Chapter 5. New features
This part describes new features and major enhancements introduced in Red Hat Enterprise Linux 8.2.
5.1. Installer and image creation
Ability to register your system, attach RHEL subscriptions, and install from the Red Hat CDN
In RHEL 8.2, you can register your system, attach RHEL subscriptions, and install from the Red Hat Content Delivery Network (CDN) before package installation. Interactive GUI installations, as well as automated Kickstart installations, support this feature. Benefits include:
- The use of the smaller Boot ISO image file removes the need to download the larger Binary DVD ISO image file.
- The CDN uses the latest packages that result in a fully subscribed and up-to-date system immediately after installation. There is no requirement to install package updates after installation.
- Registration is performed before package installation, resulting in a shorter and more streamlined installation process.
- Integrated support for Red Hat Insights is available.
Ability to register your system to Red Hat Insights during installation
In RHEL 8.2, you can register your system to Red Hat Insights during installation. Interactive GUI installations, as well as automated Kickstart installations, support this feature.
- Easier to identify, prioritize, and resolve issues before business operations are affected.
- Proactively identify and remediate threats to security, performance, availability, and stability with predictive analytics.
- Avoid problems and unplanned downtime in your environment.
Image Builder now offers cloud-init support for creating Azure images
With this enhancement, cloud-init support is available for Azure images created by Image Builder. As a result, the creation of on-premise images with fast-provisioning and the ability to add custom data is available to customers.
5.2. Software management
User-Agent header string now includes information read from the
With this enhancement, the User-Agent header string, which is normally included with the HTTP requests made by DNF, has been extended with information read from the
To obtain more information, see user_agent in the dnf.conf(5) man page.
dnf-automatic.timer timer units now use the real-time clock by default
Previously, the dnf-automatic.timer timer units used the monotonic clock, which resulted in an unpredictable activation time after the system boot. With this update, the timer units run between 6 a.m. and 7 a.m. If the system is off during that time, the timer units are activated within one hour after the system boot.
createrepo_c utility now skips packages whose metadata contains the disallowed control characters
To ensure a valid XML, the package metadata must not contain any control characters, with the exception of:
- the horizontal tab
- the newline character
- the carriage return character
With this update, the createrepo_c utility does not include packages with metadata containing disallowed control characters in a newly created repository, and returns the following error message:
C_CREATEREPOLIB: Critical: Cannot dump XML for PACKAGE_NAME (PACKAGE_SUM): Forbidden control chars found (ASCII values <32 except 9, 10 and 13)
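The control-character rule above, as an added example rather than createrepo_c's own code: a pre-check over constructed package metadata, with the resulting XML handed to a conforming parser to show that the rejected characters really do break repository metadata.

```python
"""Added example (not createrepo_c's own code): find the control characters
that createrepo_c now rejects and show why, by feeding the resulting
metadata to a conforming XML parser. XML 1.0 permits only tab (9),
newline (10) and carriage return (13) among the ASCII values below 32.
The sample packages below are constructed; the checksums are placeholders."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

ALLOWED_CONTROL = {9, 10, 13}   # the three exceptions named in the error message
TEXT_FIELDS = ("name", "summary", "description")


def forbidden_control_chars(text: str) -> List[Tuple[int, int]]:
    """Return (offset, ASCII value) for every disallowed control character."""
    return [(i, ord(c)) for i, c in enumerate(text)
            if ord(c) < 32 and ord(c) not in ALLOWED_CONTROL]


def check_package(pkg: Dict[str, str]) -> Optional[str]:
    """Return a message in the createrepo_c style, or None if the metadata is clean."""
    for field in TEXT_FIELDS:
        if forbidden_control_chars(pkg.get(field, "")):
            return ("C_CREATEREPOLIB: Critical: Cannot dump XML for "
                    f"{pkg['name']} ({pkg['sum']}): Forbidden control chars "
                    "found (ASCII values <32 except 9, 10 and 13)")
    return None


def package_xml(pkg: Dict[str, str]) -> bytes:
    """Serialize the package as a minimal primary.xml-like fragment. ElementTree
    escapes &, < and > but writes control characters through unchanged, which is
    how an invalid document gets produced if nothing checks first."""
    root = ET.Element("package", type="rpm")
    for field in TEXT_FIELDS:
        ET.SubElement(root, field).text = pkg.get(field, "")
    ET.SubElement(root, "checksum", type="sha256").text = pkg["sum"]
    return ET.tostring(root)


def is_well_formed(xml_bytes: bytes) -> bool:
    """True when the expat parser behind ElementTree accepts the document."""
    try:
        ET.fromstring(xml_bytes)
        return True
    except ET.ParseError:
        return False


CLEAN_PKG = {"name": "hello", "sum": "PLACEHOLDER_SHA256_1",
             "summary": "Greets the user",
             "description": "Line one.\n\tIndented line two.\r\n"}   # only allowed controls
BAD_PKG = {"name": "broken", "sum": "PLACEHOLDER_SHA256_2",
           "summary": "Summary with a \x1b[0m escape sequence",   # ESC (27) is forbidden
           "description": "Also a form feed \x0c here"}          # FF (12) is forbidden


def demo() -> Dict[str, object]:
    """Run both packages through the pre-check and through the XML parser."""
    return {
        "clean_error": check_package(CLEAN_PKG),
        "clean_xml_ok": is_well_formed(package_xml(CLEAN_PKG)),
        "bad_error": check_package(BAD_PKG),
        "bad_xml_ok": is_well_formed(package_xml(BAD_PKG)),
        "bad_offsets": forbidden_control_chars(BAD_PKG["summary"]),
    }
```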
5.3. Shells and command-line tools
opencv rebased to version 3.4.6
The opencv packages have been upgraded to upstream version 3.4.6. Notable changes include:
- Support for new OpenCL parameters, such as
- The objdetect module now supports the QR code detection algorithm.
- Multiple new methods, such as
- Multiple new functions, such as
- Various performance improvements, including improvements of the GaussianBlur function and the v_store_interleave intrinsics when using SSSE3 instructions.
5.4. Infrastructure services
graphviz-python3 is now distributed in the CRB repository
This update adds the graphviz-python3 package to RHEL 8. The package provides bindings required for using the Graphviz graph visualization software from Python.
Note that the graphviz-python3 package is distributed in the unsupported CodeReady Linux Builder (CRB) repository.
tuned rebased to version 2.13.0
The tuned packages have been upgraded to upstream version 2.13.0. Notable enhancements include:
- Architecture-dependent tuning framework has been added.
- Support for multiple include directives has been added.
- Tuning in the realtime profiles has been updated.
powertop rebased to version 2.11
The powertop package has been upgraded to version 2.11, which provides the following notable change:
- Support for the EHL, TGL, ICL/ICX platforms
BIND now supports GeoIP2 instead of GeoLite Legacy GeoIP
The GeoLite Legacy GeoIP library is no longer supported in BIND. With this update, GeoLite Legacy GeoIP has been replaced with GeoIP2, which is provided in the libmaxminddb data format.
Note that the new format may require some configuration changes, and the format also does not support the following legacy GeoIP access control list (ACL) settings:
- geoip netspeed
- geoip org
- ISO 3166 Alpha-3 country codes
stale-answer now provides old cached records in case of DDoS attack
Previously, a Distributed Denial of Service (DDoS) attack caused the authoritative servers to fail with the SERVFAIL error. With this update, the stale-answer functionality provides the expired records until a fresh response is obtained.
To enable or disable the serve-stale feature, use either of these:
- Configuration file
- Remote control channel (rndc)
BIND rebased to version 9.11.13
The bind packages have been upgraded to version 9.11.13. Notable changes include:
- The tcp-highwater statistics variable has been added. This variable shows the maximum number of concurrent TCP clients recorded during a run.
- The SipHash-2-4-based DNS Cookies (RFC 7873) algorithm has been added.
- Glue addresses for root priming queries are returned regardless of how the minimal-responses configuration option is set.
- The named-checkconf command now ensures the validity of the
- Automatic rollover per RFC 5011 no longer fails when the
managed-keys statements are both configured for the same name. Instead, a warning message is logged.
- Internationalized Domain Name (IDN) processing in the
nslookup utilities is now disabled by default when they are not run on a terminal (for example, in a script). IDN processing in
dig can be switched on by using the
RHEL 8 now contains the DISA STIG profile
Security Technical Implementation Guides (STIG) are a set of baseline recommendations published by the Defense Information Systems Agency (DISA) to harden the security of information systems and software that might otherwise be vulnerable. This release includes the profile and Kickstart file for this security policy. With this enhancement, users can check systems for compliance, remediate systems to be compliant, and install systems compliant with DISA STIG for Red Hat Enterprise Linux 8.
crypto-policies can now be customized
With this update, you can adjust certain algorithms or protocols of any policy level or set a new complete policy file as the current system-wide cryptographic policy. This enables administrators to customize the system-wide cryptographic policy as required by different scenarios.
RPM packages should store the policies they provide in the /usr/share/crypto-policies/policies directory. The /etc/crypto-policies/policies directory contains local custom policies.
For more information, see the Custom Policies and Crypto Policy Definition Format sections in the update-crypto-policies(8) man page.
SCAP Security Guide now supports ACSC Essential Eight
scap-security-guide packages now provide the Australian Cyber Security Centre (ACSC) Essential Eight compliance profile and a corresponding Kickstart file. With this enhancement, users can install a system that conforms with this security baseline. Furthermore, you can use the OpenSCAP suite for checking security compliance and remediation using this specification of minimum security controls defined by ACSC.
oscap-podman for security and compliance scanning of containers is now available
This update of the openscap packages introduces a new utility for security and compliance scanning of containers. The oscap-podman tool provides an equivalent of the oscap-docker utility, which serves for scanning containers and container images in RHEL 7.
setroubleshoot can now analyze and react to execmem access denials
This update introduces a new setroubleshoot plugin. The plugin can analyze execmem access denials (AVCs) and provide relevant advice. As a result, setroubleshoot can now suggest switching a boolean if that allows the access, or report the issue when no boolean can allow it.
The setools-gui package, which has been part of RHEL 7, is now introduced to RHEL 8. Graphical tools help inspect relations and data flows, especially in multi-level systems with highly specialized SELinux policies. With the apol graphical tool from the setools-gui package, you can inspect and analyze aspects of an SELinux policy. Tools from the setools-console-analyses package enable you to analyze domain transitions and SELinux policy information flows.
Confined users in SELinux can now manage user session services
Previously, confined users were not able to manage user session services. As a result, they could not execute systemctl --user or busctl --user commands or work in the RHEL web console. With this update, confined users can manage user sessions.
lvmdbusd service is now confined by SELinux
The lvmdbusd service provides a D-Bus API to the logical volume manager (LVM). Previously, the lvmdbusd daemon could not transition to the lvm_t context even though the SELinux policy for lvm_t was defined. As a consequence, the lvmdbusd daemon was executed in the unconfined_service_t domain and SELinux labeled lvmdbusd as unconfined. With this update, the lvmdbusd executable file has the lvm_exec_t context defined and lvmdbusd can now be used correctly with SELinux in enforcing mode.
semanage now supports listing and modifying SCTP and DCCP ports
Previously, semanage port allowed listing and modifying of only TCP and UDP ports. This update adds SCTP and DCCP protocol support to semanage port. As a result, administrators can now check whether two machines can communicate via SCTP and fully enable SCTP features to successfully deploy SCTP-based applications.
semanage export now shows customizations related to permissive domains
With this update, the semanage utility, which is part of the policycoreutils package for SELinux, is able to display customizations related to permissive domains. System administrators can now transfer permissive local modifications between machines using the semanage export command.
udica can add new allow rules generated from SELinux denials to existing container policy
When a container that is running under a policy generated by the udica utility triggers an SELinux denial, udica is now able to update the policy. The new parameter --append-rules can be used to append rules from an AVC file.
New SELinux types enable services to run confined
This update introduces new SELinux types that enable the following services to run as confined services in SELinux enforcing mode instead of running in the
- lldpd now runs as
- rrdcached now runs as
- stratisd now runs as
- timedatex now runs as
Clevis is able to list policies in place for a given LUKS device
With this update, the clevis luks list command lists PBD policies in place for a given LUKS device. This makes it easier to find information on Clevis pins in use and pin configuration, for example, Tang server addresses, details on tpm2 policies, and SSS thresholds.
Clevis provides new commands for reporting key status and rebinding expired keys
The clevis luks report command now provides a simple way to report whether keys for a particular binding require rotation. Regular key rotations in a Tang server improve the security of Network-Bound Disk Encryption (NBDE) deployments, and therefore the client should provide detection of expired keys. If the key is expired, Clevis suggests using the clevis luks regen command, which rebinds the expired key slot with a current key. This significantly simplifies the process of key rotation.
Clevis can now extract the passphrase used for binding a particular slot in a LUKS device
With this update to the Clevis policy-based decryption framework, you can now extract the passphrase used for binding a particular slot in a LUKS device. Previously, if the LUKS installation passphrase was erased, Clevis could not perform LUKS administrative tasks, such as re-encryption, enabling a new key slot with a user passphrase, and re-binding Clevis when the administrator needs to change the sss threshold. This update introduces the clevis luks pass command that shows the passphrase used for binding a particular slot.
Clevis now provides improved support for decrypting multiple LUKS devices on boot
The clevis packages have been updated to provide better support for decrypting multiple LUKS-encrypted devices on boot. Prior to this improvement, the administrator had to perform complicated changes to the system configuration to enable the proper decryption of multiple devices by Clevis on boot. With this release, you can set up the decryption by using the clevis luks bind command and updating the initramfs through the dracut -fv --regenerate-all command.
For more details, see the Configuring automated unlocking of encrypted volumes using policy-based decryption section.
openssl-pkcs11 rebased to 0.4.10
The openssl-pkcs11 package has been upgraded to upstream version 0.4.10, which provides many bug fixes and enhancements over the previous version. The openssl-pkcs11 package provides access to PKCS #11 modules through the engine interface. The major changes introduced by the new version are:
- If a public key object corresponding to the private key is not available when loading an ECDSA private key, the engine loads the public key from a matching certificate, if present.
- You can use a generic PKCS #11 URI (for example pkcs11:type=public) because the openssl-pkcs11 engine searches all tokens that match a given PKCS #11 URI.
- The system attempts to log in with a PIN only if a single device matches the URI search. This prevents authentication failures due to providing the PIN to all matching tokens.
- When accessing a device, the openssl-pkcs11 engine now marks the RSA methods structure with the RSA_FLAG_FIPS_METHOD flag. In FIPS mode, OpenSSL requires the flag to be set in the RSA methods structure. Note that the engine cannot detect whether a device is FIPS-certified.
rsyslog rebased to 8.1911.0
The rsyslog utility has been upgraded to upstream version 8.1911.0, which provides a number of bug fixes and enhancements over the previous version. The following list includes notable enhancements:
- The omhttp module allows you to send messages over the HTTP REST interface.
- The file input module is enhanced to improve stability, error reporting, and truncation detection.
- The action.resumeIntervalMax parameter, which can be used with any action, allows capping retry interval growth at a specified value.
- The StreamDriver.PermitExpiredCerts option for TLS permits connections even if a certificate has expired.
- You can now suspend and resume output based on configured external file content. This is useful in cases where the other end always accepts messages and silently drops them when it is not able to process them all.
- Error reporting for the file output module is improved and now contains real file names and more information on causes of errors.
- Disk queues now run multi-threaded, which improves performance.
- You can set stricter TLS operation modes: checking of the extendedKeyUsage certificate field and stricter checking of the
rsyslog now provides the omhttp plugin for communication through an HTTP REST interface
With this update of the rsyslog packages, you can use the new omhttp plugin for producing an output compatible with services using a Representational State Transfer (REST) API, such as the Ceph storage platform, Amazon Simple Storage Service (Amazon S3), and Grafana Loki. This new HTTP output module provides a configurable REST path and message format, support for several batching formats, compression, and TLS encryption.
For more details, see the /usr/share/doc/rsyslog/html/configuration/modules/omhttp.html file installed on your system with the
rsyslog now supports
This update of the rsyslog packages introduces support for setting the time of periodical reconnection in the omelasticsearch module. You can improve performance when sending records to a cluster of Elasticsearch nodes by setting this parameter according to your scenario. The value of the rebindinterval parameter indicates the number of operations submitted to a node after which rsyslog closes the connection and establishes a new one. The default value -1 means that rsyslog does not re-establish the connection.
mmkubernetes now provides metadata cache expiration
With this update of the rsyslog packages, you can use two new parameters for the mmkubernetes module for setting metadata cache expiration. This ensures that deleted Kubernetes objects are removed from the mmkubernetes static cache. The value of the cacheentryttl parameter indicates the maximum age of cache entries in seconds. The cacheexpireinterval parameter has the following values:
- -1 for disabling cache-expiration checks
- 0 for enabling cache-expiration checks
- greater than 0 for regular cache-expiration checks in seconds
audit rebased to version 3.0-0.14
The audit packages have been upgraded to upstream version 3.0-0.14, which provides many bug fixes and enhancements over the previous version, most notably:
- Added an option to interpret fields in the syslog plugin
- Split the 30-ospp-v42.rules file into more granular files
- Moved example rules to the
- Fixed Audit KRB5 transport mode for remote logging
Audit now contains many improvements from the kernel v5.5-rc1
This addition to the Linux kernel contains the majority of enhancements, bug fixes, and cleanups related to the Audit subsystem introduced between versions 4.18 and 5.5-rc1. The following list highlights important changes:
- Wider use of the exe field for filtering
- Support for v3 namespaced capabilities
- Improvements for filtering on remote file systems
- Fix of the
- Fixes of a use-after-free memory corruption and memory leaks
- Improvements of event-record association
- Cleanups of the fanotify interface, Audit configuration options, and the syscall interface
- Fix of the Extended Verification Module (EVM) return value
- Fixes and cleanups of several record formats
- Simplifications and fixes of Virtual File System (VFS) auditing
fapolicyd rebased to 0.9.1-2
The fapolicyd packages, which provide RHEL application whitelisting, have been upgraded to upstream version 0.9.1-2. Notable bug fixes and enhancements include:
- Process identification is fixed.
- The subject part and the object part are now positioned strictly in the rule. Both parts are separated by a colon, and they contain the required permission (execute, open, any).
- The subject and object attributes are consolidated.
The new rule format is the following:
DECISION PERMISSION SUBJECT : OBJECT
allow perm=open exe=/usr/bin/rpm : all
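A parser and first-match evaluator for this rule format, added here as an example and not taken from fapolicyd; the rule set and access events are constructed, and the prefix semantics of dir= and the allow/deny decision set are assumptions.

```python
"""Added example (not fapolicyd's own code): parse rules in the 0.9.1 format
DECISION PERMISSION SUBJECT : OBJECT and evaluate them first match wins.
Assumptions: decisions are allow/deny, a part is "all" or key=value attributes,
"dir=" matches by path prefix, every other attribute must match exactly."""
from typing import Dict, List, NamedTuple, Optional, Tuple

DECISIONS = {"allow", "deny"}
PERMISSIONS = {"execute", "open", "any"}   # the required permission values
Attrs = Dict[str, str]


class Rule(NamedTuple):
    decision: str
    perm: str
    subject: Attrs
    obj: Attrs


def _parse_attrs(tokens: List[str]) -> Attrs:
    """'all' means no constraint; otherwise every token must be key=value."""
    if tokens == ["all"]:
        return {}
    if not tokens or any("=" not in tok for tok in tokens):
        raise ValueError(f"expected 'all' or key=value attributes, got {tokens}")
    return dict(tok.split("=", 1) for tok in tokens)


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raise ValueError when it does not fit the format."""
    tokens = line.split("#", 1)[0].split()
    if ":" not in tokens:
        raise ValueError("subject and object must be separated by ':'")
    colon = tokens.index(":")
    head, obj_tokens = tokens[:colon], tokens[colon + 1:]
    if len(head) < 3:
        raise ValueError("need DECISION, PERMISSION and SUBJECT before ':'")
    if head[0] not in DECISIONS:
        raise ValueError(f"unknown decision {head[0]!r}")
    if not head[1].startswith("perm=") or head[1][5:] not in PERMISSIONS:
        raise ValueError(f"bad permission {head[1]!r}")
    return Rule(head[0], head[1][5:], _parse_attrs(head[2:]), _parse_attrs(obj_tokens))


def parse_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Parse a whole rules file; return valid rules and one error per bad line."""
    rules, errors = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.split("#", 1)[0].strip():
            continue                      # blank line or comment
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
    return rules, errors


def _attrs_match(wanted: Attrs, actual: Attrs) -> bool:
    for key, value in wanted.items():
        if key == "dir":                  # directory prefix match (assumption)
            if not actual.get("path", "").startswith(value):
                return False
        elif actual.get(key) != value:
            return False
    return True


def decide(rules: List[Rule], perm: str, subject: Attrs, obj: Attrs) -> Optional[str]:
    """Decision of the first matching rule, or None when no rule matches."""
    for rule in rules:
        if (rule.perm in ("any", perm) and _attrs_match(rule.subject, subject)
                and _attrs_match(rule.obj, obj)):
            return rule.decision
    return None


# Constructed rule set in the new SUBJECT : OBJECT format; order matters.
SAMPLE_RULES = """\
# keep the shell from running anything under /tmp, whoever runs it
deny perm=execute exe=/usr/bin/bash : dir=/tmp/
allow perm=open exe=/usr/bin/rpm : all
allow perm=any uid=0 : all
deny perm=any all : all
"""


def demo() -> Dict[str, Optional[str]]:
    """Evaluate constructed access events (perm, subject, object) against SAMPLE_RULES."""
    rules, errors = parse_rules(SAMPLE_RULES)
    assert not errors, errors
    return {
        "rpm_opens_db": decide(rules, "open", {"exe": "/usr/bin/rpm", "uid": "0"},
                               {"path": "/var/lib/rpm/Packages"}),
        # first rule wins even though a later rule allows uid=0 anything
        "root_bash_runs_tmp": decide(rules, "execute", {"exe": "/usr/bin/bash", "uid": "0"},
                                     {"path": "/tmp/x.sh"}),
        "user_bash_runs_ls": decide(rules, "execute", {"exe": "/usr/bin/bash", "uid": "1000"},
                                    {"path": "/usr/bin/ls"}),
    }
```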
sudo rebased to 1.8.29-3.el8
The sudo packages have been upgraded to upstream version 1.8.29-3, which provides a number of bug fixes and enhancements over the previous version. The major changes introduced by the new version are:
- sudo now writes Pluggable Authentication Module (PAM) messages to the user's terminal, if available, instead of the standard output or standard error output. This prevents possible confusion of PAM output and command output sent to files and pipes.
- notAfter options from LDAP and SSSD now work and display correctly with the
- The cvtsudoers command now rejects non-LDAP Data Interchange Format (LDIF) input when converting from LDIF to sudoers and JSON formats.
- With the new
sudoers, you can disable logging and auditing of allowed and denied commands.
- You can now use the -g option to specify a group that matches any of the target user's groups even if no groups are present in the runas_spec specification. Previously, you could only do so if the group matched the target user's primary group.
- Fixed a bug that prevented sudo from matching the host name to the value of
sssd.conf, if specified.
- A vulnerability that allowed a sudo user to run a command as root when the
root access with the ALL keyword is now fixed (CVE-2019-14287).
- The use of unknown user and group IDs for permissive sudoers entries, for example using the ALL keyword, is now disabled. You can enable it with the
pam_namespace module now allows specifying additional mount options for
nodev mount options can now be used in the /etc/security/namespace.conf configuration file to respectively disable the setuid bit effect, disable running executables, and prevent files from being interpreted as character or block devices on the mounted
Additional mount options are specified in the tmpfs(5) man page.
pam_faillock can now read settings from the faillock.conf configuration file
The pam_faillock module, a part of pluggable authentication modules (PAM), can now read settings from the configuration file located at /etc/security/faillock.conf. This makes it easier to set up an account lockout on authentication failures, provide user profiles for this functionality, and handle different PAM configurations by simply editing the
User-space applications can now retrieve the netns id selected by the kernel
User-space applications can request the kernel to select a new netns ID and assign it to a network namespace. With this enhancement, users can specify the NLM_F_ECHO flag when sending a netlink message to the kernel. The kernel then sends the netlink message back to the user. This message includes the netns ID set to the value the kernel selected. As a result, user-space applications now have a reliable option to identify the netlink ID the kernel selected.
firewalld rebased to version 0.8
The firewalld packages have been updated to version 0.8. Notable changes include:
- This version of firewalld includes all bug fixes since version 0.7.0.
- firewalld now uses the libnftables JSON interface to the nftables subsystem. This improves performance and reliability of rule application.
- In service definitions, the new
- This version allows custom helpers to use standard helper modules.
ndptool can now specify a destination address in IPv6 header
With this update, the ndptool utility can send a Neighbor Solicitation (NS) or a Neighbor Advertisement (NA) message to a specific destination by specifying the address in the IPv6 header. As a result, a message can be sent to addresses other than just the link-local address.
nftables now supports multi-dimensional IP set types
With this enhancement, the nftables packet-filtering framework supports set types with concatenations and intervals. As a result, administrators no longer require workarounds to create multi-dimensional IP set types.
nftables rebased to version 0.9.3
The nftables packages have been upgraded to upstream version 0.9.3, which provides a number of bug fixes and enhancements over the previous version:
- A JSON API has been added to the libnftables library. This library provides a high-level interface to manage nftables rule sets from third-party applications. To use the new API in Python, install the
- Statements support IP prefixes and ranges, such as
- Support for operating system fingerprints has been added to mark packets based on the guessed operating system. For further details, see the osf expression section in the
- Transparent proxy support has been added to redirect packets to a local socket without changing the packet header in any way. For details, see the tproxy statement section in the
- The security mark support has been added.
- The support for dynamic sets updates has been improved to set updates from the packet path.
- The support for transport header port matching has been added.
For further information about notable changes, read the upstream release notes before updating:
Rules for the firewalld service can now use connection tracking helpers for services running on a non-standard port
User-defined helpers in the firewalld service can now use standard kernel helper modules. This enables administrators to create firewalld rules that use connection tracking helpers for services running on a non-standard port.
whois package is now available
With this enhancement, the whois package is now available in RHEL 8.2.0. As a result, retrieving information about a specific domain name or IP address is now possible.
eBPF for tc is now fully supported
The Traffic Control (tc) kernel subsystem and the tc tool can attach extended Berkeley Packet Filtering (eBPF) programs as packet classifiers and actions for both ingress and egress queueing disciplines. This enables programmable packet processing inside the kernel network data path. eBPF for tc, previously available as a technology preview, is now fully supported in RHEL 8.2.
Kernel version in RHEL 8.2
Red Hat Enterprise Linux 8.2 is distributed with the kernel version 4.18.0-193.
Extended Berkeley Packet Filter for RHEL 8.2
The Extended Berkeley Packet Filter (eBPF) is an in-kernel virtual machine that allows code execution in the kernel space, in a restricted sandbox environment with access to a limited set of functions. The virtual machine executes a special assembly-like code. The eBPF bytecode is first loaded into the kernel, then verified, translated to native machine code by just-in-time compilation, and finally executed by the virtual machine.
Red Hat ships numerous components that utilize the eBPF virtual machine. Each component is in a different development phase, and thus not all components are currently fully supported. In RHEL 8.2, the following eBPF components are supported:
- The BPF Compiler Collection (BCC) tools package, which is a userspace collection of dynamic kernel tracing utilities that use the eBPF virtual machine for creating efficient kernel tracing and manipulation programs. The BCC provides tools for I/O analysis, networking, and monitoring of Linux operating systems using eBPF.
- The BCC library which allows the development of tools similar to those provided in the BCC tools package.
- The eBPF for Traffic Control (tc) feature, which enables programmable packet processing inside the kernel network data path.
All other eBPF components are available as Technology Preview, unless a specific component is indicated as supported.
The following notable eBPF components are currently available as Technology Preview:
- The eXpress Data Path (XDP) feature
For more information regarding the Technology Preview components, see Technology Previews.
Control Group v2 is now fully supported in RHEL 8
The Control Group v2 mechanism is a unified-hierarchy control group. Control Group v2 organizes processes hierarchically and distributes system resources along the hierarchy in a controlled and configurable manner.
Unlike the previous version, Control Group v2 has only a single hierarchy. This single hierarchy enables the Linux kernel to:
- Categorize processes based on the role of their owner.
- Eliminate issues with conflicting policies of multiple hierarchies.
Control Group v2 supports numerous controllers. Some of the examples are:
- CPU controller regulates the distribution of CPU cycles. This controller implements:
  - Weight and absolute bandwidth limit models for normal scheduling policy.
  - Absolute bandwidth allocation model for real-time scheduling policy.
- Cpuset controller confines processor and/or memory placement of processes to only those of the mentioned resources that are specified in the
- Memory controller regulates the memory distribution. Currently, the following types of memory usages are tracked:
  - Userland memory - page cache and anonymous memory.
  - Kernel data structures such as dentries and inodes.
  - TCP socket buffers.
- I/O controller regulates the distribution of I/O resources.
- Writeback controller interacts with both Memory and I/O controllers and is Control Group v2 specific.
The information above was based on Control Group v2 upstream documentation. You can refer to the same link to obtain more information about particular Control Group v2 controllers.
Be warned that not all features mentioned in the upstream document are implemented yet in RHEL 8.
Randomizing free lists: Improved performance and utilization of direct-mapped memory-side-cache
With this enhancement, you can enable the page allocator to randomize free lists and improve the average utilization of a direct-mapped memory-side-cache. The kernel command-line option page_alloc.shuffle enables the page allocator to randomize the free lists and sets the boolean flag to
sysfs file, which is located at /sys/module/page_alloc/parameters/shuffle, reads the flag status and shuffles the free lists such that the Dynamic Random Access Memory (DRAM) is cached and the latency band between the DRAM and persistent memory is reduced. As a result, persistent memory with a higher capacity and lower bandwidth is available on general purpose server platforms.
The TPM userspace tool has been updated to the latest version
The tpm2-tools userspace tool has been updated to version 3.2.1. This update provides several bug fixes, in particular relating to the Platform Configuration Register code and manual page clean-ups.
The C620-series PCH chipset now supports the Intel Trace Hub feature
This update adds hardware support for Intel Trace Hub (TH) in C620-series Platform Controller Hub (PCH), also known as Lewisburg PCH. Users with C620-series PCH can now use Intel TH.
perf tool now supports per die events aggregation for CLX-AP and CPX processors
With this update, the perf tool now provides support for per-die event count aggregation for some Intel CPUs with multiple dies. To enable this mode, add the --per-die option in addition to the -a option for Xeon Cascade Lake-AP (CLX-AP) and Cooper Lake (CPX) system processors. As a result, this update detects any imbalance between the dies. The perf stat command captures the event counts and displays the output as:
# perf stat -e cycles --per-die -a -- sleep 1
Performance counter stats for 'system wide':
S0-D0 8 21,029,877 cycles
S0-D1 8 19,192,372 cycles
The threshold of crashkernel=auto is decreased on IBM Z
The lower threshold of the crashkernel=auto kernel command-line parameter is now decreased from 4G to 1G on IBM Z systems. This implementation allows IBM Z to align with the threshold of the AMD64 and Intel 64 systems and share the same reservation policy on the lower threshold of crashkernel=auto. As a result, the crash kernel is able to automatically reserve memory for kdump on systems with less than 4GB RAM.
numactl manual entry clarifies the memory usage output
With this release of RHEL 8, the manual page for numactl explicitly mentions that the memory usage information reflects only the resident pages on the system. The reason for this addition is to eliminate potential confusion for users about whether the memory usage information relates to resident pages or virtual memory.
kexec-tools document is now updated to include Kdump FCoE target support
In this release, the /usr/share/doc/kexec-tools/supported-kdump-targets.txt file has been updated to include Kdump Fibre Channel over Ethernet (FCoE) target support. As a result, users can now have a better understanding of the status and details of the kdump crash dumping mechanism on an FCoE target.
Firmware-assisted dump now supports PowerNV
The firmware-assisted dump (fadump) mechanism is now supported on the PowerNV platform. The feature is supported with the IBM POWER9 FW941 firmware version and later. At the time of system failure, fadump, along with the vmcore file, also exports the opalcore file. The opalcore file contains information about the state of OpenPOWER Abstraction Layer (OPAL) memory at the time of breakdown. The opalcore file is helpful in debugging crashes of OPAL-based systems.
kernel-rt source tree now matches the latest RHEL 8 tree
kernel-rt sources have been updated to use the latest RHEL kernel source tree. The realtime patch set has also been updated to the latest upstream v5.2.21-rt13 version. Both of these updates provide a number of bug fixes and enhancements.
rngd is now able to run with non-root privileges
The random number generator daemon (rngd) checks whether the data supplied by a source of randomness is sufficiently random and then feeds it into the kernel's random-number entropy pool. With this update, rngd can run with non-root user privileges, which limits the impact a flaw in the daemon can have on the rest of the system.
Virtual Persistent Memory now supported for RHEL 8.2 and later on POWER 9
When running a RHEL 8.2 or later host with a PowerVM hypervisor on IBM POWER9 hardware, the host can now use the Virtual Persistent Memory (vPMEM) feature. With vPMEM, data persists across application and partition restarts until the physical server is turned off. As a result, restarting workloads that use vPMEM is significantly faster.
The following requirements must be met for your system to be able to use vPMEM:
- Hardware Management Console (HMC) V9R1 M940 or later
- Firmware level FW940 or later
- E980 system firmware FW940 or later
- L922 system firmware FW940 or later
- PowerVM level V3.1.1
Note that several known issues currently occur in RHEL 8 with vPMEM. For details, see the related Knowledgebase articles.
5.8. File systems and storage
LVM now supports the dm-writecache caching method
LVM cache volumes now provide the dm-writecache caching method in addition to the existing caching method (selected with --type cache):
- The existing method speeds up access to frequently used data by caching it on the faster volume. It caches both read and write operations.
- dm-writecache caches only write operations. The faster volume, usually an SSD or a persistent memory (PMEM) disk, stores the writes first and then migrates them to the slower disk in the background.
To configure the caching method, use the --type cache or --type writecache option with the
For more information, see Enabling caching to improve logical volume performance.
async policy is now ACID compliant
With this release, the VDO async write mode is compliant with Atomicity, Consistency, Isolation, Durability (ACID). If the system halts unexpectedly while VDO is writing data in async mode, the recovered data is now always consistent.
Because of the ACID guarantees, the performance of async is now lower than in the previous release. To restore the original performance, you can change the write mode of your VDO volume to async-unsafe, which is not ACID compliant and therefore does not give this consistency guarantee after an unexpected halt.
For more information, see Selecting a VDO write mode.
You can now import VDO volumes
The vdo utility now enables you to import existing VDO volumes that are not registered on your system. To import a VDO volume, use the vdo import command.
Additionally, you can modify the Universally Unique Identifier (UUID) of a VDO volume using the vdo import command.
per-op error counter is now available in the output of the
A minor supportability feature is available for NFS client systems: the output of the nfsiostat commands in nfs-utils now includes a per-op error count. This enhancement allows these tools to display per-op error counts and percentages, which help narrow down problems to specific NFS mount points on an NFS client machine. Note that these new statistics depend on kernel changes that are included in the Red Hat Enterprise Linux 8.2 kernel.
Writeback IOs with cgroup awareness are now available in XFS
With this release, XFS supports writeback IOs with cgroup awareness. In general, cgroup writeback requires explicit support from the underlying file system. Until now, writeback IOs on XFS were attributed to the root cgroup only.
The FUSE file systems now implement
The copy_file_range() system call provides a way for file systems to implement an efficient data copy mechanism. With this update, GlusterFS, which uses the Filesystem in Userspace (FUSE) framework, takes advantage of this mechanism. Because the read/write path of FUSE file systems involves multiple copies of the data, using copy_file_range() can significantly improve performance.
per-op statistics is now available for the
A supportability feature is now available for NFS client systems: the /proc/self/mountstats file has a per-op error counter. With this update, in each per-op statistics row, the ninth number is the count of operations that completed with a status value less than zero, that is, with an error. For more information, see the updates to the nfsiostat programs in nfs-utils that display these new error counts.
New mount stats lease_expired are available in
A supportability feature is available for NFSv4.x client systems. The /proc/self/mountstats file has the lease_time and lease_expired fields at the end of the line starting with
The lease_time field indicates the number of seconds in the NFSv4 lease time. The lease_expired field indicates the number of seconds since the lease expired, or 0 if the lease has not expired.
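Reading these counters by hand is tedious on a busy client, so here is an added example, not part of the release notes or of nfs-utils, that parses mountstats text the way the nfsiostat per-op error counts described earlier in this section use it: it reads the per-op statistics rows, treats the ninth number as the error count, ranks operations by error percentage, and picks up the lease_time and lease_expired fields. The sample text is constructed; the name of the line carrying the lease fields (written here as nfsv4:) is an assumption, since the note above does not show it; the function names parse_mountstats, error_hotspots and expired_leases are this example's own. Rows with only eight numbers, as printed by kernels without the error counter, are reported with errors set to None rather than mis-read.

```python
import re

# Field order of a per-op statistics row in /proc/self/mountstats; the
# ninth field (errors) is the counter added in the RHEL 8.2 kernel.
PER_OP_FIELDS = ("ops", "ntrans", "timeouts", "bytes_sent", "bytes_recv",
                 "queue_time", "rtt", "execute_time", "errors")

# Constructed sample: an NFSv4.1 mount from an 8.2 kernel (nine fields,
# lease fields present) and an NFSv3 mount from an older kernel (eight
# fields, no lease line). Assumption: the lease fields sit on the "nfsv4:" line.
SAMPLE = """\
device 192.0.2.10:/export mounted on /mnt/data with fstype nfs4 statvers=1.1
\topts:\trw,vers=4.1,rsize=1048576,wsize=1048576,hard,proto=tcp,sec=sys
\tage:\t4242
\tnfsv4:\tbm0=0xfdffbfff,bm1=0x40f9be3e,bm2=0x0,acl=0x3,sessions,pnfs=not configured,lease_time=90,lease_expired=0
\tper-op statistics
\t        NULL: 1 1 0 44 24 0 0 0 0
\t        READ: 2500 2500 0 300000 41000000 12 1800 1900 0
\t       WRITE: 1200 1200 0 62000000 180000 40 2600 2700 3
\t      LOOKUP: 800 800 0 140000 200000 2 120 130 80
\t      ACCESS: 600 600 0 100000 90000 1 60 70 0
device nas.example.net:/home mounted on /home with fstype nfs statvers=1.1
\topts:\trw,vers=3,rsize=65536,wsize=65536,hard,proto=tcp,sec=sys
\tage:\t100
\tper-op statistics
\t        NULL: 0 0 0 0 0 0 0 0
\t     GETATTR: 50 50 0 5000 5200 0 10 11
\t        READ: 10 10 0 1200 80000 0 30 31
"""

DEVICE_RE = re.compile(r"device (\S+) mounted on (\S+) with fstype (\S+)")


def parse_mountstats(text):
    """Return one dict per mount with lease fields and per-op statistics."""
    mounts, cur, in_per_op = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = DEVICE_RE.match(line)
        if m:
            cur = {"export": m.group(1), "mountpoint": m.group(2),
                   "fstype": m.group(3), "lease_time": None,
                   "lease_expired": None, "ops": {}}
            mounts.append(cur)
            in_per_op = False
            continue
        if cur is None:
            continue
        if line == "per-op statistics":
            in_per_op = True
            continue
        if not in_per_op:
            # Lease fields are key=value pairs at the end of the NFSv4 line.
            for key in ("lease_time", "lease_expired"):
                kv = re.search(r"\b%s=(\d+)" % key, line)
                if kv:
                    cur[key] = int(kv.group(1))
            continue
        name, sep, rest = line.partition(":")
        nums = rest.split()
        if not sep or not nums or not all(n.isdigit() for n in nums):
            continue
        row = dict(zip(PER_OP_FIELDS, (int(n) for n in nums)))
        # Older kernels print only eight numbers: do not invent an error count.
        row.setdefault("errors", None)
        ops = row["ops"]
        if row["errors"] is None:
            row["error_pct"] = None
        else:
            row["error_pct"] = round(100.0 * row["errors"] / ops, 2) if ops else 0.0
        cur["ops"][name.strip()] = row
    return mounts


def error_hotspots(mounts, min_ops=100, min_pct=1.0):
    """(mountpoint, op, error_pct) for sampled-enough ops, worst first."""
    found = []
    for mnt in mounts:
        for op, row in mnt["ops"].items():
            if row["error_pct"] is None or row["ops"] < min_ops:
                continue
            if row["error_pct"] >= min_pct:
                found.append((mnt["mountpoint"], op, row["error_pct"]))
    return sorted(found, key=lambda t: t[2], reverse=True)


def expired_leases(mounts):
    """Mountpoints whose NFSv4 lease has expired (lease_expired != 0)."""
    return [m["mountpoint"] for m in mounts if m["lease_expired"]]


if __name__ == "__main__":
    parsed = parse_mountstats(SAMPLE)
    for mountpoint, op, pct in error_hotspots(parsed):
        print("%s %s %.2f%% errors" % (mountpoint, op, pct))
    print("expired leases:", expired_leases(parsed))
```

On a real client, replace SAMPLE with the contents of /proc/self/mountstats read from a process that has the mounts in its namespace; a LOOKUP error rate of 10% on a single export, as in the sample, is the kind of signal that points at a permissions or export problem on one server rather than at the client.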
5.9. High availability and clusters
New command options to disable a resource only if this would not affect other resources
It is sometimes necessary to disable resources only if doing so does not affect other resources. Verifying this by hand can be impossible when complex resource relations are configured. To address this need, the pcs resource disable command now supports the following options:
- pcs resource disable --simulate: shows the effects of disabling the specified resources without changing the cluster configuration
- pcs resource disable --safe: disables the specified resources only if no other resources would be affected in any way, such as being migrated from one node to another
- pcs resource disable --safe --no-strict: disables the specified resources only if no other resources would be stopped or demoted
In addition, the pcs resource safe-disable command has been introduced as an alias for pcs resource disable --safe.
New command to show relations between resources
The pcs resource relations command displays the relations between cluster resources in a tree structure.
New command to display the status of both a primary site and recovery site cluster
If you have configured a cluster to use as a recovery site, you can now register that cluster as a recovery site cluster with the pcs dr command. You can then use the pcs dr command to display the status of both your primary site cluster and your recovery site cluster from a single node.
Expired resource constraints are now hidden by default when listing constraints
Listing resource constraints no longer displays expired constraints by default. To include expired constraints, use the --all option of the pcs constraint command. The expired constraints and their associated rules are then marked as (expired) in the output.
Pacemaker support for configuring resources to remain stopped on clean node shutdown
When a cluster node shuts down, Pacemaker's default response is to stop all resources running on that node and recover them elsewhere. Some users prefer to have high availability only for failures and to treat clean shutdowns as scheduled outages. To address this, Pacemaker now supports the shutdown-lock-limit cluster properties to specify that resources active on a node when it shuts down should remain stopped until the node next rejoins. Users can now treat clean shutdowns as scheduled outages without any manual intervention. For information on configuring resources to remain stopped on a clean node shutdown, see Configuring resources to remain stopped on clean node shutdown.
Support for running the cluster environment in a single node
A cluster with only one configured member can now start and run resources in a cluster environment. This allows a user to configure a separate disaster recovery site for a multi-node cluster that uses a single node for backup. Note that a cluster with only one node is not in itself fault tolerant.
5.10. Dynamic programming languages, web and database servers
A new module:
RHEL 8.2 introduces Python 3.8, provided by the new module python38 and the ubi8/python-38 container image.
Notable enhancements compared to Python 3.6 include:
- New Python modules, for example,
- New language features, such as assignment expressions (the so-called walrus operator, :=) or positional-only parameters
- Improved developer experience with the breakpoint() built-in function, the = format string specification, and compatibility between debug and non-debug builds of Python and extension modules
- Performance improvements
- Improved support for optional static type hints
- An addition of the = specifier to formatted string literals (f-strings) for easier debugging
- Updated versions of packages, such as
Python 3.8 and packages built for it can be installed in parallel with Python 3.6 on the same system.
Note that the python38 module does not include the same binary bindings to system tools (RPM, DNF, SELinux, and others) that are provided for the
To install packages from the python38 module, use, for example:
# yum install python38
# yum install python38-Cython
The python38:3.8 module stream will be enabled automatically.
To run the interpreter, use, for example:
$ python3.8
$ python3.8 -m cython --help
See Using Python for more information.
Note that Red Hat will continue to provide support for Python 3.6 until the end of life of RHEL 8. Python 3.8 will have a shorter life cycle, see RHEL 8 Application Streams Life Cycle.
Previously, when you tried to install the mod_wsgi module using the yum install mod_wsgi command, the python3-mod_wsgi package was always installed. RHEL 8.2 introduces Python 3.8 in addition to Python 3.6. With this update, you must specify which version of mod_wsgi you want to install; otherwise, an error message is returned.
To install the Python 3.6 version of mod_wsgi:
# yum install python3-mod_wsgi
To install the Python 3.8 version of mod_wsgi:
# yum install python38-mod_wsgi
Note that the python3-mod_wsgi and python38-mod_wsgi packages conflict with each other, and only one mod_wsgi module can be installed on a system due to a limitation of the Apache HTTP Server.
This change introduced a dependency known issue described in BZ#1829692.
Support for hardware-accelerated deflate in zlib on IBM Z
This update adds support for a hardware-accelerated deflate algorithm to the zlib library on IBM Z mainframes. As a result, the performance of compression and decompression on IBM Z machines has been improved.
Performance improved when decompressing gzip on IBM Power Systems, little endian
This update adds an optimization for the 32-bit Cyclic Redundancy Check (CRC32) to the zlib library on IBM Power Systems, little endian. As a result, the performance of decompressing gzip files has been improved.
A new module stream: maven:3.6
RHEL 8.2 introduces a new module stream, maven:3.6. This version of the Maven software project management and comprehension tool provides numerous bug fixes and various enhancements over the maven:3.5 stream distributed with RHEL 8.0.
To install the maven:3.6 stream, use:
# yum module install maven:3.6
If you want to upgrade from the maven:3.5 stream, see Switching to a later stream.
mod_md now supports the ACMEv2 protocol
The mod_md module has been updated to version 2.0.8. This update adds a number of features, notably support for version 2 of the Automatic Certificate Management Environment (ACME) certificate issuance and management protocol, which is the Internet Engineering Task Force (IETF) standard (RFC 8555). The original ACMEv1 protocol remains supported but has been deprecated by popular service providers.
New extensions for PHP 7.3
The php:7.3 module stream has been updated to provide two new PHP extensions:
- The rrd extension provides bindings to the RRDtool C library. RRDtool is a high-performance data logging and graphing system for time series data.
- The Xdebug extension is included to assist you with debugging and development. Note that the extension is provided only for development purposes and should not be used in production environments.
For information about installing and using PHP in RHEL 8, see Using the PHP scripting language.
This update adds the perl-LDAP and perl-Convert-ASN1 packages to RHEL 8. The perl-LDAP package provides an LDAP client for the Perl language. perl-LDAP requires the perl-Convert-ASN1 package, which encodes and decodes Abstract Syntax Notation One (ASN.1) data structures using Basic Encoding Rules (BER) and Distinguished Encoding Rules (DER).
sscg now supports generating private key files protected by a password
The sscg utility can now generate private key files protected by a password. This adds another layer of protection for private keys and is required by some services, such as FreeRADIUS.
5.11. Compilers and development tools
grafana rebased to version 6.3.6
The grafana package has been upgraded to version 6.3.6, which provides multiple bug fixes and enhancements. Notable changes include:
- Database: Rewrites the system statistics query for better performance.
- Fixes the query field layout in split view for the Safari browser.
- Adds a Live option for the supported data sources and adds the orgId to the URL for sharing purposes.
- Adds support for the new end parameters for the labels endpoint.
- Adds support for toggling raw query mode in Explore, allowing switching between metrics and logs.
- Displays log line context and does not parse log levels if they are provided by a field or label.
- Handles newlines in the
- Fixes browsing back to the dashboard panel.
- Fixes filtering by series level in the logs graph.
- Fixes issues when loading while graph/table are collapsed.
- Fixes the selection/copy of log lines.
- Dashboard: Fixes the dashboards init failed loading error for dashboards with panel links that had missing properties, and fixes the timezone dashboard setting while exporting to comma-separated values (CSV) Data links.
- Editor: Fixes an issue where only entire lines were being copied.
- LDAP: Integration of the
- Profile/UserAdmin: Fixes the user agent parser crashing grafana-server on 32-bit builds.
- Prevents a panel editor crash while switching to the Prometheus data source, and changes brace-insertion behaviour to be less annoying.
- Fixes queries with label_replace and removes the $1 match when loading the query editor.
- Consistently allows multi-line queries in the editor, taking the timezone into account for step alignment.
- Uses the overridden panel range for $__range instead of the dashboard range.
- Adds a time range filter to the series labels query, escapes | literals in the interpolated
- Fixes adding labels for metrics which contain colons in Explore.
- Prevents a panel editor crash while switching to the
- Auth: Allows expiration of API keys, returns device, OS and browser while listing user auth tokens in the HTTP API, and supports listing and revoking user auth tokens in the UI.
- DataLinks: Correctly applies scoped variables to the data links, follows the timezone while displaying the datapoint timestamp in the graph context menu, uses the datapoint timestamp correctly when interpolating variables, and fixes the incorrect interpolation of the
- Graph: Fixes a legend issue when clicking on the series line icon and an issue with the horizontal scrollbar being visible on Windows, and adds a new fill gradient option.
- Graphite: Avoids the glob of single-value array variables, fixes issues with the alias function being moved last, fixes an issue with the seriesByTag & function with a variable parameter, uses
- TimeSeries: Assumes values are all numbers.
- Gauge/BarGauge: Fixes an issue with lost thresholds and an issue loading Gauge with the
- PanelLinks: Fixes a crash with Gauge and Bar Gauge panels with panel links (drill-down links), and fixes a render issue when there is no panel description.
- OAuth: Fixes the OAuth refresh in the DS proxy.
- Auth Proxy: Includes additional headers as part of the cache key.
- cli: Fixes recognizing when in dev mode, and fixes encrypt-datasource-passwords failing with an SQL error.
- Permissions: Shows plugins in the navigation for non-admin users but hides the plugin configuration.
- TimePicker: Increases the maximum height of the quick range dropdown and fixes a style issue for the custom range popover.
- Loki: Displays live tailed logs in the correct order in Explore.
- Timerange: Fixes a bug where custom time ranges did not follow Coordinated Universal Time (UTC).
- remote_cache: Fixes the
- Alerting: Adds tags to alert rules, attempts to send email notifications to all the given email addresses, improves alert rule testing, and supports configuring the content field for the
- Alertmanager: Replaces illegal characters with an underscore in label names.
- AzureMonitor: Changes clashing built-in Grafana variables or macro names for Azure Logs.
- CloudWatch: Makes the region visible for Amazon Web Services (AWS) CloudWatch Expressions, and adds the AWS
- GraphPanel: Does not sort series when the legend table and sort column are not visible.
- InfluxDB: Supports visualizing logs in Explore.
- MySQL/Postgres/MSSQL: Adds parsing for day, week, and year intervals in macros, and adds support for periodically reloading client certificates.
- Plugins: Replaces the dataFormats list with the skipDataQuery flag in the
- Refresh picker: Handles empty intervals.
- ymin/max configuration to the singlestat sparklines.
- Templating: Correctly displays __text in a multi-value variable after page reloads, and supports selecting all the filtered values of a multi-value variable.
- Frontend: Fixes the JSON tree component not working.
- InfluxDB: Fixes issues with single quotes not being escaped in label value filters.
- Config: Fixes the connectionstring option for the
- Elasticsearch: Fixes the empty query (via template variable) to be sent as a wildcard, fixes the default max concurrent shard requests, and supports visualizing logs in Explore.
- TablePanel: Fixes the annotations display.
- Grafana-CLI: Fixes receiving flags via the command line, wrapper for the
config/homepath are now global flags.
- HTTPServer: Fixes the X-XSS-Protection header formatting, options for returning new headers Strict-Transport-Security, fixes the Strict-Transport-Security header, and serves Grafana with a custom URL path prefix.
pcp rebased to version 5.0.2
The pcp package has been upgraded to version 5.0.2, which provides multiple bug fixes and enhancements. Notable changes include:
- The pcp-webapp-* packages are now replaced by the
- The pcp-collectl tool is now replaced by the
- New and improved performance metric domain agents (PMDAs):
  - pmdamssql: New PMDA for the Microsoft SQL Server implementation.
  - pmdanetcheck: New PMDA to perform network checks.
  - pmdanfsclient: Adds the
  - pmdalmsensors: Improvements in name parsing and error handling.
  - hv_24x7 nest events on multi-node systems.
  - Correctly handles sparse or discontinuous NUMA nodes.
  - instname and not the
  - Adds active and total slabs to
  - Fixes several unix socket, icmp6 metrics, and hugepage metric value calculations,
  - segfault in the interrupts code with large CPU counts
  - Fetches more network metrics in the
  - pmdabcc: Fixes the tracepoints module for bcc 0.10.0 and higher versions.
  - pmdabpftrace: New PMDA for metrics from the
  - Fixes a memory leak in the
  - Avoids excessive stat calls in cgroup paths and only un-escapes instance names.
  - Fixes a memory leak in the
  - pmdaroot: Improves handling of cached or inactive cgroup behaviour and refreshes the container on cgroupfs changes as well.
- Fixes to collector (server) tools:
  - pmproxy: OpenMetrics support via the /metrics endpoint, consolidates the pmseries/grafana REST API, and adds a new asynchronous PMWEBAPI(3) REST API implementation.
  - selinux: Numerous pcp policy updates.
  - pmdas: Enables authentication support, and adds a new set_comm_flags method to set the communication flags.
  - python api: Exports pmdaGetContext() and adds a debugging wrapper.
  - perl api: Ensures the context is set up for the PMDA store, as with the Python wrapper.
  - systemd: Adds a 120s timeout in all the services and fixes a failure to start the
- Fixes to analysis (client) tools:
  - pmchart: Fixes chart auto-scaling under fetch error conditions.
  - pmrep: Fixes the
  - pmseries: Provides support for the delta keyword and better timestamps.
  - pcp-atop: Fixes the write mode (-w) to handle the
  - pcp-atopsar: Fixes the mishandling of a few command line arguments.
  - pcp-dstat: Fixes misaligned headers in CSV output and handling of the --bits command line option.
  - libpcp: Fixes a segv with local context and multi-archive replay error handling for corrupted archives.
grafana-pcp is now available in RHEL 8.2
The grafana-pcp package provides new grafana data sources and application plugins connecting PCP with grafana. With the grafana-pcp package, you can analyze historical PCP metrics and real-time PCP metrics using the pmseries query language and pmwebapi live services, respectively. For more information, see Performance Co-Pilot Grafana Plugin.
Updated GCC Toolset 9
GCC Toolset 9 is a compiler toolset that provides recent versions of development tools. It is available as an Application Stream in the form of a Software Collection in the
Notable changes introduced with RHEL 8.2 include:
- The GCC compiler has been updated to version 9.2.1, which provides many bug fixes and enhancements that are available in upstream GCC.
The GCC Toolset 9 components are now available in two container images:
- rhel8/gcc-toolset-9-toolchain, which includes the GCC compiler, the GDB debugger, and the
- rhel8/gcc-toolset-9-perftools, which includes performance monitoring tools, such as SystemTap and Valgrind.
To pull a container image, run the following command as root:
# podman pull registry.redhat.io/<image_name>
The following tools and versions are provided by GCC Toolset 9:
To install GCC Toolset 9, run the following command as root:
# yum install gcc-toolset-9
To run a tool from GCC Toolset 9:
$ scl enable gcc-toolset-9 tool
To run a shell session where tool versions from GCC Toolset 9 take precedence over system versions of these tools:
$ scl enable gcc-toolset-9 bash
For more information, see Using GCC Toolset.
GCC Toolset 9 now supports NVIDIA PTX target offloading
The GCC compiler in GCC Toolset 9 now supports OpenMP target offloading for NVIDIA PTX.
The updated GCC compiler is now available for RHEL 8.2
The system GCC compiler, version 8.3.1, has been updated to include numerous bug fixes and enhancements available in the upstream GCC.
The GNU Compiler Collection (GCC) provides tools for developing applications with the C, C++, and Fortran programming languages.
For usage information, see Developing C and C++ applications in RHEL 8.
A new tunable for changing the maximum fastbin size in
The malloc function uses a series of fastbins that hold reusable memory chunks up to a specific size, at most 80 bytes on 32-bit systems and 160 bytes on 64-bit systems. This enhancement introduces the glibc.malloc.mxfast tunable to glibc, which enables you to change the maximum fastbin size. Like other glibc tunables, it is set through the GLIBC_TUNABLES environment variable; setting it to 0 disables fastbins entirely, at some cost to small-allocation performance.
Vectorized math library is now enabled for GNU Fortran in GCC Toolset 9
With this enhancement, GNU Fortran from GCC Toolset 9 can now use routines from the vectorized math library libmvec. Previously, the Fortran compiler in GCC Toolset needed a Fortran header file before it could use routines from libmvec provided by the GNU C Library (glibc).
glibc.malloc.tcache tunable has been enhanced
The glibc.malloc.tcache_count tunable sets the maximum number of memory chunks of each size that can be stored in the per-thread cache (tcache). With this update, the upper limit of the glibc.malloc.tcache_count tunable has been increased from 127 to 65535.
glibc dynamic loader is enhanced to provide a non-inheriting library preloading mechanism
With this enhancement, the loader can be invoked to start a user program with the --preload option followed by a colon-separated list of libraries to preload. This allows users to run their programs directly through the loader with a preload list that is not inherited by child processes.
Previously, users had to use the LD_PRELOAD environment variable, which is inherited by all child processes through their environment.
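The difference matters when you wrap a single program, for example with an interposition or sanitizer library, and do not want the wrapper to follow into everything that program spawns. The following added example, which is not part of the release notes or of glibc, starts /bin/sh both ways and has a grandchild shell report what it sees in LD_PRELOAD. It locates the loader and libc from the running interpreter's own mappings and preloads libc itself, which is harmless; the function names are this example's own, and on systems whose loader predates the --preload option, or on non-glibc systems, the result is the string "unsupported" rather than a measurement.

```python
import os
import subprocess

# The probe: a child shell starts a grandchild shell, which reports what it
# inherited in LD_PRELOAD. Assumption: /bin/sh is a POSIX shell.
PROBE = 'sh -c \'echo "${LD_PRELOAD:-unset}"\''
UNSUPPORTED = "unsupported"


def find_loader_and_libc():
    """Locate the dynamic loader and libc from this process's own mappings.

    Returns (loader_path, libc_path) on a glibc system, or None where the
    two cannot be told apart (for example musl, whose loader is libc).
    """
    loader = libc = None
    try:
        with open("/proc/self/maps") as maps:
            for line in maps:
                parts = line.split()
                if len(parts) < 6 or not parts[5].startswith("/"):
                    continue
                name = os.path.basename(parts[5])
                if loader is None and name.startswith("ld-"):
                    loader = parts[5]
                elif libc is None and name.startswith(("libc.so", "libc-2.")):
                    libc = parts[5]
    except OSError:
        return None
    if loader and libc and "musl" not in loader:
        return loader, libc
    return None


def _stdout_or_unsupported(argv, env):
    """Run argv; a failure to start (for example a loader that does not
    understand --preload) is reported as 'unsupported'."""
    try:
        proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    except OSError:
        return UNSUPPORTED
    return proc.stdout.strip() if proc.returncode == 0 else UNSUPPORTED


def env_preload_seen_by_grandchild(lib):
    """LD_PRELOAD in the environment: every descendant inherits it."""
    env = dict(os.environ, LD_PRELOAD=lib)
    return _stdout_or_unsupported(["/bin/sh", "-c", PROBE], env)


def loader_preload_seen_by_grandchild(loader, lib):
    """ld.so --preload: applies only to the program the loader starts."""
    env = {k: v for k, v in os.environ.items() if k != "LD_PRELOAD"}
    argv = [loader, "--preload", lib, "/bin/sh", "-c", PROBE]
    return _stdout_or_unsupported(argv, env)


def compare():
    """Return what the grandchild saw under each mechanism."""
    found = find_loader_and_libc()
    if found is None:
        return {"env": UNSUPPORTED, "loader": UNSUPPORTED}
    loader, lib = found
    return {"env": env_preload_seen_by_grandchild(lib),
            "loader": loader_preload_seen_by_grandchild(loader, lib)}


if __name__ == "__main__":
    for mechanism, seen in compare().items():
        print("%-6s grandchild saw LD_PRELOAD=%s" % (mechanism, seen))
```

With the environment variable the grandchild prints the preloaded library's path; through the loader it prints "unset", because the preload list lives in the loader's argument vector rather than in anything the program passes on when it forks and executes.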
GDB now supports the ARCH(13) extension on the IBM Z architecture
With this enhancement, the GNU Debugger (GDB) now supports the new instructions implemented by the ARCH(13) extension on the IBM Z architecture.
elfutils rebased to version 0.178
The elfutils package has been upgraded to version 0.178, which provides multiple bug fixes and enhancements. Notable changes include:
- elfclassify: a new tool to analyze ELF objects.
- debuginfod: a new server, client tool, and library to index and automatically fetch ELF, DWARF, and source files from files and RPM archives through HTTP.
- libebl is now directly compiled into
- eu-readelf has multiple new flags for notes, section numbering, and symbol tables.
- libdw has improved multithreading support.
- libdw supports additional GNU DWARF extensions.
SystemTap rebased to version 4.2
The SystemTap instrumentation tool has been updated to version 4.2. Notable enhancements include:
- Backtraces can now include source file names and line numbers.
- Numerous Berkeley Packet Filter (BPF) back-end extensions are now available, for example, for looping, timing, and other processes.
- A new service for managing SystemTap scripts is available. This service sends metrics to a Prometheus-compatible monitoring system.
- SystemTap has inherited the functionality of the new debuginfod HTTP file server. This server automatically provides debugging resources to SystemTap.
Enhancements to IBM Z series performance counters
IBM Z series type 0x8561, 0x8562, and 0x3907 (z14 ZR1) machines are now recognized by
libpfm. Performance events for monitoring elliptic-curve cryptography (ECC) operations on IBM Z series are now available. This allows monitoring of additional subsystems on IBM Z series machines.
Rust Toolset rebased to version 1.41
Rust Toolset has been updated to version 1.41. Notable changes include:
- Implementing new traits is now easier because the orphan rule is less strict.
- You can now attach the #[non_exhaustive] attribute to a
- Box<T> in the Foreign Function Interface (FFI) has more guarantees now. Box<T> has the same Application Binary Interface (ABI) as a T* pointer in the FFI.
- Rust is designed to detect memory-safety bugs at compile time, but the previous borrow checker had limitations that allowed undefined behaviour and memory unsafety. The new non-lexical lifetimes (NLL) borrow checker reports such memory-unsafety problems as hard errors, and now applies to both the Rust 2015 and Rust 2018 editions. Previously, in Rust 2015 the NLL borrow checker only raised warnings about such problems.
To install the
rust-toolset module, run the following command as root:
# yum module install rust-toolset
For usage information, see Using Rust Toolset.
LLVM Toolset rebased to version 9.0.1
LLVM Toolset has been upgraded to version 9.0.1. With this update, asm goto statements are now supported. This change makes it possible to compile the Linux kernel on the AMD64 and Intel 64 architectures.
To install the
llvm-toolset module, run the following command as root:
# yum module install llvm-toolset
For more information, see Using LLVM Toolset.
Go Toolset rebased to version 1.13
Go Toolset has been upgraded to version 1.13. Notable enhancements include:
- Go can now use a FIPS-certified cryptographic module when the RHEL system is booted in FIPS mode. Users can enable this mode manually using the
- The Delve debugger, version 1.3.2, is now available for Go. It is a source-level debugger for the Go (golang) programming language.
To install the
go-toolset module, run the following command as root:
# yum module install go-toolset
To install the Delve debugger, run the following command as root:
# yum install delve
To debug a
helloworld.go program using Delve, run the following command:
$ dlv debug helloworld.go
For more information on Go Toolset, see Using Go Toolset.
For more information on Delve, see the upstream Delve documentation.
OpenJDK now supports also secp256k1
Previously, Open Java Development Kit (OpenJDK) could use only curves from the NSS library. Consequently, OpenJDK provided only the secp256r1, secp384r1, and secp521r1 curves for elliptic curve cryptography (ECC). With this update, OpenJDK uses the internal ECC implementation and supports also the secp256k1 curve.
5.12. Identity Management
IdM now supports new Ansible management modules
This update introduces several ansible-freeipa modules for automating common Identity Management (IdM) tasks using Ansible playbooks:
- The ipauser module automates adding and removing users.
- The ipagroup module automates adding and removing users and user groups to and from user groups.
- The ipahost module automates adding and removing hosts.
- The ipahostgroup module automates adding and removing hosts and host groups to and from host groups.
- The ipasudorule module automates the management of
- The ipapwpolicy module automates the configuration of password policies in IdM.
- The ipahbacrule module automates the management of host-based access control in IdM.
Note that you can combine two or more ipauser calls into one with the users variable or, alternatively, use a JSON file containing the users. Similarly, you can combine two or more ipahost calls into one with the hosts variable or, alternatively, use a JSON file containing the hosts. The ipahost module can also ensure the presence or absence of several IPv4 and IPv6 addresses for a host.
Healthcheck now supports screening DNS records
This update introduces a standalone manual test of DNS records on an Identity Management (IdM) server.
The test uses the Healthcheck tool and performs a DNS query using the local resolver configured in the /etc/resolv.conf file. The test ensures that the DNS records required for autodiscovery are resolvable.
Direct integration of RHEL into AD using SSSD now supports FIPS
With this enhancement, the System Security Services Daemon (SSSD) now integrates with Active Directory (AD) deployments whose authentication mechanisms use encryption types approved by the Federal Information Processing Standard (FIPS). The enhancement enables you to directly integrate RHEL systems into AD in environments that must meet FIPS requirements.
The SMB1 protocol has been disabled in the Samba server and client utilities by default
In Samba 4.11, the default values of the server min protocol and client min protocol parameters have been changed from their earlier defaults to SMB2_02 because the server message block version 1 (SMB1) protocol is deprecated. If you have not set these parameters explicitly:
- Clients that only support SMB1 are no longer able to connect to the Samba server.
- Samba client utilities, such as smbclient, and the libsmbclient library fail to connect to servers that only support SMB1.
Red Hat recommends not using the SMB1 protocol. However, if your environment requires SMB1, you can manually re-enable the protocol.
To re-enable SMB1 on a Samba server:
Add the following setting to the Samba configuration file:
server min protocol = NT1
Restart the smb service:
# systemctl restart smb
To re-enable SMB1 for Samba client utilities and the libsmbclient library:
Add the following setting to the Samba configuration file:
client min protocol = NT1
Restart the smb service:
# systemctl restart smb
Note that the SMB1 protocol will be removed in a future Samba release.
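After an upgrade to 4.11, a practitioner wants to know on which hosts SMB1 was quietly re-enabled by hand. The following added example, which is not part of the release notes or of Samba, parses a Samba configuration and flags either minimum-protocol parameter that resolves to an SMB1-era dialect, treating an unset parameter as the 4.11 default SMB2_02; it also flags encrypt passwords = no, since plaintext password authentication only exists in SMB1. The dialect ordering follows smb.conf(5); both configurations and the function names are this example's own.

```python
import configparser

# Dialects accepted by "server min protocol" / "client min protocol" in
# smb.conf(5), oldest first. Everything before SMB2_02 is an SMB1-era dialect.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
            "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
DEFAULT_MIN = "SMB2_02"   # Samba 4.11 default for both parameters
MIN_PARAMS = ("server min protocol", "client min protocol")

# Constructed sample configurations for the example.
WEAK_CONF = """\
[global]
    workgroup = EXAMPLE
    security = user
    ; re-enabled for a legacy scanner that only speaks SMB1
    server min protocol = NT1
    client min protocol = NT1
    encrypt passwords = no
[share]
    path = /srv/samba/share
"""

HARDENED_CONF = """\
[global]
    workgroup = EXAMPLE
    security = user
    # minimums left unset, so both resolve to the 4.11 default SMB2_02
    server max protocol = SMB3
[share]
    path = /srv/samba/share
"""


def load_smb_conf(text):
    """Parse smb.conf text. Only '=' separates keys from values, because
    Samba keys such as 'idmap config * : backend' contain colons."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    # Strip indentation so configparser never treats a line as a continuation.
    parser.read_string("\n".join(l.strip() for l in text.splitlines()))
    return parser


def normalize_dialect(value):
    value = value.strip().upper()
    return ALIASES.get(value, value)


def audit_smb_conf(text):
    """Report each minimum-protocol parameter and whether it admits SMB1."""
    parser = load_smb_conf(text)
    glob = parser["global"] if parser.has_section("global") else {}
    findings = {}
    smb2_floor = DIALECTS.index("SMB2_02")
    for param in MIN_PARAMS:
        raw = glob.get(param)
        dialect = normalize_dialect(raw) if raw is not None else DEFAULT_MIN
        if dialect not in DIALECTS:
            # Unknown value: report it, but do not guess what Samba will do.
            findings[param] = {"value": dialect, "explicit": True, "smb1": None}
            continue
        findings[param] = {"value": dialect, "explicit": raw is not None,
                           "smb1": DIALECTS.index(dialect) < smb2_floor}
    enc = glob.get("encrypt passwords")
    if enc is not None and enc.strip().lower() in ("no", "false", "0"):
        # Plaintext password authentication only exists in SMB1.
        findings["encrypt passwords"] = {"value": enc.strip(), "explicit": True,
                                         "smb1": True}
    return findings


def smb1_enabled(text):
    """True if any audited setting re-enables SMB1-era behaviour."""
    return any(f["smb1"] for f in audit_smb_conf(text).values())


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "SMB1 enabled:", smb1_enabled(conf), audit_smb_conf(conf))
```

Run it over each host's configuration file; a finding with "explicit": True and "smb1": True is a deliberate re-enablement that should carry a documented reason, while "explicit": False with SMB2_02 means the 4.11 default is in force.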
samba rebased to version 4.11.2
The samba packages have been upgraded to upstream version 4.11.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- By default, the server message block version 1 (SMB1) protocol is now disabled in the Samba server, client utilities, and the libsmbclient library. However, you can still set the server min protocol and client min protocol parameters manually to NT1 to re-enable SMB1. Red Hat does not recommend re-enabling the SMB1 protocol.
- Parameters such as encrypt passwords are deprecated. These parameters enable insecure authentication and are only available in the deprecated SMB1 protocol.
- The -o parameter has been removed from the onnode clustered trivial database (CTDB) utility.
- Samba now uses the GnuTLS library for encryption. As a result, if FIPS mode is enabled in RHEL, Samba is compliant with the FIPS standard.
- The ctdbd service now logs when it uses more than 90% of a CPU thread.
- The deprecated Python 2 support has been removed.
Samba automatically updates its tdb database files when the winbind service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For further information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.11.0.html
Directory Server rebased to version 184.108.40.206
The 389-ds-base packages have been upgraded to upstream version 220.127.116.11, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:
Certain legacy scripts have been replaced in Directory Server
This enhancement provides replacements for the unsupported legacy scripts in Directory Server, such as repl-monitor.pl. These scripts have been replaced with the following commands:
dsctl instance_name dbverify
dsconf schema validate-syntax
dsconf replication dump-changelog
dsconf plugin posix-winsync fixup
dsconf replication monitor
For a list of all legacy scripts and their replacements, see Command-line utilities replaced in Red Hat Directory Server 11.
Setting up IdM as a hidden replica is now fully supported
Identity Management (IdM) in RHEL 8.2 fully supports setting up IdM servers as hidden replicas. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no SRV records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas.
Hidden replicas are primarily designed for dedicated services that can otherwise disrupt clients. For example, a full backup of IdM requires shutting down all IdM services on the master or replica. Since no clients use a hidden replica, administrators can temporarily shut down the services on this host without affecting any clients. Other use cases include high-load operations on the IdM API or the LDAP server, such as a mass import or extensive queries.
To install a new hidden replica, use the ipa-replica-install --hidden-replica command. To change the state of an existing replica, use the ipa server-state command.
For further details, see Installing an IdM hidden replica.
Kerberos ticket policy now supports authentication indicators
Authentication indicators are attached to Kerberos tickets based on which pre-authentication mechanism has been used to acquire the ticket:
- otp for two-factor authentication (password + OTP)
- radius for RADIUS authentication
- pkinit for PKINIT, smart card or certificate authentication
- hardened for hardened passwords (SPAKE or FAST)
The Kerberos Key Distribution Center (KDC) can enforce policies, such as service access control, maximum ticket lifetime, and maximum renewable age, on service ticket requests based on the authentication indicators.
With this enhancement, administrators can achieve finer control over service ticket issuance by requiring specific authentication indicators from a user’s tickets.
krb5 package is now FIPS-compliant
With this enhancement, non-compliant cryptography is prohibited. As a result, administrators can use Kerberos in FIPS-regulated environments.
Directory Server sets the sslVersionMin parameter based on the system-wide crypto policy
By default, Directory Server now sets the value of the sslVersionMin parameter based on the system-wide crypto policy. If you set the crypto policy profile in the /etc/crypto-policies/config file to:
- FIPS, Directory Server sets
- LEGACY, Directory Server sets
Alternatively, you can manually set sslVersionMin to a higher value than the one defined in the crypto policy:
# dsconf -D "cn=Directory Manager" ldap://server.example.com security set --tls-protocol-min TLS1.3
Wayland is now enabled on dual-GPU systems
Previously, the GNOME environment defaulted to the X11 session on laptops and other systems that have two graphical processing units (GPUs). With this release, GNOME now defaults to the Wayland session on dual-GPU systems, which is the same behavior as on single-GPU systems.
5.14. Graphics infrastructures
Support for new graphics cards
The following graphics cards are now supported:
- Intel HD Graphics 610, 620, and 630, which are found with the Intel Comet Lake H and U processors
- Intel Ice Lake UHD Graphics 910 and Iris Plus Graphics 930, 940, and 950. You no longer need to set the alpha_support kernel option to enable support for Intel Ice Lake graphics.
- The AMD Navi 10 family, which includes the following models:
  - Radeon RX 5600
  - Radeon RX 5600 XT
  - Radeon RX 5700
  - Radeon RX 5700 XT
  - Radeon Pro W5700
- The Nvidia Turing TU116 family, which includes the following models. Note that the nouveau graphics driver does not yet support 3D acceleration with the Nvidia Turing TU116 family.
  - GeForce GTX 1650 Super
  - GeForce GTX 1660
  - GeForce GTX 1660 Super
  - GeForce GTX 1660 Ti
  - GeForce GTX 1660 Ti Max-Q
Additionally, the following graphics drivers have been updated:
5.15. The web console
Administrators can now use client certificates to authenticate to the RHEL 8 web console
With this web console enhancement, a system administrator can use client certificates to access a RHEL 8 system locally or remotely using a browser with certificate authentication built in. No additional client software is required. These certificates are commonly provided by a smart card or Yubikey, or can be imported into the browser.
When logging in with a certificate, the user cannot currently perform administrative actions in the web console. But the user can perform them on the Terminal page with the sudo command after authenticating with a password.
Option to log in to the web console with a TLS client certificate
With this update, it is possible to configure the web console to log in with a TLS client certificate that is provided by a browser or a device such as a smart card or a YubiKey.
Changes to web console login
RHEL web console has been updated with the following changes:
- The web console will automatically log you out of your current session after 15 minutes of inactivity. You can configure the timeout in minutes in the cockpit.conf file.
- Similarly to SSH, the web console can now optionally show the content of banner files on the login screen. Users need to configure the functionality in the cockpit.conf file. See the cockpit.conf(5) manual page for more information.
The RHEL web console has been redesigned to use the PatternFly 4 user interface design system
The new design provides better accessibility and matches the design of OpenShift 4. Updates include:
- The Overview page has been completely redesigned. For example, information is grouped into easier-to-understand panels, health information is more prominent, resource graphs have been moved to their own page, and the hardware information page is now easier to find.
- Users can use the new Search field in the Navigation menu to easily find specific pages that are based on keywords.
For more information about PatternFly, see the PatternFly project page.
Virtual Machines page updates
The web console’s Virtual Machines page has received several storage improvements:
- Storage volume creation now works for all libvirt-supported types.
- Storage pools can be created on LVM or iSCSI.
Additionally, the Virtual Machines page now supports the creation and removal of virtual network interfaces.
Storage page updates
Usability testing showed that the default mount point concept on the RHEL web console Storage page was hard to grasp and led to a lot of confusion. With this update, the web console no longer offers a Default choice when mounting a file system. Creating a new file system now always requires a specified mount point.
Additionally, the web console now hides the distinction between the configuration (/etc/fstab) and the run-time state (/proc/mounts). Changes made in the web console always apply to both the configuration and the run-time state. When the configuration and the run-time state differ from each other, the web console shows a warning and enables users to easily bring them back in sync.
Attempting to create a RHEL virtual machine from an install tree now returns a more helpful error message.
RHEL 7 and RHEL 8 virtual machines created using the virt-install utility with the --location option in some cases fail to boot. This update adds a virt-install error message that provides instructions on how to work around this problem.
Intel Xeon Platinum 9200 series processors supported on KVM guests
Support for Intel Xeon Platinum 9200 series processors (previously known as Cascade Lake) has now been added to the KVM hypervisor and kernel code, and to the libvirt API. This enables KVM virtual machines to use Intel Xeon Platinum 9200 series processors.
EDK2 rebased to version stable201908
The EDK2 package has been upgraded to version stable201908, which provides multiple enhancements. Notably:
- EDK2 now includes support for OpenSSL-1.1.1.
- To comply with the upstream project’s licensing requirements, the EDK2 package license has been changed from BSD and OpenSSL and MIT to BSD-2-Clause-Patent and OpenSSL and MIT.
Creating nested virtual machines
With this update, nested virtualization is fully supported for KVM virtual machines (VMs) running on an Intel 64 host with RHEL 8. With this feature, a RHEL 7 or RHEL 8 VM that runs on a physical RHEL 8 host can act as a hypervisor, and host its own VMs.
Note that on AMD64 systems, nested KVM virtualization remains a Technology Preview.
The default registries search list in /etc/containers/registries.conf has been updated
The registries.search list in /etc/containers/registries.conf has been updated to only include trusted registries that provide container images curated, patched, and maintained by Red Hat and its partners.
Red Hat recommends always using fully qualified image names including:
- The registry server (full DNS name)
- Image name
- Tag (for example
When using short names, there is always an inherent risk of spoofing. For example, a user wants to pull an image named foobar from a registry and expects it to come from myregistry.com. If myregistry.com is not first in the search list, an attacker could place a different foobar image at a registry earlier in the search list. The user would accidentally pull and run the attacker’s image and code rather than the intended content. Red Hat recommends only adding registries which are trusted, that is, registries which do not allow unknown or anonymous users to create accounts with arbitrary names. This prevents an image from being spoofed, squatted, or otherwise made insecure.
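The short-name risk described above can be checked mechanically; the following is an added example (not part of the release notes or of the containers tooling) that flags image references which would be resolved through the search list and prints the order in which the listed registries would be consulted. It assumes the v1 registries.conf layout ([registries.search] with a registries = [...] array) and uses a constructed sample file in place of /etc/containers/registries.conf.

```shell
# Added example, not from the release notes: flag image references that would
# be resolved through the registries.search list rather than naming their
# registry, and show which entries would be consulted for a short name.
# Assumptions: the v1 registries.conf layout ([registries.search] with a
# registries = [...] array) and a constructed sample file.

# An image reference is fully qualified when its first path component names a
# registry host: it contains a dot or a port colon, or is "localhost".
is_fully_qualified() {  # is_fully_qualified <image-ref>
    _first=${1%%/*}
    [ "$_first" != "$1" ] || return 1         # no slash: pure short name
    case "$_first" in
        localhost|*.*|*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the registries.search entries of a v1 registries.conf, one per line,
# in the order they would be tried for a short name.
search_registries() {  # search_registries <registries.conf>
    awk '
        /^\[/ { in_search = ($0 ~ /^\[registries\.search\]/) }
        in_search && /^[ \t]*registries[ \t]*=/ {
            sub(/^[^=]*=[ \t]*\[/, ""); sub(/\].*$/, "")
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t"'\'']/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }' "$1"
}

# OK when fully qualified; WARN otherwise, listing the registries that could
# answer the short name (the first one in the list wins).
audit_image() {  # audit_image <registries.conf> <image-ref>
    if is_fully_qualified "$2"; then
        echo "OK:   $2"; return 0
    fi
    echo "WARN: $2 is a short name, resolved via: $(search_registries "$1" | tr '\n' ' ')"
    return 1
}
SAMPLE_CONF=${TMPDIR:-/tmp}/registries-sample.conf   # constructed sample file
cat > "$SAMPLE_CONF" <<'EOF'
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
[registries.insecure]
registries = []
EOF
audit_image "$SAMPLE_CONF" registry.redhat.io/ubi8/ubi:latest
audit_image "$SAMPLE_CONF" foobar || true
```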
Podman no longer depends on oci-systemd-hook
Podman does not need or depend on the oci-systemd-hook package, which has been removed from the container-tools:2.0 module streams.