • repl-monitor.pl: dsconf replication monitor

For a list of all legacy scripts and their replacements, see Command-line utilities replaced in Red Hat Directory Server 11.

(BZ#1739718)

4.11. The web console

Option to log in to the web console with a TLS client certificate

With this update, it is possible to configure the web console to log in with a TLS client certificate that is provided by a browser or a device such as a smart card or a YubiKey.

(BZ#1678465)

Changes to web console login

RHEL web console has been updated with the following changes:

  • The web console now automatically logs you out of your current session after 15 minutes of inactivity. You can configure the timeout, in minutes, in the /etc/cockpit/cockpit.conf file.
  • As with SSH, the web console can now optionally show the content of a banner file on the login screen. You enable this in the /etc/cockpit/cockpit.conf file.

See the cockpit.conf(5) manual page for more information.
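The following cockpit.conf ties together the TLS client certificate login from the previous note and the idle timeout and banner settings from this one. It is an added example rather than text from the release note; the section and key names are those documented in cockpit.conf(5) for the Cockpit version shipped with RHEL 8.2, and the banner path and the 15-minute value are assumptions (15 is the default this note describes). Verify the key names against the cockpit.conf(5) page on your system before relying on them.

```ini
# /etc/cockpit/cockpit.conf (added example; check key names against cockpit.conf(5))
[WebService]
# Accept a TLS client certificate (browser-held, smart card, or YubiKey)
# as the login credential instead of a password.
ClientCertAuthentication = yes

[Session]
# Log idle sessions out after this many minutes; 0 disables the timeout.
IdleTimeout = 15
# Show the content of this file on the login screen, like an SSH banner.
Banner = /etc/issue.cockpit
```

Two caveats a practitioner will want: the certificate only identifies the user, and mapping it to a local or IdM account is done by sssd's certificate mapping rules, which this note does not cover; and because cockpit-ws is socket-activated, restart the cockpit service after editing the file so that new sessions pick up the settings.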

(BZ#1754163)

The RHEL web console has been redesigned to use the PatternFly 4 user interface design system

The new design provides better accessibility and matches the design of OpenShift 4. Updates include:

  • The Overview page has been completely redesigned. For example, information is grouped into easier-to-understand panels, health information is more prominent, resource graphs have been moved to their own page, and the hardware information page is now easier to find.
  • Users can use the new Search field in the Navigation menu to find specific pages by keyword.

For more information about PatternFly, see the PatternFly project page.

(BZ#1784455)

Virtual Machines page updates

The web console’s Virtual Machines page has received several storage improvements:

  • Storage volume creation now works for all libvirt-supported types.
  • Storage pools can be created on LVM or iSCSI.

Additionally, the Virtual Machines page now supports the creation and removal of virtual network interfaces.

(BZ#1676506, BZ#1672753)

Web console Storage page updates

Usability testing showed that the "default mount point" concept on the RHEL web console Storage page was hard to grasp, and led to a lot of confusion. With this update, the web console no longer offers a "Default" choice when mounting a file system. Creating a new file system now always requires a specified mount point.

Additionally, the web console now hides the distinction between the configuration (/etc/fstab) and the run-time state (/proc/mounts). Changes made in the web console always apply to both the configuration and the run-time state. When the configuration and the run-time state differ from each other, the web console shows a warning and enables users to easily bring them back in sync.

(BZ#1784456)

4.12. Virtualization

Attempting to create a RHEL virtual machine from an install tree now returns a more helpful error message

RHEL 7 and RHEL 8 virtual machines created using the virt-install utility with the --location option in some cases fail to boot. This update adds a virt-install error message that provides instructions on how to work around this problem.

(BZ#1677019)

EDK2 rebased to version stable201908

The EDK2 package has been upgraded to version stable201908, which provides multiple enhancements. Notably:

  • EDK2 now includes support for OpenSSL-1.1.1.
  • To comply with the upstream project’s licensing requirements, the EDK2 package license has been changed from BSD and OpenSSL and MIT to BSD-2-Clause-Patent and OpenSSL and MIT.

(BZ#1748180)

Creating nested virtual machines

With this update, nested virtualization is fully supported for KVM virtual machines (VMs) running on an Intel 64 host with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs.

Note that on AMD64 systems, nested KVM virtualization remains a Technology Preview.
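Before handing a RHEL 8 host to a guest that is itself expected to act as a hypervisor, it is worth checking that nesting is actually switched on in the loaded KVM vendor module and that the host CPU exposes the hardware virtualization flag. The shell function below does that and labels the result with the support status this note gives (supported on Intel 64, Technology Preview on AMD64). It is an added example, not a Red Hat tool or text from the release note; the two optional arguments that override /sys and /proc exist only so the check can be exercised against a constructed tree, and that tree is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the release notes or any Red Hat tool: report
# whether nested KVM is enabled on a RHEL 8 host and whether that setup is
# fully supported (Intel 64) or Technology Preview (AMD64) per this note.
# The optional arguments override /sys and /proc so the check can run against
# a constructed tree; they are an assumption of this demo only.

nested_kvm_status() {
    local sysroot="${1:-/sys}" procroot="${2:-/proc}"
    local module hwflag support value flags
    # The "nested" module parameter lives under whichever vendor module is loaded.
    if [ -r "$sysroot/module/kvm_intel/parameters/nested" ]; then
        module=kvm_intel; hwflag=vmx; support=supported
    elif [ -r "$sysroot/module/kvm_amd/parameters/nested" ]; then
        module=kvm_amd;   hwflag=svm; support=technology-preview
    else
        echo "no-kvm-module"
        return 1
    fi
    # The host CPU must expose VMX/SVM, otherwise KVM itself cannot run guests.
    flags=$(grep '^flags' "$procroot/cpuinfo" 2>/dev/null | head -n 1)
    case " ${flags#*:} " in
        *" $hwflag "*) ;;
        *) echo "$module:missing-$hwflag"; return 1 ;;
    esac
    # kvm_intel reports the parameter as Y/N, kvm_amd as 1/0.
    value=$(tr -d ' \t\n' < "$sysroot/module/$module/parameters/nested")
    case "$value" in
        Y|1) echo "$module:nested-enabled:$support" ;;
        N|0) echo "$module:nested-disabled:$support"; return 1 ;;
        *)   echo "$module:nested-unknown:$value"; return 1 ;;
    esac
}

# Constructed sysfs/procfs tree standing in for a RHEL 8 Intel host with
# nesting on, so the check can be exercised without root or real hardware.
demo=$(mktemp -d)
mkdir -p "$demo/sys/module/kvm_intel/parameters" "$demo/proc"
echo Y > "$demo/sys/module/kvm_intel/parameters/nested"
printf 'processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae vmx ssse3 sse4_1\n' > "$demo/proc/cpuinfo"

nested_kvm_status "$demo/sys" "$demo/proc"   # kvm_intel:nested-enabled:supported
nested_kvm_status || true                     # the real host, when run as a script
```

On a real host the function reads /sys/module/kvm_intel/parameters/nested (or the kvm_amd equivalent) directly; a non-zero exit means the guest will not be able to load KVM, and the third field tells you whether Red Hat treats the configuration as supported or as a Technology Preview.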

(JIRA:RHELPLAN-14047, JIRA:RHELPLAN-24437)